The Jenner & Block Report
Updates on US Law for the Japanese Legal and Business Communities
/ Topics / Featured Development / Corporate Update / Data Privacy
/ US Supreme Court
/ White Collar Defense & Investigation
/ Firm News
/ Editors' Note
CLOUD Clarifying Lawful Overseas Use of Data Act
Welcome to April 2018 edition of the Jenner & Block Report, a digest of updates about legal developments in the United States that we believe are noteworthy to our valued clients and other leaders in the Japanese legal and business communities.
This edition's Featured Development story focuses on the cross-border implications of the Clarifying Lawful Overseas Use of Data Act recently passed by US Congress, which is commonly referred to as the CLOUD Act. This new statute amends key aspects of US surveillance law, which are discussed in the article.
This issue also provides an update on the imminent EU General Data Protection Regulation (GDPR), which EU Data Protection Authorities can begin enforcing on May 25, 2018, and outlines steps organizations may take as they consider existing guidance.
Additional topics addressed in this edition of the Jenner & Block Report include the use of blockchain in the corporate context, the increasing popularity of representations and warranties insurance, and recent Delaware Supreme Court decisions concerning fair value analysis in mergers. Also discussed is a recent US Supreme Court decision on whistleblower protections available under Dodd-Frank, as well as the US Department of Justice's expansion of corporate self-disclosure policy under the Foreign Corrupt Practices Act (FCPA).
We hope that you find these summaries of interest and we thank you for taking the time to review the Jenner & Block Report.
The Jenner & Block Team
/ Featured Development
2018323 Clarifying Lawful Overseas Use of Data Act CLOUDUS surveillance law2 1Stored Communications Act, 18 U.S.C. 2701 SCA E 2
CLOUDSCA United States v. Microsoft Corp
E SCA 2 SCA
Jenner & Block
CLOUD SCA2713SCA SCA
CLOUD CLOUD 14
2 CLOUDSCA CLOUD
SCA E SCA
Congress Passes CLOUD Act Governing Cross-Border Law Enforcement Access to Data
By David Bitkower and Natalie K. Orpett
On March 23, 2018, Congress passed the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act), amending key aspects of US surveillance law. The Act addresses two problems: First, by amending the Stored Communications Act, 18 U.S.C. 2701 et seq. (SCA), it clarifies that American law enforcement authorities can compel providers of electronic communication services--such email and social media--to produce data stored outside the United States. Second, it establishes new rules facilitating foreign law enforcement's access to data stored inside the United States. This new legislation impacts any provider that may receive US or foreign orders to produce data in furtherance of criminal investigations.
1. Clarifying That the SCA Reaches Data Stored Outside the United States
The CLOUD Act expressly provides that SCA warrants have extraterritorial reach--that is, they can be used to order production of data located in a foreign country. This mooted a prominent case that had been pending in the Supreme Court, United States v. Microsoft Corp.
In that case, Microsoft had refused to comply with a federal warrant demanding production of email records, arguing that because the records were stored in Ireland, US law enforcement had no authority under the SCA to compel their production. The district court had upheld the warrant, but the Second Circuit reversed, holding that the location of the data--not whether a company could control it from inside the United States--was dispositive, and the SCA could only reach domestically-stored data.
(Jenner & Block filed an amicus brief in the Supreme Court on behalf of the European Commission in Microsoft. David Bitkower and Natalie Orpett previously discussed the Microsoft case and prospects for legislative fixes in this article.)
The CLOUD Act resolves what had been the central issue in Microsoft by creating a new Section 2713 of the SCA, requiring providers to comply with SCA obligations "regardless of whether [the targeted] communication, record, or other information is located within or outside of the United States." This new rule applies to a number of SCA obligations,
including production and preservation of data in response to law enforcement warrants.
2. Adopting Procedures to Address Potential Conflicts of Laws
The CLOUD Act also amends the SCA by adding new provisions to address a key question: What should a provider do if it is asked to produce data to US authorities, but doing so is forbidden by foreign law? The question is particularly pressing because the European Union's General Data Protection Regulation (GDPR) goes into effect on May 25, 2018.
