Final Rule on Whistleblower-Related Legal Costs Shows It Pays (Possibly Literally) to Comment on Proposed Regulations

This post was written by Joelle E.K. Laszlo and Lorraine M. Campos.

On July 25, 2014, the U.S. Department of Defense (“DOD”), General Services Administration (“GSA”), and National Aeronautics and Space Administration (“NASA”) adopted a Final Rule addressing the allowability of legal costs incurred by a contractor or subcontractor defending against a whistleblowing employee’s accusation of reprisal.  The Final Rule implements a provision of the 2013 National Defense Authorization Act (“2013 NDAA”), which included a number of enhanced whistleblower protections.  The Final Rule also includes one fairly significant change from the interim version, based apparently on a single set of comments received.

The 2013 NDAA and the Interim and Final Rules prohibit a contractor or subcontractor from being able to charge to a government contract any legal costs incurred while defending against a whistleblower’s reprisal complaint, if ultimately found liable.  Due to “urgent and compelling circumstances,” the Interim Rule was promulgated without the opportunity for public comment.  However, DOD, GSA, and NASA pledged to consider all comments received in response to the Interim Rule in formulating the Final Rule. 

Accepting this offer, the management and operating contractor for the Department of Energy’s Y-12 National Security Complex noted, among other things, that the rigid language of the Interim Rule could discourage settlements of whistleblower complaints.  The Councils responsible for developing the Final Rule agreed.  As a result, the Rule now provides that if a whistleblower’s complaint of reprisal is resolved by “consent or compromise,” a contractor’s or subcontractor’s “reasonable costs [associated with the proceeding] . . . may be allowed if the contracting officer, in consultation with his or her legal advisor, determined that there was very little likelihood that the [whistleblower] would have been successful on the merits.”

While the practical impact of this revision remains to be seen, anyone who doubts the benefit of participating in notice and comment rulemaking may want to reconsider that stance.  Submitting comments on a proposed or interim rule doesn’t have to cost a lot, and it may pay off, even when no one else speaks up.

New Russian legislation requires local storage of citizens' personal data

This post was written by Cynthia O’Donoghue and Kate Brimsted.

President Putin recently signed Federal Law No. 242-FZ (the “Law”) which amends Russia’s 2006 data protection statute and primary data security law (Laws 152-FZ and 149-FZ), to require domestic data storage of Russian citizens’ personal data. The Law will allow the websites that do not comply to be blocked from operating in Russia and recorded on a Register of organisations in breach.

The requirement to relocate database operations could place a significant burden on both international and domestic online businesses. All retail, tourism, and social networking sites, along with those that rely on foreign cloud service providers, could have their access to the Russian market heavily restricted by the Law. The Law takes effect 1 September 2016, which may not provide some organisations with enough of a transition period to make the necessary changes.

Earlier this year, the Brazilian government decided not to include a similar provision in their Internet bill in recognition of the draconian nature, the potential economic impact and the practical difficulties.  Russia has not taken this more pragmatic approach.  

Federal Circuit: VA May Refuse to Set Aside Contracts for Veteran-Owned Contractors

This post was written by Lorraine M. Campos and Carlos A. Valdivia.

Back in 2013, we reported that the Department of Veterans Affairs (“VA”) is not required to give veteran-owned small businesses (“VOSBs”) or service-disabled veteran-owned small businesses (“SDVOSBs”) preference for all contracts.  In Kingdomware Technologies, Inc. v. United States (“Kingdomware”), the United States Court of Federal Claims accepted the VA practice of purchasing off the Federal Supply Schedule (“FSS”) without first considering set-aside contracts for VOSBs or SDVOSBs.  Last month, the U.S. Court of Appeals for the Federal Circuit upheld the precedent-setting Kingdomware decision. The 2-1 decision explains why the VA can refuse to set aside contracts for veteran-owned contractors despite small business goals required by law.

The dispute revolves around section 8127(d) of the Veterans Act of 2006, which provides that a contracting officer of the VA shall award contracts to VOSBs if the contracting officer reasonably expects offers from two or more VOSBs. This “Rule of Two” is a form of restricted competition meant to give VOSBs an opportunity to compete for set-aside contracts,  but veteran-owned status does not guarantee an award. Section 8127(d) expressly prefaces that contracting officers “shall” award contracts using the Rule of Two “for the purposes of meeting the goals under subsection (a) [i.e., the VA’s goals for participation in VA contracts by VOSBs and SDVOSBs].” The Federal Circuit held that this statutory language clearly expresses Congress’ intent to require restricted competition only when necessary to meet set-aside goals, and that the VA’s decision was entitled to Skidmore deference. The Rule-of-Two mandate cannot be divorced from the VA’s goal-setting authority.

