The final version of the California Consumer Privacy Act of 2018 is coming into view.

On October 10, California’s Attorney General released the long-anticipated draft regulations to implement the CCPA, and on October 12, the Governor signed into law five amendments to the CCPA passed during the 2019 legislative session.  (We previously discussed the CCPA here and the amendments here.)  While the Regulations are currently subject to public comment and may be further modified by the Attorney General in response to such comments, the shape of the law that will come into effect on January 1 seems largely in place.

Given the scope of the Regulations and some unanticipated new requirements they contain, this alert memorandum provides a guide for understanding the Regulations by (i) highlighting some welcome clarifications included in the Regulations; (ii) identifying unexpected new obligations they impose; (iii) describing inconsistencies between the Regulations and the CCPA; and (iv) discussing other provisions in the Regulations that implement the CCPA.

Please click here to read the full memorandum.

On October 11, 2019, the leaders of the Commodity Futures Trading Commission, Financial Crimes Enforcement Network, and Securities and Exchange Commission issued a joint statement to remind businesses that engage in digital asset activities of their anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”) obligations under the Bank Secrecy Act (“BSA”).

As market participants increasingly become involved with digital assets and related activities or services, the agencies clarified that their regulatory treatment is determined by the underlying facts, circumstances, uses, and economic realities, and not the label or terminology used to describe them.

In addition to providing a brief overview of the AML/CFT obligations that apply to certain market participants, the statement also emphasized that the nature of companies’ digital asset-related activities is the key factor in determining their registration requirements with the respective agencies. Each agency further highlighted particular concerns:

  • The CFTC reminded introducing brokers and futures commission merchants that they are required to report suspicious activity and implement reasonably-designed AML programs. These requirements apply to digital assets that qualify as commodities or which are used as derivatives, and to activities that are not subject to regulation under the Commodity Exchange Act.
  • The SEC informed broker-dealers and mutual funds of their similar obligations and that the rules are not limited in their application to activities involving digital assets that qualify as securities under the federal securities laws. It also noted that securities market participants that transactions in digital assets present similar or additional risks, including AML/CFT risks, as transactions in cash and cash equivalents.
  • FinCEN called attention to its May 2019 interpretive guidance describing the application of FinCEN regulations governing money services businesses to certain business models involving money transmissions denominated in convertible virtual currencies. FinCEN also clarified that “any person ‘registered with, and functionally regulated or examined by, the SEC or the CFTC,’ would not be subject to the BSA obligations applicable to MSBs, but instead . . . would be subject to the BSA obligations of such a type of regulated entity.”

On October 3, 2019, the governments of the United Kingdom and United States signed the first-ever executive agreement governing cross-border data requests (the “Agreement”) pursuant to the US Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”).[1]  As contemplated by the CLOUD Act, the Agreement provides a mechanism for the governments to access and share data stored abroad by electronic communications services providers (“CSP”) in their respective countries in a timely manner.  The Agreement will enter into effect following a 180 day Congressional review period required by the CLOUD Act and a similar review by the UK Parliament.    Continue Reading United Kingdom and United States Governments Sign First-Ever CLOUD Act Agreement

On September 24, 2019[1], the Court of Justice of the European Union (the “CJEU”) handed down its much anticipated follow-on judgment[2] in connection with an individual’s right to have links removed from search results displayed following a search of that individual’s name on Google’s search engine.

Building on its recognition of a “right to de-referencing” in its landmark 2014 Google Spain judgment[3] (establishing the so-called “right to be forgotten” or “RTBF”), the CJEU now further clarified the territorial scope of such right, and limited the de-referencing obligation to Google’s search engine websites corresponding to EU Member States, as opposed to all domain name extensions (e.g., the obligation applies to domain names with top-level domain (“TLDs”) corresponding to EU Member States, such as “google.fr” for France or “google.be” for Belgium). The Court added that Google may need to use, “where necessary”, measures effectively preventing or seriously discouraging an internet user from accessing (on other versions of the search engine, which are not subject to the de-referencing obligation) the links at issue from an EU Member State. As a consequence, Google has no obligation to remove the links at issue on all Google websites worldwide (such as on “google.com”), but may need to implement sufficiently effective measures to prevent Internet users from accessing the links from the EU. Continue Reading RTBF Stops at the Border: CJEU Sides with Google on the Scope of De-Referencing