The CLOUD Act's first approach to possible conflicts of law envisions executive agreements with "qualifying foreign governments" designed to streamline foreign and US law enforcement authorities' access to electronic data stored in each other's territories. A foreign country must meet many preconditions to be eligible for an agreement, including demonstrating that its laws afford "robust substantive and procedural protections for privacy and civil liberties."
Besides facilitating US access to cross-border data, these "CLOUD Act Agreements" would institute procedures for handling foreign production orders--such as providing exemptions from certain US data privacy laws--if certain requirements are met. For instance, orders must be highly particularized, and they must relate to a serious crime, not intelligence-gathering. Once a CLOUD Act Agreement is in place, providers have clear recourse if they receive a US warrant that may violate the partner country's law: they have 14 days to petition a court to modify or quash the warrant. The Act empowers the court to do so only after taking into account a number of factors designed to balance the interests of all involved.
The second approach, which applies in all other circumstances, reverts to a more ambiguous savings clause, which merely provides that the status quo continues to apply. Thus, for all cases not involving a qualifying foreign government, and for all cases implicating a US person or any person inside the United States, the CLOUD Act does not change "common law" comity standards that may currently apply to SCA process. Notably, however, the Act does not actually confirm that such comity analysis is available in the first place, let alone spell out what standards would govern it.
The CLOUD Act's most immediate effect will be in court. Warrants that were challenged based on extraterritorial reach will be upheld. As happened in the Microsoft case, other litigation already pending in the courts that confront similar questions, may now be moot.
The Act's clarification will be welcomed by both law enforcement and providers, who can now understand their respective obligations relating to cross-border data. And providers will embrace the new international framework as a means of moderating conflicts of law--a solution for which they have long advocated.
On the flip side, SCA warrant recipients confront a new, untested legal landscape. Providers are not the only ones
affected. Even companies that simply provide email services to their employees or use remote computing services
may also be affected. Companies should consider whether they are prepared to respond to an SCA warrant under this
/ Corporate Update
201781DGCL distributed ledger technology
DGCL219(c) stock ledger224 232DGCL
Cede & Co.DTC DTC DTC3 3680 4920
DBI UCC(1)UCC (2) UCC (3) (4)
201612 Overstock.com tZERO 2018116Kodak
State Blockchain Initiatives: Delaware and Beyond
By Mark A. Reinhardt
On August 1, 2017, the Delaware General Corporate Law (DGCL) was amended to, among other things, make it explicitly legal for entities incorporated in Delaware to use distributed ledger technology, including blockchain, for recordkeeping and administration of stock ledgers. Blockchain technology is most widely associated with cryptocurrencies such as Bitcoin, but its application to corporate recordkeeping and management could be significant as well.
The recent amendments to the DGCL include an amended definition of "stock ledger" in Section 219(c) that covers "records administered by or on behalf of the corporation" together with amendments to Section 224 that provide that records may be "administered by or on behalf of the corporation" through, among other things, distributed electronic networks or databases (e.g. a distributed ledger or blockchain). Additionally, Section 232 was amended to clarify that "electronic transmission" for purposes of the DGCL includes the use of, or participation in, distributed electronic networks or databases.
The implications of these amendments are potentially astounding. For many of the largest US public companies, a company called Cede & Co. (a nominee of the Depositary Trust Company (DTC)) is the "record owner" of most of those companies' stock. A broker keeps an entry in its database showing an investor as the stock's "beneficial owner," and DTC keeps an entry in its database showing the broker's ownership. Through blockchain, however, a corporation could issue its stock directly to investors who could then transfer such stock to other investors with those transfers settling in real time on a ledger the corporation may access at any time. By contrast, transfers that occur through DTC currently take three days to settle, which has created a number of recordkeeping and legal challenges. For example, in the recent Dole Food Company Class Action litigation, investors filed claims to 49.2 million Dole shares that were "facially eligible," when only 36.8 million shares were actually outstanding.
