COVID-19: IRS Extends Production Tax Credit/Investment Tax Credit Safe Harbors

On May 27, 2020, the IRS issued Notice 2020-41, which responds to industry-wide supply chain disruptions due to the COVID-19 pandemic by giving renewable energy developers additional time to complete their projects. Most importantly, the Notice extends two safe harbors applicable to the renewable energy production tax credit (PTC) and investment tax credit (ITC).

First, the “Continuity Safe Harbor” is extended from four years to five years for projects that began construction in 2016 or 2017. Developers that put the project in service by the end of the fifth calendar year after the year construction began will be deemed to meet the continuous construction requirement.

Second, relief is provided for developers that intend to meet the beginning construction requirement by incurring 5% of project costs, i.e., by making payments for services or property they reasonably expected to receive within 3½ months (a/k/a the 3½ Month Rule). Developers that pay for services or property on or after September 16, 2019 and actually receive the services or property by October 15, 2020, will be deemed to satisfy the 3½ Month Rule.

This relief is available to developers of wind, solar, biomass, geothermal, landfill gas, trash, hydropower, fuel cells, microturbines, and combined heat and power systems.


©2020 Pierce Atwood LLP. All rights reserved.


Announcement of "Privacy Shield" Gives Hope for U.S. Companies Who Previously Relied on Safe Harbor

We have previously discussed the EU Court of Justice’s invalidation of the long-standing Safe Harbor program, previously relied on by many organizations as a means of authorizing transfers of EU citizens’ private data to the United States. U.S. companies eagerly awaited news of a replacement for Safe Harbor and kept a close watch as the January 31, 2016, grace period on enforcement announced by the EU Article 29 Working Party expired. News of a new framework broke in early February and the European Commission released extensive documentation revealing the details of Safe Harbor’s proposed replacement – the EU-U.S. Privacy Shield program (Privacy Shield) – on February 29, 2016.

Privacy Shield encompasses seven principles for assuring adequate protection when transferring and processing personal data originating in the European Union. Similar to Safe Harbor, organizations can self-certify their compliance with these principles, provided they (1) commit to the U.S. Department of Commerce that they will adhere to the Privacy Shield Principles, (2) publicly declare their commitment to the Privacy Shield Principles, and (3) actually implement the Principles. Once compliance is certified, organizations may seek inclusion on the Department of Commerce’s list of certified organizations, effectively authorizing them to transfer the personal data of EU residents to the United States.

Privacy Shield Principles

  1. Notice. Privacy Shield requires organizations to provide notice regarding the type of data collected, the purposes for which it is collected, any third parties to which the data may be transferred, individuals’ right to access their data, and how individuals can limit use and disclosure of personal data. The organization also must provide notice of its participation in Privacy Shield, acknowledge applicable enforcement authorities and describe recourse mechanisms available.

  2. Choice. Organizations must provide clear, conspicuous and readily available mechanisms allowing individuals to opt out of any disclosure of their personal data to third parties, or use of their personal data other than the purpose(s) for which it was initially collected or subsequently authorized by the individual. Certain sensitive information will require individuals to opt in affirmatively.

  3. Security. As under Safe Harbor, participating organizations must take “reasonable and appropriate measures,” based on the risks involved and the nature of the personal data, to protect the data “from loss, misuse and unauthorized access, disclosure, alteration and destruction.”

  4. Access. Privacy Shield–certified organizations must provide individuals with access to and the opportunity to correct, amend or delete inaccurate or improperly processed personal data. Individuals also must be allowed to confirm that their personal data is being processed. An organization may restrict access to data “in exceptional circumstances.”

  5. Data Integrity and Purpose Limitation. Privacy Shield requires not only that any data collected be “relevant for the purposes of processing” but also that organizations limit collection to relevant data only. Participating organizations also must “take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current.”

  6. Accountability for Onward Transfer. Certified organizations’ contracts with third parties receiving personal data must require that such data “may only be processed for limited and specified purposes” consistent with the level of consent given by the data subject. Third-party transferees also must agree to “provide the same level of protection as the [Principles].” Certified organizations also must “take reasonable and appropriate steps” to ensure third-party agents adhere to the Principles, and are required to stop and remediate any unauthorized processing by third parties, if necessary. Importantly, with limited exceptions, certified organizations remain liable to data subjects for any vendor’s violation of the Principles.

