June 18, 2024, Covington Alert

On June 12, 2024, the U.S. Department of the Treasury, Office of Foreign Assets Control (“OFAC”) and the U.S. Commerce Department, Bureau of Industry and Security (“BIS”) issued additional measures to counter Russia’s continued aggression in Ukraine. The measures, announced in advance of the G7 summit in Italy last week, are intended to “continue to drive up costs for the Russian war machine.”

The actions taken by OFAC and BIS include new prohibitions on providing certain information technology- and software-related services to persons located in Russia, establishing additional sanctions designed to target the Russian financial infrastructure, strengthening secondary sanctions that can be applied to non-U.S. persons (including in particular non-U.S. financial institutions), and expanding export controls restrictions on items destined for Russia and Belarus (including with respect to certain types of software). Along with the new rules, OFAC designated for property-blocking sanctions more than 300 individuals and entities (including parties identified for sanctions by the U.S. State Department), while BIS used its authority to make additions to the Entity List, issue Temporary Denial Orders, and notify U.S. distributors of additional restrictions on shipments to parties known to be supplying items to Russia. Significantly, BIS altered its Entity List rules to permit certain address-only designations to the Entity List and, among other designations, added to the Entity List eight addresses in Hong Kong with a high diversion risk. Exports, reexports, or transfers of certain items subject to the Export Administration Regulations (“EAR”) to purchasers, intermediate or ultimate consignees, and end ­users who use those addresses generally will require authorization from BIS.

Separately, on June 13, 2024, the UK Government imposed a new round of asset-freezing sanctions on a number of notable Russian entities. The European Union is also considering a 14th package of sanctions measures relating to Russia, although as of this writing the EU has not yet enacted the new package.

New U.S. Sanctions

Prohibition on Certain Information Technology and Software Services

As part of the joint actions, OFAC issued a determination pursuant to the authority of Executive Order 14071 (the “IT and Software Services Determination”) that prohibits the exportation, reexportation, sale, or supply, directly or indirectly, from the United States, or by a U.S. person, wherever located, of (i) information technology (“IT”) consultancy and design services, and (ii) IT support services and cloud-based services for enterprise management software and design and manufacturing software (collectively, “Covered Software”) to any person located in the Russian Federation, unless licensed or otherwise authorized by OFAC. The IT and Software Services Determination is effective beginning at 12:01 eastern daylight time on September 12, 2024. “U.S. persons” include U.S. legal entities and their non-U.S. branches; U.S. citizens and lawful permanent residents, no matter where located or employed; and persons present in the United States.

Continue Reading U.S. Government Issues New U.S. Sanctions and Export Controls Targeting Russia and Belarus for Continued Aggression Against Ukraine; Update on European Sanctions Developments

1.  Background

Gene and cell therapies are on the rise. On June 12, 2024, the German Federal Government was handed the strategy paper for a National Strategy for Gene and Cell Therapies. The paper is intended to serve as a basis for policymaking to give Germany a leading role in the field of gene and cell therapies (GCT) in Europe. The German Government recognizes that the age of GCT has started but that there are many legal, regulatory and practical shortcomings that impedes research and development of GCTs in Germany.

Back in the fall of 2022, the German Federal Ministry of Education and Research (BMBF) had commissioned the Berlin Institute of Health (BIH) to coordinate and moderate the development of a National Strategy for GCT. Eight working groups were created to develop the National GCT Strategy, with a total of about 150 experts from various stakeholder groups. The result of their work is a document divided into eight fields of action, in which various measures are proposed to achieve strategic goals in the field of GCT.

The National GCT Strategy is one of several highly targeted measures with which the German Government aims to make Germany more attractive as a location for pharmaceutical and healthcare innovation. Just six months ago, in December 2023, the Federal Ministry of Health (BMG) presented a strategy paper for the new National Pharma Strategy. We reported on this in detail in an earlier Covington blog.

