DOJ Doubles Down on Corporate Enforcement with New Whistleblower Program
Julian L. André | Caitlyn M. Campbell | Edward B. Diskant | James Durkin | Paul M.G. Helms | Matthew Madden | Sagar K. Ravi | Paul M. Thompson | Ashley Hoff
During the 2024 American Bar Association National Institute on White Collar Crime (the 2024 White Collar Conference) earlier in March, US Attorney General (AG) Merrick Garland, US Deputy Attorney General (DAG) Lisa Monaco, Acting US Assistant Attorney General (AAG) Nicole Argentieri and other US government officials spoke extensively on the US Department of Justice’s (DOJ) heightened corporate enforcement efforts. Building on last year’s changes to DOJ’s corporate enforcement policies, DOJ will be using a “mix of carrots and sticks” – including a new DOJ-run whistleblower program – to promote corporate compliance, encourage voluntary self-disclosure, and hold individuals and corporations accountable for corporate misconduct.
DAG Monaco and AAG Argentieri unveiled plans for a whistleblower program that will reward individuals who help DOJ uncover significant corporate or financial misconduct. The new whistleblower program will “fill gaps” not covered by existing whistleblower programs and provides DOJ with another tool to encourage companies to enhance their compliance programs and voluntarily self-disclose misconduct. DOJ will use the next 90 days to fully develop its whistleblower program before formally implementing a pilot program.
At the conference, AG Garland, DAG Monaco and others discussed recent DOJ corporate enforcement policy initiatives. DOJ’s leadership repeatedly emphasized the substantial financial benefits of voluntary self-disclosure, cooperation and remediation while stressing the importance of accountability for individual wrongdoers and the need to address corporate recidivism. Companies with a history of misconduct can expect to receive harsher financial penalties designed to deliver meaningful consequences.
DOJ officials also discussed a number of ongoing DOJ enforcement priorities, including artificial intelligence (AI), cryptocurrency, data protection and sanctions. DOJ cautioned that criminal deployment of AI will result in prosecutors seeking stiffer penalties and highlighted an increasing connection between corporate enforcement objectives and American national security interests related to the protection of sensitive data.
IN DEPTH
DOJ’s New Whistleblower Pilot Program
The headline from the 2024 White Collar Conference is DOJ’s new whistleblower program. DAG Monaco and AAG Argentieri announced that DOJ will use the next 90 days to develop and implement a DOJ-run pilot whistleblower program, which is expected to start later this year. If an individual helps DOJ discover misconduct that was otherwise unknown to DOJ, then the whistleblower can qualify for a monetary share of any resulting civil or criminal forfeiture action.
By implementing its own whistleblower program, DOJ is hoping to emulate the success of other whistleblower programs, which have become “indispensable” for many federal agencies. For example, in 2023, the US Securities and Exchange Commission’s (SEC) Whistleblower Program received more than 18,000 tips and awarded nearly $600 million to whistleblowers. The Commodity Futures Trading Commission’s (CFTC) Whistleblower Program has resulted in enforcement actions leading to more than $3 billion in financial penalties in the past decade.
DOJ’s whistleblower program is meant to “fill gaps” and proactively address misconduct that existing federal whistleblower programs do not already cover. In particular, DOJ is focused on criminal abuses of the US financial system, foreign corruption matters outside the jurisdiction of the SEC and domestic corruption matters involving bribes to government officials. DOJ also appears to be heavily focused on privately-owned companies. As examples of cases that would fall within DOJ’s new whistleblower program, DAG Monaco referenced the chief financial officer of a private equity firm forging loan documents or a private technology startup paying bribes to obtain regulatory approvals.
DAG Monaco and AAG Argentieri also made clear that DOJ’s whistleblower program is designed to drive companies to voluntarily self-disclose misconduct and to do so quickly. Whistleblowers can only obtain an award by providing original information, and companies can only obtain the benefits of DOJ’s voluntary self-disclosure program if they are “first in the door.” As DAG Monaco explained, “[w]hen everyone needs to be first in the door, no one wants to be second.” DOJ expects these “incentives to reinforce each other and multiplier effect, encouraging both companies and individuals to tell us what they know as soon as they know it.”
DAG Monaco and AAG Argentieri said DOJ will offer payments to whistleblowers under the following conditions:
- Only after all victims have been properly compensated
- Only to those who submit truthful information not already known to the government
- Only when the information is provided voluntarily and not in response to any government inquiry, preexisting reporting obligation or imminent threat of disclosure
- Only to those not involved in the criminal activity itself
- Only in cases where there is not an existing financial disclosure incentive – such as a qui tam or another applicable federal whistleblower program
Other key details of the forthcoming whistleblower program, however, have yet to be developed or announced. DOJ provided no information regarding the range of potential whistleblower awards, the criteria for determining the amount of a whistleblower award, or who will be ultimately responsible for determining whether an individual is entitled to a whistleblower award. Until these additional details are known, it is difficult to predict whether the program will have a meaningful impact on corporate enforcement going forward.
DOJ’s ‘Carrots and Sticks’ Approach to Corporate Enforcement
Throughout the 2024 White Collar Conference, DOJ officials spoke extensively about DOJ’s ongoing corporate enforcement efforts and policies. AG Garland, DAG Monaco and other officials repeatedly emphasized the need to hold both individuals and corporations accountable for misconduct, while encouraging companies to invest in a culture of compliance and voluntarily self-disclose any misconduct. To achieve these goals, DOJ continues to implement what it refers to as a “carrots and sticks” approach to corporate enforcement.
The “sticks” include aggressive prosecution of the most serious individual and corporate wrongdoers and significant consequences for corporate recidivists. AG Garland noted that DOJ’s “first priority in the area of white collar crime is going after individual bad actors.” He explained that the “greatest deterrence to white collar crime is fear of individual prosecutions of executives.” DAG Monaco and AAG Argentieri then emphasized convictions DOJ has recently obtained against individual corporate executives, including the convictions of FTX’s CEO Samuel Bankman-Fried and Binance’s CEO Changpeng Zhao. DAG Monaco, AAG Argentieri and other officials also spoke repeatedly about the need to address corporate recidivism, with increased financial penalties for companies with a history of past misconduct.
As for the “carrots,” DAG Monaco highlighted the benefits of DOJ’s voluntary self-disclosure (VSD) programs, touting the single corporate VSD policy for all US Attorney’s Offices nationwide that was rolled out last year. Voluntary self-disclosure remains at the core of DOJ’s corporate enforcement efforts. DAG Monaco’s mantra for corporations that discover misconduct is to “step up and own up,” encouraging disclosure first and foremost if they desire the most beneficial treatment considerations, including declination, non-prosecution agreements and deferred prosecution agreements, and substantially reduced monetary penalties. She, however, noted that even if DOJ discovers misconduct in the absence of company disclosure, cooperation and remediation remain valuable considerations for DOJ in the process of resolution.
DOJ believes its “carrots and sticks” approach is working. AAG Argentieri noted that DOJ has already seen “substantial year-over-year increases in disclosures” from companies to DOJ’s fraud section, with nearly twice as many disclosures in 2023 as in 2021.
DOJ’s Current Enforcement Priorities
AG Garland, DAG Monaco and other officials also discussed a number of DOJ’s ongoing enforcement priorities. In addition to traditional financial crimes, government officials repeatedly referenced AI, cryptocurrency, data security and sanctions.
DOJ and other government officials focused heavily on AI throughout the 2024 White Collar Conference. AG Garland observed that AI demonstrates great promise, but it has evolved with equally great risk, particularly in accelerating cyberattacks, advancing fraud and enhancing national security threats. DOJ will be hiring experts in computer science and technology to address AI capabilities and enforcement concerns. DAG Monaco also noted that federal prosecutors will seek penalty enhancements if AI is used to further criminal activity.
Assistant Attorney General for National Security, Matthew Olsen, emphasized the importance of sensitive data security as a crucial measure to protect US national security interests. Citing President Joe Biden’s recent Executive Order that grants authority to DOJ to issue regulations to strengthen security protections for Americans’ bulk sensitive data, including personal, health and financial data, AAG Olsen encouraged companies to have a clear understanding of the data that they have collected for their businesses and how it is safeguarded, where that data is being transmitted, who has access to the data, and where the data will potentially be shared, through sales or otherwise.
AAG Olsen also noted that corporations “are on the front lines when it comes to enforcing critical national security tools, like sanctions and export controls.” AAG Olsen said that the National Security Division has more than “doubled the number of prosecutors working on sanctions, export control, and foreign agent laws” and “brought on two veteran prosecutors to serve as the division’s first ever chief and deputy chief counsel for corporate enforcement.”
DOJ and other government agencies remain focused on fraud involving cryptocurrency. As noted above, AAG Argentieri highlighted the recent FTX and Binance convictions. And SEC’s Director of Enforcement, Gurbir Grewal, and CFTC’s Director of Enforcement, Ian McGinley, both addressed their agencies’ ongoing enforcement efforts regarding cryptocurrency.
KEY TAKEAWAYS
- DOJ is aggressively encouraging companies to voluntarily self-disclose misconduct and to do so at the earliest possible opportunity. DOJ clearly expects the threat of increased whistleblower activity to further pressure companies to voluntarily self-disclose misconduct.
- While the new whistleblower program underscores DOJ’s efforts to incentivize self-disclosure, it is unclear whether the program will have a meaningful impact on enforcement. Rewards will only be available to individuals with no involvement in the alleged misconduct and only after all victims have been paid. These limitations could substantially reduce the financial incentives for potential whistleblowers to come forward and report wrongdoing.
- Companies that do not voluntarily self-report misconduct should expect DOJ to seek harsher financial penalties going forward. Throughout the 2024 White Collar Conference, government officials explained that financial penalties cannot become “the cost of doing business” and noted that increased penalties may be necessary to deter future misconduct.
- A well-designed and robust corporate compliance program is critical in the current enforcement environment, where DOJ is actively encouraging whistleblowers to come to DOJ first. Companies should ensure that their compliance programs are designed to proactively identify misconduct which is then investigated and remediated so that self-disclosure is at least an option.
- DOJ increasingly views corporate enforcement as a national security issue. Companies can expect DOJ to continue to focus on sanctions and export control violations.
- DOJ recognizes both the promise and perils of AI. DOJ officials expressed growing concern about the use of AI to commit sophisticated financial fraud, as well as cybercrimes that manipulate data and threaten national security interests. If AI is uncovered as part of corporate misconduct, federal prosecutors are likely to pursue enhanced penalties. Companies should continuously monitor fraud prevention strategies and data security protocols to identify and address evolving risks associated with disruptive technologies like AI.
The AI Act: The EU’s Bid to Set the Global Standard for AI Regulation
Rosa Barcelo | Romain Perray | Lorraine Maisnier-Boché | Simon Mortier
In a groundbreaking move, the European Union has launched its bid to set the new comprehensive standard for the regulation of artificial intelligence (AI) with the European Parliament passing the EU AI Act on March 13, 2024. This pioneering legislation, set to come into effect in the coming years, ushers in a new era in AI regulation and stands as a testament to the EU’s commitment to ensuring a subtle balance between safe, ethical, and innovative use of AI.
In this article we will first explore the eleven key aspects of the EU AI Act, offering an in-depth look at its broad scope and essential requirements, including its interplay with the EU General Data Protection Regulation (GDPR), and how businesses can leverage their existing GDPR compliance programs to meet the EU AI Act’s requirements.
We will then dive into five key takeaways focusing on the key points and actionable steps you can take to navigate the evolving landscape of AI regulation and the EU AI Act in particular.
IN DEPTH
Eleven Key Aspects of the EU AI Act
The EU AI Act introduces several pivotal provisions that will significantly impact the regulatory framework of AI. Most significantly these include:
1. Broad Scope and Specific Exclusions: The EU AI Act is intended as a horizontal regulation and provides a comprehensive definition of AI systems, applicable to a wide array of applications in sectors such as healthcare, finance, public administration, and consumer technologies. Drawing from the OECD’s definition, the Act describes an AI system as “a machine-based system designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments”. As inclusive as the GDPR in order to ensure the highest level of protection possible, this definition aims to encompass the diversity in AI systems’ levels of autonomy and adaptability after their initial deployment.
At the same time, the Act makes it clear that it does not apply to areas outside the scope of EU law, including national security and defense, and excludes AI models and systems used solely for research, innovation, or for non-professional purposes.
2. Extraterritorial Effect: The AI Act will apply not only within the EU but also to entities outside its borders. This includes non-EU providers placing AI systems or models on the EU market, those putting AI systems into service within the EU, and cases where the output of an AI system located outside the EU is used within its borders. In this respect, the AI Act aligns with both the GDPR and the other acts in the new EU digital package to which it belongs, although from a distinctive angle: it is the only one that directly governs technologies, whereas the others focus on data usage.
3. Risk-Based Approach: The Act employs a structured, risk-based approach to AI regulation, organizing AI systems into four categories based on their potential risk levels: Prohibited AI, High-Risk AI, Limited Risk AI, and Minimal Risk AI. This system ensures that stricter regulatory measures are applied to AI applications with higher potential risks, particularly those used in critical areas such as healthcare or infrastructure. Conversely, AI systems with minimal risk are subject to less rigorous requirements. This tiered model is designed to balance the necessity of safeguarding user safety and privacy rights with the goal of fostering innovation in lower-risk AI technologies.
4. Prohibited AI and Law Enforcement Exemptions: The EU AI Act sets clear boundaries by prohibiting certain AI applications that pose risks to privacy, ethics, and fundamental rights. Again following the GDPR quite closely these include:
- Subliminal Techniques: The use of manipulative or deceptive techniques that significantly distort behavior and impair informed decision-making.
- Exploiting Vulnerabilities: AI systems that exploit vulnerabilities related to age, disability, or socio-economic circumstances.
- Biometric Categorization: Systems inferring sensitive attributes from biometric data, such as racial or ethnic origin, political opinions, religious beliefs, or sexual orientation.
- Social Scoring: Evaluation or classification of individuals based on social behavior or personal characteristics, leading to detrimental treatment of individuals.
- Predictive Policing: Assessing the risk of an individual committing criminal offenses based solely on profiling or personality traits.
- Facial Recognition Databases: Compiling databases through untargeted scraping of facial images from the internet or CCTV footage.
- Emotion Inference: Inferring emotions in workplaces or educational institutions, except for AI systems used for medical or safety reasons.
In the context of law enforcement, the Act generally restricts the use of real-time biometric identification in public spaces, allowing it only under limited, pre-authorized circumstances.
5. High-Risk AI Systems and Key Requirements: The EU AI Act identifies high-risk AI systems as those critical to sectors such as healthcare, transportation, HR management, education, essential public services, and systems influencing democratic processes. It categorizes these into two main groups:
- Annex II Systems: AI systems acting as safety components of products or as standalone products, which are subject to EU laws already requiring a conformity assessment. These are typically associated with high-risk and regulated products (medical devices, machinery, protective equipment, etc.).
- Annex III Systems: AI systems designed for specific purposes such as biometrics (excluding banned types), critical infrastructure, educational and vocational training tools, employment and workers’ management systems, essential services access (including credit scoring and insurance pricing), law enforcement, migration and border control, and the administration of justice and democratic processes.
The Act mandates comprehensive obligations for providers and deployers of these systems, covering governance measures and technical interventions necessary from the design stage through the entire lifecycle. This includes ensuring CE marking, transparency, accountability, technical documentation, data governance, human oversight, and maintaining accuracy, robustness, and cybersecurity. Providers of these systems will have to report serious incidents to market surveillance authorities.
Despite recent efforts to refine the scope and introduce exemptions for certain AI systems, ambiguities in classification remain. To address this, companies are advised to maintain high governance standards for all AI systems in use. The EU Commission will provide further classification guidelines within 18 months of the Act’s entry into force, aiming for clarity and consistency in high-risk AI system regulation.
Interestingly, the AI Act also allows, where strictly necessary and under additional conditions, the processing of special categories of personal data, such as ethnicity, for the purpose of ensuring bias detection and correction in relation to high-risk AI systems. Because this processing feeds such systems, it will also remain subject to the GDPR, under which it will be allowed for purposes of substantial public interest within the meaning of Article 9(2)(g).
6. Limited/Minimal Risk AI: Under the EU AI Act, AI systems categorized at the lower risk levels are subject to specific transparency and identification requirements. This primarily targets AI technologies that engage directly with users, mandating that any synthetic content produced, be it audio, visual, or textual, must be clearly labeled in a way that machines can recognize as artificially created or altered. Providers are responsible for the efficacy, compatibility, and dependability of these labeling mechanisms. Additionally, the Act imposes obligations on AI functionalities such as emotion detection, biometric sorting, AI-generated content, deep fakes, or the alteration of significant textual content, to ensure they are transparently marked and made detectable in order to uphold transparency and prevent misinformation. Regarding Generative AI applications specifically, individuals must be clearly informed when they are interacting with systems such as chatbots and content generation tools. For AI systems deemed to pose minimal risk, the Act envisages the adoption of voluntary best practices through future codes of conduct.
7. General Purpose AI: The EU AI Act introduces specific requirements for General Purpose AI (GPAI) Models, generally known as Foundation Models, which are defined as those “capable to competently perform a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications”. GPAI was not expressly considered in the initial draft of the AI Act, and the risk-based approach, which keys on an AI system’s intended purpose and application, risked leaving the underlying foundation models uncovered. GPAI became a bone of contention, discussed until the last stages of negotiation of the Act, because of the specific risks it presents for users’ fundamental rights and safety. The Act thus focuses on GPAI transparency and accountability. All GPAI models, such as those used for broad applications, are required to provide extensive technical documentation and summaries of training data, and to adhere to copyright and intellectual property safeguards. Models released under an open-source license are considered as already ensuring high levels of transparency and benefit from exemptions. For high-impact GPAI models, i.e., those that pose systemic risks, the Act mandates additional stringent requirements, including thorough model evaluations, comprehensive risk assessments, adversarial testing, and incident reporting.
8. Innovation-Friendly Ecosystem: To nurture innovation, the Act introduces measures such as regulatory sandboxes and provisions for real-world testing. These initiatives intend to benefit SMEs and startups, offering them the flexibility to experiment and refine their AI systems within a controlled environment before wider deployment. This approach recognizes the dynamic nature of AI development and seeks to provide a supportive ecosystem for emerging AI innovations.
9. The interplay between the EU AI Act and the GDPR: AI systems that process personal data will be subject to both the GDPR and the EU AI Act (and to the respective fines in case of violations). Both acts lay down requirements with strong commonalities. A key question is whether it is possible to leverage compliance efforts, and if so, how. For instance, under the GDPR, data controllers are required to carry out a data protection impact assessment (DPIA) in certain circumstances, whereas under the EU AI Act, providers/users of high-risk AI systems have to carry out DPIAs, which, among other things, need to consider privacy risks. In line with the effective explainability and transparency principles – which are the cornerstones of trustworthy AI systems – the EU AI Act imposes requirements to inform individuals when they interact with AI systems (e.g., chatbots and content generation tools).
10. Penalties and Enforcement: The EU AI Act establishes a comprehensive framework for penalties and enforcement. Fines for violations are scaled, with up to 7% of global annual turnover or EUR 35 million for prohibited AI violations, up to 3% for other breaches, and up to 1.5% or EUR 7.5 million for supplying incorrect information, including specific caps for SMEs and startups. Enforcement will be coordinated through a newly established central ‘AI Office’ and ‘AI Board’ at the EU level, complemented by market surveillance authorities in each EU country, ensuring a balanced and effective application of the Act across all member states.
11. Entry into force: The AI Act will start applying gradually: prohibited AI will be banned six months after the Act enters into force; the Act will start applying to GPAI one year after entry into force, to high-risk AI systems of Annex III two years after entry into force, and to high-risk AI systems already covered by other EU regulations mandating a third-party conformity assessment three years after entry into force.
Five Takeaways on the EU AI Act
The above compilation of key aspects is intended to serve as a useful starting point to inform proactive steps legal and compliance managers as well as DPOs can take to position their companies and their teams for success. Below, we are sharing five key takeaways for businesses to prepare for the rapidly evolving risks and challenges posed by AI:
1. Comprehensive Impact Assessment and Compliance Evaluation: Businesses should conduct a thorough assessment to understand how the AI Act will affect their operations. This evaluation should cover not just mapping and identifying high-risk AI systems but also the wider range of entities involved in AI deployment, distribution, or usage. It’s important to review existing governance frameworks to ensure they align with the Act’s requirements. Additionally, organizations should proactively examine how the AI Act might impact their daily operations and, specifically, systems already covered by other EU mandatory conformity assessments (medical devices, machinery, protective equipment, etc.). This requires gaining a comprehensive understanding of the legal, technological, and ethical aspects of AI to facilitate responsible integration and usage within the organization.
2. Developing a Robust AI Governance Program: It’s essential for organizations to develop an AI governance program that integrates the AI Act’s requirements with broader business strategies and objectives. This program should cover risk management, privacy, ethics, data governance, intellectual property, safety, and security, among others, and adapt existing policies and procedures to meet the new standards. Organizations of any type, and particularly businesses in tech- and data-driven industries, should assess how to leverage their existing GDPR compliance programs to also meet most, if not all, of the AI Act’s requirements. The role of the board in overseeing AI use within the organization is also a critical consideration.
3. Global Coordination and Voluntary Initiatives: Businesses, above all, should pay close attention to international efforts to harmonize AI regulations, including the EU’s collaborations with global bodies and initiatives. In this regard, the EU Commission has initiated an ‘AI Pact’, encouraging organizations to anticipate the AI Act by voluntarily sharing their internal guidelines, processes and concrete actions carried out to address the AI Act requirements, and by testing their solutions within the community. Participating in such voluntary commitments to implement the AI Act’s requirements ahead of deadlines can position organizations as leaders in ethical AI use and governance.
4. Proactive Adaptation and Compliance Strategy: With the regulatory landscape rapidly evolving, businesses need to be agile, ready to update their AI strategies and compliance programs as new guidelines and requirements emerge. Starting early on this adaptation process will help mitigate risks and liabilities and ensure compliance. Keeping an eye on regulatory developments in the EU (including the AI Act delegated / implementing acts and guidance), the UK, the US, and other regions further along in AI regulation is vital for a comprehensive compliance effort.
5. Engagement and Transparency: Collaboration with regulators, transparent communication, and fostering global harmonization are critical for successful AI governance. Businesses should also consider public engagement and transparency in their AI operations as part of their compliance and risk management strategies. This includes clear communication about AI’s role and impact within the organization and ensuring that AI technologies are deployed in a way that is ethical, responsible, and aligned with societal values. From a more operational standpoint, it would also make sense to combine, as far as possible, the information that must be provided to individuals under the GDPR and the EU AI Act respectively.
The EU AI Act: The EU’s Bid to Set a Global Standard for AI Regulation
Rosa Barcelo | Romain Perray | Lorraine Maisnier-Boché | Simon Mortier
In a landmark move, the European Union (EU) began its effort to set a new comprehensive standard for the regulation of artificial intelligence (AI) when the European Parliament approved the EU AI Act on 13 March 2024. This pioneering law, which will be implemented over the coming years, opens a new era of AI regulation and stands as testament to the EU’s commitment to striking a delicate balance between the safety, ethics and innovative use of AI.
In this article, we first explore the 11 key aspects of the EU AI Act, looking closely at its broad scope and mandatory requirements, including its interplay with the EU General Data Protection Regulation (GDPR), and explain how companies can leverage their existing GDPR compliance programs to meet the requirements of the EU AI Act.
We then present five key points, focusing on key considerations and actionable steps for navigating the ever-evolving regulation of AI, and the EU AI Act in particular.
In Depth
11 Key Aspects of the EU AI Act
The EU AI Act introduces several important provisions that have a major impact on the regulatory framework for AI. The most important are as follows.
1. Broad Scope and Specific Exclusions: The EU AI Act is a horizontal regulation and provides a comprehensive definition of AI systems that applies broadly across sectors such as healthcare, finance, public administration and consumer technology. Drawing on the OECD definition, the Regulation describes an AI system as “a machine-based system designed to operate with varying levels of autonomy, that may exhibit adaptiveness after deployment, and that infers, from the input it receives, how to generate outputs such as predictions, content, recommendations or decisions that can influence physical or virtual environments, for explicit or implicit objectives”. To ensure the highest possible level of protection, the definition is comprehensive, as is that of the GDPR, and is intended to encompass the full range of levels of autonomy and adaptiveness of AI systems.
At the same time, the Regulation makes clear that it does not apply to areas outside the scope of EU law, such as national security and defence, and that AI models and systems used solely for research and innovation, or used for non-business purposes, are excluded.
2. Extraterritorial Application: The AI Act applies not only within the EU but also to entities outside it. This includes operators outside the EU that place AI systems or models on the EU market, operators that put AI systems into operation within the EU, and cases where the output of an AI system located outside the EU is used within the EU. In this respect the AI Act is aligned with the GDPR and with the other laws of the new EU digital package (to which the AI Act belongs), but in contrast to those other laws, which focus merely on the use of data, it holds a special position as the only law that directly governs the technology itself.
3. Risk-Based Approach: The Regulation adopts a structured, risk-based approach to AI regulation, organizing AI systems into four categories according to their potential level of risk: prohibited AI, high-risk AI, limited-risk AI and minimal-risk AI. Under this system, AI applications with higher potential risk, such as those used in critical sectors like healthcare and infrastructure, are subject to stricter regulatory measures. Conversely, AI systems with minimal risk are not subject to such stringent requirements. This tiered model is designed to balance the need to protect users’ safety and privacy rights against the goal of promoting innovation in low-risk AI technologies.
4. Prohibited AI and Law-Enforcement Exemptions: The EU AI Act draws clear boundaries by prohibiting specific AI applications that pose risks to privacy, ethics and fundamental rights. Here too it takes a form very close to the GDPR; specifically, the prohibitions include the following.
- Subliminal techniques: The use of manipulative or deceptive techniques that materially distort behaviour and impair informed decision-making.
- Exploitation of vulnerabilities: AI systems that exploit vulnerabilities related to age, disability or socio-economic situation.
- Biometric categorisation: Systems that infer sensitive attributes such as race or ethnic origin, political opinions, religious beliefs or sexual orientation from biometric data.
- Social scoring: Evaluating or classifying individuals on the basis of their social behaviour or personal characteristics, resulting in unfavourable treatment of those individuals.
- Predictive policing: Assessing an individual’s risk of committing a criminal offence based solely on profiling or personality traits.
- Facial recognition databases: Scraping facial images from the internet or CCTV footage to build databases.
- Emotion inference: Inferring emotions in workplaces or educational institutions, except for AI systems used for medical or safety reasons.
In the law-enforcement context, the Regulation generally restricts the use of real-time biometric identification in public spaces, permitting it only in limited, pre-authorised situations.
5. High-Risk AI and Key Requirements: The EU AI Act treats high-risk AI systems as integral to sectors such as healthcare, transport, HR management, education, essential public services and systems affecting democratic processes. These are classified into two main groups:
- Annex II Systems: AI systems that function as safety components of products or as standalone products and that are already subject to a mandatory conformity assessment under EU law. These are typically associated with high-risk regulated products (medical devices, machinery, protective equipment, etc.).
- Annex III Systems: AI systems designed for specific purposes such as biometrics (excluding the prohibited types), critical infrastructure, educational and vocational training tools, employment and worker management systems, access to essential services (including credit scoring and insurance pricing), law enforcement, migration and border control, and the administration of justice and democratic processes.
The Regulation imposes comprehensive obligations on the providers and deployers of such systems, covering the governance measures and technical interventions required from the design stage and throughout the entire lifecycle. These include securing CE marking, transparency, accountability, technical documentation, data governance, human oversight, and maintaining accuracy, robustness and cybersecurity. Providers of these systems must report serious incidents to the market surveillance authorities.
Although efforts have recently been made to narrow the scope and to introduce exemptions for certain AI systems, ambiguities in classification remain. To address this, companies are advised to maintain high governance standards for all AI systems in use. The EU Commission plans to issue further classification guidelines within 18 months of the Regulation’s entry into force, aiming for clarity and consistency in the regulation of high-risk AI systems.
Interestingly, the EU AI Act also permits, where strictly necessary and where additional conditions are met, the processing of special categories of personal data, such as ethnicity, for the purpose of ensuring bias detection and correction in relation to high-risk AI systems. Where such data is fed into these systems, its processing is subject to the GDPR, under which it is permitted for purposes of substantial public interest within the meaning of Article 9(2)(g).
6. é™å®šçš„ãªãƒªã‚¹ã‚¯ã®AIã€æœ€å°ãƒªã‚¹ã‚¯ã®AI: EU AI法ã§ã¯ã€ã‚ˆã‚Šä½Žã„リスクレベルã«åˆ†é¡žã•ã‚Œã‚‹AIシステムã¯ã€ç‰¹å®šã®é€æ˜Žæ€§ã¨è˜åˆ¥è¦ä»¶ã®å¯¾è±¡ã¨ãªã‚‹ã€‚ã“ã‚Œã¯ä¸»ã«ãƒ¦ãƒ¼ã‚¶ãƒ¼ã¨ç›´æŽ¥é–¢ã‚ã‚‹AI技術を対象ã¨ã—ãŸã‚‚ã®ã§ã€éŸ³å£°ã€è¦–覚ã€ãƒ†ã‚ストをå•ã‚ãšã€ç”Ÿæˆã•ã‚Œã‚‹åˆæˆã‚³ãƒ³ãƒ†ãƒ³ãƒ„ã«ã¯ã€äººå·¥çš„ã«ä½œæˆã¾ãŸã¯æ”¹å¤‰ã•ã‚ŒãŸã‚‚ã®ã§ã‚ã‚‹ã¨æ©Ÿæ¢°ãŒèªè˜ã§ãるよã†ãªæ˜Žç¢ºãªãƒ©ãƒ™ãƒ«ä»˜ã‘ãŒç¾©å‹™ä»˜ã‘られã¦ã„る。プãƒãƒã‚¤ãƒ€ãƒ¼ã¯ã€ã“ã®ã‚ˆã†ãªãƒ©ãƒ™ãƒªãƒ³ã‚°ãƒ¡ã‚«ãƒ‹ã‚ºãƒ ã®æœ‰åŠ¹æ€§ã€äº’æ›æ€§ã€ä¿¡é ¼æ€§ã«è²¬ä»»ã‚’è² ã†ã€‚ã•ã‚‰ã«æœ¬è¦å‰‡ã¯ã€æ„Ÿæƒ…èªè˜ã€ç”Ÿä½“èªè¨¼ã«ã‚ˆã‚‹é¸åˆ¥ã€AIãŒç”Ÿæˆã—ãŸã‚³ãƒ³ãƒ†ãƒ³ãƒ„ã€ãƒ‡ã‚£ãƒ¼ãƒ—フェイクã€é‡è¦ãªãƒ†ã‚ストコンテンツã®æ”¹å¤‰ã¨ã„ã£ãŸAIã®æ©Ÿèƒ½ã«å¯¾ã—ã¦ã€é€æ˜Žæ€§ã‚’ç¶æŒã—èª¤å ±ã‚’é˜²æ¢ã™ã‚‹ãŸã‚ã«ã€ãれらã®ç‰¹å¾´ãŒé€æ˜Žæ€§ã‚’ã‚‚ã£ã¦è¡¨ç¤ºã•ã‚Œã€æ¤œå‡ºå¯èƒ½ã§ã‚ã‚‹ã“ã¨ã‚’ä¿è¨¼ã™ã‚‹ç¾©å‹™ã‚’課ã—ã¦ã„る。特ã«ç”ŸæˆAIアプリケーションã«ã¤ã„ã¦ã¯ã€ãƒãƒ£ãƒƒãƒˆãƒœãƒƒãƒˆã‚„コンテンツ生æˆãƒ„ールãªã©ã¨å¯¾è©±ã™ã‚‹éš›ã«ã¯ã€å€‹äººã«æ˜Žç¢ºã«é€šçŸ¥ã—ãªã‘ã‚Œã°ãªã‚‰ãªã„。最å°é™ã®ãƒªã‚¹ã‚¯ã ã¨åˆ¤æ–ã•ã‚ŒãŸAIシステムã«ã¤ã„ã¦ã¯ã€å°†æ¥ã®è¡Œå‹•è¦ç¯„を通ã˜ã¦è‡ªä¸»çš„ãªãƒ™ã‚¹ãƒˆãƒ—ラクティスを採用ã™ã‚‹ã“ã¨ã‚’想定ã—ã¦ã„る。
7. 汎用AI: EU AI法ã¯ã€ä¸€èˆ¬çš„ã«ãƒ•ã‚¡ã‚¦ãƒ³ãƒ‡ãƒ¼ã‚·ãƒ§ãƒ³ãƒ¢ãƒ‡ãƒ«ã¨ã—ã¦çŸ¥ã‚‰ã‚Œã‚‹æ±Žç”¨AI(General Purpose AI)モデルã«å¯¾ã™ã‚‹å…·ä½“çš„ãªè¦ä»¶ã‚’å°Žå…¥ã—ã¦ã„る。汎用AIモデルã¨ã¯ã€ã€Œå¸‚å ´ã«æŠ•å…¥ã•ã‚Œã‚‹æ–¹æ³•ã«é–¢ä¿‚ãªãã€å¹…広ã„明確ãªã‚¿ã‚¹ã‚¯ã‚’有能ã«å®Ÿè¡Œã§ãã€æ§˜ã€…ãªãƒ€ã‚¦ãƒ³ã‚¹ãƒˆãƒªãƒ¼ãƒ システムやアプリケーションã«çµ±åˆã§ãã‚‹ã‚‚ã®ã€ã¨å®šç¾©ã•ã‚Œã¦ã„る。汎用AIã¯ã€å½“åˆã®AI法è‰æ¡ˆã§ã¯æ˜Žç¢ºã«è€ƒæ…®ã•ã‚Œã¦ã„ãªã‹ã£ãŸãŒã€AIã®ç›®çš„ã¨ç”¨é€”ã«åŸºã¥ãリスクベースã®ã‚¢ãƒ—ãƒãƒ¼ãƒã‚’採用ã™ã‚‹ã“ã¨ã«ã‚ˆã£ã¦ã€åŸºç¤Žã¨ãªã‚‹ãƒ¢ãƒ‡ãƒ«ã‚’ã‚«ãƒãƒ¼ã—ãªã„リスクãŒç”Ÿã˜ãŸã€‚汎用AIã¯ã€ãƒ¦ãƒ¼ã‚¶ãƒ¼ã®åŸºæœ¬çš„権利ã¨å®‰å…¨æ€§ã«å…·ä½“çš„ãªãƒªã‚¹ã‚¯ã‚’ã‚‚ãŸã‚‰ã™ãŸã‚ã€æœ¬è¦å‰‡ã®äº¤æ¸‰ã®æœ€çµ‚段階ã¾ã§è°è«–ã•ã‚ŒãŸäº‰ç‚¹ã¨ãªã£ãŸã€‚ãã®ãŸã‚本è¦å‰‡ã¯ã€æ±Žç”¨AIã®é€æ˜Žæ€§ã¨èª¬æ˜Žè²¬ä»»ã‚’é‡è¦–ã—ã¦ã„る。幅広ã„用途ã«ä½¿ç”¨ã•ã‚Œã‚‹ã‚ˆã†ãªã™ã¹ã¦ã®æ±Žç”¨AIモデルã¯ã€åŒ…括的ãªæŠ€è¡“文書ã€ãƒˆãƒ¬ãƒ¼ãƒ‹ãƒ³ã‚°ãƒ‡ãƒ¼ã‚¿ã®è¦ç´„ã‚’æä¾›ã—ã€è‘—作権ãŠã‚ˆã³çŸ¥çš„財産ã®ä¿è·æŽªç½®ã‚’éµå®ˆã™ã‚‹ã“ã¨ãŒæ±‚ã‚られる。オープンソースライセンスã®ã‚‚ã¨ã§å…¬è¡¨ã•ã‚Œã‚‹ãƒ¢ãƒ‡ãƒ«ã¯ã€ã™ã§ã«é«˜ã„é€æ˜Žæ€§ãŒç¢ºä¿ã•ã‚Œã¦ã„ã‚‹ã¨ã¿ãªã•ã‚Œã€å…除ã®æ©æµã‚’å—ã‘る。影響力ã®å¤§ãã„汎用AIモデルã€ã™ãªã‚ã¡ã‚·ã‚¹ãƒ†ãƒŸãƒƒã‚¯ãƒ»ãƒªã‚¹ã‚¯ã‚’ã‚‚ãŸã‚‰ã™ãƒ¢ãƒ‡ãƒ«ã«ã¤ã„ã¦ã€æœ¬è¦å‰‡ã¯ã€å¾¹åº•ã—ãŸãƒ¢ãƒ‡ãƒ«è©•ä¾¡ã€åŒ…括的ãªãƒªã‚¹ã‚¯è©•ä¾¡ã€æ•µå¯¾çš„テストã€ã‚¤ãƒ³ã‚·ãƒ‡ãƒ³ãƒˆå ±å‘Šãªã©ã€ã•ã‚‰ã«åŽ³ã—ã„è¦ä»¶ã‚’義務付ã‘ã¦ã„る。
8. イノベーションã«é©ã—ãŸã‚¨ã‚³ã‚·ã‚¹ãƒ†ãƒ : イノベーションを育むãŸã‚ã€æœ¬è¦å‰‡ã¯è¦åˆ¶ä¸Šã®ã‚µãƒ³ãƒ‰ãƒœãƒƒã‚¯ã‚¹ã‚„実環境ã§ã®ãƒ†ã‚¹ãƒˆã«é–¢ã™ã‚‹è¦å®šãªã©ã®æŽªç½®ã‚’å°Žå…¥ã—ã¦ã„る。ã“れらã®ã‚¤ãƒ‹ã‚·ã‚¢ãƒ†ã‚£ãƒ–ã¯ã€ä¸å°ä¼æ¥ã‚„スタートアップä¼æ¥ã«åˆ©ç›Šã‚’ã‚‚ãŸã‚‰ã™ã“ã¨ã‚’æ„図ã—ã¦ãŠã‚Šã€ã‚ˆã‚Šåºƒç¯„ãªå±•é–‹ã®å‰ã«ã€ç®¡ç†ã•ã‚ŒãŸç’°å¢ƒå†…ã§AIシステムを実験ã—ã€æ”¹è‰¯ã™ã‚‹æŸ”軟性をæä¾›ã™ã‚‹ã€‚ã“ã®ã‚¢ãƒ—ãƒãƒ¼ãƒã¯ã€AI開発ã®ãƒ€ã‚¤ãƒŠãƒŸãƒƒã‚¯ãªæ€§è³ªã‚’èªè˜ã—ã€æ–°ãŸãªAIイノベーションを支æ´ã™ã‚‹ã‚¨ã‚³ã‚·ã‚¹ãƒ†ãƒ ã‚’æä¾›ã—よã†ã¨ã™ã‚‹ã‚‚ã®ã§ã‚る。
9. EU AI法ã¨GDPRã®ç›¸äº’作用: 個人データをå–扱ã†AIシステムã¯ã€GDPRã¨EU AI法ã®ä¸¡æ–¹ã®å¯¾è±¡ã¨ãªã‚‹ï¼ˆé•åã—ãŸå ´åˆã¯ãã‚Œãžã‚Œã®ç½°é‡‘ãŒç§‘ã•ã‚Œã‚‹ï¼‰ã€‚ãµãŸã¤ã®è¦å‰‡ã¯ã€ã„ãã¤ã‹ã®å…±é€šã™ã‚‹è¦ä»¶ã‚’定ã‚ã¦ã„る。é‡è¦ãªèª²é¡Œã¯ã€ã‚³ãƒ³ãƒ—ライアンスã¸ã®å–り組ã¿ã‚’活用ã™ã‚‹ã“ã¨ãŒå¯èƒ½ã‹ã©ã†ã‹ã€å¯èƒ½ãªå ´åˆã©ã®ã‚ˆã†ã«æ´»ç”¨ã™ã‚‹ã‹ã§ã‚る。例ãˆã°ã€GDPR上ã€ãƒ‡ãƒ¼ã‚¿ç®¡ç†è€…ã¯ç‰¹å®šã®çŠ¶æ³ä¸‹ã«ãŠã„ã¦ã¯ãƒ‡ãƒ¼ã‚¿ä¿è·å½±éŸ¿è©•ä¾¡ï¼ˆDPIA)を実施ã™ã‚‹ã“ã¨ãŒç¾©å‹™ä»˜ã‘られã¦ã„ã‚‹ã®ã«å¯¾ã—ã€EU AI法ã§ã¯ã€é«˜ãƒªã‚¹ã‚¯ã®AIシステムã®ãƒ—ãƒãƒã‚¤ãƒ€ãƒ¼ï¼ãƒ¦ãƒ¼ã‚¶ãƒ¼ã¯DPIAを実施ã—ãªã‘ã‚Œã°ãªã‚‰ãšã€ç‰¹ã«ãƒ—ライãƒã‚·ãƒ¼ãƒªã‚¹ã‚¯ã‚’考慮ã™ã‚‹å¿…è¦ãŒã‚ã‚‹ã€‚ä¿¡é ¼ã§ãã‚‹AIシステムã®åŸºç¤Žã¨ãªã‚‹åŠ¹æžœçš„ãªèª¬æ˜Žå¯èƒ½æ€§ã¨é€æ˜Žæ€§ã®åŽŸå‰‡ã«æ²¿ã£ã¦ã€EU AI法ã¯ã€AIシステム(ãƒãƒ£ãƒƒãƒˆãƒœãƒƒãƒˆã‚„コンテンツ生æˆãƒ„ールãªã©ï¼‰ã¨å¯¾è©±ã™ã‚‹éš›ã«å€‹äººã«æƒ…å ±ã‚’æä¾›ã™ã‚‹è¦ä»¶ã‚’課ã—ã¦ã„る。
10. 罰則ã¨æ³•åŸ·è¡Œ: EU AI法ã¯ã€ç½°å‰‡ã¨åŸ·è¡Œã«é–¢ã™ã‚‹åŒ…括的ãªæž 組ã¿ã‚’確立ã—ã¦ã„る。é•åã«å¯¾ã™ã‚‹ç½°é‡‘ã¯æ®µéšŽçš„ã«è¨å®šã•ã‚Œã€ç¦æ¢ã•ã‚Œã¦ã„ã‚‹AIé•åã«å¯¾ã—ã¦ã¯ã€å…¨ä¸–ç•Œã®å¹´é–“売上高ã®æœ€å¤§7ï¼…ã¾ãŸã¯3,500万ユーãƒã€ãã®ä»–ã®é•åã«å¯¾ã—ã¦ã¯æœ€å¤§3ï¼…ã€ä¸æ£ç¢ºãªæƒ…å ±ã®æä¾›ã«å¯¾ã—ã¦ã¯æœ€å¤§1.5ï¼…ã¾ãŸã¯750万ユーãƒã¨ã•ã‚Œã€ä¸å°ä¼æ¥ã‚„スタートアップä¼æ¥ã«å¯¾ã™ã‚‹ç‰¹åˆ¥ãªä¸Šé™ã‚‚è¨ã‘られã¦ã„る。法執行ã¯ã€EUレベルã§æ–°è¨ã•ã‚Œã‚‹ã€ŒAI事務局ã€ã¨ã€ŒAI委員会ã€ã‚’通ã˜ã¦èª¿æ•´ã•ã‚Œã€EUå„国ã®å¸‚å ´ç›£è¦–å½“å±€ã«ã‚ˆã£ã¦è£œå®Œã•ã‚Œã€ã™ã¹ã¦ã®åŠ 盟国ã«ãŠã„ã¦ã€ãƒãƒ©ãƒ³ã‚¹ã®ã¨ã‚ŒãŸåŠ¹æžœçš„ãªæ³•ã®é©ç”¨ã‚’確ä¿ã™ã‚‹ã€‚
11. 効力発生日: EU AI法ã¯æ®µéšŽçš„ã«é©ç”¨ãŒé–‹å§‹ã•ã‚Œã‚‹ã€‚ç¦æ¢ã•ã‚Œã¦ã„ã‚‹AIã¯æœ¬è¦å‰‡ã®ç™ºåŠ¹ã‹ã‚‰6ヵ月後ã«ç¦æ¢ã•ã‚Œã‚‹ãŒã€æ±Žç”¨AI ã«ã¤ã„ã¦ã¯ç™ºåŠ¹ã‹ã‚‰1年後ã€åˆ¥ç´™IIIã®é«˜ãƒªã‚¹ã‚¯ã®AIシステムã«ã¤ã„ã¦ã¯2年後ã€ç¬¬ä¸‰è€…ã«ã‚ˆã‚‹é©åˆæ€§è©•ä¾¡ã‚’義務付ã‘ã‚‹ä»–ã®EUè¦åˆ¶ã§ã™ã§ã«ã‚«ãƒãƒ¼ã•ã‚Œã¦ã„る高リスクã®AIシステムã«ã¤ã„ã¦ã¯3年後ã«é©ç”¨ãŒé–‹å§‹ã•ã‚Œã‚‹ã€‚
Five Key Points on the EU AI Act
Above, we summarised, as key aspects, the steps that legal and compliance officers and DPOs should take to lead their companies and teams to success. Below, we present five points to help businesses prepare for the rapidly evolving risks and challenges posed by AI.
1. Comprehensive Impact Assessment and Compliance Evaluation: Businesses should conduct a thorough assessment to understand how the EU AI Act will affect their operations. This assessment should cover not only the mapping and identification of high-risk AI systems but also the wide range of entities involved in the deployment, distribution and use of AI. It is important to review existing governance frameworks and confirm that they align with the Regulation’s requirements. Businesses should also proactively examine how the EU AI Act might affect their daily operations and, in particular, systems already subject to other EU mandatory conformity assessments (medical devices, machinery, protective equipment, etc.). This requires a comprehensive understanding of the legal, technological and ethical aspects of AI in order to promote responsible integration and use within the organisation.
2. Developing a Robust AI Governance Program: It is essential to establish an AI governance program that integrates the requirements of the EU AI Act into broader business strategies and objectives. Such a program should cover risk management, privacy, ethics, data governance, intellectual property, safety and security, among others, and should adapt existing policies and procedures to meet the new standards. Organisations of any type (and more specifically businesses in high-tech and data-driven industries) should consider how to leverage their existing GDPR compliance programs to meet most, if not all, of the EU AI Act’s requirements. The role of the board in overseeing the use of AI within the organisation is also an important consideration.
3. Global Coordination and Voluntary Initiatives: Businesses should pay close attention to international efforts to harmonise AI regulation, including the EU’s cooperation with global bodies. In this regard, the EU Commission has launched the ‘AI Pact’, encouraging organisations to anticipate the EU AI Act by voluntarily sharing the internal guidelines, processes and concrete actions they implement to address the Act’s requirements, and by testing their solutions within the community. Participating in such voluntary commitments and implementing the EU AI Act’s requirements ahead of the deadlines can position an organisation as a leader in the ethical use and governance of AI.
4. Proactive Adaptation and Compliance Strategy: With the regulatory environment evolving rapidly, businesses need to respond with agility so that they can update their AI strategies and compliance programs as new guidelines and requirements emerge. Starting this adaptation process early will reduce risks and liabilities and help ensure compliance. Monitoring regulatory developments in the EU (including the AI Act, its delegated and implementing acts, and guidance), the UK, the US and other regions where AI regulation is advanced is essential to a comprehensive compliance effort.
5. Engagement and Transparency: Successful AI governance requires collaboration with regulators, transparent communication and the pursuit of global harmonisation. Businesses should also consider public engagement and transparency in their AI operations as part of their compliance and risk management strategies. This includes clear communication about the role and impact of AI within the organisation and ensuring that AI technologies are deployed in a way that is ethical, responsible and aligned with societal values. From a more operational standpoint, it would also make a great deal of sense to combine, as far as possible, the information that must be provided to individuals under the GDPR and the EU AI Act respectively.
Major Developments in US Labor Union Law: Insights for Effectively Navigating Transactions and Operations
Christopher Foster | David Beach
Labor relations in the United States are highly regulated, and the regulatory environment fluctuates greatly with presidential administrations. This reality compounds transactional costs and risks. Nonetheless, Japanese companies with subsidiaries in the United States, or interested in investing, acquiring or establishing operations in the United States, can navigate and overcome these regulatory complexities with strategic planning and execution.
OVERVIEW OF US LABOR LAW
The National Labor Relations Act (NLRA) governs labor relations in the United States by regulating interactions between employees, employers and labor unions. The NLRA is administered by the National Labor Relations Board (NLRB), a federal administrative agency consisting of a five-person board to decide cases and a general counsel who investigates and prosecutes alleged violations of the NLRA.
Members of the NLRB are appointed by the president. Four of the five board positions are split between the country’s two major political parties, with the decisive fifth seat awarded to the same party as the sitting president. The NLRB general counsel is also appointed by the president. As a result, US labor law incurs significant shifts (often 180-degree reversals) between presidential administrations.
There are three key areas of the NLRA that impact business operations in the United States:
- Regulation on how employees form a union
- Regulation on which terms of employment require “bargaining” once a union is formed
- Regulation on what rules and policies employers may implement for their workplaces (including nonunion workplaces)
CURRENT TRENDS IN US LABOR LAW
President Biden campaigned, in large part, on a promise to be “pro-union.” Unsurprisingly, the NLRB – based on his appointments – has followed suit and made major changes to US labor law both by regulation and by decisions in specific cases that favor unionization and impose additional burdens on employers.
These shifts in prior law include the following:
Expediting Union Recognition
One of the NLRA’s primary functions is governing how unions become the legal representative of employees. Until recently, this was only accomplished in one of two ways: (1) The employer voluntarily recognized a union (usually after the union provided proof that a majority of employees wished to join, making an election unnecessary) or (2) a majority of employees voted to join a union through an NLRB-administered secret ballot election. These pathways to recognition have been enshrined in US labor law for decades.
In 2023, however, the current NLRB created a third pathway intended to facilitate unionization. Now, unions are permitted to demand and potentially obtain automatic recognition. Employers receiving a demand for recognition from a union must promptly file an election petition or forfeit their employees’ right to a secret ballot election.
The right to an employee secret ballot election has long been considered fundamental and sacrosanct. This right enables employees to hear their employer’s perspective on voting for or against a union (during the employer’s “campaign”) and the potential implications of doing so. It also allows for the employee to then decide to vote for or against a union representative without fear of coercion or intimidation. Now, the NLRB will potentially force employers to recognize and bargain with a union regardless of the election’s outcome if the NLRB finds any technical campaign infractions in the run-up to that election, including relatively minor ones. In other words, unions may end up obtaining very swift certification (and resulting rights of representation) without an employee secret ballot voting process.
Employers will likely challenge these attempts to undermine secret ballot elections as the primary basis for determining union representation, but these challenges will take time (potentially years) to work their way through the US federal court system. In the meantime, Japanese companies with subsidiaries in the United States or evaluating investment opportunities must account for the reality of expedited union recognition.
Restricting Operational Changes at Unionized Facilities Without Bargaining
A core principle of US labor law is that employers with unionized workforces may not change employment conditions until they complete a bargaining process with the appropriate union. There is, however, one important caveat. Until recently, employers were permitted to take actions consistent with historical practices without bargaining and without union consent.
For example, employers of unionized operations must typically bargain with their employees’ union before implementing any layoffs. However, if the employer was implementing layoffs because of an economic downturn, and it has always implemented layoffs during economic downturns throughout its history, the employer was permitted to implement the layoffs in question without any bargaining, saving time and money.
Now, employers with unionized workforces must bargain with a union on any discretionary decision regardless of the employer’s past practices (outside very limited exceptions). This requirement not only restricts operational freedom but may also create delays and opportunity costs that should be considered well in advance of any major employment-related decision.
Expanding ‘Joint Employer’ Obligations and Liability
On October 27, 2023, the NLRB issued a new rule expanding bargaining obligations and unfair labor practice liability to multiple entities at once. Under US labor law, it is possible for several companies to legally employ the same group of workers at the same time, so long as each company controls key aspects of the workers’ employment. When this is the case, each company is required to bargain with the union representing the workers and all are equally liable for any labor violations. The application of this principle has been limited, however, by the commonsense requirement that each purported joint employer must actually exercise direct control over the employees at issue.
The NLRB’s new rule now considers any company with indirect or reserved authority over workers to be a joint employer (e.g., any company that uses staffing agencies), even if those workers are controlled by another company (i.e., the staffing agency). In other words, any company with a contractual or potential right to control a worker’s employment will be considered a joint employer, even if it never actually exercises any control. This change will extend bargaining obligations, unfair labor practice liability and labor disruptions, including strikes, to companies utilizing staffing agencies and other forms of contracted third-party labor. These arrangements are common in US labor markets and must be accounted for when analyzing operational risks and contingency plans.
Expanding Employer Liability for Unfair Labor Practices
Section 10(c) of the NLRA allows the NLRB to “make whole” any employee subjected to an unfair labor practice. For nearly 80 years, the NLRB’s remedies have largely been restricted to worker reinstatement (if appropriate) and monetary damages equal to the income the employee would have received but did not because of the unfair labor practice, less interim earnings. In December 2022, the NLRB expanded the monetary damages it will award to “all direct and foreseeable pecuniary harms suffered” because of a labor violation, possibly including:
- Out-of-pocket medical expenses incurred after losing employer-sponsored insurance
- Costs associated with securing new health insurance
- Credit card debt incurred due to loss of income
- Compensation for damages to an employee’s credit score
- Fees and expenses for training or coursework required to renew or obtain a new security clearance, certification or professional license
- Expenses related to housing, relocation, transportation and/or childcare
The NLRB’s recent expansion of unfair labor practice remedies likely exceeds its statutory authority and may be struck down by a US court of appeals. Until then, this expansion will increase litigation costs, which unions will try to leverage to extract concessions from employers during bargaining.
NAVIGATING LABOR RISKS FOR SUBSIDIARIES AND TRANSACTIONS IN THE UNITED STATES
Japanese companies evaluating US subsidiary operations, investments or operational opportunities in the United States should consider the burdens and impacts of the NLRB’s new agenda. While these costs and risks are potentially significant, these can be overcome through careful analysis and forward planning.
For currently unionized operations of a subsidiary or investment target, it is important to develop a full and accurate understanding of the past and current labor relations of the relevant workforces. This includes determining whether the relationship with the union is cordial or hostile as well as how long the company has been unionized. It is also crucial to analyze all existing labor agreements, as the acquiring company will likely be bound by their terms as the successor. It is especially important to determine whether there are “labor neutrality,” automatic accretion or other such terms that require the company to stand idly by if the union seeks to expand to other facilities or other groups at that facility. A labor neutrality term can give a union access, information and recognition rights to help it quickly organize other employees or facilities of affiliates or parent entities. An accretion term enables a union to automatically represent other employee groups.
Certain subsidiary operations and opportunities will be attractive despite union status or risks. In these cases, there are strategies companies can utilize to mitigate or avoid risk at unionized operations. For example, companies might consider restructuring workforces (combinations or separations) or engaging in asset transactions whereby a purchaser is not necessarily obligated to recognize a union or a collective bargaining agreement.
For investment opportunities involving nonunionized operations, the focus must remain on the risk of unionization post-acquisition. Pre-transaction diligence should examine any ongoing organizing activity, union outreach and/or unfair labor practices. Diligence should also consider industry trends and whether union drives are proliferating at similar or nearby facilities.
Companies setting up new operations should evaluate organizing trends. Union participation and support vary greatly across the country, and setting up operations in an area with low union participation will help avoid subsequent encroachment. If unionization at a new operation is unavoidable, consider advantageous organizational structures in which a separate legal entity employs any unionized workers. This will help prevent the union from extending its reach to other operations.
For all current or potential operations in the United States, companies should anticipate the possibility of union engagement and should determine their philosophical approach to union encroachment in advance. The primary leverage unions hold over companies is their ability to increase transactional and operational costs through strikes or other work stoppages, slow bargaining and excessive litigation.
Companies need to know whether their approach will be to make peace, prepare for battle or chart a middle course. Some companies choose to foster a harmonious relationship with the union. Others seek to avoid unions and, when necessary, defend their right to act. Both approaches can work and promote prosperous operations when properly executed. The key is knowing which approach fits the company’s culture and outlook, and consistently applying the chosen course of action once it is determined.
Disclaimer: This article was published in the January 2024 issue of The Journal of the Japanese Institute for International Business Law. The discussion above reflects general market trends and developments. It is not a summary, analysis or commentary on any local laws. This article cannot be regarded as legal advice.
UPC Court of Appeal Issues First Decision, Overturns Preliminary Injunction
Hon.-Prof. Dr. Henrik Holzapfel | Charles (Chuck) Larsen | Lisa Nassi | Diana Pisani
Back in September 2023, the Unified Patent Court’s (UPC) Local Division Munich issued a preliminary injunction against the defendant in 10x Genomics, Inc. v. NanoString Technologies, Inc. On February 26, 2024, in a landmark decision, the UPC’s Court of Appeal overturned the preliminary injunction, allowing NanoString to return to most European markets.
The Court of Appeal clarified three key substantive issues in the case: the standard for claim construction, the standard for granting a preliminary injunction and the substantive evaluation of inventive step. Specifically, the Court of Appeal established the following:
- Regarding the standard for claim construction, the patent claim is not only the starting point but the decisive basis for determining the scope of protection. The interpretation must always use the “description” and the “drawings” as explanatory aids and is not limited to cases where the claims include ambiguities. There will be no protection for what is disclosed only in the description or the drawings but has no basis in the patent claims. The same principles for claim construction will apply when assessing both infringement and validity.
- Regarding the standard for a preliminary injunction, a proper decision for granting one must be based on it being “more likely than not” that the asserted patent is infringed and “more likely than not” that the patent will be found valid. This creates a balance – the opportunities to present facts and evidence by way of summary proceedings are limited, so the standard of proof must not be set too high. It also cannot be set too low in order to prevent the defendant from being harmed by an order for a provisional measure that is revoked at a later date. A sufficient degree of certainty is therefore needed, both for infringement and validity.
- In provisional proceedings without hearing the defendant, the burden of proof for all relevant facts, including potential invalidity, lies with the applicant. In contrast, in provisional proceedings in which the defendant is heard, the burden of proof for entitlement and infringement lies with the applicant, while the burden of proof for invalidity lies with the defendant.
- On the merits, the Court of Appeal held that the Local Division Munich incorrectly evaluated the likelihood that the patent would be found valid. The Court of Appeal determined that while the Local Division correctly concluded that the asserted patent would be found infringed and novel, it incorrectly concluded that the patent would likely be found to have an inventive step.
- To reach this determination, the Court of Appeal relied on its own analysis of the prior art and on the opinion of its own technically qualified judges, with only a brief mention of a contrary view from the defendant’s expert.
- Additionally, the Court of Appeal applied a “classical” style inventive step analysis, determining and applying the understanding and capability of a skilled person in the art (as reflected in the cited prior art references) rather than strictly applying the “problem/solution” analysis commonly practiced at the European Patent Office. A skilled person in the art would have had a reasonable expectation of success when using the claimed method because, based on their expertise, they would have been able to deal with issues such as “molecular crowding” and “autofluorescence.”
In setting these legal standards, the Court of Appeal has demonstrated that it is committed to actively leading the development of law and practice across the UPC, even if that means reining in the work of the Local Divisions.
To learn more, visit our UPC Resource Center.
How the New PCI DSS 4.0 Will Impact the Automotive Industry
Jonathan Ende | Mark E. Schreiber | Brian Long
The automotive industry is experiencing a shift to an e-commerce model through direct interactions with the customer to accept credit card payments. This innovation allows drivers and passengers to make payments for products and services directly from their vehicles, offering an enhanced consumer experience. The automotive industry, like others, must comply with the Payment Card Industry Data Security Standard (PCI DSS) with respect to card transactions. The new version of PCI DSS (4.0) became mandatory April 1, 2024, and introduced many new rigorous requirements.
Changing Automotive Payment Modalities
Subscription services such as music streaming services, third-party apps, security services, and telemetric or concierge services are being offered and paid through cars’ infotainment systems using payment cards. These payments may be collected directly by the car manufacturer or other third parties.
Entities that provide these new infotainment-based services and accept payment cards are likely “merchants” or “service providers” under the PCI DSS definitions. Both merchants and service providers must complete either a report on compliance (ROC) or a self-assessment questionnaire (SAQ) at least annually to comply with PCI DSS. ROCs or SAQs that are started after March 31, 2024 (the retirement date of prior PCI version 3.2.1) will need to use the new 4.0 version with its more rigorous requirements.
Some merchants and service providers may be in the midst of their PCI DSS compliance validation efforts under prior PCI version 3.2.1 as of March 31, 2024. In that case, merchants or service providers should reach out to the organizations that require their PCI compliance (e.g., acquiring banks, card brands, processors) to determine next steps, including whether they can continue with their 3.2.1 validation exercise.
As with any other channel used to process payment cards, in-car payments’ connectivity, security and authentication are paramount concerns. Even if the entire cardholder data environment is outsourced, there are still obligations to comply with PCI DSS.
IN DEPTH
While participants in this industry may have some familiarity with PCI DSS obligations, the confluence of new technologies and connected systems with the advent of PCI DSS 4.0 drives a new PCI DSS compliance imperative.
PCI DSS 4.0 Brings New Requirements
After two years to prepare, the March 31, 2024, date for compliance with PCI DSS 4.0 is almost here. PCI DSS 4.0—which brings major changes to the payments ecosystem—places an increased focus on targeted risk analysis, organizational maturity and governance. It also makes PCI DSS compliance a continuous effort, rather than an annual snapshot exercise, and introduces a customized approach to PCI assessments, enabling businesses to implement alternative technical and administrative controls that meet the customized approach objective.
Merchants, service providers, issuers, acquirers and any other businesses that accept card payments or store, process or transmit payment cardholder data should have already begun planning for PCI DSS 4.0. Implementing PCI DSS 4.0 will require structural changes that go beyond tweaking security controls. Businesses will also need to prepare for the increased legal risks of PCI DSS 4.0’s obligations. PCI assessments under version 4.0 will require more security documentation, risk analysis and affirmative statements than before, exposing the company’s security posture to greater scrutiny.
According to Mazars USA’s PCI qualified security assessor (QSA) team, automotive manufacturers, app developers and other companies that accept payments through in-vehicle systems will need to carefully assess how their in-vehicle payment solutions integrate with their existing payment platform. Particular attention should be paid to the communications protocols, deployment model and integrated payment infrastructure.
Because of the complexity of the new requirements and the time required to implement structural changes, companies should promptly begin addressing and internally validating compliance in advance of an assessment by their QSA. Businesses should consider whether to involve legal counsel and other consultants (under privilege) in this assessment and other aspects of their transition to PCI DSS 4.0, including for purposes of encouraging full and open communication and consideration of risks and exposure.
WHAT’S NEW IN PCI DSS 4.0?
PCI DSS 4.0 is an extensive change to the previous version, PCI DSS 3.2.1. Some of the significant changes are included below.
Increased Requirements for Yearly Diligence for Merchants and Service Providers
PCI DSS 4.0 increases the requirements for periodic diligence by merchants and service providers by adding several new controls, including the following:
- Service providers now have an explicit requirement to provide merchants with information necessary for the merchant to comply with its monitoring requirements under PCI DSS 12.8.4 and 12.8.5 (PCI DSS 12.9.2).
- At least every 12 months and upon a significant change, merchants and service providers must document and confirm the PCI DSS in-scope environment (PCI DSS 12.5.2), with additional documentation requirements for service providers (PCI DSS 12.5.2.1-2).
- Merchants and service providers must conduct a targeted risk analysis for any controls that use the customized approach, at least every 12 months with written approvals by senior management (PCI DSS 13.3.2).
- Merchants and service providers must complete at least an annual risk analysis for any controls that have flexibility for the frequency of controls (PCI DSS 13.3.1, best practice until 2025).
- Merchants and service providers must review the cipher suites and protocols in use at least annually (PCI DSS 12.3.3, best practice until 2025).
- Merchants and service providers must conduct at least an annual review of hardware and software technologies in use, with a plan to remediate outdated technologies approved by senior management (PCI DSS 12.3.4, best practice until 2025).
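Of the items above, the annual cipher suite and protocol review (12.3.3) is the one that maps most directly onto a technical check, and the hardware/software technology review (12.3.4) asks for the same kind of dated record with a remediation list. The script below is an added illustration, not code from the page, the authors or the PCI Security Standards Council: it walks a constructed inventory of in-scope TLS endpoints, flags deprecated protocol versions and weak cipher families, and produces the dated findings, remediation list and next-review date an assessor would expect to see. The endpoint names and cipher lists are made up, and the deprecated-protocol and weak-cipher policy lists are assumptions drawn from general TLS hardening guidance rather than from the standard itself.

```python
"""Added example: an annual cipher suite / protocol review record.

Not code from the page or from the PCI Security Standards Council. The
inventory below is constructed sample data; the deprecated-protocol and
weak-cipher lists are assumptions based on general TLS hardening guidance.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Assumed policy: protocol versions no longer acceptable on cardholder-data channels.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# Assumed policy: substrings of OpenSSL-style cipher names that mark weak or
# anonymous suites (RC4, single/triple DES, NULL encryption, export grades,
# MD5 MACs, anonymous Diffie-Hellman).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")


@dataclass
class Endpoint:
    """One system component that terminates TLS for payment traffic."""
    name: str
    protocols: list[str]
    ciphers: list[str]
    in_scope: bool = True  # only in-scope components are reviewed


@dataclass
class Finding:
    endpoint: str
    issue: str      # "deprecated-protocol" or "weak-cipher"
    detail: str     # the offending protocol or cipher name


def review_endpoint(ep: Endpoint) -> list[Finding]:
    """Return every protocol or cipher on the endpoint that fails policy."""
    findings: list[Finding] = []
    for proto in ep.protocols:
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(Finding(ep.name, "deprecated-protocol", proto))
    for cipher in ep.ciphers:
        upper = cipher.upper()
        if any(marker in upper for marker in WEAK_CIPHER_MARKERS):
            findings.append(Finding(ep.name, "weak-cipher", cipher))
    return findings


def next_review_due(review_date: date) -> date:
    """Twelve months after the review; a 29 Feb review rolls back to 28 Feb."""
    try:
        return review_date.replace(year=review_date.year + 1)
    except ValueError:
        return review_date.replace(year=review_date.year + 1, day=28)


def annual_review(inventory: list[Endpoint], review_date: date) -> dict:
    """Produce the dated review record covering all in-scope endpoints."""
    scoped = [ep for ep in inventory if ep.in_scope]
    findings = [f for ep in scoped for f in review_endpoint(ep)]
    return {
        "review_date": review_date.isoformat(),
        "next_review_due": next_review_due(review_date).isoformat(),
        "endpoints_reviewed": len(scoped),
        "findings": findings,
        # Anything flagged needs a remediation plan before sign-off.
        "needs_remediation": sorted({f.endpoint for f in findings}),
        "compliant": not findings,
    }


# Constructed sample inventory (names and configurations are made up).
SAMPLE_INVENTORY = [
    Endpoint("infotainment-payment-gateway",
             ["TLSv1.2", "TLSv1.3"],
             ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256"]),
    Endpoint("legacy-telematics-api",
             ["TLSv1.0", "TLSv1.2"],
             ["ECDHE-RSA-AES128-SHA", "DES-CBC3-SHA", "RC4-SHA"]),
    Endpoint("dealer-portal-staging",           # out of scope: not reviewed
             ["SSLv3"], ["RC4-MD5"], in_scope=False),
]


def run_sample_review() -> dict:
    """Run the review over the constructed inventory with a fixed date."""
    return annual_review(SAMPLE_INVENTORY, date(2024, 6, 1))


if __name__ == "__main__":
    report = run_sample_review()
    print(f"Reviewed {report['endpoints_reviewed']} endpoints on {report['review_date']}")
    for f in report["findings"]:
        print(f"  {f.endpoint}: {f.issue} ({f.detail})")
    print("Needs remediation:", report["needs_remediation"])
    print("Next review due:", report["next_review_due"])
```

The record deliberately separates what was reviewed (the in-scope count and date) from what was found, because the documentation burden the text describes is about proving the review happened on schedule, not only that the configuration was clean; the `needs_remediation` list is the input to the senior-management-approved remediation plan that 12.3.4 asks for.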
These additional annual diligence requirements will take time and effort to establish. Merchants and service providers may want to build these new processes well in advance of having to rely on them for PCI DSS compliance through their ROC or SAQ processes and QSA oversight. Starting sooner rather than later will be key to pragmatic results, allowing at least one practice cycle of these assessments prior to relying on them for PCI DSS compliance.
New Customized Approach
When merchants and service providers cannot meet the prescriptive controls of PCI DSS 3.2.1, they must propose a compensating control and justify it with a risk assessment and a compensating control worksheet. In PCI DSS 4.0, this option still exists, but there is also a new option for a customized control approach. This customized approach retains the requirement to evaluate risk but allows for a more strategic pathway to meet a control. Instead of compensating for the lack of a control, the customized approach allows the merchant or service provider to document a different control based on the objective of the control that is being customized. The assessor will then assess the customized control in place of the control that is being substituted, allowing for a long-term customization rather than a shorter-term “compensating” control. (Not all controls are eligible for the customized approach. Notably, PCI DSS 3.3.1 prohibits storage of sensitive authentication data after authorization.)
Expanded Risk Analysis Guidance
PCI DSS 4.0 also provides expanded guidance on conducting risk analysis. Risk analysis has always been a part of PCI DSS, and it plays a significant role in the compensating control worksheet. This new version includes a Sample Targeted Risk Analysis Template (PCI DSS Appendix E2). While using the template is not mandatory, it provides more information on how the PCI Security Council expects a risk analysis to be carried out.
Clarifications to “Significant Change” Standard
PCI DSS 4.0 clarifies key PCI DSS concepts, including a fuller description of a “significant change,” which was not specifically defined in prior PCI DSS versions. While this latest version does not provide an exact definition, PCI DSS 4.0 does provide descriptions and examples of a significant change (PCI DSS, 7 Description of Timeframes Used in PCI DSS Requirements). This is important given the many interim changes, adaptations and updates (especially in the mobile payments industry) in the United States and other countries, such as India.
WHEN DOES PCI DSS 4.0 TAKE EFFECT?
PCI DSS 4.0 was issued on March 31, 2022, but will remain optional until March 31, 2024, when PCI DSS v. 3.2.1 will be retired. Assessments begun after that date must be under version 4.0. Some companies have opted into 4.0 already and are conducting PCI assessments and SAQs/ROCs under 4.0.
Several new requirements added for version 4.0 will not become mandatory until March 31, 2025. Until that date these requirements are considered “best practice.”
WHAT ARE THE LEGAL RISKS?
Failure to comply with PCI DSS 4.0 may lead to further investigations, fines, penalties and assessments, especially if there is a card breach after PCI DSS 4.0 becomes mandatory. Several state laws already incorporate PCI DSS, and other state laws include compliance with PCI DSS as a safe harbor.
The increased focus on risk analysis in PCI DSS 4.0 means that entities are likely to disclose more information about their security program to QSAs than they would under version 3.2.1. Given that PCI security assessments are not conducted under privilege, businesses should be prepared for the assessment papers to be scrutinized, particularly in the wake of a security incident. This will be increasingly significant, because the widespread adoption of chip transactions in the United States has reduced the viability of card cloning, reportedly causing credit card fraudsters large and small to target card-not-present transaction data and increase cybersecurity risk to a wide variety of companies.
Statements made in risk analyses should be accurate, verifiable and consistent with other disclosures. Security documentation should reflect actual, provable and current practices. Customized controls should defensibly meet the defined customized approach objectives.
The transition to PCI DSS version 4.0 will prove challenging and time-consuming to many companies. Companies should begin their transition planning promptly. An initial step in the transition should be an assessment against the PCI DSS 4.0 standard to identify compliance gaps and opportunities to implement a customized approach. Engaging outside counsel to help oversee the conduct of the internal assessment or other aspects of transition planning can mitigate risk and contribute to a successful transition.
The Impact of the New PCI DSS 4.0 on the Automotive Industry
Jonathan Ende | Mark E. Schreiber | Brian Long
In the automotive industry, a shift is under way toward e-commerce models in which credit card payments are accepted through direct interactions with customers. This technological innovation lets drivers and passengers pay for products and services directly from the vehicle, improving the customer experience. Like other industries, the automotive industry must comply with the Payment Card Industry Data Security Standard (PCI DSS) for card transactions. The new version of PCI DSS (4.0) becomes mandatory on April 1, 2024, and introduces many new, stricter requirements.
CHANGES IN HOW VEHICLE PAYMENTS ARE MADE
Payments made through a vehicle’s infotainment system are used to offer subscription services such as music streaming, third-party apps, security services, connected services and concierge services. These payments may be collected directly by the vehicle manufacturer or by other third parties.
Businesses that offer these new infotainment-based services and accept payment cards are “merchants” or “service providers” as defined by PCI DSS. To comply with PCI DSS, merchants and service providers must complete either a report on compliance (ROC) or a self-assessment questionnaire (SAQ) at least once a year. Any ROC or SAQ conducted after March 31, 2024 (the retirement date of the previous PCI version 3.2.1) must use the new version 4.0, with its stricter requirements.
Some merchants and service providers may be in the middle of validating PCI DSS compliance under the previous PCI version 3.2.1 as of March 31, 2024. In that case, the merchant or service provider must contact the organization requiring PCI compliance (the acquiring bank, card brand, processor, etc.) to determine next steps, including whether the version 3.2.1 validation may continue.
As with any other channel used to process payment cards, connectivity, security and authentication for in-vehicle payments are paramount. Even where the entire cardholder data environment is outsourced, the obligation to comply with PCI DSS remains.
IN DEPTH
Businesses in this industry may already be somewhat familiar with PCI DSS obligations, but the convergence of new technologies and connected systems with the arrival of PCI DSS 4.0 will impose new requirements for PCI DSS compliance.
NEW REQUIREMENTS INTRODUCED BY PCI DSS 4.0
After a two-year preparation period, the PCI DSS 4.0 compliance deadline of March 31, 2024 is approaching. PCI DSS 4.0, which brings major change to the payments ecosystem, focuses on targeted risk analysis, organizational maturity and governance. It also treats PCI DSS compliance as a continuous effort rather than an annual snapshot exercise, and by introducing a customized approach to PCI assessments it allows companies to implement alternative technical and administrative controls tailored to the stated objectives.
Merchants, service providers, issuers, acquirers, and any company that accepts card payments or stores, processes or transmits payment cardholder data should already have begun planning for PCI DSS 4.0. Implementing PCI DSS 4.0 requires structural changes that go beyond fine-tuning security controls. Companies must also prepare for the increased legal risk that PCI DSS 4.0 obligations bring: because PCI assessments under version 4.0 require more security documentation, risk analyses and affirmative statements than before, a company’s security posture will be subject to closer scrutiny.
According to Mazars’ US PCI qualified security assessor (QSA) team, automakers, app developers and other companies that accept payments through in-vehicle systems must carefully evaluate how their in-vehicle payment solutions integrate with existing payment platforms. Particular attention must be paid to communication protocols, deployment models and the integrated payment infrastructure.
Because the new requirements are complex and structural changes take time to implement, companies need to begin internal compliance validation promptly, ahead of the QSA assessment. Companies should also consider whether to engage outside counsel and consultants (under privilege) for this assessment and for other aspects of the PCI DSS 4.0 transition, in part to encourage full and open communication and a frank consideration of risk and exposure.
WHAT IS NEW IN PCI DSS 4.0?
PCI DSS 4.0 changes substantially from its predecessor, PCI DSS 3.2.1. Some of the key changes are as follows.
ENHANCED ANNUAL DILIGENCE REQUIREMENTS FOR MERCHANTS AND SERVICE PROVIDERS
PCI DSS 4.0 strengthens the periodic diligence required of merchants and service providers by adding several new control items, including the following:
- Service providers must provide merchants with the information they need to comply with the monitoring requirements of PCI DSS 12.8.4 and 12.8.5 (PCI DSS 12.9.2).
- Merchants and service providers must document and confirm the environment to which PCI DSS applies (PCI DSS 12.5.2) at least every 12 months and upon significant change, with additional documentation requirements for service providers (PCI DSS 12.5.2.1-2).
- Merchants and service providers must perform a targeted risk analysis, with written approval from senior management, at least once every 12 months for each control that uses the customized approach (PCI DSS 13.3.2).
- Merchants and service providers must perform a risk analysis at least annually for controls that allow flexibility in frequency (PCI DSS 13.3.1; best practice until 2025).
- Merchants and service providers must review cipher suites and protocols at least once a year (PCI DSS 12.3.3; best practice until 2025).
- Merchants and service providers must review the hardware and software in use at least once a year and, with senior management approval, establish a plan to remediate outdated technology (PCI DSS 12.3.4; best practice until 2025).
Establishing these additional annual diligence requirements takes time and effort. Merchants and service providers will want these new processes to be well established before they have to rely on them for PCI DSS compliance through the ROC or SAQ process and QSA oversight. Starting as early as possible, so that these assessments can be practiced at least once before they are relied on for PCI DSS compliance, will be key to achieving realistic results.
NEW CUSTOMIZED APPROACH
Under PCI DSS 3.2.1, a merchant or service provider that could not meet a prescribed control had to propose a compensating control and justify it with a risk assessment and a compensating controls worksheet. That option still exists in PCI DSS 4.0, but there is also a new option: the customized control approach. The customized approach retains the requirement to assess risk but allows a more strategic way of meeting a control. Rather than compensating for a missing control, the merchant or service provider can document a different control based on the customized approach objective. The assessor evaluates the customized control in place of the control it replaces, enabling long-term customization rather than a short-term “compensating” control. (Not every control is eligible for the customized approach; in particular, PCI DSS 3.3.1 prohibits storing sensitive authentication data after authorization.)
EXPANDED RISK ANALYSIS GUIDANCE
PCI DSS 4.0 also expands the guidance on how to conduct a risk analysis. Risk analysis has always been part of PCI DSS and plays a major role in the compensating controls worksheet. The new version includes a sample targeted risk analysis template (PCI DSS Appendix E2). Use of the template is not mandatory, but it provides detailed insight into how the PCI Security Standards Council expects risk analyses to be conducted.
CLARIFICATION OF THE “SIGNIFICANT CHANGE” STANDARD
PCI DSS 4.0 clarifies key PCI DSS concepts, including a more detailed description of a “significant change,” which was not specifically defined in prior PCI DSS versions. While this latest version does not provide an exact definition, PCI DSS 4.0 does provide descriptions and examples of a significant change (PCI DSS, “Description of Timeframes Used in PCI DSS Requirements”). This is important given the many interim changes, adaptations and updates (especially in the mobile payments industry) in the United States and other countries, such as India.
WHEN DOES PCI DSS 4.0 TAKE EFFECT?
PCI DSS 4.0 was issued on March 31, 2022, but remains optional until March 31, 2024, when PCI DSS v. 3.2.1 will be retired. Assessments begun after that date must be conducted under version 4.0. Some companies have already opted into version 4.0 and are conducting their PCI assessments and SAQs/ROCs under it.
Several new requirements added in version 4.0 will not become mandatory until March 31, 2025. Until then, these requirements are considered “best practice.”
WHAT ARE THE LEGAL RISKS?
Failure to comply with PCI DSS 4.0 may lead to further investigations, fines, penalties and assessments, especially if a card breach occurs after PCI DSS 4.0 becomes mandatory. Several state laws already incorporate PCI DSS, and other state laws treat PCI DSS compliance as a safe harbor.
Because PCI DSS 4.0 places greater emphasis on risk analysis, companies will disclose more information about their security programs to QSAs than they did under version 3.2.1. Since PCI security assessments are not conducted under privilege, companies should be prepared for the assessment documents to be scrutinized, particularly after a security incident. This will become increasingly significant because the widespread adoption of chip transactions in the United States has reduced the viability of card cloning, reportedly causing credit card fraudsters large and small to target card-not-present transaction data and raising cybersecurity risk for a wide variety of companies.
Statements made in risk analyses must be accurate, verifiable and consistent with other disclosures. Security documentation should reflect actual, provable and current practices. Customized controls must meet the defined customized approach objectives.
The transition to PCI DSS version 4.0 will be difficult and time-consuming for many companies. Companies should begin their transition planning promptly. The first step in the transition should be an assessment against the PCI DSS 4.0 standard to identify compliance gaps and opportunities to implement a customized approach. Having outside counsel oversee the internal assessment and other aspects of transition planning can mitigate risk and contribute to a successful transition.