On August 23, 2024, the Brazilian Data Protection Authority (“ANPD”) published Resolution 19/2024, approving the Regulation on international data transfers and the content of standard contractual clauses (the “Regulation”).  The Regulation implements the international data transfer framework under the Brazilian General Data Protection Law (“LGPD”).

Under the LGPD, international data transfers from Brazil to a third country are permitted if: (i) the ANPD recognizes the third country as providing adequate protection for personal data; (ii) the data exporter and data importer enter into standard contractual clauses (“SCCs”), binding corporate rules, or special contractual clauses; or (iii) one of the specific cases listed in the LGPD applies (e.g., the transfer is necessary to protect the life of the data subject, the data subject consents to the transfer, or the ANPD authorizes the transfer).  The Regulation relates to the data transfer instruments mentioned in (i) and (ii).

Standard Contractual Clauses
The Regulation approves and publishes SCCs for the transfer of personal data outside of Brazil without ANPD’s authorization.  The SCCs cover both controller-to-controller and controller-to-processor international data transfers.  Like the EU SCCs, they are contracts signed between the data exporter (in Brazil) and the data importer (in a third country).  The parties may not modify them.  The ANPD may allow the transfer of personal data outside of Brazil on the basis of “equivalent SCCs” adopted by third countries, provided that they are compatible with the LGPD.  The ANPD has not (yet) indicated that it would recognize the EU SCCs as equivalent.

Brazilian controllers that use contractual clauses to transfer personal data internationally must replace those contracts with the newly published SCCs by August 22, 2025.Continue Reading Brazil Issues New Regulation on International Data Transfers

This week, the Senate Committee on Health, Education, Labor, and Pensions (HELP) will vote to pursue civil enforcement and criminal contempt of Congress charges against Steward Health Care CEO Dr. Ralph de la Torre.  If the vote succeeds, and it is likely it will, Dr. de la Torre will be only the second corporate executive subject to a subpoena enforcement action in the history of the Senate.

The bipartisan enforcement action, announced by Committee Chairman Sen. Bernie Sanders (I-Vt.) and Ranking Member Sen. Bill Cassidy, M.D. (R-La.), followed a hearing last week for which Dr. de la Torre was subpoenaed to testify but failed to appear.

The use of an empty chair at a hearing to symbolize noncompliance with congressional requests has increased in recent years, but it is nonetheless a rare event on Capitol Hill.  Dr. de la Torre, remarkably, has been represented by an empty chair twice in less than six months.  In March 2024, Sen. Edward Markey (D-Mass.), chair of the Senate HELP Subcommittee on Primary Health and Retirement Security, launched an inquiry into financial mismanagement at Steward Health Care.  Senator Markey twice requested that Dr. de la Torre testify at a Subcommittee hearing on April 3, 2024.  Dr. de la Torre declined to appear, earning his first empty chair of the year.Continue Reading An Empty Chair and a Not-so-Empty Threat:  Senate HELP Committee to Vote on Rare Civil and Criminal Subpoena Enforcement Actions Against Steward Health Care CEO

The Senate Judiciary Committee is once again scheduled to markup the Inventor Diversity for Economic Advancement (IDEA) Act (S.4713/H.R.9455) this Thursday, September 19.

The bipartisan, bicameral IDEA Act was introduced in the Senate by Senators Mazie Hirono (D-HI) and Senate Judiciary Intellectual Property (IP) Subcommittee Ranking

Continue Reading Senate Judiciary Committee To Consider Inclusive Innovation Legislation

On August 29, California lawmakers passed the Safe and Secure Innovation for Frontier Artificial Intelligence Models Act (SB 1047), marking yet another major development in states’ efforts to regulate AI.  The legislation, which draws on concepts from the White House’s 2023 AI Executive Order (“AI EO”), follows months of high-profile debate and amendments and would establish an expansive AI safety and security regime for developers of “covered models.”  Governor Gavin Newsom (D) has until September 30 to sign or veto the bill. 

If signed into law, SB 1047 would join Colorado’s SB 205—the landmark AI anti-discrimination law passed in May and covered here—as another de facto standard for AI legislation in the United States in the absence of congressional action.  In contrast to Colorado SB 205’s focus on algorithmic discrimination risks for consumers, however, SB 1047 would address AI models that are technically capable of causing or materially enabling “critical harms” to public safety. 

