BIOSECURE Act: Anticipated Movement, Key Provisions, and Likely Impact

Last night, the House of Representatives passed the BIOSECURE Act (BIOSECURE or the Act) by a bipartisan vote of 306 to 81.

The BIOSECURE Act prohibits federal agencies from procuring or obtaining any biotechnology equipment or service produced or provided by a biotechnology company of concern. Subject to some exceptions, it also prohibits federal agencies from contracting with a company that uses equipment or services produced or provided by a biotechnology company of concern. Further, the Act prohibits recipients of a loan or grant from a federal agency from using federal funds to purchase equipment or services from a biotechnology company of concern.

The Senate version of BIOSECURE, sponsored by Sens. Gary Peters (D-MI) and Bill Hagerty (R-TN), was voted out of the Senate Committee on Homeland Security and Governmental Affairs with bipartisan support in March 2024. Given its passage in the House last night, the BIOSECURE Act is likely to be signed into law by the end of the year. The House version of BIOSECURE is likely to be the version that becomes law. President Biden is unlikely to veto the Act given its bipartisan support, his previous executive actions to support domestic biotechnology development, and his Administration’s approach towards competition with China.

The Act defines “biotechnology company of concern” as any entity that:

  • is subject to the jurisdiction, direction, control, or operates on behalf of the government of a foreign adversary (defined as China, Cuba, Iran, North Korea, and Russia);
  • is involved in the manufacturing, distribution, provision, or procurement of a biotechnology equipment or service; and
  • poses a risk to U.S. national security based on:
    • engaging in joint research with, being supported by, or being affiliated with a foreign adversary’s military, internal security forces, or intelligence agencies;
    • providing multiomic data obtained via biotechnology equipment or services to the government of a foreign adversary; or
    • obtaining human multiomic data via the biotechnology equipment or services without express and informed consent.

Somewhat unusually, the Act names specific Chinese companies as automatically qualifying as “biotechnology companies of concern”:

  • BGI (formerly known as the Beijing Genomics Institute);
  • MGI;
  • Complete Genomics;
  • WuXi AppTec; and
  • WuXi Biologics.

Both categories include any subsidiary, parent, affiliate, or successor entities of biotechnology companies of concern.

The Act also has very broad definitions of “biotechnology equipment or service.” The definition of equipment encompasses any machine, device, or subcomponent, including software that is “designed for use in the research, development, production, or analysis of biological materials.” The definition of services is similarly broad.

The BIOSECURE Act also requires the Office of Management and Budget (OMB) to publish a list of additional biotechnology companies of concern. The list is prepared by the Secretary of Defense in coordination with the Secretaries of the Departments of Health and Human Services, Justice, Commerce, Homeland Security, and State, as well as the Director of National Intelligence and National Cyber Director. This list of companies must be published by OMB within one year of BIOSECURE’s enactment and reviewed annually by OMB in consultation with the other Departments.

Guidance and Regulatory Authorities

OMB is also tasked with developing guidance and has 120 days from enactment of the statute to do so for the named companies. For the list of biotechnology companies of concern, OMB’s guidance must be established within 180 days after the development of the list.

Beyond OMB, the Act requires the Federal Acquisition Regulatory Council to revise the Federal Acquisition Regulation (FAR) to incorporate its prohibitions. The FAR regulations must be issued within one year of when OMB establishes its guidance.

For named companies the Act’s prohibitions are effective 60 days after the issuance of the FAR regulations. For companies placed on the biotechnology company of concern list, the effective date for the Act’s prohibitions is 80 days after the issuance of FAR regulations.

Impact on Existing Business Relationships

In response to stakeholder concerns about disrupting existing commercial relationships and triggering delays in drug development, the House version of the BIOSECURE Act provides a five-year unwinding period for contracts and agreements entered into before the Act’s effective dates. Contracts entered into after the Act’s effective dates do not qualify for the five-year unwinding period.

Process for Designating Companies

BIOSECURE specifies the process for designating a biotechnology company of concern. Critically, the Act does not require OMB to notify a company prior to the Department of Defense making the designation. Rather, a company will receive notice that it is being designated and placed on the biotechnology company of concern list. Moreover, the criteria for listing will only be provided “to the extent consistent with national security and law enforcement interests.” Thus, companies may face a circumstance where they are not provided the evidence supporting their designation.

Once a company receives the notice, it will have 90 days to submit information and arguments opposing the listing. The Act does not require a hearing or any formal administrative process. If practicable, the notice may also include steps the company could take to avoid being listed, but it is not required.

Safe Harbor, Waivers and Exceptions

The Act only has one safe harbor for biotechnology equipment or services that were formerly but no longer provided or produced by a biotechnology company of concern. This safe harbor seems intended to allow a biotechnology company of concern to sell their ownership of a product or service to another company without prohibitions applying to the new owner.

Agency heads may waive the Act’s prohibitions on a case-by-case basis, but only with the approval of OMB acting “in coordination with the Secretary of Defense.” Waivers must be reported to Congress within 30 days of being granted. The waiver may last for up to a year with an additional “one time” extension of 180 days allowed if an agency head determines it is “in the national security interests of the United States.” The 180-day extension must be approved by OMB and the agency head must notify and submit a justification to Congress within 10 days of the waiver being granted.

The Act has only two exceptions. First, its prohibitions do not apply to intelligence activities. Second, the prohibitions do not apply to health care services provided to federal employees, members of the armed services, and government contractors who are stationed in a foreign country or on official foreign travel.

