International News: Global Privacy and Cybersecurity - McDermott Will & Emery


As we move into the next phase of the Coronavirus (COVID-19) pandemic, the test, track and trace approach being adopted by governments is generating myriad data privacy concerns. Added to this are the challenges created by new privacy laws in California, the end of the Brexit transition period, and the recent judgement in Schrems II that affects the US Privacy Shield mechanism. There has never been a more pressing need for robust global privacy and cybersecurity advice.

Although the pandemic continues to impact global business, creative thinkers are identifying solutions to economic distress and are examining the viability of material adverse effect clauses in their markets. And, of course, developments unrelated to the pandemic, such as the forthcoming EU Whistleblower Directive and the Federal Trade Commission’s focus on non-compete provisions in transaction agreements, continue to challenge companies.

We explore all these issues and more, in our latest International News.


Privacy Considerations for COVID-19 Digital Contact Tracing

Deepali Doddi

Generally, contact tracing refers to an effort by public health officials to identify individuals with whom a patient who has tested positive for an infectious disease has been in close proximity. Public health officials will inform these individuals that they were exposed to a contagious patient and encourage them to monitor their symptoms and quarantine for a period of time.

In response to COVID-19, governments around the world have explored using digital contact tracing, by which smartphone users download an application (app) to enable public health officials to track infected individuals’ contacts. In addition, private sector companies are exploring how digital technologies can be used for contact tracing on employees as they reenter the workplace.

Read more…

The Uncertain “State” of US Data Protection Law: California Leads the Way

Austin Mooney

The California Consumer Privacy Act of 2018 (CCPA), which took effect this year, introduced a complicated data protection framework for the personal information of California residents, imposing a variety of new obligations on affected businesses. Although the interpretation of many of the CCPA’s provisions remains unsettled—and proposed regulations are still pending— the CCPA’s original architects have already advanced another proposed law, the California Privacy Rights Act (CPRA), which will be decided in a statewide referendum this November. If enacted, the CPRA would substantially amend the CCPA, granting consumers additional rights and imposing further liability on businesses.

Whether or not it passes, the proposed CPRA highlights the fluid state of the US legal environment for data protection, which has left businesses around the world struggling to account for the uncertain risks and compliance costs posed by these developments.

It did not have to be this way. The developments in California are due in part to the failure of the US Congress to enact comprehensive federal data protection legislation. Despite widespread support, compromise on a federal standard remains elusive, with legislators unable to agree on critical questions, such as whether or not the law will pre-empt state laws like the CCPA.

Read more…

Data Protection During and After the Pandemic: Consolidate, Update and Innovate

Having adapted products, processes, services, facilities and IT systems in response to Coronavirus (COVID-19), businesses should now refocus on their legal and business fundamentals as they move towards returning to the office. Compliance policies should be updated, Brexit contingency plans reinvigorated, and upcoming legal and regulatory changes anticipated.

While taking these steps, businesses should bear in mind a number of key data protection and IT/cybersecurity fundamentals, and take the opportunities afforded by the return to work period to kick-start new initiatives.

Read more…

Double Trouble for Data Transfers Post-Brexit and Post-Schrems II?

On 16 July 2020, Europe’s highest court, the CJEU, ruled in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems that individuals in Europe had insufficient redress against US bulk interception rules when their personal data was transferred to the United States under the US Department of Commerce “Privacy Shield” mechanism. This ruling followed a long running campaign by the activist, Max Schrems, who’s prior case to the CJEU invalidated the predecessor to the Privacy Shield, the Safe Harbor.

It is a general tenet of European data protection law that, when personal data is exported from the European Union, any further processing must be to European standards unless the local data protection laws are considered “adequate” by the European Commission. Self-certification under the US Privacy Shield mechanism was a popular method for providing adequate data protection amongst US based service providers which had European customers and regularly needed to transfer personal data from Europe to the United States.

Schrems II impacts not only the over 5,300 US companies that enjoyed Privacy Shield selfcertification, but also the many thousands of EU and US companies that rely upon US companies in their supply chain for data processing. This supply chain could include outsourcing, cloud services, data processing, data storage, telecommunications and the like.

Read more…

Start Preparing For the New EU Whistleblower Directive

Jacques Buhart

The legal regime applicable to whistleblowers across the European Union is fragmented. Only nine EU Member States currently have comprehensive laws. The remaining countries offer only partial rules, limited to certain sectors and specific wrongdoing. In practice, whistleblowing tends to be focused on the reporting of corruption concerns in the financial services sector.

In order to set minimum common standards across the European Union, the European Commission proposed a new directive on “the protection of persons reporting on breaches of Union law”. Following approval by the European Parliament on 16 April 2019, Directive (EU) 2019/1937 received European Council approval and was officially adopted by the European Union on 7 October 2019.

The Directive must be transposed by Member States into domestic law by October 2021.

Read more…

Federal Trade Commission Zeros in on Problematic Non-Competes

Joel R. Grosberg | Lisa P. Rumin

Non-compete provisions help protect a buyer’s significant investment in an acquired business. Although non-compete clauses often play a vital role in M&A deals, they are not immune from antitrust scrutiny.

Since September 2019, the FTC has challenged noncompete provisions in at least three transactions. These demonstrate that the Commission and other antitrust enforcers are closely scrutinising non-competes and will not hesitate to challenge problematic provisions, even when the underlying transaction raises no substantive antitrust issues or when the provision relates to minority investments.

Parties to a commercial transaction can easily manage this scrutiny by tailoring the scope of the non-compete to the transaction at hand.

Read More…

Developments in Material Adverse Effect Clauses in M&A

Nicholas Azis | Thomas Sauermilch | Nicole Yoon | Nicolas Lafont | Fabrizio Faina

The Coronavirus (COVID-19) pandemic has brought Material Adverse Effect (MAE) clauses in M&A transactions into renewed focus. In several announced M&A transactions, parties have sought to terminate or renegotiate agreements, and even commenced litigation based on MAE clauses.

MAE law and practice differs widely among key jurisdictions, such as the United States, France, Germany, Italy and the United Kingdom.

Read More…

Solutions for Sponsors and Portfolio Companies During Macroeconomic Distress

Mark Fine | Aymen Mahmoud

Perhaps the most critical challenge is liquidity. Unlike previous periods of economic distress, 2020 has seen few liquidity shortages, but businesses should ensure they maintain a strong cash position by using liquidity monitoring modelled against any bank covenant models, and monitor the situation on a 13- week basis, or more frequently, to identify liquidity issues early. This information should help to inform whether or not discussions with lenders are required. An early dialogue with lenders can often be a highly effective tool in securing required amendments or even additional liquidity. It may also be helpful for companies to actively maintain frequent cash management sweeps to reduce cash inefficiency.

Sponsors and companies may have access to many avenues of liquidity, whether through government schemes or permissive financing documentation. Advisors are undertaking analyses with a view to offering short and medium term solutions.

Read More…