A new year means new state privacy bills introduced in states across the country.  With two additional states joining California last year with the passage of the Virginia Consumer Data Protection Act and the Colorado Privacy Act, it is likely that more states will join the fray this year in creating a patchwork of comprehensive privacy laws in the United States.

While some states will have these bills under consideration well into the fall, the vast majority of state legislatures will adjourn by early June and thirteen will adjourn before the start of April.

During this early year sprint, there are five general trends that observers will want to keep an eye on in state legislatures.


The big enforcement debate remains whether to include a private right of action or to vest government actors with enforcement authority.  Although the Universal Law Commission’s Personal Data Protection Act provides for a private right of action if the state’s existing consumer protection law provides for consumer redress through the courts, this approach has not been followed in the three privacy statutes passed to date.  State privacy laws in California, Colorado and Virginia all lack a comprehensive private right of action for violations of the statute, and the California law only provides one in limited circumstances related to data breaches.

The private right of action can often stall legislative proposals.  For example, disagreements over the exclusion of a private right of action have torpedoed the Washington Privacy Act for three years in a row and stalled Florida’s privacy bills at the close of last year’s session.  Meanwhile in places such as New York, every bill under consideration has some form of private right of action, but none have come close to passing thus far.

Kentucky State Senate bill has taken a third approach to enforcement.  In addition to Attorney General enforcement, this bill allows for consumers to bring an action for injunctive relief related to certain violations of the law and consumer rights.  In addition to injunctive relief, plaintiffs could seek reasonable attorneys’ fees and costs.  It remains to be seen how popular this third approach becomes amid debates over private rights of action in state privacy bills.


Europe’s GDPR set the stage for comprehensive privacy legislation and a few years later California brought its own approach to the concept and introduced new terms, definitions, and processes.  Over the past two years, state legislatures have varied in their approach to new privacy legislation with some modeling their bills on the CCPA and others modeling their bills on the GDPR.  Colorado and Virginia elected to more closely follow the GDPR’s approach, though they also adopted elements of the CCPA such as the jurisdictional requirement that a certain number of users’ data be processed by a business to fall under the law and opt-out rights for key activities such as the “sale” of covered data, profiling, and targeted advertising.  States during this legislative session have also pursued both frameworks at the same time.  In Florida, the House bill adopts GDPR/Virginia language while the Senate bill adopts CCPA language.  In the coming legislative session, the trend seems to be that states will follow the GDPR or CCPA approaches, though it will important to monitor for novel proposals.


To date, most state privacy legislation includes exemptions for data or entities that are regulated by federal privacy laws.  These exemptions cover a range of topics, but tend to center around the Gramm-Leach-Bliley Act (“GLBA”), Health Insurance Portability and Accountability Act, and Fair Credit Reporting Act.  Although some bills, such as the Massachusetts Information Privacy Act, omit nearly all of the exemptions, bills that omit the exemptions will likely engender significant opposition and challenges from businesses and industries that must already comply with their respective federal privacy laws and regulations.

Rather than omitting all exemptions, the exemption debate in most legislatures during the coming months is likely to focus on the scope of the exemptions: data only, entity, or entity and affiliates.  Elements of this are reflected in the Florida Privacy Protection Act.  During last year’s session, the Senate version had only a data-level GLBA exemption.  But when reintroduced this year, the exemption was expanded to include an exemption for a “financial institution to the extent regulated by” the GLBA.

Employment and Business-to-Business Data

Two other notable exemptions are the employment and business-to-business (“B2B”) data exemptions.  These exemptions exclude from the scope of the law data collected in commercial and employment contexts.  The CCPA included these exemptions through the amendment process, but both provisions are set to expire in California at the end of this year, and it remains uncertain at this stage whether they will be extended.

Proposed state privacy legislation this session reflects a mixed bag.  Some bills, such as the Ohio Personal Privacy Act, have both the employee and B2B exemption.  Meanwhile Illinois’ Consumer Privacy Act would contain neither exemption.  And other states have considered including one exemption but not the other, as the Oklahoma Computer Data Privacy Act of 2022 does.  Which structure prevails may depend on the relative strength of organized labor in a given state, but it is worth noting that the only non-CCPA privacy bills to become law (Colorado and Virginia) have permanent employment and B2B exemptions written into their laws.


Even though these state privacy regimes are often termed “comprehensive,” the legislative drafting generally leaves gaps and questions for businesses seeking to comply with the law.  Accordingly, California and Colorado established rulemaking mechanisms in their privacy laws.  Notably, Virginia did not establish a rulemaking process, and despite recommendations to do so from the Virginia Consumer Data Protection Act Work Group, no amendment has been proposed during the current legislative session to add rulemaking.

Proposed legislation similarly varies in its approach to rulemaking and states may wait to see how the process (or lack of process) plays out in California, Colorado, and Virginia before fully committing to one path or another.

On 22 December 2021, the conference of German data protection supervisory authorities (“DSK”) published its Guidance for Providers of Telemedia Services (Orientierungshilfe für Anbieter von Telemedien).  Particularly relevant for providers of websites and mobile applications, the Guidance is largely devoted to the “cookie provision” of the German Telecommunication and Telemedia Privacy Act (TTDSG), which came into force on 1 December 2021.  The publication  focuses on the consent requirement for cookies and similar technologies, as well as relevant exceptions, introduced by the law.

