In brief

Where does the responsibility lie for an acquiring company to understand and evaluate cyber risks in an acquisition? How can these risks be identified and mitigated in the middle of a fast-paced deal? A data breach can have serious financial consequences to both the buyer and the seller. A significant security breach can lead to a nearly instantaneous devaluation of assets and can severely damage the acquiring company’s business viability, raising serious questions as to purchase price and follow-on integration issues.


  1. Whose risk is it?
  2. Upgrade your diligence
  3. Conclusion

Trillions of dollars are spent on M&A each year, yet reports suggest that less than 10% of deals integrate cybersecurity into the due diligence process.1

Despite the FBI and private watchdog groups raising multiple warning flags about ransomware groups hitting more and more companies in the middle of significant transactions like M&A, and despite increased focus from the FTC and the SEC on data security failures as legitimate reasons for shareholder and government enforcement actions, companies continue to struggle with how to capture and mitigate cyber risk in an M&A transaction. Even with increased top-down pressure from Boards of Directors and the potential for breach of fiduciary duties related to lax data security measures, companies are fumbling the ball on what questions to ask and how to measure the security risk in a target.

Whose risk is it?

Where does the responsibility lie for an acquiring company to understand and evaluate cyber risks in an acquisition? How can these risks be identified and mitigated in the middle of a fast-paced deal? A data breach can have serious financial consequences to both the buyer and the seller. A significant security breach can lead to a nearly instantaneous devaluation of assets and can severely damage the acquiring company’s business viability, raising serious questions as to purchase price and follow-on integration issues. Unresolved risk can also push investors to question the impact of future attacks. And for good reason: An increasing number of deals have stalled or not gone through at all since the widely publicized 2017 Yahoo disclosure of a data breach which led to a decrease in the deal price for Yahoo in its acquisition by Verizon Wireless Inc. Initially Yahoo did not disclose any significant cyber events but later disclosed an earlier data breach affecting more than 500 million users. The following day Yahoo’s stock dropped 3%, and it lost USD 1.3 billion in market capitalization.

Verizon determined that the incident was a material adverse event under the stock purchase agreement and the parties agreed to reduce the purchase price by USD 350 million, or 7.25%. In response to this and similar incidents, and as cyber events increase in scope and complexity, investors are requiring more detailed quantification of cyber risk exposure, including risks of financial loss and reputational harm.

Upgrade your diligence

Preemptive and proactive cyber integrity risk assessment must be incorporated into the M&A process. This means that dedicated cyber and security experts must be involved at an early enough stage of the transaction to gauge a company’s cyber security and resiliency. Risk reports should inform both initial deal-making and stay relevant through the lifecycle of the deal.

There is no simple playbook for an acquiring company to address cyber risk, but the diligence process is key to getting it right.

As part of efforts to uncover cybersecurity risks or incidents at a target, some key areas for an acquiring company to direct its focus include:

  • IT and data assets: What IT assets, systems, software, platforms, websites and applications exist and are critical to the target? How is company data stored, and is it encrypted?
  • Governance practices: Who has responsibility for privacy compliance and data security within the company and for overseeing security preparedness? Is there a specifically appointed data protection officer?
  • Security risk management: What is the target’s data security infrastructure? When and how has it been upgraded? What third parties are involved in maintaining it?
  • Has the target experienced any interruptions, outages or suspensions of system operations? Does the target have a comprehensive written security management program and show proof of vulnerability testing? Consider hiring an outside firm to do penetration tests or security audits.
  • Insurance: Does the target have data security insurance coverage? Does the target require vendors to maintain such coverage?
  • Historic incident or loss experience: Has the target received complaints from customers, employees, contractors or other third parties regarding data privacy and security practices? Have any such complaints resulted in litigation or other proceedings?
  • Sharing information with third parties: How does the target vet third party security infrastructure, policies and records? Does the target ensure audit rights in contracts with third parties? Has the company assessed its obligations to notify customers and regulators in case of a breach?

Ultimately, while these examples provide a starting point for appropriate cybersecurity diligence, it is critical that the acquiring company tailor its diligence on data privacy and security matters to the target company by also understanding its data collection and use practices. Foremost, the forthrightness of the target in these matters is of increasing importance. A blank stare or a vague response to any of the data security questions is itself an answer and should be given attention.


Conclusion

Cybersecurity and resilience have become increasingly important for successful business practices. Executive teams are judged on lax security measures and appropriate breach response. Ransomware is increasing at an alarming rate. Ignorance or the inability to obtain a straight answer from a seller company no longer appeases shareholders and regulators when significant fines and enforcement actions could be at stake. Cyber integrity and proper data security due diligence is no longer a “nice to have”; it is a necessary and critical part of M&A.

Jake Rubenstein contributed to this article.

1.  Aon Cyber Solutions, 2020 Cyber Security Risk Report

The post United States: Buyer Beware Cyber Diligence in M&A appeared first on Global Compliance News.


In brief

Companies around the world have to comply with the Virginia Consumer Data Protection Act (VCDPA) with respect to personal data of consumers in Virginia. With the VCDPA, Virginia follows the California Consumer Privacy Act of 2018, as amended by the California Consumer Rights Act of 2020 (CCPA) but excludes employee and business representative data from its scope.


