Implications of the 2018 Midterm Elections for U.S. National Defense Policy and Spending

The aerospace and defense industry, including those in the defense trade press, have since late evening of November 6, 2018 been wrestling with the implications of the midterm elections for U.S. defense policy and spending over the next two years.  Quite frankly, it is too early to say with certainty. As Leo Rosten, the famous political scientist and humorist, once said, “Some things are so unexpected that no one is prepared for them.” That statement seems an appropriate caution given the current tumult of U.S. domestic politics.

That caution given, we can offer a couple, dare we say, steadfast observations about what is likely to be “normal” even given change to control of the House:

  • The President retains significant power to determine national security policy, and often enjoys first-mover advantage in this area; continuity, rather than change, will likely be the broad theme.
  • Congress has passed an annual National Defense Authorization Act for 58 consecutive years, and we expect them to do so again. This remains a must-pass piece of legislation, including policy issues in the jurisdiction of other committees (for example, the Foreign Investment Risk Review Modernization Act that governs the Committee on Foreign Investment in the United States was included in last year’s defense bill).

But with the change in control of the House, we do expect a more contentious and potentially drawn out debate regarding key defense policy priorities of the Trump administration and congressional Republicans.  Continue Reading

Drug Pricing In The New Congress

  • Drug pricing presents intriguing political dynamics. Whether and what policy prescriptions actually come to fruition in the next two years remain to be seen, but the rhetoric around the imperative to lower drug pricing — and the political pressure to act — will be more intense than we have seen to date.
  • President Trump and House Democrats might vie for ownership of this populist issue that continues to resonate.  Ironically, there is substantively less distance between the Administration and Democrats in this space than perhaps any other.  The big question will be whether there is the political will to capitalize on this philosophical common ground and work together to legislate — as the President has already expressed interest in doing — or will the two sides instead engage in a rhetorical “can you top this” contest, teeing up drug pricing as a 2020 national election issue?
  • The President staked an early claim on drug pricing and has kept the drumbeat going — via tweets, issuance of the Blueprint and subsequent targeted rulemaking, including use of foreign reference pricing to force negotiations in Medicare Part B.  A Martian landing on Earth could reasonably conclude that this kind of proposal surely came from a progressive Democratic Administration!
  • So, what might actually happen in this world turned upside down in which a Republican Administration and a Democratic controlled House express support for similar drug pricing policy solutions?
  • Some “bridge too far” Democratic priorities will get air time but will not have the support needed to get done.  In this bucket is repeal of the non-interference clause to allow direct negotiations in Medicare Part D  — and authorization of compulsory licensing of intellectual property where negotiations do not bear fruit.  HHS Secretary Azar opposes these proposals, which also would not get through the Republican controlled Senate.
  • The “realm of the possible” bucket for bipartisan support includes:  the pending drug payment pilot and related negotiating mechanisms in Medicare Part B; revisiting of Part D “doughnut hole” responsibilities and related issues around the catastrophic coverage “cliff” for beneficiaries; rebate reform and additional pricing transparency for manufacturers and PBMs; passage of the CREATES Act and others means to speed development of generic drugs; DTC advertising disclosure requirements, promotion of value-based contracts, and possibly even some form of a price gouging enforcement.  Congress could also respond to the forthcoming Part D rule depending on its content.
  • Be on the lookout too for a long time Democratic favorite — drug importation, which was not in the President’s Blueprint and is not supported by Secretary Azar but remains a popular issue and is politically difficult to oppose on its face, including for many Republicans.
  • A Democratic House as well as the GOP Senate will see the ascendance of new leaders in committees of jurisdiction.
    • Frank Pallone will be chair of the full Energy and Commerce Committee — he represents a bio-pharma industry heavy district but has also been a drug pricing critic from time to time.
    • Democrats are expected to choose among up to three candidates for Chair of the Health Subcommittee — Anna Eshoo, who led the way on protection of intellectual property rights for innovative biologics and Diana DeGette, who co-led the landmark 21st Century Cures Act — or Jan Schakowsky, who has been a forceful critic of industry and drug pricing.  This decision could significantly impact the agenda next year on drug pricing.
    • Similar decisions and philosophical contrasts await in the House Ways and Means Health Committee, where potential chairmen include Lloyd Doggett, the leading proponent of compulsory licensing, and Mike Thompson, who has a more moderate approach on pharmaceutical issues.
    • There is also a significant Oversight and Investigations component of the drug pricing debate, which impacts the legislative agenda as well.
    • In the Senate, Finance Committee Chairman Orrin Hatch, the bio-pharma industry’s staunchest defender, has retired.  He is likely to be replaced by Charles Grassley — transparency champion, seasoned investigator and sponsor of the CREATES Act.  Expect more oversight and legislative challenges for industry under his watch.
  • Bottom line — stakeholders in the drug pricing sphere should buckle up for a wild ride.  We don’t know yet how the politics here will play out. What we do know is that this topic will be a hot one — if not the hottest — and industry innovators will be on the hot-seat more than ever before.


