The Uncertain “State” of US Data Protection Law: California Leads the Way
The California Consumer Privacy Act of 2018 (CCPA), which took effect this year, introduced a complicated data protection framework for the personal information of California residents, imposing a variety of new obligations on affected businesses. Although the interpretation of many of the CCPA’s provisions remains unsettled—and proposed regulations are still pending— the CCPA’s original architects have already advanced another proposed law, the California Privacy Rights Act (CPRA), which will be decided in a statewide referendum this November. If enacted, the CPRA would substantially amend the CCPA, granting consumers additional rights and imposing further liability on businesses.
Whether or not it passes, the proposed CPRA highlights the fluid state of the US legal environment for data protection, which has left businesses around the world struggling to account for the uncertain risks and compliance costs posed by these developments.
It did not have to be this way. The developments in California are due in part to the failure of the US Congress to enact comprehensive federal data protection legislation. Despite widespread support, compromise on a federal standard remains elusive, with legislators unable to agree on critical questions, such as whether or not the law will pre-empt state laws like the CCPA.
Data Protection During and After the Pandemic: Consolidate, Update and Innovate
Having adapted products, processes, services, facilities and IT systems in response to Coronavirus (COVID-19), businesses should now refocus on their legal and business fundamentals as they move towards returning to the office. Compliance policies should be updated, Brexit contingency plans reinvigorated, and upcoming legal and regulatory changes anticipated.
While taking these steps, businesses should bear in mind a number of key data protection and IT/cybersecurity fundamentals, and take the opportunities afforded by the return to work period to kick-start new initiatives.
Double Trouble for Data Transfers Post-Brexit and Post-Schrems II?
On 16 July 2020, Europe’s highest court, the CJEU, ruled in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems that individuals in Europe had insufficient redress against US bulk interception rules when their personal data was transferred to the United States under the US Department of Commerce “Privacy Shield” mechanism. This ruling followed a long running campaign by the activist, Max Schrems, who’s prior case to the CJEU invalidated the predecessor to the Privacy Shield, the Safe Harbor.
It is a general tenet of European data protection law that, when personal data is exported from the European Union, any further processing must be to European standards unless the local data protection laws are considered “adequate” by the European Commission. Self-certification under the US Privacy Shield mechanism was a popular method for providing adequate data protection amongst US based service providers which had European customers and regularly needed to transfer personal data from Europe to the United States.
Schrems II impacts not only the over 5,300 US companies that enjoyed Privacy Shield selfcertification, but also the many thousands of EU and US companies that rely upon US companies in their supply chain for data processing. This supply chain could include outsourcing, cloud services, data processing, data storage, telecommunications and the like.
Start Preparing For the New EU Whistleblower Directive
The legal regime applicable to whistleblowers across the European Union is fragmented. Only nine EU Member States currently have comprehensive laws. The remaining countries offer only partial rules, limited to certain sectors and specific wrongdoing. In practice, whistleblowing tends to be focused on the reporting of corruption concerns in the financial services sector.
In order to set minimum common standards across the European Union, the European Commission proposed a new directive on “the protection of persons reporting on breaches of Union law”. Following approval by the European Parliament on 16 April 2019, Directive (EU) 2019/1937 received European Council approval and was officially adopted by the European Union on 7 October 2019.
The Directive must be transposed by Member States into domestic law by October 2021.
Federal Trade Commission Zeros in on Problematic Non-Competes
Joel R. Grosberg
Lisa P. Rumin
Non-compete provisions help protect a buyer’s significant investment in an acquired business. Although non-compete clauses often play a vital role in M&A deals, they are not immune from antitrust scrutiny.
Since September 2019, the FTC has challenged noncompete provisions in at least three transactions. These demonstrate that the Commission and other antitrust enforcers are closely scrutinising non-competes and will not hesitate to challenge problematic provisions, even when the underlying transaction raises no substantive antitrust issues or when the provision relates to minority investments.
Parties to a commercial transaction can easily manage this scrutiny by tailoring the scope of the non-compete to the transaction at hand.
Developments in Material Adverse Effect Clauses in M&A
Dr. Tobias Koppmann
The Coronavirus (COVID-19) pandemic has brought Material Adverse Effect (MAE) clauses in M&A transactions into renewed focus. In several announced M&A transactions, parties have sought to terminate or renegotiate agreements, and even commenced litigation based on MAE clauses.
MAE law and practice differs widely among key jurisdictions, such as the United States, France, Germany, Italy and the United Kingdom.