As Judge Reyna points out in his dissent, however, the court may be giving too much weight to the prefatory language in section 8127(d), and the use of the word “shall” could require use of restricted competition under the Rule of Two. Ignoring the mandate in section 8127(d) expands the VA’s discretion when it comes to applying Rule-of-Two analyses, potentially undermining congressional intent. Moreover, the VA’s regulations do not use the prefatory language tying mandatory set-asides to goal-setting, other than in the non-controlling preamble to the regulations. In effect, the majority’s decision gives the VA the discretion to ignore mandatory set-aside requirements once it meets its small business contracting goals.

What does this mean for veteran-owned contractors? That veteran-owned status is no guarantee of a set-aside award, at least not where the VA is concerned.

The opinions can be read here (PDF). The case is Kingdomware Technologies, Inc. v. United States, No. 2013-5042, before the U.S. Court of Appeals for the Federal Circuit.

FTC Commissioner Brill Urges State AGs to Up the Ante

This post was written by Divonne Smoyer and Christine Czuprynski.

Businesses that think they know what privacy issues are on the minds of the state attorneys general (AGs) should be aware that AGs are being urged to take action, either on their own, or in concert with the FTC, on key cutting edge privacy issues. At a major meeting of state AGs this week at the Conference of Western Attorneys General, FTC Commissioner Julie Brill, one of the highlighted speakers at the event, emphasized the importance of the AGs’ role in privacy regulation, and encouraged AGs to collaborate and cooperate on privacy investigations consistent with FTC efforts.

Commissioner Brill, a former assistant AG in two influential state attorney general offices, Vermont and North Carolina, outlined for the AGs several high-level privacy priorities for the FTC, including: (1) user-generated health information; (2) the Internet of Things; and, (3) mobile payments and mobile security. She invited the states to follow these and other privacy issues, and to complement the FTC’s actions in these areas in appropriate ways.

Also a focus: the Commission’s “Big Data” data broker report. Commissioner Brill emphasized her concerns about data broker practices, including their use of terms to describe and categorize individuals, such as “Urban Scramble,” “Mobile Mixers,” “Rural Everlasting,” and “Married Sophisticates.” She stressed that the information gathered by data brokers about these groups may allow businesses to make inferences about people, which in turn could impact access to credit, and in other ways. She pointed out that the FTC unanimously called for legislation to increase transparency and provide consumers with meaningful choices about how their data is used.

Building on her comments about data brokers, Commissioner Brill voiced concerns about the United States’ sectoral approach to privacy law and stressed that there needs to be gap-filling in areas outside of those sector-specific laws, and, since Congress is focused elsewhere on privacy issues, state action may be the best option to take on these issues and fill the gaps. This is not the first time Commissioner Brill has called on the states to take decisive action, and it won’t be the last.

Finally, Commissioner Brill addressed the FTC’s case against Wyndham in particular, noting that the FTC is aggressively fighting challenges to its Section 5 authority. She reminded the states that they have an interest in this fight given that state UDAP statutes share a common blueprint as so-called “mini-FTC Acts,” and invited collaboration on future challenges.

It is likely that many of the states will take action consistent with Commissioner Brill's urging.

UK set to implement emergency Data Retention and Investigatory Powers Bill

This post was written by Cynthia O'Donoghue, Angus Finnegan and Kate Brimsted.

In April, the Court of Justice of the European Union (‘Court’) declared Directive 2006/24/EC on the Retention of Data to be invalid, creating uncertainty for telecommunications operators across the region. In a controversial move by the UK Government, the Data Retention and Investigatory Powers Act 2014 (‘Act’) has been passed using emergency procedures.

Formulated in 2006, the Directive aimed to harmonise the laws of Member States in relation to the retention of data. It introduced an obligation on telecommunications operators to retain a wide range of traffic and location data, which could then be accessed by national authorities for the purpose of detecting and investigating serious crime. The Directive was implemented in the UK through the Data Retention (EC Directive) Regulations 2009.

In its judgment, the Court stated that the obligation to retain communications data and the ability of national authorities to access them constituted an interference with both Articles 7 and 8 of the Charter of Fundamental Rights. Whilst this satisfied the objective of general interest, it was not proportionate or limited to what was strictly necessary. There was concern that the data collected “may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained.”