Administering stock on a blockchain would also allow shareholders to vote their shares directly on that blockchain, rather than relying on the proxy voting process which is prone to inaccuracy. Moreover, using smart contracts, companies could issue shares only to the digital wallets of those who qualify as "accredited investors" under US Securities laws, and preprogram those shares to be tradeable only in situations where such transfers qualify for an exemption to share registration obligations. The value of blockchain is not limited to shareholders, however. A corporation could also use blockchain to, among other things, record director votes and ensure board and management acts comply with the corporation's governing documents and other corporate policies that could be programmed into a corporate governance blockchain. In addition, future proposed phases of the DBI also include the proposed creation of "smart UCC" filings, using blockchain, that "will (1) automate the release or renewal of UCC filings and related collateral, (2) increase the speed of searching UCC records, (3) reduce mistakes and fraud and (4) cut cost."
However, uncertainty still exists around the use of blockchain in the corporate context. Indeed, Delaware seems to be slowing down its push to adopt the technology more widely and it is unclear when, if ever, it will launch its smart UCC filing system. But Delaware is not the only state with a blockchain initiative. For example, as part of the Illinois Blockchain Initiative, the Cook County Recorder of Deeds conducted a successful pilot program to test the use of blockchain technology with respect to its land records. Others are also considering how blockchain could revolutionize Medicaid and utilities regulation, among other things. Even Wyoming is trying to become a haven for companies looking to take advantage of blockchain technology.
Unlike in Japan, US federal regulation of cryptocurrencies and other blockchain-based assets is still fragmented and sometimes conflicting. Despite this regulatory uncertainty, early adopters are forging ahead in the United States. In December 2016, Overstock.com became the first publicly traded company to issue stock via blockchain. An Overstock subsidiary, tZERO, is also developing an exchange to facilitate the trading of blockchain-based assets, including securities. On January 16, 2018, Overstock announced that Kodak's virtual security, KODAKCoin would be the first token security offered on the tZERO exchange. Although blockchain is a new legal and technological frontier, two things are
certain: (1) blockchain technology is not going away and (2) those looking to adopt the technology will need competent legal counsel to help them navigate and adapt to this new and quickly evolving area of the law.
R&WM&A 2010 20171400 2017 R&W
1 354 10% 15% 2.5% 2.8% 3 6 PCB "No-Survival Deal"
2 (1) "materiality scrape" materiality qualifiers"read out"(2)
Representations and Warranties Insurance Continues to Grow in Popularity
By Matthew L. Jacobs and Mark A. Reinhardt
Representations and warranties insurance (R&W) provides coverage for breaches of representations and warranties in mergers, acquisitions and other transactions, as a supplement or even replacement for contractual indemnity. It was very rare outside of certain private equity circles before 2010, but its recent use has grown exponentially, with 1400 policies being placed in 2017. 2017 in particular saw a dramatic increase in use in cross border deals, especially with US and Asian acquirers in Europe looking for the broader coverage, with further growth expected in the energy, media and technology sectors. Moreover, while historically such insurance has been more popular on the buy side, there has been an increasing trend in sell-side policies over the last few years.
Although the underwriting process now takes only around a week and policy language is becoming more standardized, coverage is customized for each deal, and many terms are negotiable. The charge for the underwriting process is typically $35,000-$40,000, which is usually non-refundable if the coverage is not purchased. The most common approach is to secure a policy that covers up to 10% or 15% of the deal's enterprise value--usually the value of the target's debt plus equity. In the US, the premiums have dropped significantly, and are now generally 2.5% to 2.8% of the policy limit. A common survival period is three years for breaches of nonfundamental representations (like the accuracy of financial statements and customer contracts) and six years for breaches of fundamental representations (core issues like whether the seller actually owns the company being acquired). The policies do not cover covenant breaches, purchase price adjustments and other payments obligations. Most policies also carve out coverage for liabilities such as asbestos, PCB and certain types of accrued or deferred tax liabilities. The buyer generally agrees to pay for the first layer of liability, in an amount typically equal to an indemnity deductible and then the seller agrees to pay for the next layer of liability (which may be funded through an escrow), with the policy kicking in thereafter for the buyer's exposure up to the policy amount. Increasingly, however, deals are being structured with no seller contribution for an increased premium (sometimes referred to as a "No-Survival Deal"). In a No-Survival Deal, limiting or eliminating the seller's indemnity can materially shorten the negotiating timeline.
