GLOBAL HEALTH CARE COMPLIANCE NEWS & ANALYSIS

2016 - 2019 TABLE OF CONTENTS

I. International Risk
a. In Bloomberg Law, Cross-Practice Team Analyzes Vertical Integration and Firewalls in Health Care Transactions
b. Podcast: The Current Trade Secrets Landscape: Criminal and Civil Litigation Strategies and Tactics
c. In Bio-IT World, Attorneys Address ROI of Health Care Compliance
d. New International Pharmaceutical Practice Code Tightens Restrictions on Gifts
e. Bid Rigging: For Multinationals, More Than Just a Local Law Violation
f. Implications of Distributor Misconduct for Global Health Care and Life Sciences Companies
g. Corporate Social Responsibility Compliance in 2018, and Beyond – An Overview for In-House Legal Counsel
h. Globalizing Your Compliance Program
i. DOJ Publishes New Guidance for Compliance Programs
j. Forecasting International Risk Climate Under President Trump
k. $519 million FCPA Payment by Teva Pharmaceuticals – Largest Ever FCPA Payment by a Pharmaceutical Company – Follows Large FCPA Plea Agreement with Odebrecht and Braskem
l. Mondelēz Agrees to Pay $13 Million to Settle FCPA Charges Related to Inadequate Due Diligence and Accounting Controls over Third Party in India
m. Hot Topics in Supply Chain Compliance
n. Case Closed! – The Conflict Minerals Rule Litigation is Over, but the Drama Continues
o. SEC Issues Updated Statement on Conflict Minerals Rule
p. Evaluating the FCPA Pilot Program: The Data, The Trends
q. Helping Piece Together the Life Sciences Puzzle
r. Using Biospecimens Collected Abroad in Future Research: Key Considerations
s. No Need to Overreact: Protecting Privilege in the U.S. and U.K. After the ENRC Decision
t. Australia Proposes Modern Slavery Reporting Requirements for Multinationals
u. Unintended Consequences: Ex-U.S. Activities Impacting U.S. Federal Health Care Business

II. Privacy & Data Security
a. GDPR is here: the dawning of a new era?
b. GDPR – No Notification Fees, But UK Regulator to Implement New “Data Protection” Fees
c. New Draft Guidelines on GDPR Consent Requirement’s Application to Scientific Research
d. The UK’s Data Protection Authority goes myth-busting: fining powers; consent; the “misconception” that the GDPR is an unnecessary burden; and data breach reporting
e. Privacy Implications of President Trump’s Immigration Order
f. The GDPR – Possible Impact on the Life Sciences and Healthcare Sections
g. Cookies Crumble? The draft EU Regulation on Privacy and Electronic Communications
h. Thoughts on EU’s Draft E-Privacy Regulation
i. The Information Commissioner’s Guidance on Consent under the GDPR
j. UK Government Sets Forth Approach for GDPR

III. Brexit
a. Implications of the UK’s Brexit Referendum
b. An Update on Brexit and the Implications for General Data Protection Regulation (GDPR)
c. Brexit White Paper Published

IV. Asia
a. In Asia-Pacific Biotech News, Life Sciences Partner Addresses Proposed China Pharmaceutical Regulatory Changes
b. The Evolving Regulatory Landscape for Clinical Trials in India
c. The China Drug Administration Proposes a Working Procedure for Pharmaceutical Study Data Protection
d. Spotlight on Korea
e. China FDA Clarifies Legal Consequences of Clinical Trial Data Inspections
f. Donations and Grants in China: Compliance Controls Beyond T&E
g. Recent Developments in Japanese Enforcement of Foreign Bribery Laws
h. China Solicits Comments on Drug GCP
a. CFA Amends Medical Device Recall Rules
b. Hong Kong Proposes Enhanced AML Obligations for Professionals and Beneficial Owner Registries for Hong Kong Companies
c. China’s State Council Announces Major Policies to Reform the Pharmaceutical Industry
d. U.S. Department of Commerce Establishes Favorable Export Control Policies for India
e. South Korea Fines Prominent Pharmaceutical Manufacturer in Latest Anti-Corruption Enforcement Efforts
f. Shanghai Tightens Industry Interactions with HCPs

V. European Union, Middle East, Africa
a. De-Implementation Day: Preparing for Changes to U.S. Sanctions Targeting Iran
b. European Health Care Compliance Challenges (And Solutions)
c. EU Reaches Final Agreement on Conflict Minerals Regulation – An Overview
d. The UK Modern Slavery Act – A Compliance Primer for Fund Managers
e. Privacy Shield Dented? The EU Parliament’s Civil Liberties, Justice and Home Affairs Committee Identifies Deficiencies in U.S. Implementation of the Privacy Shield
f. Excessive Pricing in Generic Drug Markets
g. The EU Conflict Minerals Regulation – Frequently Asked Questions
h. U.S. Announces Revocation of Sudanese Sanctions Regulations: New Opportunities and Familiar Risks

VI. Latin America
a. Mexico Enacts a Sweeping New Anti-Corruption Regime, Accompanied by a Public Apology from President Peña Nieto and Increased Attention on Mexico’s Energy Sector by U.S. Regulators
b. Top 10 Anti-Corruption Red Flags in Latin America
c. Update on the Anti-Corruption Landscape in Mexico
d. A Judicial Reinterpretation of the Brazilian Constitution’s Right to Health Care

INTERNATIONAL RISK

IN THE NEWS

In Bloomberg Law, Cross-Practice Team Analyzes Vertical Integration and Firewalls in Health Care Transactions

June 20, 2019

Practices: Health Care, Health Care Finance & Restructuring, Data Practice, Digital Health, Health Privacy & Security, Technology, Media & Telecommunications, Antitrust

In a Bloomberg Law article published on June 19, health care partners Tim McCrystal and Adrianne Ortega (both of Boston) and antitrust associate David Young (Washington, D.C.) analyze the potential legal risks that arise in health care industry vertical transactions. The article also examines key issues to consider when creating firewall structures to mitigate risks.

The authors explain that a range of legal issues may arise when organizations integrate vertically beyond their current line of business, including data sharing, antitrust, fraud and abuse laws, conflicts of interest, confidentiality obligations and corporate practice of medicine.

Copyright © 2019 Ropes & Gray LLP. All rights reserved. Attorney advertising. Prior results do not guarantee a similar outcome.

Professional Perspective

Vertical Integration and Firewalls in Health-Care Transactions

Timothy M. McCrystal, Adrianne Ortega, and David A. Young, Ropes & Gray

Reproduced with permission. Published June 2019. Copyright © 2019 The Bureau of National Affairs, Inc. 800.372.1033. For further use, please visit: http://bna.com/copyright-permission-request/

Driven by a desire to reduce cost, improve care, keep up with competitors, and participate in evolving reimbursement programs, health-care providers are increasingly undertaking vertical integration transactions. While these transactions present opportunities for health-care organizations to expand their operations, they may also present a variety of legal risks related to the sharing and use of information and data.

Vertical integration is an expansion up or down the service or supply chain beyond a company's current line of business. In the health-care industry, vertical integration translates to organizations offering, directly or indirectly, a broader range of services on the continuum of the delivery of health-care services. Examples of vertical integration in the health-care industry include CVS Health's acquisition of insurance company Aetna, UnitedHealth's planned acquisition of DaVita's physician group, Cigna's acquisition of Express Scripts, a pharmacy benefit manager, and Medtronic's 2015 acquisition of Diabeter, a diabetes clinic and research center.

Health-care organizations that seek to integrate vertically should consider the attendant legal risks, including antitrust, confidentiality, and conflict of interest concerns, among others. To address these issues, acquirers should consider whether organizational and/or operational separation of certain functions of the combined organization is appropriate. These structural and/or operational constructs are commonly referred to as “firewalls.”

This article will discuss potential legal risks that arise in the context of vertical integration, and key issues to consider when creating firewall structures.

Firewalls

Firewalls may help mitigate the legal and conflict of interest risks involved with vertical integration by insulating an organization, or a part of it, from sharing information that increases an organization's exposure to risk. Examples of this type of information include personal health information, and data belonging to an entity that competes with an organization's vertically integrated business.

Firewalls may be set up within the different parts of an organization, as well as between companies and other parties. The elements of a firewall may include structural, technical, or operational separation of one or more of the following business components:

• Separate organizations, to create a clear line of demarcation between the operations of affiliates

• Management and employee teams, to ensure that business objectives, financial goals, pricing, and compensation are not connected with the performance of the firewalled organization

• IT systems and servers, to limit flows of sensitive or protected data between organizations, such as patient or competitor data

• Compliance programs, with separate policies and procedures, to ensure that proper reporting mechanisms are in place for each organization and to ensure that both organizations properly maintain the firewall

• Marketing and sales, to create independent business strategies, reduce potential for conflicts of interest, and establish sufficient brand uniqueness

• Infrastructure and workspace, including independent office space and employee equipment, to ensure the limited sharing of information between organizations

Bloomberg Law ©2019 The Bureau of National Affairs, Inc.

Regulatory Risks Related to Vertically Integrated Health-Care Organizations

There is a broad range of potential legal issues that may arise when organizations integrate vertically, including risks related to data sharing, antitrust, fraud and abuse laws, conflicts of interest, and corporate practice of medicine.

Privacy and Data Sharing Issues

Under the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA), covered entities and their “business associates” must comply with requirements regarding the privacy and security of protected health information (PHI). Neither a covered entity nor a business associate may share PHI other than as permitted by HIPAA. States may also have their own restrictions on the use and disclosure of personal health information.

A great advantage of vertical integration is that it allows for data to be shared across the integrated organization. Any covered entity or business associate within a vertically integrated organization, however, must comply with HIPAA's requirements regarding the privacy and security of PHI regardless of how the organization is managed and structured. At the same time, vertical integration may increase the risk of inadvertent data sharing or PHI disclosure between entities that may share common systems. Technical and administrative firewalls may aid in the safeguarding of PHI, and in the proper execution of business associate agreements governing the use of PHI within a vertically integrated organization.

Antitrust

Antitrust law may also affect a vertical health-care transaction. As a general matter, vertical transactions typically have less antitrust risk than the horizontal merger of two competitors. The former is typically associated with pro-competitive efficiencies and has only an indirect effect on competition, while the latter directly reduces competitive intensity.

Nonetheless, vertical integration may still create concerns at the antitrust agencies. Of greatest concern is the possibility that an integrated entity might either “foreclose” downstream rivals by depriving them of a key input, or harm upstream competitors by foreclosing a substantial share of the downstream customer base. Another risk is that vertical integration could facilitate coordinated activity in the market by encouraging actual or tacit collusion. Such collusive activity may be encouraged if the vertically integrated firm does substantial business with its rivals, thereby enabling that firm to view competitively sensitive price or output information.

Where the risk of anticompetitive coordination is significant, the antitrust agencies may insist on strict information firewalls as part of a consent decree. The firewalls would need to ensure that competitively sensitive information such as pricing, output, and research and development information is not shared with personnel at the integrated company who could use it to their advantage. Notably, however, the antitrust agencies are increasingly reluctant to impose behavioral remedies such as firewalls instead of structural remedies such as divestitures because of the difficulties ensuring that such decrees are followed.

Federal Fraud and Abuse Statutes

Vertical integration has the potential to implicate various federal health-care fraud and abuse laws, including the federal Anti-Kickback Statute and the Stark Law.

The Anti-Kickback Statute makes it a felony to solicit, receive, offer, or pay any remuneration (including any kickback, bribe, or rebate) to any person in return for or in an attempt to induce patient referrals for services reimbursed under a federal health-care program or to arrange, recommend, or order any item or service reimbursed by any federal health-care program. Vertical integration may increase anti-kickback risk if different service lines run by the same company are in a position to influence referrals or induce the purchase of products from other parts of the company.

The Stark Law prohibits physician referrals for a wide range of so-called designated health services if there is a financial relationship between the entity to which the referral is made and the referring physician, unless the arrangement meets an exception to the statute. Vertical integration may increase risk under the Stark Law if compensation paid to physicians is based on the volume or value of referrals made by the physician to the company.

To limit exposure to Stark violations, organizations must ensure that physician compensation generally is not based on any profits related to referrals for designated health services, and is based on the fair market value of the services. To the extent that physicians have ownership in a vertically integrated organization, the ownership interest should be structured consistent with the Stark Law.

Conflicts of Interest and Confidentiality Obligations

Conflicts of interest may also arise through vertical integration. Such conflicts may be actual or perceived. For example, conflicts of interest in vertical health-care transactions may arise with respect to medical decision-making in patient care and selection of the best products or services for patients. Firewalls designed to limit the influence that other constituencies within an organization, including sales and marketing, have on medical decisionmakers may aid in the mitigation of such potential conflict of interest risks.

Firewalls may also reduce the risk of a vertically integrated organization running afoul of its contractual obligations regarding information acquired by one component of a vertically integrated organization that may not be shared with other components. Separate contract management systems, along with policies and procedures related to the intra-company sharing of information subject to confidentiality restrictions, will reduce the risk of violating confidentiality and other similar contractual limitations.

Corporate Practice of Medicine and Fee-Splitting

Many states prohibit legal entities other than licensed physicians, such as corporations, from practicing medicine, employing physicians, and otherwise controlling a medical practice. These restrictions vary greatly by state. Companies that seek to integrate vertically through the acquisition of physician practices in corporate practice of medicine states must ensure that their physicians retain sufficient independence from the non-professional entity to comply with applicable state restrictions.

Although firewalls are effective at reducing the legal risk involved with vertical integration, they must be specifically tailored to the facts of the business structure at issue if they are to be successful. Each arrangement should be evaluated independently to determine the potential risks related to the arrangement, and the elements of a firewall that may mitigate such risks.

PODCAST

Podcast: The Current Trade Secrets Landscape: Criminal and Civil Litigation Strategies and Tactics

May 22, 2019

Time to Listen: 13:58

Practices: Trade Secrets, Business & Commercial Litigation, Government Enforcement / White Collar Criminal Defense, Intellectual Property, Intellectual Property Litigation, Anti-Corruption / International Risk

In this podcast, Ropes & Gray’s Mimi Yang, Peter Brody and Tony Biagioli discuss recent criminal and civil trade secrets enforcement strategies that companies can utilize when they believe they have been victimized by trade secrets theft, or when they are accused of trade secrets theft, including the so-called “China Initiative” announced by the Department of Justice in November 2018 and the Defend Trade Secrets Act of 2016 (DTSA). Mimi, Peter and Tony discuss implications companies may consider when pursuing criminal or civil litigation, as well as how the criminal and civil components can be interrelated.

Transcript:

Mimi Yang: Hi everyone, and thank you for joining us on this Ropes & Gray podcast. I’m Mimi Yang, a litigation & enforcement partner based in our Hong Kong office. Today, I am joined by my colleagues Peter Brody, an IP litigation partner, and Tony Biagioli, litigation & enforcement counsel, both based in our Washington, D.C. office. In this podcast, we are going to discuss recent criminal and civil trade secrets enforcement and strategies companies utilize both when they believe they have been victimized by trade secrets theft as well as when they are accused of trade secrets theft.

Just as some background for our listeners today, I am a white collar criminal and enforcement attorney, focusing on international risk issues in the Asia region. In my practice, I have represented multiple Asian companies under criminal investigation for allegedly stealing U.S. companies’ trade secrets. Peter is a civil IP litigator who has extensively litigated trade secrets theft cases, representing both plaintiffs and defendants. Peter also represented a Korean company criminally investigated for trade secrets theft. Tony is a white collar criminal and enforcement attorney who focuses his practice on trade secrets theft. He has represented companies accused of stealing trade secrets as well as alleged victims of trade secrets theft. He has been a featured speaker on trade secrets theft in front of pharmaceutical and technology industry associations. So just to set the stage a little bit, I thought we’d begin with some basics. Peter, what, precisely, is a trade secret? Now, before you answer, I know this seems like a basic question, but I actually think it has a lot of nuances.

Peter Brody: Thanks Mimi. A trade secret is fairly broadly defined: it can be any information that is, in fact, secret – where first, the holder took reasonable steps to keep the information secret, and second, which derives value from being secret. The classic example, of course, is the recipe for Coca Cola – that recipe is a closely guarded secret. If there’s any doubt to the value of the secret, just ask anyone who won’t drink Pepsi. The key takeaway, though, is that any information can be a trade secret, if it meets the two elements that I just mentioned, and that can include manufacturing processes, research and development methods, a business plan, customer lists, financial data, on and on.

There are several important exceptions. First, if you independently discover the information without knowledge of someone else’s trade secrets, that’s acceptable. For example, if I experiment with different ingredients and I come up with a soda that happens to taste exactly like Coke, that’s not against the law if I did so through my own independent experimentation, without knowledge of or reliance on Coke’s process. Second, so called reverse engineering to arrive at a trade secret is permissible. For example, let’s say I start by pouring Coke out of the can and into a beaker, and then through chemical analysis, I break it down into its constituent ingredients, and I figure out the recipe that way – that’s also okay.

Mimi Yang: Thanks Peter. As we know, the Economic Espionage Act criminalizes theft of trade secrets, and the Defend Trade Secrets Act provides a federal civil right of action for victims of trade secrets theft. The enforcement and litigation landscape for both are critical to understand, because many thefts of trade secrets implicate both potential enforcement avenues. So let’s start with the criminal side. As we have discussed extensively in prior podcasts and articles, the U.S. government is focused heavily on alleged trade secrets theft by China. The alleged underlying misconduct spans industries and types of conduct, from traditional hacking to misappropriation by current or departing employees. So Tony, both potential victims and defendants in trade secrets investigations are increasingly trying to wrap their heads around the new enforcement landscape. So as an initial matter, can you tell us who are the key enforcement authorities within the U.S. government? Let us know where are they located and what are their respective roles?

Tony Biagioli: Thanks Mimi. As you alluded to, in November 2018, the Department of Justice announced a “China Initiative” focusing on alleged theft of U.S. companies’ trade secrets by Chinese companies. To meet the enforcers, this seems like a natural place to start. The leaders of the initiative include the Assistant Attorney General who heads the Department of Justice’s National Security Division, five U.S. Attorneys, and additional DOJ officials (including the Assistant Attorney General who heads the Criminal Division). But what’s often lost is that the U.S. government’s expertise in addressing computer crimes generally and trade secrets theft specifically has grown significantly and is currently robust and sophisticated. The FBI’s Cyber Division and Computer Crimes Task Forces employ specially trained professionals specializing in just these types of attacks. Similarly, at the Department of Justice, the Computer Crime and Intellectual Property Section as well as the Computer Hacking and Intellectual Property Network are the cornerstones of the DOJ’s response to trade secrets theft. In short, U.S. federal authorities are motivated to investigate trade secrets theft, not simply from China but from everywhere, including from within the – and they have constructed sophisticated enforcement units to accomplish just that. As a practical matter, this has increasingly provided victims of trade secrets theft confidence in the viability of reporting cyber intrusions and IP misappropriation to federal authorities, instead of attempting to address the issue without the government’s assistance.

Mimi Yang: Thanks Tony. So let’s stick with that theme. Clearly, when companies discover potential misappropriation – maybe they’ve been hacked, maybe they discover an employee walked out with a thumb drive full of sensitive files – they’re immediately confronted with choices and the need to respond quickly. Obviously, there is a technical component to this – ascertaining how someone accessed your systems, identifying what was stolen, plugging the holes, etc. But I want to focus on the legal response – Tony and Peter, what should a company do?

Tony Biagioli: In some cases – I think in an increasing number of cases given the origin of the alleged theft from China – there is very little that you can do civilly. Who will you sue? In a hack, at least initially, you may not know who the wrongdoer is and you may need federal assistance to ascertain it. Even if you know who did it – if it’s a Chinese company without a U.S. presence – it’s not always clear how you’d ever collect on a judgment in Chinese courts. In other words, in an increasing number of cases, the potential federal criminal remedy may in fact be the only one. There of course is no guarantee the government will proceed with an investigation or prosecution when you report, but sometimes it may be a company’s best shot.

Mimi Yang: But there are significant tradeoffs, aren’t there, Tony? If you report the matter to the authorities, what are you potentially sacrificing? Peter, you want to take this?

Peter Brody: Well, potentially a lot. This is why the decision to disclose an attack to the U.S. government is highly fact-specific and depends heavily on the company’s goals. If you aren’t interested in suing or if success in a civil suit seems remote, there may be very little downside to the criminal route. Company personnel may have to devote some time to meet with the government and they might be witnesses, but beyond that, it may not be much hassle. Outside counsel can often help to streamline company presentations and focus the government on key facts in an organized way to maximize the chances of the government proceeding with the investigation and obviously minimize the burden on the company. However, there could be significant tradeoffs if civil litigation is both a goal and has realistic possibilities of success. One significant tradeoff is that, as a company, you sacrifice control. Not only would the government not be bound by any civil settlement between the parties, but the potential for ongoing criminal enforcement may undermine a company’s ability to resolve the matter to the satisfaction of both parties.

Tony Biagioli: Just to add to that, Peter – there are also, of course, the possibilities of disruptions to civil suits. The DOJ often moves for discovery stays – often successfully – in civil cases based on conduct that is the subject of an ongoing investigation. And of course, employees of the defendant might decline to respond to certain discovery requests on Fifth Amendment grounds. The real key, in my experience, is for the white collar criminal attorneys who might liaise with DOJ and the litigation attorneys who would handle the civil suits to have these discussions with the company in a coordinated way. Frankly, in the criminal space, it’s critical to involve civil attorneys, not just for civil trade secrets expertise but for patent expertise, because so often the defense in these matters is that the alleged trade secret is publicly disclosed or derivable from public information, often from a patent. So even if the company simply discloses to the government, the team advising it will need that technical expertise to make an informed and persuasive presentation.