Impact and Considerations for Clients

1. Increased Risk of Partnerships with Chinese Companies and Researchers:

Pharmaceutical and biotechnology companies that receive federal funding or contract with federal agencies should be prepared to wind down business ties to biotechnology companies in China. Impacted companies need to begin evaluating the risk to their supply chains, manufacturing capacity, and R&D pipelines in the event a business partner is listed.

Universities in the United States and other research institutes that receive federal funding will also need to undertake a similar assessment of their research partners and collaborators based in China.

2. Loss of CDMO capacity:

WuXi AppTec is a large, global provider of contract development and manufacturing (CDMO) services to the life sciences industry. According to the New York Times, “[b]y one estimate Wuxi has been involved in developing one-fourth of the drugs used in the United States.” BIOSECURE would effectively ban WuXi from conducting business in the United States, and if passed, risks causing delays, shortages, and cost increases as companies seek to transition to other CDMOs. It will likely take years for competitors to replace the lost CDMO capacity.

3. Fate of WuXi U.S. Facilities:

WuXi has a large presence in the United States. It operates 12 facilities and employs almost 2,000 people. Normally, WuXi would be expected to sell its U.S.-based facilities. However, based on TikTok’s experience, it is unclear if the Government of China will permit WuXi to sell its facilities as opposed to dismantling and/or relocating facilities outside of the United States.

4. OMB’s Management of Biotechnology Companies of Concern List

OMB does not typically manage processes like the one envisioned by BIOSECURE. How OMB interprets the broad criteria for listing companies will be critical. Which Departments, beyond the Department of Defense, will have the greatest influence on OMB’s decision making and how open OMB is to evidence from companies seeking to avoid listing will also need to be watched closely. Until OMB starts preparing its guidance and the FAR regulations are proposed, it is hard to anticipate the rate at which new companies will be added to the list. How the process established by BIOSECURE will interact with or leverage existing entity lists will be another development to closely monitor.

5. Retaliation by China

BIOSECURE’s passage is likely to trigger a response from the Government of China. Responses could range from imposing its own export controls to using the country’s sweeping national security laws to harass United States businesses and their employees. Companies doing business in China, particularly those in the pharmaceutical or biotech industries, need to be prepared.

The Domestic Content Bonus Credit’s Promising New Safe Harbor

On May 16, 2024, the Internal Revenue Service (IRS) published Notice 2024-41 (Notice), which modifies Notice 2023-38 (Prior Notice) by providing a new elective safe harbor (Safe Harbor) that will allow taxpayers to use assumed domestic cost percentages in lieu of percentages derived from manufacturers’ direct cost information to determine eligibility for the domestic content bonus credit (Domestic Content Bonus). The Notice grants a promising reprieve to the Prior Notice’s relatively inflexible (and arguably impracticable) standard on seeking direct cost information from manufacturers, raising novel structuring considerations for energy producers, developers, investors and buyers.

The Notice also expands the list of technologies covered by the Prior Notice (Applicable Projects).

In this article, we share key takeaways from the Notice as they apply to energy producers, developers and investors and provide a brief overview of the Domestic Content Bonus as well as a high-level summary of the Notice’s substantive content.

IN DEPTH


KEY TAKEAWAYS FROM THE NOTICE

The Notice provides a key step forward in eliminating qualification challenges for the Domestic Content Bonus by providing an alternative to the Prior Notice’s stringent requirement of seeking direct cost information from manufacturers. In short, a taxpayer can aggregate the assumed percentages in the Notice that correspond with the US-made manufactured products in its project. If the total of the assumed percentages is greater than the manufactured product percentage applicable to such project (currently 40%), then the taxpayer is treated as satisfying the manufactured product requirement. Although the Notice promises forthcoming proposed regulations that could amend or override the Notice, this gives taxpayers time to appropriately interpret the latest rules and respond accordingly.

The new guidance’s impact will likely require restructuring to the existing development of energy projects as it relates to the Domestic Content Bonus. Below, we outline some key considerations for energy producers, developers, investors and buyers alike:

  • The Safe Harbor is expected to dramatically increase the availability of the Domestic Content Bonus. The Prior Notice’s challenging cost substantiation requirements left most industry participants on the sidelines. Initial feedback from developers, investors and credit buyers was extremely positive, and we have already seen fulsome renegotiation and speedy agreement between counterparties over domestic content contractual provisions in project documents.
  • While the Safe Harbor eliminates the requirement to seek direct cost information from manufacturers for certain Applicable Projects, a taxpayer’s obligations with respect to substantiation requirements for manufacturers’ US activities are not clear in the Notice. Given the standing federal income tax principles on recordkeeping and substantiation, taxpayers should carefully reconsider positions on diligence and review existing relationships with manufacturers.
  • Although the Notice expressly provides that the Safe Harbor is elective with respect to a specific Applicable Project, it’s unclear whether the Safe Harbor is extended by default to any and all of a taxpayer’s Applicable Projects upon election effect or whether an elective position is required with respect to each Applicable Project. Taxpayers, especially those with multiple Applicable Projects, should consider the various implications resulting from an elective position prior to reliance on the Safe Harbor.
  • For Safe Harbor purposes, the Notice provides a formula for computing a single domestic cost percentage for solar energy property and battery energy storage technologies that are treated as a single energy project (PV+BESS Project), but ambiguity exists as to whether such technologies should be aggregated for other purposes under the investment tax credit.
  • It’s unclear how the calculations would operate for repowered facilities given the assumed domestic cost percentage approach.
  • The Notice limits the Safe Harbor to solar photovoltaic, onshore wind and battery energy storage systems, leaving taxpayers with other types of Applicable Projects stranded with the Prior Notice. For example, the Notice does not cover renewable natural gas or fuel cell. The IRS seeks comments on whether the Safe Harbor should account for other technologies, the criteria and how often the list of technologies should be updated. Affected taxpayers should fully consider the requested comments and provide feedback as necessary.
  • The IRS seeks comments on various issues with respect to taxpayers who have a mix of foreign and domestic manufactured product components (mixed source items). Taxpayers with mixed source items that the Notice attributes as disregarded and entirely foreign sourced (notwithstanding the domestic portion) should take cautionary note and provide feedback as necessary.