Canadian Privacy Commissioner Releases Official Guidance as Data Breach Law Takes Effect

Canada’s new data breach law, The Personal Information Protection and Electronic Documents Act (“PIPEDA”), took effect on November 1. Official guidance released by the country’s Privacy Commissioner explains a few of the law’s key provisions that will affect organizations, specifically, breach reporting and notification obligations, their triggers, and record retention.

Reporting & Notification Obligations

Under the new law, an organization must report and notify individuals of a data breach involving personal information under its control if it reasonably determines the breach creates a “real risk of significant harm” to an individual, regardless of the number of individuals affected. (The guidance states a covered breach that affects only one individual would nonetheless require reporting and notification.) Importantly, the organization that controls the data is required to report and notify individuals of the breach—the guidance clarifies that even when an organization has transferred data to a third-party processor, the organization remains ultimately responsible for reporting and notification. The guidance encourages organizations to mitigate their risk in the event their third-party processor faces a breach by entering sufficient contractual arrangements.

Notification to individuals must be given “as soon as feasible” after the organization has determined a covered breach has occurred. The guidance states the notification must be conspicuous, understandable, and given directly to the individual in most circumstances. It must include enough information to communicate the significance of the breach and allow the those affected to take any steps possible to reduce their risk of harm. The regulations further specify the information a notification must include. In certain circumstances, organizations are also required to notify governmental institutions or organizations of a covered breach; for example, an organization may be required to notify law enforcement if it believes it may be able to reduce the risk of harm.

“Real Risk of Significant Harm”

The ultimate question for organizations to answer, to determine whether their reporting and notification obligations are triggered, is whether the breach creates a “real risk of significant harm.” The guidance defines “significant harm” as bodily harm, humiliation, reputation or relationship damage, loss of employment, business, or professional opportunities, financial loss, identity theft, negative effects on a credit record, and damage to or loss of property. Whether a breach of personal information creates a “real risk” of significant harm is determined by the sensitivity of the information and the probability it has been, is, or will be misused. The guidance further explains an organization should determine the “sensitivity” of information by looking to what personal information has been breached and the circumstances of the breach, but some information may be “clearly sensitive.” The guidance also lays out a number of questions an organization should consider to determine the probability of misuse, including whether a number of pieces of personal information were breached, how long the information was exposed, and whether there is evidence of malicious intent.


Finally, the guidance explains the law requires an organization to keep and maintain records of every breach of personal information for two years, regardless whether the breach created a real risk of significant harm. These records must contain sufficient information to enable the Office of the Privacy Commissioner to verify the organization’s compliance with the law. At a minimum, this includes the date or estimated date of the breach, a general description of its circumstances, the nature of the information involved, whether the breach was reported and individuals were notified, and how the organization determined there was not a real risk of significant harm for breaches it did not report.