Mimi Yang: In prior podcasts, we’ve spoken about the idiosyncrasies of the Economic Espionage Act and its implications for companies seeking to prevent or respond to allegations of trade secrets misappropriation. We’ve also spoken about the importance of developing policies and procedures not only to protect a company’s own intellectual property, but to respect third parties’ intellectual property as well. But what I’d like to discuss now is potential civil exposure – how has the enforcement landscape there changed recently? Peter, what is important for companies to know?

Peter Brody: The Defend Trade Secrets Act, or DTSA, changed the civil exposure landscape significantly – it created the first-ever federal civil cause of action for trade secret misappropriation. This was a sea change, since before the DTSA, civil trade secrets lawsuits had to proceed under state law. Based on the data we’ve seen, there has been as much as a 30% increase in trade secrets case filings since the DTSA was enacted in 2016. There are a number of reasons for this: for one, the DTSA allows litigants to leverage stronger and more consistent rules of procedure, as well as enhanced protections and remedies. In addition, owing to changes in trends in patent law, many companies today are opting for trade secret protection instead of patent protection. And finally, with greater workforce mobility in our economy has come increasing allegations that departing employees departed with something they shouldn’t have. Some remedies under the DTSA are new and present significant risk to companies. In particular, in extraordinary circumstances, courts can order ex parte orders to seize from the defendant property allegedly containing the stolen trade secrets, without the defendant first having a chance to be heard or even be given notice. Now, the DTSA also provides for all of the traditional remedies including injunctive relief, compensatory damages and the doubling of those damages as well as attorneys’ fees in cases of willful and malicious misappropriation, but because the statute is still fairly new – just three years old – there haven’t been that many cases that have gone all the way to a judgement.

One question we always receive is, “How is that ex parte seizure remedy being applied in practice?” Given how extraordinary the relief is and its great potential for abuse, it’s not surprising that while some such orders have issued, most courts are opting to hear and decide traditional TRO and preliminary injunction motions. Courts have generally held that bare allegations that a defendant will destroy relevant property or leave the jurisdiction are not sufficient. Courts have required showings of prior acts by the defendant indicating a propensity to do one or the other of those things before the court will grant the ex parte seizure order.

Tony Biagioli: And just to show how interrelated the criminal and civil components can be in these cases, it’s critical for companies to keep in mind their potential criminal exposure when litigating civilly. Admissions in civil litigation could of course be used in a criminal case. And the flip side is true as well – when resolving criminal matters, it is critical to think about the implications in civil cases. One strategy we have used is to resolve criminal matters on attempt or conspiracy grounds, without conceding actual misappropriation – this preserved our ability to contest damages on the civil side because we hadn’t conceded that the defendant actually obtained or used any of the trade secret information.

Mimi Yang: Well, that concludes our discussion for today. Thank you very much, Peter and Tony, for joining me. For additional information, please visit our website, www.ropesgray.com. And of course, if we can help you navigate any of these developments, please don’t hesitate to get in touch. Thanks for listening everyone.

IN THE NEWS

In Bio-IT World, Attorneys Address ROI of Health Care Compliance

May 16, 2019

Practices: Health Care, Health Care Finance & Restructuring, Health Care Transactions, Life Sciences, Digital Health, Technology, Media & Telecommunications

Health care partner Michael Lampert (Boston) and corporate associate Richard Harris () co-authored an article published on May 15 by Bio-IT World that discusses the return on investment of health care compliance.

The authors explain that health entrepreneurs and health-focused investors seeking to scale quickly may be tempted to view compliance programs as a luxury item to address when the business is more mature. But that fails to view compliance in its fullest form—which is ongoing confirmation that a business is on a sound track, and developing a reliable revenue model.


The Return on Investment of Healthcare Compliance

Bio-IT World

By Michael Lampert and Richard A. Harris II

May 15, 2019 - Compliance is foundational—it supports the sustainability of a business model and revenue. Noncompliance can yield assessment of penalties, revocation of licenses, distraction of management, reputational harm and loss of employees. It also can yield erosion of revenue, if the business model under it is found to be unstable, and significant value depletion.

Medical technology company Theranos’s $9 billion stock value suddenly collapsed when federal regulators found the company’s laboratory practices to “pose immediate jeopardy to patient safety.” The myriad of the company’s compliance failures resulted in the federal government’s banning the company from using its proprietary finger-prick technology, and banning the Theranos CEO from owning or running a medical laboratory for two years, in addition to civil and criminal investigations followed by two class action fraud lawsuits. According to NAVEX Global, Inc., it is not surprising to find that companies with strong compliance programs tend to see greater overall profitability and productivity, fewer material lawsuits, lower litigation settlement costs, and fewer external whistleblower reports.

Healthcare is one of the most heavily regulated industries. Healthcare companies, especially in growth phase, must be able to demonstrate the ability to comply with the laws that control their business and to identify fissures in operations quickly. Entrepreneurs and investors should therefore view compliance as a competitive advantage that puts the company in a favorable position to avoid—and swiftly and effectively to tackle—potential regulatory challenges.

Seven Elements of a Compliance Program

The Office of Inspector General (OIG) of the U.S. Department of Health and Human Services, in addition to other authorities, like the Department of Justice, has developed general expectations of compliance programs that organizations in the healthcare industry should operate. The scope of a company’s compliance program will vary depending on the size of the company and the risks that it faces. Extracted from OIG guidance, the discussion below outlines the seven elements that are expected to be part of an effective compliance program, and how startups may consider addressing them.

1. Policies, Procedures and Standards of Conduct

A foundational element is a written Code of Conduct that guides the company’s operations and articulates a commitment to compliance by all. Models are readily available and can be adapted with ease. Having a Code of Conduct is table stakes that any company can easily meet.

Next up are written policies and procedures. Here, companies should think about where their greatest risks lie in their space in the industry. Having even rudimentary policies appropriate for a startup in the core areas of risk is important, as policies provide an important launching point for basic training and articulation of standards.

2. Compliance Team

Mature companies will have not only a full-time compliance officer but a significant compliance staff. A startup just out of the gate obviously will not be at that stage. But a startup of any size should have a designated individual who is responsible for compliance, and, as the company grows, compliance should become more and more of the person’s role—until there eventually is a freestanding compliance group. While OIG guidance leans against having the compliance officer be, or be subordinate to, a company’s general counsel, for smaller companies the commonalities in expertise often will support a dual legal and compliance role. The individual chiefly responsible for compliance should have access to the CEO and to the board as needed.

3. Training and Education

Companies that fail properly to train and educate their staff obviously risk greater likelihood of liability for violating healthcare laws, and greater penalties. They also deny themselves the opportunity to multiply—through their staff—the number of eyes out to identify areas of potential noncompliance to be addressed. Training should include the company’s Code of Conduct and key policies for the relevant personnel, and as a general matter should recur annually. Companies should keep track of training that they offer, and of individuals’ completion of it.

4. Effective Lines of Communication

Companies should educate their staff—including through the Code of Conduct and training—on the critical value of reporting compliance concerns. Key messaging for a startup can be that unsustainable practices should be nipped in the bud.

An important element of compliance programs for all companies is providing an opportunity for individuals to report their concerns anonymously. That arguably is even more important in a relatively smaller company where smaller staffs preclude natural opportunities for individuals with concerns to report them to someone not in a direct supervisory position. Messaging of the value of reporting therefore should emphasize not only that the company, from day one, has a policy of non-retaliation for good-faith reports of concerns, but also that individuals should make use of anonymous reporting means if they feel it necessary.

5. Well-Publicized Disciplinary Guidelines

As alluded to above, company staff should be educated on the critical importance of compliance and that noncompliance has consequences. At the minimum, the company’s Code of Conduct should set forth general expectations of disciplinary action, including termination for violations of the Code and applicable laws and regulations.

6. Internal Monitoring and Auditing

In a very small company, it is not hard for management to know everything that is happening. However, as companies grow, there comes a point at which it is impossible to know that. CEOs of quickly-developing companies probably will remember the first day when the company hired someone whom they did not know—and that day almost surely occurred long after the CEO no longer had visibility to all employees’ work. Companies in growth stage therefore need to consider what activities are occurring without natural oversight; which of those activities present the most risk; and how they might monitor them on an ongoing basis, and periodically audit them looking back.

Inherent in the process that we describe above is assessing which activities present the most risk. Periodically stepping back to conduct a risk assessment is a crucial element of compliance programs (indeed, OIG guidance suggests that the process be conducted annually). The nature of a risk assessment will change as a company matures, but, for companies of all sizes, the process is an important tool in assessing where to prioritize efforts and to focus resources to get the most bang for the buck. For companies in growth—and fundraising—modes, a risk assessment also presents an opportunity to demonstrate to potential partners and investors that the company has soundly plotted its future.

7. Development of Corrective Actions

Whenever an audit, ongoing monitoring, or a staff member’s concern has identified a problem, a company of course must address it. As a company grows, it should formalize a process to log material corrective actions, in order to demonstrate its responsiveness to concerns when they are raised. That not only establishes discipline to remediate problems, but also establishes a record of attentiveness and development to show prospective partners or investors the company’s stewardship of its business and its establishment of a platform for sustainable growth.

Health entrepreneurs and health-focused investors seeking to scale quickly may be tempted to view compliance programs as a luxury item to address when the business is more mature. But that fails to view compliance in its fullest form—which is ongoing confirmation that a business is sound, on a sound track, and developing a business and revenue model that is reliable. Attention to a compliance program as one of the many pillars that a company will need, and building it while building the other pillars at its side, can help to position a company for sustainable, and hopefully exponential growth.

Michael B. Lampert is a partner in the health care practice with global law firm Ropes & Gray in Boston. He provides clients with strategic, regulatory and transactional advice. He also guides clients in rigorous compliance assessment and development projects as a component of investigations arising from allegations of significant noncompliance.

Richard A. Harris, II is an associate practicing health law in the corporate practice at Ropes & Gray in New York. He works with health care clients confronting a variety of complex transactional, regulatory and compliance issues including mergers and acquisitions, federal and state fraud and abuse laws, and government enforcement defense.

February 27, 2019

New International Pharmaceutical Practice Code Tightens Restrictions on Gifts

Attorneys: Mimi Yang, Bonnie Doyle, Adam T. Kennedy

Introduction

On January 1, 2019, the revised Code of Practice issued by the International Federation of Pharmaceutical Manufacturers & Associations (IFPMA) went into effect. Among the most consequential revisions to the Code, which is binding on all member companies and associations wherever they operate, is a blanket prohibition on gifts provided to health care professionals (HCPs). Cultural courtesy gifts (such as mooncakes or condolence payments), as well as non-monetary promotional aids and reminder items for prescription-based medicines (branded Post-its, mouse pads, etc.), where previously permitted, are now banned. This brings the global IFPMA Code in line with similar prohibitions already in effect in Europe and the United States.

In the medical device industry, AdvaMed, a global trade organization for medical technology companies, recently announced changes to their own Code of Ethics on Interactions with U.S. Health Care Professionals, which will go into effect in 2020.[1] Among other revisions, these changes revise the Code’s gift policy to clarify that member companies are not permitted to provide gifts to HCPs even in recognition of life events, including funerals. While the AdvaMed Code currently only applies to interactions with U.S. HCPs, if past changes are any indicator, these changes will likely be rolled out to other geographies in the coming years.

[1] Ropes & Gray has prepared an in-depth review of the new AdvaMed Code.

A recent example of this phenomenon can be seen in the global phase-out of direct sponsorship of HCPs for their attendance at conferences and events. In the United States, this practice was first banned by AdvaMed and PhRMA (AdvaMed’s counterpart in the pharmaceutical industry) in 2009, beginning years of discussion in other jurisdictions. Finally, prohibitions on direct sponsorship were rolled out in early 2018 by medical technology trade associations across the world, acting in coordination with and following the lead of the United States. Direct sponsorship has now been phased out in the AdvaMed China Code, the MedTech Europe Code, the Mecomed Code (regulating the Middle East and North Africa), and the APACMed Code (regulating the Asia-Pacific region).

These changes are all part of a larger trend towards hostility to any type of gifts to HCPs within the life sciences industry more broadly. Indeed, there have been recent media reports of major pharmaceutical companies updating their global gifts policies to ban all gifts to HCPs.

This article will provide an overview of these changes. We also discuss various compliance risks associated with the changes, in light of both the IFPMA and AdvaMed Codes and within the broader regulatory environment. Lastly, we will review recent cases brought under the United States Foreign Corrupt Practices Act (FCPA) against life sciences companies in connection with gifts given to HCPs to further illustrate the compliance challenges facing the industry.

The 2019 IFPMA Code Changes and Global Effects

Background of IFPMA

The pharmaceutical industry is highly regulated, and the regulatory regimes are often complex and overlapping. Companies are generally subject to both the public laws and regulations of the states in which they operate, and self-regulation through trade associations such as IFPMA. One of IFPMA’s objectives is to provide integration and leadership to the many national and regional pharmaceutical industry trade associations, each of which typically has its own local code of conduct and mechanisms for administering complaints and violations. At least 50 national and regional associations are members of IFPMA, including EFPIA (Europe), PhRMA (United States), RDPAC (China), and AMIIF (Mexico). The 2019 revisions to IFPMA’s code of conduct are binding on all of these member associations, and their own local codes of conduct must meet IFPMA’s global minimum requirements.

Overview of Changes to New 2019 IFPMA Code of Practice

The previous version of the IFPMA Code, which was issued in 2012, prohibited gifts for the personal benefit of HCPs, but explicitly allowed promotional aids and stated in its Q&A section that social courtesy gifts such as those for significant “national, cultural or religious events” could be acceptable. With the explicit ban on social courtesy gifts and the removal of the provision for promotional aids when they are in connection with prescription drugs, the IFPMA brings its global 2019 Code more in line with the stricter guidelines already imposed by some of its member organizations on a regional or national level. IFPMA specifically cites the European Federation of Pharmaceutical Industries and Associations (EFPIA) and the Pharmaceutical Research and Manufacturers of America (PhRMA) codes as early leaders in the increased regulation of gifts to HCPs. The first key update to the gift-giving provisions in the 2019 Code is the addition of “social courtesy gifts” to the list of items considered improper gifts for the personal benefit of HCPs.
In a supplemental Q&A provided by IFPMA to accompany the new Code, it states “[N]ow IFPMA members are banning any exceptions like customary gifts for significant national, cultural or religious events (for example mooncakes or condolence payments).”

The second new gift-giving provision is a broad prohibition on giving HCPs promotional aids (a non-monetary item given for a promotional purpose) related to prescription-only medicines. This includes Post-its, calendars, diaries, and any similar “reminder” items with company or product logos. This breaks from the previous 2012 Code, which permitted promotional aids for prescription-only medicines as long as they were relevant to the HCP’s practice. The only narrow exception to this ban in the 2019 Code is for pens and notepads provided at company-organized events, solely for note-taking purposes. Even these materials, however, must be of the minimum value and quantity for their note-taking purpose. The new promotional aid restrictions are intended to avoid any perception of undue influence from the pharmaceutical industry on HCP prescribing decisions, and the IFPMA states that these changes are necessary to keep pace with society’s evolving and increasingly high expectations regarding the industry’s interactions with HCPs. Because of the emphasis on HCP prescribing decisions, the 2019 Code continues to allow providing promotional aids of minimal value and quantity to HCPs when the aids relate to over-the-counter medicines, provided that they are relevant to the HCP’s practice.

The 2019 IFPMA Code also includes a new “Ethos,” which replaces the “Guiding Principles” of the previous Code. The stated goal of the new Ethos is to “shift from a rules-based approach to a Code based on values and above all, patients’ trust.” Rather than a list of numbered principles, the new Ethos is represented graphically in a chart, with “Trust” at the center supported by IFPMA’s other fundamental values, including honesty, care, fairness, and respect. The IFPMA intends this emphasis on patient trust to result in better business behaviors between its members and HCPs.

Case Study: Chinese RDPAC Changes in Relation to IFPMA Code

As many national trade associations have done, China’s R&D-based Pharmaceutical Association Committee (“RDPAC”) has consistently changed its code over the years to follow the IFPMA Code. A review of changes over recent years serves to illustrate how the IFPMA Code guides the creation of national codes, while national codes may sometimes impose stricter requirements than the IFPMA Code itself.

• In 2012, IFPMA issued the previous version of its Code, which remained current until the present version in 2019. RDPAC amended its own code in 2012 as well, substantially adopting the new IFPMA requirements.

• RDPAC then revised its own code again in 2015, although no new IFPMA code had been issued. These changes included a prohibition on the giving of cultural gifts (“风俗礼品”; which is the same Chinese word later used to translate “social courtesy gifts” in the 2019 IFPMA Code) to HCPs. This change was above and beyond what IFPMA required at the time.

• In 2017, RDPAC again revised its code without changes to the gift-giving provisions.

• In late 2018, RDPAC announced that it had again issued a new Code, incorporating the changes to the 2019 IFPMA Code. The 2019 RDPAC Code is not yet available online at this time, but will presumably include updates reflecting the new IFPMA Code’s prohibition on prescription drug promotional aids and maintain its cultural gift ban.

Compliance Risks Associated With New IFPMA Code

The impact these changes to the IFPMA Code will have from a compliance perspective merits careful consideration. As a trade association, IFPMA’s Code is self-regulatory “soft law” rather than state-enacted law, which would have corresponding investigative and enforcement bodies. While IFPMA does provide a limited process for hearing complaints, adjudicating disputes, and publishing opinions concerning its Code, its enforcement capability is limited. National IFPMA member organizations, for their part, often have their own complaint and enforcement processes. The practical result of this is that, while all IFPMA members and their affiliates are now subject to the cultural courtesy gift and prescription medication promotional aid bans, the full range of self-regulatory requirements and enforcement mechanisms will continue to differ country to country.

Additionally, it is not always clear how much bite the new Code and the updated national codes have in practice. For instance, as discussed above, China’s IFPMA-affiliated industry group RDPAC implemented a ban on cultural gifts (“风俗礼品”) as early as 2015. However, the practice of giving gifts to doctors, including mooncakes, appears to have continued largely unchanged. For instance, it was reported in Chinese media that in September 2018, one Guangdong doctor received gifts valued at RMB 100,000 ($14,700 USD) in observance of the 2018 Mid-Autumn Festival, when mooncakes are traditionally given. The degree to which compliance in China may change, in light of the new 2019 RDPAC code and Chinese press attention surrounding IFPMA’s new focus on cultural courtesy gifts, remains to be seen. The recent changes to the IFPMA Code have received coverage in Chinese press, in part because the IFPMA Code explicitly highlights the giving of mooncakes as being inconsistent with its new rules.
But while non-compliance with the IFPMA Code may not necessarily lead to sanctions from IFPMA or national member associations, as suggested by China’s example above, some conduct prohibited by the Code is also prohibited by a wide variety of local and international laws and regulations, depending on where the companies operate. Some of these laws are vigorously enforced by government regulators. For instance, interactions between pharmaceutical R&D companies and HCPs may be subject to more generalized national bribery and corruption legislation, including the U.S. Foreign Corrupt Practices Act (FCPA) and the U.K. Bribery Act, as well as local laws such as South Korea’s Kim Young-ran Act or Brazil’s Clean Companies Act.

Specifically, anti-bribery legislation has potential application to the giving of gifts to HCPs; these acts criminalize (among other behavior) the giving of cash or gifts to foreign government officials intended to influence them or improperly secure business. In countries with state-run health systems, including China and various countries throughout Europe and South America, HCPs often qualify as foreign government officials. This has led to criminal enforcement and millions of dollars in penalties for numerous pay-to-prescribe schemes in the recent past, discussed below.

Understanding the differences and overlap between the cultural courtesy gift ban under the IFPMA Code and anti-bribery legislation is an important part of managing risk for pharmaceutical companies. Key distinctions to highlight are whether the HCPs can be classified as foreign officials, and whether the gifts in question were made with the intent of influencing prescribing decisions or securing future business. While neither of these determinations matters under the IFPMA Code, which prohibits any gift by a pharmaceutical company to any HCP, regardless of intent and regardless of the nature of the countries’ health care system, these distinctions remain hugely important for anti-corruption enforcement. Member companies should consult with their legal counsel, including competent local counsel, to address individual compliance and enforcement risk at this level.

Beyond direct enforcement risk, failing to comply with the new changes can lead to other types of risk.
IFPMA is a leader in the pharmaceutical field, and part of its function is to set norms and expectations within the industry; failing to meet these norms creates reputational risks, and invites scrutiny from other actors, including the media and government regulatory bodies.

Case Studies and Compliance Challenges

By prohibiting “cultural courtesy gifts,” IFPMA is specifically targeting customs that are common business practices in certain parts of the world, but that may create the appearance of a bribe, conflict of interest, or improper influence when viewed outside of their cultural context (regardless of the intent behind the gift). This is in line with the IFPMA Ethos, also new to the 2019 Code, which “aims to shift from a rules-based to a values-based code.” It will also be challenging to implement for companies operating in regions where the giving of mooncakes and condolence payments remains a common practice.

Even before these more stringent changes to the IFPMA Code were put into effect, many major pharmaceutical companies failed to prevent payments and gifts that amounted to bribes under the FCPA and other anti-corruption statutes, and faced enforcement actions and large penalties as a result. As recently as September 2018, Charles Cain—FCPA Unit Chief of the SEC Enforcement Division—remarked on the prevalence of pay-to-prescribe bribery in the pharmaceutical industry, and indicated that scrutiny and enforcement would continue: “While bribery risk can impact any industry…more work needs to be done to address the particular risks posed in the pharmaceutical industry.”

