The Data Act – the EU’s Bid to “Ensure Fairness in the Digital Environment and a Competitive Data Market” – Has Been Adopted
by Hope Anderson, Clara Hainsdorf, Tim Hickman, Dr. Sylvia Lorenz, and Jenna Rennie

Left to right: Hope Anderson, Clara Hainsdorf, Tim Hickman, Dr. Sylvia Lorenz, and Jenna Rennie (Photos courtesy of White & Case LLP)
On November 27, 2023, the European Union (“EU”) adopted the final text of the Data Act, marking an effort to create a harmonized, cross-sectoral data sharing framework with the stated goal of ensuring fair access to and use of data.
The Data Act is part of the European Data Strategy Package,[1] which aims for the EU to take a leading role in our networked world. Following the Data Governance Act,[2] which facilitates voluntary data sharing by businesses, individuals and the public sector, the Data Act is the second key piece of legislation aiming to make generated data more available for reuse. To that end, the Data Act seeks to maximize the value of data and to stimulate a competitive data market in which open opportunities for data-driven innovations make data more accessible for all.
CISA Releases Revised Draft of Secure Software Development Self-Attestation Form
Left to right: Michael T. Borgia, Andrew M. Lewis, and Patrick J. Austin. (Photos courtesy of Davis Wright Tremaine LLP)
Once Finalized, the Form will Establish Secure Software Development Baselines for Companies that Provide Software to the Federal Government
The Cybersecurity and Infrastructure Security Agency (CISA) has released a revised draft of its Secure Software Development Attestation Common Form (“Form”). The Form, once finalized, will obligate vendors providing software to the federal government to attest to enumerated practices to secure their software, third-party components, and the development environment. Software vendors to federal agencies are advised to review the draft Form and assess their current secure development practices—both for in-house and third-party developed software—against the Form’s relevant attestations and the supporting NIST guidance. Software producers unable to make any of the required attestations should prioritize conforming their software development practices to the Form’s attestations and NIST guidance, and should consider whether to pursue a plan of action and milestones (POA&M) with their federal agency customers once the Form is finalized.
Questions about the “Carrot” and “Stick” Remain: Unpacking DOJ’s New M&A Safe Harbor Policy, Part I
by Joel M. Cohen and Marietou Diouf

From right to left: Joel M. Cohen and Marietou Diouf (Photos courtesy of White & Case LLP)
On October 4, 2023, United States Deputy Attorney General (DAG) Lisa Monaco announced a new Department of Justice (DOJ) Mergers & Acquisitions Safe Harbor policy that encourages companies to self-disclose criminal misconduct discovered by an acquiring company during the acquisition of a target company. Under the policy, the acquiring party will receive a presumption of criminal declination if it promptly and voluntarily discloses criminal misconduct, cooperates with any ensuing investigation, and engages in appropriate remediation, restitution and disgorgement.
The Safe Harbor policy is a clear continuation of the DOJ’s push for corporate voluntary self-disclosure (VSD). But as with many DOJ policy pronouncements, the devil is in the details. It remains unclear what it will take for an acquiring company to obtain the “carrot” DOJ is dangling, and the policy raises questions as to the “stick” the DOJ might wield if a self-disclosure does not achieve safe harbor or, more broadly, if an acquirer fails to identify criminal misconduct in the acquisition process.
The European Court of Justice Tightens the Requirements for Credit Scoring under the GDPR

Professor Katja Langenbucher (photo courtesy of author)
The quality of a credit scoring model depends on the data it has access to. Yesterday, the European Court of Justice (ECJ) decided its first landmark case on data protection in a credit-scoring situation. The court issued a preliminary ruling involving a consumer’s request to disclose credit-score related data against a German company (“Schufa”). The practice of credit reporting and credit scoring varies enormously across Europe. Somewhat similar to the US, the UK has separate credit reporting and scoring agencies. In France, the central bank manages a centralized database that is accessible to credit institutions, which establish their own proprietary scoring models. In Germany, a private company (the “Schufa”) has a de facto monopoly, holding data on 68 million German citizens and establishing the enormously widespread “Schufa” score. Banks look to that score when extending credit, as do landlords, mobile phone companies, utility suppliers, and, sometimes, potential employers. This everyday use stands in stark contrast with a lack of transparency as to which data Schufa collects and how it models the score.
Privacy Experts Share Tips for Managing an Effective Privacy Program from PCCE’s Fall Security, Privacy, and Consumer Protection Conference