The Act seeks to maintain the status quo by preempting any legal challenge to the Regulations, and allows the Secretary of State to issue a notice requiring the retention of all data, or specific categories of data, for a period of 12 months. Whilst the effect of the Act is largely similar to its predecessor, the language used is more expansive and appears to be capable of encompassing a broader range of data.

The Act also amends certain provisions of the Regulation of Investigatory Powers Act 2000, allowing for the extra-territoriality of warrants in certain circumstances. This is a major step not only for UK interception powers, but for interception powers globally. Last month, we reported that Microsoft would continue to challenge a U.S. court ruling that effectively allowed an extra-territorial warrant to be issued; it appears that the legal basis for similar powers could be being introduced by the back door in the UK.

It is unclear whether the Act will be a temporary piece of legislation, staying in place until a more permanent solution is implemented at EU level, or whether it will be permanent. However, one positive effect will be that telecommunications operators will know what their retention obligations are. That is not the case in almost all other Member States at present.

Has Facebook been evil? It's down to the regulators to decide

This post was written by Cynthia O'Donoghue and Kate Brimsted.

In June, Facebook came under public scrutiny after it was revealed that the company carried out research in 2012 that manipulated the News Feeds of 689,000 users. Several regulators are now poised to investigate Facebook’s conduct.

The study exposed users to a large amount of either positive or negative comments in order to observe the effect of this on the way that they used the site. It found that “emotional states can be transferred to others via emotional contagion, leading people to experience the same emotions without their awareness.”

Facebook’s behavior will now be scrutinized by data protection regulators, with the UK’s Information Commissioner’s Office indicating on 1 July that it will work with the Irish Data Protection Commissioner to learn more about the circumstances surrounding the research. The regulators are likely to be particularly interested in the terms of use and privacy policy that applied at the time of the research, and whether they contained adequate notices.

Meanwhile, on 3 July, the Electronic Privacy Information Centre (‘EPIC’) filed a formal complaint with the U.S. Federal Trade Commission, requesting that the regulatory body undertake an investigation of Facebook’s practices. The FTC has not yet responded to this request.

Although perhaps an extreme example, this issue highlights the challenges that organisations can face when using data for a purpose that goes beyond what users would expect. Given the mysterious algorithms that underlie what any Facebook user sees (contrary to common belief, it is not simply a chronological list of activities), it is arguable that the issue here arises out of functionality that is not far removed from Facebook’s everyday operations. It will be interesting therefore to see whether the regulators take any robust action.

Italian Data Protection Authority issues new EU guidelines

This post was written by Cynthia O’Donoghue, Kate Brimsted, and Matthew N. Peters.

In early May the Italian data protection authority (“Garante”) issued “Simplified Arrangements to Provide Information and Obtain Consent Regarding Cookies” (“Guidelines”).  These are intended to provide clarity on the application of Legislative Decree No. 69/2012 (the “2012 Act”), which implemented the EU Cookie Directive in Italy.

The Guidelines synthesize the findings of a public consultation and set out simple methods for informing website users about the use of cookies and procuring their consent.

Key topics include:

i) Distinguishing technical cookies from profiling cookies: technical cookies only require users to be clearly informed and include browsing/session cookies, first-party analytics cookies and functional cookies; while profiling cookies require users’ consent to create a user profile and for the website operator and any third parties to carry out marketing and promotional activities.

ii) A ‘double decker’ approach to informing users and obtaining consent: summary cookie information is provided by means of a ‘banner’ on a website landing page, with more detailed information included in a full privacy notice that is linked to the banner.

iii) Links for third parties that also place cookies on a user’s device, directing users to each respective third party’s own consent and privacy notices, so that users remain fully informed and retain their ability to consent.

iv) Implementation and sanctions: Garante has given data controllers one year from the date of publication of the Guidelines to meet these requirements. Failure to do so carries a range of sanctions, including a maximum fine of €300,000 and ‘naming and shaming’.

Foreign Investment in the United States: D.C. Circuit Reversal Could Lead to Increased Transparency for CFIUS

This post was written by Michael J. Lowell and Bethany R. Brown.

On July 15, the D.C. Circuit held that a presidential order requiring Ralls Corporation to divest its interests in Oregon windfarms because of national security concerns deprived Ralls of its constitutionally protected property interests without due process of law.  In doing so, the D.C. Circuit reversed a district court decision that had emphasized the president’s near-absolute, discretionary authority when responding to national security threats raised by foreign investment in the United States.