Required consent and exceptions under the TTDSG

Section 25 of the TTDSG provides that the storage of information on an end user’s device, or access to information already stored on such a device, shall be permitted only with consent of the end user.  Exceptions are listed in Section 25(2), which stipulates that consent is not required if:

  • The sole purpose of storing information on the end user’s device, or accessing information already stored on the end user’s device, is to carry out the transmission of a message over a public telecommunications network; or
  • The storage of information on the end user’s device, or the access to information already stored on the end user’s device, is “absolutely necessary” for providing a “service expressly requested by the user”.

The DSK explains the scope of the second exception as follows:

  • Service expressly requested by the user: A service (for example, a website) may be “expressly requested” by a user simply by accessing and using it.  However, the DSK notes that such a “request” does not automatically include all additional features that may be embedded in the website or other service.
  • Absolutely necessary: According to the DSK, a cookie must be technically necessary for the specific service expressly requested by the user.

The DSK’s advice on cookie banner design

Absolutely necessary cookies: To the extent that storage of or access to information on an end user’s device falls under one of the exceptions in Section 25(2), the DSK advises providers not to request consent.  The DSK reasons that such a cookie banner requesting consent would unnecessarily interfere with the service.  Further, the DSK asserts that a request for consent would be misleading in these circumstances, since the user does not in fact have a choice.

Cookies requiring consent: When storage or access requires consent under Section 25, the DSK notes:

  • Consent must be actively given. Opt-out mechanisms, browser settings accepting cookies generally, and the ongoing use of a mobile application or website after notice do not constitute active consent according to the DSK.
  • Consent must be free. “Nudging” can invalidate otherwise valid consent.  The DSK asserts that such nudging already exists when rejecting cookies requires more clicks than accepting them.  Users should be able to continue using the service without accepting, or even actively declining, cookies.
  • Consent must be informed. According to the DSK, a cookie banner should provide an overview of all processing operations that require consent, adequately explained, and including the names and functions of any relevant third-parties.  Additionally, access to necessary information, such as the imprint (= mandatory information on the provider of the service) and privacy policy, must not be hindered by the consent banner.

The DSK emphasizes that, as long as the user has not given his consent, his device must not be accessed by technologies requiring consent.

Data transfers

For all processing activities, processors must check whether such activities involve a transfer of personal data to any third countries outside the European Economic Area without an equivalent level of data protection.  The DSK opines that Article 49 of the GDPR, which allows transfers without appropriate safeguards on the basis of consent, cannot be used to justify transfers of personal data processed in connection with the regular tracking of user behavior on websites or in mobile applications.  According to the DSK, the scope and regularity of such transfers cannot be reconciled with the character of Article 49 of the GDPR, as an exception to the general rules regarding data transfers, and the requirements of Article 44 GDPR.


Intentional and negligent violations of Section 25 of the TTDSG constitute administrative offenses, subject to a penalty of up to EUR 10,000.00.  This is much lower than the fines that can be imposed under the GDPR.  However, the DSK emphasizes repeatedly that the lawfulness of any subsequent processing of information collected through cookies or other tracking mechanisms, but without further involving the end user device, is subject to the GDPR.

In a decision handed down on December 1, 2021, the Brussels Market Court (Court of Appeal) had an opportunity to consider the GDPR right of access.  The Belgian Ministry of Finance appealed the Belgian Supervisory Authority’s recent decision requiring the Ministry to grant a complainant access to her financial file and make corrections to the file which described the complainant as a “straw man”.

The Market Court’s reasoning was interesting on two fronts:

  • First, the Court held the Supervisory Authority must consider, and conduct some level of investigation into, whether a complainant’s request constitutes an abuse. In this case, the Court found that the complainant used the GDPR right of access to obtain information about possible fiscal investigations being conducted against her (the Court used the term “fishing expedition”) and thereby abused the GDPR right of access.  The Supervisory Authority violated its duty of due care by not considering the complainant’s intention behind the exercise of her right of access.  This decision could be relevant in other contexts, such as HR processing, where the right of access is also often (ab)used for purposes other than preventing or rectifying GDPR violations.
  • In respect to the one-month deadline to respond to an access request (Art. 12(5) GDPR), the Court indicated that “there is no immediate textual argument that allows to state that not complying scrupulously with the deadline unambiguously constitutes a violation.”  Still, the Court indicated that the one-month deadline is an end time within which a response should be provided, unless there is a reasonable justification for exceeding it.  As the Ministry granted access to the file under the freedom of information regulations within one month, the Court decided that there was not violation of the GDPR, despite the Supervisory Authority’s argument that these regulations represent two distinct legal regimes with separate standards that should be considered independently.

The U.S. Senate Judiciary Committee announced this week its plan to vote on the American Innovation and Choice Online Act (S. 2292), antitrust legislation that would impose obligations on certain online platforms regarding the treatment of their own goods and services relative to competing services on their platform.  This will be the third antitrust bill considered by the Committee this year, and it will be the most the controversial of the three.  The vote is expected to take place on January 27.

The bill defines an online platform as “a website, online or mobile application, operating system, digital assistant, or online service” that allows users to interact with other users or to generate content seen by other users; facilitates the sale, payment, or shipping of goods or services by third parties; or “enables user searches or queries that access or display a large volume of information.”  For a platform to be covered by the bill, it must have at least 50 million monthly active users or 100,000 monthly active business users; and sales or market capitalization of more than $550 billion.  It also has to be a “critical trading partner for the sale or provision of any product or service offered on or directly related to the online platform.”  Senator Amy Klobuchar introduced the bill, and it has support from Senators from both parties, including Judiciary Committee Chair Dick Durbin and Ranking Member Chuck Grassley.