“Hey Big Spender . . .”: GAO Reiterates That Agencies Must Meaningfully Consider Price In Best Value Tradeoffs

In three related bid protest decisions made public last week, the Government Accountability Office (“GAO”) reaffirmed the principle that agencies must meaningfully consider price when making best value tradeoff decisions.  GAO sustained the protests, stressing that merely paying lip service to price while selecting a more expensive, higher-rated offeror is not sufficient — agencies must provide a rational explanation for why they have decided to pay a premium for the awardee’s technical superiority.

In Solers, Inc., B-414672.3 et al.; Technatomy Corporation, B-414672.5; and OGSystems, LLC, B-414672.6 et al., three disappointed offerors challenged the Defense Information Systems Agency’s (“DISA”) award of Multiple Award Task Order contracts to 14 contractors as part of the Systems Engineering, Technology, and Innovation program.

The solicitation provided that DISA would make award on a best-value tradeoff basis considering price and four technical factors that, when combined, were significantly more important than price.  The agency made award to the 14 highest rated proposals in the non-price factors, opining — without elaboration — that “the technical merit of those proposals justifies paying a price premium over lower-rated, lower-priced proposals.”  Indeed, throughout the evaluation process, the agency repeatedly noted — again without elaboration — that the awardees’ proposals were worth a premium.

The three protestors raised a host of different claims, but each one challenged the best value determination, arguing that DISA failed to meaningfully consider price.  GAO agreed, holding that the agency had performed a mechanical tradeoff that relied exclusively on adjectival ratings and excluded technically acceptable proposals without any meaningful consideration of their price.  GAO was unimpressed by the agency’s “one-sentence conclusion” — repeated “nearly verbatim” throughout the evaluation record — that, “due to strengths on the non-price factors, the 14 awardees merited selection over lower-rated, lower-priced proposals[.]”  It found “such consideration of price to be nominal” and opined that “anything less would be to ignore price completely.”

GAO also noted that the source selection authority (“SSA”) missed the point when it concluded that there was a “clear break” between the offerors who received award and the disappointed offerors who purportedly “d[id] not have sufficient technical merit to justify making additional awards.”  In GAO’s view, the SSA failed to consider the relevant question, which was “whether the higher-rated proposals were worth the associated price premium.”  GAO explained that “there is no indication that price played a role in determining the ‘clear break’ in the proposals.”

These decisions serve as an important reminder that disappointed offerors who lose best value tradeoff procurements to a higher-priced, higher-rated offeror should try to assess during the debriefing process whether the agency can articulate a rational justification for paying a premium to the awardee.  If the agency is unable to do so, the disappointed offeror should consider filing a bid protest.

Litigation Options For Post-Cyberattack ‘Active Defense’

In March 2017, Rep. Tom Graves, R-Ga., introduced a draft bill titled the Active Cyber Defense Certainty Act. The bill would amend the Computer Fraud and Abuse Act to enable victims of cyberattacks to employ “limited defensive measures that exceed the boundaries of one’s network in order to monitor, identify and stop attackers.”[1] More specifically, the ACDC would empower individuals and companies to leave their own network to ascertain the perpetrator (i.e., establish attribution), disrupt cyberattacks without damaging others’ computers, retrieve and destroy stolen files, monitor the behavior of an attacker, and utilize beaconing technology.[2] An updated, bipartisan version of the bill was introduced by Rep. Graves and Rep. Kyrsten Sinema, D-Ariz., in October 2017.[3]

There has been significant debate on whether the types of “self-help” measures that the ACDC expressly authorizes — sometimes referred to as “active defense” — are currently prohibited by the CFAA. While no court has yet ruled on the issue, several commentators (and the U.S. Department of Justice) have long argued that because the CFAA prohibits accessing computers without “authorization,” cyberattack victims expose themselves to criminal liability if they venture outside their network to unmask an attacker and disrupt, disable or destroy the attacker’s system.[4] The purpose of the ACDC is to reduce legal uncertainty by, in effect, providing a statutory safe harbor for victims of cyberattacks to “hack back” — under the right circumstances, and subject to limitations.