A sample of recent FCPA cases demonstrates that bribes given to HCPs remain a huge compliance risk for life sciences companies throughout the world, especially in China: Orthofix (2017, Brazil); AstraZeneca (2016, China and Russia); Novartis (2016, China); Bristol Myers Squibb (2015, China).
IFPMA and AdvaMed member corporations clearly face significant risk in this area; each of the companies listed above is a member of its respective trade association. These and similar FCPA cases have resulted in hundreds of millions of dollars in penalties. Scrutiny is only expected to increase in light of IFPMA’s new Code. Companies that are members of any IFPMA-affiliated trade group are well advised to carefully scrutinize their own gift policies and internal controls, and consider how they will comply with these new, stricter rules. Those companies doing business in regions where cultural courtesy gifts are commonplace, including China, South Korea, Vietnam, Japan, and many other parts of Asia, should do so with particular care.

This alert should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This alert is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. © 2019 Ropes & Gray LLP

September 5, 2018

Bid Rigging: For Multinationals, More Than Just a Local Law Violation

Bid Rigging: An Introduction

In many countries, purchases of products or services[1] by government or public entities take place primarily through public tenders. The theory behind conducting such tenders is that they will allow the purchasing entity to evaluate competitive bids and to select those that are of the best quality and that represent the best value for money, increasing transparency in the purchasing process and reducing the risk of corruption. Generally, a public tender begins when a purchasing entity publicly issues a set of tender specifications for the type of product that it wishes to purchase, as well as instructions on how to prepare and submit a bid. After a specified number of bids are submitted or the allotted time for the public tender ends, the end user or a designated tender committee will evaluate the bids and select the one that they find to be the best fit according to defined criteria. Of course, the particular rules and procedures for public tenders vary from jurisdiction to jurisdiction. In China, for example, local law requires that for most purchases made by government entities, the purchasing entity must receive a minimum of three competitive bids and select one bid from among them.

While public tenders have many uses, the significant value of the transactions that are often conducted through these tenders means that participating companies and/or their sales employees have an incentive to try to subvert the process. Therefore, participating companies and the third-party intermediaries that represent them in bidding often try to find ways to ensure that their company’s product is the one selected.
This is an activity referred to as “bid rigging.”

The most straightforward type of bid rigging involves collusion between a bidder (either a participating company or a third-party intermediary) and an individual at the purchasing entity who has decided that he or she favors the participating company’s product. In one version of such collusion, the individual at the purchasing entity may assist a bidder to win the bid by issuing technical specifications for the public tender that favor that bidder’s product or make it impossible or unlikely for other products to win. Alternatively, the individual at the purchasing entity may give information about the other bids to a bidder such that the bidder can craft its bid to ensure winning, or allow the bidder to revise its entry despite tender rules prohibiting such behavior.

A somewhat more complicated version of bid rigging is where bidders engage in a system of “accompanying bidders,” in which multiple bidders (or multiple entities affiliated with the same bidder) conspire to determine the outcome of a bidding process. Again, this can be done either by participating companies or by third-party intermediaries acting for them. The most common approach is that one bidder is designated among the colluding parties as the “main bidder” that is intended to win the tender process. The main bidder’s proposal is submitted alongside bids from accompanying bidders that offer inferior products and/or higher pricing to ensure that the main bidder wins the tender, while the requirement of multiple bids for a public tender is nominally satisfied.

Notably, this type of bid rigging may take place with or without knowledge by the purchasing entity. Sometimes, the purchasing entity has chosen which product it would like to purchase, and thus agrees to look the other way while accompanying bidders are organized and not to look too carefully into their bids. At other times, the purchasing entity may not be aware of the plan to present accompanying bidders. In that case, the individual colluding bidders may simply agree amongst themselves that some of them will put in sub-par bids, perhaps in exchange for a fee or with the understanding that the main bidder will in a future tender act as an accompanying bidder in order to repay the favor. In an alternate version of the accompanying bidder scheme, colluding third-party intermediaries may put forward fake bids for companies that are not even aware that the tender is taking place.

[1] The behavior discussed in this Alert applies to public tenders both for product purchases and service contracts. For linguistic convenience, however, this alert refers only to product purchases.

Public Tenders and Bid Rigging in Asia

Most countries have laws and regulations on bidding and tenders that prohibit bid rigging. For example, in China – where public tenders are common in industries that involve dealings with state-owned entities (“SOE”) or the use of government funds – the Bidding Law of the People’s Republic of China (“PRC Bidding Law”) issued in 2000 contains express provisions that, amongst others, prohibit:

• The tenderee disclosing information regarding potential bidders or other information that may affect fair competition;

• The tenderee disclosing details of minimum bid;

• The bidders colluding with each other or the tenderee;

• The bidders paying bribes to the tenderee or the bid evaluation committee;

• The bidders submitting bids that are lower than cost;

• The bidders submitting bids in other persons’ names; and

• The bidder using other fraudulent or deceptive methods to win the bid.

The prohibitions of the PRC Bidding Law are further clarified in the Regulations on the Implementation of the Bidding Law of the People’s Republic of China (“PRC Bidding Regulations”) issued in 2011. For example, “bidders colluding with each other” includes situations where:

• bidders discuss with each other bidding prices or other substantive contents of the bidding documents;

• bidders agree on the winning bidder;

• bidders agree that some bidders would pursue or forego the tender;

• bidders from the same group or organization agree to submit bids in accordance with the group’s or organization’s demands;

• bidding documents for different bidders are drafted by the same individual or entity;

• different bidders delegate tender-related affairs to the same individual or entity;

• different bidders submit bids with suspicious pricing patterns; and

• different bidders pay bid guarantee deposits from the same entity or bank account.


Violations of the PRC Bidding Law or the PRC Bidding Regulations may result in invalidation of the bid, confiscation of illegal gains, additional monetary penalties, suspension of bidding rights, and revocation of business license. Moreover, if any action violates applicable criminal laws, there may be further criminal liability as well, which includes monetary fines and imprisonment. In addition to this centralized guidance, there are also industry- and sector-specific rules and regulations regarding tenders with further prohibitions against bid rigging, such as the Construction and Engineering Design Bidding Management Measures for construction projects, and various municipal and/or provincial Measures for the Administration of Centralized Bidding Procurement of Drugs in Healthcare Institutions for drug procurements. Moreover, bid rigging activities may be in violation of laws and regulations governing antitrust and unfair competition, including the Anti-Unfair Competition Law of the People’s Republic of China, and the Anti-Monopoly Law of China. In Korea, public tenders are also common, as they are required for all construction contracts by central government agencies worth over 200 million won or for goods or services contracts by central government agencies worth over 20 million won, as well as many contracts by local government entities. The Act on Contracts to Which the State is a Party (the State Contract Act) mandates that all participating bidders in public tenders promise not to “offer or receive money, goods, entertainment, or any other benefit directly or indirectly in the course of making or accepting a tender or signing or performing a contract,” and, further, that they make an “integrity agreement” with the tendering entity specifying that the contract may be cancelled if this promise is broken. 
The State Contract Act further mandates that the determination of the successful bidder shall be made according to certain competitive factors based on price and the criteria specified in the tender notice, and that the bidding be carried out according to the principles of transparency and fairness. A person or entity found to have offered a bribe in relation to a public tender or who has engaged in collusive behavior in relation to such will be restricted from participating in public tenders for all central government agencies for a period of up to two years. Criminal penalties are also possible for involved individuals. Because numerous situations involving bid rigging have been uncovered in Korea, the country’s Fair Trade Commission (FTC) has implemented a Bid Rigging Indicator Analysis System (BRIAS) designed to identify cases of collusion. For bids above a certain price, BRIAS automatically analyzes data such as bid price as a percentage of the reference price and the number of participants in public tenders, and the method of competition, applying a formula that produces a score intended to show risk of bid rigging. For bids where the score is above a certain threshold, the FTC undertakes further investigation.

Risks of Bid Rigging and Other Public Tender Manipulation

In addition to local law risks, bribes or improper benefits are often provided to either the accompanying bidders or to the end users in connection with these arrangements. Thus, participation in public tenders brings with it an elevated risk of bribery. In bid rigging cases that involve collusion between a participating company and an end user, these payments will be direct; that is, a payment will be made by the company to an end user to pervert the public tender process. 
For example, a company may pay a customer to favor that company’s bid in the tender, to issue tender specifications in a manner favorable to the company, to falsify documents, to look the other way in the case of accompanying bidders, or to otherwise corrupt the bidding process in a manner favorable to the company. Such payments may be cash or may come in the form of gifts and entertainment provided to customers or tender officials during the tender process.

Where the arrangement of accompanying bidders or other bid rigging behavior is carried out not directly by the company but by a third-party intermediary, the company may make a payment directly to that intermediary that is either passed through to the purchasing entity or—in a case where the purchasing entity is unaware of the accompanying bidder situation—taken by that third-party intermediary as a fee for the service. Alternatively, the cost incurred by a third-party intermediary in making arrangements to win the bid may be considered and allowed for when sales employees at the company offer discounts to that intermediary, and will thus be paid out of that intermediary’s margin.

Practical Case Studies

As early as 1999, the United States Department of Justice had noted that payments as part of a bid rigging scheme may also be corrupt payments that violate the United States Foreign Corrupt Practices Act or local anti-corruption laws. In an unnamed case, U.S. regulators discovered that improper payments were made both to an intermediary to facilitate a conspiracy to rig bids, and to contracting government officials of companies preparing to award contracts, for the purpose of influencing the award decision.

A publicized example that highlights the relationship between bid rigging and corruption is the recent allegations against pharmaceutical bidding agents in Malaysia. In or around June 2018, media sources reported that local bidding agents, with the assistance of international pharmaceutical companies, would engage in bid rigging known as “bid-rotation” to limit competition and take turns to secure supply contracts. The bidding agents allegedly pocketed close to 4 billion Malaysian Ringgits (approximately 990 million USD) through the alleged collusion. Moreover, some of these entities are allegedly close to or owned by Malaysian politicians, high-ranking government officials, and/or their family members. 
The allegation has led at least one Malaysian MP to urge the central government to cut out tendering agents with regard to public pharmaceutical procurements.

In recent local enforcement matters, we see instances where one bidding agent, with the assistance of international product suppliers, would make improper payments to other bidding agents (who represented either the same supplier or competitor suppliers) in order to secure government procurement contracts on behalf of the international product supplier. In rare instances, the recipient of the improper payments may later be selected – either by chance or on purpose – to sit on the assessment committee of the relevant tenders. As a result of the recipients’ change in status, a payment that may have originally violated only local bidding laws could now be seen by regulators as an improper payment to a government official, which would be in violation of anti-bribery laws as well.

Suggestions for Multinationals

As highlighted above, bid rigging in public tenders is often difficult to detect and may lead to notable adverse consequences for implicated individuals and entities. Therefore, companies should incorporate measures in their internal control framework that help prevent, detect, remediate, and deter bid rigging. These measures may include:

• Adopting and implementing clear and reasonably detailed policies and procedures regarding public tenders, including specific provisions prohibiting bid rigging and other corrupt conduct;
• Providing routine and periodic compliance trainings and policy reminders to all staff involved in the public tender process;
• Maintaining a centralized database to record all public tender activities and documents, and conducting regular reviews of the database to understand statistical trends and look for potential anomalies;
• Conducting reasonable background checks on and justifying involvement of any third parties (e.g., distributors, agents, etc.) involved in the tender process;
• Comparing bid quotations to entries in the accounting system to check for discrepancies or anomalies;
• Regularly monitoring public tender announcements, including the final winning bid/price, and comparing the final bid to internal bid documents;
• Establishing protocols that seek to fairly and adequately address allegations of bid rigging should such allegations arise;
• Staying current on industry news and insights to understand new and/or prevalent forms of bid rigging practices; and
• Conducting periodic reviews, possibly with the assistance of professional external advisors, to assess adequacy of existing internal controls and make enhancements where needed.

Although the risk of bid rigging is inherent to public tenders and difficult to eliminate, these and other suitable internal control measures can help mitigate the relevant risks and provide a defense to government regulators. Many multinationals that rely on public tenders as part of their business strategies already have put some, if not all, of the above measures in place, and we urge those that still do not to do the same.

This alert should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This alert is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. © 2018 Ropes & Gray LLP

August 2, 2018

Implications of Distributor Misconduct for Global Health Care and Life Sciences Companies

Health care and life sciences companies with operations in the United States and abroad face increased liability arising from their common reliance on third-party distributors in international markets. Third-party distributors are often responsible for the direct marketing and selling of a company’s products outside of the U.S. and provide value to multinational companies based upon their presence in local markets, including experience with local regulatory authorities, relationships with local businesses, and established on-the-ground infrastructures and resources. The U.S. Foreign Corrupt Practices Act (“FCPA”) and other nations’ anti-corruption laws specifically hold companies accountable for the actions of third parties, which may give rise to unanticipated material liabilities if companies do not adequately oversee third-party agents. Although all companies operating abroad should generally be aware of potential liability under the FCPA, health care and life sciences companies may be at even greater risk given the nature of their products, which often need regulatory approval, are paid for by government payors, and may involve risk to patient health and safety.

Much like the domestic approach to addressing corruption in ex-U.S. operations through the FCPA, many nations have developed anti-corruption regimes that hold multinational companies accountable for third-party activity. For instance, the U.K. 
Bribery Act (2010) prohibits the promise or giving of financial or other advantage to induce or reward the improper performance of a relevant function or activity through a third party.1 Similarly, Brazil’s Clean Company Act (2013) prohibits the direct or indirect offer of an undue advantage to a public official or a third person related to the official.2 The Clean Company Act also generally prohibits a company’s use of an intermediary to conceal the company’s true interests or the identity of the beneficiaries of actions performed to the detriment of domestic or foreign public assets.3 Although China’s Anti-Unfair Competition Law traditionally did not address third-party liability expressly, a 2017 amendment to the law prohibits a business entity from providing or promising economic benefits to induce a third party to seek trading opportunities or competitive advantages on behalf of the business entity.4 These legal and enforcement changes showcase third-party misconduct as an area of increasing regulatory scrutiny. In 2017, corporate resolutions between health care and life sciences companies and the U.S. Department of Justice (“DOJ”) and Securities and Exchange Commission (“SEC”) constituted 27.3% of all FCPA-related corporate resolutions, and global trends suggest that foreign authorities have increasingly been cooperating with U.S. authorities in FCPA enforcement efforts over the past five years.5 If the increase in U.S. anti-corruption enforcement against health care and life sciences companies operating abroad is any indication, companies should prepare for increased anti-corruption activity internationally. To avoid costly anti-corruption enforcement, health care and life sciences companies should vet and monitor their third-party distributors closely and revisit their internal

1 Bribery Act 2010, c. 23, § 1(2) (Eng.).
2 Lei No. 12.846, de 1 de Agosto de 2013, DIARIO OFICIAL DA UNIAO [D.O.U] de 2.8.2013, Capitulo II, art. 5, sec. III (Braz.).
3 Id. at Capitulo II, art. 5, sec. II.
4 Zhonghua Renmin Gongheguo Fan Bu Zhengdang Jingzheng Fa (Xiudìng) (中华人民共和国反不正当竞争法 (修订)) [Anti-Unfair Competition Law of the People’s Republic of China] (promulgated by the Standing Comm. Nat’l People’s Cong., Nov. 4, 2017, effective Jan. 1, 2018) (China).
5 Mark F. Mendelsohn et al., FCPA Enforcement and Anti-Corruption Year in Review, HARV. L. SCH. F. CORP. GOVERNANCE AND FIN. REG. (Feb. 11, 2018), https://corpgov.law.harvard.edu/2018/02/11/fcpa-enforcement-and-anti-corruption-year-in-review/.

controls and compliance programs regularly to safeguard against liability under the FCPA and the evolving constellation of local anti-corruption laws.

I. Enforcement: Anti-Corruption Laws and Improper Third-Party Actions

The DOJ and SEC have imposed direct liability upon companies based on improper activities of third-party distributors acting on the behalf of the companies. Exposure to risk is created by activities such as failing to adequately oversee third-party distributors or disregarding these distributors’ corrupt activities and relationships to further business goals. A number of recent enforcement matters illustrate the behaviors of and interactions between companies and their distributors that the DOJ and SEC deemed problematic under the FCPA.

In June 2016, Analogic Corporation (“Analogic”), a Massachusetts-based medical device company, and its wholly owned subsidiary in Denmark, BK Medical ApS (“BK Medical”), agreed to pay more than $14M under a non-prosecution agreement and settlement agreement with the DOJ and SEC, respectively. The company entered into these agreements to resolve FCPA charges for allegedly allowing BK Medical to be used as a “slush fund for its [third-party] distributors.”6 BK Medical’s distributors routinely requested that BK Medical create “special invoices” to exaggerate the sales price of BK Medical’s ultrasound equipment. After BK Medical received the inflated payments from distributors, it wired the excess funds to various third parties, as requested by the distributors, without determining whether there was an appropriate business reason for the payments. Altogether, BK Medical paid approximately $20 million over the span of nine years to third parties with whom it did not have established business relationships.7 The SEC asserted that BK Medical violated the FCPA’s books and records provisions when the company falsified its books (which rolled up into Analogic’s books), causing Analogic to document BK Medical’s doctored financials in Analogic’s books and records. 
These improper payments, the unjustified basis for the payments by distributors, and Analogic’s failure to devise and maintain an adequate system of internal controls exposed Analogic to significant FCPA risk.8 In addition to risk exposure at the entity level, this enforcement action also included imposition of individual liability upon executives who recklessly disregarded the corrupt actions of their corporations’ third-party distributors. BK Medical’s former Chief Financial Officer (“CFO”) paid a civil monetary penalty of $20,000 to the SEC to resolve charges that he knowingly disregarded the company’s internal controls and falsified its books and records.9 Prior to and during his tenure as BK Medical’s CFO, the executive personally authorized more than 140 suspicious payments to third parties at distributors’ requests, with knowledge

6 Press Release, U.S. Sec. Exch. Comm’n, SEC Charges Medical Device Manufacturer with FCPA Violations (June 21, 2016), https://www.sec.gov/news/pressrelease/2016-126.html; see also Press Release, U.S. Dep’t of Justice, Analogic Subsidiary Agrees to Pay More than $14 Million to Resolve Foreign Bribery Charges (June 21, 2016), https://www.justice.gov/opa/pr/analogic-subsidiary-agrees-pay-more-14-million-resolve-foreign-bribery-charges.
7 See generally Cease and Desist Order, In re Analogic Corp., Exchange Act Release No. 78,113, 114 SEC Docket 8 (June 21, 2016), https://www.sec.gov/litigation/admin/2016/34-78113.pdf. See also Press Release, U.S. Sec. Exch. Comm’n, SEC Charges Medical Device Manufacturer with FCPA Violations (June 21, 2016), https://www.sec.gov/news/pressrelease/2016-126.html.
8 Press Release, U.S. Dep’t of Justice, Analogic Subsidiary Agrees to Pay More than $14 Million to Resolve Foreign Bribery Charges (June 21, 2016), https://www.justice.gov/opa/pr/analogic-subsidiary-agrees-pay-more-14-million-resolve-foreign-bribery-charges. See also Press Release, U.S. Sec. Exch. Comm’n, SEC Charges Medical Device Manufacturer with FCPA Violations (June 21, 2016), https://www.sec.gov/news/pressrelease/2016-126.html. The FCPA includes a “books and records” provision, which requires companies to maintain their internal records in a manner that accurately reflects their transactions, including the transactions of third parties working on a company’s behalf. Foreign Corrupt Practices Act of 1977, Pub. L. 95-213, 91 Stat. 1494 (1977), 15 U.S.C. §§ 78m(b)(2)(A).
9 Press Release, U.S. Sec. Exch. Comm’n, SEC Charges Medical Device Manufacturer with FCPA Violations (June 21, 2016), https://www.sec.gov/news/pressrelease/2016-126.html.

that these actions violated the company’s internal accounting controls.10 As the Chief of the SEC Enforcement Division’s FCPA Unit noted in connection with this enforcement, “Issuers and their subsidiaries cannot turn a blind eye to suspicious payments, even if they believe they are simply ‘helping out’ a business partner.”11 The DOJ and SEC have also targeted distribution arrangements in which life science companies and their subsidiaries used distributors to exert improper influence over government decisions. In December 2016, Teva Pharmaceutical Industries Ltd. (“Teva”) and its Russian subsidiary (“Teva Russia”) agreed to pay approximately $520 million to the SEC in penalties for bribing government officials in Russia, Ukraine, and Mexico through illegal payments and improper discounts. One of the schemes involved Teva Russia allegedly issuing payments through the high profit margins that a Russian company earned as a third-party distributor. The distribution company was operated and partly owned by a government official, while the company’s controlling shares were held in name by the official’s wife. Teva Russia intended these payments to influence the official’s use of his authority to obtain approval in federal program tenders, faster drug registrations, and increased market access.12 Unlike BK Medical, which turned a blind eye to improper arrangements, Teva Russia offered discounts and unusually high profit margins to the distribution company, with the expectation that the government official exert his political influence on the Russian Ministry of Health for Teva’s benefit.13 Recent examples of anti-corruption enforcement by foreign governments against companies operating outside of the health care and life sciences sectors are also instructive. 
For example, the United Kingdom’s Serious Fraud Office entered into a Deferred Prosecution Agreement (“DPA”) in January 2017 with Rolls-Royce, a multinational manufacturer, for failing to prevent bribery committed by one of the company’s third-party distributors. Rolls-Royce entered into a distribution agreement with a Nigerian company to distribute gas compression engines to an oil and gas exploration company. This agreement permitted the distributor to charge a mark-up on Rolls-Royce products, the proceeds of which the distributor used to make improper payments to Nigerian officials in one of the country’s public entities that supervised the government’s investment in the oil and gas sector.14 Notably, Rolls-Royce was not blameless in this arrangement, as evidence indicates the company hired the third-party distributor intending to offer bribes to government officials to secure bids and gain unfair competitive advantages. The company hoped to receive confidential information on technical project details and competitor pricing, and even requested the distributor to stop certain competitor proposals from being accepted.15 However, the Crown Court in its judgment against Rolls-Royce noted that the actions of the third-party distributor were alone sufficient to impose liability on Rolls-Royce for failing to prevent bribery under section 7 of the U.K. Bribery Act.16 The Court treated Rolls-Royce’s bad-faith actions and willful disregard as “aggravating factors” in determining the company’s ultimate fine and whether a DPA (rather than immediate prosecution) was an appropriate remedy.17 While the judgment does not state what Rolls-Royce’s exposure to liability might have been had it not demonstrated bad faith, companies should take note that the U.K. Bribery Act considers adequate procedures to prevent corrupt activities to be a defense, and the willful hiring of the corrupt distributor by Rolls-Royce could be interpreted as a breakdown of the compliance process.18

In light of these enforcement risks, health care and life sciences companies engaging third-party distributors abroad should examine their compliance policies and internal controls using guidance from these agencies and industry best practices. The following sections outline some key considerations and safeguards that companies should take into account when implementing meaningful compliance controls over third parties.