Based on how the Committee dealt with the previous two pieces of antitrust legislation that it recently considered, the bill will almost certainly be altered before the vote, and some Committee members will still raise concerns about it.  For example, the last time the Committee considered a far less controversial piece of antitrust legislation, members raised concerns about the bill’s retroactivity before voting in favor of it.  Relatedly, some technology firms have raised issues with the substance of the bill and have voiced concerns that its consideration is being rushed without more process, such as a full Committee hearing which often takes place for important legislation.  That mix of concerns is likely to make the bill’s path to final passage more difficult.

Last June, the House Judiciary Committee approved companion legislation to the American Innovation and Choice Online Act (H.R. 3816).  The full House of Representatives, however, has yet to consider that bill or related ones partially because of issues raised by the California Congressional delegation about their scope and about the possibility that they may cause more economic harm than good.  The path to passage by the full Senate is similarly unclear.  What is more certain is that the next two weeks are a key window for stakeholders to try and offer any changes to the bill before the Committee approves it.  Any changes after that will be more difficult to make.

When he was running to win the White House, President Joe Biden’s campaign committed to implement a “bold strategy” toward Africa, and one that would be based on a “mutually respectful engagement” and a reinvigorated diplomacy, if elected. Indeed, the campaign was the first-ever to outline how it would promote the interests of the African diaspora in the United States. On his sixteenth day in office, President Biden sent a video message to African leaders attending the 34th African Union Summit that promised American partnership and solidarity on a range of critical issues. The message was a welcome departure from former President Donald Trump’s disparaging characterization of the continent.

Given this promising start, few would have predicted that almost one year later the Biden Administration would have imposed an Omicron-inspired travel ban on eight countries in southern Africa. The ban, which was criticised by regional leaders as “unfair, discriminatory and unnecessary,” coincided with the withdrawal of benefits of the African Growth and Opportunity Act (AGOA) from three other African countries. As surprisingly, some in the African diaspora—especially those from Ethiopia—were vocal in their criticism of the administration’s handling of the Ethiopian conflict, or what they claimed to be the “pain of neglect.” In fact, ending the conflict and the devastating humanitarian crisis in the Tigray region consumed much of the administration’s attention to Africa last year.

Despite these discouraging developments, it would be premature to write-off Biden’s Africa policy.

The November visit by Secretary of State Tony Blinken to Kenya, Nigeria and Senegal advanced an important set of priorities for Biden’s Africa policy: COVID-19 recovery, combatting climate change, support for democracy and greater trade and investment.

Blinken’s announcement of an African leaders’ summit in late 2022 will help to galvanize progress on implementing the Biden Africa agenda.

Investing in Africa’s Public Health Institutions

Central to Blinken’s trip to Dakar was his visit to the well-respected Pasteur Institute, where the U.S. Development Finance Corporation has invested $3.5 million to bolster the production of vaccines on a continent that imports 99 percent of its vaccines. More investments like this are needed.

It is encouraging that the Biden administration is looking to support Africa’s health security in other ways: In October 2021, the National Institutes of Health invested $75 million in seven research hubs in South Africa, Nigeria, Uganda and Cameroon to advance data science and catalyze research and innovation across Africa. This collaboration between the NIH and African research institutions needs to be accelerated as quickly as possible. The African genome is the oldest human genome, and there is more genetic diversity in Africa than on any other continent. Despite this, fewer than three per cent of analyzed genomes come from Africans, making it an inherently rich source of new genetic information for health and diagnostic research and development. Africa has the potential not only to help detect and defend against future pandemics but to provide African solutions for global problems. It is for this reason that South Africa should have been applauded—not punished—for discovering the omicron variant of the coronavirus and promptly alerting the world.

The Trade and Investment Scorecard

Also in Senegal, the Secretary of State signed construction deals worth $1 billion that will include an 111-mile highway linking Dakar to Saint-Louis. Drawing a sharp contrast with China, Blinken noted that the U.S. would not saddle African countries with unmanageable debt. The secretary also said that the infrastructure projects would “build on the values we share as democracies,” namely, transparency, accountability and the rule of law. These themes would be central to the Summit for Democracy that the Biden administration hosted several weeks later in which 17 African nations participated.

A challenge for the Biden administration will be the roll out of other infrastructure investments in Africa in the coming year. The trend line is not positive. U.S. direct investment into the region has declined from a peak of $69 billion in 2014 to $46 billion in 2020. In the decade prior to 2020, bilateral trade between the U.S. and Africa fell from $113 billion to $44 billion.

The implementation of administration’s Build Back Better World initiative, launched by President Biden at the G7 Summit in June, could help to reverse this trend. So can the U.S.-Africa leaders’ summit. The African leaders’ summit in 2014 generated $37 billion in new investment commitments from U.S. companies. The $8.5 billion financing package to help South Africa transition from coal to renewable energy that the U.S. and its European partners agreed to at COP26 could also be a model for more American investment in the region while mitigating climate change. The promise of a Digital Africa initiative in support of connectivity, up-skilling and expanded e-commerce could further enhance the U.S. commercial position on the continent.

Nevertheless, robust commercial diplomacy will be essential to reversing the erosion of the U.S. commercial position in Africa. The last commerce secretary to visit the continent was Wilbur Ross, who spent just one day in Africa, in Ghana, during the course of his four years in office. Hopefully, Secretary Gina Raimondo and a revitalized Presidential Advisory Committee for Doing Business in Africa (PAC-DBIA) will spark renewed investor interest in the region.

Vice President Kamala Harris, who met with Ghana’s president, Nana Akufo-Addo, and Zambia’s president, Hakainde Hichilema, at the White House in September, can also be helpful. Her ongoing involvement in African issues would give a welcome boost to the continent on the Biden foreign policy agenda.