  1. Who and what data are protected?
  2. Who must comply?
  3. How to comply?

Businesses that have implemented measures to comply with the CCPA can leverage some of their existing vendor contract terms, website disclosures and data subject rights response processes to satisfy requirements under the VCDPA. However, the VCDPA contains certain unique and prescriptive requirements that will require VCDPA-specific approaches to compliance. For example, the VCDPA requires businesses to obtain affirmative opt-in consent before processing sensitive personal data, and to conduct data protection assessments when processing sensitive data or conducting certain activities with the personal data such as targeted advertising, selling or profiling. Unlike the CCPA and other privacy laws, the VCDPA does not provide the Virginia Attorney General with rulemaking authority. Any changes to the VCDPA must be done via amendments by the legislature.

The VCDPA becomes effective 1 January 2023 and does not include a look-back period for violations.

Who and what data are protected?

The VCDPA protects “consumers”, which the statute defines as Virginia residents acting in an individual or household context. Individuals acting in an employment or commercial context are expressly excluded from protection.

The VCDPA defines “personal data” to mean information that is linked or reasonably linkable to an identified or identifiable individual, but does not include data that is de-identified or publicly available. Unlike the CCPA, the VCDPA does not expressly protect the personal data of households.

The VCDPA includes exemptions for certain types of data and entities. These include exemptions for institutions governed by the Gramm-Leach-Bliley Act (GLBA) and certain data maintained by a public utility, employment records, protected health information processed by covered entities and business associates under the Health Insurance Portability and Accountability Act, and other types of information already regulated under other federal laws, including the GLBA, Family Educational Rights and Privacy Act, Fair Credit Reporting Act, and Children’s Online Privacy Protection Act (COPPA).

Who must comply?

Unless an exemption applies, the VCDPA applies to “controllers” and “processors” that conduct business in Virginia or sell products or services intentionally targeted to residents of Virginia, and meet either of the following thresholds: the business (i) controls or processes personal data of 100,000 or more consumers during a calendar year; or (ii) controls or processes personal data of at least 25,000 consumers and derives over 50 percent of gross revenue from the sale of personal data.

“Controller” is analogous to a “business” under the CCPA and is defined as a person that, alone or jointly with others, determines the purposes for and means of processing personal data. “Processor” is analogous to a “service provider” under the CCPA and is defined as a person who processes personal data on behalf of a controller. To qualify as a “processor” under the VCDPA, a company has to process personal data on behalf of a controller. The VCDPA mandates that processors adhere to the controller’s instructions and assist the controller with complying with the controller’s own obligations, and the two parties must enter into an agreement with certain terms prescribed by the VCDPA.

How to comply?

Privacy Notices. Under the VCDPA, controllers must provide privacy notices that include: (i) the categories of personal data processed by the controller; (ii) the purpose for processing personal data; (iii) how consumers may exercise their rights, including the controller’s contact information and how a consumer may appeal a controller’s decision with regard to a consumer’s request; (iv) the categories of personal data that the controller shares with third parties, if any; and (v) the categories of third parties, if any, with whom the controller shares personal data. Unlike the CCPA, the VCDPA does not expressly require that privacy notices be issued prior to collection and they do not need to include certain elements required by the CCPA such as information on sources of personal data, processes that the controller follows to verify requests, or information on financial incentives offered in exchange for the collection, retention or sale of personal information. Nevertheless, and depending on what notices a business currently issues and what they cover, many businesses can leverage current privacy notices to comply with the VCDPA by updating such notices to include statements regarding the right under the VCDPA to appeal a controller’s decision with respect to data subject requests.

The VCDPA also requires controllers that “sell” personal data to third parties or process personal data for targeted advertising to clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt-out of such processing. Unlike the CCPA, the VCDPA definition of “sale” of personal data is limited to an exchange of personal data for monetary consideration. The VCDPA also excludes certain types of disclosures from being a “sale” of personal data, such as disclosures to a processor to process the personal data for the controller, disclosures of personal data to a third party for the purpose of providing a product or service requested by the consumer, disclosures to an affiliate of a controller, disclosures to third parties as part of a merger or similar transaction, or disclosures of personal data intentionally made available by a consumer to the general public or mass media channels.

Sensitive Data. Unlike the CCPA, which will introduce an “opt-out” regime for the processing of sensitive personal information beyond certain authorized purposes, the VCDPA requires consumers to “opt-in” to the processing of their sensitive data.

The VCDPA defines “sensitive data” to mean certain prescribed categories of data, including personal data that reveals an individual’s race, ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship or immigration status; personal data from a known child (under 13); the processing of genetic or biometric data for the purpose of uniquely identifying an individual; and precise geolocation data.

In practice, fitness trackers, delivery app services, and other businesses that provide recommendations and/or services based on a consumer’s precise location must ensure that they obtain opt-in consent from users before processing such personal data. When dealing with children’s data, companies must obtain consent from parents or guardians in accordance with the verifiable parental consent requirements of COPPA.

Technical and Organizational Measures, Assessments. The VCDPA requires controllers to establish, implement, and maintain reasonable administrative, technical and physical data security practices, and to conduct and document data protection assessments before engaging in any processing activity that presents a heightened risk of harm to a consumer. The VCDPA considers processing for purposes of targeted advertising or profiling, selling personal data, and processing sensitive data to be activities that typically present a heightened risk of harm to consumers.

The CCPA did not initially contain such an assessment requirement, but the California Privacy Protection Agency is tasked under the CCPA with issuing regulations that will require audits and risk assessments as well. Companies should be able to leverage assessments performed under the VCDPA to comply with CCPA and other US state privacy statutes.