BACKGROUND: THE DOMESTIC CONTENT BONUS CREDIT

The Inflation Reduction Act of 2022 spurred the creation of “adder” or “bonus” incentive tax credits. In pertinent part, Applicable Projects could further qualify for an increased credit (i.e., the Domestic Content Bonus) upon satisfaction of the domestic content requirement.

To qualify for the Domestic Content Bonus, taxpayers must meet two requirements. First, steel or iron components of the Applicable Project that are “structural” in nature must be 100% US manufactured (Steel or Iron Requirement). Second, costs associated with “manufactured components” of the Applicable Project must meet the “adjusted percentage” set forth in the Internal Revenue Code (Manufactured Products Requirement). For projects beginning construction before 2025, the adjusted percentage is 40%.

The Prior Notice provided guidance for meeting these requirements. Taxpayers should begin by identifying each “Applicable Project Component” (i.e., any article, material or supply, whether manufactured or unmanufactured, that is directly incorporated into an Applicable Project). Subsequently, taxpayers must determine whether the Applicable Project Component is subject to the Steel or Iron Requirement or the Manufactured Products Requirement.

If the Applicable Project Component is steel or iron, it must be 100% US manufactured with no exception. If the Applicable Project Component is a manufactured product, such component and its “manufactured product components” must be tested as to whether they are US manufactured. If the manufactured product and all its manufactured product components are US manufactured, then the manufacturer’s cost of the manufactured product is included for purposes of satisfying the adjusted percentage. If any of the manufactured product or its manufactured product components are not US manufactured, only the cost to the manufacturer of any US manufactured product components is included.

The core tension lies in sourcing the total costs from the manufacturer of the manufactured product or its manufactured product components. There’s a substantiation requirement on the taxpayer imposed by the Prior Notice, but there’s also a shroud of secrecy from the corresponding manufacturer.

Apparently acknowledging the need for reconciliation, the Notice aims to pave a promising path for covered technologies (i.e., solar, onshore wind and battery storage).

THE MODIFICATIONS: A PROMISING PATH FOR THE DOMESTIC CONTENT BONUS CREDIT

NEW ELECTIVE SAFE HARBOR

Generally

The Safe Harbor allows a taxpayer to elect to assume the domestic percentage costs (assumed cost percentages) for manufactured products. Importantly, the election eliminates the requirement for a taxpayer to source a manufacturer’s direct costs with respect to the taxpayer’s Applicable Project and instead allows for the reliance on the assumed cost percentages. The Notice prohibits any partial Safe Harbor reliance, meaning taxpayers who elect to use the Safe Harbor must apply it in its entirety to the Applicable Project for which the taxpayer makes such election.

The Safe Harbor only applies to the Applicable Projects of solar photovoltaic facilities (solar PV), onshore wind facilities and battery energy storage systems (BESS). Taxpayers with other technologies must continue to comply with the Prior Notice. Notably, the Notice expands Solar PV into four subcategories: Ground-Mount (Tracking), Ground-Mount (Fixed), Rooftop (MLPE) and Rooftop (String), each having differing assumed cost percentages for the respective manufactured product component. Similarly, BESS is expanded into Grid-Scale BESS and Distributed BESS, each with differing assumed cost percentages for the respective manufactured product component.

For solar PV, onshore wind facilities and BESS, the Safe Harbor provides a list via Table 1[1] (Safe Harbor list) that denotes each relevant manufactured product component with its corresponding assumed cost percentage. Each manufactured product component (and steel or iron component) is classified under a relevant Applicable Project Component.

Of note are the disproportionately higher assumed cost percentages of certain listed components within the Safe Harbor list. For solar PV, cells under the PV module carry an assumed cost percentage of 36.9% (Ground-Mount (Tracking)), 49.2% (Ground-Mount (Fixed)), 21.5% (Rooftop (MLPE)) or 30.8% (Rooftop (String)).

For onshore wind facilities, blades and nacelles under wind turbine carry an assumed cost percentage of 31.2% and 47.5%, respectively.

For BESS, under battery pack, Grid-scale BESS cells and Distributed BESS packaging carry an assumed cost percentage of 38.0% and 30.15%, respectively. Accordingly, projects incorporating US manufactured equipment in these categories are likely to meet the Manufactured Products Requirement with little additional spend. Conversely, projects without these components are unlikely to satisfy the threshold.

Mechanics of the Safe Harbor

Reliance on the Safe Harbor is a simple exercise of component selection and subsequent assumed cost percentage addition. Put more specifically, a taxpayer identifies the Applicable Project on the Safe Harbor list and assumes the list of components within (without regard to any components in the taxpayer’s project that are not listed). Then, the taxpayer (i) identifies which of the components within the Safe Harbor list are in their project, (ii) confirms that any steel or iron components on the Safe Harbor list fulfill the Steel or Iron Requirement, and (iii) sums the assumed cost percentages of all identified listed components that are 100% US manufactured to determine whether their Applicable Project meets the relevant adjusted percentage threshold.