Important trade and investment issues remain to be addressed. Negotiations on the U.S.-Kenya free trade agreement, started under the Trump administration, should be resumed given the significance of Kenya to the United States as a commercial and strategic partner. This issue went unaddressed when presidents Biden and Kenyatta met in the Oval Office in October, and during Blinken’s November visit to Kenya.

The recent hearings in the Senate and the House (where I was a witness) on the future of the African Growth and Opportunity Act (AGOA) suggests that Congress is giving attention to the U.S. position in the African market well before the legislation is set to expire in 2025. This attention is welcome given that AGOA remains the cornerstone of the U.S.-Africa commercial relationship. Nevertheless, key elements of AGOA need to be modernized. In December, Senator Chris Van Hollen and Congresswoman Karen Bass urged President Biden to reconsider the Administration’s decision to terminate Ethiopia’s AGOA’s benefits, noting the decision “will hurt the nation’s most vulnerable and reverse hard-won economic gains without reducing hostilities in the ongoing civil war.”

Preparing for 2022

Late last year, the experienced former intelligence official, Judd Devermont, joined the Biden administration to help craft a new Africa strategy. Several key issues, such as U.S. support for the implementation of the African Continental Free Trade Agreement and follow-up to COP26 in Glasgow, presumably will be central to the new strategy.

At the same time, President Biden would send a positive signal if he were to start 2022 as he did 2021: with a targeted video-taped message for African leaders. This time, however, the administration would need to follow up quickly with convincing actions that Africa is indeed a priority for the United States. Announcing visits by Vice President Harris and Commerce Secretary Raimondo early in the New Year would be a good place to start.


For any questions, please contact Witney Schneidman or Mosa Mkhize.

This article originally appeared on Brookings and can also be found on CovAfrica, the firm’s blog on legal, regulatory, political and economic developments in Africa.

Senate Majority Leader Chuck Schumer (D-NY) is trying to modify the Senate’s Rules so that voting rights legislation can pass with just support from 50 Democratic Senators. It is clear that all of the Senate’s 50 Republicans take issue with the need for any Rules reform at all. And though formal changes to the Senate’s Rules require 2/3 of the Senate in support, the parties have in recent years forced reinterpretations of existing Senate Rules by a bare majority.  President Biden is also now urging the Senate to act on a Rules reform package. But what will be in that package? A major change that allows a bare majority of Senators to pass the voting rights bill, with little or no Republican support? Or a more minor set of changes that allows for debate and that perhaps makes some special exception for voting rights bills?

Regardless, what is being overlooked is that modest changes to the filibuster would still leave in place its two main features — (1) a 3/5 supermajority threshold vote to invoke cloture (end debate); and (2) the ability of even just one Senator to block legislation or a nomination where there are not the votes to invoke cloture.  This leaves room to appeal to Senators like Joe Manchin (D-WV) and Kyrsten Sinema (D-AZ) who have expressed opposition to outright repeal of the Filibuster for legislation.  While advocates of major change to the Filibuster Rule (Senate Rule XXII) may be at least two votes shy, there are more tailored options that can be offered:

  1. No Filibusters on Motions to Proceed. When a motion to proceed (which triggers the start of debate on a bill) gets filibustered, the Senate never even debates the bill’s merits. So a filibuster of the motion to proceed has the perverse effect of preventing debate from ever occurring, which is the stated objective of allowing a minority to filibuster. This has left the world’s most deliberative body often in recent years unable to even begin to deliberate the pressing issues of the day. Making motions to proceed ‘non-debatable’ would solve that problem.
  1. Talking Filibuster.  A “talking filibuster” or actual, live in-person filibuster requirement would hue to the traditional concept in most people’s heads about what a filibuster is. Senators would have to exhaust themselves in-person, conjuring up stories about senators putting salt in their pockets, reading from ‘Green Eggs & Ham’, late nights and staff or Senators sleeping in cots off of the Senate Floor, trading off in shifts. But just how logistically this new requirement would work is unclear. One eminent expert of the Senate’s Floor management once told me that the Senate can’t turn the lights on, or off, without Unanimous Consent. So how will the talking filibuster be enforced without impacting other business of the Senate? Still, Senator Manchin has indicated he could support something like this, and maybe the quest for 50 supporters will outweigh questions about feasibility.
  1. Requiring Those Filibustering to Actually Vote No. One irritant during filibusters is that those seeking to move forward and break a filibuster must vote to do so (at least 60 of them), yet the minimum 41 opponents need not show up to vote. In other words, the onus is on the supermajority. It is possible to revise Senate Rule XXII to structure an end to debate, where 41 or more Senators would have to vote no in order to keep the debate going (against cloture). This could have some effect around the edges, making surprise late night votes more potent and keeping filibustering Senators ‘in the building’ so to speak.
  1. Carveout for Voting Rights Legislation. Some Democrats are calling for putting an end to the filibuster for voting rights legislation only, arguing that those rights are different as the foundation of our democracy. Each political party has carved out aspects of nominations in recent years from the reach of the filibuster. So in that sense, there is precedent for a surgical strike. But again, feasibility and workability could be a challenge. For instance, could the next Senate reduce voting rights within the confines of the carveout? How does one define enhancing or reducing voting rights? And how much of a bill must be about voting rights in order for it to be excepted? 51%? What’s in the rest of the bill? Also, Senate Republicans may believe that a range of other issues have equal or greater heft than voting rights too. So as a result we could see a 50 vote arms race on the Senate Floor as control of the Senate flips back and forth.