Data Processing Agreements. Before a processor performs any processing on behalf of a controller, the parties must enter into a contract that includes terms similar to those required under other US state privacy laws (and the GDPR), including the controller’s instructions for processing and requirements that the processor shall (1) keep the personal data confidential; (2) delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; (3) on request, make data available to the controller; (4) cooperate with third party assessments; and (5) conclude similar agreements with subcontractors. Data processors must adhere to controllers’ instructions and use appropriate technical and organizational measures to assist controllers in meeting their obligations under the VCDPA. Businesses should continue to update their contracts while keeping standardization in mind where possible (see Standardizing data-processing agreements globally).

Data Subject Rights. Under the VCDPA, consumers have the right to know whether a controller is collecting their personal data, to access their collected personal data, to download and remove personal data from a platform in a format that allows the transfer to another, and to correct and delete personal data held on them. Consumers also have the right to opt-out of the sale of their personal data, or use of their personal data for targeted advertising and certain types of profiling.

Responding to Data Subject Rights Requests. Once consumers have been authenticated, the VCDPA entitles them to receive responses to their requests without undue delay, but in any case within 45 days of receipt of the request. Controllers may extend this time period by another 45 days where reasonably necessary, and the consumer will ultimately have the ability to appeal any decision made by the controller under the controller’s appeal process (which the VCDPA requires controllers to put into place). The appeals process must provide the consumer with an appellate response within 60 days and must provide the consumer with information on how to contact the Virginia Attorney General if the consumer has concerns about the results of any appeal. This contrasts with the CCPA, which does not mandate an appeals process.

Sanctions and remedies. Unlike the CCPA, there is no private right of action provided by the VCDPA, but the Virginia Attorney General can bring a civil action for an injunction or penalties of not more than USD 7,500 per violation. The Virginia Attorney General must first issue a notice of violation to a controller and allow a 60-day cure period before pursuing an enforcement action. Similar to the CCPA, the VCDPA creates a consumer privacy fund that will support actions by the Virginia Attorney General to enforce the VCDPA. 

The post United States: Virginia Consumer Data Protection Act takes effect in 2023 appeared first on Global Compliance News.


In brief

In the wake of U.S. Supreme Court precedent in the 2021 AMG Capital Management LLC v. Federal Trade Commission decision, the FTC is doubling down and expanding its enforcement efforts to target executives, directors and owners, including private equity, in an effort to hold accountable anyone profiting from anti-competitive conduct or conduct harmful to consumers. 

William Roppolo, Ashley Eickhof and Annasofia Roig explore this issue in an article published in Law360, titled Beware FTC’s Expanded Focus On Private Equity, Individuals.

The post United States: Law360 – Beware FTC’s Expanded Focus on Private Equity, Individuals appeared first on Global Compliance News.


Baker McKenzie’s Sanctions Blog published the alert titled OFAC extends and reissues General License authorizing certain transactions involving the Central Bank of Russia, the National Wealth Fund of the Russian Federation, or the Ministry of Finance of the Russian Federation  on 22 November 2022. Read the article via the link here. Please also visit our Sanctions Blog for the most recent updates.

The post United States: OFAC extends and reissues GL authorizing certain transactions appeared first on Global Compliance News.


Seeking public comments

On November 18, 2022, the US Department of Commerce (“DOC”) published a notice of a proposed change to its particular market situation (“PMS”) methodology.

Since the 2015 expansion of the DOC’s PMS authority, the DOC has been using the PMS methodology in the calculation of antidumping duty rates when it considers that there is a market distortion in the exporting country under investigation, such as the availability of low-priced energy, which reduces exporters’ costs of production. PMS methodologies have been used against imports from countries like Argentina, South Korea, and Turkey. Costs deemed to be distorted by the PMS are adjusted, which inflates the antidumping margin. US antidumping law does not prescribe a specific method for calculating the adjustment.

The revisiting of the PMS methodology arises, in part, from a recent decision by the US Court of Appeals for the Federal Circuit (“CAFC”). The CAFC criticized, in particular, the apparent lack of evidence in the DOC’s use of the PMS methodology. In doing so, CAFC reached four conclusions.

  1. A PMS that distorts costs must cause costs to deviate from what they would have otherwise been in the ordinary course of trade.
  2. A PMS must be particular to certain producers or exporters, inputs, or the market where the inputs are manufactured.
  3. If there is a claim of a subsidy or government interference, there should be evidence that the producer or seller of the input at issue received, or should have received, that subsidy or government assistance, and that there is some form of impact on the price of the input as a result of that subsidy or government interference.
  4. The DOC is not required to quantify a distortion in costs by the PMS to find the existence of a PMS, but if the DOC is able to quantify the distortion, such a quantification may help support a finding of the existence of a PMS.

In light of the CAFC decision, the DOC considers that changes to its policies and practices may be needed to ensure that allegations of a PMS are vetted in a manner consistent with the CAFC’s conclusions. The DOC now seeks comments on three issues, asking the public to:

  1. Identify information that the DOC should consider in determining if a PMS exists which distorts the costs of production, if that information is reasonably available and relevant to the PMS allegation;
  2. Identify information that the DOC should not be required to consider when determining if a PMS exists, regardless of the PMS allegation; and
  3. Provide comments on adjustments that the DOC may make to its calculations when it determines the existence of a PMS, but the record before it does not allow for the quantification of cost distortions.

