Canada-U.S. Blog

Trade Lawyers Cyndee Todgham Cherniak and Susan K. Ross

OFAC Brings the Hammer

Posted in Aerospace & Defence, Border Security, Controlled Goods Program, Cross-border deals, Cross-border trade, Export Controls & Economic Sanctions, Exports, Government Procurement, Trade Remedies

In March, there was a good deal of consternation in the general press trying to understand news that President Trump had overruled the actions of the Office of Foreign Assets Control (“OFAC”) to impose additional sanctions on North Korea. Besides the oddity of a President overruling actions by a part of the Executive branch after they had been taken, it remains a mystery what the President was seeking to overrule. Not being deterred, OFAC marched on, and in so doing it again provided multiple examples of how compliance programs need to be not just written, but also followed and enforced, and it cost at least one American company $1,869,144 plus significant compliance upgrade costs.

The President tweeted on March 22, 2019 that he was overruling OFAC’s actions, but no new sanctions had been announced, threatened or imposed. What OFAC did the day before was to issue an advisory, of which the Dept. of State and the Coast Guard were co-publishers, titled “Updated Guidance on Addressing North Korea’s Illicit Shipping Practices.”  In it, OFAC, State and the Coast Guard put “ship owners, managers and operators, brokers, flag registries, oil companies, port operators, shipping companies, classification service providers, insurance companies, and financial institutions” on notice to be cautious in their dealings with refined petroleum and coal. [The U.S. imposes comprehensive prohibitions on dealings with North Korea. The United Nations sanctions, by contrast, bar the importation and exportation of specific goods. For that reason, it would be wise for companies to review the full OFAC document, which can be found here: https://www.treasury.gov/resource-center/sanctions/Programs/Documents/dprk_vessel_advisory_03212019.pdf.] The advisory goes on to publish several lists of ships identified as engaging in prohibited ship-to-ship transfers, along with summarizing deceptive shipping practices and proposing risk mitigation measures.

The deceptive practices include those ship-to-ship transfers, but also disabling and manipulating automatic identification systems (“AIS”) [if this sounds familiar, you likely recall the plot line in Tomorrow Never Dies, the 1997 James Bond movie, in which a spoofed navigation signal (GPS in the film, since AIS did not yet exist) put a British Navy frigate in Chinese waters while its crew believed it was in international waters], physically altering vessel identifications, and falsifying cargo and vessel documentation. The risk mitigation measures identified include researching a ship’s history to identify regular AIS manipulation, monitoring for AIS manipulation and disablement, promoting continuous AIS broadcasts, conducting due diligence in the petroleum supply chain, researching prior ship-to-ship transfers, reviewing all applicable shipping documentation, maintaining clear communication with international partners and leveraging available resources.  These points will be of particular interest to insurance companies and financial institutions that do business with or are located in the U.S., and to American companies which find their goods on any of these ships.

Four days later, on March 25th, OFAC published a similar advisory. This one was entitled “Sanctions Risks Related to Petroleum Shipments involving Iran and Syria.” The advisory reminds those who “deliver or finance petroleum shipments to the Government of Syria or government-owned entities” about similar deceptive shipping practices. Again, a list of vessels was published. In this context, the prohibition relates to the “purchase, acquisition, sale, transport, or marketing of petroleum or petroleum products from Iran” or providing material support to certain Iran-related persons who are on existing government denied parties lists.  [Yes, according to OFAC, Iran is supplying Syria.]

The list of deceptive shipping practices mirrors, in large part, the list issued regarding North Korea: falsifying cargo and vessel documents, ship-to-ship transfers, disabling AIS and vessel name changes. Here, the first risk mitigation measure proposed is the strengthening of anti-money laundering and countering the financing of terrorism compliance. The same monitoring for AIS manipulation is mentioned, along with clear communications with international partners, insurance and leveraging available resources. The new factor in this advisory is know your customer, which is paired with review of shipping documents; both are discussed in some detail and focus on identifying and dealing with red flags.  As with the North Korean advisory, insurance companies and financial institutions that do business with or are located in the U.S., and American companies which find their goods on any of these ships, will be most interested.

Then, there is the sad but not unheard of tale of what befell Black & Decker, which was announced on March 27, 2019.  Black & Decker acquired a company in China which was selling to Iran.  Black & Decker filed a voluntary disclosure when it learned that, despite its compliance program and the training it provided, Chinese management had represented that it had ceased all sales to Iran but was actually taking affirmative steps to evade the U.S. sanctions on Iran. OFAC points out that Black & Decker, in its opinion, did “not implement procedures to monitor or audit [the Chinese subsidiary’s] operations to ensure that its Iran-related sales had in fact ceased or did not recur post-acquisition.”  Those transactions eventually came out, and OFAC hit the company with a hammer.

In the course of the investigation, OFAC found several instances where Chinese managers and supervisors took steps we have all seen when adequate follow-up is not pursued. For example, business partners were told not to state Iran or Iranian ports on any of the shipping documents; Chinese management continued to deal with buyers it knew were selling into Iran, often through UAE trading companies; invoices were issued to Iranian buyers; shipment documents indicated contact details for one consignee, but the goods were actually shipped to a third party; and falsified bills of lading were also mentioned. OFAC states that in total “23 shipments of power tools and spare parts, with a total value of $3,201,647.73” were shipped.

While there was no finding of fault, Black & Decker was hit with a $1,869,144 fine. There is a long list of commitments to which senior management had to agree, and which will be costly to implement, including that

  • The CEO and General Counsel affirm they are committed to supporting the company’s OFAC compliance program.
  • Compliance units are ensured adequate authority, autonomy and budget (including staffing and equipment).
  • The sanctions compliance program is reviewed and approved by senior management.
  • There is a “culture of compliance.”
  • The company demonstrates “recognition of the seriousness” of the violations, “acknowledge[s]” an understanding of the violations at issue, “commit[s] to implementing the necessary measures to avoid recurrence,” and no longer employs and will not employ, directly or indirectly, “the managers responsible for, and involved” in the violations in question.

The company is also obligated to conduct an OFAC risk assessment “in a manner, and with a frequency, that adequately accounts for potential risks.”  It also must develop a methodology to “identify, analyze, and address” the risks discovered. There are 8 points it must address and strengthen when it comes to internal controls, plus a section on testing and auditing, and another on training.  Black & Decker is further obligated to provide an interim report, signed by a senior manager, on the actions taken within 180 days, and annually thereafter for five (5) years.

For the full details about what the company must now do, please see the settlement agreement which can be found here – https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20190327_decker_settlement

There seems little doubt that Black & Decker was penalized to the degree it was because either its compliance program did not cover what happens after the program is written, or it did and those steps were not adequate or were not followed. Either way, this fine in particular serves as another reminder that trust but verify needs to be practiced internally as well as externally, and regularly!

CA Consumer Privacy Act Gets a Rewrite

Posted in Cybersecurity and Privacy

When the law was signed by then Governor Brown (see our prior Alert here), the expectation was that Attorney General Becerra would issue the enabling regulations by July of this year, which would allow a phase-in period. Then by January 1, 2020, the requirements would be clear and companies would be able to properly formulate and implement their compliance policies. Regretfully, things are not going as expected.

First, in accordance with the law, General Becerra organized a series of public meetings:

  • San Francisco – January 8, 2019
  • San Diego – January 14, 2019
  • Inland Empire/Riverside – January 24, 2019
  • Los Angeles – January 25, 2019
  • Sacramento – February 5, 2019
  • Fresno – February 13, 2019

In the same press release which announced these meetings, General Becerra advised the regulations would be adopted by July 1, 2020 and went on to remind businesses that they must comply with the key provisions of the CCPA by January 1, 2020:

  • Disclose data collection and sharing practices;
  • Consumers have a right to request their data be deleted;
  • Consumers have a right to opt out of the sale or sharing of their personal information; and
  • Businesses are prohibited from selling personal information of consumers under the age of 16 without explicit consent.

While the lack of regulations any sooner is something of a challenge for businesses, it was the introduction of SB 561 on February 22, 2019 that was the real surprise. The bill was introduced by Senator Jackson with the full support of General Becerra, so it is reasonable to think it will pass and be signed into law by the end of the current legislative session later this year.

The changes were described as follows:

  • This bill would expand a consumer’s rights to bring a civil action for damages to apply to other violations under the act.
  • This bill would remove the provision under which any business or third party may seek the Attorney General’s opinion on how to comply, and instead specify that the Attorney General may publish materials that provide businesses and others with general guidance on how to comply with the act.
  • This bill would remove the 30-day period in which a company may cure after receiving notice of an alleged violation.
  • The bill would also make related and conforming changes to those provisions.

These proposals are troubling for businesses in some obvious ways. We start with there being no definition in the law making clear who is a consumer. As such, the language must be read broadly to include anyone who resides in California. Next, the proposal is to amend Civil Code 1798.150 to read (the italicized language reflects the changes introduced):

(a) (1) Any consumer whose rights under this title are violated, or whose non-encrypted or non-redacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

(A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty dollars ($750) per consumer per incident or actual damages, whichever is greater. [emphasis added]

(B) Injunctive or declaratory relief.

(C) Any other relief the court deems proper.

In other words, the plaintiff’s bar will be able to bring class action lawsuits whether or not actual damages were suffered. With the number and size of the breaches which have been reported in recent memory, one understands the frustration with data aggregators being subject to limited liability. But the solution then is to make clear that not all companies fall within the definition of data aggregators; starting with a revenue threshold sweeps in too many entities whose business has nothing to do with the buying, selling or sharing of consumer data.

SB 561 removes requirements that the Attorney General provide, at taxpayers’ expense, businesses and private parties with individual legal counsel regarding CCPA compliance, removes language that allows companies a “free pass” to cure CCPA violations before enforcement may occur, and adds a private right of action, allowing consumers the opportunity to seek legal remedies for themselves under the act.

In short, companies that do not comply could find themselves with serious damages due to consumers, but also to the State of California (see CC 1798.155). On the one hand, that may not be a bad thing if your business is that of being a data aggregator and you are among the group of companies that have been involved with the massive data breaches which have been reported in recent memory. However, not all companies are data aggregators and so why not narrow the definition of companies that are covered by the CCPA? As it stands right now, companies of just about any size, regardless of industry, are subject to the CCPA:

  1. Annual gross revenues in excess of $25 million;
  2. Companies which alone or in conjunction with others annually buy, sell, receive or share for commercial purposes, the personal information of 50,000 or more consumers, households, or devices; or
  3. Companies which derive 50% or more of their annual revenues from selling consumer personal information.

The law states that a company is subject to the CCPA if it “satisfies one or more of the [above] thresholds.” So, that means any company whose gross revenues are in excess of $25 million, regardless of whether they are a data aggregator, is subject to the requirements of the CCPA.

Then we get to what “receive” means. For example, does data the company receives about the spouse or children of an employee qualify as consumer data? Does the company “share” that data if it gives the data to the company’s health insurance carrier or pension fund with the employee’s permission? Is doing so a “commercial purpose”? Hopefully the regulations which are yet to be written will answer some of these critical questions, but in the meantime, companies would be wise to get ready for January 1, 2020.

As with preparation for the European General Data Protection Regulation, companies should start by answering the following questions:

  • What consumer data do we collect?
  • From whom/what sources?
  • Where do we keep that data?
  • Who has access to it?
  • What do we do with it?
  • How long do we keep it?
  • What should be deleted?
  • What do we do with any databases that are not directly related to our core business (e.g. marketing)?

As part of the process, companies will want to form a Project Team. In doing so, some of the key points for it to address are:

  • Governance Committee
    • Who governs the project team?
    • As to the team itself –
      • Who is on it?
      • Who leads it?
      • What is its budget?
    • Inventory
      • Data we own and process
      • How we gain consent
      • What is our legitimate interest in that data
      • How we store and manage data
  • Centralized systems with proper controls in place
    • Right to be forgotten
    • Record of Processing Activities
    • Become and remain compliant!

Companies will also want to

  • Establish a written policy
  • Train employees
  • Create methods for consumers to assert their rights
  • Execute vendor contracts containing specific criteria

There is still time – will you be ready?

CA IoT Law: Devices at Risk?

Posted in Cybersecurity and Privacy, Intellectual Property, Trade Agreeements

In the last week, both the Dept. of Homeland Security and the Food and Drug Administration have issued a consumer alert about the potential hacking risk regarding cardiac devices, specifically because the wireless telemetry protocol those devices use has no encryption or authentication. The devices in question are implantable cardiac devices, clinic programmers and home monitors which are used to regulate one’s heart rate – to speed it up or slow it down, as needed. The focus this time is on the Medtronic Conexus Radio Frequency Telemetry Protocol. Given this latest notice, one has to wonder what will be the impact of the California IoT law?

What both federal agencies had to say is that an attacker within short radio range can interfere with, generate, modify or intercept the protocol’s communications. Such an attacker can also read or write any valid memory location on the implanted device and, therefore, affect its intended functionality.

Between them, the agencies recommended the following mitigation steps:

  • Maintain good physical control over home monitors and programmers;
  • Use only home monitors, programmers and implantable devices obtained directly from your healthcare provider or a Medtronic representative;
  • Do not connect unapproved devices to home monitors and programmers through USB ports or otherwise;
  • Only use programmers to connect and interact with implanted devices in physically controlled hospital and office environments;
  • Only use home monitors in private environments such as a home, apartment, or otherwise physically controlled environment;
  • Report any concerning behavior;
  • Restrict access to authorized personnel only and follow a least-privilege approach;
  • Apply defense-in-depth strategies; and
  • Disable unnecessary accounts and services.

Last October, the FDA itself issued updated cybersecurity recommendations to makers of medical devices, such as pacemakers.  Specifically, those companies should look at “FDA In Brief: FDA proposes updated cybersecurity recommendations to help ensure device manufacturers are adequately addressing evolving cybersecurity threats,” which can be found here: https://www.fda.gov/NewsEvents/Newsroom/FDAInBrief/ucm623624.htm. Medical device manufacturers should also consult the FDA’s premarket notification, or 510(k), filing recommendations: https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM623529.pdf.

The CA IoT law takes effect on January 1, 2020 and requires a manufacturer of a “connected device” to equip that device with reasonable security features. Exactly what the CA IoT law requires is set out at Civil Code 1798.91.04:

(a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features that are all of the following:

(1) Appropriate to the nature and function of the device.

(2) Appropriate to the information it may collect, contain, or transmit.

(3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

(b) Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:

(1) The preprogrammed password is unique to each device manufactured.

(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

The relevant definitions are found at Civil Code 1798.91.05:

  • “Authentication” means a method of verifying the authority of a user, process, or device to access resources in an information system.
  • “Connected device” means any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.
  • “Manufacturer” means the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the person’s behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device.
  • “Security feature” means a feature of a device designed to provide security for that device.
  • “Unauthorized access, destruction, use, modification, or disclosure” means access, destruction, use, modification, or disclosure that is not authorized by the consumer.

There is no duty of compliance on the manufacturer if the user chooses to install third party software or applications, or on any party which provides an electronic store, gateway, marketplace or other means of purchasing or downloading software or applications. Nor does the law require a manufacturer to prevent a user from having full control over the device, including the ability to modify the software or firmware running on it at the user’s discretion. Similarly excluded are any devices subject to the law, regulations or guidance of any federal regulatory agency. No private right of action is created, law enforcement remains able to obtain related data pursuant to an appropriate request, and any entity subject to HIPAA is not subject to this law to the extent the relevant activity is regulated under HIPAA or the Confidentiality of Medical Information Act (CA HIPAA).
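Subdivision (b) of Civil Code 1798.91.04 is specific enough to show in code. The following is an added illustration, not code from this post, the statute or any device vendor: it models a device’s credential store and puts the shared-factory-default pattern the statute was written to end next to the two designs the statute deems reasonable, a password preprogrammed uniquely per device ((b)(1)) and a device that grants no access until the user generates a credential ((b)(2)). The `Device` class, the serial numbers, the PBKDF2 round count and the 12-character minimum length are assumptions made for the example; the statute itself sets no password-strength floor.

```python
# Added illustration of Cal. Civ. Code 1798.91.04(b); not code from any vendor.
# Device, serial numbers, PBKDF2 rounds and the length floor are assumptions.
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # assumption: a demo value; tune for the real hardware


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so the device never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Credential:
    salt: bytes
    digest: bytes

    @classmethod
    def from_password(cls, password: str) -> "Credential":
        salt = os.urandom(16)
        return cls(salt, _digest(password, salt))

    def verify(self, password: str) -> bool:
        # constant-time compare so timing does not leak how many bytes matched
        return hmac.compare_digest(self.digest, _digest(password, self.salt))


@dataclass
class Device:
    """Minimal model of a device's credential store. `credential is None` means
    no means of authentication has been generated yet (the (b)(2) path)."""
    serial: str
    credential: Optional[Credential]

    def login(self, password: str) -> str:
        """Returns 'granted', 'denied' or 'setup_required'."""
        if self.credential is None:
            return "setup_required"  # (b)(2): no access until the user creates one
        return "granted" if self.credential.verify(password) else "denied"

    def set_credential(self, new_password: str, current_password: Optional[str] = None) -> bool:
        """First-time setup needs no current password; later changes do."""
        if self.credential is not None:
            if current_password is None or not self.credential.verify(current_password):
                return False
        if len(new_password) < 12:  # assumption: a floor the statute does not set
            return False
        self.credential = Credential.from_password(new_password)
        return True


# --- three factory provisioning policies --------------------------------------

SHARED_DEFAULT = "admin"  # the pattern the statute targets: identical on every unit


def provision_shared_default(serial: str) -> Tuple[Device, str]:
    """Weak: every device leaves the factory with the same password."""
    return Device(serial, Credential.from_password(SHARED_DEFAULT)), SHARED_DEFAULT


def provision_unique_password(serial: str) -> Tuple[Device, str]:
    """(b)(1): a preprogrammed password unique to each device. The cleartext is
    returned exactly once so it can be printed on that unit's label."""
    label_password = secrets.token_urlsafe(12)  # ~96 bits from the OS CSPRNG
    return Device(serial, Credential.from_password(label_password)), label_password


def provision_setup_on_first_use(serial: str) -> Device:
    """(b)(2): no credential exists until the user generates one."""
    return Device(serial, None)


def fleet_passwords_unique(label_passwords: List[str]) -> bool:
    """Factory QA check: a batch satisfies (b)(1) only if no two units share a password."""
    return len(set(label_passwords)) == len(label_passwords)


if __name__ == "__main__":
    shared = [provision_shared_default(f"SN-{i:04d}")[1] for i in range(3)]
    unique = [provision_unique_password(f"SN-{i:04d}")[1] for i in range(3)]
    print("shared-default batch unique?", fleet_passwords_unique(shared))  # False
    print("per-device batch unique?   ", fleet_passwords_unique(unique))   # True
    fresh = provision_setup_on_first_use("SN-9999")
    print("first contact:", fresh.login("anything"))  # setup_required
```

The point of `fleet_passwords_unique` is that (b)(1) is a property of the whole production run, not of one unit, so it belongs in factory QA rather than in the firmware. The (b)(2) device is the simpler design to get right: there is no label secret to leak, and `login` cannot return `granted` until `set_credential` has run.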

While medical devices come to mind quickly as covered devices given the very recent notice to consumers by DHS and FDA, these requirements will also apply to Amazon’s Echo©, Google’s Home©, and Ring© doorbell. One can quickly see how any device which can be connected to the Internet is covered, such as your refrigerator, coffee pot and any other connected device a consumer would want shielded from disclosure.   What about the security system on your home?

For consumers, the question is how many such devices do you have at home? When was the last time you changed any of their passwords? Do any of these devices even have passwords?  All too often, a major hack which results in data being stolen occurs because cyber criminals are able to get into their target’s computer system by piggybacking off of third party access. Do you want your office coffee pot to be the weak link that lets the bad guys get access to your company’s trade secrets?  Do you want your home router or computer to become one of a string of such devices that cyber criminals use to launch a Distributed-Denial-of-Service attack? How about if someone could hack into your home webcam or digital video recorder and start saying “bad” things to your children or pets, or spy on you or your guests! Do you really want everyone to know who you date/see or where you worship? These are all too real possibilities without strong password and encryption protection.

As with the California Consumer Privacy Act, the CA IoT law is the first of its kind at the state level. It seems reasonable to think that manufacturers will find it more convenient and cost-effective to make all of their devices with these means of security, which would result in both laws setting a national standard without there being any federal law on the books!

Whither Goeth Government Contracting?

Posted in Aerospace & Defence, Border Security, Corporate Counsel, Criminal Law, Cross-border deals, Cross-border trade, Export Controls & Economic Sanctions, Government Procurement, Legal Developments

Originally published by the Journal of Commerce in March 2019

On the trade with China front this week, the news is that Huawei Technologies Co. of China sued the U.S. government regarding provisions in the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (“NDAA”).  The timing of the lawsuit is drawing interest, as is its very existence in the face of the other legal actions involving the company and its executives. The basis for the lawsuit is Section 889, which bars the purchase of Huawei and ZTE technology. The relevant provision reads:

(a)(1) The head of an executive agency may not— (A) procure or obtain or extend or renew a contract to procure or obtain any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system; or [emphasis added]

(B) enter into a contract (or extend or renew a contract) with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.

(f)(3) The term “covered telecommunications equipment or services” means any of the following: [emphasis added]

(A) Telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation (or any subsidiary or affiliate of such entities).

(B) For the purpose of public safety, security of government facilities, physical security surveillance of critical infrastructure, and other national security purposes, video surveillance and telecommunications equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of such entities).

The definition also extends to any telecommunications or video surveillance services provided by these entities or using such equipment, along with similar equipment from an entity that the Secretary of Defense, the Director of National Intelligence and/or the Director of the Federal Bureau of Investigation together reasonably believe to be an entity owned or controlled by, or otherwise connected to, the government of a covered foreign country.

The outright prohibition in Section 889 takes effect one year from date of enactment with certain contract provisions taking effect in the second year.  A waiver provision is included.  The language of the law also calls out the following federal entities: Federal Communications Commission, Department of Agriculture, Department of Homeland Security, Small Business Administration, and Department of Commerce which are to “prioritize available funding and technical support” to assist organizations to obtain replacement equipment and services in a way that ensures communications continue.

As the general press has noted, Huawei filed suit in the Eastern District of Texas, where its American company is headquartered. The basis of the lawsuit is the claim that Section 889 violates the U.S. Constitution and bars Huawei and (as the complaint puts it) one other entity from doing business with the U.S. government, with no opportunity for Huawei to defend against the claims made against it or what will be deemed its affiliates and subsidiaries. Of course, Huawei’s concern is that it is being blacklisted at a time when decisions are being made about the next generation of telecommunications equipment, called 5G.

It is equally important to keep in mind there are two other provisions in the NDAA which are drawing attention – 1654 and 1655.

Section 1654 deals with “Identification of Countries of Concern Regarding Cybersecurity” and requires, within 180 days of enactment, the creation by the Secretary of Defense of a list of countries that pose a cybersecurity risk to the U.S. defense and national security systems and infrastructure.  The list is to reflect the level of threat posed by each country, and the following factors are to be considered:

(1) A foreign government’s activities that pose force protection or cybersecurity risk to the personnel, financial systems, critical infrastructure, or information systems of the United States or coalition forces.

(2) A foreign government’s willingness and record of providing financing, logistics, training or intelligence to other persons, countries or entities posing a force protection or cybersecurity risk to the personnel, financial systems, critical infrastructure, or information systems of the United States or coalition forces.

(3) A foreign government’s engagement in foreign intelligence activities against the United States for the purpose of undermining United States national security.

(4) A foreign government’s knowing participation in transnational organized crime or criminal activity.

(5) A foreign government’s cyber activities and operations to affect the supply chain of the United States Government.

(6) A foreign government’s use of cyber means to unlawfully or inappropriately obtain intellectual property from the United States Government or United States persons.

(b) Updates.—The Secretary shall continuously update and maintain the list under subsection (a) to preempt obsolescence.

(c) Report to Congress.—Not later than one year after the date of the enactment of this Act, the Secretary shall submit to the appropriate committees of Congress the list created pursuant to subsection (a) and any accompanying analysis that contributed to the creation of the list.

Section 1655 addresses “Mitigation of Risks to National Security Posed by Providers of Information Technology Products and Services Who Have Obligations to Foreign Governments.” It calls for the Department of Defense not to use any product, service, or system relating to information or operational technology, cybersecurity, an industrial control system, or a weapons system unless the supplier discloses to the Secretary of Defense whether, within the prior five years or at any time after enactment, any of the following has occurred:

(1) A foreign government has been permitted to review the code of a non-commercial product, system, or service developed for the Department, or whether there is any obligation to allow a foreign person or government to review the code as a condition of entering into an agreement for sale or other transaction with a foreign government or with a foreign person on behalf of such a government.

(2) The person allowed a foreign government (see Section 1654) to review the source code of a product, system, or service that the Department is using or intends to use, or is obligated to allow a foreign person or government to review the source code as a condition of entering into an agreement for sale or other transaction with a foreign government or with a foreign person on behalf of such a government.

(3) Without any time limit, whether or not the person holds or has sought a license pursuant to the Export Administration Regulations under subchapter C of chapter VII of title 15, Code of Federal Regulations, the International Traffic in Arms Regulations under subchapter M of chapter I of title 22, Code of Federal Regulations, or successor regulations, for information technology products, components, software, or services that contain code custom-developed for the non-commercial product, system, or service the Department is using or intends to use.

The law also includes provisions for the establishment of a registry containing the information disclosed pursuant to 1655(a) and a means to make that information available to agencies conducting procurement. A report on at least a yearly basis is also mandated, along with a disclosure process and the use of the information disclosed for national security actions, as warranted.

The actions by Huawei are seen as an attempt to change the dynamics of the case pending against it and its CFO, Meng Wanzhou. She, of course, continues to face extradition proceedings in Canada arising out of the criminal indictment of Huawei for conducting business through American banking channels by way of processes designed to mask its sales to Iran, in violation of U.S. economic sanctions law.

Why Are My Goods Being Inspected?

Posted in Aerospace & Defence, Agriculture, Antidumping, Corporate Counsel, Criminal Law, Cross-border deals, Cross-border trade, Customs Law, Export Controls & Economic Sanctions, Exports, Government Procurement, Imports Restrictions, Legal Developments, tariffs, Trade Agreeements, Trade Remedies

Originally published by the Journal of Commerce in February 2019

Of all the questions asked of trade attorneys, this is likely the most frequent one. The answer is partly a study in current events, but it is also much more complex. Let’s start at the obvious beginning point. Customs and Border Protection (“CBP”) receives advance information about shipments arriving in the U.S. Whatever the required data is (it differs a bit by mode of transportation and by whether the de minimis rule applies), it is reported to CBP electronically and routed to the targeting center, aka the Commercial Targeting and Analysis Center (CTAC). In addition to CBP, 11 partner agencies have staff stationed at the CTAC with the goal of coordinating their targeting through a variety of means, including intelligence sharing. The public list of agencies is:

  • Alcohol and Tobacco Tax and Trade Bureau (TTB)
  • Animal Plant Health Inspection Service (APHIS)
  • Consumer Product Safety Commission (CPSC)
  • Environmental Protection Agency (EPA)
  • Fish and Wildlife Service (FWS)
  • Food and Drug Administration (FDA)
  • Food Safety and Inspection Service (FSIS)
  • Immigration and Customs Enforcement (ICE)
  • National Highway Traffic Safety Administration (NHTSA)
  • National Marine Fisheries Service (NMFS)
  • Pipeline and Hazardous Materials Safety Administration (PHMSA)

CBP is also a member of the Border Interagency Executive Committee or BIEC. Whereas CTAC was set up post-9/11, BIEC was established in 2014 with the twin goals of the completion and government-wide utilization of the International Trade Data System by year end 2016, and the establishment of a two-tiered governance structure to manage implementation. The BIEC mission statement now reads: “The BIEC serves as an Executive Advisory Board charged with assisting federal agencies in their efforts to enhance coordination across customs, transport security, health and safety, sanitary, conservation, trade, and phytosanitary agencies with border management authorities and responsibilities to measurably improve supply chain processes and the identification of illicit and non-compliant shipments.”

BIEC participants represent the Departments of Agriculture, Commerce, Health and Human Services, Interior, Treasury, Transportation,  EPA, CPSC and the Federal Communications Commission, along with FSIS, AMS and the parts of APHIS dealing with Animal Care, Veterinary Services, Biotech’s Regulatory Services, the Lacey Act and Plant Protection & Quarantine (PPQ).

Bearing in mind the many law enforcement and intelligence agencies which form key parts of the U.S. government, there is no doubt that intelligence sharing occurs and that what is shared is used to update risk factors, including for purposes of identifying terrorism and other national security threats.

Taking the information at hand, CBP publishes what it calls the Priority Trade Issues. These are the major issues on which CBP focuses year over year. The current list has remained unchanged for quite a while:

  • Agriculture and Quota
  • Antidumping and Countervailing Duty
  • Import Safety
  • Intellectual Property Rights
  • Revenue
  • Textiles/Wearing Apparel, and
  • Trade Agreements

To experienced American importers, none of these topics is a surprise. Every one of them carries some level of complexity that stands out from the many “routine” shipments.  It may be due to food or consumer safety concerns, evidence of widespread violations (such as seizure rates or audit results regarding inability to support free trade agreement claims), high rates of duty (textiles, antidumping and countervailing duties) or failing to pay the right duty amount due to misclassification, all of which ratchet up enforcement efforts and so increase inspections.

While perhaps not surprising, given current events, now comes a chilling reminder of how fragile the supply chain is. The 2019 National Intelligence Strategy (NIS) report was issued last month. It specifically calls out the threats posed by “Russian efforts to increase its influence and authority…” and the “Chinese military modernization and continued pursuit of economic and territorial predominance in the Pacific region…” There is also a discussion about the threats related to weapons of mass destruction, including biological, chemical and nuclear weapons. Of course, much of the discussion is about the seriousness of the cybersecurity threat, but the theft of trade secrets is equally concerning. While the U.S. intelligence community does not generally warn industry when a threat is uncovered, due to policies which do not permit distinctions between business competitors, there are a couple of public-private partnerships which can be helpful (the FBI’s Infragard and the Secret Service’s Electronic Crimes Task Force). The democratization of space by way of the development of anti-satellite weapons is also described in the NIS report. The growth of non-state actors and individual dictators who wish the U.S. ill is also discussed.

Why mention any of this? Because on page 14 of the report is a reference to “supply chain exploitation.” While only the one mention of the supply chain appears, it should remind all of us that there are things going on in the world far beyond what we do in our daily lives that have a very direct impact on our businesses. Frankly, this really is just a reminder. You need look no further for an example than last July, when OFAC published guidelines dealing with the bar on the use of North Korean labor and inputs. A more subtle reminder comes for some companies when overseas funds being received as payment for goods which were sold are seized by the U.S. government as proceeds of money laundering. Not run into this one? It happens when the U.S. has evidence the foreign buyer or third party making payment is engaged in money laundering (even though you sold them legitimate goods and had no idea they were crooks), and so you do not get paid and do not get your goods back!

If you are a C-TPAT (Customs-Trade Partnership Against Terrorism) partner, you presumably have a pretty good idea where the risks in your supply chain are, but things change. Obviously, keeping up with those changes will help manage your supply chain risks, so you presumably can sort out the nature of your risks. If you have a recent violation, you should not be surprised if CBP inspects subsequent shipments. Where one violation is found, others are suspected. CBP has to make sure one way or the other.

While the discussion has focused on imports to this point, CBP targets export shipments as well, usually for export license and intellectual property reasons. To exporters of licensed goods, the inclusion of WMD was totally predictable.

If you start wondering why your goods are inspected, it could be routine, but think first about which CBP priority industry you fall into, where your goods were sourced (did you usually source from China and are now sourcing from Vietnam? did you recently change the classification of your imported goods? are your goods from China and on a 301 list?). Hopefully a bit of thought will lead to an obvious answer as to why the goods are being inspected. If you are still not sure, your trade attorney should be able to give you an educated guess.

Website Accessibility – Americans with Disabilities Act Impact

Posted in Corporate Counsel, Cross-border deals, Cybersecurity and Privacy

Background

Title III of the Americans with Disabilities Act (“ADA”) mandates that public accommodation must be provided to disabled persons to allow for the “full and equal enjoyment” of the related privileges, goods, services, advantages and accommodations as those provided to able-bodied persons. The owner of any business is responsible for making sure those accommodations are made with “reasonable modification.” The ADA makes it very clear that a business that does not provide for that accommodation is engaging in unlawful discrimination. See 42 U.S.C. section 12182(b)(2)(A)(iii).

The statute provides for various examples of where public accommodations must be provided, including locations such as an inn, a restaurant, a theater, an auditorium, a bakery, a laundromat, a depot, a museum, a zoo, a nursery, a day care center, and a gymnasium.  Noticeably absent from that list are websites. That’s because websites did not exist at the time the statute was passed, and Congress has not expressly addressed the issue in the interim.

Over the last twenty years, the Courts have weighed in, with conflicting perspectives, on the topic of website accommodation and how the statute can or should be interpreted for this purpose:

  • The Ninth Circuit Court of Appeals (the court with jurisdiction over California and other parts of the Western states) takes the position, based on the examples provided by the statute, that public accommodation refers to a “physical space.” See Weyer v. Twentieth Century Fox Film Corp., 198 F.3d 1104, 2000 WL 1643 (9th Cir. 2000). Under that interpretation, websites per se would not qualify as places of public accommodation.
  • A leading case discussing this issue is National Federation of the Blind v. Target, 582 F. Supp. 2d 1185 (N.D. Cal. 2007). There the court held that website non-accessibility for disabled persons may give rise to a claim if there is a sufficient “nexus” between the website and the goods and services of a place of public accommodation.

There have been a number of cases since then that address this topic, mostly in a manner adverse to website owners. Some of these cases, adjudicated in other parts of the country, have decided that websites are public accommodations. See, for example, Castillo v. Jo-Ann Stores, 2018 U.S. Dist. LEXIS 23020, 2018 WL 838771 (N.D. Ohio 2018).

What Has Changed?

The most recent case from the Ninth Circuit Court addressing this subject is Robles v. Domino’s Pizza, Inc., 2019 WL 190134, decided on January 15, 2019. There, the court reaffirmed the rule adopted by “the many district courts that have confronted this issue[;]” i.e., that the ADA applies to websites and mobile apps that connect customers to the goods and services of restaurants and other places of public accommodation.

The Department of Justice (DOJ), which is charged with enforcement of Title III of the ADA, was moving toward incorporating the website accessibility guidelines established in WCAG 2.0 AA (which can be found here: http://www.w3.org/WAI/standards-guidelines/wcag/) during the Obama administration. However, the Trump administration has put this on hold. So, for now, we are left in a sea of uncertainty, to be guided by court-decided law, of which there is little. However, one should not assume the absence of DOJ-promulgated regulations or other guidelines will provide a “due process” defense to claims that a website connected to a place of public accommodation fails to comply with accessibility requirements under the ADA. See Robles v. Domino’s Pizza, Inc., supra (due process argument based on DOJ’s withdrawal of regulations regarding website accessibility for disabled individuals rejected by the court: “[w]hile we understand why Domino’s wants DOJ to issue specific guidelines for website and app accessibility, the Constitution only requires that Domino’s receive fair notice of its legal duties, not a blueprint for compliance with its statutory obligations.”)

A court could look to WCAG 2.0 AA for guidance to decide website accessibility issues; but there still must be sufficient nexus between the website and a physical place of public accommodation for the ADA to apply. Assuming a sufficient nexus is established, the question of website accessibility is an easier one to address where the disability in question is sight.  There is software that can read text and translate it into audio, provided the visual content on the website has embedded code permitting the software to perform the audio translation.  With the use of a braille keyboard, a blind person could navigate through the website with this type of software.  Whether this is a “reasonable modification” of “policies, practices and procedures” will probably turn on the expense, the resources of the defendant, the intended users/audience, and any other relevant facts which are typically case specific.

In contrast to Title III, to this point, there do not appear to be any cases discussing website accessibility in connection with employer obligations under Title I which deals with employment discrimination against individuals with disabilities.  Unlike Title III, Title I is enforced by the EEOC or Equal Employment Opportunity Commission.

Employment Related Issues

Title I prohibits employers from discriminating against “qualified individuals with a disability” in connection with hiring, firing, promotions, compensation, training, job application procedures and other terms and conditions of employment. Title I defines a “qualified individual with a disability” as someone who, with or without a reasonable accommodation, is able to perform the essential functions of the job he/she is seeking or performing.

Employers under Title I must engage in the interactive process to explore whether “reasonable accommodations” exist to address the work limitations presented by the individual’s disability. The employer must take these reasonable affirmative steps to accommodate a disabled person only if asked, or if the person has a known disability that affects the individual’s ability to perform essential job functions. The employer need not provide the most reasonable accommodation, nor the one requested or preferred by the individual. The obligation is only to provide or offer a “reasonable accommodation.”

In the last Congress, the House passed a bill, the ADA Education and Reform Act of 2017 (H.R. 620), which sought to curb lawsuits brought by “serial plaintiffs” alleging barriers to access to public accommodations, and the burden they place on business. Although not specifically aimed at a particular type of ADA lawsuit, it was hoped the reforms contained in this bill would provide relief from the explosion of website accessibility lawsuits filed over the past few years.

How Do You Prepare?

The Act would impose certain preconditions before a lawsuit could be filed. For example, a potential plaintiff would have to provide written notice to a business owner of an alleged accessibility barrier and permit the opportunity to respond in writing about how the barrier may be addressed. The business would then have four months to demonstrate a willingness to correct a purported ADA violation. Only if the business owner does not remove the barrier, or does not demonstrate substantial progress in removing the barrier, would the individual be permitted to sue. No comparable bill has so far been introduced in this session of Congress, but it is still early in the legislative calendar. In the meantime, those owning and operating physical locations which provide public accommodations will have to decide for themselves how best to deal with the large number of lawsuits regarding website accessibility facing those providing goods and services to the public.

No Further Shutdown – Hooray!!!! List 3 Exclusion Process Coming – Hip, Hip Hooray !!!

Posted in Aerospace & Defence, Agriculture, Border Security, Corporate Counsel, Cross-border deals, Cross-border trade, Customs Law, Exports, Government Procurement, Imports Restrictions, Legal Developments, tariffs

The Consolidated Appropriations Act of 2019 was signed into law on Friday, February 15, 2019, so the potential for another shutdown was averted, but there was a hidden gem buried in a related document. This new law contains a specific appropriation for the U.S. Trade Representative’s office which reads: “For necessary expenses of the Office of the United States Trade Representative, … $53,000,000, …”

Of particular interest to international traders is an interpretive statement which explains the content of the funding bill in more detail (all 218 pages, as opposed to the 465 page length of the actual bill). It is entitled:  “EXPLANATORY STATEMENT SUBMITTED BY MRS. LOWEY, CHAIRWOMAN OF THE HOUSE COMMITTEE ON APPROPRIATIONS REGARDING H.J. RES. 3.”

It refers to the “$53,000,000 for … USTR,” but – here comes the hidden gem –

Section 301 Exclusion Process.-USTR has finalized tariffs on goods from China under Section 301 of the Trade Act of 1974 in three separate rounds, and provided an exclusion process that allows U.S. businesses to obtain relief from the Section 301 tariffs for goods subject to tariffs in rounds 1 and 2. It is concerning that there is no exclusion process for goods subject to tariffs in round 3 of the Section 301 proceedings, as was done in the first two rounds. USTR shall establish an exclusion process for tariffs imposed on goods subject to Section 301 tariffs in round 3. This process should be initiated no later than 30 days after the enactment of this Act, following the same procedures as those in rounds 1 and 2, allowing stakeholders to request that particular products classified within a tariff subheading subject to new round 3 tariffs be excluded from the Section 301 tariffs. USTR shall consult with the Committees on Appropriations, the House Committee on Ways and Means, and the Senate Committee on Finance regarding the nature and timing of the exclusion process. USTR shall also report to such committees no later than 30 days after enactment of this Act on the status of the exclusion process. [emphasis added]

March 17, 2019 (a Sunday) is 30 days out, so now we wait to see how USTR responds. When will we know anything more? What can we expect to see published in the Federal Register or elsewhere that explains the status of any List 3 exclusion process? When might the List 3 exclusion process open? How will it work? Will it be different from the process to seek exclusion for the products on Lists 1 and 2? These are all critical questions needing answers, and there are many others, including whether enough additional funding has been provided so as to allow USTR to more quickly move exclusion requests through the process to decision and publication.

Given the extent of the rumors circulating around the still pending List 1 and List 2 exclusion requests, including those lamenting the possibility that no action will be taken on any pending requests beyond those approved in December 2018, the exclusion process remains a troubling situation which builds off of growing displeasure with the intent to use tariffs as a tool of trade policy. However, at this moment, the most worrying topic is whether the rate on the List 3 goods will increase to 25% on March 1st.

Happy New Year – Now Let’s Get Back to Business!

Posted in Aerospace & Defence, Controlled Goods Program, Corporate Counsel, Cross-border deals, Cryptocurrencies, Customs Law, Export Controls & Economic Sanctions, Exports, Imports Restrictions, Legal Developments, tariffs, Trade Agreeements, Trade Remedies

Originally published by the Journal of Commerce in January 2019

One of the topics that consistently makes the top 5 in just about every survey of issues of concern to companies is the cost of regulatory compliance. This is true in large measure because the complexity of the issues covered by those regulations keeps increasing and the cost of compliance moves in the same upward direction.

In looking forward into the new year, looking back is instructive as well to identify at least one consistent theme when it comes to enforcement actions – the quality of the company’s compliance program, which includes the clarity of that compliance program and also the quality of the training given to staff, but then there is also the what were you thinking factor !!!!

In 2015, PayPal paid $7.65 million to settle a series of Office of Foreign Assets Control or OFAC violations. As many will recall, PayPal had screening software in place. Whether it worked as intended or not, what came through loud and clear in the settlement agreement was regardless of how well the software worked, the staff was not properly trained.

OFAC described the situation up to 2013 as one where the company did “not appear to have implemented effective compliance procedures and processes to identify, interdict, and prevent transactions” violating various OFAC sanctions programs. For many, the saga was an old one. The system gave alerts, the staff did not understand the reason for the alerts, and initially ignored them. When there were enough of them, corrective action was taken, but it was insufficient. Eventually, PayPal realized how non-compliant were its operations and took serious remedial action. That action included a voluntary self-disclosure which acknowledged:

A) 98 violations of the Cuba sanctions, involving goods worth $19,344.89;

B) 25 violations of one set of Iran sanctions, goods worth $2,109.82;

C) 100 violations of a different set of Iran sanctions, goods worth $6,147.84;

D) 33 violations of the Sudan sanctions, goods worth $3,314.43;

E) 94 violations of the terrorism sanctions, goods worth $5,925.27; and

F) 136 violations of the weapons of mass destruction sanctions, goods worth $7,091.77.

Perhaps equally devastating to PayPal’s circumstances was that the violations occurred over a 9 year period! As noted, eventually PayPal resolved the matter by paying a hefty fine, but it was also required, within 6 months of settlement, to make a presentation to OFAC establishing that it had put effective internal controls in place so the problems did not continue.

Looking further back in time and focused on cybersecurity, there is the Target breach case. Readers will remember the Target system was hacked using stolen credentials. The first successful intrusion occurred on November 15, 2013; subsequent intrusions occurred, triggering alerts which were not understood or timely acted upon. Target ended up paying $10 million to settle the class action lawsuit, $16.7 million to settle the payment processor/credit card companies litigation, and another $18.5 million to settle claims brought by State Attorneys General. Target also reportedly spent more than $100 million to upgrade its system. This all occurred because the internal controls in place were neither precise, tested nor upgraded over time. Some alerts were not understood or timely acted upon and others were ignored, certain functionality had been turned off, the system did not work on a need-to-have-access basis, and worst of all, the corporate IT staff (located locally and in a third country) did not communicate well among themselves or timely agree upon the seriousness of the situation and the first steps to be taken to minimize the damage.

One can look as well at the Equifax data breach case, where the hackers had 76 days to exfiltrate data! That hack was successful because a device meant to assist with detection was misconfigured and a digital certificate had expired. It also did not help that Equifax took approximately six (6) weeks to publicly announce the breach.

Then there is the Uber 2017 breach. Uber paid $148 million to various States to settle litigation. A 2014 breach was reported, but with the 2016 breach, Uber sought to conceal it. Uber settled with the Federal Trade Commission, which found the Uber system lacked unique access credentials, failed to limit access to a need-to-know basis, failed to employ multi-factor authentication, and failed to store data in the cloud encrypted. The FTC settlement terms are numerous, but perhaps most notable is the requirement for Uber to issue a yearly compliance report under penalty of perjury.

What the Equifax and Uber cases tell us is that it is not enough to have a set of internal controls. First, you have to put them in place, then make sure everyone is adequately trained on those procedures. Then you implement them, and then you test them. In reality this is a circular situation. The internal controls should be regularly updated and improved, and so should the training.

All that having been said, there is also the what were you thinking factor. And we have a very recent example of that. Zoltek Corporation and its affiliates settled a case with OFAC at the end of 2018. The company paid $7,772,102, which could have been avoided if only the right questions had been asked of the right people at the right time. The settlement agreement itself can be found at: https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20181220_zoltek_settlement.pdf and is worth reading. What you find is that American management was repeatedly made aware a supplier was listed on a denied parties list associated with the Belarus sanctions. Despite repeated email exchanges and discussions among executives within the firm, Zoltek kept doing business with the sanctioned entity, going so far at one point as to pivot the business to a third party trading company. To his credit, at least one executive questioned whether the trading company was a sham, but the transactions continued. This saga starts when the Belarus oil and chemical entity was put on the sanctions list in November 2007. This listing invoked OFAC’s 50% rule for that supplier, i.e., any entity (the supplier) owned 50% or more by a sanctioned party (the Belarus oil and chemical company) is itself sanctioned. Several years later, the supplier was itself designated as a sanctioned party. However, in the meantime, it had acquired one of Zoltek’s primary suppliers of a specific raw material, and the business continued uninterrupted.

While all of this is going on, there are emails exchanged within management about the supplier itself being sanctioned. There are emails about seeking legal advice, which would have been the prudent step to take, but the advice sought was from a lawyer in a third country where Zoltek’s affiliate was located. Not surprisingly, he concluded U.S. law did not apply in that third country. You also have executives within the company refusing to sign any contract with the sanctioned supplier. There are outside third parties explaining repeatedly to Zoltek’s upper management that purchases from the sanctioned supplier are barred under U.S. law. Through it all, Zoltek’s upper management kept saying it was consulting with the U.S. government and never did. In the end, Zoltek made 13 purchases from the affiliate, later sanctioned party, with a total value of $10,390,920. How much more efficient and less costly would it have been for management to call a U.S. lawyer familiar with U.S. sanctions laws?

What these cases remind us as the new year launches is that internal controls continue to be one of the most important tools companies have to manage their risk. At the same time, the best internal controls program works only if staff is properly trained and the program is regularly tested, updated and improved. Even Zoltek could have avoided its problems if it had had a robust sanctions program in place. When was the last time your internal controls were tested and upgraded? It’s the new year, now is the time to start!

To GDPR or Not To GDPR – That Remains the Question !!!!

Posted in Aerospace & Defence, Agriculture, Anti-Trust/Competition Law, Constitutional Law, Corporate Counsel, Cross-border deals, Cybersecurity and Privacy, Legal Developments

Published originally by the Journal of Commerce in December 2018

When the General Data Protection Regulation (“GDPR”) took effect on May 25, 2018, American companies found themselves in a quandary. The language of the regulation was sufficiently broad to initially conclude that even if a company had no presence or operation in Europe, it would be required to comply. As a reminder, the EU member countries are: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and United Kingdom. Iceland, Liechtenstein, and Norway are also impacted by way of their domestic laws which adopted the GDPR principles. These countries are together referred to as the European Economic Area or EEA.

GDPR Article 3.2(1) addresses processing of personal data by those operating within the EEA. Article 3.2(2) added that the processing was to be related to the offering of goods or services, irrespective of whether a payment is required, or the monitoring of the behaviour of those within the EEA. This language led to questions such as: was a company subject to the GDPR if it published a website which could be accessed by residents in an EEA country? What kind of activity was needed to constitute the offering of goods or services? What constituted monitoring?

The Information Commissioner’s Office (“ICO”) directly addressed the website question when it admonished The Washington Post about its cookie policies in response to a complaint. The ICO is: “[t]he UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.” The Register, a UK publication, broke the story on November 19, 2018. The Washington Post offers articles on its website. The options are to receive a limited number of them for free, pay $6 per month for unlimited articles or pay $9 per month and turn off tracking and cookies. The ICO found the website did not comply with the GDPR because there was no free of charge option to refuse to accept cookies or tracking. At the same time, the ICO acknowledged the difficulty of doing anything more. It is quoted by The Register as saying “[w]e hope that the Washington Post will heed our advice, but if they choose not to, there is nothing more we can do in relation to this matter.”

Additional clarification now comes from the European Data Protection Board (“EDPB”) through its “Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)” (the “Guidelines”); see https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_en.pdf for the full publication. There are a number of fact patterns presented as a way to illustrate the conclusions of the EDPB, “an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities.”

There is little doubt about GDPR’s application if a company operates in the EEA and processes personal data within the territory. If the company is in the EEA and the processing occurs outside the EEA, the company continues to be required to comply and is expected to take steps to make sure its data processor meets the GDPR requirements. Similarly, if the company which controls the data is outside the EEA, but the data is processed within the EEA, the data processor must comply with the GDPR, even if the company is not subject to its requirements. It was also clear from the outset the GDPR applies to anyone who is within the EEA, even if a resident elsewhere, and does not apply if an EEA resident is outside the territory. What the guidance did was reinforce those points and clarify a few others.

The GDPR’s broad definition of personal data is found at Article 4(1), which defines personal data as “any information relating to an identified or identifiable natural person” and includes name, identification number, location data, online identifier or one or more “factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Again by way of a reminder, a data controller is the party which determines the purposes and means of the processing of the personal data. The data processor is the party that actually conducts the processing on behalf of the data controller. Where things get more complicated is when goods and services are offered by a company outside the EEA. The EDPB makes clear that offering a website alone does not equate to having a presence in the EEA. On the other hand, having one agent or employee in an EEA country may be sufficient to make the company subject to the GDPR. At the same time, just because a company has a presence in an EEA country does not mean the GDPR applies to its activities. In short, as is often the case, this all comes down to the facts and circumstances. The recommended thought process is first determine whether personal data is being processed. Then identify links between the activity for which the data is being processed and the activities of the organization. If such a link exists, then look even further. One example provided reads as follows: “A hotel and resort chain in South Africa offers package deals through its website, available in English, German, French and Spanish. The company does not have [a presence] in the [EEA]. In this case, in the absence of any [presence] within the territory… , it appears that no entity linked to this data controller in South Africa can qualify as an [operation] in the [EEA] within the meaning of the GDPR. Therefore the processing at stake cannot be subject to the provisions of the GDPR…”

Coming out the other way: “A start-up established in the USA, without any business presence … in the [EEA], provides a city-mapping application for tourists. The application processes personal data concerning the location of customers using the app… once they start using [it] in the city they visit, in order to offer targeted advertisement for places to visit, restaurants, bars and hotels. The application is available for tourists while they visit New York, San Francisco, Toronto, London, Paris and Rome. The US start-up, via its city mapping application, is offering services to individuals in the [EEA] … The processing of the [EEA]-located data subjects’ personal data in connection with the offering of the service falls within the scope of the GDPR …”

Another relevant illustration: “A U.S. citizen is travelling through Europe during his holidays. While in Europe, he downloads and uses a news app that is offered by a U.S. company. The app is exclusively directed at the U.S. market. The collection of the U.S. tourist’s personal data via the app by the U.S. company is not subject to the GDPR.”

These seemingly contradictory outcomes are easily reconciled by the Guidelines. First, one needs to figure out whether the company is offering any goods or services directed to EEA residents, whether or not a payment is made for those services. If not, the GDPR does not apply. If yes, then the relevant criteria for making the determination (which should be considered together) include:

  • The [EEA] or at least one State is designated by name with reference to the good or service offered;
  • The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the [EEA]; or the controller or processor has launched marketing and advertisement campaigns directed at an [EEA] country audience;
  • The international nature of the activity at issue, such as certain tourist activities;
  • The mention of dedicated addresses or phone numbers to be reached from an [EEA] country;
  • The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example “.de”, or the use of neutral top-level domain names such as “.eu”;
  • The description of travel instructions from one or more other [EEA] States to the place where the service is provided;
  • The mention of an international clientele composed of customers domiciled in various [EEA] States, in particular by presentation of accounts written by such customers;
  • The use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more [EEA] States;
  • The data controller offers the delivery of goods in [EEA] States.

Two additional examples illustrate further possible outcomes. In the first, the GDPR applies: “[a] website, based and managed in Turkey, offers services for the creation, edition, printing and shipping of personalised family photo albums. The website is available in English, French, Dutch and German and payments can be made in Euros or Sterling. The website indicates that photo albums can only be delivered by post mail in the UK, France, Benelux countries and Germany. In this case, it is clear that the creation, editing and printing of personalised family photo albums constitute a service within the meaning of [EEA] law. The fact that the website is available in four languages of the [EEA] and that photo albums can be delivered by post in six [EEA] States demonstrates that there is an intention on the part of the Turkish website to offer its services to individuals in the [EEA]. As a consequence, it is clear that the processing carried out by the Turkish website, as a data controller, relates to the offering of a service to data subjects in the [EEA] and is therefore subject to the obligations and provisions of the GDPR …”

The opposite result derives from these facts: “A private company based in Monaco processes personal data of its employees for the purposes of salary payment. A large number of the company’s employees are French and Italian residents. In this case, while the processing carried out by the company relates to data subjects in France and Italy, it does not take place in the context of an offer of goods or services. Indeed human resources management, including salary payment by a third-country company, cannot be considered as an offer of service … The processing at stake does not relate to the offer of goods or services to data subjects in the [EEA] (nor to the monitoring of behaviour) and, as a consequence, is not subject to the provisions of the GDPR …”

These Guidelines serve as a reminder to American companies with no presence in any EEA country that if you are engaging with any person (even at a company) who resides in an EEA country, you should have in place a GDPR compliance policy. Given the high priority placed on GDPR compliance, you will want to make sure that your GDPR policy is adequate for your circumstances, that you have appropriately documented your conclusions about how you are compliant, and that you have updated your Terms of Use and Privacy Policy accordingly. While the Washington Post letter and the Guidelines give comfort to companies that do not have a presence in the EEA, your business partners there will have their own compliance concerns. It is wise to know those compliance challenges going into the negotiations. Otherwise, you could end up taking on unnecessary legal obligations that could come back to haunt you! Also, be aware that local laws apply and are equally important in protecting yourself!