In the end, perhaps discussions among the White House and Senate Democrats will result in an attempt to fundamentally restructure Senate Rule XXII and put an end to the filibuster in its entirety — or maybe they will reduce the threshold for defeating a filibuster from 60 votes down to 55 or some other number. There is no question that the U.S. House of Representatives operates efficiently on majority rule, debates virtually any important issue that the majority chooses to debate, puts an end to debate, votes and passes legislation.

The Senate would retain features that distinguish it from the House, even if it opts to relinquish this one important distinction. Some more modest options would not by themselves result in Senate passage of voting rights legislation. But in the barest of bare 50 Democratic Senate vote majority, no reform measure can survive any dissension in Democratic ranks. For Leader Schumer, we return to the initial question, what options have the votes of 50 Senators, and which if any of those options will he choose? At some point in the coming days or weeks, the Senate appears likely to end debate on that question and take a very consequential vote.

On 25 November 2021, the Commission adopted its revised Communication on the Criteria for the analysis of the compatibility with the internal market of State aid to promote the execution of important projects of common European interest (“IPCEI”). This is particularly relevant for companies who have breakthrough innovative projects and need to seek public support for their projects. For example, under the current Communication, the Commission approved public support to two major research and innovation projects of European interest along the battery value chain for electric vehicles (“summer” and “autumn” projects) and a project in microelectronics. Various other projects are being assessed, for instance on Next Generation Cloud Infrastructure and Services and on green hydrogen.

The revised communication sets out the criteria following which the Commission will approve IPCEI with the State aid rules as of 1 January 2022.

The revision aims to take into account recent EU policies and strategies such as the European Green Deal, the Digital Strategy, the New Industrial Strategy for Europe, the European Strategy for Data and Next Generation EU and to allow larger participation of SMEs and start-ups.

In substance, for a project to be eligible to IPCEI aid, it must:

  • represent an important contribution to the Union’s objectives or strategies and have a significant impact on sustainable growth;
  • overcome important market or systemic failures not otherwise adequately addressed or remedied;
  • involve at least 4 EU Member States and benefit to a wider part of the Union;
  • present positive spillover effects beyond the undertakings or sector aided;
  • involve important co-financing by the beneficiary;
  • comply with the new principle of ‘do no significant harm’ to the environment according to the EU taxonomy.

To be considered as important, the project must fulfil the following criteria:

  • R&D&I projects must be of a major innovative nature;
  • projects comprising of first industrial deployment must allow for the development of a new product or service with high research and innovation content or the deployment of a fundamentally innovative production process. First industrial deployment means the upscaling of pilot facilities, demonstration plants or of the first-in-kind equipment and facilities, covering the steps after the pilot line, following R&D&I activities, but not mass production or commercial activities;
  • infrastructure projects in the environmental, energy, transport, and with the 2021 revision, health and digital sectors, must be of great importance for the environment, climate, energy (including energy security), transport, health, industrial or digital strategies of the Union or contribute significantly to the internal market.

Concretely, the Commission would approve the public funding if it is necessary and proportionate, and if, on the basis of a balancing test, the expected positive effects of the aid in contributing to the objective of common European interest, outweigh its possible negative effect on competition.

The aid is deemed to be necessary if it does not compensate for normal business risk, meaning that without the aid, the realization of the project would be impossible or only possible in a manner restricting the benefits expected from the aided project. This is examined through a counterfactual scenario of absence of aid for instance where there is not any alternative project possible or where there is an alternative project outside the EU. The revised communication stresses that the counterfactual scenario must be credible to be taken into account. The aid is proportionate if it does not exceed the existing funding gap. To avoid any overcompensation where a project turns out to be more profitable than expected, the revised communication allows the Commission to request from the granting authorities to implement a claw-back mechanism. Finally, to prevent the negative undue distortions of competition, the Commission will verify that there is not any less distortive policy instruments or other less distortive types of aid instruments to achieve the same result.

The revised communication makes it easier for Member States to support large, pan-European projects that support environmental objectives. It also makes some openings to projects pursuing industrial policy objectives, for instance to address a strategic dependency, provided that the project relates to a first industrial deployment, following an R&D&I activity and containing itself, that is even after the pilot phase, an important R&D&I component. R&D&I content of an IPCEI project is not defined, but referring to the decisional practice and communication of the Commission in the area of State aid for R&D&I, such content relates to any or a combination of fundamental research, industrial development and experimental development.

PM Boris Johnson is under political pressure over a number of issues, including the UK’s response to Covid and the potential for the NHS to become overwhelmed; the looming cost of living crisis (a combination of tax rises, inflation and rising energy costs); and disquiet over allegations of sleaze and corruption that have recently bedeviled his Government.  The loss of two recent by-elections and a succession of poor opinion polls mean rumblings of discontent have begun to sound like a potential Conservative Party leadership challenge – though no one wants to be seen to be scheming to seize the reins of power in the midst of a pandemic, especially not with local elections looming in May.

There appears to be an ideological split over what the future of the UK outside the EU should look like. Many ‘traditional’ Conservatives viewed Brexit as offering the UK an opportunity to redefine itself as a small State, light tax, light regulation jurisdiction which would unleash the entrepreneurialism they argued had been held back by over-regulation from Brussels.  On the other hand, the 2019 intake of Conservative MPs from traditional Northern Labour seats (the so-called ‘Red Wall Tories’) were elected not just on the promise of ‘Get Brexit Done’, but the ‘Build back better’ mantra with ‘levelling up’ at its core. With investment in schools, hospitals, policing, roads and other infrastructure, ‘levelling up’ will require a larger, not smaller State.  But both sides of the Party want the UK to start demonstrating the benefits of Brexit.