As underwriters gain more experience with claims under R&W policies, they have become more likely to provide coverage for certain problem areas, such as environmental and regulatory action exposure. Current R&W policies also will typically include two coverage enhancements: (1) a full "materiality scrape," meaning that they will "read out" materiality qualifiers in the representations and warranties for purposes of determining whether the representation or warranty have been breached and (2) no damages exclusions on the buyer's recovery, permitting coverage for losses such as consequential and multiplied damages. These enhancements are often only available if the deal documents include a full materiality scrape and do not include a damages exclusion. Another advantage of placing R&W coverage is that, following a loss, buyers can deal with a creditworthy insurer rather than having to pursue the seller, which still may have management personnel involved in the surviving entity. Sellers on the other hand might consider R&W insurance where they are looking to accelerate the distribution of sale proceeds by avoiding a large escrow or holdback.
2 DFC Global CorporationMuirfield Value Partners LP DCF PetSmart, Inc.
Dell Inc. Magnetar Global Event Driven Master Fund Ltd. 28
DFCDell SWS Group Inc.SWS SWSSWS SWS 2018221 ACP Master, Ltd. Sprint Corp
1Solera Holdings Inc.Bouchard
Delaware Courts Grapple with Fair Value Analysis in Appraisal Litigation
By Mark A. Reinhardt
As we previously noted here, in June of 2016, Delaware amended DGCL Section 262 to mitigate the use of the appraisal process as leverage in settlement negotiations. Moreover, a number of recent decisions have cut back on the use of purely disclosure-based settlements in such litigation. These actions have rendered disclosure-based settlements in Delaware nearly extinct, and now other issues are getting more focus--in particular, how much weight should courts give deal price in analyzing the fair value of a company's shares?
Two recent Delaware Supreme Court decisions have clarified that courts should generally give significant weight to deal price when analyzing fair value for companies involved in mergers that are conducted at arm's length. In DFC Global Corporation v. Muirfield Value Partners LP, the court explained that deal price may be "the best evidence of fair value" in conflict-free mergers, but declined the opportunity to impose a presumption that deal price equals fair price. Following DCF, the Chancery Court in In re Appraisal of PetSmart, Inc. deferred to the deal price in its appraisal evaluation, given the healthy auction process and negotiation that resulted in the deal price.
Further, in Dell Inc. v. Magnetar Global Event Driven Master Fund Ltd., the Delaware Supreme Court determined that a Chancery Court had abused its discretion by relying on a discounted cash flow analysis and giving no weight to the deal price. The Supreme Court suggested that on the record in that case, deal price deserved heavy, if not dispositive, weight. Accordingly, the Supreme Court reversed the Chancery Court's determination that the company's appraised value was nearly 28% above the negotiated merger price.
Despite the decisions in DFC and Dell, the Chancery Court has since determined that it in certain circumstances it remains inappropriate to rely on deal price when evaluating fair value. For example, in In re Appraisal of SWS Group Inc., the court relied on a discounted cash flow analysis because it determined that "certain structural limitations unique to SWS make the application of the merger price not the most reliable indicia of fair value," for example, the potential acquirer of SWS was party to a credit agreement with SWS that gave it a partial veto right over competing offers for SWS. This decision, however, has been appealed and the Delaware Supreme Court heard oral argument in the case on February 21, 2018. Additionally, in ACP Master, Ltd. v. Sprint Corp, although the court determined that the ultimate purchase price was fair, it expressly did not consider deal price in conducting its fair value analysis, in part based on allegations of misconduct by the bidder.
In another recent case, In re Appraisal of Solera Holdings Inc., Chancellor Bouchard chose to recruit an independent thirdparty expert to aid in the court's appraisal analysis. While it is too early to tell, the use of court-appointed experts has the potential to become a common practice for courts grappling with fair value disputes that historically have involved dueling litigant-hired experts pushing very different analyses, and results, as to what should be the fair value of a company. For the time being, however, a common thread running through all of the cases above is that, the closer companies can adhere to a fair process involving robust negotiations, the more likely the court will defer to the ultimate deal price as the fair value of the company at issue. As such, though companies may not be able to guess in advance what a court would feel is a fair value of their shares, they can exercise extra care to maintain a fair bidding and negotiation process to increase the odds the court will defer to the price at which they ultimately arrive.