10 See generally Cease and Desist Order, In re Analogic Corp., Exchange Act Release No. 78,113, 114 SEC Docket 8 (June 21, 2016), https://www.sec.gov/litigation/admin/2016/34-78113.pdf.
11 See Press Release, U.S. Sec. Exch. Comm’n, SEC Charges Medical Device Manufacturer with FCPA Violations (June 21, 2016), https://www.sec.gov/news/pressrelease/2016-126.html.
12 SEC v. Teva Pharm. Indus., No. 1:16-cv-25298, 10 (S.D. Fla. Dec. 22, 2016), https://www.sec.gov/litigation/complaints/2016/comp-pr2016-277.pdf.
13 Id. at 14–15 (S.D. Fla. Dec. 22, 2016), https://www.sec.gov/litigation/complaints/2016/comp-pr2016-277.pdf. See also Press Release, U.S. Dep’t of Justice, Teva Pharmaceutical Industries Ltd. Agrees to Pay More than $283 Million to Resolve Foreign Corrupt Practice Act Charges (Dec. 22, 2016), https://www.justice.gov/opa/pr/teva-pharmaceutical-industries-ltd-agrees-pay-more-283-million-resolve-foreign-corrupt.
14 Statement of Facts, Serious Fraud Office v. Rolls-Royce PLC [2017], EWCC (QB) 36, [217].
15 Id. at [224].
16 Serious Fraud Office v. Rolls-Royce PLC [2017], EWCC (QB) 36, [34].
17 Id. at [104].

II. DOJ and SEC’s Guidance on Identifying the Warning Signs for Improper Third-Party Conduct and the Development of Effective Global Compliance Programs

In 2012, the DOJ and SEC published a resource guide on the FCPA that highlights warning signs of improper third-party activity. These signs include, but are not limited to:

• “excessive commissions to third-party agents or consultants;
• unreasonably large discounts to third-party distributors;
• third-party ‘consulting agreements’ that include only vaguely described services;
• the third-party consultant is in a different line of business than that for which it has been engaged;
• the third party is related to or closely associated with the foreign official;
• the third party became part of the transaction at the express request or insistence of the foreign official;
• the third party is merely a shell company incorporated in an offshore jurisdiction; and
• third party requests payment to offshore bank accounts.”19

The DOJ offered additional guidance in 2017 to assist multinational companies in developing effective global compliance programs. 
The guidance highlights elements and controls that multinational companies should consider to strengthen their compliance programs, such as establishing a business rationale for using third parties; developing mechanisms to guarantee that the contract terms with third parties clearly specify the services in which the third parties will be engaged; educating “relationship managers” about compliance risks with third parties; incentivizing compliance for third parties; developing a risk management process; strengthening due diligence protocols; and continuously auditing and improving anti-corruption policies and procedures.20 While it is important for companies to account for such guidance in structuring their compliance efforts, the SEC and DOJ have made clear that a checklist approach to implementing oversight of third-party agents is not sufficient for the establishment of an effective compliance program. Rather, a company subject to U.S. laws that operates abroad should tailor its safeguards against foreign corrupt practices to the specific risks that it encounters in its respective business.

18 Bribery Act of 2010, c. 23, § 7(2) (Eng.).
19 U.S. DEP’T OF JUSTICE AND U.S. SEC. EXCH. COMM’N, A RESOURCE GUIDE TO THE U.S. FOREIGN CORRUPT PRACTICES ACT 22, 23 (Nov. 12, 2012), https://www.justice.gov/sites/default/files/criminal-fraud/legacy/2015/01/16/guide.pdf.
20 U.S. DEP’T OF JUSTICE, EVALUATION OF CORPORATE COMPLIANCE PROGRAMS (Feb. 2017), https://www.justice.gov/criminal-fraud/page/file/937501/download.

III. Guidance for Health Care and Life Sciences Companies’ Compliance Programs

Health care and life sciences companies in particular should be aware of the ways corruption may manifest through third parties, such as inflation of drug or device prices or costs to create a slush fund via a distributor; assertion of improper influence via distributors; and failure to properly oversee a distributor engaging in non-compliant activities. In particular, companies should closely monitor their relationships with third-party distributors and foster a culture of compliance. Key aspects of effective compliance programs include:

A. Monitoring: Companies and their subsidiaries should know their third-party distributors well, understand the business rationale for the third-party distributors’ decisions, and establish monitoring mechanisms to detect red flags and other activities prohibited by the various anti-corruption laws. For example, companies may audit distributor margins21 and conduct trend analysis and comparisons to identify suspicious trends in distributor payments. Companies may also monitor distributors’ interactions with health care professionals who may be considered government officials in some situations and subject to local anti-corruption laws. Further, companies should adopt measures that ensure sufficient oversight of third-party distributors and implement processes in which no single department, particularly sales departments that are more likely to be motivated by achieving sales targets, is unilaterally responsible for making final decisions. Finally, the integrity of these processes can further be protected using tools, such as decision matrices, that require approvals from multiple gatekeepers. Without these measures, unlawful payments to third parties can remain undetected for years.

B. Due diligence: Given the SEC and DOJ’s emphasis on conducting adequate due diligence, companies should be especially vigilant in conducting diligence of third-party distributors prior to starting business relationships. Some helpful tools to conduct more effective diligence include performing public reputation checks and checks to determine if the distributors are connected to politically exposed persons; requiring third-party distributors to complete and attest to a due diligence questionnaire containing questions about whether the company has an accounting system that can detect fraud and other controls that can prevent misconduct; for health care and life sciences products, conducting debarment checks against government payer databases; and requesting certifications from third parties that state that they understand and will adhere to the company’s anti-corruption policies and procedures as well as applicable laws and regulations. Further, while it is essential to conduct diligence at the start of a distributor relationship, it is also necessary to update such diligence periodically. The scope and depth of an appropriate diligence plan will depend on several factors, such as the industries and countries in which a company operates. Nevertheless, companies should engage in risk-based due diligence to adjust the degree of scrutiny as problematic activities are detected.

C. Training: Companies should train employees, particularly those who interact with third-party distributors on a regular basis, to identify potential red flags relevant for the areas where they operate. Useful topics include guidance on when health care professionals could be considered government officials and whether supplying gifts or entertainment to health care professionals could be considered improper payments under applicable local laws or trade association ethical standards. Employees should be retrained periodically, ideally at least annually. When possible, companies would conduct these trainings live and in the local language, to provide employees an opportunity to ask questions and fully comprehend the material. One effective approach involves the presentation of case studies, through which trainees can actively participate in analyzing common risk areas they

21 While a margin audit is an example of a tool that companies can use to identify suspicious trends in distributor payments, companies should not conduct or utilize margin analysis as a means of collusion or concerted effort to fix prices, in contravention of applicable antitrust laws.

might encounter in their day-to-day activities. Such training is particularly important for companies that operate internationally and may find it difficult to monitor the daily activities of third-party distributors centrally. Companies could provide similar trainings to third-party distributors directly, through summits and other distributor events, to create an opportunity for senior management to retrain their distributors and communicate to them the importance of avoiding corrupt behavior. It is important to stress that companies must ensure that trainings of employees and third parties are not a check-the-box exercise. Analogic’s case exemplifies an ineffective training program. In 2008, a Senior Vice President at Analogic believed that BK Medical posed significant FCPA risk for the corporation, so Analogic implemented an FCPA training program for the sales and finance staff of BK Medical. The program addressed business ethics and FCPA compliance. However, despite the training, the subsidiary failed to take any steps to determine whether its distributors were behaving in an unlawful manner, despite various red flags.22 While this is perhaps indicative of other issues such as a general lack of awareness towards compliance, the Analogic case also highlights authorities’ emphasis on the effectiveness of a compliance program. Companies should customize trainings to address the specific needs and situations of each jurisdiction, the unique risks that a company might encounter when conducting business internationally, and should include guidance on specific steps employees at all levels of the corporation may take when improper behavior is detected. In particular, passive distribution of knowledge on corruption-related issues is insufficient; rather, the company will need to have demonstrated that its employees have internalized the trainings and policies, and that the company has taken on an active role in monitoring and preventing third-party misconduct.

D. Culture of compliance: Companies should establish institutional commitment at the outset and foster a top-down culture of compliance to demonstrate their commitment to avoiding corrupt practices. They should widely distribute, and periodically redistribute, their policies and procedures that prohibit bribery to employees at all levels of the company. In addition to implementing training programs for employees, companies should raise awareness at the executive/leadership level of the importance of complying with the FCPA and other anti-corruption laws, and of establishing open lines of communication with employees regarding suspected non-compliance with these laws. Senior management should take particular care to foster an environment in which employees feel the company encourages reporting of concerns. As non-management employees are often responsible for maintaining third-party relationships and serve as gatekeepers, they may be the first to know if corrupt practices are occurring. Thus, companies should ensure that these employees are aware of the available channels of communication to report red flags, which can include anonymous hotlines, in addition to open-door policies with senior managers involved with compliance matters and the compliance department.

Both domestically and abroad, health care and life sciences companies must maintain strong compliance systems to safeguard against corrupt practices. However, the path to global compliance can be challenging, particularly when third parties are involved. Companies’ inability to exercise adequate oversight and control over third-party distributors creates risk, in particular when operating in environments of which they have little knowledge and jurisdictions that are associated with a high risk of corruption. In spite of these and other hurdles, health care and life sciences companies have an obligation to implement safeguards against prohibited activities using what resources they do have.

22 Cease and Desist Order, In re Analogic Corp., Exchange Act Release No. 78,113, 114 SEC Docket 8 (June 21, 2016), https://www.sec.gov/litigation/admin/2016/34-78113.pdf.

This alert should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This alert is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. © 2018 Ropes & Gray LLP

ropesgray.com ATTORNEY ADVERTISING

ARTICLE

CSR & Supply Chain Compliance

March 12, 2018

Corporate Social Responsibility Compliance in 2018, and Beyond – An Overview for In-House Legal Counsel

Lead Author: Michael R. Littenberg

Contributing Authors: Nicholas M. Berg, Andrew J. Dale, Isabel K.R. Dische, Keith F. Higgins, Amanda N. Raad, Melissa C., Julia L. Chen, Joanna Torode

After years of looming on the fringes, 2018 is likely to go down as the year that corporate social responsibility compliance became a core responsibility of in-house legal departments.

The velocity of change has been accelerating and shows no signs of letting up any time soon. Some of the developments in CSR that are driving legal department engagement include: (1) more regulation globally; (2) the mainstreaming of CSR in the investment community, especially around environmental issues; (3) an increasing focus on CSR at the board level; (4) more CSR disclosure and new disclosure frameworks; (5) scrutiny by commercial customers, consumers and other stakeholders; (6) high profile CSR issues in the press; and (7) an increasing willingness by CEOs to engage on social issues.

This Article discusses many of the recent and emerging developments and trends that should be on the radar screen of in-house counsel. It also provides suggestions for legal departments that are building out their CSR compliance function.

Legal Requirements Have Proliferated

Corporate social responsibility has gone from a “nice to have” to a compliance requirement in the last several years. Most regulations have been adopted in the last few years, and these more recent regulations are described below. Regulations broadly (with some overlap) fall into three buckets: (1) disclosure-only, which require companies to discuss whether and how they address a particular issue; (2) those that require companies to put in place compliance programs to address particular CSR issues; and (3) trade-based regulations.

2015

U.S. Federal Acquisition Regulation anti-human trafficking provisions: Prohibits specified human trafficking conduct in connection with U.S. federal contracts and, under certain circumstances, requires a compliance plan to be adopted and certifications to be provided. For more information on the FAR anti-human trafficking provisions, see our Alert here.

U.K. Modern Slavery Act: Requires subject companies to annually prepare a slavery and human trafficking statement that indicates the steps taken to ensure that modern slavery is not occurring in the supply chain or business. See here for some of our resources on the U.K. Modern Slavery Act.

2016

U.S. Trade Facilitation and Trade Enforcement Act: Repealed the “consumptive demand exception” to the Tariff Act. This exception allowed the importation into the United States of goods made using forced labor.

Welsh Code of Practice for Ethical Employment in Supply Chains: The goal of the Code – which covers procurement, supplier selection, tendering and contract and supplier management – is to ensure that workers in public sector supply chains are employed ethically and in compliance with both the letter and the spirit of U.K., EU and international laws. Although not binding legislation, the Welsh government has indicated that it expects businesses involved in Welsh public sector supply chains to adhere to the Code.

2017

French Duty of Vigilance Law: Requires subject companies to establish a vigilance plan to allow for the identification and prevention of severe violations of human rights in its business and at certain subcontractors and suppliers.

EU Conflict Minerals Regulation: Requires EU importers of tin, tantalum, tungsten and gold in mineral or metallic form to conduct due diligence and make certain disclosures concerning the 3TG that they import into the European Union. The regulation also creates a voluntary reporting mechanism for downstream companies to encourage them to responsibly source 3TG. See here and here for some of our Alerts on the EU Conflict Minerals Regulation.

U.S. Countering America’s Adversaries Through Sanctions Act: Creates a presumption that goods, wares, articles and merchandise mined, produced or manufactured wholly or in part by the labor of North Korean nationals or citizens, wherever located, are the product of forced labor. As a result, under the Tariff Act, the goods will be denied U.S. entry absent clear and convincing evidence that they were not produced using forced labor. For our Alert on the CAATSA, see here.

. . . And New Disclosures and More Regulation Are on the Horizon

Australia. During 2018, Australia is expected to propose modern slavery legislation that is modeled on the U.K. Modern Slavery Act. For more information on the proposed Australian modern slavery legislation, see our Alert here.

China. There is speculation that in 2018 China will introduce mandatory conflict minerals legislation that builds on the U.S. Conflict Minerals Rule, which has been in effect for more than four years, and the more recently adopted EU Conflict Minerals Regulation. In 2015, the China Chamber of Commerce of Metals Minerals & Chemicals Importers & Exporters published voluntary conflict minerals guidance.

European Union. The EU Non-Financial Reporting Directive will require an estimated 6,000 subject companies to disclose material information relating to environmental matters, social and employee matters, respect for human rights, anti-corruption and bribery matters and diversity. The first disclosures will be required to be made in 2018.

Hong Kong. A member of Hong Kong’s Legislative Council has sent a draft modern slavery bill to the Hong Kong Chief Executive for his consideration. The draft bill includes reporting provisions similar to those contained in the U.K. Modern Slavery Act. The threshold for reporting is not specified in the bill. At present, adoption of the draft bill is considered unlikely, and, in any event, is not imminent. However, it underscores the momentum that is building for mandatory modern slavery reporting in additional jurisdictions.

The Netherlands. In 2017, the Dutch Parliament adopted legislation that would require companies that sell or provide goods or services to consumers based in the Netherlands to engage in due diligence to mitigate the risk of child labor in their supply chains. The legislation is awaiting adoption by the Senate.

Switzerland. The Responsible Business Initiative, a coalition of Swiss civil society organizations, is seeking to amend the Swiss constitution to create a binding framework to protect human rights and the environment abroad. As proposed, the constitution would be amended to require companies that have their registered office, central administration or principal place of business in Switzerland and their controlled companies to, among other things, carry out appropriate due diligence to identify impacts on human rights and the environment and take measures to prevent violations of human rights and environmental standards and account for the actions taken. Subject companies would be liable for damage caused by companies under their control where they have, in the course of business, committed violations of recognized human rights or environmental standards, unless they can show that they exercised due care.

Last year, the Swiss Federal Council recommended against the RBI’s proposed constitutional amendment and the Council of States has issued a counterproposal. A constitutional amendment is required to be voted on and approved by Swiss voters. The earliest that a proposal is expected to be voted on is late 2018.

United Kingdom. U.K. employers with 250 or more employees are required to annually publish gender pay gap information on their websites. The Gender Pay Gap Information Regulations require subject companies to publish their first statements by early April 2018.

United States. U.S. public companies are required to comply with the pay ratio rule beginning this year. Covered registrants will be required to disclose in their 2018 proxy statements the median of the annual total compensation of all employees and the ratio of the median to the CEO’s annual total compensation. Ropes & Gray client alerts on the pay ratio rule are available here, here, here, and here.

During June 2016, the Securities and Exchange Commission adopted a resource extraction issuer disclosure rule, as required by the Dodd-Frank Act. The rule required U.S. public companies to annually report on payments made to foreign governments and the U.S. federal government relating to the commercial development of oil, natural gas and minerals. Shortly after President Trump took office, the rule was disapproved pursuant to the Congressional Review Act, which allows a rule to be disapproved by Congress within a specified number of days after it receives the rule from the promulgating federal agency. However, the Dodd-Frank requirement to adopt a resource extraction issuer disclosure rule is still on the books, and the SEC has indicated that it is working on a new proposed rule. For more information on the Resource Extraction Issuer Disclosure Rule as adopted, see our Alerts here and here.

Although Selective and Sporadic, Enforcement of CSR Regulations Is Increasing

A common refrain heard from companies is that they do not need to pay much attention to CSR regulations because they are not enforced. To date, this has largely been the case. However, we are starting to see a change, especially with respect to trade-based regulations where enforcement is aligned with policy goals.

Since the repeal in 2016 of the consumptive demand exception to the Tariff Act, U.S. Customs and Border Protection has issued several Withhold Release Orders involving a diverse range of products produced in China using forced labor. In addition, last November, CBP requested information from a significant number of U.S. importers concerning their efforts to ensure that their supply chains are free from forced labor generally, including child and convict labor, and North Korean labor specifically. Among other things, CBP requested information on companies’ diligence findings, corrective actions and suppliers. For further information on these inquiries, see our Alert here.

Enforcement of disclosure-based CSR regulations has been more limited and the penalties for non-compliance are not as severe. In 2015, the California Department of Justice conducted a compliance review of disclosures under the California Transparency in Supply Chains Act. In connection with the review, letters were sent to a significant number of retail sellers and manufacturers that were believed to potentially be non-compliant.

In the United Kingdom, the Independent Anti-Slavery Commissioner has sent letters to over 1,000 companies encouraging improvements in reporting. Most recently, the IASC sent letters to 25 FTSE 100 companies that were identified in a report by the Business & Human Rights Resource Centre as non-compliant with basic requirements of the U.K. Modern Slavery Act and which had not corrected their omissions by December 2017. The letters encouraged the companies to take improved efforts in the coming year. At some point, the United Kingdom is likely to conduct a compliance sweep similar to that undertaken by California.

In addition, public statements pursuant to CSR disclosure regulations that are boilerplate in nature may increase shareholder proposal risk for U.S. public companies. Shareholder proposals are discussed in more detail later in this Article.

Mainstream Investor Focus on ESG Is Increasing

Corporate social responsibility has historically been a focus primarily of niche investors and a handful of large public pension funds. In the years to come, 2018 is likely to be viewed as the tipping point when corporate social responsibility definitively became a mainstream investor consideration. (Note that, in this section and the next, we generally use the terms “ESG” or “E&S,” rather than CSR, since those terms are more commonly used in the investment community.)

Asset owners are increasingly expecting the managers with whom they invest – across a large number of asset classes – to take ESG factors and risks into account, and mainstream managers are increasingly viewing a focus on ESG as integral to the exercise of their fiduciary duties. Over the last few years, there has been a growing body of research asserting that companies that are strong on ESG factors have stronger financial performance over time and/or exhibit less financial risk. In addition, as discussed further below, the rise of index funds, which now represent more than 30% of global fund AUM according to Nasdaq, is changing how large asset managers view corporate engagement.

Underscoring these trends, Principles for Responsible Investment, an investor initiative in partnership with the UNEP Finance Initiative and the UN Global Compact, now has approximately 1,700 signatories. These signatories, which are mostly asset managers and asset owners, have more than $60 trillion of AUM, compared to $22 trillion of AUM in 2010. More than 400 PRI members are based in North America, dispelling the notion that ESG is just a “European thing.”

And asset managers are doing more than just signing on to aspirational responsible investment principles. Over the last couple of years, there has been a significant increase in managers adopting ESG guidelines and procedures for their investment professionals. There also has been an increase in demand for ESG tools and data to assist in evaluating companies on ESG metrics. For example, in 2017, PRI released an ESG due diligence checklist for hedge funds that was developed in conjunction with the asset management industry. This year, ISS has introduced a new E&S scoring methodology, which is discussed further below.