The presidential order was the end result of the Committee on Foreign Investment in the United States’ (“CFIUS”) review of the national security implications of Ralls’ acquisition of the four companies developing the windfarms.  Ralls – a Delaware corporation privately owned by two Chinese nationals – submitted the transaction to CFIUS for review after the acquisition had closed.  Following CFIUS’ review, President Obama ordered divestiture of Ralls’ acquisition of the membership interests in the four companies, citing national security concerns posed by the transaction.  Ralls brought suit against CFIUS, claiming, in part, that the presidential order deprived Ralls of its ownership interests in the companies without due process of law.  The case will now be returned to the district court for further review.

Though the decision does not affect the president’s ultimate power to order divestiture, the decision could have a significant impact on the manner in which CFIUS reviews proceed in the future.  Under the decision, CFIUS, before ordering divestiture, will be required to:  (1) inform the property owner about its action; (2) provide access to the unclassified evidence that supports its decision; and (3) provide the property owner with an opportunity to rebut the evidence.  This could lead to a review process that is much more transparent than current practice, wherein parties before CFIUS are often in the dark about the government’s concerns.

European Commission Releases Cloud Computing Service Level Agreements

This post was written by Cynthia O’Donoghue and Kate Brimsted.

Back in 2012, the European Commission (‘Commission’) adopted the Cloud Computing Strategy to promote the adoption of cloud computing and ultimately boost productivity. In June 2014, the Cloud Select Industry Group – Subgroup on Service Level Agreements published Standardisation Guidelines for Cloud Service Level Agreements (‘Guidelines’) as part of this strategy.

To achieve standardisation of Service Level Agreements (‘SLAs’), the Guidelines call for action “at an international level, rather than at national or regional level”, and cite three main concerns. Firstly, SLAs are usually applied over multiple jurisdictions, and this can result in the application of differing legal requirements. Secondly, the variety of cloud services and potential deployment models necessitate different approaches to SLAs. Finally, the terminology used is highly variable between different service providers, presenting a difficulty for cloud customers when trying to compare products.

A number of principles are put forward to assist organisations through the development of standard agreements, including technical neutrality, business model neutrality, world-wide applicability, the use of unambiguous definitions and comparable service level objectives, standards and guidelines that span customer types, and the use of proof points to ensure the viability of concepts.

The Guidelines also cover the common categories of service level objectives (‘SLOs’) typically covered by SLAs relating to performance, security, data management and data protection.  In particular, SLOs cover availability, response time, capacity, support, and end-of-service data migration, as well as authentication and authorization, cryptography, security incident management and reporting, monitoring, and vulnerability management.  Some of the important data-management SLOs cover data classification, business continuity and disaster recovery, as well as data portability. The personal data protection SLOs address codes of conduct, standards and certification, purpose specification, data minimization, use, retention and disclosure, transparency and accountability, location of the personal data, and the customer’s ability to intervene.

The Commission hopes the Guidelines will facilitate relationships between service providers and customers, and encourage the adoption of cloud computing and related technologies.

Indonesia's Presidential Elections Dispute and Idul Fitri 2014 - Are You and Your Company Prepared?

This post was written by Charles Ball, Paul Alfieri, John Tan, and Ruth M. Thomas.

On July 9, within just a few hours of the polls closing in the tightly contested presidential election in the world’s third-largest democracy – the Republic of Indonesia – the only two contestants running had claimed victory. Nearly 200 million people in the world’s fourth-largest country had turned out to vote for either the current Jakarta Governor Joko “Jokowi” Widodo or former military general Prabowo Subianto. Despite seven of the independently run “Quick Count” exit polls indicating that Jokowi had won the election by a margin of roughly 3 percent to 5 percent, Prabowo declared victory of his own citing three Quick Count results that supported his own victory by narrower margins.

Click here to read the full issued Client Alert.

OFAC Targets Russia's Financial and Energy Sectors in New Sectoral Sanctions

This post was written by Hena M. Schommer and Leigh T. Hansson.