  7. Recourse, Enforcement and Liability. Perhaps Privacy Shield’s most significant new features are its recourse and dispute resolution provisions. Complaint-handling processes must be implemented to obtain Privacy Shield certification. To ensure effective enforcement, Privacy Shield requires (1) procedures for verifying representations made about privacy practices, (2) recourse for data subjects and (3) remedies for failures to comply with the Principles. These newly required “independent recourse mechanisms” are empowered to provide remedies separate from regulators’ enforcement authority.

Legal Safeguards

Because the extent of U.S. government surveillance of personal data was a primary reason why the Safe Harbor program was invalidated, in support of Privacy Shield the U.S. Office of the Director of National Intelligence and the U.S. Department of Justice have furnished letters outlining the legal safeguards that will limit U.S. government access to personal data transferred pursuant to Privacy Shield. In addition, the U.S. Secretary of State is set to appoint a Privacy Shield Ombudsperson, who will be responsible for handling European complaints regarding whether personal data transferred under Privacy Shield has been accessed by U.S. intelligence activities.

In addition, the Judicial Redress Act of 2015, signed into law on February 24, 2016, allows EU citizens to bring civil actions against U.S. government agencies under the Privacy Act of 1974 to access, amend or correct records about them or seek redress for the unlawful disclosure of those records.

Certification and Compliance

Privacy Shield is expected to be approved by the European Commission later this year and published in the Federal Register shortly thereafter. Organizations that self-certify within the first two months following publication will be given nine months to bring all third-party relationships into compliance. Two months after the effective date, the Principles become binding on an organization immediately upon certification. Privacy Shield will thereafter undergo annual joint reviews by EU and U.S. authorities.

All organizations that intend to become Privacy Shield certified are strongly encouraged to immediately begin updating their policies to meet Privacy Shield’s heightened obligations, including reviewing their third-party agreements to ensure compliance.

© 2016 Wilson Elser

IRS Expands Ability of Safe Harbor Plan Sponsors to Make Mid-Year Changes

The Internal Revenue Service (IRS) recently issued Notice 2016-16, which provides safe harbor 401(k) plan sponsors with increased flexibility to make mid-year plan changes.  Notice 2016-16 sets forth new rules for when and how safe harbor plan sponsors may amend their plans to make mid-year changes, a process which traditionally has been subject to significant restrictions.

Background

“Safe harbor” 401(k) plans are exempt from certain nondiscrimination tests (the actual deferral percentage (ADP) and actual contribution percentage (ACP) tests) that otherwise apply to employee elective deferrals and employer matching contributions.  In return for these exemptions, safe harbor plans must meet certain requirements, including required levels of contributions, the requirement that plan sponsors provide the so-called “safe harbor notice” to participants, and the requirement that plan provisions remain in effect for a 12-month period, subject to certain limited exceptions.

Historically, the IRS has limited the types of changes that a safe harbor plan sponsor may make mid-year due to the requirement that safe harbor plan provisions remain in effect for a 12-month period.  The 401(k) regulations provide that the following mid-year changes are prohibited, unless applicable regulatory conditions are met:

  • Adoption of a short plan year or any change to the plan year

  • Adoption of safe harbor status on or after the beginning of the plan year

  • The reduction or suspension of safe harbor contributions or changes from safe harbor plan status to non-safe harbor plan status

The IRS has occasionally published exceptions to the limitations on mid-year changes.  For example, plan sponsors were permitted to make mid-year changes to cover same-sex spouses following the Supreme Court of the United States’ decision in United States v. Windsor in 2013.

Aside from these limited exceptions, safe harbor plan sponsors were generally not permitted to make mid-year changes.  This led to some difficulties for plan sponsors, particularly in situations where events outside the plan sponsor’s control might ordinarily cause a plan sponsor to want to make a mid-year plan change.