The Government shares that aim and has already made clear it is focused on delivering the benefits that Brexit promised to offer.  In a speech to the House of Lords in September 2021, Lord Frost, when he was Minister of State, set out the Government’s objective of undertaking a thorough-going review of Retained EU law with the objective of repealing or amending it.

In reviewing that legislation, the UK will seek legislative divergence from the EU in those sectors where it feels it already has (or could quickly build) a competitive advantage.

This blog looks at some of these areas.


Last week saw the introduction of the new agricultural subsidy regime, which aims to change the way in which agricultural subsidies are distributed.  Many Conservatives felt that the EU Common Agricultural Policy scheme awarded subsidies to farmers based solely on the size of their farms: the larger a farm, the larger the subsidy, which risked driving smaller farmers out of business.

The new system is intended to reward farmers, instead, for their environmental stewardship of the land – funding is available to farmers who restore wildlife habitat, including making significant land-use changes such as creating nature reserves, woodlands or wetlands or restoring flood plains.  Farmers will also be eligible for subsidies to encourage landowners to cut fertiliser use, or restore peatland.

These changes already represent a major change in the way that UK farmers can/will use their land, but there is potential for the UK to go further.  The UK Government’s September 2021 response to the gene editing consultation demonstrated its willingness to go beyond the EU in this area.  The official response set out how the UK plans to change its regulation of genetic technologies to take into account new technologies and scientific discoveries; facilitate research and development; and enable gene editing to breed crops that are more nutritious and productive and more resistant to pests and disease – hence reducing pesticide use.

Although researchers will still need to register their study plans with the UK Government,  department, those who want to conduct field trials of gene-edited plants will no longer need to submit risk assessments.  Accelerated approval pathways for gene edited crops would encourage greater international investment in the sector and create a potentially significant market advantage for the UK, building a new base for biotech and agri-science, with the opportunity in the future for greater flexibility on research into genetic modification. 

Foreign Investment

On 4 January, the National Security & Investment Act came into force.  Taken alongside changes to the Takeover Code, this is a major shake-up of the UK investment regime with implications for M&A and other transactions – not least, the introduction of mandatory filing requirements for transactions occurring in 17 core sectors.  The UK Government now has broader powers of oversight of transactions that have the potential to threaten national security in the UK – see our blogs for more detail. The Act seeks to balance encouraging FDI against a desire to prevent more UK companies in certain sensitive sectors falling into ‘foreign’ control and ownership.

State Aid & Subsidy Control

The UK government has brought in a Subsidy Control Bill to replace the existing EU-wide state aid rule (the ability to allocate subsidies was a major point of contention in the UK-EU post-Brexit trade negotiations). The Bill is still making its way through the Parliamentary process and is likely to enter into force later this year.

The Bill is one of the most significant post-Brexit legislative changes yet made.  The Bill establishes the Competition and Markets Authority (CMA) as the UK’s subsidy regulator and moves the subsidy authorisation from pre-grant permission to a self-assessment of the subsidy against a list of nine principles (including whether the subsidy makes a positive contribution to specific public policy objectives; remedies identified market failures; delivers good value for money; and helps hit decarbonising targets).  Devolved Administrations and Local Authorities are given the ability to allocate subsidies to companies to support the Government’s ‘levelling up’ agenda and create more equal economic growth across the whole of the UK, whilst avoiding ‘bidding wars’ that could cause an inefficient relocation of businesses and jobs from one part of the UK to another.

Immigration and Asylum

The UK has introduced a new Nationality and Borders Bill (currently making its way through Parliament).  This Bill includes new provisions on immigration, asylum and nationality as well as sanctions against people smugglers.  The Bill is partly intended to demonstrate that the Government is making good on the Leave Campaign’s ‘Take Back Control’ slogan, which was focused, at least in part, on the control of borders.

Chemical Safety

Another major area of policy change is the UK’s new chemical safety regime. In a Policy Paper released last month, the UK set out how its regulation of hazardous chemicals would diverge from the EU’s REACH chemical safety regime.  Key areas of difference include a two-year transition period for UK companies to register chemicals on the UK equivalent list; shortening the list from that in use in the EU; reducing the amount of chemical data required; and relying partly on evidence voluntarily provided by industry to assess chemicals.


The UK’s has stated its ambition to become a global trading nation, targeting trade deals with a range of with new jurisdictions from the USA to Singapore, many of which will seek to include free cross-border data transfer. This global strategy does not sit easily with the EU adequacy decision, which assumes EU nationals’ data will continue to receive adequate protection even if the data are transferred to a third country. The UK will eventually need to decide on the relative importance it places on its EU data transfer capability.

Currently, the UK’s ability to diverge from EU data laws is constrained by the need to preserve its European data adequacy certification, the loss of which would have significant cost consequences for UK companies operating in the EU. However,  Lord Frost’s September House of Lords speech noted GDPR reform; and the appointment of the New Zealander John Edwards to lead the UK’s Data Protection Authority are indicators of the direction of travel:  maximum possible divergence – stretching EU adequacy to its limits.  The UK Government will have noticed that the EU’s decision is limited to four years and may calculate that the importance of the EU decision will decline as the UK begins to trade in increasing volumes with other markets and the UK and EU drift inevitably apart.  In time, the UK Government may come to assess that the political compromises necessary to maintain the EU adequacy are too great, leading to the decision that its loss is simply an unavoidable consequence of increased trade with other, digitally-enhanced global economies.

Financial Services Sector

The Treasury is known to be keen on reform to the Solvency II Regulations to ease capital requirements, since it would give insurers greater flexibility to invest in UK infrastructure and business. Although progress on this reform has slow, commentators expect some movement this year.