As context, investigating authorities around the world use PMS methodologies in various ways, making the use of PMS a key live issue in global antidumping law. Australia’s use of PMS in a case against A4 copy paper from Indonesia resulted in a World Trade Organization (“WTO”) Panel Report that leaves open important questions on the scope of PMS. The newly established UK Trade Remedies Authority has relied on the notion of PMS to adjust costs in its first case targeting imports from China, concerning aluminum extrusions. Further, PMS has been proffered to be a likely legal basis under WTO law for the European Union’s “significant distortions” methodology. Comments on the DOC’s proposed change are due no later than December 18, 2022. If you are interested in filing comments, please reach out to the authors or the Baker McKenzie attorney with whom you work.

The post US Commerce Department Considers Revising “Particular Market Situation” Methodology appeared first on Global Compliance News.


In brief

On November 10, 2022, following a 3-1 vote, the Federal Trade Commission (“FTC”) issued a policy statement expanding its interpretation of the scope of unfair methods of competition under section 5 of the Federal Trade Commission Act.1 Commissioner Christine S. Wilson voted against the policy statement and issued an unforgiving 20-page dissent, referring to the policy change as a “radical” departure from the agency’s recent enforcement efforts.2 Commissioner Wilson states that the policy “adopts an ‘I know it when I see it’ approach premised on a list of nefarious-sounding adjectives, many of which have no antitrust or economic meaning.”

Section 5 of the FTC Act prohibits “unfair methods of competition,” which covers conduct that violates antitrust laws or Section 5 itself. It “empower[s]” the FTC to “prevent persons, partnerships, or corporations . . . from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.”3

The FTC has recently attempted to broaden its enforcement powers through various avenues. This policy statement is the latest iteration of those efforts. In the FTC’s own words, the statement establishes a “rigorous” enforcement policy of laws banning unfair methods of competition. The FTC stated that it plans to prosecute various areas of conduct, including “incipient violations” of antitrust laws and conduct that violates the “spirit” of antitrust laws.

Key takeaways

  • The FTC plans to prosecute and punish far more “unfair” conduct than it ever has before.
  • According to the FTC, Section 5 reaches beyond the Sherman and Clayton Acts to encompass various types of unfair conduct that tend to negatively affect competitive conditions.
  • New actionable conduct may include “incipient violation[s] of the antitrust laws,” such as acquisitions that have the “tendency to ripen” into actual violations; and conduct that violates the “spirit of antitrust laws,” such as conduct that in the aggregate “may tend to undermine competitive conditions,” and a series of acquisitions “that tend to bring about the harms that the antitrust laws were designed to prevent, but individually may not have violated the antitrust laws.”

Under the FTC’s new policy, even conduct that is not independently actionable may be actionable in the aggregate, at the FTC’s discretion.

In depth

In July of 2021, the FTC rescinded its 2015 Statement of Enforcement Principles Regarding “Unfair Methods of Competition” under Section 5 of the FTC Act. On November 10, 2022, it issued a new statement, which “supersedes all prior FTC policy statements and advisory guidance on the scope and meaning of unfair methods of competition under Section 5 of the FTC Act.”

The statement explains the FTC’s view of the legislative history of Section 5. It states that Congress clearly intended for the FTC to be able to prosecute “unfair” conduct more broadly than what is allowed for under the Sherman and Clayton Acts. The FTC states that Congress intended for Section 5 of the FTC Act to extend beyond the reach of antitrust laws; Congress wanted to more generally protect society against oppressive anti-competitive conduct. As such, Congress wanted to give the FTC flexibility to adapt to changing circumstances over time. Essentially, the FTC’s position is that its authority extends not only to the letter of antitrust laws, but also the spirit.

The FTC goes on to explain, broadly, what is actionable as an “unfair method of competition.” First, the conduct must be a “method of competition,” meaning that it is conduct undertaken by an actor in the marketplace, which directly or indirectly implicates competition. Second, the method of competition must be “unfair.” Unfair conduct is that which “goes beyond competition on the merits.” The FTC explains that this means the conduct (1) is “coercive, exploitative, collusive, abusive, deceptive, predatory, or involve[s] the use of economic power of a similar nature;” and (2) “tend[s] to negatively affect competitive conditions.” These criteria are evaluated on a sliding scale—where the first is particularly clear, less is required of the second, as an example.

The policy statement identifies some areas of conduct the FTC views as actionable under Section 5. Conduct that satisfies the FTC’s definition of “unfair method of competition” will be analyzed under the “per se” standard, meaning the conduct is automatically considered illegal regardless of any procompetitive justifications.  Below are some excerpts of the FTC’s “non-exhaustive” list of conduct that violates Section 5.

  1. Conduct deemed to be an incipient violation of the antitrust laws. Incipient violations include conduct by respondents who have not gained full-fledged monopoly or market power, or by conduct that has the tendency to ripen into violations of the antitrust laws. Examples include:
    • mergers, acquisitions, or joint ventures that have the tendency to ripen into violations of the antitrust laws,
    • a series of mergers, acquisitions, or joint ventures that tend to bring about the harms that the antitrust laws were designed to prevent, but individually may not have violated the antitrust laws, and
    • loyalty rebates, tying, bundling, and exclusive dealing arrangements that have the tendency to ripen into violations of the antitrust laws by virtue of industry conditions and the respondent’s position within the industry.
  2. Conduct that violates the spirit of the antitrust laws. This includes conduct that tends to cause potential harm similar to an antitrust violation, but that may or may not be covered by the literal language of the antitrust laws or that may or may not fall into a “gap” in those laws. Examples of such violations include:
    • parallel exclusionary conduct that may cause aggregate harm,
    • conduct by a respondent that is undertaken with other acts and practices that cumulatively may tend to undermine competitive conditions in the market,
    • de facto tying, bundling, exclusive dealing, or loyalty rebates that use market power in one market to entrench that power or impede competition in the same or a related market,
    • a series of mergers or acquisitions that tend to bring about the harms that the antitrust laws were designed to prevent, but individually may not have violated the antitrust laws,
    • mergers or acquisitions of a potential or nascent competitor that may tend to lessen current or future competition,
    • using market power in one market to gain a competitive advantage in an adjacent market by, for example, utilizing technological incompatibilities to negatively impact competition in adjacent markets,
    • false or deceptive advertising or marketing that tends to create or maintain market power, or
    • discriminatory refusals to deal which tend to create or maintain market power.