As a result of the ongoing Crimea conflict, the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) has issued new sanctions targeting Russian banks and energy companies.  This week, OFAC issued a Ukraine-related Sectoral Sanctions Identifications List (“SSI List”) and Directives 1 and 2 pursuant to Executive Order 13662 (the “Directives”) that provide two lists of sectoral sanctions designations.  On or after July 16, 2014, the Directives, generally, prohibit U.S. persons – wherever located – from entering into “new debt” transactions, including “transacting in, providing financing for, or otherwise dealing in debt with a maturity of longer than 90 days…on behalf of, or for the benefit of the entities listed on the SSI List, their property, or their interests in property.” Directive 1 entities are also prohibited from entering into “new equity” transactions meeting the definition above. Entities included on the list are Russian banks and energy sector entities; the Directives also extend prohibitions to entities owned 50 percent or more by an entity designated on the SSI List.  According to OFAC’s website, transactions that will be caught under the “new debt” and “new equity” prohibitions include:

  • Debt defined as “bonds, loans, extensions of credit, loan guarantees, letters of credit, drafts, bankers acceptances, discount notes or bills, or commercial paper,” and
  • Equity defined as “stocks, share issuances, depositary receipts, or any other evidence of title or ownership” 

Further, the prohibitions in both Directives “extend to rollover of existing debt, if such rollover results in the creation of new debt with a maturity of longer than 90 days.”  Additionally, OFAC has issued General License No. 1, authorizing U.S. persons to engage in transactions of “derivative products whose value is linked to an underlying asset” that falls within the definition of the Directives.

OFAC has limited the scope of the SSI List by clarifying that the entities are not included on the OFAC Specially Designated Nationals List (“SDN List”), unless specifically designated by OFAC.  All prior designations on the SDN List and other trade restrictions that have not been lifted by OFAC remain in place.  Reed Smith’s other blog posts related to the U.S. Ukraine-related sanctions can be found here.

July Sanctions Update: Ukraine and Iran

This post was written by Siân Fellows, Lisa Mason, David Myers, Alexandra E. Allan, Alexandra Gordon, and Laith Najjar.

Since March 2014, we have been closely monitoring the developments relating to the situation in the Ukraine and reporting them as Client Alerts and blog updates.

We have set out below a summary of the recent changes in respect of the Ukraine as well as an update on the position regarding the “Joint Plan of Action” in respect of Iran.

For more detail on this topic, please see our Client Alert.

European Commission releases communication on building a data-driven economy, calling for a rapid conclusion to data-protection reform

This post was written by Cynthia O'Donoghue and Kate Brimsted.

In July, the European Commission (‘Commission’) published a communication titled “Towards a thriving data-driven economy” (‘Communication’), setting out the conditions that it believes are needed to establish a single market for big data and cloud computing. The Communication recognizes that the current legal environment is overly complex, creating “entry barriers to SMEs and [stifling] innovation.” In a press statement, the Commission also called for governments to “embrace the potential of Big Data.”

The Communication follows the European Council’s conclusions of 2013, which identified the digital economy, innovation and services as potential growth areas. The Commission recognizes that for “a new industrial revolution driven by digital data, computation and automation,” the EU needs a data-friendly legal framework and improved infrastructure.

Citing statistics about the amount of data being generated worldwide, the Commission believes that reform of EU data-protection laws and the adoption of the Network and Information Security Directive will ensure a “high level of trust fundamental for a thriving data-driven economy.” To this end, the Commission seeks a rapid conclusion to the legislative process.

The Commission’s vision of a data-driven economy is founded on the availability of reliable and interoperable datasets and enabling infrastructure, facilitating value and using Big Data over a range of applications.

To achieve a data-driven economy, coordination among Member States and the EU is necessary. The key framework conditions are digital entrepreneurship, open data incubators, developing a skills base, a data market monitoring tool and the identification of sectorial priorities, and ensuring the availability of infrastructure for a data-driven economy, along with addressing regulatory issues relating to consumer and data protection, including data-mining and security.

In an atmosphere of increasingly complex regulation anticipated by the Draft Data Protection Regulation and rulings of Europe’s senior courts, a positive slant on the use of data should be refreshing to organisations that depend on it in their operations. The test for the recommendations will be in how the Commission and the EU seek to implement them.

Apps and Data Privacy - New Guidelines from the German DPAs

This post was written by Dr. Thomas Fischl and Dr. Alin Seegel.

Under the auspices of the Bavarian state data protection authority, the so-called Düsseldorfer Kreis (an association of all German data privacy regulators for the private sector) on June 23 published guidelines for developers and providers of mobile apps.  As mobile applications are increasingly becoming the focus of regulators, the guide sets out data privacy and technical requirements for app development and operation, and provides practical examples.

In spring, the Bavarian data privacy regulatory agency had randomly selected 60 apps for closer examination. In the process, the agency looked at privacy notices and compared them with the type of data that, at first glance, was transmitted.  In its conclusion, the agency noted that “every app provides some data privacy information, but that this information cannot be adequately reviewed.”  Based on this finding, the agency has more closely examined 10 apps, and subsequently created an orientation guide for app-developers and app-providers.