Covered Models.  SB 1047 establishes a two-part definition of “covered models” subject to its safety and security requirements.  First, prior to January 1, 2027, covered models are defined as AI models trained using a quantity of computing power that is both greater 1026 floating-point operations per second (“FLOPS”) and valued at more than $100 million.  This computing threshold mirrors the AI EO’s threshold for dual-use foundation models subject to red-team testing and reporting requirements; the financial valuation threshold is designed to exclude models developed by small companies.  Similar to the Commerce Department’s discretion to adjust the AI EO’s computing threshold, California’s Government Operations Agency (“GovOps”) may adjust SB 1047’s computing threshold after January 1, 2027.  By contrast, GovOps may not adjust the valuation threshold, which is indexed to inflation and must be “reasonably assessed” by the developer “using the average market prices of cloud compute at the start of training.”Continue Reading California Legislature Passes Landmark AI Safety Legislation

On August 14, the FTC announced a final rule that, according to the FTC, is intended to “combat fake reviews and testimonials.”  The rule will go into effect on October 21, 2024.  This final rule is the culmination of the FTC’s issuance of an advance notice of proposed rulemaking (ANPRM) in November 2022 and notice of proposed rulemaking (NPRM) in June 2023.  We previously analyzed the draft rule presented in the NPRM. 

In response to public comments, the FTC made several substantive changes in the final rule.  Many of these changes narrow the rule in helpful ways for businesses concerned about the breadth of the proposed rule, although a few changes arguably expand the rule.  We have outlined some of the major differences between the draft and final rules below:Continue Reading FTC Issues Final Rule on Reviews and Testimonials

In late August, the California legislature passed two bills that would limit the creation or use of “digital replicas,” making California the latest state to seek new protections for performers, artists, and other employees in response to the rise of AI-generated content.  These state efforts come as Congress considers the

Continue Reading California Passes Digital Replica Legislation as Congress Considers Federal Approach

On 18 July 2024, Ursula von der Leyen, the current President of the European Commission (“Commission”), was reconfirmed by the European Parliament for a second term. Ahead of her reconfirmation, President von der Leyen delivered a speech before the European Parliament, accompanied by a 30-page program (the “Guidelines”) that lays down the next five-year policy agenda she proposes for the Commission. This blog outlines the key points to look out for in the “mission letters” she is expected to issue to her Commissioners-designate later this week.

A European “Christmas Tree”

The Guidelines were designed to secure a majority in the European Parliament ahead of the crucial 18 July vote. They affirm that the “priorities set out draw on […] consultations and on the common ideas discussed with the democratic forces in the European Parliament” (a reference to the cordon sanitaire – the agreed common exclusion of far-right parties from political discussions).

However, whilst the Commission has the monopoly on the right of initiative in EU law-making, the European Council (the strategic body that comprises the EU heads of state and government) defines the general political direction and priorities of the European Union. Hence, the European Council is the ultimate agenda-setter. At their 27 June 2024 meeting, the European Council agreed on a draft 2024-2029 Strategic Agenda (“Strategic Agenda”). This sets in stone the European Council’s policy priorities and invites the Commission to put these “into action during the next institutional cycle”. Thus, the Strategic Agenda acted as the basis upon which Von der Leyen prepared her Guidelines.

Other workstreams also influenced the drafting of the Guidelines. Enrico Letta’s report on the future of the EU Single Market advocated for the Commission to propose the establishment of the European Savings and Investments Union. Mario Draghi’s report on competitiveness (published on September 9, 2024) also fed into the Guidelines. Finally, the Guidelines seek to establish a sense of continuity, allowing von der Leyen’s second mandate to build on her first, notably with regards to the Green Deal: “we have achieved a lot together in the last five years, […] we must and will stay the course on all of our goals, including those set out in the European Green Deal”.Continue Reading What do European Commission President von der Leyen’s Political Guidelines Mean for the 2024-2029 Mandate?

On 1 July 2024, Germany has enacted stricter requirements for the processing of health data when using cloud-computing services. The new Section 393 SGB V aims to establish a uniform standard for the use of cloud-computing services in the statutory healthcare system which covers around 90% of the German population. In this blog post, we describe the specific new requirements for the processing of health and social data using cloud-computing. We will also discuss whether the new rules may impact medical research and other projects that utilize cloud-computing for processing health data.