On September 18, 2019, the Securities and Exchange Commission (“SEC”) filed its first civil suit alleging violations of broker-dealer registration requirements in U.S. digital asset markets.  In a case filed in the U.S. District Court for the Central District of California, the SEC alleged that Defendants ICOBox and its founder, Nikolay Evdokimov, illegally conducted an unregistered public securities offering for their 2017 initial coin offering (“ICO”), and have operated an unregistered brokerage service facilitating the launch of ICOs in digital asset securities since 2017. Continue Reading SEC Files First Suit Against Alleged Unregistered Broker-Dealer Operating in Digital Asset Markets

Global Crisis Management Series:  This post is part 12 in a series concerning topics further elaborated on in Cleary Gottlieb’s Global Crisis Management Handbook—a desk reference for spotting issues and avoiding common mistakes when faced with a crisis.  The current version is available here.

One critical issue to consider in responding to an investigative request is whether by producing the requested data, the company will be waiving a privilege or violating legal confidentiality obligations, including data privacy restrictions.  To avoid inadvertently waiving protections over the company’s information or violating any legal restrictions on the production, companies should consider whether any of the following are implicated by the information requested by the authority: Continue Reading Before You Press Send: Protecting Privilege and Complying With Limitations on Data Dissemination When Responding to an Investigative Request

California’s 2019 legislative session has drawn to a close with passage of five amendments to the California Consumer Privacy Act (CCPA) during the final days of the session.  Assuming that the bills are timely signed by the Governor before the October 13 deadline, businesses will finally have the complete version of the statute that will come into effect January 1, 2020 (with the exception of regulations expected to be issued by the California Attorney General in the coming months).

The amendments, which were contained in Assembly Bills 25, 874, 1146, 1355 and 1564, provide some relief in the compliance burden placed on businesses in certain areas, such as with respect to employee and B2B data, as well as some helpful clarifications and clean ups to the CCPA.  However, the legislature left the law largely intact, and covered businesses face significant challenges in meeting the law’s requirements by January 1.  Moreover, some of the most significant changes are only temporary, setting the scene for additional amendments in next year’s legislative session.

Please click here to read the full alert memorandum.

While the EU General Data Protection Regulation 2016/679 (the “GDPR”) has grabbed headlines due to its extraterritorial reach and administrative fining regime (which permits fines for non-compliance up to the higher of €20 million or 4% of global, annual turnover),[1] a recent decision in the Northern District of California – Finjan v. Zscaler (“Finjan”)[2] – suggests that U.S. Courts won’t view the EU data protection legislation as an absolute obstacle to domestic discovery.  Finjan, as the first post-GDPR ruling of its kind, suggests that it will be business as usual navigating between U.S. civil discovery and EU law, at least from the U.S. courts’ perspective. Continue Reading Can the GDPR Tip the Scales in U.S. Discovery – <i>Finjan v. Zscaler</i>

Responding to a request by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE), the EU’s data protection supervisory bodies released an initial joint opinion on the impact of the U.S. Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) on the EU data protection framework.

The preliminary assessment by the European Data Protection Supervisor (“EDPS”) and European Data Protection Board (“EDPB”) leaves service providers facing a familiar dilemma.

Although the CLOUD Act now makes clear that U.S. disclosure orders have an extraterritorial reach, the EDPS and EDPB see very limited options for service providers to comply with such orders without breaching the EU’s General Data Protection Regulation (“GDPR”).

Companies will have to carefully consider whether to store data with service providers that may be subject to the Act.

Please click here to read the full alert memorandum.

In February of this year the German antitrust agency, the Federal Cartel Office (“FCO”), issued a decision against Facebook regarding their handling of user data. Please see our previous blog-post detailing the FCO’s arguments here

Facebook appealed and on August 26, 2019, the Düsseldorf Court of Appeal (“DCA”) in an interim decision granted suspensive effect to Facebook’s appeal against the FCO decision.

The DCA can order suspensive effect to an appeal if it has serious doubts whether the prohibition decision is legally valid.  Despite the preliminary character of the DCA’s decision, this could represents a significant setback for the FCO and have signaling effect beyond the German borders,. The DCA made certain important points on issues of law, which it will likely not revers during its main proceedings. Continue Reading German Court Divorces GDPR and Competition Law in Facebook Appeal