Among other things, the 33-page guide addresses the applicability of German data privacy laws, permit-related statements of fact regarding the collection and processing of personal data in the context of operating a mobile application, technical data privacy, and the notification obligations to be adhered to by the app provider. In addition to the legal notice, the latter include an app-specific privacy statement and other legal obligations.

With regard to app development, the guide of the German DPAs recommends that by utilizing data privacy preferences (“privacy by default”), one must ensure that the app can later be offered without deficiencies in data privacy.

Regarding technical data privacy, the guide elaborates on secure data transmission, as well as the application’s access to the location data of the respective device.

In addition to the above aspects, the guide addresses specific issues arising during the development of mobile applications, such as the integration of functions for payments or apps for young people and children.

For the future, regulators can be expected to be even more concerned with infringements related to apps, and will also be expected to initiate procedures to impose fines. The guidelines are a must-read for every app developer making apps available in Germany and throughout Europe.

EY Appeals Hong Kong Court Order To Produce Audit Working Papers Notwithstanding Holding That EY 'Deliberately Withheld From SFC' and State Secrets Not at Issue

This post was written by Joan Hon.

More than a year ago, we began following the so-called Ernst & Young (“EY”) State Secrets Case in Hong Kong.  On 23 May 2014, the High Court of Hong Kong finally concluded that there was no “reasonable excuse” for EY’s failure to comply with Securities and Futures Commission (“SFC”) notices seeking information and documents, and that EY had “deliberately withheld from SFC.” Though EY has since produced a disc of documents it held in Hong Kong, EY filed a Notice of Appeal on 20 June taking issue with the Court’s position on documents held in the Mainland by its PRC affiliate, Ernst & Young Hua Ming (“HM”).

When this case kicked off in April 2013, many watched carefully, wondering how the Court might deal with Chinese state secrets and archives laws, in addition to others, that supposedly prevented the cross-border transmission of certain documents, and accordingly, EY’s ability to comply with the SFC notices.  These laws have also been the purported excuse for non-cooperation in regulatory investigations in the United States, and have resulted in bans and censures of Chinese accounting firms in the United States.*  However, the Hong Kong Court emphasized that it is “concerned with and only with the obligation of EY as a firm in Hong Kong to comply with the Notices issued under the SFO as part of the laws of Hong Kong,” suggesting a strong reluctance to interpret the controversial Chinese laws.

In an interesting “eve of trial” twist, EY suddenly discovered a laptop in Hong Kong that had been used by the EY partner involved in the engagement with HM.  Incidentally, identification of this engagement partner was only revealed by affirmation filed in relation to these proceedings, despite numerous previous requests by the SFC for such identification.  These “sudden,” last-minute discoveries, which included two additional hard drives, alongside EY’s production of a single witness who repeatedly claimed he either had no personal knowledge or memory of the relevant facts, led Mr. Justice Peter Ng Ka-fai to conclude EY had been deliberately withholding information. With respect to any documents HM may possess in the Mainland, the Court concluded that EY, subject to any legal restrictions on cross-border transmission, has a currently enforceable legal right under PRC laws to demand production of the audit working papers from HM. Thus, EY could not argue that it did not have possession – including custody or control – of the documents the SFC sought, whether in the Mainland or not.

As to whether there was any legal restriction on the cross-border transmission of documents in the Mainland, the Court was reluctant to comment on PRC laws, suggesting they were a “complete red herring” since any legal effect was hypothetical until any analysis of the actual contents of the audit working papers could be made:

The burden is on EY to show an applicable restriction on the transmission of the audit working papers and other relevant documents from the PRC to Hong Kong. If it cannot do that by showing the papers or other documents do contain State secrets or commercial secrets, that is the end of the matter, as far as EY’s case is concerned.

This begs the question as to how EY could possibly submit such evidence if its submission is that such transmission would be illegal. However, the Court accepted that if its finding on the absence of legal impediments under PRC laws is wrong, then it was EY’s (and not the SFC’s) burden to make an application to the China Securities Regulatory Commission for approval.

So far, no hearing date has been set for EY’s appeal. 

*  Incidentally, the Hong Kong Court made reference to these American cases, and noted that the SFO does not purport to have any extraterritorial effect in the same way that section 106 of the U.S. Sarbanes-Oxley Act of 2002 does.