Left to Right: James Haldin, Judy Titera, Melissa Harrup, Nicole Friedlander, and Avi Gesser (©Hollenshead: Courtesy of NYU Photo Bureau)
On November 17, 2023, the NYU Law Program on Corporate Compliance and Enforcement (PCCE) hosted a standing-room-only full-day conference on Security, Privacy, and Consumer Protection. The conference addressed issues such as managing effective cybersecurity and privacy compliance programs, the use of “dark patterns” to manipulate consumer choices, whether privacy regulation and enforcement actions actually prompt firms to update their privacy policies, and the new amendments to the New York Department of Financial Services cybersecurity rules. A full agenda of the conference, along with speaker bios, is available here. In this post, several participants from the panel on Managing an Effective Privacy Program in a Time of Increasing Regulatory and Legal Risk share further thoughts on the issue.
The EU AI Act – Navigating the EU’s Legislative Labyrinth
by Avi Gesser, Matt Kelly, Martha Hirst, Samuel J. Allaman, Melissa Muse, and Samuel Thomson

From left to right: Avi Gesser, Matt Kelly, Martha Hirst, Samuel J. Allaman, and Melissa Muse. Not pictured: Samuel Thomson. (Photos courtesy of Debevoise & Plimpton LLP).
As legislators and regulators around the world are trying to determine how to approach the novel risks and opportunities that AI technologies present, the draft European Union Artificial Intelligence Act (the “EU AI Act” or the “Act”) is a highly anticipated step towards the future of AI regulation. Despite recent challenges in the EU “trilogue negotiations”, proponents still hope to reach a compromise on the key terms by 6th December, with a view to passing the Act in 2024 and most of the provisions becoming effective sometime in 2026.
As one of the few well-progressed AI-specific laws currently in existence, the EU AI Act has generated substantial global attention. Analogous to the influential role played by the EU’s GDPR in shaping the contours of global data privacy laws, the EU AI Act similarly has the potential to influence the worldwide evolution of AI regulation.
This blog post summarizes the complexities of the EU legislative process to explain the current status of, and next steps for, the draft EU AI Act. It also includes steps which businesses may want to start taking now in preparation for incoming AI regulation.
$10 Million Penalty Against D.E. Shaw a Major Step in SEC’s Enforcement of Rule 21F-17(a)

Benjamin Calitri (Photo courtesy of Kohn, Kohn & Colapinto LLP)
The SEC recently charged an investment advisor, D. E. Shaw, with Rule 21F-17(a) violations for including clauses in their employment and severance agreements that prohibited whistleblowing. For these violations, D.E. Shaw was fined $10 million. This is a significant development for enforcement of Rule 21F-17(a) as it is over twenty times larger than the previous highest penalty for a Rule 21F-17(a) violation.
It remains to be seen whether sanctions of this size are the new normal for Rule 21F-17(a) actions, but the D.E. Shaw case is undoubtedly a major development. The action dramatically changes the cost-benefit analysis for companies seeking to use contracts to silence whistleblowers and sends a clear message that the SEC is taking violations of Rule 21F-17(a) seriously.
An Ounce of Prevention is Worth a Pound of Cure . . . or an Imposed Compliance Monitorship: A Fresh Look at the DOJ’s Corporate Enforcement Toolkit Applied to Sanctions and Export Controls Enforcement
by Brent Carlson and Michael Huneke

From left to right: Brent Carlson and Michael Huneke (Photos courtesy of authors)
In our last article, we discussed the evolution of export controls penalties.[1] Beyond monetary penalties, the U.S. Department of Justice (“DOJ”) has additional items in its corporate enforcement toolkit that dramatically increase the cost of non-compliance. These include the DOJ’s new policies requiring companies to claw back or withhold executive compensation, requiring CEOs and chief compliance officers to make pre-release compliance certifications, and expanding the grounds for appointing independent compliance monitors.
Such corporate enforcement trends significantly increase the value of making front-end investments to avoid the “pound of cure.” In this post, we take a “fresh look” at these trends with an eye towards sanctions and export controls enforcement and offer practical guidance for dealing with them.
Former Prosecutors and Crypto Experts Comment on the Binance/Changpeng Zhao Enforcement Actions
The NYU Program on Corporate Compliance and Enforcement (PCCE) is following the recent federal enforcement actions against Binance, the world’s largest cryptocurrency exchange, and its founder Changpeng Zhao. In this post, crypto experts, former prosecutors, and the former Superintendent of the New York Department of Financial Services offer their expert insights on these developments.

Left to right: Maria Vullo, Eugene Ingoglia, Daniel Payne, Ijeoma Okoli, and Paul Krieger (Photos courtesy of authors)