Permissible Mid-Year Changes

Notice 2016-16 clarifies that certain changes to safe harbor plans made on or after January 29, 2016, including changes that alter the content of a plan’s required safe harbor notice, do not violate the safe harbor qualification requirements simply because they occur mid-year.  A “mid-year change” for this purpose includes (1) a change that is first effective during a plan year, but not effective at the beginning of a plan year, or (2) a change that is effective retroactive to the beginning of the plan year, but adopted after the beginning of the plan year.

Mid-year changes that alter the plan’s required safe harbor notice content must meet two additional requirements:

  1. An updated safe harbor notice that describes the mid-year change and its effective date must be provided to each employee required to receive a safe harbor notice within a reasonable period before the effective date of the change.  The timing requirement is deemed satisfied if the notice is provided at least 30 days, and no more than 90 days, before the effective date of the change.

  2. Each employee required to be provided a safe harbor notice must also have a reasonable opportunity (including a reasonable time after receipt of the updated notice) before the effective date of the mid-year change to change the employee’s cash or deferred election.  Again, this timing requirement is deemed satisfied if the election period is at least 30 days.

Mid-year changes that do not alter the content of the required safe harbor notice do not require the issuance of a special safe harbor notice or a new election opportunity.

Prohibited Mid-Year Changes

Certain mid-year changes remain prohibited, including:

  • A mid-year change to increase the number of years of service that an employee must accrue to be vested in the employee’s account balance under a qualified automatic contribution arrangement (QACA) safe harbor plan

  • A mid-year change to reduce the number of employees eligible to receive safe harbor contributions

  • A mid-year change to the type of safe harbor plan, such as changing from a traditional 401(k) safe harbor plan to a QACA

  • A mid-year change to modify or add a matching contribution formula, or the definition of compensation used to determine matching contributions if the change increases the amount of matching contributions

  • A mid-year change to permit discretionary matching contributions

In addition, mid-year changes that are already subject to conditions under the 401(k) and 401(m) regulations (including changes to the plan year, the adoption of safe harbor status mid-plan year, and the reduction or suspension of safe harbor contributions, as described above) are still prohibited, unless applicable regulatory conditions are met.  These changes are also not subject to the special notice and election opportunity requirements.

Conclusion

Notice 2016-16 fundamentally changes the rules regarding mid-year changes to safe harbor 401(k) plans.  Prior to Notice 2016-16, mid-year changes were assumed to be impermissible, subject to the limited exceptions described above.  Going forward, however, mid-year changes that are not specifically prohibited are permitted, so long as the notice requirements, where applicable, are met, and other regulatory requirements are not violated.

Notice 2016-16 should prove particularly helpful for safe harbor plan sponsors that have struggled with the limitations imposed on safe harbor plans by the inability to make mid-year changes when non-safe harbor plans would do so (for example, if a record-keeper changes administrative procedures or other events outside the plan sponsor’s control require mid-year changes).  However, safe harbor plan sponsors wishing to make mid-year changes will still need to consult with advisors to determine whether a proposed amendment is permissible, or whether the amendment is subject to additional regulatory requirements.  In addition, plan sponsors wishing to make a mid-year change that would alter the plan’s required safe harbor notice content must assume the additional cost of issuing a special safe harbor notice and must plan ahead to make sure the supplemental notice is delivered on time.

The IRS is also requesting comment on additional guidance that may be needed with respect to mid-year changes to safe-harbor plans, and specifically as to whether additional guidance is needed to address mid-year changes relating to plan sponsors involved in mergers and acquisitions or to plans that include an eligible automatic contribution arrangement under Section 414(w) of the Internal Revenue Code.  Comments may be submitted in writing not later than April 28, 2016.

Department of Commerce Releases Fact Sheet on EU-U.S. Privacy Shield

As we reported yesterday, the United States and the European Commission have reached a political agreement on a new framework for transatlantic data flows, referred to as the EU-U.S. Privacy Shield.  The U.S. Department of Commerce (“Commerce”) released a fact sheet yesterday to coincide with the announcement of the agreement.