In addition to the legal question of whether active defense is currently barred by the CFAA, the desirability of active defense as a policy matter has also been debated. Advocates of the ACDC have argued that companies, no matter how sophisticated their preventive cyber defenses, continue to suffer major breaches, and that the number of cyberattacks far exceeds the government’s ability to identify and prosecute criminals. They argue that in a lopsided cyber battlefield, victims need additional tools to actively respond to ongoing attacks. In critics’ view, however, the bill will promote cyber-vigilantism by victims who are overeager to aggressively strike back at cyber intruders and thieves — thereby creating tit-for-tat patterns of retribution and a significant risk of collateral damage to innocent third-party computer systems.

While the legal and policy debates raised by the ACDC are important, they often overlook the fact that victims of hostile cyber activity may already be able to avail themselves of the judicial process to lawfully engage in the types of “active defense” measures that the ACDC would expressly authorize. Several such techniques of “active defense through litigation” are relatively well-established; others are untested. Because active defense through litigation necessarily involves the judicial process, moreover, it can be relatively time-consuming (particularly in comparison with the more immediate responsive measures contemplated by the ACDC). Although courts can provide certain forms of expedited relief in a matter of days or even less, this time frame may be prohibitive in some cases. Nevertheless, for victims of cyberattacks that are weighing an active response, it may be worth considering one or more of these options.

The most established and typical form of active defense through litigation is using third-party discovery to obtain information about the perpetrators of a cyber-intrusion and, potentially, establishing “attribution” of the culprit. In Liberty Media Holdings LLC v. Does 1-59, for example, hackers unlawfully accessed copyrighted materials on a company’s protected website.[5] The company brought suit against the unknown culprits — named “John Does” in the complaint — for violating the CFAA, the Electronic Communications Privacy Act and the Copyright Act.[6] It then provided the court with the internet protocol addresses of each defendant.[7] The court granted the company’s motion that it be allowed to serve subpoenas on the defendants’ internet service providers and cable providers to compel them to “produce all documents and/or information sufficient to identify the users of the IP addresses.”[8] Continue Reading

China in Africa: Recent Developments

In 1998, China announced its “go out” or “go global” policy aimed at encouraging its enterprises to invest overseas. In 2013 this policy was reinforced with China’s introduction of its One Belt, One Road (OBOR) or “Belt & Road” initiative, which seeks to enhance development and trade routes in the region, connecting China with other countries along the ancient Silk road and a new Maritime Silk Road. Significant international anxiety has been expressed about China’s global ambitions generally, and as it pertains to Africa in particular, with some calling China’s OBOR initiative “neo-colonial” and raising concerns about China’s investments in Africa serving as a possible “debt trap.” On the other hand, China’s general policy of non-interference has led African leaders to describe China’s partnership with African countries as a “win-win.”

Below we examine recent trends related to China’s activity in Africa, including China’s 2018 FOCAC pledge of US$60 billion in financing, recent commitments made at the BRICS Summit, and China’s increasing foreign direct investment (FDI) on the continent.

Forum on China-Africa Cooperation (FOCAC)

On September 3, 2018, Chinese President Xi Jinping pledged US$60 billion in financing for projects in Africa. Of this total pledge, US$15 billion will take the form of grants, infrastructure, and concessional loans; US$20 billion will be available in credit lines; US$10 billion for development financing; and US$5 billion to buy imports from Africa. China made a similar US$60 billion pledge in 2015.

At the opening ceremony, President Xi emphasized China’s “five-no” approach to Africa:

[N]o interference in African countries’ pursuit of development paths that fit their national conditions; no interference in African countries’ internal affairs; no imposition of our will on African countries; no attachment of political strings to assistance to Africa; and no seeking of selfish political gains in investment and financing cooperation with Africa.