Unlike the National Pharma Strategy, which was developed under the Social Democrat-led Federal Ministry of Health (BMG), the National Strategy for GCT is an initiative led by the Federal Ministry of Education and Research which is led by the liberal party FDP. The BMBF appears keen to play a leading role in the establishment of GCT in Germany. Industry stakeholders may welcome this as the BMBF is known to be a more industry-friendly part of the German Government than the BMG.

2.  The National Pharma Strategy as a possible role model

The example of the National Pharma Strategy and its rapid implementation already indicates what the next steps in the National GCT Strategy may be. Shortly after the National Pharma Strategy was agreed upon, the first draft of the “Medical Research Act” was presented on 26 January 2024 to implement key elements of the Pharma Strategy, including amendments in the areas of clinical trials, ATMPs and pharmaceutical pricing and reimbursement (AMNOG). We reported on this in two earlier blogs that discussed the proposed changes for clinical trials and drug pricing. The draft Medical Research Act is expected to come into force in the fall of 2024. Hence, the current German Government is keen to act fast to strengthen Germany as a place for pharmaceutical innovation and R&D.

Continue Reading Germany prepares new National Strategy for Gene and Cell Therapies

On May 30, 2024, the Court of Justice of the EU (“CJEU”) handed down its rulings in several cases (C-665/22Joined Cases C‑664/22 and C‑666/22C‑663/22, and Joined Cases C‑662/22 and C‑667/22) concerning the compatibility with EU law of certain Italian measures imposing obligations on providers of online platforms and search engines.  In doing so, the CJEU upheld the so-called “country-of-origin” principle, established in the EU’s e-Commerce Directive and based on the EU Treaties principle of free movement of services.  The country-of-origin principle gives the Member State where an online service provider is established exclusive authority (“competence”) to regulate access to, and exercise of, the provider’s services and prevents other Member States from imposing additional requirements.

We provide below an overview of Court’s key findings.


The cases originate from proceedings brought by several online intermediation and search engine service providers (collectively, “providers”) against the Italian regulator for communications (“AGCOM”).  The providers, which are not established in Italy, challenged measures adopted by AGCOM designed to ensure the “adequate and effective enforcement” of the EU Platform-to-Business Regulation (“P2B Regulation”).  Among other things, those measures required the providers, depending on the case, to: (1) enter their business into a national register; (2) provide detailed information, including information about the company’s economic situation, ownership structure, and organization; and (3) pay a financial contribution to the regulator for the purposes of supporting its supervision activities. 

The Country-of-Origin Principle

In its rulings, the Court notes that the e-Commerce Directive’s country-of-origin principle relieves online service providers of having to comply with multiple Member State requirements falling within the so-called “coordinated field” (as defined in Article 2(h)-(i) of e-Commerce Directive), that is, requirements concerning access to the service (such as qualifications, authorizations or notifications), and the provision of the service (such as the provider’s behavior, the quality or content of services). 

Member States other than where the service provider is established cannot restrict the freedom to provide such online services for reasons falling within the coordinated field, unless certain conditions are met.  In particular, measures may be taken when it is necessary for reasons of public policy, protection of public health, public security, or the protection of consumers, among other conditions (Article 3(4) of e-Commerce Directive).

Continue Reading CJEU Upholds Country-of-Origin Principle for Online Service Providers in the EU

The Supreme Court will soon decide whether to hear two cases that could dictate the future of climate change tort suits.  Such suits have proliferated in recent years: several dozen active cases assert state tort law claims—like nuisance, trespass, and strict liability—against oil and gas companies for fueling and misleading the public about climate change.  The two pending cases go to the very foundations of these claims.

On February 28, 2024, a group of oil and gas companies filed a petition for a writ of certiorari in Sunoco LP v. City & County of Honolulu (No. 23-947).  In its decision below, the Supreme Court of Hawaii rejected the companies’ argument that federal law precludes application of state tort law in the climate change context.  See City & County of Honolulu v. Sunoco LP, 537 P.3d 1173, 1181 (Haw. 2023).  In their certiorari petition, the companies—supported by ten amicus briefs, including one filed by twenty states—encourage the Court to “provide clarity on whether claims seeking relief for global climate change can proceed” before parties and the judiciary incur significant costs.  The companies allege that Honolulu created a split with the U.S. Court of Appeals for the Second Circuit, which held that federal law precluded somewhat similar claims in City of New York v. Chevron Corp., 993 F.3d 81, 85 (2d Cir. 2021).