The Notice addresses nuances in situations involving mixed 100% US manufactured and 100% foreign manufactured components that are of like-kind, component production costs and treatment for PV+BESS Projects.

The Notice also provides that a taxpayer adjusts for a mix of US manufactured and foreign manufactured components by applying a weighted formula to account for the foreign components.

Consistent with the Prior Notice, the Notice provides that the assumed cost percentage of “production” costs may be summed and included in the domestic cost percentage only if all the manufactured product components of a manufactured product are 100% US manufactured.

Lastly, in accordance with the view that a PV+BESS Project is treated as a single project, the Notice provides that a taxpayer may use a weighted formula to determine a single domestic content percentage for the project.

The numerator is the sum of the (i) aggregated assumed cost percentages of the manufactured product components that constitute the solar PV multiplied by the solar PV nameplate capacity and (ii) aggregated assumed cost percentages of the manufactured product components that constitute BESS multiplied by the BESS nameplate capacity and the “BESS multiplier.” The BESS multiplier converts the BESS nameplate capacity into proportional equivalency (i.e., equivalent units) to the solar PV nameplate capacity. The denominator is the sum of the solar PV nameplate capacity and the BESS nameplate capacity. Divided accordingly, the final fraction constitutes the single domestic content percentage that the taxpayer uses to determine whether its PV+BESS Project meets the relevant manufactured product adjusted percentage threshold.

Additionally, the Notice confirms that taxpayers can ignore any components not included in the Safe Harbor list. Compared with the Prior Notice, this can be a benefit for taxpayers with non-US manufactured products that are not on the Safe Harbor list. Conversely, for taxpayers with US manufactured products that are not on the Safe Harbor list, they lose the benefit of including such costs in the Manufactured Products Requirement. However, this is mostly a benefit because it eliminates any ambiguity surrounding the treatment of components not listed in the Prior Notice.

EXPANSION OF COVERED TECHNOLOGIES

The Notice adds “hydropower facility or pumped hydropower storage facility” to the list of Applicable Projects as a modification to Table 2 in the Prior Notice. The modification is complete with a list of a hydropower facility or pumped hydropower storage facility’s Applicable Project Components that are delineated as either steel or iron components or manufactured products, though no assumed cost percentages are provided. Further, the Prior Notice’s “utility-scale photovoltaic system” is redesignated as “ground-mount and rooftop photovoltaic system.”

CERTIFICATION

To elect to rely on the Safe Harbor, in its domestic content certification statement, a taxpayer must provide a statement that says they are relying on the Safe Harbor. This is submitted with the taxpayer’s tax return.

RELIANCE AND COMMENT PERIOD

Taxpayers may rely on the rules set forth in the Notice and the Prior Notice (as modified by the Notice) for Applicable Projects, the construction of which begins within 90 days after the publication of intended forthcoming proposed regulations.

Comments should be received by July 15, 2024.

CONCLUSION

While this article provides a high-level summary of the substantive content in the Notice, the many potential implications resulting from these developments merit additional attention. We will continue to follow the development of the guidance and provide relevant updates as necessary.

COVID-19: IRS Extends Production Tax Credit/Investment Tax Credit Safe Harbors

On May 27, 2020, the IRS issued Notice 2020-41, which responds to industry-wide supply chain disruptions due to the COVID-19 pandemic by giving renewable energy developers additional time to complete their projects. Most importantly, the Notice extends two safe harbors applicable to the renewable energy production tax credit (PTC) and investment tax credit (ITC).

First, the “Continuity Safe Harbor” is extended from four years to five years for projects that began construction in 2016 or 2017. Developers that put the project in service by the end of the fifth calendar year after the year construction began will be deemed to meet the continuous construction requirement.

Second, relief is provided for developers that intend to meet the beginning construction requirement by incurring 5% of project costs, i.e., by making payments for services or property they reasonably expected to receive within 3½ months (a/k/a the 3½ Month Rule). Developers that pay for services or property on or after September 16, 2019 and actually receive the services or property by October 15, 2020, will be deemed to satisfy the 3½ Month Rule.

This relief is available to developers of wind, solar, biomass, geothermal, landfill gas, trash, hydropower, fuel cells, microturbines, and combined heat and power systems.


©2020 Pierce Atwood LLP. All rights reserved.


Announcement of "Privacy Shield" Gives Hope for U.S. Companies Who Previously Relied on Safe Harbor

We have previously discussed the EU Court of Justice’s invalidation of the long-standing Safe Harbor program, previously relied on by many organizations as a means of authorizing transfers of EU citizens’ private data to the United States. U.S. companies eagerly awaited news of a replacement for Safe Harbor and kept a close watch as the January 31, 2016, grace period on enforcement announced by the EU Article 29 Working Party expired. News of a new framework broke in early February and the European Commission released extensive documentation revealing the details of Safe Harbor’s proposed replacement – the EU-U.S. Privacy Shield program (Privacy Shield) – on February 29, 2016.

Privacy Shield encompasses seven principles for assuring adequate protection when transferring and processing personal data originating in the European Union. Similar to Safe Harbor, organizations can self-certify their compliance with these principles, provided they (1) commit to the U.S. Department of Commerce that they will adhere to the Privacy Shield Principles, (2) publicly declare their commitment to the Privacy Shield Principles, and (3) actually implement the Principles. Once compliance is certified, organizations may seek inclusion on the Department of Commerce’s list of certified organizations, effectively authorizing them to transfer the personal data of EU residents to the United States.