Further illustrating the mainstreaming of E&S, on January 6, Jana Partners and CalSTRS sent an open letter to Apple requesting it to offer parents more choices and tools to help them ensure that young consumers are using Apple’s products in an optimal manner, to enhance long-term value for all shareholders. Initial steps suggested in the open letter included convening a committee of experts, partnering with experts on research and making information resources available to assist additional research efforts, enhancing mobile device software, educational initiatives and periodic public reporting on this issue.

BlackRock’s 2018 Letter to CEOs

Thus far this year, BlackRock’s letter to CEOs has been one of the most widely reported on CSR developments. In his January 16 letter to CEOs, Larry Fink focused on evolving societal expectations of companies and the relationship between those expectations and long-term value creation. As the world’s largest asset manager, with more than $6 trillion in assets under management, when BlackRock speaks, public companies need to take notice.

In the letter, Fink noted that society is demanding that companies serve a social purpose. Tying this to corporate sustainability, he expressed the view that, “[t]o prosper over time, every company must not only deliver financial performance, but also show how it makes a positive contribution to society. Companies must benefit all of their stakeholders, including shareholders, employees, customers, and the communities in which they operate.” A paragraph later, tying CSR to financial performance, he expressed the view that, without a social purpose, a company cannot achieve its full potential, will succumb to short-term pressures and ultimately provide subpar returns to longer-term investors.

Fink noted that the increasing use of index funds is driving a transformation of BlackRock’s fiduciary responsibility and the wider landscape of corporate governance. In managing index funds, it cannot express disapproval of a company by selling its stock as long as the company remains in the index, requiring it to invest the time and resources necessary to foster long-term value. To meet this responsibility, Fink’s letter noted that BlackRock intends to double the size of its investment stewardship team over the next three years. According to media reports, this would take the team to more than 60 people.

In his letter, Fink also discussed board involvement in and public articulation of long-term strategy, including around ESG. Fink noted that “[a] company’s ability to manage environmental, social, and governance matters demonstrates the leadership and good governance that is so essential to sustainable growth, which is why we are increasingly integrating these issues into our investment process.”

ISS’ New Environmental & Social QualityScore

On February 5, ISS announced the launch of its Environmental & Social QualityScore. E&S QualityScore measures the quality of corporate disclosures on environmental and social issues, including sustainability governance, and identifies key disclosure omissions. The launch covered an initial set of 1,500 companies across industries viewed as being the most exposed to environmental and social risks, including energy, materials, capital goods, transportation, automobiles and components, and consumer durables and apparel. An additional 3,500 companies spanning 18 industries will be added later in 2018.

E&S QualityScore incorporates more than 380 environmental and social factors, at least 240 of which apply to each industry group. A score is provided for each company that measures environmental and social governance disclosure risk, both overall and within eight broad categories. Broad topic areas under the E&S QualityScore methodology for environmental disclosures include Management of Environmental Risks and Opportunities, Carbon and Climate, Natural Resources and Waste and Toxicity. Social topic areas include Human Rights, Labor, Health, and Safety, Stakeholder and Society and Product Safety, Quality and Brand.

Stock Exchange Guidance and Requirements

Stock exchanges continue to introduce ESG reporting guidance and requirements. Over time, these will impact ESG reporting norms globally. Thus far, 20 of the 69 stock exchanges that are members of the Sustainable Stock Exchanges Initiative or the World Federation of Exchanges have published ESG guidance. Another 12 have committed to do so.

For example, in late 2015, the Hong Kong Stock Exchange introduced more robust ESG guidance for listed companies. The guidance consists of both mandatory “comply or explain” provisions and recommended disclosures. Portions of the Exchange’s guidance took effect beginning with fiscal years commencing on or after January 1, 2016. The upgrading of environmental key performance indicators from recommended to "comply or explain" is effective for fiscal years commencing on or after January 1, 2017.

During February 2017, the London Stock Exchange published recommendations for ESG reporting for listed issuers. The guidance has been sent to more than 2,700 companies with securities listed on the LSE’s U.K. and Italian markets with a combined market capitalization of more than £5 trillion. The LSE’s guidance builds on the report of the Financial Stability Board’s Task Force on Climate-related Financial Disclosures and the United Nations’ Sustainable Development Goals, both of which are discussed later in this Article.

For further information on this topic, we recommend our webinar, “The Sustainable Stock Exchanges Initiative - An Overview for Issuers and Investors,” available here.

Continue to Expect a Significant Number of Environmental and Social Shareholder Proposals

Last year’s proxy season saw a record number of E&S proposals submitted, approximately 500 in total, although many were settled and withdrawn. There have been a significant number of E&S proposals this year as well.

Historical investor deference to company recommendations on E&S proposals is eroding where there is perceived to be a correlation between the subject matter of the proposal and financial performance. Last year, support from BlackRock, Fidelity, State Street and Vanguard resulted in 2 degrees Celsius proposals receiving majority support at ExxonMobil, Occidental Petroleum and PPL. These proposals requested that the companies publish reports assessing the long-term portfolio impacts of scenarios, including policies and technological advantages, to address climate change, including scenarios consistent with the Paris Agreement objective to limit global average temperature rise this century to below 2 degrees Celsius above pre-industrial levels. Even those climate change proposals that did not pass received on average substantially more support than in prior years.

Board diversity is another area where large asset managers are starting to break with companies. In 2017, board diversity proposals at Cognex and Hudson Pacific Properties received majority support. The proposal at Cognex requested that the company adopt a policy for improving board diversity requiring that the initial list of candidates from which new management-supported directors are chosen include qualified women and minority candidates. The Hudson Pacific Properties proposal requested that the board prepare a report on steps that the company is taking to foster greater board diversity.

Passage of the vast majority of E&S proposals continues to remain unlikely. However, when measured by whether they focus corporate attention on a particular issue and prod voluntary compliance, they are much more successful. For example, political spending disclosure has significantly increased over the last several years, even without majority support for these proposals.

This year has seen a significant number of climate change proposals, including proposals requesting companies to report on the impact of and strategies to address climate change, to set and report on carbon reduction targets and seeking action on renewable energy and recycling/waste reduction. According to Proxy Preview 2018 (a joint publication of Proxy Impact, Sustainable Investments Institute (Si2) and As You Sow), which was released last week, as of mid-February, 83 climate change proposals have been submitted for the 2018 proxy season.

Looking beyond climate change, as in prior years, E&S proposals this year have run the gamut, from broad-based to niche industry- and company-specific proposals, and have been submitted by a large number of proponents. In addition to climate change, other issues of broad applicability that have seen a significant number of shareholder proposals include board diversity, gender pay disparity and political contributions and lobbying.

Each year sees a new twist in E&S proposals, and 2018 is no different. For example, this year, a resolution on prison labor in supply chains already has come up for a vote, at Costco. The resolution called on Costco to adopt a policy committing the company to survey all suppliers to identify sources of prison labor in its supply chain, develop and apply additional criteria or guidelines for suppliers regarding the use of prison labor and report to shareholders on its progress in implementing the policy. The resolution received support from less than 5% of the votes cast.

Other Shareholder Engagement. Formal proposals are only part of shareholder engagement on E&S matters. There has been a significant increase in one-on-one engagement between companies and investors around E&S issues outside of the shareholder proposal process. Most engagement still is due to inbound inquiries from investors. However, many companies are becoming proactive in their E&S outreach to investors and other stakeholders. This practice is likely to accelerate due to increasing investor focus on E&S issues.

The SEC’s Recent Shareholder Proposal Guidance

In November 2017, the SEC’s Division of Corporation Finance issued a Staff Legal Bulletin on shareholder proposals that provided guidance on the application of the “ordinary business” exception and the scope of the “economic relevance” exception. Both of these exceptions, when met, allow companies to exclude shareholder proposals from proxy statements. For a more detailed discussion of the Staff Legal Bulletin, see our Alert here.

In the Staff Legal Bulletin, the SEC acknowledged that the exceptions require judgment calls that are, in the first instance, matters that the board of directors is generally in a better position to determine and encouraged companies to submit, as part of their no-action request to exclude the proposal, the board’s analysis of the subject matter of the proposal. Some commentators predicted that the Staff Legal Bulletin would allow boards to run roughshod over the shareholder proposal process, enabling companies to exclude most E&S proposals. That prediction has, however, not come to pass.

Apple was the first company to seek to use the new guidance on the ordinary business exception, in response to a shareholder proposal requesting that Apple include in its proxy statement a proposal that it establish a human rights committee to review, assess, disclose and make recommendations to enhance its policy and practice on human rights. The proponent has made similar proposals at other companies. With respect to the Apple proposal, the proponent expressed concern about whether Apple’s operations in China sufficiently promote human rights by offering products designed to help internet users evade censorship by the Chinese government. Apple’s no-action request to exclude the proposal under the ordinary business exception was denied by the SEC staff.

The first post-SLB no-action letter was issued under the economic relevance exception in late February. In that instance, the SEC staff issued a favorable no-action response to Dunkin’ Brands Group, allowing it to exclude a shareholder proposal requesting that its board issue a report assessing the environmental impacts of continuing to use K-Cup Pods brand packaging. For a more detailed discussion of that no-action request, see our Alert here. (Ropes & Gray assisted Dunkin’ Brands in the preparation of its no-action request.)

The Quantity and Quality of CSR Disclosure Is Increasing, and There Is Movement Toward Greater Comparability

CSR disclosures are being driven by internal and external forces beyond just regulation and shareholder proposals (both of which are discussed above). Many companies are enhancing their disclosures to boost or at least maintain brand equity and to help them remain competitive in the labor market. Other external pressures to enhance CSR disclosures include one-on-one engagement, open letters and “name and shame” campaigns, public guidelines and expectations documents, multi-stakeholder initiatives and rankings and other reports.

In particular, pressure is increasing on companies to get more granular in their disclosures relating to risk assessments and strategies for addressing risk, and to provide relevant quantitative information. Pressure also is increasing for more consistent disclosures that allow investors, lenders, insurers and other stakeholders to better assess risk. For example, in BlackRock’s 2018 proxy voting guidelines published in February, it indicated that it expects companies to identify and report on their material, business-specific environmental and social risks and opportunities and explain how these are managed. The explanation should make clear how the approach taken by the company best serves the interests of shareholders and protects and enhances the long-term economic value of the company. In addition, key performance indicators in relation to environmental and social matters should be disclosed and performance against the KPIs discussed, along with any peer group benchmarking and verification processes in place. Any global standards adopted also should be disclosed and discussed.

As CSR disclosures – both mandatory and voluntary – increase across many non-U.S. jurisdictions, larger companies should benchmark their disclosures against global peers and evolving global standards. Over time, enhancements in foreign disclosure practices are likely to drive disclosures by many U.S. companies.

Climate Change Disclosures

Not surprisingly, there is significant momentum behind enhancing climate change disclosures. According to a 2017 survey by KPMG, a majority of companies do not acknowledge climate change as a financial risk in their annual reports and, of those that do, very few quantify or model that risk using scenario analysis or other methodologies. And, according to a December 2017 report by The Conference Board, only 16% of the Standard & Poor’s Global 1200 publicly disclose climate change risks.

In 2017, BlackRock, State Street and Vanguard all had something to say on this topic. In its December 2017 open letter to approximately 120 energy, transportation and industrial companies, BlackRock urged them to improve their disclosure relating to material climate risk inherent in their business operations. In August 2017, State Street published guidance on climate change disclosure focused on companies in the oil and gas, utilities and mining sectors. Earlier in 2017, State Street provided high level guidance on communicating the influence of sustainability factors on strategy. In its 2017 Investment Stewardship Annual Report, Vanguard indicated that it will be focusing on companies’ public disclosures concerning climate risk and board and management oversight of that risk. It also indicated that it will be evaluating disclosures against both leading peers and evolving market standards.

Many other investors are of course also focused on climate change, including related disclosures, and have expressed views that are consistent with those of BlackRock, State Street and Vanguard. In addition, asset owners and managers are collaborating on climate change through multi-stakeholder initiatives, such as the U.S.-based Ceres Investor Network on Climate Risk and Sustainability and the London-based Institutional Investors Group on Climate Change. And new initiatives continue to be formed. For example, during December 2017, more than 250 investors and partner organizations with more than $30 trillion in assets under management launched Climate Action 100+, a five-year initiative to engage with large corporate greenhouse gas emitters to act on climate change. As part of the initiative, supporting investors will engage with target companies to improve climate change governance and strengthen climate-related financial disclosures. The first 100 companies targeted for engagement come largely from the oil and gas, electric power and transportation sectors. Additional companies that are considered by investors to be potentially exposed to climate-related financial risks are expected to be added to the focus list in 2018.

The TCFD Recommendations. During June 2017, the Financial Stability Board’s Task Force on Climate-related Financial Disclosures released its final recommendations. The Task Force’s objective is to encourage companies to evaluate and disclose, as part of their financial filing preparation and reporting processes, the material climate-related risks and opportunities pertinent to their business activities. This is intended to help investors and other financial market participants, such as lenders and insurance underwriters, to assess and price climate-related risks and opportunities. The TCFD’s high level recommendations for all sectors center around four elements: (1) governance; (2) strategy; (3) risk management; and (4) metrics and targets. The TCFD recommendations also include supplemental guidance for the financial sector (banks, insurance companies, asset owners and asset managers) and non-financial groups (energy, transportation, materials and buildings and agriculture, food and forest products), including suggested metrics. Although the TCFD’s recommendations are voluntary, more than 240 institutional investors and corporates have thus far expressed support for the TCFD.

Emerging Broad-based Disclosure Standards and Guidance

The SASB Standards. Like the TCFD, the Sustainability Accounting Standards Board seeks to improve the effectiveness of public company reports filed with the SEC with standardized sustainability disclosure. Its standards, which are complementary with the TCFD recommendations, are more granular and go beyond climate-related factors.

The SASB framework covers approximately 30 different sustainability activities organized under five pillars: (1) environment; (2) human capital; (3) social capital; (4) business model and innovation; and (5) leadership and governance. The SASB has developed standards for 79 industries that identify material sustainability factors that are likely to impact financial performance. The standards for 72 of the 79 industries provide guidance on metrics and targets.

The SASB released its draft standards during October 2017. The public comment period on the draft standards ended on January 31, 2018. The final standards are expected to be released in mid-2018.

Please see here to view our webinar “An Overview of the SASB Sustainability Disclosure Standards for Issuers and Investors.”

The GRI Standards. The GRI Standards provide a voluntary framework for reporting on economic, environmental and social impacts to a wide variety of global stakeholders, ranging from civil society to investors. They can be used for comprehensive sustainability reporting or more narrowly for issue-specific disclosures.

The Standards came out in 2016. They take a modular approach, consisting of three universal standards – Foundation (101), General Disclosures (102) and Management Approach (103) – and 33 topic-specific standards organized into Economic (200), Environmental (300) and Social (400) topics.

The GRI Standards update in a new structure and format the widely used G4 Sustainability Reporting Guidelines. The Standards are required to be used instead of the G4 Guidelines for reports and other materials published on or after July 1, 2018. However, early adoption of the GRI Standards has been encouraged and many companies already have migrated to the Standards.

UN Sustainable Development Goals. The Sustainable Development Goals were adopted by the UN member states in late 2015. They include 17 economic, social and environmental goals with 169 associated targets. Many companies already are indicating support for the SDGs in their sustainability reports, although incorporation of the SDGs into CSR programs and related reporting is in the early stages. Multi-stakeholder efforts, such as that launched by the GRI and the UN Global Compact, are underway to harmonize corporate reporting on the SDGs.

Board Engagement Is Increasing

For all of the reasons discussed in this Article, there is more discussion of CSR at the board level. Boards are increasingly talking about CSR as part of their discussion of business strategy and risk management. There also is more event-driven board engagement around CSR. For example, at many companies, recent events such as the Parkland, Florida school shooting and changes in U.S. immigration policy have been discussed at the board level prior to companies making public statements and taking actions in response to these events. Additionally, there is more of a focus on CSR in audit and risk committees.

Furthermore, larger asset managers expect boards to be involved with material CSR issues. For example, in its 2018 proxy voting guidelines for U.S. securities, BlackRock indicates that, for companies in sectors that are significantly exposed to climate-related risk, it expects the whole board to have demonstrable fluency in how climate risk affects the business, and how management approaches adapting to and mitigating that risk.

Expect More Benefit Corporations

With the increasing focus on CSR, the time may finally have arrived for benefit corporations.

Thirty-four states have now adopted benefit corporation legislation. Under the Delaware statute, a public benefit corporation is a for-profit corporation that is intended to produce a public benefit and to operate in a responsible and sustainable manner. To that end, a public benefit corporation is managed in a manner that balances stockholders’ pecuniary interests, the best interests of those materially affected by the corporation’s conduct and the public benefits identified in its certificate of incorporation.

Laureate Education became the first public benefit corporation to go public, during February 2017. It redomiciled as a Delaware public benefit corporation in October 2015.

There also are now more than 2,000 privately held companies that are Certified B Corporations. Certifications are provided by B Lab, a not-for-profit organization. To become a Certified B Corporation, a company must satisfy certain social and environmental performance, public transparency and legal accountability requirements. It also must convert to a benefit corporation within a specified time frame if its jurisdiction of incorporation has benefit corporation legislation. Privately held Certified B Corporations include Patagonia, as well as subsidiaries of Campbell Soup Co. (Plum Organics), Danone (Happy Family Brands) and Unilever (Ben & Jerry’s and Seventh Generation).

But the benefit corporation progression has not been linear. When Etsy went public in 2015, it was a Certified B Corporation. The company ultimately decided to let its certification lapse. And some commentators have expressed concern that publicly traded companies organized as benefit corporations may face increased shareholder litigation risk. Although it is likely that there will over time be more benefit corporations and Certified B Corporations that are publicly traded, expect growth to be incremental rather than exponential. Growth will, however, likely continue to be robust on the private side.

CSR-focused Litigation and Investigations Have Been on the Uptick and Will Continue to Increase

Over the last few years, there has been a significant increase in CSR-related litigation and investigations. Activity has increased not only in the United States at the federal, state and local level, but also in several other countries. Proceedings and investigations have involved many different statutes and theories of liability. Some of the more significant recent developments are summarized below.

In addition, globally, the focus on access to remedy for human rights abuses is increasing. For example, access to remedy was the central theme of the United Nations Forum on Business and Human Rights held in Geneva in November 2017.

Climate Change Investigations and Litigation. Energy companies have been targeted by state attorneys general in Massachusetts and New York, which are seeking information concerning whether consumers and/or investors may have been misled with respect to the impact of fossil fuels on climate change and climate change-driven business risks. More recently, in mid-January, New York City filed suit against five oil companies, seeking damages for alleged contributions to global warming.

During July 2017, three coastal California communities sued 37 oil, natural gas and coal companies for damages arising out of rising sea levels brought on by climate change that threaten to flood portions of the communities. For further details, see our Alert here. This lawsuit was followed by lawsuits filed by San Francisco and Oakland in September 2017 against five producers of fossil fuels.

Litigation has not been limited to energy companies. In August 2017, Commonwealth Bank of Australia was sued by shareholders alleging that it did not adequately disclose the risk that climate change could pose to its financial stability.

Claims and Investigations Based on CSR Disclosures. Companies are increasingly being targeted for alleged inaccuracies in their public CSR disclosures. For example, class action lawsuits have been filed in California under state consumer protection laws in connection with allegedly false and misleading statements in disclosures published under the California Transparency in Supply Chains Act. The CTSCA itself has no private right of action. These lawsuits illustrate how plaintiffs are seeking to tie mandatory CSR disclosures to other statutes and theories of liability.

Lawsuits have not been limited to the CTSCA and other mandatory CSR disclosures. They have involved voluntary CSR disclosures as well. Most recently, last month, two NGOs filed a lawsuit in France against a foreign global electronics company alleging misleading advertising practices. The plaintiffs are alleging that the ethical commitments published by the company are not consistent with its labor practices.

Inaccuracies in CSR disclosures do not only create litigation risk. Across several jurisdictions, companies also are receiving questions about CSR claims and other disclosures from regulators with increasing frequency.

This is an area where many companies could reduce their litigation and enforcement risk through better preventive compliance on the front end.

Other Civil Claims. During October 2017, the U.S. Supreme Court heard oral arguments in Jesner vs. Arab Bank. In that case, the Court has been asked to decide whether there can be corporate liability for violations of the Alien Tort Statute. The Alien Tort Statute provides U.S. federal district courts with original jurisdiction of civil actions by aliens for torts committed in violation of the law of nations, which has been interpreted to include certain human rights violations. A decision is expected in 2018.

During October, a lawsuit was filed in the United States against several drug and medical device companies on behalf of veterans who were killed or wounded in Iraq and their family members. The lawsuit was filed under the U.S. federal Anti-terrorism Act. The plaintiffs are alleging that they were attacked by a terrorist group funded in part by payments made by the defendants to the Iraqi Ministry of Health and other sales practices engaged in by the defendants. The plaintiffs have alleged that, at the time, the Iraqi MOH was under the control of a Shiite terrorist group.

In many jurisdictions, corporate civil liability for extraterritorial human rights abuses remains an open question and continues to evolve. Courts in both the United Kingdom and Canada have recently allowed suits to proceed against parent entities in those jurisdictions arising out of actions by subsidiaries in other parts of the world.

Criminal Cases. During December 2017, former executives of a large French company were indicted for alleged complicity in human rights violations in Syria. The charges arose out of payments allegedly made by a supplier of a subsidiary to ISIS to ensure that a Syrian plant could continue to operate. Also in France, in November, NGOs filed a criminal complaint with French prosecutors in connection with the sale by a French company of surveillance technology to Egypt, requesting that prosecutors launch a criminal investigation. The NGOs are alleging complicity in various human rights abuses.