The fact sheet includes a series of bullet points listing ways in which the Privacy Shield (1) “significantly improves commercial oversight and enhances privacy protections,” and (2) “demonstrates the U.S. Commitments to limitations and safeguards on national security.”  On the first point, Commerce states that “EU individuals will have access to multiple avenues to resolve concerns,” including alternative dispute resolution at no cost to individuals.  In addition, Commerce “will step in directly and use best efforts to resolve referred complaints” using a “special team with significant new resources.”  On the second point, the fact sheet references President Obama’s executive actions to enhance privacy protections and oversight relating to U.S. government surveillance activities.  Finally, Commerce states that “the United States is making the commitment to respond to appropriate requests” regarding U.S. intelligence activity, in a manner that is consistent with national security obligations.

Agreement Reached on New EU-U.S. Safe Harbor: the EU-U.S. Privacy Shield

On February 2nd, 2016, the European Commission and U.S. Government reached political agreement on the new framework for transatlantic data flows.  The new framework – the EU-U.S. Privacy Shield – succeeds the EU-U.S. Safe Harbor framework (for more on the Court of Justice of the European Union decision in the Schrems case declaring the Safe Harbor invalid, see our earlier post here).  The EU’s College of Commissioners has also mandated Vice-President Ansip and Commissioner Jourová to prepare the necessary steps to put in place the new arrangement.

The EU-U.S. Privacy Shield

According to the Commission press release, there will be several new elements to the EU-U.S. Privacy Shield, as compared with the invalidated EU-U.S. Safe Harbor framework.  For instance, in addition to subjecting participating U.S. companies to certain as-yet unspecified safeguards, the Privacy Shield will include:

  • An annual joint review of the program performed by the European Commission and U.S. Department of Commerce – to which European data protection authorities will be invited – to ensure its proper functioning.  This will include a review of access by U.S. intelligence agencies to EU-originating data.

  • Enhanced rights of redress for European data subjects, including (i) subjecting U.S. organizations to firmer deadlines when responding to complaints, (ii) allowing EU citizens and EU data protection authorities to refer complaints to the U.S. Department of Commerce and the U.S. Federal Trade Commission, (iii) establishing, as a last resort, a new binding alternative dispute resolution mechanism to resolve complaints that will be voluntary and free to data subjects, capable of issuing binding injunctive orders, and subject to judicial review consistent with the U.S. Federal Arbitration Act, and (iv) creating a new “Ombudsperson” within the U.S. State Department to handle complaints – channeled through EU Member State representatives – that relate to U.S. intelligence agencies’ access to data.  Disputes relating to human resources/employee data will remain subject to an alternative process that entails somewhat closer involvement of EU data protection authorities, similar to the current Safe Harbor.

Moreover, it is reported that the U.S. Director of National Intelligence will confirm by official letter to the EU that U.S. intelligence agencies do not engage in “indiscriminate mass surveillance” of data transferred under the new arrangement.

The Privacy Shield is expected to retain or enhance many of the elements contained in the original Safe Harbor framework, including substantive commitments made by U.S. companies on such matters as furnishing appropriate notices to EU citizens, maintaining the security of transferred data, and tightened restrictions on onward transfers.  The precise nature of these obligations is not yet known, but will become clearer in the weeks ahead.

Next steps

The EU College of Commissioners has mandated Vice-President Ansip and Commissioner Jourová to, over the coming weeks, prepare a draft Decision declaring the U.S. to ensure an adequate level of protection.  The adoption of such a Decision by the Commission must follow a “comitology” procedure which will involve:

  • a proposal from the Commission;

  • an opinion by EU Member States’ data protection authorities and the European Data Protection Supervisor (“EDPS”), in the framework of the Article 29 Working Party;

  • an approval from the “Article 31 Committee”, composed of representatives of Member States, under the comitology “examination procedure”;

  • the formal adoption of the Decision by the College of Commissioners;

  • at any time, the European Parliament and the Council may request the Commission to maintain, amend or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for in the Directive.

The effect of such a Commission Adequacy Decision is that personal data can flow from the 28 EU countries and three EEA member countries (Norway, Liechtenstein and Iceland) to the U.S. without any further safeguards being necessary.