Privacy Shield Principles

  1. Notice. Privacy Shield requires organizations to provide notice regarding the type of data collected, the purposes for which it is collected, any third parties to which the data may be transferred, individuals’ right to access their data, and how individuals can limit use and disclosure of personal data. The organization also must provide notice of its participation in Privacy Shield, acknowledge applicable enforcement authorities and describe recourse mechanisms available.

  2. Choice. Organizations must provide clear, conspicuous and readily available mechanisms allowing individuals to opt out of any disclosure of their personal data to third parties, or use of their personal data other than the purpose(s) for which it was initially collected or subsequently authorized by the individual. Certain sensitive information will require individuals to opt in affirmatively.

  3. Security. As under Safe Harbor, participating organizations must take “reasonable and appropriate measures,” based on the risks involved and the nature of the personal data, to protect the data “from loss, misuse and unauthorized access, disclosure, alteration and destruction.”

  4. Access. Privacy Shield–certified organizations must provide individuals with access to and the opportunity to correct, amend or delete inaccurate or improperly processed personal data. Individuals also must be allowed to confirm that their personal data is being processed. An organization may restrict access to data “in exceptional circumstances.”

  5. Data Integrity and Purpose Limitation. Privacy Shield requires not only that any data collected be “relevant for the purposes of processing” but also that organizations limit collection to relevant data only. Participating organizations also must “take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current.”

  6. Accountability for Onward Transfer. Certified organizations’ contracts with third parties receiving personal data must require that such data “may only be processed for limited and specified purposes” consistent with the level of consent given by the data subject. Third-party transferees also must agree to “provide the same level of protection as the [Principles].” Certified organizations also must “take reasonable and appropriate steps” to ensure third-party agents adhere to the Principles, and are required to stop and remediate any unauthorized processing by third parties, if necessary. Importantly, with limited exceptions, certified organizations remain liable to data subjects for any vendor’s violation of the Principles.

  7. Recourse, Enforcement and Liability. Perhaps Privacy Shield’s most significant new features are its recourse and dispute resolution provisions. Complaint-handling processes must be implemented to obtain Privacy Shield certification. To ensure effective enforcement, Privacy Shield requires (1) procedures for verifying representations made about privacy practices, (2) recourse for data subjects and (3) remedies for failures to comply with the Principles. These newly required “independent recourse mechanisms” are empowered to provide remedies separate from regulators’ enforcement authority.

Legal Safeguards

Because the extent of U.S. government surveillance of personal data was a primary reason why the Safe Harbor program was invalidated, in support of Privacy Shield the U.S. Office of the Director of National Intelligence and the U.S. Department of Justice have furnished letters outlining the legal safeguards that will limit U.S. government access to personal data transferred pursuant to Privacy Shield. In addition, the U.S. Secretary of State is set to appoint a Privacy Shield Ombudsperson, who will be responsible for handling European complaints regarding whether personal data transferred under Privacy Shield has been accessed by U.S. intelligence activities.

In addition, the Judicial Redress Act of 2015, signed into law on February 24, 2016, allows EU citizens to bring civil actions against U.S. government agencies under the Privacy Act of 1974 to access, amend or correct records about them or seek redress for the unlawful disclosure of those records.

Certification and Compliance

Privacy Shield is expected to be approved by the European Commission later this year and published in the Federal Register shortly thereafter. Organizations that self-certify within the first two months following publication will be given nine months to bring all third-party relationships into compliance. Two months after the effective date, the Principles become binding on an organization immediately upon certification. Privacy Shield will thereafter undergo annual joint reviews by EU and U.S. authorities.

All organizations that intend to become Privacy Shield certified are strongly encouraged to immediately begin updating their policies to meet Privacy Shield’s heightened obligations, including reviewing their third-party agreements to ensure compliance.

© 2016 Wilson Elser


IRS Expands Ability of Safe Harbor Plan Sponsors to Make Mid-Year Changes

The Internal Revenue Service (IRS) recently issued Notice 2016-16, which provides safe harbor 401(k) plan sponsors with increased flexibility to make mid-year plan changes.  Notice 2016-16 sets forth new rules for when and how safe harbor plan sponsors may amend their plans to make mid-year changes, a process which traditionally has been subject to significant restrictions.

Background

“Safe harbor” 401(k) plans are exempt from certain nondiscrimination tests (the actual deferral percentage (ADP) and actual contribution percentage (ACP) tests) that otherwise apply to employee elective deferrals and employer matching contributions.  In return for these exemptions, safe harbor plans must meet certain requirements, including required levels of contributions, the requirement that plan sponsors provide the so-called “safe harbor notice” to participants, and the requirement that plan provisions remain in effect for a 12-month period, subject to certain limited exceptions.

Historically, the IRS has limited the types of changes that a safe harbor plan sponsor may make mid-year due to the requirement that safe harbor plan provisions remain in effect for a 12-month period.  The 401(k) regulations provide that the following mid-year changes are prohibited, unless applicable regulatory conditions are met:

  • Adoption of a short plan year or any change to the plan year

  • Adoption of safe harbor status on or after the beginning of the plan year

  • The reduction or suspension of safe harbor contributions or changes from safe harbor plan status to non-safe harbor plan status

The IRS has occasionally published exceptions to the limitations on mid-year changes.  For example, plan sponsors were permitted to make mid-year changes to cover same-sex spouses following the Supreme Court of the United States’ decision in United States v. Windsor in 2013.