According to the FTC, the statement was intended as a guide to the public, business community, and antitrust practitioners by laying out principles defining whether business practices constitute unfair methods of competition under Section 5 of the FTC Act. In reality, however, the statement merely advises the public that the FTC has interpreted Section 5 in a manner that expands the scope of its powers by punishing additional conduct. It does not offer much in the way of practical guidance.

The policy statement has already been widely criticized, including by Commissioner Wilson. In her dissenting statement, Commissioner Wilson points out some of the statement’s practical shortcomings.4 It does not (1) “provide clear guidance to businesses seeking to comply with the law,” (2) “provide a framework that will result in credible enforcement,” or (3) “address the legislative history [of Section 5] that . . . cautions against an expansive approach to enforcing Section 5.”5 Commissioner Wilson argues that the statement “announces that the Commission has the authority summarily to condemn essentially any business conduct it finds distasteful.”6 Chair Khan responded, calling Commissioner Wilson’s concerns “misplaced” because the FTC intends only to enforce the law, and because the policy statement “identifies the framework and factors the Commission will consider when determining whether a business practice constitutes an ‘unfair method of competition.’”7

The U.S. Chamber of Commerce also critiqued the policy statement, referring to it as “a pure political power grab designed to give Chair Khan carte blanche control over when, where, and how companies compete.”8 The Chamber of Commerce went on to say that the “FTC’s decision to reject decades of bipartisan consensus and declare itself the nation’s economic czar will discourage healthy competition and damage America’s competitiveness.” Other organizations—Demand Progress, the American Economic Liberties Project, and the Open Markets Institute—have celebrated the FTC’s move, stating that the FTC will now be better equipped to combat anticompetitive practices.9

In sum, the FTC has further delineated what it perceives to be actionable conduct, as part of its efforts to prosecute any and all types of anticompetitive conduct. The scope of the FTC’s ability to secure judgments against companies under this new Section 5 policy will become clearer over time as companies challenge the FTC’s actions. In the meantime, companies should be particularly mindful of ways in which they can curb anticompetitive conduct and mitigate Section 5 liability, including by conducting antitrust compliance reviews or health checks. Companies can and should consult counsel before engaging in conduct that may fall under the FTC’s expanded interpretation of its enforcement powers. Please reach out to us if we can be of assistance in considering how the FTC’s Section 5 interpretation will affect your company’s antitrust policies and procedures.


1 Fed. Trade Comm’n, Policy Statement regarding The Scope of Unfair Methods of Competition under Section 5 of The Federal Trade Commission Act (2022).
2 Comm’r Christine S. Wilson, dissenting statement regarding the “Policy statement regarding the scope of unfair methods of competition under Section 5 of The Federal Trade Commission Act” (2022).
3 15 U.S.C. § 45.
4 Comm’r Wilson, dissenting statement.
5 Id.
6 Id.
7 Chair Lina M. Khan, joined by Comm’rs Rebecca Kelly Slaughter & Alvaro M. Bedoya, statement on the adoption of the statement of Enforcement Policy regarding Unfair Methods of Competition under Section 5 of the FTC Act (2022).
8 Neil Bradley, Federal Trade Commission’s Section 5 Guidance Will Discourage Competition and Damage America’s Competitiveness, U.S. Chamber of Com. (Nov. 10, 2022).
9 See, e.g., Press Release, American Economic Liberties Project, FTC Charges Path Forward to Combat Anticompetitive Behavior Across Markets (Nov. 10, 2022); Press Release, Open Markets, Open Markets Applauds the FTC’s New Landmark Policy Statement on Policing Unfair Methods of Competition Policy (Nov. 10, 2022).

The post United States: FTC expanding scope of unfair competition appeared first on Global Compliance News.


In brief

At COP 27 in November 2022, South Africa launched its new Just Energy Transition Investment Plan (JET IP) and announced a five-year investment plan for the USD 8.5 billion financing package, which was announced as part of the country’s Just Energy Transition Partnership with France, Germany, the United Kingdom, the United States and the European Union at COP 26. The JET IP is aligned with the Cabinet-approved National Just Transition Framework and outlines the investments required to achieve the country’s decarbonization commitments, while promoting sustainable development, and ensuring a just transition for affected workers and communities.

In depth

During the World Leaders’ Summit at COP 27 in November 2022, South African President Cyril Ramaphosa launched the new Just Energy Transition Investment Plan (JET IP) for South Africa. At COP 26 in November 2021, it was first announced that the governments of France, Germany, the United Kingdom, the United States and the European Union had pledged USD 8.5 billion in first round financing to assist South Africa with energy transition projects as part of the Just Energy Transition Partnership (JETP) between the countries. In October 2022, the South African cabinet approved a five-year investment plan for the USD 8.5 billion package.

The Just Energy Transition Investment Plan (JET IP)

The JET IP is aligned with the Cabinet-approved National Just Transition Framework. The South African government said the plan outlined the investments required to achieve the country’s decarbonization commitments, while promoting sustainable development, and ensuring a just transition for affected workers and communities – in other words, a whole society approach.