The Kalifa review on Fintech is also expected to report later this year, with anticipated proposals for reform to create conditions for the widespread adoption of financial technology, and incentivise innovation in the sector to promote the integration of new technologies across financial services.

The Treasury and FCA accepted Lord Hill’s Report into Listings Reform and will be bringing in changes to implement his recommendations later this year.

Medicines and Medical Devices

In 2022, the Government is likely to use the provisions of the 2021 Medicines and Medical Devices Act to make changes to the UK’s clinical trial frameworks with the intention of boosting the UK’s R&D sector and accelerating the route to market for new treatments and medicines. It is likely that the UK Government will try and promote growth in the use of data, artificial intelligence and machine-learning in the health sector.  In this context, it is worth noting that one of the major reasons for the UK-Japan Trade Agreement was UK access to Japanese robotics and Japanese access to UK AI expertise.

The above are but a few areas where Brexit divergence will make significant changes to the UK’s legislative system.  It is certain there will be more and the process of divergence is likely to accelerate through 2022 and beyond.

Covington will continue to monitor those changes and to write regularly on those which seem of greatest importance.

The UK’s new National Security and Investment Act (NSIA) entered into force on January 4, 2022. The NSIA marks a considerable change in the UK’s investment screening powers and adds to an increasingly complex European and global landscape of investment regulation (or FDI) filings necessary for the execution of M&A and other transactions.

The Act is accompanied by new machinery of Government – the Investment Security Unit (ISU), which also became fully operational on January 4.  Sitting within the Department of Business, Energy and Industrial Strategy (BEIS), the ISU is the single point of contact for businesses wishing to understand the Act and/or to notify the government about acquisitions. It will receive NSIA filings and function as the central organising hub for the investment screening process.  The ISU reports directly to the Business Secretary, who is now empowered by the Act as the final decision-maker in respect of investment screening and intervention.

Covington and the Act

Given the importance of the NSIA and the penalties for non-compliance, Covington has been working closely with the ISU for the last 15 months to help shape how the Act will function in practice.  This relationship means that Covington is well-placed to assist clients understand and comply with the UK’s new investment regime.

Throughout the passage of the legislation we have maintained a watching brief on the legal and political aspects of this important update to the powers of the UK Government to scrutinise corporate and other transactions. Most recently, we considered the implications of the NSIA for the life sciences, technology and energy sectors.

This alert highlights some of the key elements of the UK’s new national security and investment regime and includes some useful web-links.

Mandatory and Voluntary Filing

The Act introduces – for the first time in the UK – mandatory filing obligations and pre-clearance requirements for transactions occurring in ‘core’ sectors that the UK Government views as most sensitive to national security. These obligations apply to all investors, including those from the UK.

There are currently 17 ‘core’ sectors (which may be amended over time):

  • Advanced Materials
  • Advanced Robotics
  • Artificial Intelligence
  • Civil Nuclear
  • Communications
  • Computing Hardware
  • Critical Suppliers to government
  • Cryptographic Authentication
  • Data Infrastructure
  • Defence
  • Energy
  • Military and Dual-Use
  • Quantum Technologies
  • Satellite and Space Technologies
  • Suppliers to the Emergency Services
  • Synthetic Biology
  • Transport

Mandatory filing obligations will be triggered on acquisitions in these core sectors if, as a result of the transaction:

(i) an interest of 25% or greater is being acquired;

(ii) an investor’s interest in shares or voting rights exceeds either a 25%, 50% or 75% threshold ; and/or

(iii) an investor gains the ability to secure or block any resolution of a target company active in a core sector.

There is no monetary threshold for the filing obligation, so if the equity threshold is met, a compulsory filing will be required, even for low-value transactions such as early-stage VC and development investments.

Investors can elect to notify transactions voluntarily, if concerned about potential national security implications of a transaction. Voluntary filing is also possible for all transactions not at an entity level, e.g., business/asset transfers and licensing arrangements. The primary benefit to investors of filing voluntarily is to obtain certainty that a transaction will not be subject, at a later date, to the exercise of NSIA call-in powers (see below).

The Act sets out detailed timescales within which the Government must respond to a filing – whether submitted on a voluntarily or mandatory basis. Review periods can extend up to around 5 months (or longer in exceptional cases) but a significant majority of cases – 80-90% according to UK Government estimates – are expected to be cleared within an initial 30 working day review period. These timelines are designed to create certainty for investors, whilst the scope of the notification requirements is designed to enable quick identification of those transactions which present a national security risk. The 80-90% figure reflects the fact that filing requirements are fixed more broadly than the area of actual national security concern and represent an initial filter through which those transactions presenting greatest national security interest/risk can be identified.

Overseas Transactions

Although the UK Government has made it clear that UK companies and UK based assets are its priority, the Act will also apply to any cross-border transaction (e.g. through the acquisition of a US parent company or group) that involves indirect acquisition of a UK subsidiary entity.

In addition,  other transactions that occur substantially outside the country but have a connections to the UK can be covered by the Act. In many instances, only call-in powers in the Act will be relevant (see below) but occasionally mandatory filing obligations may also apply. Depending on the circumstances, the provisions of the Act may extend to:

  • entities that carry on activities in the UK (for example from an R&D facility or those doing business from a regional office in the UK);
  • producers and distributors which supply goods or services to people in the UK;
  • assets used in connection with activities carried on in the UK (for example machinery physically located overseas that produces equipment used in the UK) or those in connection with the supply of goods or services to people in the UK.