Canadian Responsible Enterprise Ombudsperson. On January 17, Canada announced the establishment of an independent Canadian Ombudsperson for Responsible Enterprise (CORE). The CORE is mandated to investigate allegations of human rights abuses linked to Canadian corporate activity abroad. The Ombudsperson has a broader mandate than the Extractive Sector Corporate Social Responsibility Counsellor that it replaces. The CORE is empowered to start its own investigations, compel evidence, mediate disputes, make recommendations to the government for further action and monitor the implementation of remedies and recommendations. The Ombudsperson’s initial focus is the extractives (oil, gas and mining) and garment industries, although its jurisdiction is expected to be expanded to other sectors within a year.

Managing CSR Compliance – What Should the Proactive Legal Department Be Doing Now?

The involvement of in-house legal departments in CSR matters has been increasing due to the factors discussed in this Article. However, most legal departments still are playing catch-up.

We frequently are asked by legal departments “Where should we start?” or “What should we be doing now?” We offer below some suggestions on approach for legal departments that still are wading into CSR compliance. Although these suggestions are geared toward legal departments, they broadly apply to any corporate function with an evolving role in CSR.

Define the Role of the Legal Department in CSR

As a threshold matter, the legal department should, in conjunction with other relevant internal stakeholders, seek to define its role in the company’s CSR program. To date, the legal department’s involvement in CSR at many companies largely has been ad hoc, usually in response to a particular business unit’s request, regulation or crisis situation.

In connection with defining its role in CSR, if the legal department has not already done so, it should familiarize itself with the CSR risks and opportunities specific to the company and internal and external stakeholder expectations around CSR. It also should take inventory of current, pending and proposed CSR regulations facing the company, its CSR disclosures and commitments and relevant policies and procedures. In addition, the legal department should become familiar with internal coverage and expertise around CSR matters. Given the rapid evolution in regulation, disclosure and new substantive CSR issues, we often see gaps in coverage and expertise around CSR compliance.

At many companies, there are specific areas of CSR for which the legal department should have primary or shared responsibility. And, in any event, legal should be an active member of the core CSR team or working group, so that it can be proactive on relevant CSR matters.

Designate a CSR Point Person

Once the legal department’s role in the CSR program has been defined, a member of the department should be assigned overall responsibility for CSR matters in which the department is involved. At many companies, CSR compliance currently is dispersed throughout the legal department based on the particular issue, business unit or geography, often with limited coordination. This frequently results in inefficiency, which increases compliance costs, and inconsistencies in approach and gaps in coverage, which may increase risk.

The goal should be for a designated member of the legal department to, over time, become its CSR subject matter expert. In a smaller department, he or she may directly handle all CSR matters that touch the legal department. In a larger department, he or she may act in a coordinating role for lawyers in different legal disciplines, business units and geographies, manage legal’s involvement in more significant CSR matters, sit on internal CSR steering committees and interface on CSR matters with other departments.

Help Define the Scope of the CSR Compliance Program

CSR compliance programs at many companies suffer from a lack of clarity and common purpose. There is no single term used when describing this subject area. In addition, the terms used mean different things to different people.

In this Article, the term “corporate social responsibility” generally is used, since it encapsulates most of the topics discussed and is probably most familiar to readers. Many companies use that term, but some instead refer to “ESG” or “E&S.” Alternatively, companies are increasingly discussing “sustainability,” which has moved beyond just referring to environmental matters. Other companies talk about “business and human rights” or “responsible business.” Although there is significant overlap among all of these terms, they are not synonymous. Adding complexity, company personnel often use different terms than their colleagues. And, even when personnel use the same terminology, there often is not agreement as to what it means. The legal department can be helpful in focusing and guiding discussions around compliance nomenclature and its meaning and ensuring that compliance is tailored to how the company thinks about this subject area, whatever it is called and however it is defined, as well as the company’s risk profile.

Many companies also are grappling with how to determine the materiality and salience of particular CSR issues, the ramifications of those determinations and how to integrate materiality and salience into compliance. Legal departments are increasingly part of that dialogue as well.

Develop a CSR Compliance Action Plan

Once the framework for managing CSR compliance has been established, the legal department should develop near-, mid- and longer-term CSR compliance goals. Beyond the customary day-to-day blocking and tackling, some of the other areas of CSR compliance that we see legal departments proactively helping to address with increasing frequency include: (1) monitoring proposed CSR regulations and assessing their impact on the company; (2) following developments in voluntary third-party standards, guidance and initiatives; (3) board engagement; (4) assessing the adequacy and consistency of compliance policies and procedures, to address both existing and emerging CSR considerations; (5) developing an integrated CSR disclosure strategy; (6) benchmarking CSR policies, procedures and disclosures against peers, competitors, NGO and other third-party guidance and criteria of data analytics providers; and (7) anticipating new CSR risks.

About Our Supply Chain Compliance and Corporate Social Responsibility Practice

Ropes & Gray has a leading Supply Chain Compliance and Corporate Social Responsibility (business and human rights) practice. With team members in the United States, Europe and Asia, we are able to take a holistic, global approach to supply chain compliance and CSR. Senior members of the practice have advised on these matters for almost 30 years, enabling us to provide a long-term perspective that few firms can match.


This alert should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This alert is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. © 2018 Ropes & Gray LLP

January 29, 2018

Globalizing Your Compliance Program

I. Legal Consequences of an Inadequate Compliance Program

Multinational companies continue to face intense enforcement scrutiny related to their global compliance practices by oversight authorities worldwide. These companies rely heavily on local regulatory developments, evolving statutory structures such as the Foreign Corrupt Practices Act (“FCPA”) and UK Bribery Act, and trends raised by Deferred Prosecution Agreements (“DPAs”) and enforcement settlements for guidance on implementing an effective global compliance program. As recent U.S. settlements involving Orthofix, Teva Pharmaceuticals, and Olympus indicate, domestic companies that fail to adequately train, monitor, and audit compliance for ex-U.S. operations are particularly subject to intense scrutiny—each of these companies recently entered into DPAs related to FCPA allegations and settled with the U.S. Department of Justice (“DOJ”) or Securities and Exchange Commission (“SEC”) for amounts ranging from $6 million (Orthofix) to $646 million (Olympus). In each case, the government found that compliance program implementation, oversight, and training were insufficient to prevent improper (and even overtly corrupt) conduct.[1] Moreover, in the case of Teva, the DOJ found that compliance personnel were “unable or unwilling” to implement its anti-corruption programs, and for Olympus, the DOJ criticized the lack of an anti-corruption “tone at the top.” Accordingly, the DOJ and SEC are requiring health care companies conducting ex-U.S. operations to do more than just “check the boxes” in establishing a compliance program—an effective compliance program requires on-the-ground and executive commitment. The most effective programs establish institutional commitment at the very outset and require ongoing monitoring and continuous updates.

Companies that internally identify and self-report (when appropriate) material non-compliance with applicable legal mandates can significantly decrease the risk of regulator-imposed compliance counsel or monitorships, mitigate the threat of substantial monetary penalties, and potentially avoid other adverse consequences, such as exclusion from U.S.-based health care programs, disqualification from government contracts, and widespread reputational harm.

II. Globalizing Your Compliance Program

Organizations implementing effective global compliance programs face particular challenges in navigating disparate regulatory regimes in the numerous jurisdictions in which they may operate. Maintaining and updating regional or country-specific policies and program oversight procedures requires substantial resources and continuous updates. Faced with these challenges, some multinational companies implement uniform global compliance policies that may include requirements that are more or less restrictive than local laws. Others develop policies that identify areas of regulatory overlap and apply some consistent standards globally, and then supplement with country-specific guidance that accounts for variation in local law.[2] To account for the disparate requirements in the various jurisdictions in which a company may operate, global organizations can develop analytic tools in order to identify and prioritize high-risk areas based upon locality. From there, global organizations can target these items for improvement through heightened training and monitoring programs. High-risk topics for global organizations to consider monitoring may include T&E; third-party due diligence; interactions with government entities; interactions with health care professionals; grants, donations, and sponsorships; and free product and price concessions.[3]

The DOJ recently offered guidance relevant to an increasingly globalized market and the unique compliance requirements associated with multinational business operations in its 2017 Evaluation of Corporate Compliance Programs guidance.[4] The guidance emphasizes key elements and controls applicable to global compliance program operations, such as accessibility of policies and procedures, whether a company provides “gatekeepers” (persons with payment authority in applicable jurisdictions) clear guidance and training, and how the company uses incentives to promote ethical conduct. In addition, confidential reporting, risk assessment, auditing and control testing are emphasized as integral compliance processes. The U.S. Department of Health and Human Services, Office of the Inspector General (“OIG”) has also issued compliance guidance applicable to health care and life sciences companies, which may be useful to companies in these sectors.[5]

All of the traditional “seven elements” of compliance programs should be designed to meet evolving global requirements, such as policies and procedures; oversight; employee and third-party screening; training and communication; auditing, monitoring and internal reporting; disciplinary actions and incentives; and investigations and remediation.[6] When developing training programs, companies should tailor presentations and materials to the roles of their workforce members, and policies and training should be presented in local languages and in person, to the extent possible, with real-world examples. Regulatory oversight bodies consistently demand that compliance programs evolve to meet developing statutory structures and industry standards, identify risks through internal monitoring, and promptly implement effective corrective action plans. Specific local requirements, such as meal or gift limits, are often best built into localized standard operating procedures and should be tied to other systems (i.e., expense control systems) in order to both facilitate compliance tracking efforts and, to the extent possible, act as a stop-gap for instances of non-compliance. For example, companies operating in South Korea and Brazil require specific focus and robust monitoring for recently enacted laws imposing spending restrictions more burdensome than under the FCPA: South Korea’s “Kim Young-ran Act” sets a threshold for improper payments to public officials (whereas the FCPA prohibits certain payments regardless of amount), and includes a broader definition of public officials to encompass certain private actors, and Brazil’s “Clean Companies Act” applies strict liability to interactions with public officials.

Establishing effective communications and audit processes between headquarters and regional business lines is essential for establishing accountability within global organizations. A centralized audit process is germane to an effective business model—multinational companies are advised, however, to consider implementing periodic audits as close to the ground as possible as well, to monitor training effectiveness and implementation. Single-country and even regional audits substantially increase the likelihood of identifying instances of noncompliance. Throughout the process, multinational companies should maintain strong communication channels so that if the company identifies a risk at the local level, headquarters can assess whether the problem exists elsewhere at the regional level or across multiple business lines, and can then continue to target these risks through updated training and monitoring initiatives.

Health care companies and institutions must be proactive in their review of the specific requirements associated with cross-jurisdictional operations and deployment of institutional and local oversight mechanisms. Such efforts will help meet the evolving expectations of regulatory and enforcement agencies to operate a risk-based, global compliance program. For more resources to help you navigate compliance obligations and risks in an international environment, please visit our microsite: Global Health Care Compliance.

[1] In the Teva settlement, the DOJ noted that the Company found FCPA violations through an internal audit, but failed for years to implement training around these issues. Department of Justice, Teva Pharmaceutical Industries Ltd. Agrees to Pay More than $283 Million to Resolve Foreign Corrupt Practices Act Charges, available here; in the Olympus settlement, the DOJ found that Olympus failed to appoint a compliance officer until 2009. Department of Justice, Medical Equipment Company Will Pay $646 Million for Making Illegal Payments to Doctors and Hospitals in United States and Latin America, available here.

[2] In a recent survey of participants in a webinar on global compliance, including compliance officers and counsel for several multinational companies in various sectors, 64% of respondents indicated that they used global policies that set minimum standards with additional local SOPs, 4% used global policies with less strict local SOPs, and 32% used a code of conduct and all local policies/SOPs.

[3] Based on a global survey of 300 senior-level executives working for multinational businesses in North America, EMEA, Asia Pacific and Latin America, in the health care, life sciences, asset management, banking, private equity and technology sectors (the “Risky Business Survey”), health care and life sciences companies identify regulation/compliance (62%), intellectual property (26%), anti-money laundering (24%) and sanctions/export controls (24%) as high-risk topics for which they are least prepared, and therefore may require strengthened monitoring programs. More information available here.

[4] Evaluation of Corporate Compliance Programs, February 2017, Department of Justice, available here.

[5] Measuring Compliance Program Effectiveness: A Resource Guide, March 27, 2017, Department of Health and Human Services, Office of Inspector General (OIG), pp. 24-31. While the OIG’s compliance guidance includes similar themes present in the 2017 DOJ guidance, it provides more targeted, tactical content governing domestic conduct.

[6] See United States Sentencing Commission, Guidelines Manual, 18 U.S.C.A. §8B2.1 (November 1, 2016).

Anti-Corruption / International Risk ▪ Government Enforcement / White Collar Crime

March 1, 2017

DOJ Publishes New Guidance for Compliance Programs

Attorneys: Ryan Rohlfsen, Amanda N. Raad, G. David Rojas, Grant Hodges

On February 8, 2017, the Fraud Section of the U.S. Department of Justice (the “DOJ”) published a guide for companies called “Evaluation of Corporate Compliance Programs” (the “Guidance”). The Guidance is composed of common questions that the DOJ asks when evaluating a company’s compliance program. While the Guidance questions are largely based on familiar sources, such as the United States Sentencing Guidelines and the “Principles of Federal Prosecution of Business Organizations” in the United States Attorney’s Manual,1 the questions provide a greater degree of detail and insight into the DOJ’s process for evaluating compliance programs.

Areas Covered

The Guidance focuses on three overarching areas: (1) company culture, (2) compliance structure and resources, and (3) the effectiveness of company policies and procedures.

Regarding company culture, the Guidance questions focus on the behavior of senior and middle management. The Guidance asks whether management and company leaders have encouraged or discouraged the misconduct in question, and whether their actions have demonstrated a commitment to ensuring compliance. Further, the Guidance inquires into the responsiveness of management to compliance concerns and the remedial steps taken after misconduct was discovered. The Guidance also asks whether management has incentivized compliance and ethical behavior, and whether the company has considered any potential negative compliance implications of its business model and incentive structure.

Second, the Guidance lists questions related to the company’s compliance structure and resources. The Guidance inquires into the lines of communication that employees may use to convey compliance concerns to the board of directors and senior management, as well as the compliance structure’s role in the company’s strategic and operational decisions. Moreover, the Guidance clearly expects companies to employ experienced and qualified compliance personnel and allocate appropriate resources and funding to compliance-related items, such as internal audits, periodic control testing, and frequent updates to assessment procedures.

Last, the Guidance engages with the company’s compliance policies and procedures. The Guidance asks detailed questions about the design, accessibility, and integration of the company’s policies. The Guidance also evaluates how employees are trained on company policies and procedures, and how the policies operate to ensure compliance in the context of mergers, acquisitions, and third-party management. Ultimately, the Guidance takes a multi-dimensional look at the effectiveness of the company’s policies and procedures, rather than how they are written or crafted.

Key Takeaways

Although the content of the Guidance is largely familiar to practitioners, it does give a clearer picture of the DOJ’s current approach to corporate compliance. The issuance of the Guidance underscores the DOJ’s renewed focus on the operation, rather than the appearance, of corporate compliance programs. Additionally, while the document is framed as guidance for companies, as opposed to a checklist or formula for compliance, the clear import of the Guidance is that companies will be asked detailed and challenging questions regarding the scope and effectiveness of their compliance programs. Accordingly, companies will need to seriously consider how their programs will withstand such scrutiny, or risk the possible consequences of loss of credit for their compliance programs, higher penalties, or even separate violations for inadequate internal controls.

For more information, please feel free to contact a member of Ropes & Gray’s leading anti-corruption / international risk and government enforcement teams.

1 The Guidance pulled topics and questions from various other sources, including DOJ corporate resolution agreements, DOJ and SEC publications, and publications from the Organization for Economic Cooperation and Development.

This alert should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This alert is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. © 2017 Ropes & Gray LLP ropesgray.com ATTORNEY ADVERTISING

Anti-Corruption / International Risk

November 15, 2016

Forecasting International Risk Climate Under President Trump

Attorneys: Zachary S. Brez, Marcus Thompson, Michael S. Casey, Brendan C. Hanifin

The article by international risk counsel Michael Casey, international risk practice co-chair Zachary Brez and associate Brendan Hanifin was originally published in Law360 on November 13, 2016.

Niels Bohr famously observed that “predictions are hard, especially about the future.” The results of last week’s presidential election confirmed this adage, as prognosticators in the media, both political parties, and the financial and legal industries seemingly all failed to envisage ’s victory. The aftermath of the election has indicated that a corollary to Bohr’s maxim also is true: commentators of all stripes will continue to try to forecast the future, regardless of the difficulty of doing so. In this article, we offer our best guesses about potential regulatory and enforcement changes that might occur in the international risk landscape after Inauguration Day.

I. Iranian Sanctions

On January 16, 2016 (“Implementation Day”), the United States and the European Union lifted or amended many nuclear proliferation-related sanctions against Iran pursuant to the Joint Comprehensive Plan of Action (“JCPOA”). The United States eliminated most of its secondary sanctions, and also scaled back certain parts of its primary sanctions regime. Most notably, the Office of Foreign Assets Control (“OFAC”) within the U.S. Department of Treasury issued a general license (“General License H”) that permits foreign entities owned or controlled by U.S. companies (“Foreign Entities”), including foreign subsidiaries of U.S. companies and foreign portfolio companies of U.S. private equity sponsors, to conduct business with Iran, subject to various restrictions. The European Union significantly scaled back its sanctions against Iran as part of the JCPOA, and General License H permits, to some extent, Foreign Entities to compete alongside European companies to win new business in Iran.

During the election campaign, Mr. Trump sharply criticized the JCPOA. After becoming President, Mr. Trump could end the United States’ participation in the JCPOA. But as the JCPOA was negotiated in partnership with five other countries, it seems unlikely that President Trump would withdraw the United States from the JCPOA in its entirety. A more plausible scenario is that President Trump may undo certain aspects of the sanctions relief that the United States has granted Iran since Implementation Day, such as revoking General License H. This act alone would have significant consequences, as many Foreign Entities have spent significant time and money establishing policies and procedures designed to ensure compliance with General License H, developing relationships with Iranian counterparties, and even making capital investments in Iran. Some companies have approached new business opportunities in Iran cautiously, while others have jumped more aggressively. Regardless, a forced and time-limited wind-down of Iranian business dealings would impose financial and operational costs for even the best-prepared companies.

Alternatively, the Trump administration might accuse Iran of violating its obligations under the JCPOA, potentially resulting in the “snap back” of all of the U.S. sanctions that were in place prior to Implementation Day. This strategy—which Mr. Trump foreshadowed during an August 2015 interview (“I would police that contract so tough that they don’t have a chance”)—may earn President Trump the approbation of Republican lawmakers, many of whom vigorously opposed the JCPOA and favored imposing additional, new sanctions on Iran.


II. Russian Sanctions

Following Russia’s annexation of Crimea in March 2014, President Barack Obama issued an executive order authorizing the Treasury Department to impose sanctions on individuals and entities that operate in certain sectors of the Russian economy. Pursuant to the executive order, OFAC has issued sectoral sanctions targeting Russian financial institutions, defense companies, and energy firms. In addition, OFAC has targeted a number of persons in Russian President Vladimir Putin’s inner circle with list-based sanctions and imposed comprehensive sanctions on the Crimea region of Ukraine. The European Union imposed sanctions that are similar to the measures imposed by OFAC.

The European Union responded to the annexation of Crimea by Russian forces in a similar way and imposed sanctions against Russian and Crimean entities and individuals that are broadly similar to the measures imposed by OFAC. Russia’s response to these European sanctions has been to impose a ban on certain food and agricultural products from European countries.

Mr. Trump has indicated that he wishes to improve U.S. relations with Russia and both Mr. Trump and President Putin have spoken with apparent admiration for each other. In Europe, where the continuation of sanctions against Russia in 2017 will require the approval of all 28 Member States, there are signs that countries such as Italy, Cyprus and Greece favor relaxing some or all of the current sanctions in place. Many other European countries, however, have made it clear that they are unwilling to relax sanctions until Russia has demonstrated improved compliance with the Minsk Agreement, which calls for a cessation of hostilities in eastern Ukraine. Senior U.S. government officials in the Obama administration—including Secretary of State John Kerry—also have expressed skepticism about the continuing utility of at least some of these sanctions.

Against this backdrop, President Trump may unilaterally elect to end the U.S. sanctions on Russia, irrespective of contrary views expressed by NATO allies in Europe. Alternatively, he could seek to engage the Kremlin in negotiations over sanctions relief in exchange for (1) increased cooperation with respect to the ongoing Syrian conflict and/or (2) Russia’s agreement to reverse its military buildup in the Baltic region. Indeed, both President Putin and President Trump may view a negotiated solution as politically expedient. President Putin would achieve the lifting (or relaxation) of sanctions that have damaged the Russian economy, and Mr. Trump could claim that he defused an inherited political crisis.

III. Cuban Sanctions

Since December 2014, President Obama has significantly changed the United States’ policy toward Cuba through modifications to the Cuban Assets Control Regulations and the Export Administration Regulations. These changes have created significant new opportunities for U.S. companies and some foreign companies to engage in certain types of business in and with Cuba and to export particular types of U.S.-origin products to Cuba.1 With the most recent amendments to the Cuban Assets Control Regulations, announced in October 2016, President Obama has taken virtually every step within his authority to relax the Cuban embargo; any further loosening—or the termination of—the Cuban sanctions would require Congressional action (for which there appears to be limited political appetite).