The JET IP covers electricity, new energy vehicles (NEVs) and green hydrogen and identifies USD 98 billion in financial requirements over the next five years, to come from both the public and private sectors. The goal of the JET IP is to decarbonize the South African economy to within the NDC target range of 350-420 MtCO2 by 2030, in a just manner. The JET IP is centered on decarbonization, social justice, economic growth and inclusivity, and governance. The investment criteria for the Plan include projects that deliver on greenhouse gas emissions reduction and just transition outcomes, and are catalytic in nature and ready to implement.

Key investments under the JET IP will include: 

  • Electricity – Decommissioning (repowering and repurposing with clean technologies), transmitter grid strengthening and expansion, and renewable energy.
  • New Energy Vehicles – Decarbonizing the automotive sector and supporting supply chain transition towards green sustainable manufacturing.
  • Gaseous Hydrogen (GH2) – Essential planning and feasibilities including port investment to enhance exports and boost employment and GDP.
  • Cross-cutting – Investment in skills development and municipalities.

Also at COP 27, Masopha Moshoeshoe, a green economy specialist in the Presidency’s Investment and Infrastructure Office, said that the country was seeking to attract investment worth USD 250 billion for the development of its green hydrogen energy economy by 2050. Moshoeshoe said the industry could create around 1.4 million jobs and USD 30 billion in annual revenue by 2050, but that renewable-power generation capacity of between 140,000 MW and 300,000 MW was needed to supply the green hydrogen sector. The country currently has renewable energy capacity of around 40,000 MW.

Just transition

In South Africa, there is a requirement to build economic and social resilience to meet the NDC targets, and to manage transition risks and ensure social preparedness as the country diversifies its energy mix and grows new industries. A just transition takes into account the requirement to balance the reduction of carbon emissions with the impact of this transition on employment and the need to develop long-term green energy jobs, especially in respect of impacted communities that have a current heavy reliance on fossil fuels. There is also a need to recognize location and sector-specific vulnerabilities (such as care, preparation and social infrastructure) and intergenerational effects. 

Coal remains the primary source of energy for the country, but in order for South Africa to reach its reduction in carbon emission targets, this must change. Reskilling the existing workforce and educating the future workforce is also essential. South Africa updated its NDC under the Paris Agreement in 2021 and now has a proposed revised target range of 398 to 510 Mt CO2-eq for 2025, and 398 to 440 Mt CO2-eq for 2030. 

Policy developments

There have been a number of policy developments to assist South Africa with its energy transition. The National Development Plan (NDP), the draft Integrated Energy Plan (IEP), the Renewable Energy White Paper, the Nationally Determined Contribution (NDC), the Just Transition Framework, and enabling policies under development and in implementation, outline the policy foundation for energy transition in South Africa and the move away from carbon-fueled energy. The Integrated Resource Plan (IRP) 2019 covers the government’s plans for power until 2030 and outlines a decreased reliance on coal-powered energy and an increased focus on a diversified energy mix that includes renewable energy, distributed generation and battery storage.

The Renewable Energy Independent Power Producer Procurement Program (REIPPPP), introduced in 2011, outlined the procurement of renewable energy in the country. The sixth round of the REIPPPP kicked off in 2022 and this round aims to procure 2.6 GW of solar and wind power. To incentivize the self-generation of renewable energy, the South African government has also indicated that it proposes to scrap the threshold for distributed energy generation of 100 MW, meaning that large-scale power plants in excess of 100 MW could be built without a license, to meet their own demand and to sell to the grid. Other developments include, inter alia, the South African Automotive Master Plan, the Climate Change Bill, the South Africa Green Taxonomy and carbon tax increases. Further policies such as the National Energy Efficiency Strategy and the Green Transport Strategy also have a role to play in ensuring the country meets its climate change targets and reduces its carbon emissions.

Trading in carbon offsets in the carbon market, where companies can pay other entities to offset their emissions for them, is also growing in popularity in emerging markets. In August 2022, the Johannesburg Stock Exchange announced that it was investigating the possibility of introducing a carbon trading market in South Africa. 

In February 2022, the South African Hydrogen Society Roadmap (HSRM) was published by the South African government. The Roadmap is considered to be an important marker on its path towards implementing hydrogen development, which is envisaged to be at the center of South Africa’s strategy for economic growth and mitigating climate change.

As part of a diversified energy mix strategy, Eskom also recently identified eighteen independent power producer bids in terms of an auction relating to the use of vacant land it owned in Mpumalanga, situated in proximity to its coal-fired power stations, with direct access to the national transmission network that will enable wheeling. The projects will add approximately 1,800 MW of renewable power to the South African grid. 

Further, recent amendments to the Electricity Regulation Act were proposed by the Department of Minerals Resources and Energy and are likely to address, inter alia, the electricity supply deficit, the vertical structure of the market and the lack of competition, the introduction of a multi-market including independent power producers (IPPs), and the formation of a central purchasing agency. The amendments will also address the introduction of a day-ahead market to accommodate hourly supply and demand, the direct procurement of power by municipalities, the increase in the threshold pertaining to self-generation, the need to accommodate low carbon-emitting generation technologies, the timing of licensing applications, changes in transmission system operation including power trading, and the creation of additional regulatory capability. The strategy aims to accelerate affordable, decentralized, diversely owned renewable energy systems.