Powers to Intervene in Transactions

If the UK Government has a reasonable concern that a national security risk might arise, the Act bestows broad call-in powers.  These powers are available in respect of any transaction (not just those in the core sectors) in which “material influence” is acquired. As a rule of thumb (notably borrowed from the application of merger control rules), material influence is not usually expected to arise in acquisitions of less than a 15% interest in shares or voting rights. However, it is a flexible and potentially evolving concept to be assessed based on specific circumstances – for example, other rights acquired by an investor, such as board seats, influence over important strategic decisions, or wider commercial relationships among those involved in the transaction may form part of an overall picture of influence.

The UK Government may exercise this call-in power for up to five years post-closing (by which time national security considerations may have evolved) – although this period is reduced to six months if the UK Government becomes aware of the acquisition (for example, from press reporting or informal (email) notification). The Act enables the UK Government to call in transactions which completed after 12 November 2020.

Finally, the Act gives the UK Government the power to impose conditions on an acquisition falling under the jurisdiction of the NSIA, including the power to unwind completed acquisitions or block anticipated deals. While these powers are expected to be exercised rarely and most remedies will be behavioural, the more immediate concern for M&A transactions is that any acquisition requiring mandatory notification and completed without approval will be regarded as void.

Understanding the NSIA Regime

We have set out below some of the most useful links to the UK government’s published guidance as well as to the online notification portal:

  • The UK Government has developed guidance in consultation with an expert panel (of which Covington is a member). This guidance outlines:
    • The types of acquisition covered by the new rules and how the UK Government will scrutinise notified acquisitions;
    • The activities that are in scope of mandatory notification in the 17 core sectors;
    • How the Act could affect people or acquisitions outside the UK;
    • How to complete and submit a notification form;
    • How the Act works alongside regulatory requirements; and
    • Guidance for the higher-education and research sectors.
  • A link to the collection of guidance is here.
  • The UK Government’s November 2021 Statement to Parliament (referred to as the Section 3 Statement) is intended to describe circumstances in which an acquisition is likely to be called-in for detailed national security review. It explains how the UK Secretary of State expects to exercise this power and sets out the factors the UK Government will consider when assessing an acquisition – ‘target risk,’ ‘acquirer risk,’ and ‘control risk’.

While many transactions will be able to proceed without the need to submit an NSIA filing, investors (including those in and from the UK) should diligence their filing obligations pursuant to the Act early in the transaction process, alongside any assessment of required antitrust and other regulatory filings.

We look forward to working with you as the investment community becomes accustomed to the UK’s new NSIA.

On January 4, 2022, the Federal Trade Commission published a warning to companies and their vendors to take reasonable steps to remediate the Log4j vulnerability (CVE-2021-44228).  The FTC provided a list of recommended remedial actions for companies using the Log4j software.  The FTC’s warning references obligations under the FTC Act and Gramm Leach Bliley Act (“GLBA”) to take reasonable action to remediate vulnerabilities, and hints at potential inquiries and enforcement actions against companies and vendors that fail to do so.  As the FTC notes in its warning, the “FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.”

The Log4j Vulnerability.  According to the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”), Log4j is widely-used software that has been integrated into many consumer-facing and enterprise services, websites, and applications to log security and performance information.  The Log4j vulnerability became broadly publicly known in early December 2021 and is described by CISA as a “critical remote code execution” vulnerability that could allow an “unauthenticated remote actor . . . to take control of an affected system.”  CISA has since observed “active, widespread exploitation” of this vulnerability.

Duty to Take Reasonable Steps to Mitigate Vulnerabilities.  Because of the risk of loss arising from software vulnerabilities, such as “a loss or breach of personal information, financial loss, and other irreversible harms,” the FTC warned that companies and their vendors have a “duty to take reasonable steps to mitigate known software vulnerabilities” such as Log4j.  The FTC’s recent warning states that this duty to mitigate implicates “the Federal Trade Commission Act and the Gramm Leach Bliley Act,” among other federal laws.  Accordingly, the FTC noted that it “is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”

Enforcement Precedent.  The FTC’s warning cites its prior enforcement actions against companies for failing to patch known vulnerabilities that expose the personal information of consumers.  In its warning, the FTC states that it “intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.”

Recommended Remediation.  The FTC directs companies and their vendors to check whether they use the Log4j software library by consulting CISA guidance.  For companies that use Log4j, the FTC recommends that the companies take immediate steps to remediate the vulnerability, including:

Updating the “Log4j software package to the most current version.”

Consulting CISA’s guidance to mitigate the Log4j vulnerability.

Ensuring that “remedial steps are taken to ensure that your company’s practices do not violate the law.”  The FTC explicitly warns that failure “to identify and patch instances of this software may violate the FTC Act.”

Distributing “this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable.”

Potential Enforcement Actions.  The FTC’s Log4j warning suggests that the FTC may begin inquiring into companies’ remediation of this vulnerability and that the FTC is preparing to bring enforcement actions against companies that fail to remediate the known vulnerability under the FTC Act, the GLBA, and other federal laws.

Looking Forward.  The FTC’s warning follows shortly after CISA warned in late December 2021 that “[m]alicious cyber actors are actively scanning networks to potentially exploit” the Log4j vulnerability.  The FTC’s focus on the remediation of known software vulnerabilities is consistent with the U.S. government’s ongoing focus on strengthening cybersecurity and its warnings about cyber threats over the holidays.  Companies and their vendors should review (and, if appropriate, implement) recommendations from the FTC and CISA on remediating the Log4j vulnerability to mitigate the risk of potential FTC inquiries and enforcement actions in this area.