Aside from these limited exceptions, safe harbor plan sponsors were generally not permitted to make mid-year changes.  This led to some difficulties for plan sponsors, particularly in situations where events outside the plan sponsor’s control might ordinarily cause a plan sponsor to want to make a mid-year plan change.

Permissible Mid-Year Changes

Notice 2016-16 clarifies that certain changes to safe harbor plans made on or after January 29, 2016, including changes that alter the content of a plan’s required safe harbor notice, do not violate the safe harbor qualification requirements simply because they occur mid-year.  A “mid-year change” for this purpose includes (1) a change that is first effective during a plan year, but not effective at the beginning of a plan year, or (2) a change that is effective retroactive to the beginning of the plan year, but adopted after the beginning of the plan year.

Mid-year changes that alter the plan’s required safe harbor notice content must meet two additional requirements:

  1. An updated safe harbor notice that describes the mid-year change and its effective date must be provided to each employee required to receive a safe harbor notice within a reasonable period before the effective date of the change.  The timing requirement is deemed satisfied if the notice is provided at least 30 days, and no more than 90 days, before the effective date of the change.

  2. Each employee required to be provided a safe harbor notice must also have a reasonable opportunity (including a reasonable time after receipt of the updated notice) before the effective date of the mid-year change to change the employee’s cash or deferred election.  Again, this timing requirement is deemed satisfied if the election period is at least 30 days.

Mid-year changes that do not alter the content of the required safe harbor notice do not require the issuance of a special safe harbor notice or a new election opportunity.

Prohibited Mid-Year Changes

Certain mid-year changes remain prohibited, including:

  • A mid-year change to increase the number of years of service that an employee must accrue to be vested in the employee’s account balance under a qualified automatic contribution arrangement (QACA) safe harbor plan

  • A mid-year change to reduce the number of employees eligible to receive safe harbor contributions

  • A mid-year change to the type of safe harbor plan, such as changing from a traditional 401(k) safe harbor plan to a QACA

  • A mid-year change to modify or add a matching contribution formula, or the definition of compensation used to determine matching contributions if the change increases the amount of matching contributions

  • A mid-year change to permit discretionary matching contributions

In addition, mid-year changes that are already subject to conditions under the 401(k) and 401(m) regulations (including changes to the plan year, the adoption of safe harbor status mid-plan year, and the reduction or suspension of safe harbor contributions, as described above) are still prohibited, unless applicable regulatory conditions are met.  These changes are also not subject to the special notice and election opportunity requirements.

Conclusion

Notice 2016-16 fundamentally changes the rules regarding mid-year changes to safe harbor 401(k) plans.  Prior to Notice 2016-16, mid-year changes were assumed to be impermissible, subject to the limited exceptions described above.  Going forward, however, mid-year changes that are not specifically prohibited are permitted, so long as the notice requirements, where applicable, are met, and other regulatory requirements are not violated.

Notice 2016-16 should prove particularly helpful for safe harbor plan sponsors that have struggled with the limitations imposed on safe harbor plans by the inability to make mid-year changes when non-safe harbor plans would do so (for example, if a record-keeper changes administrative procedures or other events outside the plan sponsor’s control require mid-year changes).  However, safe harbor plan sponsors wishing to make mid-year changes will still need to consult with advisors to determine whether a proposed amendment is permissible, or whether the amendment is subject to additional regulatory requirements.  In addition, plan sponsors wishing to make a mid-year change that would alter the plan’s required safe harbor notice content must assume the additional cost of issuing a special safe harbor notice and must plan ahead to make sure the supplemental notice is delivered on time.

The IRS is also requesting comment on additional guidance that may be needed with respect to mid-year changes to safe-harbor plans, and specifically as to whether additional guidance is needed to address mid-year changes relating to plan sponsors involved in mergers and acquisitions or to plans that include an eligible automatic contribution arrangement under Section 414(w) of the Internal Revenue Code.  Comments may be submitted in writing not later than April 28, 2016.

Department of Commerce Releases Fact Sheet on EU-U.S. Privacy Shield

As we reported yesterday, the United States and the European Commission have reached a political agreement on a new framework for transatlantic data flows, referred to as the EU-U.S. Privacy Shield.  The U.S. Department of Commerce (“Commerce”) released a fact sheet yesterday to coincide with the announcement of the agreement.

The fact sheet includes a series of bullet points listing ways in which the Privacy Shield (1) “significantly improves commercial oversight and enhances privacy protections,” and (2) “demonstrates the U.S. Commitments to limitations and safeguards on national security.”  On the first point, Commerce states that “EU individuals will have access to multiple avenues to resolve concerns,” including alternative dispute resolution at no cost to individuals.  In addition, Commerce “will step in directly and use best efforts to resolve referred complaints” using a “special team with significant new resources.”  On the second point, the fact sheet references President Obama’s executive actions to enhance privacy protections and oversight relating to U.S. government surveillance activities.  Finally, Commerce states that “the United States is making the commitment to respond to appropriate requests” regarding U.S. intelligence activity, in a manner that is consistent with national security obligations.