/ Data Privacy
2016EUEU1995 GDPREUEUGDPR 2018325GDPRGDPR
GDPREUGDPR EU29 EU
1. GDPRGDPREUEU EU
2. GDPR GDPR6
4. DPOData Protection OfficerDPIAData Protection Impact Assessment
5. GDPR 6. GDPR
GDPR cookies2009ePrivacy 20171ePrivacy GDPR
Update on the EU General Data Protection Regulation: Countdown to Implementation
By Emily A. Bruemmer and Jennifer J. Yun
In 2016, the European Union (EU) adopted the General Data Protection Regulation (GDPR) to replace the Data Protection Directive, which has governed data protection in the EU since 1995. EU Data Protection Authorities can begin enforcing
the GDPR on May 25, 2018, with no further action required by EU Member States to bring the GDPR into effect. The GDPR has some important differences from the Data Protection Directive, including new rights for data subjects; new data breach notification requirements; and much stricter penalties and fines for non-compliance.
While preparing for implementation, companies can benefit from guidance on the GDPR at the EU and national levels. At the EU level, the main source is the Data Protection Working Party or, as it is commonly known, the "Article 29 Working Party," an independent body tasked with advising the European Commission on data protection issues. EU Member State data protection authorities, including those in the United Kingdom, Ireland, Spain, Belgium, and France, have published their own guidance.
Steps Organizations Should Take
As companies sift through this guidance, they should keep several high-level considerations in mind:
1. Companies should determine whether the GDPR applies to them: the GDPR applies to companies that are established in the European Union, offer goods and services to EU residents, or track EU residents online.
2. If the GDPR applies, companies must determine the legal basis for each personal data processing activity. A company must justify processing personal data based on one of the six lawful bases under the GDPR in order for the processing to be deemed lawful. Importantly, the selection of the legal basis for processing will impact the applicable rights of data subjects.
3. Companies must determine which of the data subject rights apply and ensure that they can comply with data subjects' requests to exercise their rights. Additionally, companies should check whether they are processing any "special categories" of personal data or data related to criminal convictions or offenses, and, if so, what additional requirements apply to the collection and use of such data.
4. Companies should determine whether they need to appoint a DPO or conduct a DPIA. 5. Companies must develop breach notification procedures that comply with the new requirements under the
GDPR. 6. Companies must review existing contracts with third parties to ensure that they appropriately allocate
responsibilities required under the GDPR. 7. Companies must notify data subjects how they process personal data and provide information required by the
GDPR's new notice provision.
The European Commission has expressed concerns regarding Member State readiness for the new regime. Although the GDPR will take effect in Member States automatically, Member States nonetheless need to implement national legislation to address important administrative issues, such as funding data protection authorities. As of March 2018, only four Member States (Austria, Belgium, Germany and Slovakia) have passed the necessary national legislation.
Finally, organizational awareness of European data protection and privacy law should not stop at the GDPR. The European Commission proposed updates to its 2009 ePrivacy Directive, which addresses topics such as network security, "cookies," and unsolicited email marketing, in January 2017. Companies should be aware of this proposed legislation, as--like the GDPR--the ePrivacy Regulation promises to significantly impact multinational companies' business operations.
/ US Supreme Court
2017626SEC SEC20176 262018221Digital Realty Tr., Inc. v. Somers
anti-retaliation SECDigital Realty, No. 16-1276, 2018 WL 987345 , at *4 (US Feb. 21, 2018) ()
SEC 9 1995 SEC ( Asadi v. G.E. Energy (USA), L.L. C., 720 F.3d 620, 630 (2013))2 (Berman v. NEO @OGILVY LLC, 801 F.3d 145, 155 (2013))
Supreme Court Unanimously Decides That Whistleblower Protections Only Extend To Those Who Report To SEC
By Brian M. Adesman
On June 26, 2017, the US Supreme Court agreed to review the issue of whether Dodd-Frank's whistleblower protections extend to those who report concerns either internally or to agencies other than the SEC, but not to the SEC itself. See June 26, 2017 Order List (attached). On February 21, 2018, in Digital Realty Tr., Inc. v. Somers, the Court unanimously decided that "[t]o sue under Dodd-Frank's anti-retaliation provision, a person must first provide information relating to a violation of the securities laws to the [Securities and Exchange] Commission." Digital Realty, No. 16-1276, 2018 WL 987345, at *4 (US Feb. 21, 2018) (internal quotation marks, brackets, and ellipses omitted).