1. Scope and Background of Sec. 393 SGB V

The new Section 393 SGB V (Social Security Code – Book V) has been enacted with the recent “Digital Act” (see our earlier blog on the Digital Act). The title of Section 393 SGB V is “Cloud-Use in the Healthcare System“. Hence, it aims to impose specific requirements for healthcare service providers, statutory health insurances and their contract data processors when they process health data and social data using cloud-computing services. According to the German legislator, the provision aims at enabling the secure use of cloud services as a “modern, generally widespread technology in the healthcare sector and to create minimum technical standards for the use of IT systems based on cloud-computing”.

The new requirements apply to data processing using cloud-computing irrespective of whether the cloud-computing is offered by an external vendor or utilizes a tool that the healthcare providers or health insurance has developed on their own.

The term “cloud-computing service” is defined in the law as “a digital service that enables on-demand management and comprehensive remote access to a scalable and elastic pool of shared computing resources, even if these resources are distributed across multiple locations” (Section 384 Sentence 1 No. 5 SGB V). This reflects the corresponding definition of cloud-computing in Article 6 (30) of the NIS2-Directive (EU) 2022/2555 on cybersecurity measures. Services that fall under this definition include, inter alia, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).Continue Reading Germany enacts stricter requirements for the processing of Health Data using Cloud-Computing – with potential side effects for Medical Research with Pharmaceuticals and Medical Devices

The European Commission’s draft guidelines on exclusionary abusive conduct by dominant firms under Article 102 TFEU (the “Draft Guidelines”) were published on 1 August 2024. They show a marked change from the 2009 Article 82 [now Article 102] Enforcement Priorities Guidance (the “Priorities Guidance”): economic concept has largely been replaced with the Commission’s interpretation of the European Courts’ caselaw.

The consultation on the Draft Guidelines is open until 31 October 2024. Practical suggestions rooted in and developing the caselaw appear more likely to influence the Commission’s final version of the Draft Guidelines than statements of economics.

Like the Priorities Guidance before it, the Draft Guidelines cover exclusionary conduct that the Commission views as concerning – conduct that benefits the dominant firm by excluding competitors from the market – and not exploitative conduct which benefits the dominant firm by exploiting its market power such as excessive pricing or the use of unfair trading conditions. Though in a departure from the Priorities Guidance, the Draft Guidelines do note overlaps between exclusionary and exploitative analysis: “the principles relevant to the assessment of dominance (section 2) and the justifications based on objective necessity and efficiencies (section 5) are also relevant for the assessment of other forms of abusive conduct, such as exploitative abuses” (paragraph 11 of the Draft Guidelines) and “the same conduct by a dominant undertaking may have both exclusionary and exploitative effects” (footnote 17 of the Draft Guidelines).

The Draft Guidelines also now cover collective dominance and not only single dominance, of which more below.

The Draft Guidelines are important because they signal not only how the Commission intends to apply Article 102 to dominant companies – arguably it is already doing so – but also how the Commission interprets the European Courts’ caselaw since the Priorities Guidance was adopted, and how the Commission wishes to influence the development of the caselaw in the future. In the period since the publication of the Priorities Guidance in 2009, the concepts set out in the Priorities Guidance have had mixed success in front of the European Courts. Some examples:

  • The Court of Justice in the Telia Sonera preliminary ruling said that there can be a margin squeeze even absent an obligation to deal (paragraph. 59), in implicit contradiction of the Priorities Guidance;
  • The General Court in Qualcomm, overturning the Commission’s decision, seemingly extends the relevance of the as efficient competitor test beyond the area of pricing abuses in the Priorities Guidance to exclusivity arrangements;
  • The Court of Justice in the Unilever Italia preliminary ruling and the Intel appeal affirming the use of the as efficient competitor test; and
  • The Court of Justice in the Post Danmark II preliminary ruling noting that less efficient competitors can sometimes constrain dominant companies (paragraph. 60).

Continue Reading From Concept to Precedent: The 2024 Draft Guidelines on Article 102

August 23, 2024, Covington Alert

The Securities and Exchange Commission (SEC) this week issued a cease-and-desist order that demonstrates the SEC pay-to-play rule’s expansiveness and the SEC’s readiness to enforce it to the letter, even when it is virtually impossible that a political contribution could have influenced a government entity’s

Continue Reading SEC Enforcement Order Highlights Far Reach of Pay-to-Play Restrictions