During the election campaign, Mr. Trump pledged to “reverse” President Obama’s executive orders related to Cuba, thereby reverting to the U.S. policy of non-engagement that prevailed from the early 1960s through 2014. This shift in U.S. policy toward Cuba would represent a significant setback for U.S. companies—including airlines and hospitality companies—that have made sizeable investments in anticipation of increased engagement with Cuba.

1 Even with these recent changes, primarily accomplished via executive orders, the Cuban sanctions continue to prohibit most transactions by U.S. companies (as well as U.S. companies’ foreign subsidiaries) involving Cuba.


IV. Scrutiny of Foreign Investors and Investments in the United States

Throughout his campaign, Mr. Trump repeatedly denounced the impact of foreign government and foreign commercial interests on the U.S. economy. One way in which President Trump may seek to address these perceived problems is by mandating increased scrutiny of prospective foreign investors and investments through the Committee on Foreign Investment in the United States (“CFIUS”) and Defense Security Service (“DSS”) review processes.2

After Mr. Trump becomes President, CFIUS might have the authority to review a wider range of transactions. Indeed, during the last few months, some (mostly Republican) Congress members have sought to increase the scope of CFIUS’s power in order to allow the interagency committee to address perceived national security concerns more effectively. Mr. Trump’s victory increases the likelihood that CFIUS’s power will be expanded.

Even if CFIUS’s or DSS’s jurisdiction remains the same, each may adopt a more aggressive approach when reviewing relevant transactions. Importantly, CFIUS and DSS each exercise considerable discretion in reviewing transactions within their jurisdiction. The Trump administration may encourage increased scrutiny of proposed transactions involving foreign entities, which, in turn, may result in CFIUS blocking more covered transactions and DSS imposing more onerous mitigation measures on transactions that result in U.S. companies coming under foreign ownership or control. Based on comments made during Mr. Trump’s campaign, it seems possible that CFIUS and DSS could take a particularly hard look at transactions involving foreign investors from China.

V. Conclusion

During his campaign, Mr. Trump signaled dramatic changes to U.S. foreign policy that, if implemented, could produce significant financial, operational, and compliance-related consequences for U.S. and international companies. While it is too early to assess the impact of a Trump presidency on U.S. foreign policy, the next 70 days present an opportunity for companies to consider how to respond to the potential changes outlined above.

2 CFIUS is an interagency committee of the U.S. government authorized to review transactions that could result in control of a U.S. business by a foreign person. DSS is responsible for administering facility clearances (i.e., permission to access classified information of the U.S. government). When a foreign entity obtains a five percent or greater interest in a U.S. company that holds a facility clearance, the foreign entity’s interest must be reported to DSS, which may require the U.S. company to implement mitigation measures.


Anti-Corruption / International Risk ▪ Life Sciences

December 29, 2016

$519 million FCPA Payment by Teva Pharmaceuticals—Largest Ever FCPA Payment by Pharmaceutical Company—Follows Large FCPA Plea Agreement With Odebrecht and Braskem

Attorneys: Isabelle Kinsolving Farrar

Summary

On December 22, 2016, the world’s largest manufacturer of generic pharmaceuticals, Teva Pharmaceuticals (“Teva”), agreed to pay $519 million in FCPA-related criminal penalties, disgorgement, and interest. The Israeli company Teva entered into a deferred prosecution agreement with the U.S. Department of Justice (“DOJ”) to settle allegations that it had bribed government officials in Russia, Ukraine, and Mexico. Teva’s settlement is the fourth-largest Foreign Corrupt Practices Act (“FCPA”) settlement ever, and the largest-ever by a pharmaceutical company. The $519 million payment imposed on Teva is significantly higher than the next-highest FCPA-related payment imposed on a pharmaceutical company, $70 million imposed in 2011.

The Teva settlement came on the heels of Odebrecht and Braskem’s global $3.5 billion settlement with authorities in the United States, Brazil, and Switzerland, announced the day before, on December 21, 2016. The Brazilian-based construction company Odebrecht pleaded guilty to a conspiracy to violate the FCPA, with the fine to be determined in the future at sentencing on April 17, 2017. Braskem, Odebrecht’s petrochemical unit, also pleaded guilty.

Teva: Bribes to Government Officials and Inadequate Internal Controls

The Teva agreement detailed the company’s payment of bribes to government officials in Russia, Ukraine, and Mexico, and the company’s lack of internal controls to prevent bribery.

In Russia, Teva executives and employees bribed a high-ranking government official in order to increase sales of Teva’s multiple sclerosis drug Copaxone, one of Teva’s most profitable products. The Russian government official influenced the Russian Ministry of Health’s annual drug purchase auctions to increase Copaxone sales. In return, Teva employed the Russian government official’s drug repackaging and distribution company. From 2010 until at least 2012, he earned approximately $65 million through inflated profit margins to his company.

In Ukraine, Teva also bribed a senior Ukrainian Ministry of Health official to influence Ukraine’s approval of Teva’s drug registrations, including those of Copaxone and insulins. These drug registrations were necessary to market and sell products within Ukraine. From 2001 to 2011, Teva employed the official as a “registration consultant,” paying him a monthly fee along with other items of value, including travel, totaling approximately $200,000.

In Mexico, Teva’s Mexican subsidiary bribed doctors starting in at least 2005 to prescribe Copaxone. Teva became aware of these bribes in 2009, when the company was developing its anti-corruption compliance program. Despite this awareness, Teva approved and implemented an anti-bribery compliance program that could neither prevent nor detect bribes. Additionally, compliance managers were put in place who either could not or would not enforce Teva’s anti-corruption policies.


Teva: Deferred Prosecution Agreement Accounts for “Substantial Cooperation and Remediation”

The U.S. government’s investigation of Teva began in 2012 with a U.S. Securities and Exchange Commission (“SEC”) subpoena. Teva learned of its FCPA problems that same year, and immediately took steps to address the problems. In 2012, Teva voluntarily began a comprehensive investigation into its global operations and named a global head of compliance. Teva engaged independent counsel to conduct a global corruption risk assessment. In 2013, Teva replaced its entire Russian leadership team. Teva no longer employs the individuals involved in the bribes.

On December 22, 2016, Teva entered into a deferred prosecution agreement (“DPA”) with the DOJ, agreeing to pay criminal penalties of approximately $283 million. The DPA requires that Teva work with an independent compliance monitor for three years. Teva also agreed to pay the SEC approximately $236 million in disgorgement and pre-judgment interest. The DOJ charged the company with two counts: one of conspiracy to violate the FCPA and one of failing to implement adequate internal controls. Teva Russia pleaded guilty to one count of conspiracy to violate the FCPA.

Teva’s remediation efforts were noted by the DOJ, including (1) terminating employees, (2) enhancing compliance, (3) improving anti-corruption training, (4) adopting a stand-alone third-party due diligence program, (5) making Teva’s control functions more independent and establishing an office to address reports of misconduct, and (6) strengthening the internal audit and investigations teams.

While the DOJ reduced Teva’s criminal penalty by 20% from the bottom of sentencing guidelines because of “substantial cooperation and remediation,” Teva did not get the largest possible reduction due to actions that delayed the government’s investigation, including “overbroad assertions of attorney-client privilege” and slow responses to document requests. Additionally, Teva did not get any credit for self-disclosing.

Odebrecht & Braskem: Bribery of Politicians and Political Parties

The December 21, 2016 settlement with Odebrecht and Braskem was part of “Operation Car Wash,” a long-running investigation by Brazilian prosecutors into corruption at Petrobras, Brazil’s state energy company. Earlier in 2016, Odebrecht’s CEO had been sentenced to 19 years’ imprisonment.

Odebrecht admitted to a bribery and bid-rigging scheme that started as early as 2001, through which the company paid approximately $788 million in bribes to government officials and political parties in many countries. The bribes were directed by company management and were paid using shell companies, off-shore bank accounts, and off-book transactions. A dedicated department within Odebrecht, the “Division of Structured Operations,” administered these bribes. The Division of Structured Operations had an entirely separate off-books communications system that allowed communication using codenames and passwords via secure emails and instant messages.

As Odebrecht’s petrochemical unit, Braskem contributed about $250 million to Odebrecht’s bribe system. This money ended up with Brazilian politicians and political parties, as well as with a Petrobras official. In exchange, Braskem received benefits that included contracts with Petrobras, preferential rates for the purchase of Petrobras’ raw materials, and favorable legislation reducing Braskem’s Brazil tax liabilities.

On December 21, 2016, Odebrecht and Braskem settled with the DOJ, Brazil’s Ministerio Publico Federal, and Switzerland’s Office of the Attorney General. The plea agreements require that the companies employ an independent compliance monitor for three years. The agreements accounted for the companies’ failure to voluntarily disclose; the nature and seriousness of the offenses, which involved the highest levels of the companies, lasted many years, and occurred in multiple countries; and the lack of an effective compliance and ethics program at the time of the offenses.


Odebrecht agreed that the appropriate criminal penalty would be $4.5 billion, but the company has claimed it can only pay $2.6 billion. The penalty will be determined during sentencing on April 17, 2017. Eighty percent of Odebrecht’s penalty will go to Brazil, with the United States and Switzerland each receiving 10 percent. Braskem pled guilty to one count of conspiring to violate the FCPA, agreeing to pay a $632 million criminal penalty. Braskem settled related charges with the SEC, agreeing to pay $325 million in disgorgement of profits. Seventy percent of Braskem’s penalty will go to Brazil, with the United States and Switzerland each receiving 15 percent. Between the penalties and the disgorgement, the United States will receive approximately $94.8 million from Braskem.

The companies’ remediation efforts were noted by the DOJ, including (1) disciplining and terminating employees, (2) heightening controls and compliance programs, and (3) “significantly increasing” compliance resources.

Odebrecht’s penalties were reduced by 25 percent from the bottom of sentencing guidelines as a result of Odebrecht’s “full cooperation,” and Braskem’s penalties were reduced by 15 percent from the bottom of sentencing guidelines as a result of Braskem’s “partial cooperation.”

Implication

With the Odebrecht, Braskem, and Teva payments, U.S. authorities will have imposed a record-setting $2.15 billion in FCPA-related payments in 2016, greatly exceeding the previous annual record for FCPA-related payments of $1.6 billion set in 2014. None of the companies voluntarily self-disclosed, and the U.S. government insisted that all three employ independent compliance monitors for three years. These settlements show that companies must cooperate promptly and completely in order to receive full financial credit for cooperation.


Anti-Corruption / International Risk

January 11, 2017

Mondelēz Agrees to Pay $13 Million to Settle FCPA Charges Related to Inadequate Due Diligence and Accounting Controls over Third Party in India

Attorneys: Ryan Rohlfsen, G. David Rojas, Bryan M. Weynand

On January 6, 2017, the U.S. Securities and Exchange Commission (“SEC”) announced that Illinois-based multinational confectionery company Mondelēz International Inc. and its subsidiary Cadbury agreed to settle Foreign Corrupt Practices Act (“FCPA”) charges relating to allegations of bribery in India. Mondelēz, formerly Kraft Foods Inc., and Cadbury will pay $13 million to settle the charges arising from payments Cadbury made to a consultant in India to obtain licenses and approvals for a chocolate factory. The SEC alleged due diligence failures by both Cadbury and Mondelēz. Allegedly, Cadbury failed to conduct adequate diligence on the consultant, whereas Mondelēz failed to conduct adequate diligence on Cadbury, both before and after acquiring the U.K. company.

Resolution Details

An SEC investigation concluded that, in 2010, Cadbury India retained a consultant to represent the company in interactions with the Indian government. Cadbury India paid the agent $90,666 over the course of six months. The services detailed in the agent’s invoices included drafting license applications for a chocolate factory Cadbury India planned to build in Baddi, India. Nevertheless, Cadbury employees, not the agent, prepared these license applications. Moreover, the agent withdrew most of the funds in cash upon receipt of each payment. One such approval designated the chocolate factory as two distinct units for tax purposes, resulting in approximately $85 million in tax benefits for Mondelēz.

The SEC charged Mondelēz and Cadbury with violating the books-and-records and internal-controls provisions of the FCPA. Cadbury allegedly failed to maintain records that accurately reflected the nature and value of the services provided by the consultant. The SEC also found that Cadbury did not maintain internal accounting controls sufficient to reasonably prevent improper or unauthorized payments. Moreover, the SEC alleged that Cadbury failed to conduct appropriate due diligence on and monitor the activities of the agent, which created the risk that the funds could be used for improper or unauthorized purposes.

The SEC’s investigation also determined that parent company Mondelēz failed to perform adequate anti-corruption compliance diligence when it acquired Cadbury. Mondelēz acquired Cadbury on February 2, 2010, at the beginning of Cadbury’s relationship with the agent. Mondelēz did not conduct complete pre-acquisition due diligence, and its six-month post-acquisition due diligence did not identify the contemporaneous relationship between Cadbury and the agent. The SEC concluded that, as a result of Mondelēz’s acquisition of Cadbury, it is responsible for the subsidiary’s violations.

Mondelēz discovered the relationship in October 2010 and commenced an internal investigation, which resulted in the termination of Cadbury’s relationship with the consultant. Mondelēz then implemented its global compliance program at Cadbury and comprehensively reviewed Cadbury India’s use of third parties in its business. Mondelēz did not disclose the potential violations, which were reported to the SEC by a whistleblower in 2015. The SEC’s settlement order, however, noted Mondelēz’s cooperation with the investigation.


A dispute with the Indian government over the tax designation remains ongoing.

Key Takeaways

This settlement illustrates the importance of several key principles for mitigating the anti-corruption risks associated with conducting business in high-risk markets:

• Perform robust anti-corruption due diligence prior to international acquisitions.

• Identify and monitor high-risk third-party relationships as part of a comprehensive compliance program.

• Demand accurate, itemized, and timely invoices and supporting documentation for all payments to third parties.

If you have any questions, please contact your usual Ropes & Gray advisor.


January 23, 2017

Hot Topics in Supply Chain Compliance The last few years have seen a proliferation of new supply chain-focused regulations and Attorneys other compliance obligations, a trend which isn’t likely to abate any time soon. In this Michael R. Littenberg Alert, we provide an overview of selected supply chain compliance items that should be on the radar screen of healthcare industry legal and compliance professionals in 2017. Anti-Human Trafficking Anti-human trafficking compliance is a newer area of focus for many healthcare companies as a result of recently adopted disclosure and compliance requirements and increasing stakeholder scrutiny. The UK Modern Slavery Act (MSA). Starting this year, the MSA will require a significant number of healthcare companies to annually publish on their websites a statement describing the steps that they have taken during the preceding fiscal year to ensure that slavery and human trafficking are not taking place in any of their supply chains or in any part of their own businesses. This requirement applies to “commercial organisations” doing business in the United Kingdom, irrespective of home country, that provide goods or services and have worldwide turnover of at least £36 million. Each company will need to tailor its statement to its particular risk assessment and compliance program. 
There are no mandatory topics that must be covered in the statement, although the MSA recommends that the following disclosure topics be addressed: (1) organizational structure, business model and supply chain relationships; (2) policies in relation to slavery and human trafficking; (3) slavery and human trafficking due diligence processes; (4) the parts of the business and supply chains where there is a risk of slavery and human trafficking taking place and the steps taken to assess and manage that risk; (5) the effectiveness in ensuring that slavery and human trafficking are not taking place in the business or supply chains, measured against appropriate key performance indicators; and (6) the training available to staff. For additional Ropes & Gray resources describing the MSA in substantially more detail, including the statement requirement and action items for establishing a compliance program, see here. The UK Labour Standards Assurance System (LSAS). LSAS was commissioned by the UK Department of Health and NHS Supply Chain, which procures products for the National Health Service. LSAS is the foundation of NHS Supply Chain’s ethical procurement strategy. Initially introduced in 2012 in connection with its Framework Agreement for Surgical Instruments, NHS Supply Chain is introducing LSAS compliance into other contracts. LSAS has 15 action points, including the following supply chain facing items: (1) adopting a labor policy for the supply chain that among other things addresses the use of child and forced labor; (2) assessing the extent to which labor standards are at risk of being abused within the supply chain; (3) communicating the policy and other relevant information to identified suppliers, collecting and verifying information relating to labor standards performance and responding to the information and evidence collected to drive continual improvement of labor standards throughout the supply chain. 
There are four audit levels under LSAS, each of which requires a specified level of compliance with the LSAS action points: (1) Foundation - the vendor has begun to consider how labor standards relate to its business and there is some documentation in place for an auditor to review; (2) Implementation - the vendor has started to implement processes

ropesgray.com ATTORNEY ADVERTISING

and procedures to manage labor standards, including processes to identify risk in the supply chain; (3) Established - the vendor has in place a robust system for managing labor standards and risk is being effectively mitigated where uncovered; and (4) Progressive - the vendor demonstrates leadership level management of labor standards, going beyond audit to tackle the root cause of issues and risks uncovered and is engaging with key stakeholders, partnerships and projects to do so. Suppliers must at a minimum be audited to Level 1/Foundation within six months of contract launch for NHS Trusts to purchase supplies through NHS Supply Chain, with later deadlines to achieve compliance with higher LSAS levels. The US Federal Acquisition Regulation (FAR) Anti-Human Trafficking Provisions. The FAR governs the US Federal government’s procurement process and applies to not only prime contractors, but in many cases subcontractors and agents as well. The anti-human trafficking provisions of the FAR were significantly expanded in March 2015. Because the amendments apply only to contracts and new task orders under existing indefinite delivery/indefinite quantity contracts entered into after that time, the FAR anti-human trafficking compliance requirements are only now starting to impact the compliance programs at many companies. There are two principal compliance obligations under the FAR anti-human trafficking provisions. First, there are nine prohibited activities applicable to contractors and subcontractors (which also includes indirect subcontractors) and their employees and agents. This portion of the rule applies to all contracts. Second, the FAR anti-human trafficking provisions require a compliance plan and periodic certifications if the contract is for goods or services acquired or to be performed outside the United States with an estimated value that exceeds $500,000. 
For purposes of calculating the dollar threshold, commercially available off-the-shelf items are excluded.

Companies must design the compliance plan to fit their particular facts and circumstances. The compliance plan must be appropriate to the size and complexity of the contract and the nature and scope of its activities, including the number of non-US citizens expected to be employed and the risk that the contract will involve services or supplies susceptible to trafficking in persons. In addition, the compliance plan must at a minimum include the following elements: (1) an awareness program; (2) a grievance process; (3) a recruitment and wage plan that meets specified requirements; (4) a housing plan, if the contractor or subcontractor intends to provide or arrange housing; and (5) procedures to prevent violations and to monitor, detect and terminate agents, subcontractors or subcontractor employees that have engaged in prohibited activities.

If required, certifications must be provided in connection with the contract award and annually. The contractor must certify that: (1) a compliance plan and procedures to prevent prohibited activities and to monitor, detect and terminate a contract with a subcontractor or agent engaging in prohibited activities have been implemented; and (2) after having conducted due diligence, either, to the best of the contractor’s knowledge and belief, there have been no occurrences of prohibited activities or, if they have occurred, appropriate remedial and referral actions have been taken. For more information on the FAR anti-human trafficking rule, see our Alert here.

Trade Facilitation and Trade Enforcement Act. This Act, which was adopted in early 2016, repealed the “consumptive demand” exception to the US Tariff Act. The Tariff Act bans the importation of foreign goods and merchandise produced or manufactured in whole or in part by convict, forced or indentured labor. However, under the consumptive demand exception, the prohibition did not apply to the extent that US demand exceeded domestic supply. Since the adoption of the Act, several shipments of goods from China have been detained by US Customs and Border Protection for having been produced using forced labor. For purposes of assessing risk, commodities and products used in the healthcare industry appear on both the Department of Labor’s List of Goods Produced by Child Labor or Forced Labor and its List of Products Produced by Forced or Indentured Child Labor. Over time, third party tips alleging convict, forced or indentured labor in supply chains are likely to increase, which will put additional pressure on pre-emptive supply chain mapping for at-risk commodities and products.

Proposed French Human Rights Legislation. During November 2016, the French National Assembly adopted a bill that would require large French companies to adopt a vigilance plan to identify and prevent serious human rights violations, including at the subcontractor and supplier level. Requirements of the vigilance plan would include: (1) risk mapping; (2) procedures for assessing subsidiaries, subcontractors and suppliers; (3) risk mitigation; (4) a reporting and grievance mechanism drawn up in consultation with representative trade union organizations; and (5) a mechanism for monitoring the compliance measures implemented and evaluating their effectiveness. If adopted into law, this legislation will impact the supply chains of large French companies, including those in the healthcare industry, irrespective of where the supplier is located.

Conflict Minerals

Conflict minerals regulation will continue to be dynamic in 2017.

US Conflict Minerals Rule. The Conflict Minerals Rule was adopted pursuant to the Dodd-Frank Act.
The Rule requires US public companies that manufacture or contract to manufacture products that contain tin, tantalum, tungsten or gold (3TG) to, among other things: (1) make supply chain inquiries to determine the source of the 3TG in their in-scope products; (2) if the 3TG originated or there is reason to believe may have originated in the Democratic Republic of the Congo region, conduct due diligence in accordance with the Organisation for Economic Co-operation and Development’s Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas; and (3) annually publicly report on their compliance.

President Trump and the Republican-majority Congress are expected to seek to roll back at least some aspects of Dodd-Frank. The repeal of the Conflict Minerals Rule is explicitly provided for in the Financial Choice Act, which was introduced in the House during the last term. However, at present, most of the Conflict Minerals Rule remains very much in effect and is likely to remain so for at least the current reporting period, which requires filings in respect of calendar 2016 to be made by May 31, 2017. In the meantime, the Securities and Exchange Commission’s April 2014 stay of the mandatory audit requirement under the Rule is expected to remain in effect for this year (see our Alert discussing the audit stay here).