The lack of access to affordable and secure power has had a significant impact on the private sector in South Africa for some time, and the country’s energy policy developments, which are aligned with the global energy transition towards a clean and decentralized energy system, have been welcomed as a means to improve access to decarbonized, affordable renewable energy that takes into account the country’s carbon reduction commitments and economic growth requirements based on a just transition.

The post South Africa: The latest developments in Just Energy Transition appeared first on Global Compliance News.


On October 28, 2022, the US Commerce Department’s Bureau of Industry and Security (“BIS”) issued a first round of FAQs regarding the advanced computing and semiconductor manufacturing Interim Final Rule, published on October 13, 2022 (87 Fed. Reg. 62,186) (the “Rule”) and amending the Export Administration Regulations (“EAR”).  The FAQs are available here and the Rule is available here.  Our blog post related to the Rule is located here.

The FAQs address certain questions around: (i) the geographic scope of the Rule; (ii) the definition of “facility” under the Rule; (iii) the deemed export and reexport implications of the Rule; (iv) the definition and controlled activities of US persons under § 744.6(c) as they relate to the Rule; (v) licensing and the license review policy for the Rule; and (vi) the Rule’s implications for end items with encryption functionality classified under new ECCNs 3A090 and 4A090.

Geographic Scope

The FAQs clarify that the new restrictions on exports and reexports to China also apply to Hong Kong.  The new restrictions, however, do not apply to Macau, as BIS treats Macau as a distinct destination from China.  Therefore, Macau is not subject to the same license requirements that are specific to China.  Nonetheless, BIS encourages exporters and reexporters to conduct due diligence and be aware of red flags when shipping to Macau.

Meaning of “Facility”

The FAQs indicate that exporters and reexporters may rely on the definition of “facilities” under § 772.1 of the EAR: “a building or outdoor area in which people use an item that is built, installed, produced, or developed for a particular purpose.”  Thus, a semiconductor fabrication “facility” is a building where the production at the restricted technology level occurs.  The Rule does not, however, cover subsequent steps at facilities (e.g., assembly, test, and/or packaging) that do not alter the technology levels.

BIS also clarified that under § 772.1 of the EAR, the definition of “facilities” is considered at the “building” level.  Thus, if a building/facility contains both a restricted line of production and an unrestricted line of production, the entire building/facility is subject to the Rule.  Exporters and reexporters should exercise due diligence and be aware of red flags when shipping to an unrestricted building located at a property that also has a restricted building on the same campus.

Deemed Export and Reexport Implications

The new regional security (“RS”) controls applicable to China for advanced computing and semiconductor manufacturing items (see EAR § 742.6) do not apply to deemed exports or reexports.  The BIS FAQs remind companies that all of the relevant new ECCNs and associated technology/software controls are also controlled for anti-terrorism (“AT”) reasons, such that deemed export/reexport considerations still apply where AT controls are implicated (e.g., for deemed exports to nationals of Cuba, Iran, North Korea, and Syria.)  

BIS reiterated its position that a foreign person who lawfully received newly controlled technology or software source code prior to the effective date of the Rule does not require a new license or authorization.  However, subsequent authorization is required for that foreign person when receiving controlled technology or software source code different than the material received lawfully by that foreign person, even if classified under the same ECCN.

US Person Activities

With respect to the new “is informed” controls on US person activities in § 744.6(c)(2) of the EAR, BIS clarified that such controls do not extend to all US person activities.  BIS advised that these restrictions do not apply to US persons conducting administrative or clerical activities (e.g., arranging for shipment or preparing financial documents) or otherwise implementing a decision to approve a restricted shipment, transmittal, or in-country transfer, or “development” or “production” activities that are not directly related to the provision or servicing of specified items for advanced fabrication facilities in China, absent evidence of knowledge of a violation by those persons.

Licensing and License Review Policy

BIS clarified that licenses previously issued for items now captured under one of the new ECCNs will remain valid until their expiration dates, absent any license-specific BIS action to suspend, revoke, or impose additional conditions on the previously issued licenses.  Companies that have been granted BIS authorization to continue their operations in China for a limited period should provide a copy of any such authorization to suppliers and customers to jointly determine if their potential transaction would meet the terms and conditions of the authorization.

Implications for End Items with Encryption Functionality

Under the new Rule, ECCNs 5A992 and 5D992 items that meet or exceed the parameters of ECCN 3A090 or 4A090 are subject to the license requirement and review policy for ECCNs 3A090 and 4A090 under § 742.6(a)(9) of the EAR.  These items are also subject to the restrictions and requirements of Category 5 Part 2 of the Commerce Control List in Supplement No. 1 to Part 774 of the EAR.  Additionally, License Exception ENC is not available for computers, integrated circuits, “electronic assemblies,” or “components” not specified in § 740.2.(a)(9)(i) of the EAR that meet or exceed the parameters of ECCN 3A090 or 4A090.

The authors thank Rob O’Brien for contributing to this blog post.

The post United States: BIS issues FAQs regarding China’s advanced computing and semiconductor sectors appeared first on Global Compliance News.


In brief

In less than two months, on 1 January 2023, the California Consumer Privacy Act (CCPA) as revised by the California Privacy Rights Act (CPRA) will take effect fully in the job applicant and employment context.

With respect to job applicants and personnel, businesses subject to the CCPA will be required to (i) issue further revised privacy notices, (ii) be ready to respond to data subject requests, (iii) have determined if they sell or share for cross-context behavioral advertising personal information about them, and (iv) have determined if they use or disclose sensitive personal information about them outside of specific purposes. If employers sell, share for cross-context behavioral advertising, or use or disclose sensitive personal information outside of limited purposes, numerous additional compliance obligations apply. See also our related previous post: Employers Must Prepare Now for New California Employee Privacy Rights.