It is China’s policy of non-interference that leads many African leaders to echo South African President Ramaphosa’s rejection of the view that a new colonialism is taking hold in Africa regarding China’s investment in Africa. Continue Reading

The Week Ahead in the European Parliament – October 26, 2018


This past week, the European Parliament held a plenary session in Strasbourg.

On Tuesday, 23 October, Members of the European Parliament (“MEPs”) approved the amendments on the proposal for a Directive on the quality of water intended for human consumption.  The amendments call for increasing consumers’ confidence in drinking water from the tap.  To do so, Member States should also provide universal access to clean water and improve water access in cities and public spaces.  The measures of the Directive are intended to contribute to reducing plastic usage and litter – plastic bottles are one of the most common single-use plastic products found on Europe’s beaches and seas.  See the amendments adopted here.

On Wednesday, 24 October, MEPs agreed their position on the proposal for a Single-Use Plastics Directive.  The purpose of the proposal is to prevent and reduce the impact of certain plastic products on the environment.  The new rules target the ten single-use plastic products found most often on Europe’s beaches and seas.  The new rules also include obligations for producers to help cover the costs of waste management, collection targets, and a short timeline for achieving reductions in the consumption of certain single-use plastic products, including plastic tobacco filters.  See the text adopted here.

On Thursday, MEPs approved a motion for a resolution on the use of Facebook users’ data by Cambridge Analytica and the impact on data protection.  The resolution calls for Facebook and other platforms to allow EU bodies to audit users’ data security.  The resolution also calls for the prevention of election manipulation on social media platforms, and for a reform of EU competition rules to take greater account of data held by undertakings.  See the text adopted here.

Meetings and Agenda

  • No official meetings in the European Parliament are planned before October 26, 2018.

The European Commission finds no illegal State aid was provided by Luxembourg’s non-taxation of McDonald’s

On 19 September 2018, the European Commission (“Commission”) issued a press release declaring that Luxembourg did not provide illegal State aid to McDonald’s with regards to two tax rulings that resulted in double non-taxation of franchise profits in Luxembourg. The Commission’s three-year-long in-depth investigation established that Luxembourg had merely acted in compliance with its national tax laws and that the double non-taxation was the result of a mismatch between Luxembourg and US tax law, as opposed to a more favourable treatment given to McDonald’s compared to other companies in Luxembourg.

The Commission’s initial concerns

In December 2015, the Commission launched an investigation into McDonald’s Europe Franchising (“MEF”), a EU subsidiary of the US-based McDonald’s Corporation. At issue were two tax rulings regarding MEF, a tax resident of Luxembourg with one Swiss branch and one US branch, that received franchisee royalties from outlets in Europe, Ukraine and Russia.

Under the first tax ruling, the authorities in Luxembourg exempted MEF from having to pay corporate tax by reference to the Luxembourg-US Double Taxation Treaty (the “Treaty”). The Treaty states that company profits cannot be taxed by Luxembourg if the company may be taxed in the US by virtue of it having a “permanent establishment” there, from which permanent establishment business is carried out, as well as a taxable presence. Using the Luxembourg definition of “permanent establishment”, the US branch of MEF may have been subject to taxation in the US and therefore exempted from corporate tax in Luxembourg. Despite this, MEF was still required to provide the Luxembourg authorities with annual proof that royalties transferred to the US via Switzerland were declared and subject to taxation.

Under the second tax ruling, McDonald’s subsequently highlighted a discrepancy between the US and Luxembourg jurisdictions. It claimed that, although MEF’s US branch could be considered a “permanent establishment” under Luxembourg tax law, it could not be classified as such under US tax law. On this basis, it argued that (i) the royalty income should be exempt from corporate tax in Luxembourg, under the interpretation given of “permanent establishment” by Luxembourg national tax law, and that (ii) MEF did not have to prove that the royalty income was subject to tax in the US. The authorities in Luxembourg agreed with these points and issued a second tax ruling.

