European Union Finally Adopts Corporate Sustainability Due Diligence Directive

by Samantha Rowe, Patricia Volhard, Jin-Hyuk Jang, John Young, Ulysses Smith, Jesse Hope, Harry Just, and Andrew Lee

Photos of the authors

Top left to right: Samantha Rowe, Patricia Volhard, Jin-Hyuk Jang and John Young. Bottom left to right: Ulysses Smith, Jesse Hope, Harry Just and Andrew Lee. (Photos courtesy of Debevoise & Plimpton LLP)

On 24 May 2024, the European Council (the “Council”) formally adopted the Corporate Sustainability Due Diligence Directive (the “CSDDD” or the “Directive”). The regime introduces human rights, environmental and governance due diligence obligations for in scope companies’ and their subsidiaries’ operations, and in their “chain of activities”, which are companies’ supply and distribution chains.

Continue reading

The Need to Integrate Externalities, Market Failures, and Collective Action Problems in Antitrust Analysis—Thoughts on the US House Judiciary Committee Report on ESG Investigation and the Rebuttal Report

by Maurits Dolmans

Photo of the author.

Photo courtesy of Cleary Gottlieb Steen & Hamilton LLP.

On June 11, 2024, the US House Judiciary Committee released an interim staff report titled “Climate Control: Exposing the Decarbonization Collusion in Environmental, Social and Governance (ESG) Investing” (the “Majority Report). This was followed by a hearing by the House Judiciary Committee on June 12.

The Majority Report contains strongly worded conclusions.  It argues that a “climate cartel’ of left-wing environmental activists and major financial institutions has colluded to force American companies to ‘decarbonize’ and reach ‘net zero.’”  Organizations like Climate Action 100+, Ceres, CalPERS, and Arjuna, for instance, allegedly “declared war on the American way of life,” to limit how Americans “drive, fly, and eat.”  They did this “by forcing corporations to disclose their carbon emissions, to reduce their carbon emissions, and … handcuffing company leadership and muzzling corporate free speech and petitioning.”  Employing nice alliteration, it is said they “collude to kill carbon.”  It is suggested that corporate compliance with the goals of the Paris Agreement raises prices to American consumers—ignoring the OPEC+ output reductions, the wars in Ukraine and the Middle East, and the Houthi attacks on shipping, but also the long-term costs of climate change, the findings of the International Energy Agency that no new fossil fuel development is needed to meet current and expected demand, and that renewables and nuclear energy are increasingly cheaper than fossil fuels.  The Majority Report boasts of the effect of antitrust threats in causing firms to shy away from cooperation to mitigate the climate risk.

Continue reading

US Antitrust Regulators Threaten Ephemeral Messaging Users and Their Counsel with Obstruction Charges

by Jeremy Calsyn, Nowell Bamberger, Charles P. Balaan, and Joseph M. Kay

Photos of authors

Left to right: Jeremy Calsyn, Nowell Bamberger, Charles P. Balaan, and Joseph M. Kay (photos courtesy of Cleary Gottlieb Steen & Hamilton LLP)

In recent months, federal regulators have made statements that companies and their counsel may be subject to criminal prosecution if they fail to preserve ephemeral messaging data when they receive a subpoena or other legal process.  In January 2024, the Deputy Assistant Attorney General for Criminal Enforcement at the DOJ Antitrust Division warned “failure to produce” ephemeral messaging may result in obstruction charges.[1]  Speaking at the ABA Antitrust Spring Meeting in April 2024, a lawyer for the Antitrust Division echoed that the DOJ “will not hesitate to bring obstruction charges” against company counsel and their clients if clients fail to properly retain so-called “ephemeral messages.[2]  This is consistent with other recent warnings from the DOJ.[3]

The agencies’ focus on features of ephemeral messaging, which they argue can be used to hamper investigations, ignores the fact that ephemeral messaging applications have a legitimate role in the workplace where data security and management is paramount.  Despite the advantages of ephemeral messaging, clients should be aware of the legal and other risks presented by these applications and implement clear information retention policies that account for the organization’s duty to preserve information for litigation and government investigations. 