On June 10, 2024, the Supreme Court called for the views of the Solicitor General as to whether it should hear the case, an order that often constitutes a “significant sign that there is a much higher likelihood that cert. may ultimately be granted in [a] case.”  Justice Alito recused himself without stating a reason, although his recusal likely stems from his previously disclosed holdings in one or more of Petitioner-Companies.

Separately, on May 22, 2024, nineteen states filed a motion for leave to file a bill of complaint in Alabama v. California (No. 22O158).  In their bill of complaint, Plaintiff-States ask the Supreme Court to exercise its original jurisdiction to bar a different group of states from using state laws “to regulate activity or extract liability for emissions by or wholly within Plaintiff States” or “to regulate interstate gas emissions.”  Motivating this suit, the five Defendant-States—California, Connecticut, Minnesota, New Jersey, and Rhode Island—have all filed state tort law claims against oil and gas companies, similar to the claims at issue in Honolulu.  Plaintiff-States argue that such suits “exceed state authority, flout the horizontal separation of powers, usurp federal authority over a federal issue, and violate the prohibition on extraterritorial regulation embodied in the Commerce Clause.”

Should the Supreme Court grant the Honolulu petition or the Alabama motion, it could expand or narrow a significant avenue through which states and municipalities seek to hold oil and gas companies liable for climate change.  Supreme Court decisions in these matters could also carry significance outside the climate change context, either strengthening or limiting plaintiffs’ ability to utilize state law claims to address issues with nationwide salience.

On June 6, the Texas Attorney General published a news release announcing that the Attorney General has opened an investigation into several car manufacturers.  The news release states that the investigation was opened “after widespread reporting that [car manufacturers] have secretly been collecting mass amounts of data about drivers directly from their vehicles and then selling that data to third parties.”  Further, the release states that “car manufacturers and the third parties to whom they sold data are being instructed to produce documents relevant to their conduct. . .[and] to produce documents showing the disclosures they made to customers about the extent of their data collection practices and subsequent sale of their customers’ data.”  This announcement follows an earlier news release from the Attorney General describing the launch of a data privacy and security initiative, which will enforce Texas’s privacy protection laws, including the Texas Data Privacy and Security Act that goes into effect on July 1.

On May 31, 2024, Colorado Governor Jared Polis signed HB 1130 into law. This legislation amends the Colorado Privacy Act to add specific requirements for the processing of an individual’s biometric data. This law does not have a private right of action.

Similarly to the Illinois Biometric Information Privacy Act (BIPA), this law requires controllers to provide notice and obtain consent prior to the collection or processing of a biometric identifier. The law also prohibits controllers from selling or disclosing biometric identifiers unless the customer consents or unless disclosure is necessary to fulfill the purpose of collection, to complete a financial transaction, or is required by law.

The law contains several novel requirements. For instance, it prevents a controller from purchasing a biometric identifier unless: (a) they pay the consumer, (b) they obtain the consumer’s consent, and (c) the purchase is unrelated to the provision of a product or service to the customer. Additionally, it requires companies meeting certain thresholds to disclose detailed information about their biometric data collection and use upon consumer request, including the source from which the controller access the data and the purpose for which it was processed.

The law also sets forth retention requirements that differ from those of BIPA. Specifically, controllers processing biometric data must adopt written guidelines that require the permanent destruction of a biometric identifier by the earliest of: (a) the date upon which the initial purpose for collecting the biometric identifier has been satisfied; (b) 24 months after the consumer last interacted with the controller; or (c) the earliest reasonably feasible date. The earliest reasonably feasible date must be no more than 45 days after a controller determines that storing the biometric identifier is no longer necessary or relevant to the express processing purpose, as identified by an annual review. The controller may extend the 45 day period by up to 45 additional days if necessary given the complexity and amount of biometric identifiers to be deleted. The written policy must also establish a retention schedule for biometric identifiers and include a protocol for responding to a breach of security involving biometric data. Note that the controller need not publish policies applying only to current employees or internal protocols for responding to security incidents.