Agreement Reached on New EU-U.S. Safe Harbor: the EU-U.S. Privacy Shield

On February 2nd, 2016, the European Commission and U.S. Government reached political agreement on the new framework for transatlantic data flows.  The new framework – the EU-U.S. Privacy Shield – succeeds the EU-U.S. Safe Harbor framework (for more on the Court of Justice of the European Union decision in the Schrems case declaring the Safe Harbor invalid, see our earlier post here).  The EU’s College of Commissioners has also mandated Vice-President Ansip and Commissioner Jourová to prepare the necessary steps to put in place the new arrangement.

The EU-U.S. Privacy Shield

According to the Commission press release, there will be several new elements to the EU-U.S. Privacy Shield, as compared with the invalidated EU-U.S. Safe Harbor framework.  For instance, in addition to subjecting participating U.S. companies to certain as-yet unspecified safeguards, the Privacy Shield will include:

  • An annual joint review of the program performed by the European Commission and U.S. Department of Commerce – to which European data protection authorities will be invited – to ensure its proper functioning.  This will include a review of access by U.S. intelligence agencies to EU-originating data.

  • Enhanced rights of redress for European data subjects, including (i) subjecting U.S. organizations to firmer deadlines when responding to complaints, (ii) allowing EU citizens and EU data protection authorities to refer complaints to the U.S. Department of Commerce and the U.S. Federal Trade Commission, (iii) establishing, as a last resort, a new binding alternative dispute resolution mechanism to resolve complaints that will be voluntary and free to data subjects, capable of issuing binding injunctive orders, and subject to judicial review consistent with the U.S. Federal Arbitration Act, and (iv) creating a new “Ombudsperson” within the U.S. State Department to handle complaints – channeled through EU Member State representatives – that relate to U.S. intelligence agencies’ access to data.  Disputes relating to human resources/employee data will remain subject to an alternative process that entails somewhat closer involvement of EU data protection authorities, similar to the current Safe Harbor.

Moreover, it is reported that the U.S. Director of National Intelligence will confirm by official letter to the EU that U.S. intelligence agencies do not engage in “indiscriminate mass surveillance” of data transferred under the new arrangement.

The Privacy Shield is expected to retain or enhance many of the elements contained in the original Safe Harbor framework, including substantive commitments made by U.S. companies on such matters as furnishing appropriate notices to EU citizens, maintaining the security of transferred data, and tightened restrictions on onward transfers.  The precise nature of these obligations is not yet known, but will become clearer in the weeks ahead.

Next steps

The EU College of Commissioners has mandated Vice-President Ansip and Commissioner Jourová to, over the coming weeks, prepare a draft Decision declaring the U.S. to ensure an adequate level of protection.  The adoption of such a Decision by the Commission must follow a “comitology” procedure which will involve:

  • a proposal from the Commission;

  • an opinion by EU Member States’ data protection authorities and the European Data Protection Supervisor (“EDPS”), in the framework of the Article 29 Working Party;

  • an approval from the “Article 31 Committee”, composed of representatives of Member States, under the comitology “examination procedure”;

  • the formal adoption of the Decision by the College of Commissioners;

  • at any time, the European Parliament and the Council may request the Commission to maintain, amend or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for in the Directive.

The effect of such a Commission Adequacy Decision is that personal data can flow from the 28 EU countries and three EEA member countries (Norway, Liechtenstein and Iceland) to the U.S. without any further safeguards being necessary.

Commissioner Jourová hopes for the new arrangement to be in force in approximately 3 months’ time.  The U.S. Government, in the meantime, will make the necessary preparations to put in place the new framework, monitoring mechanisms, and new Ombudsperson.

Tomorrow (February 3rd, 2016), Commissioner Jourová will attend the plenary meeting of the Article 29 Working Party to discuss the role of the EU data protection authorities under the EU-U.S. Privacy Shield.  The U.S. Department of Commerce is, in parallel, planning further briefings about the text.

Are UK-to-US employee data transfers sunk by ECJ’s torpedoing of Safe Harbor regime?

So there it is – in a tremendous boost for transatlantic relations, the European Court of Justice has decided that America is not to be trusted with the personal data of EU residents.  That is not exactly the way the decision is phrased, of course, which (so far as relevant to UK HR) is more like this:

Under the Eighth Principle of the UK’s Data Protection Act (and all or most of its EU cousins) the personal data of your employees can be transferred outside the EU only where the recipient country ensures an adequate level of protection for the rights and freedoms of data subjects.

Until now an EU employer has been able to rely in this respect on a US company’s registration with the Safe Harbor (sic) scheme, a series of commitments designed to replicate the safeguards of EU law for that data.  As of this week, however, that reliance has been deemed misplaced – the ability and tendency of the US security agencies to access personal data held by US employers has been found to compromise those commitments beyond immediate repair.  In addition, one of the EU “model clauses” which can legitimise international data transfers requires the US recipient to confirm that it is aware of no legislation which could compel it to disclose that personal data to third parties without the employee’s consent.  New US laws enacted to boost homeland security mean that this can simply no longer be said.  Therefore Safe Harbor has been comprehensively blown up and can no longer be used as automatic air-cover for employee data transfers to the US.

This creates two immediate questions for HR in the UK.  First, what exposure do we have for past data transfers to the US on a basis which is now shown to be illegitimate?  Second, what do we do about such transfers starting now?

  • Don’t panic! To make any meaningful challenge out of this issue, the UK employee would need to show some loss or damage arising out of that transfer.  In other words, even if the data has been used in the US as the basis for a negative decision about him (dismissal or demotion or no bonus), the employee would need to show that that decision would have been more favourable to him if it had been taken by the same people based on the same data but physically within the EU.  Clearly a pretty tough gig.