Commissioner Jourová hopes for the new arrangement to be in force in approximately 3 months’ time.  The U.S. Government, in the meantime, will make the necessary preparations to put in place the new framework, monitoring mechanisms, and new Ombudsperson.

Tomorrow (February 3rd, 2016), Commissioner Jourová will attend the plenary meeting of the Article 29 Working Party to discuss the role of the EU data protection authorities under the EU-U.S. Privacy Shield.  The U.S. Department of Commerce is, in parallel, planning further briefings about the text.

Are UK-to-US employee data transfers sunk by ECJ’s torpedoing of Safe Harbor regime?

So there it is – in a tremendous boost for transatlantic relations, the European Court of Justice has decided that America is not to be trusted with the personal data of EU residents.  That is not exactly the way the decision is phrased, of course, which (so far as relevant to UK HR) is more like this:

Under the Eighth Principle of the UK’s Data Protection Act (and all or most of its EU cousins) the personal data of your employees can be transferred outside the EU only where the recipient country ensures an adequate level of protection for the rights and freedoms of data subjects.

Until now an EU employer has been able to rely in this respect on a US company’s registration with the Safe Harbor (sic) scheme, a series of commitments designed to replicate the safeguards of EU law for that data.  As of this week, however, that reliance has been deemed misplaced – the ability and tendency of the US security agencies to access personal data held by US employers has been found to compromise those commitments beyond immediate repair.  In addition, one of the EU “model clauses” which can legitimise international data transfers requires the US recipient to confirm that it is aware of no legislation which could compel it to disclose that personal data to third parties without the employee’s consent.  New US laws enacted to boost homeland security mean that this can simply no longer be said.  Therefore Safe Harbor has been comprehensively blown up and can no longer be used as automatic air-cover for employee data transfers to the US.

This creates two immediate questions for HR in the UK.  First, what exposure do we have for past data transfers to the US on a basis which is now shown to be illegitimate?  Second, what do we do about such transfers starting now?

  • Don’t panic! To make any meaningful challenge out of this issue, the UK employee would need to show some loss or damage arising out of that transfer.  In other words, even if the data has been used in the US as the basis for a negative decision about him (dismissal or demotion or no bonus), the employee would need to show that that decision would have been more favourable to him if it had been taken by the same people based on the same data but physically within the EU.  Clearly a pretty tough gig.

Second, all this case does is remove the presumption that Safe Harbor registrants are safe destinations – it does not prove that they are not, either now or historically.  The question of adequacy of protection is assessed by reference to all the circumstances of the case, including the nature of the personal data sent, why it is sent to the US and what relevant codes of conduct and legislative protections exist there.

Last, Schedule 4 of the DPA disapplies the Eighth Principle where the data subject (the employee) has given his consent to the international transfer, or where the transfer is necessary for the entering or performance of the employment contract between the employee and the UK employer.  It will rarely be the case that neither of these exceptions applies.

If you have not previously had complaints from your UK employees that their personal data has been misused/lost/damaged in the US, nothing in this decision makes that particularly likely now.

  • Still don’t panic.

  • However, do be aware that this case is likely to lead to stricter precautions being required to ensure that what is sent to the US is genuinely only the bare minimum.

  • On its face, Schedule 4 should allow most reasonable international transfers of employee data anyway, pretty much regardless of what level of protection is offered in the destination country. However, there is a strong body of opinion, especially in Continental Europe, that reliance on this provision alone is unsafe and that it is still appropriate for the EU employer to take specific steps (most usually, some form of data export agreement with its US parent) to satisfy itself that a reasonable level of protection for that data exists. It may also wish to be seen to reconsider how far those HR decisions need to be made in the US at all, and whether EU employee data could be kept on an EU-based server if that is not currently the case.

  • To the extent that employment contracts do not already include it, amend them to include an express consent to the transfer of relevant personal data to the US (but do note another possible avenue of attack much mulled-over in Europe, i.e. that consent in an employment contract is not freely given because the job hangs upon it). Last, be seen to prune the UK employee data you do hold in the US back to what is strictly necessary and get rid of stuff which is no longer (if it ever was) relevant to the performance of the employment contract.