Continue reading

Recently Enacted AI Law in Colorado: Yet Another Reason to Implement an AI Governance Program

by Avi GesserErez Liebermann, Matt KellyMartha HirstAndreas Constantine PavlouCameron Sharp, and Annabella M. Waszkiewicz

Photos of the authors.

Top left to right: Avi Gesser, Erez Liebermann, Matt Kelly, and Martha Hirst. Bottom left to right: Andreas Constantine Pavlou, Cameron Sharp, and Annabella M. Waszkiewicz. (Photos courtesy of Debevoise & Plimpton LLP)

On May 17, 2024, Colorado passed Senate Bill 24-205 (“the Colorado AI Law” or “the Law”), a broad law regulating so-called high-risk AI systems that will become effective on February 1, 2026.  The law imposes sweeping obligations on both AI system deployers and developers doing business in Colorado, including a duty of reasonable care to protect Colorado residents from any known or reasonably foreseeable risks of algorithmic discrimination.

Continue reading

Succor Borne Every Minute

by Michael Atleson

Federal Trade Commission

Earnest chats with objects are not so unusual. Mark “The Bird” Fidrych, the famed Detroit Tiger, used to stand on the pitching mound whispering to the baseball. Forky, the highly animate utensil from Toy Story 4, once posed deep questions about friendship to a ceramic mug. And many of us have made repeated queries of the Magic 8 Ball despite its limited set of randomly generated answers.

Our talking to computers also goes way back, and that history is getting weirder. We’re seeing a wave of avatars and bots marketed to provide companionship, romance, therapy, or portals to dead loved ones, and even meet religious needs. It may be a function of AI companies making chatbots better at human mimicry in order to convince us that chatbots have social value worth paying for. Consider that some of these companies compare their products to magic (they aren’t), talk about the products having feelings (they don’t), or admit they just want people to feel that the products are magic or have feelings.

Continue reading

DOJ National Security Division Issues First-Ever Declination Under Enforcement Policy

by Satish M. Kini, David A. O’Neil, Jane Shvets, Rick Sofield, Douglas S. Zolkind, Carter Burwell, Connor R. Crowley, and Hillary Hubley

Photos of the authors

Top left to right: Satish M. Kini, David A. O’Neil, Jane Shvets, and Rick Sofield. Bottom left to right: Douglas S. Zolkind, Carter Burwell, Connor R. Crowley, and Hillary Hubley. (Photos courtesy of Debevoise & Plimpton LLP)

Key Takeaways

  • Even in criminal national security matters, early self-reporting, remediation and cooperation can enable companies to avoid prosecution and penalties.
  • Federal enforcement agencies are continuing to collaborate in investigating and prosecuting criminal cases at the intersection of national security and corporate crime.
  • Multinational corporations and academic institutions should be aware of the risk of outsiders fraudulently affiliating themselves with legitimate institutions to skirt export control laws.

Continue reading

Land of 10,000 Data Lakes: Minnesota Consumer Data Privacy Act Signed into Law

by Nancy Libin, John D. Seiver, and Jevan Hutson

Photo of the authors.

From left to right: Nancy Libin, John D. Seiver, and Jevan Hutson. (Photos courtesy of Davis Wright Tremaine LLP)

Minnesota is the 18th state to enact a consumer data privacy law.

On May 25, 2024, Minnesota Governor Tim Walz signed the Minnesota Consumer Data Privacy Act (the “Act”), which takes effect on July 31, 2025, for most controllers and on July 31, 2029, for certain postsecondary educational institutions. Minnesota is the 18th state to enact a comprehensive consumer data privacy law.