In a 19-page unanimous opinion authored by Justice Ruth Bader Ginsberg, the Court reversed the Ninth Circuit's ruling that Dodd-Frank's anti-retaliation employment protections applied to whistleblowers who report alleged wrongdoing to agencies or persons other than the SEC. The Court acknowledged that it granted certiorari to resolve a circuit split between the Fifth Circuit, which held that employees must provide information to the SEC to avail themselves of DoddFrank's anti-retaliation safeguard (Asadi v. G.E. Energy (USA), L.L. C., 720 F.3d 620, 630 (2013)), and the Second Circuit, which reached the opposite conclusion (Berman v. NEO @OGILVY LLC, 801 F.3d 145, 155 (2013)).
The Court's ruling confirms that whistleblowers who fail to report to the SEC are not protected by Dodd-Frank's antiretaliation employment protections.
/ White Collar Defense & Investigation
201831DOJFCPA FCPA DOJ
FCPA Jenner & Block DOJ Formalizes FCPA Enforcement Policy Reinforcing Incentives for Disclosure and Cooperation Under the FCPA Pilot Progra m and Creating a "Presumption" in Favor of a Declination of Prosecution for Companies that Voluntarily Disclose Misconduct.
DOJ Announces Expansion of Corporate Self-Disclosure Policy
By Sandra Hanian
On March 1, 2018, the Department of Justice (DOJ) announced that the Criminal Division may apply the self-disclosure principles set forth in the Foreign Corrupt Practices Act (FCPA) Corporate Enforcement Policy to non-FCPA corporate criminal matters. The Policy includes a presumption towards declining to prosecute companies that self-disclose criminal conduct, cooperate with DOJ's investigation of the wrongdoing, timely remediate their controls and compliance programs, and disgorge any ill-gotten gains. Corporate counsel should be cautious, however, as this expansion of declination is not binding on prosecutors in US Attorneys' Offices throughout the country.
For additional analysis of the FCPA Corporate Enforcement Policy, please see the linked Client Alert: DOJ Formalizes FCPA Enforcement Policy Reinforcing Incentives for Disclosure and Cooperation Under the FCPA Pilot Program and Creating a "Presumption" in Favor of a Declination of Prosecution for Companies that Voluntarily Disclose Misconduct.
/ Firm News
418 2028 FIFA
On April 18, Jenner & Block's Los Angeles office hosted a panel discussion of the US Department of Justice's efforts to prosecute corruption in the sports world. Partner Brandon Fox was joined on the panel by the US Attorney for the Central District of California, the Chief Legal Officer for the organizing committee for the Los Angeles Olympics in 2028, and the General Counsel for the US Soccer Federation. The panel discussed the DOJ's prosecutions in college basketball, FIFA, and past Olympics, and efforts sports organizations are taking to prevent future scandals.
Terrence J. Truax Managing Partner firstname.lastname@example.org
Brent Caslin Partner email@example.com
Miwa Shoda Special Counsel firstname.lastname@example.org
Donald E. Batterson Partner email@example.com
Louis E. Fogel Partner firstname.lastname@example.org
Brandon D. Fox Partner email@example.com
Gabriel A. Fuentes Partner firstname.lastname@example.org
Brian M. Adesman Fumiya Beppu David Bitkower Emily A. Bruemmer Sandra Hanian Soh Inoue Matthew L. Jacobs
Kelly M. Morrison Partner email@example.com
Natalie K. Orpett
Mark A. Reinhardt Jennifer J. Yun
Nick G. Saros Partner firstname.lastname@example.org G. Thomas Stromberg Partner email@example.com
Brian Adesman Associate firstname.lastname@example.org Amy Inagaki Associate email@example.com
Visit Jenner.com 2018 Jenner & Block LLP. Attorney Advertising. Jenner & Block is an Illinois Limited Liability Partnership including professional corporations. This publication is not intended to provide legal advice but to provide information on legal matters and firm news of interest to our clients and colleagues. Readers should seek specific legal advice before taking any action with respect to matters mentioned in this publication. The attorney responsible for this publication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome.