Trade Law

On February 2, 2017, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued Cyber-related General License (GL) 1, a general license that authorizes certain transactions with Russia’s Federal Security Service (Federalnaya Sluzhba Bezopasnosti or FSB).  GL 1 authorizes U.S. persons (i.e., individuals and companies) to request, receive, use, pay for or deal in licenses, permits, certifications, or notifications issued or registered by the FSB for information technology (IT) products in Russia, provided that (i) the relevant IT goods or technology are subject to the U.S. Export Administration Regulations (EAR) and are licensed or otherwise authorized by the U.S. Department of Commerce’s Bureau of Industry and Security (BIS); and (ii) payment of fees to the FSB for such licenses and other authorization or notification does not exceed $5,000 in any calendar year. GL 1 also authorizes transactions or activities that are necessary and ordinary incident to complying with law enforcement or administrative actions or investigations involving the FSB or rules and regulations administered by the FSB.

Overview of Actions Taken by the United States

On December 29, 2016, President Obama announced that he was sanctioning nine individuals and entities: the Main Intelligence Directorate (aka Glavnoe Razvedyvatel’noe Upravlenie) (GRU) and the Federal Security Service (aka Federalnaya Sluzhba Bezopasnosti) (FSB), two Russian intelligence services; four individual officers of the GRU; and three companies that were stated to have provided material support to the GRU’s cyber operations. In addition, two Russian individuals were sanctioned for using cyber-enabled means to cause misappropriation of funds and personal identifying information. These actions mark the first expansion of the Specially Designated Nationals (SDN) List to include entities and individuals under the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) cybersecurity program since it was established on April 1, 2015. The 2015 client alert can be found here.

On December 23, 2016, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued a Final Rule amending the Iranian Transactions and Sanctions Regulations, 31 C.F.R. Part 560 (ITSR) to expand the scope of permissible exports/re-exports of medicine, medical devices and agricultural commodities to Iran. 

On August 1, 2016, the Department of Commerce began accepting applications for self-certification under the new Privacy Shield requirements. Privacy Shield was approved by the European Union (EU) on July 12, 2016, and replaces Safe Harbor, which had been widely used as a mechanism to transfer personal data from EU nations to the United States until invalidated by a 2015 court decision. The Department of Commerce will review the filings and self-certifications that it receives to check conformity with Privacy Shield, including ensuring that there is a privacy policy that incorporates the necessary information and that there are operative and adequate recourse mechanisms in place.

On April 3, 2016, it became public that an anonymous source had leaked 11 million confidential documents, known as the “Panama Papers,” belonging to the Panama-headquartered international law firm Mossack Fonseca. As more of the Panama Papers become public over the coming months, they will raise a host of issues for parties identified in the papers, as well as the business partners, customers, suppliers and other entities connected to those parties. This alert summarizes key legal issues for consideration as companies attempt to understand, assess and mitigate the potential impact and exposure of the Panama Papers on their business.

Wednesday, February 3, brought additional developments pertaining to the transfer of personal data from the EU to the U.S. consistent with EU privacy law. Just one day prior, we reported on the announcement by the EU and U.S. of an agreement called the EU-U.S. Privacy Shield (Privacy Shield), which is intended to replace the Safe Harbor arrangements struck down by the Court of Justice of the EU in the Schrems decision. We noted that the “reaction of the Data Protection Authorities will also be watched, and important developments may come quickly.” Consistent with that advice, Working Party 29 (WP29), which includes the Data Protection Authorities (DPAs) from across the EU that conduct relevant enforcement, met on Wednesday and issued a statement affecting companies that have continued to depend on Safe Harbor to transfer data during this period while an agreement was being negotiated and reported several times to have been close at hand.

The European Union and United States announced today that they reached a new agreement, referred to as the EU-U.S. Privacy Shield (“Privacy Shield”), to replace the Safe Harbor Agreement struck down by the European Court of Justice in the Schrems decision, which more than 4,000 companies were able to use for the transfer of personal information concerning European citizens to the United States in the course of business.

Chinese President Xi Jinping’s visit to Washington D.C. led to a very significant agreement on cybersecurity, as reflected by The White House fact sheet released Friday (excerpted below). The agreement addresses a core U.S. economic interest that analysts didn’t expect to become the subject of agreement during the Chinese President’s U.S. visit.