As a consequence, both Luxembourg tax rulings resulted in a double non-taxation as MEF’s royalty income would be taxable neither under Luxembourg nor US tax law.

The Commission’s findings

In its examination, the Commission concluded that the Luxembourg authorities had not misapplied the Treaty in exempting the income of the US branch of MEF from Luxembourg corporate taxation. In particular, the Commission could not establish that the interpretation given by the second tax ruling to the Treaty was incorrect, even if it resulted in a double non-taxation of the royalties awarded to MEF’s US branch. Therefore, no special, more favourable treatment had been provided to McDonald’s that would have constituted illegal State aid.

However, Commissioner Vestager expressed concerns from a tax fairness point of view and emphasized that “the fact remains that McDonald’s did not pay any taxes on these profits – and this is not how it should be from a tax fairness point of view”. Consequently, the Commission welcomed actions taken by the Luxembourg government to combat situations of double non-taxation including the presentation of draft legislation that aims to:

  • strengthen the conditions required to determine the existence of a permanent establishment under Luxembourg law; and
  • require companies, under certain conditions, to provide confirmation that they are subject to the taxation in another country, where such a claim is made.


The Commission has investigated individual tax rulings of Member States under EU State aid rules since June 2013, with this being the first investigation which has not resulted in a finding by the Commission of illegal State aid. To companies under investigation the decision offers hope, by illustrating that there are situations where the specificities of the national tax laws are recognised, even if they may result in special treatment. However, the decision also demonstrates the influence the Commission has and that it can successfully urge Member States to make legislative amendments to change the current situation even if this situation is legally accepted. This can also prevent future situations of non-taxation, even if the Commission did not find the current situation to result in illegal State aid.

Are You Ready For Your Congressional Investigation?

If the current polls and predictions are accurate, the Democratic party is poised to take control of the House of Representatives next year, for the first time since 2010.  Congressional investigations thrive in divided government, and Democratic leaders in Congress are already promising a new wave of investigations.

My new article in Law360 examines the strategies for predicting whether a company or industry is likely to receive congressional scrutiny, the steps that companies and executives can take to prepare for congressional investigations, and the unique characteristics of congressional investigations that make them particularly challenging to navigate.  Companies that are likely targets for congressional investigations can prepare now by anticipating areas of inquiry, assessing vulnerabilities, and preparing response plans with guidance from counsel experienced in handling congressional investigations.

The Week Ahead in the European Parliament – October 19, 2018


Next week, there will be a plenary sitting of the European Parliament in Strasbourg, France. Several significant debates and votes will take place.

On Monday, MEPs will vote on the proposal for a Single-Use Plastics Directive.  The purpose of the proposal is to prevent and reduce the impact of certain plastic products on the environment.  More specifically, the new rules target the ten single-use plastic products most often found on Europe’s beaches and seas.  Also, the new rules include obligations for producers to help cover the costs of waste management, collection targets and short timeline for achieving reductions in the consumption of some single-use plastic products, including plastic tobacco filter.  The European Parliament’s plenary session will vote on the proposal on Wednesday. See the report here and the proposal for a Directive here.

On Tuesday, MEPs and European Commission President Jean-Claude Juncker will debate the Future of Europe together with special guest, Romanian President Klaus Iohannis.  This is the eleventh discussion in a series between MEPs and EU leaders on the future of the EU.

On Wednesday, the plenary session of the European Parliament will debate, together with European Council President Donald Tusk,  the conclusions reached by EU leaders at the European Council Summit on October 17-18, 2018.  Among other issues, MEPs will discuss migration, internal security and Brexit.

On Thursday, MEPs will debate and vote on a motion for a resolution on the use of Facebook users’ data by Cambridge Analytica and the impact on data protection.  The resolution calls for Facebook to permit EU bodies to carry out a full audit to evaluate the security of Facebook users’ personal data.  The resolution also calls for the prevention of election manipulation on social media platforms, and for a reform of EU competition rules to take greater account of data held by undertakings. See the draft resolution here. Continue Reading