Lastly, the law contains guidance on the use of biometric systems by employers. It specifies that employers may collect biometric identifiers as a condition of employment, but only to: permit access to secure physical locations or hardware (and not to track a current employee’s location or how much time they spend using an application); to record the start and end of a work day; and to improve workplace and public safety. The collection of biometric identifiers from employees for other reasons may not be a condition of employment and may occur only with consent. The law contains a broad statement that employers may still collect and process employees’ biometric identifiers for uses aligned with the employee’s reasonable expectations based on the role.

On May 20, 2024, a proposal for a law on artificial intelligence (“AI”) was laid before the Italian Senate.

The proposed law sets out (1) general principles for the development and use of AI systems and models; (2) sectorial provisions, particularly in the healthcare sector and for scientific research for healthcare; (3) rules on the national strategy on AI and governance, including designating the national competent authorities in accordance with the EU AI Act; and (4) amendments to copyright law. 

We provide below an overview of the proposal’s key provisions.

Objectives and General Principles

The proposed law aims to promote a “fair, transparent and responsible” use of AI, following a human-centered approach, and to monitor potential economic and social risks, as well as risks to fundamental rights.  The law will sit alongside and complement the EU AI Act (for more information on the EU AI Act, see our blogpost here).  (Article 1)

The proposed law sets out general principles, based on the principles developed by the Commission’s High-level expert group on artificial intelligence, pursuing three broad objectives:

  1. Fair algorithmic processing. Research, testing, development, implementation and application of AI systems must respect individuals’ fundamental rights and freedoms, and the principles of transparency, proportionality, security, protection of personal data and confidentiality, accuracy, non-discrimination, gender equality and inclusion.
  2. Protection of data. The development of AI systems and models must be based on data and processes that are proportionate to the sectors in which they’re intended to be used, and ensure that data is accurate, reliable, secure, qualitative, appropriate and transparent.  Cybersecurity throughout the systems’ lifecycle must be ensured and specific security measures adopted.
  3. Digital sustainability. The development and implementation of AI systems and models must ensure human autonomy and decision-making, prevention of harm, transparency and explainability.  (Article 3)
Continue Reading Italy Proposes New Artificial Intelligence Law

Updated May 28, 2024.  Originally posted May 10, 2024.

The U.S. Federal Communications Commission (FCC) is set to reopen the public comment period on potential further amendments to its orbital debris mitigation rules, providing space industry stakeholders with a new opportunity to provide input on regulations with far-reaching implications.  Further illustrating the FCC’s commitment to leadership in regulating commercial space operations, stakeholders have until Thursday, June 27 to provide input on the agency’s regulation of orbital debris.  Today’s Federal Register sets this comment deadline, as well as a cutoff of Friday, July 12 for any reply comments.

The relevant action is a Public Notice issued by the FCC’s Space Bureau, which the agency created last year as part of an effort to increase its role in regulating the fast-growing space economy.  The Public Notice seeks to refresh the FCC’s record concerning proposed amendments to its orbital debris mitigation rules, which generally require that U.S. satellite operators (and non-U.S.-licensed satellite operators seeking U.S. market access) submit to the FCC satellite design and operational strategies intended to minimize the risk of orbital debris.

The FCC last sought comment on these issues in April 2020, when it expanded and refined its existing orbital debris mitigation framework.  In a corresponding move, the FCC also sought input, through a Further Notice of Proposed Rulemaking (FNPRM), on additional rule amendments and proposals related to, among other issues:

  1. How satellite operators may demonstrate that they have adequately assessed and limited the probability of accidental explosions;
  2. How the FCC should evaluate the collision risk presented by large, multi-satellite constellations;
  3. Whether the FCC should adopt a requirement that all non-geostationary orbit (NGSO) satellites planned for operation above a certain altitude maintain propulsion capabilities designated for station-keeping and collision-avoidance maneuvers;
  4. How the FCC should consider human casualty risk, particularly with regard to large, multi-satellite constellations; and
  5. Whether, as a condition of an FCC satellite license, the FCC should require satellite operators to commit to indemnifying the U.S. government for any liability from claims for damage resulting from satellite operations.
Continue Reading FCC’s Space Bureau Seeks Further Input on Regulation of Orbital Debris; Comments Due June 27