© Copyright 2015 Squire Patton Boggs (US) LLP

EU Official Calls for Invalidation of EU–U.S. Safe Harbor Pact

A European Court of Justice (ECJ) advocate general, Yves Bot, has called for the European Union–U.S. Safe Harbor Agreement to be invalidated due to concerns over U.S. surveillance practices (press release here, opinion here). The ECJ has discretion to reject the recommendation, but such opinions are generally followed. A final decision on the issue is expected to be issued late this year or next year.

The issue arises out of the claims of an Austrian law student, Max Schrems, who challenged Facebook’s compliance with EU data privacy laws. (The case is Schrems v. (Irish) Data Protection Commissioner, ECJ C-362/14.) He claims that the Safe Harbor Framework fails to guarantee “adequate” protection of EU citizen data in light of the U.S. National Security Agency’s (NSA) surveillance activities. Although the Irish data protection authority rejected his claim, he appealed and the case was referred to the ECJ.

The European Data Protection Directive prohibits data of EU citizens from being transferred to third countries unless the privacy protections of the third countries are deemed adequate to protect EU citizens’ data. The U.S. and EU signed the Safe Harbor Framework in 2000, which permits companies to self-certify to the U.S. Department of Commerce (DOC) annually that they abide by certain privacy principles when transferring data outside the EU. Companies must agree to provide clear data privacy and collection notices and offer opt-out mechanisms for EU consumers.

In 2013, former NSA contractor Edward Snowden began revealing large-scale interception and collection of data about U.S. and foreign citizens from companies and government sources around the globe. The revelations, which continue, have alarmed officials around the world, and already prompted the European Commission to urge more stringent oversight of data security mechanisms. The European Parliament voted in March 2014 to withdraw recognition from the Safe Harbor Framework. Apparently in response to the concern, the Federal Trade Commission (FTC) has taken action against over two dozen companies for failing to maintain Safe Harbor certifications while advertising compliance with the Framework, and in some cases claiming compliance without ever certifying in the first place. For more, see here (FTC urged to investigate companies), here (FTC settles with 13 companies in August 2015), and here (FTC settles with 14 companies in July 2014).

Advocate General Bot does not appear to have been mollified by the U.S. efforts, however. He determined that “the law and practice of the United States allow the large-scale collection of the personal data of citizens of the [EU,] which is transferred under the [S]afe [H]arbor scheme, without those citizens benefiting from effective judicial protection.” He concluded that this amounted to interference in violation of the right to privacy guaranteed under EU law, and that, notwithstanding the European Commission’s approval of the Safe Harbor Framework, EU member states have the authority to take measures to suspend data transfers between their countries and the U.S.

While the legal basis of that opinion may be questioned, and larger political realities regarding the ability to negotiate agreements between the EU and the U.S. are at play, if followed by the ECJ, this opinion would make it extremely difficult for companies to offer websites and services in the EU. This holds true even for many EU companies, including those that may have cloud infrastructures that store or process data in U.S. data centers. It could prompt a new round of negotiations by the U.S. and European Commission to address increased concerns in the EU about surveillance.

Congressional action already underway may help release some tension, with the House Judiciary Committee unanimously approving legislation that would give EU consumers a judicial right of action in the U.S. for violations of their privacy. This legislation was a key requirement of the EU in an agreement in principle that would allow the EU and U.S. to exchange data between law enforcement agencies during criminal and terrorism investigations.

Although the specific outcome of this case will not be known for months, the implications for many businesses are clear: confusion and continued change in the realms of privacy and data security, and uncertainty about the legal rules of the game. Increased fragmentation across the EU may result, with a concomitant need to keep abreast of varying requirements in more countries. Change and lack of harmonization is surely the new normal now.