Second, all this case does is remove the presumption that Safe Harbor registrants are safe destinations – it does not prove that they are not, either now or historically.  The question of adequacy of protection is assessed by reference to all the circumstances of the case, including the nature of the personal data sent, why it is sent to the US and what relevant codes of conduct and legislative protections exist there.

Last, Schedule 4 of the DPA disapplies the Eighth Principle where the data subject (the employee) has given his consent to the international transfer, or where the transfer is necessary for the entering or performance of the employment contract between the employee and the UK employer.  It will rarely be the case that neither of these exceptions applies.

If you have not previously had complaints from your UK employees that their personal data has been misused/lost/damaged in the US, nothing in this decision makes that particularly likely now.

  • Still don’t panic.

  • However, do be aware that this case is likely to lead to stricter precautions being required to ensure that what is sent to the US is genuinely only the bare minimum.

  • On its face, Schedule 4 should allow most reasonable international transfers of employee data anyway, pretty much regardless of what level of protection is offered in the destination country. However, there is a strong body of opinion, especially in Continental Europe, that reliance on this provision alone is unsafe and that it is still appropriate for the EU employer to take specific steps (most usually, some form of data export agreement with its US parent) to satisfy itself that a reasonable level of protection for that data exists. It may also wish to be seen to reconsider how far those HR decisions need to be made in the US at all, and whether EU employee data could be kept on an EU-based server if that is not currently the case.

  • To the extent that employment contracts do not already include it, amend them to include an express consent to the transfer of relevant personal data to the US (but do note another possible avenue of attack much mulled-over in Europe, i.e. that consent in an employment contract is not freely given because the job hangs upon it). Last, be seen to prune the UK employee data you do hold in the US back to what is strictly necessary and get rid of stuff which is no longer (if it ever was) relevant to the performance of the employment contract.

© Copyright 2015 Squire Patton Boggs (US) LLP

EU Official Calls for Invalidation of EU–U.S. Safe Harbor Pact

A European Court of Justice (ECJ) advocate general, Yves Bot, has called for the European Union–U.S. Safe Harbor Agreement to be invalidated due to concerns over U.S. surveillance practices (press release here, opinion here). The ECJ has discretion to reject the recommendation, but such opinions are generally followed. A final decision on the issue is expected to be issued late this year or next year.

The issue arises out of the claims of an Austrian law student, Max Schrems, who challenged Facebook’s compliance with EU data privacy laws. (The case is Schrems v. (Irish) Data Protection Commissioner, ECJ C-362/14.) He claims that the Safe Harbor Framework fails to guarantee “adequate” protection of EU citizen data in light of the U.S. National Security Agency’s (NSA) surveillance activities. Although the Irish data protection authority rejected his claim, he appealed and the case was referred to the ECJ.

The European Data Protection Directive prohibits data of EU citizens from being transferred to third countries unless the privacy protections of the third countries are deemed adequate to protect EU citizens’ data. The U.S. and EU signed the Safe Harbor Framework in 2000, which permits companies to self-certify to the U.S. Department of Commerce (DOC) annually that they abide by certain privacy principles when transferring data outside the EU. Companies must agree to provide clear data privacy and collection notices and offer opt-out mechanisms for EU consumers.

In 2013, former NSA contractor Edward Snowden began revealing large-scale interception and collection of data about U.S. and foreign citizens from companies and government sources around the globe. The revelations, which continue, have alarmed officials around the world, and already prompted the European Commission to urge more stringent oversight of data security mechanisms. The European Parliament voted in March 2014 to withdraw recognition from the Safe Harbor Framework. Apparently in response to the concern, the Federal Trade Commission (FTC) has taken action against over two dozen companies for failing to maintain Safe Harbor certifications while advertising compliance with the Framework, and in some cases claiming compliance without ever certifying in the first place. For more, see here (FTC urged to investigate companies), here (FTC settles with 13 companies in August 2015), and here (FTC settles with 14 companies in July 2014).

Advocate General Bot does not appear to have been mollified by the U.S. efforts, however. He determined that “the law and practice of the United States allow the large-scale collection of the personal data of citizens of the [EU,] which is transferred under the [S]afe [H]arbor scheme, without those citizens benefiting from effective judicial protection.” He concluded that this amounted to interference in violation of the right to privacy guaranteed under EU law, and that, notwithstanding the European Commission’s approval of the Safe Harbor Framework, EU member states have the authority to take measures to suspend data transfers between their countries and the U.S.

While the legal basis of that opinion may be questioned, and larger political realities regarding the ability to negotiate agreements between the EU and the U.S. are at play, if followed by the ECJ, this opinion would make it extremely difficult for companies to offer websites and services in the EU. This holds true even for many EU companies, including those that may have cloud infrastructures that store or process data in U.S. data centers. It could prompt a new round of negotiations by the U.S. and European Commission to address increased concerns in the EU about surveillance.

Congressional action already underway may help release some tension, with the House Judiciary Committee unanimously approving legislation that would give EU consumers a judicial right of action in the U.S. for violations of their privacy. This legislation was a key requirement of the EU in an agreement in principle that would allow the EU and U.S. to exchange data between law enforcement agencies during criminal and terrorism investigations.

Although the specific outcome of this case will not be known for months, the implications for many businesses are clear: confusion and continued change in the realms of privacy and data security, and uncertainty about the legal rules of the game. Increased fragmentation across the EU may result, with a concomitant need to keep abreast of varying requirements in more countries. Change and lack of harmonization is surely the new normal now.

© 2015 Keller and Heckman LLP