The Act adopts the same framework as most other state privacy laws but includes several novel provisions, including broader rights for Minnesota residents who are subject to profiling in furtherance of decisions that produce legal or similarly significant effects.

We highlight key aspects of the Act below.

Continue reading

CFPB “Firing On All Cylinders” After Surviving Constitutional Challenge To Funding Structure

by Nowell D. Bamberger, Elsbeth Bennett, and Andrew Khanarian

photos of the authors

From left to right: Nowell D. Bamberger, Elsbeth Bennett and Andrew Khanarian. (Photos courtesy of Cleary Gottlieb Steen & Hamilton LLP)

The Supreme Court recently upheld the Consumer Financial Protection Bureau’s funding structure in a 7–2 decision that will likely pave the way for renewed regulatory activity by the agency in the near future. 

Enacted as part of the Dodd-Frank Act, the CFPB’s unique funding structure permits the agency to annually request an unspecified portion of funds from the Federal Reserve System, subject to an inflation-adjusted cap. In rejecting a constitutional challenge to this funding structure by several trade associations, the Supreme Court held in Consumer Financial Protection Bureau v. Community Financial Services Association of America that the Appropriations Clause merely requires Congress to identify the source and purpose of federal funds, and that Congress’s one-time appropriation for the CFPB in the Dodd-Frank Act meets that minimal constitutional standard. The seven-member majority largely aligned in their reasoning that the Constitution’s text and history, as well as early congressional practice, endorsed funding mechanisms such as this one, and thus provided broad legal support for the fiscal independence of agencies that are delegated substantial powers. As a practical matter, this decision will likely jumpstart long-delayed regulatory and enforcement work at the CFPB, including the vacated payday lending rules that were the subject of this litigation.

Continue reading

Understanding the FTC’s Non-Compete Clause Rule and Its Impact on NDAs

by Joshua H. Lerner, Laura E. Schneider, and Andrew Stauber

photos of the authors

From left to right: Joshua H. Lerner, Laura E. Schneider, and Andrew Stauber (Photos courtesy of WilmerHale)

As we previously reported, the Federal Trade Commission (FTC) announced on April 23, 2024, its Non-Compete Clause Rule (Final Rule), which aims to ban all new post-employment non-competition restrictions and invalidate most existing ones. The Final Rule already has sparked multiple lawsuits seeking to prevent it from taking effect as scheduled on September 4, 2024. The United States District Court for the Northern District of Texas is expected to make a decision in one such lawsuit by July 3, 2024.

As September 4 approaches, many questions remain regarding the potential impact and scope of the Final Rule. This alert focuses on how the Final Rule might affect confidentiality and non-disclosure agreements (NDAs) that employers use to protect their trade secrets and other confidential information.

Continue reading

EU Digital Operational Resilience Act (“DORA”): Incident and Cyber Threat Reporting and Considerations for Incident Response Plans

by Robert MaddoxStephanie ThomasAnnabella M. Waszkiewicz, and Michiko Wongso 

Photos of the authors

Left to right: Robert Maddox, Stephanie Thomas, Annabella M. Waszkiewicz, and Michiko Wongso (photos courtesy of Debevoise & Plimpton LLP)

With the EU Digital Operational Resilience Act (“DORA”) implementation deadline set for January 2025, many financial services firms are spending 2024 preparing for the new regime. Amongst many operational resilience and management oversight requirements, DORA will require covered entities to monitor for, identify, and classify Information and Communications Technology (“ICT”)-related incidents (“incidents”) and cyber threats and report them under certain circumstances to regulators, clients, and the public.

In this post, we take a closer look at DORA’s ICT-related incident and cyber threat reporting obligations (which can require notifications as fast as four hours) and how covered entities can prepare to address them within their existing incident response plans (“IRPs”).

For a more general overview of DORA’s requirements, please see our previous blog post here, along with our coverage of management obligations for covered entities under DORA and how DORA will impact fund managers and the insurance sector in Europe.

Continue reading