© 2015 Keller and Heckman LLP

Unlucky 13: FTC Settles Charges under International Safe Harbor Framework

Thirteen companies have agreed to settle with the Federal Trade Commission (FTC) charges relating to their participation in the U.S.–EU and U.S.–Swiss Safe Harbor Frameworks. Seven companies allegedly failed to renew their Safe Harbor self-certifications, including a sports marketing firm, two software developers, a research organization, a business information firm, a security consulting firm, and an e-discovery service provider. Another six allegedly failed to seek certification under the Frameworks, but nevertheless claimed in their privacy policies to be certified, including an amusement park, two sporting companies, a medical waste service provider, a food manufacturer, and an e-mail marketing firm. Last year, fourteen companies settled with the FTC over similar claims, and an advocacy group named 30 companies in a complaint alleging that they were out of compliance with the Safe Harbor Frameworks.

The European Commission’s Directive on Data Protection prohibits the transfer of personal data to non-EU countries that do not meet the EU standard for privacy protection, so the U.S. Department of Commerce (DOC) negotiated the Safe Harbor Frameworks to allow U.S. entities to receive such data provided that they comply with the Directive. To participate in the Safe Harbor Frameworks, companies must annually self-certify that they comply with seven key privacy principles for meeting the EU’s adequacy standard: notice, choice, onward transfer, security, data integrity, access, and enforcement. Only appropriately self-certified companies may display the Safe Harbor certification mark on their websites, and the FTC is charged with enforcing violations.

This enforcement action is a reminder of the importance of maintaining current Safe Harbor status for those who elect to participate in the program. It is also a reminder that companies must act in accordance with their published privacy policies, and periodically review their privacy policies to ensure that they remain current and reflect companies’ actual practices.

© 2015 Keller and Heckman LLP

Patent Safe Harbor Applies To Supplemental New Drug Applications

On May 13, 2015, the Federal Circuit confirmed in Classen Immunotherapies, Inc. v. Elan Pharmaceuticals, Inc. that the safe harbor provisions of 35 U.S.C. § 271(e)(1) can shield post-FDA approval activities from liability for patent infringement when the activities generated information that was submitted to the FDA to support a supplemental New Drug Application and Citizen’s Petition. However, the Federal Circuit remanded the case to the district court to determine whether other allegedly infringing activities, such as using the information to file a patent application, also were shielded by the statute.

The Claims At Issue

The patent at issue was Classen’s U.S. 6,584,472, directed to a method for accessing and analyzing data on a commercially available drug to identify a new use of that drug, and then commercializing the new use. Claim 36 (which depends from claim 33, which was canceled during reexamination) is representative of the asserted method claims, and claim 59 is representative of the asserted kit claims:

33. A method for creating and using data associated with a commercially available product, wherein the method comprises the steps of:
accessing at least one data source, comprising together or separately, adverse event data associated with exposure to or use of the product and commercial data regarding marketing, sales, profitability or related information pertaining to the product;
analyzing the accessed data to identify (i) at least one new adverse event associated with exposure to or use of the product, (ii) at least one new use for the product responsive to identification of the at least one new adverse event, and (iii) the potential commercial value of the at least one new use for the product; and
commercializing the newly identified product information based upon the analyzed data.

36.  The method of claim 33, wherein the commercializing step comprises formatting the data relating to at least one new adverse event associated with exposure to, or use of the product, or documenting same, such that a manufacturer or distributor of the product must inform consumers, users or individuals responsible for the user, physicians or prescribers about at least one new adverse event associated with exposure to or use of the product.

59.  A proprietary kit comprising (i) product and (ii) documentation notifying a user of the product of at least one new adverse event relating to the product, wherein determination of the new adverse event is based upon the data provided by the method of claim 36.

Footnote 1 of the Federal Circuit decision states, “Because issues of validity are not before us in this appeal, we express no opinion as to whether the asserted claims cover patent ineligible subject matter in light of the Supreme Court’s decision in Alice Corp. v. CLS Bank International, 573 U.S. __, 134 S. Ct. 2347 (2014).”

Procedural Background

Classen asserted U.S. Patent No. 6,584,472 against Elan, alleging that Elan infringed the patent by (i) studying the effect of food on the bioavailability of the FDA-approved muscle relaxant Skelaxin, (ii) using the clinical data to identify a new use for the drug, and (iii) commercializing the new use. In particular, after Skelaxin was approved, Elan conducted clinical studies on the effect of the drug when administered with or without food, and then submitted the results to the FDA when seeking approval of a supplemental New Drug Application (“sNDA”) to revise the labeling for Skelaxin and in a Citizen’s Petition proposing changes to the approval requirements for generic versions of Skelaxin. Additionally, Elan filed patent applications based on the new clinical data and sold kits with the revised label containing information derived from the data.