On May 16, the U.S. Securities and Exchange Commission (“SEC”) adopted amendments to Regulation S-P, which implements the Gramm-Leach Bliley Act (“GLBA”) for SEC-regulated entities such as broker-dealers, investment companies, registered investment advisers, and transfer agents.

Among other requirements, the amendments require SEC-regulated entities to adopt written policies and procedures for an incident response program that is “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.”  Under the required incident response program, SEC-regulated entities must provide timely notification to individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.  Other provisions address record keeping, annual privacy notices, and oversight of service providers, as well as expanding the scope of financial institutions and “customer information” covered by the rule.

The SEC had previously issued a proposed rule for comment in the Federal Register in April 2023.  Industry representatives raised a number of concerns with the rule, including conflicts between the proposed rule and state data breach laws and a lack of consistency with the safeguarding standards promulgated by other federal prudential regulators.  Despite these concerns, the final rule is substantially as proposed and reflects only minor revisions.  For example, the following changes have been made to the notification provisions of the final rule:

  • Clarification that the requirement does not apply in cases where a SEC-regulated entity reasonably determines that a specific individual’s sensitive customer information was not accessed or used without authorization.
  • Broadening the scope and timing requirements of the so-called “law enforcement exception” to allow delays in providing notifications where the Attorney General determines that notice would pose a substantial risk to public safety, in addition to national security.
  • No longer requiring that notifications include “what has been done to protect the sensitive customer information from further unauthorized access or use” given the risk that this information could advantage threat actors.

The final rule will become effective 60 days after publication in the Federal Register.

As the energy transition gathers pace, the need for access to the essential raw materials which underpin it, is also accelerating:

  • An electric car needs six times more rare earth minerals than a conventional vehicle;
  • An onshore wind plant needs nine times more materials than a comparable gas facility;
  • Between 2017 and 2022, the energy sector drove a tripling of global demand for lithium, whilst demand for cobalt and nickel rose by 70% and 40%[1] respectively;
  • Between three to 6.5 billion tonnes of transitional minerals will be needed over the next three decades if the world is to meet its climate goals[2].

The current and future global demand for transitional metals and minerals offers a potentially huge economic opportunity[3]. This is particularly the case for Africa, where more than 50% of the world’s cobalt and manganese, 92% of its platinum and significant quantities of lithium and copper are to be found. Almost all of the continent’s current output is presently shipped as ore for processing in third countries, meaning the potential economic benefit of this enormous mineral wealth has not filtered through to the real economics in its African source countries[4].  Africa exports roughly 75% of its crude oil, which is refined elsewhere and re-imported as (more expensive) petroleum products; and exports 45% of its natural gas, whilst 600 million Africans have no access to electricity (approximately 53% of the continent’s population)[5].

A number of African governments have expressed their determination to avoid repeating the ‘resource curse’ mistakes of the past, by using the continent’s natural resources to drive domestic economic growth, while creating meaningful domestic job opportunities, rather than exporting them and the consequent economic growth elsewhere.  This approach has led a number of African countries to impose export restrictions on raw minerals; promote domestic processing; and demand that agreements with third countries promote technology transfers and improve domestic processing capacities and workforce skills.

Sustainable use of transition minerals

A resolution to promote equitable benefit-sharing from extraction was recently presented at the UN environmental assembly in Nairobi calling for the sustainable use of transitional minerals[6].  The Resolution, which was supported by a group of mainly African countries including the DRC, Senegal, Burkina Faso, Cameroon and Chad, was described as being ‘crucial for African countries, the environment and the future of [African nations’] populations.”

A number of African countries have already taken steps to protect their natural resources and move up the processing value chain[7].

Continue Reading African Raw Material Export Bans: Protectionism or Self-Determination?