Here are some key recommendations on what employers should do now

1. Review contracts with parties to whom you disclose personal information about applicants and personnel. The CCPA prescribes certain types of clauses that have to appear in agreements between parties exchanging personal information, and you will have to include certain data processing clauses if you do not want to be considered to be “selling” (which the CCPA defines to mean disclosing in exchange for monetary or valuable consideration) or “sharing” (which the CCPA defines to mean disclosing for the purposes of cross-context behavioral advertising) personal information and offer related opt-out processes. It is not practical for employers to offer opt-out rights in most scenarios, due to the CCPA’s non-discrimination requirements. The CCPA regulations, which are currently being revised by the California Privacy Protection Agency (latest draft as of this publication is available here), include additional requirements. Businesses should continue to update such contracts with the parties to which they disclose personal information.

2. Prepare/revise notices at collection and include HR data in your online CCPA Privacy Policy. Notices at collection in the employment context have been required under the CCPA since 2020, but new specific disclosure requirements apply from 1 January 2023. Your comprehensive online CCPA privacy policy will also have to reflect your processing of HR data. You should consider updating/preparing a privacy notice at collection that is specific to the CCPA and separate from any privacy notice you might use to address privacy laws in other jurisdictions, since California laws establish increasingly unique requirements and use unique terms that may be difficult to reconcile with those of other jurisdictions (from 1 January 2023, businesses must use specific terms from the CCPA to describe categories of personal information in all notices at collection). At the same time, you have to be mindful of setting or negating privacy expectations. If you issue privacy notices to job applicants and personnel that merely address CCPA disclosure requirements, the recipients of such notices may develop privacy expectations that could later hinder you in conducting investigations or deploying monitoring technologies intended to protect data security, co-workers, trade secrets and compliance objectives.

3. Prepare/update and document your data subject request program and train HR professionals. Your job applicants and personnel who reside in California will gain data access, portability, correction, deletion and other rights in 2023. You should implement protocols and training to ensure that your HR, compliance and similar teams can deal with their requests in a consistent, timely and compliant manner. Any email, spreadsheet, contract or other document that refers to a California-based employee constitutes their “personal information” which you may have to produce in response to an access request, free of charge. To keep track of where information is stored while reducing the amount of data potentially subject to data access requests, you should work on tightening your data retention and deletion protocols. This will also help you comply with CCPA’s new data minimization requirements. Documenting your program is important because the draft regulations also define the concept of “disproportionate effort” within the context of a business responding to a consumer request. Disproportionate effort is defined as the time and/or resources expended by a business to respond to an individualized request significantly outweighing the reasonably foreseeable impact to the consumer by not responding, taking into account applicable circumstances. Under the draft regulations, a business can only claim disproportionate effort as an exemption to the duty to respond to a data subject request if they have in place adequate processes and procedures to receive and process consumer requests in accordance with the CCPA and its regulations. The draft regulations give examples of circumstances that may amount to disproportionate effort and businesses should consider as part of the fact-gathering involved in preparing required privacy notices to also document when it would amount to a disproportionate effort to identify particular information in response to a data subject request and why. 

4. Consider whether and the extent to which you process “sensitive personal information”, such as if you use employee monitoring software, and address related CCPA requirements. California residents will have the right to request that businesses stop using and disclosing their “sensitive personal information” outside of specific purposes. CCPA defines “sensitive personal information” to include, among other things, government identifiers, precise geolocation data, information on racial or ethnic origin, religious or philosophical beliefs, and the contents of a California resident’s mail, email and text messages addressed to someone other than the business. If you process sensitive personal information outside of the specific purposes, you have to post a link titled “Limit the Use of my Sensitive Personal Information” online. CCPA may also require you to engage in privacy risk assessments and allow California residents to opt-out of automated decision-making activities in certain situations. Diversity and Inclusion data often contains sensitive personal information and employers should consider if they run programs that could trigger rights to limit use or disclosure of such information (see our thoughts on Running a privacy compliant inclusion and diversity program globally). The newly established California Privacy Protection Agency is in the process of clarifying some of these requirements and some are addressed in its draft revisions to the CCPA regulations (the limited purposes for which sensitive personal information may be used and disclosed without triggering a right to limit are listed in subsection 7027(m) of the November 2022 version of the draft regulations). We recommend that you stay abreast of such developments to ensure that your HR data processing activities comply. Visit our California privacy law blog for our take on developments. 


The California Attorney General’s Office currently enforces CCPA, and the California Privacy Protection Agency will have the power to bring administrative enforcement actions under CCPA starting 1 July 2023. The authorities can investigate violations, hold hearings, issue cease-and-desist orders, and impose administrative fines of up to USD 7,500 for each intentional violation. Currently, CCPA requires the California Attorney General’s Office to give a business a 30-day cure period before bringing enforcement actions. Starting 1 July 2023, the California Attorney General’s Office and California Privacy Protection Agency will be able to bring enforcement actions without delay.

The post United States: California Privacy Law action items for employers appeared first on Global Compliance News.


Baker McKenzie’s Sanctions Blog published the alert titled OFAC reissues general license extending authorization period for transactions related to energy on 11 November 2022. Read the article via the link here. Please also visit our Sanctions Blog for the most recent updates.

The post United States: OFAC reissues general license extending authorization period for transactions related to energy appeared first on Global Compliance News.