The U.S. District Court for the District of Maryland granted Elan’s motion for summary judgment of non-infringement, finding that Elan’s activities were “reasonably related to the submission of information” under the Federal Food, Drug, and Cosmetic Act (FDCA), and were therefore protected by the safe harbor provision of 35 U.S.C. § 271(e)(1). Classen appealed to the Federal Circuit.

The Federal Circuit Decision

The Federal Circuit decision was authored by Judge Lourie and joined by Chief Judge Prost and District Judge Gilstrap (of the Eastern District of Texas) sitting by designation.

On appeal, Classen argued that Elan’s activities are not exempt under the safe harbor because they involved merely “routine” post-approval reporting to the FDA, which the Federal Circuit held in its 2011 decision in Classen Immunotherapies, Inc. v. Biogen IDEC lies outside the scope of the § 271(e)(1) safe harbor.

This statute provides in relevant part:

It shall not be an act of infringement to make, use, offer to sell, or sell within the United States or import into the United States a patented invention . . . solely for uses reasonably related to the development and submission of information under a Federal law which regulates the manufacture, use, or sale of drugs . . . .

In Classen v. Biogen, the court indicated that the safe harbor applies only to pre-marketing activities, and held that the safe harbor “does not apply to information that may be routinely reported to the FDA, long after marketing approval has been obtained.” However, a year later in Momenta Pharmaceuticals, Inc. v. Amphastar Pharmaceuticals, Inc., the Federal Circuit held that the safe harbor can shield post-approval activities from giving rise to liability for patent infringement where the information submitted to the FDA “is necessary both to the continued approval of the ANDA and to the ability to market the … drug.” Thus, it is not surprising that in this case the Federal Circuit noted that the statutory language does not “categorically exclude post-approval activities from the ambit of the safe harbor.”

Turning to the activities at issue, the Federal Circuit found that post-approval studies conducted to support an sNDA “serve similar purposes as pre-approval studies in ensuring the safety and efficacy of approved drugs.” Thus, the court reasoned, “As an integral part of the regulatory approval process, those activities are ‘reasonably related to the development and submission of information’ under the FDCA, 35 U.S.C. § 271(e)(1), and are therefore exempt from infringement liability.” The court  therefore concluded that the post-approval clinical trials, sNDA and Citizen’s Petition “clearly fall within the scope of the safe harbor.”

Although the Federal Circuit remanded to the district court to determine whether Elan’s activities related to “reanalyzing the clinical data to identify patentable information and filing patent applications are commercial activities outside the scope of the safe harbor,” and whether “selling Skelaxin with the revised label that contained the information derived from the clinical study” infringed the Classen kit claims, the court took it upon itself to “assist the district court in its analysis of infringement . . . [by] mak[ing] the following observations of the record:”

  • Filing a patent application is generally not an infringement of a patent

  • Filing a patent application is not commercialization of an invention, and so a method claim requiring commercialization is likely not infringed by Elan’s actions

  • Placing information submitted to the FDA on a product label generally cannot be an act of infringement.

Given these “observations,” it seems unlikely that the district court will find that Elan infringed the claims at issue.

The Wide Mouth of the Safe Harbor

This decision is one of many Federal Circuit decisions that broadly construe the safe harbor of § 271(e)(1). Indeed, less than one year after the court seemed to draw a bright line around the scope of the safe harbor that excluded post-approval activities, the court blurred that line in Momenta and now it has erased it further in this case.

The Commercial Value of Patent Applications

Although the Federal Circuit’s “observation” that filing a patent application generally is not an act of infringement may be correct, we question its suggestion that filing a patent application is not a commercial activity. To the contrary, filing a patent application can be an essential step of a commercialization plan, and can increase the commercial value of the invention. On the other hand, we would agree that it is unusual that a patent could be infringed by “commercializing … information,” as recited in the Classen patent.