The ultimate fate of the Conflict Minerals Rule is likely to turn on whether Congress decides to take a narrow or broad brush approach to Dodd-Frank repeal. However, even if the Rule is repealed, many large companies have indicated that they will continue to expect suppliers to trace the origin of the 3TG in their products, maintain compliance programs and responsibly source 3TG. These requirements will ripple through many supply chains in much the same way as if the Rule were to remain in effect.

Finally, NGOs continue to review and rank filings. This past year, one NGO survey ranked both medical device companies and drug manufacturers, the latter for the first time as a separate category. As is the case with other supply chain compliance and corporate social responsibility issues, larger consumer facing brands that are perceived as compliance laggards face the greatest risk of being targeted by NGOs and socially responsible investors.

EU Conflict Minerals Regulation. During November 2016, the EU Council, Commission and Parliament reached an informal final agreement on a conflict minerals regulation. The Regulation generally will require EU smelters and refiners and direct importers of 3TG into the European Union to conduct due diligence using the OECD Guidance framework if they are sourcing from conflict-affected and high-risk areas anywhere in the world. For more information on the pending Regulation, see our Alert here. The text of the final Regulation is expected to be released soon, after which it will be submitted for approval to the Council and the Parliament. The Regulation will take effect on January 1, 2021. The Regulation generally will not impose compliance obligations on manufacturers or sellers of components or finished products. However, many larger “downstream undertakings” will expect their suppliers to make supply chain inquiries and source 3TG from conflict-free smelters and refiners. This will result in compliance obligations, to meet commercial requirements, for a significant number of supply chain participants that are not subject to the Regulation. In addition, many larger downstream companies and the NGO community are expected to push for voluntary supply chain compliance prior to 2021.

EU RoHS and REACH

The continuing phase-in and expansion of RoHS (Restriction of Hazardous Substances) and REACH (Registration, Evaluation, Authorisation and Restriction of Chemicals) to new substances and product categories will require enhancements to supply chain compliance programs in 2017 and beyond.

RoHS. RoHS prohibits electrical and electronic equipment that contains enumerated toxic substances in specified concentrations from being placed on the EU market. RoHS also contains affirmative compliance requirements, such as requiring “CE” markings and declarations of conformity. There currently are six restricted substances under RoHS, coupled with phase-ins for eleven product categories that run through July 2019 (many categories have already been fully or partially phased in). During mid-2015, four new substances – all phthalates – were added. Restrictions on the use of these substances generally will take effect during July 2019 and July 2021.

REACH. REACH is more broadly intended to protect human health and the environment from risks posed by chemicals. REACH contains procedures for collecting, assessing and reporting information to customers and the European Chemicals Agency on substances manufactured in or imported into the European Union. For some substances, REACH goes further, requiring authorization or restricting how the substances can be supplied or used. There currently are approximately 170 substances of very high concern (SVHCs) on the REACH candidate list, and the list continues to grow. In addition, pursuant to a decision of the EU Court of Justice in September 2015, the .1% weight to weight REACH reporting threshold must be applied at the individual article or component level, rather than at the finished good or complex product level, which in many cases greatly expands the requirement to drill down and report on SVHC content in products.

About our Supply Chain Compliance Practice

Ropes & Gray has a leading supply chain compliance and corporate social responsibility practice. We advise clients across a broad range of regulations, commodities and geographies, and our clients include leading public and private companies and trade groups from every major industry. With on-the-ground expertise in the United States, Europe and Asia, we are able to take a holistic, global approach to supply chain compliance and CSR, to help clients efficiently and effectively structure and implement their supply chain compliance and CSR programs and mitigate risk.

For further information on our supply chain compliance practice or if you would like to learn more about the topics in this Alert, please contact your usual Ropes & Gray attorney or contact us here.

Ropes & Gray Supply Chain Compliance and CSR Mailing List

Click here to join the Ropes & Gray Supply Chain Compliance and CSR mailing list to receive Alerts, articles and program announcements relating to supply chain compliance, or to sign up for other Ropes & Gray mailing lists.

Ropes & Gray Supply Chain Compliance and Corporate Social Responsibility Resource Center

As part of our commitment to excellence in this area, we have developed the Resource Center as a free educational tool for our clients, friends and other stakeholders. The Resource Center is the most extensive complimentary collection of supply chain compliance resources and is frequently updated to reflect new developments in this dynamic area. Click here to go to the Resource Center.

This alert should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This alert is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. © 2017 Ropes & Gray LLP

CSR & Supply Chain Compliance

April 4, 2017

Case Closed! – The Conflict Minerals Rule Litigation Is Over, but the Drama Continues

Attorneys: Michael R. Littenberg, Julia L. Chen, Emily K. Burke

After 1,627 days and enough law firm memos to deforest a small country, the litigation relating to the Conflict Minerals Rule came to an end yesterday. In this Alert, we discuss what this means for calendar year 2016 compliance, as well as the many other moving pieces relating to the Rule.

The Court’s Final Judgment

Yesterday, Judge Ketanji Brown Jackson, a District Court Judge in the District of Columbia, entered a final judgment in the Conflict Minerals Rule case. In a short three paragraph opinion, the District Court (1) declared that Section 1502 of Dodd-Frank, Rule 13p-1 thereunder and Form SD violate the First Amendment to the extent that the statute and the rule require companies to report to the SEC and state on their websites that any of their products “have not been found to be ‘DRC conflict free,’” (2) held unlawful and set aside the Rule to the extent that it requires companies to report to the SEC and state on their websites that any of their products “have not been found to be ‘DRC conflict free’” and (3) remanded to the SEC, to take action in furtherance of the Court’s decision.

Judge Jackson’s decision was expected. On March 10th, the parties submitted a Joint Status Report requesting that the Court enter a final judgment in accordance with the earlier decisions in the case by the Court of Appeals. The appellate court decision is discussed in our earlier Alert available here.

But the Uncertainty Continues

Although the litigation has come to a close, the uncertainty surrounding the Conflict Minerals Rule continues:

• The SEC is expected to publish a new Statement that supersedes its April 29, 2014 Statement, which was put out in response to the Court of Appeals’ April 14, 2014 decision. In its 2014 Statement, the SEC indicated that companies are not required to identify products as “DRC conflict free,” having “not been found to be ‘DRC conflict free’” or “DRC conflict undeterminable.” In addition, the Statement indicated that, pending further action, an independent private sector audit will not be required unless a company voluntarily elects to describe a product as “DRC conflict free” in its Conflict Minerals Report. The April 2014 Statement is discussed in our Alert available here.

The $64,000 question is whether the SEC will reinstate the mandatory audit requirement contemplated by the Conflict Minerals Rule. We think that the chances of this occurring for the upcoming calendar 2016 filing are nil. Looking further out, for various reasons, we think that the mandatory audit requirement is unlikely to be reinstated, but it is not impossible if the Rule survives.

• On January 31st, SEC Acting Chairman Piwowar published Statements directing the SEC staff to consider whether the SEC’s 2014 guidance is still appropriate and whether any additional relief is appropriate in the interim, and opening up a comment period on the Rule, which closed during the middle of March. Putting aside form letters, the SEC received approximately 300 comment letters, both supporting and against the Rule, as well as letters taking the middle ground by advocating for modifications to the Rule.

Last week, four Democrats on the Senate Banking Committee sent a letter to the SEC’s Inspector General asking him to conduct an investigation into whether this and other unrelated actions taken by Acting Chairman Piwowar were legally permissible.

Whether and when the SEC might modify the Rule in response to comments received and the lessons learned from four years of compliance by companies, and whether the letter to the IG might temper its appetite to do so, remain open questions.

• In early February, a draft of a purported Presidential Memorandum that would suspend the Conflict Minerals Rule began to circulate. Under Section 1502 of Dodd-Frank, the SEC is required to revise or temporarily waive the requirements of the Rule if the President transmits to the SEC a determination that doing so is in the national security interest of the United States and the President includes the reasons therefor. Under Section 1502, the revision or waiver can last for up to two years.

The draft Memorandum contemplates a two-year waiver. The draft Memorandum also directs the Secretaries of State and Treasury to propose an alternative plan to address problems in the DRC region that takes a targeted approach focused on breaking the link between commodities and armed groups in the region. Thus far, the White House has not commented on the draft Memorandum in circulation.

For more information on the draft Memorandum, please see the webinar hosted by Assent Compliance in which we participated, which is available here.

• On March 27th, the State Department announced that it, along with other agencies and departments, is seeking input from stakeholders to inform recommendations of how best to support responsible sourcing of 3TG. The Department will consider requests and comments received or postmarked by April 28th.

• The Financial Choice Act introduced during 2016 contemplated the repeal of Section 1502 of Dodd-Frank. The chances are high that repeal of Section 1502 will be sought in successor legislation.

• Finally, Jay Clayton, the President’s nominee for SEC Chairman, is moving closer to being seated. The Senate Banking Committee is scheduled to vote today, after which he will move to confirmation by the full Senate. As SEC Chairman, he will drive many aspects of the SEC’s agenda, including conflict minerals regulation.

Compliance in the Near Term

So where does all of the above leave companies? For the time being, the status quo is maintained. Except as modified by the SEC’s April 2014 Statement, the Conflict Minerals Rule continues in effect and calendar year 2016 filings continue to be due on May 31st.

But, stay tuned. The roller coaster ride continues.

Meanwhile, in the EU

In other news, yesterday, the European Council voted to approve the pending EU conflict minerals regulation. The regulation was previously approved by the EU Parliament and follows on the November 22, 2016 political agreement reached by the Parliament and the Council.

The EU conflict minerals regulation, which places mandatory obligations on importers of 3TG but not product manufacturers and sellers, takes effect on January 1, 2021. Please see our earlier Alert for a summary of the EU regulation. More extensive commentary from Ropes & Gray on the final regulation will be forthcoming.

CSR & Supply Chain Compliance

April 10, 2017

SEC Issues Updated Statement on Conflict Minerals Rule

Attorneys: Michael R. Littenberg, Julia L. Chen, Emily K. Burke

On Friday afternoon, the SEC’s Division of Corporation Finance issued an Updated Statement on the Conflict Minerals Rule (the “Rule”). An updated Statement was widely anticipated. Earlier in the week, on April 3rd, the U.S. District Court for the District of Columbia entered its final judgment in the case and remanded to the SEC. This Alert discusses the Statement and other related developments, as well as short-term compliance considerations.

The District Court Judgment – A Recap

In its final judgment, the District Court (1) declared that Section 1502 of Dodd-Frank, Rule 13p-1 thereunder and Form SD violate the First Amendment to the extent that the statute and the rule require companies to report to the SEC and state on their websites that any of their products “have not been found to be ‘DRC conflict free,’” (2) held unlawful and set aside the Rule to the extent that it requires companies to report to the SEC and state on their websites that any of their products “have not been found to be ‘DRC conflict free’” and (3) remanded to the SEC, to take action in furtherance of the Court’s decision. The judgment is discussed in our earlier Alert.

The Division of Corporation Finance’s Statement

According to the April 7th Statement of the SEC’s Division of Corporation Finance, the Court’s remand has presented significant issues for the SEC to address. In light of the uncertainty regarding how the SEC will resolve those issues and related issues raised by commenters in the recent open comment period on the Rule, the Division has indicated that it will not recommend enforcement action to the Commission if registrants, including those that are subject to paragraph (c) of Item 1.01 of Form SD, only file disclosure under the provisions of paragraphs (a) and (b) of Item 1.01 of Form SD.
Paragraph (a) of Item 1.01 requires a reasonable country of origin inquiry (“RCOI”) if conflict minerals are necessary to the functionality or production of a product manufactured or contracted to be manufactured by a registrant. Paragraph (b) provides that, if, based on its RCOI, the registrant determines that its necessary conflict minerals did not originate in the DRC region or came from recycled or scrap sources, it has no reason to believe that its necessary conflict minerals may have originated in the DRC region, or it reasonably believes that its necessary conflict minerals did come from recycled or scrap sources, it must, in the body of its Form SD, disclose its determination and briefly describe the RCOI it undertook and the results of the inquiry it performed. For those registrants that are not able to stop at the RCOI, paragraph (c) of Item 1.01 generally requires the registrant to exercise due diligence and file a Conflict Minerals Report exhibit to its Form SD that contains enhanced disclosure on the registrant’s due diligence measures, its in-scope products and the processing facilities and countries of origin of the necessary conflict minerals.

The Division’s Statement indicates that it is subject to any further action that may be taken by the SEC, expresses the Division’s position on enforcement action only and does not express any legal conclusion on the Conflict Minerals Rule.

Acting Chairman Piwowar’s Statement

Also on Friday, SEC Acting Chairman Piwowar published a separate Statement. In his Statement, he indicated that he has instructed the SEC staff to begin work on a recommendation for future SEC action and that, in preparing its recommendation, the Staff will consider, among other things, the public comments received in response to the January 31st request for comment on the Rule. Acting Chairman Piwowar, who has made it well known that he is opposed to the Rule, further indicated in his Statement that “[t]he primary function of the extensive and costly requirements for due diligence on the source and chain of custody of conflict minerals set forth in paragraph (c) of Item 1.01 of Form SD is to enable companies to make the disclosure found to be unconstitutional.” and that “[i]n light of the foregoing regulatory uncertainties, until these issues are resolved, it is difficult to conceive of a circumstance that would counsel in favor of enforcing Item 1.01(c) of Form SD.”

Early Reactions to the Statements

News sources have reported that SEC Commissioner Kara Stein, a Democratic Commissioner and currently the only other seated SEC Commissioner, has taken exception to Acting Chairman Piwowar’s action. She has accused him of acting beyond his authority to engage in de facto rulemaking. As of Sunday afternoon when this Alert was prepared, the NGOs focused on this issue have not published statements, but we expect those to be forthcoming this week. We also would not be surprised to see another shot across the bow from Democrats on the Senate Banking Committee. On March 29th, four Democrats on the Senate Banking Committee sent a letter to the SEC’s Inspector General asking him to conduct an investigation into whether Acting Chairman Piwowar’s January 31st Statement opening up a comment period on the Rule and other unrelated actions taken by Acting Chairman Piwowar were legally permissible.

Near Term Steps for Registrants

The Statements will have little impact on the calendar year 2016 traceability process at most registrants. In most cases, that process has been completed or is close to completion. And, in any event, there is significant overlap between the RCOI and due diligence processes.

For most registrants, the most immediate considerations will be how much to say in the calendar year 2016 Form SD and whether to include a separate Conflict Minerals Report exhibit. As a result of the Division of Corporation Finance’s Statement, we expect that there will be more variation in disclosure this year relative to calendar year 2015 reporting. Among the factors that registrants will be considering in crafting their disclosure are NGO and socially responsible investor pressure around responsible minerals sourcing and disclosure rankings, messaging to commercial customers and consumers, internal corporate social responsibility values and their best guesstimate as to where the Rule and market practice will be heading over the next year. Some of the factors that will determine the ultimate outcome of the Rule are discussed in this Alert. In that Alert, we indicated that the drama around the Rule would continue, and, for now, it shows no sign of abating.

Evaluating FCPA Pilot Program: The Data, The Trends

This article by government enforcement partners Ryan Rohlfsen and Kim Nemirow and associates Dante Roldan and Sarah Kimmer was published by Law360 on April 14, 2017.

Attorneys: Ryan Rohlfsen, Kim B. Nemirow, Dante Roldan, Sarah M. Kimmer

April 5 marked the one-year anniversary of the "Foreign Corrupt Practices Act Enforcement Plan and Guidance."1 Announced by the U.S. Department of Justice, Criminal Division's Fraud Section, the guidance outlined three important steps employed by the DOJ in combating FCPA violations: increased FCPA enforcement resources, international cooperation and, most notably, the launching of the FCPA enforcement pilot program.

The pilot program formalized the DOJ’s practice of rewarding corporate cooperation and remediation with penalty reductions beyond what was historically available under the sentencing guidelines. Fashioned as both a carrot and a stick, the pilot program incentivizes companies who self-disclose potential violations to the DOJ and penalizes those who do not. Specifically, under the pilot program, a cooperating company could receive only up to a 25 percent reduction or “discount” from the bottom of the sentencing guidelines fine range if it did not disclose the wrongdoing whereas it could earn a possible declination or up to a 50 percent discount if it promptly self-disclosed the conduct.

The pilot program was initially designed to be a one-year test, during which time the Fraud Section would determine whether to extend the program’s duration or modify its policies. On March 10, 2017, the DOJ announced that the pilot program would remain in place after its April 5, 2017, expiration while the DOJ continues to evaluate its efficacy.2

This article will discuss patterns and key takeaways from the pilot program’s first year. Notably, the DOJ has resolved 18 FCPA matters over the last 12 months, a significant increase compared to the seven resolutions from the prior 12-month period. As indicated in the scatter plot following the article, a close review of the 18 matters provides substantial data from which to analyze the pilot program’s short-term impact.

Year in Review

Since the announcement of the pilot program, the DOJ has resolved 18 FCPA cases. Geographically, there continues to be a concentration of cases with conduct originating in China (eight of 18). There is also a growing number of actions related to activity in Latin America — six this year, compared to four in the preceding year. The rise in Latin American actions is likely the result of local enforcement agencies’ increased focus on anti-corruption in the wake of the Petrobras scandal, among other high-profile prosecutions.

Over the last year, seven companies resolved self-reported misconduct, and five received the pilot program’s maximum reward — a declination. This is once again an uptick from the prior year, when the DOJ issued declinations in only two cases. The two other companies that self-disclosed under the pilot program, but did not receive declinations, General Cable Corp. and Analogic Corp., received a 50 percent and 30 percent discount, respectively. Further, no company that self-reported was required to engage a corporate compliance monitor. All seven self-disclosing companies, however, were required to disgorge profits per the pilot program’s requirements.

1 See Fraud Section’s Foreign Corrupt Practices Act Enforcement Plan and Guidance (https://www.justice.gov/criminal-fraud/file/838416/download).
2 Acting Assistant Attorney General Kenneth A. Blanco Speaks at the American Bar Association National Institute on White Collar Crime (https://www.justice.gov/opa/speech/acting-assistant-attorney-general-kenneth-blanco-speaks-american-bar-association-national).

Interestingly, the DOJ overwhelmingly imposed monitorships with both nonprosecution agreements and deferred prosecution agreements resolutions. Nine of the 11 NPA and DPA resolutions required the company to appoint a monitor. From this group, only Rolls Royce PLC and JPMorgan were spared the imposition of a monitor.

Key Trends Under the Pilot Program

The DOJ’s application of the pilot program over the last year has yielded some degree of consistency. Three trends — cooperation, monitorships and self-disclosure — have emerged as key considerations for companies investigating potential misconduct.

Cooperation Is Key

The pilot program allows for as much as a 25 percent reduction in fines for companies that cooperate with a DOJ investigation but did not self-report the misconduct. Of the 11 settlements involving companies that did not self-report, nine received a discount of 25 percent or less. Five of the seven companies that self-reported and fully cooperated received declinations from the DOJ and were required to pay disgorgement — but no fines or penalties — to resolve their FCPA misconduct. The prior year’s resolutions were arguably not as consistent on this point.3

Regardless of whether a company self-reports misconduct, the level of cooperation may also impact the potential discount. Companies that received less than the maximum discount also did not receive full cooperation credit from the DOJ. For example, Analogic did not initially disclose all relevant facts to the DOJ. As a result, it received a 30 percent discount, instead of the full 50 percent available to self-disclosing companies under the pilot program.4 Similarly, according to the DPA, Embraer SA fully cooperated with the DOJ’s investigation but only partially remediated. The DPA notes that Embraer did not terminate a senior executive with knowledge of the conduct described in the DPA, which was a factor that the DOJ considered when determining that Embraer would receive a 20 percent discount in lieu of a potential 25 percent discount for companies that had fully cooperated and remediated.5 For Braskem SA, Teva Pharmaceuticals Industries Ltd. and Och-Ziff Capital Management Group LLC, delays during the early stages of the investigations led to decreased discounts of 15 percent, 20 percent, and 20 percent, respectively, instead of the maximum 25 percent discount available to each company.

3 In 2015, the DOJ declined to take action in two cases, Petro Tiger and SAP, but only Petro Tiger self-disclosed its misconduct. In the remaining five cases, the fine discounts ranged from 0 percent to 45 percent, with no two companies receiving the same discount.
4 BK Medical ApS NPA at 1 (https://www.justice.gov/criminal-fraud/file/869661/download).
5 Embraer S.A. DPA at 4 (https://www.justice.gov/criminal-fraud/file/904636/download).

Monitorships Are a Very Real Possibility

Recent resolutions confirm that self-reporting companies have been far less likely to receive a monitor. Comparatively, those companies that do not self-disclose have been increasingly subject to review by a monitor. The data over the last year bears this out — nine of the companies that did not self-report were required to appoint a monitor, compared to two self-reporting companies where a monitor was not required.

The DOJ’s decision to impose a monitorship generally turns on whether the company has “implemented an effective compliance program.” However, non-self-reporting companies that received full cooperation credit and implemented (according to the resolution papers) strong compliance enhancements, still overwhelmingly received monitorships. This trend is also noteworthy because the imposition of a monitorship may represent a significant expense for companies on top of any fines, and may exceed the value of a discount off the sentencing guidelines.

As noted above, although they did not self-report, neither JPMorgan nor Rolls Royce received a monitor.6 The DOJ determined that “an independent compliance monitor was unnecessary” for JPMorgan based on the “state of [the company’s] compliance program” and its agreement to provide periodic reports to the DOJ and the U.S. Attorney’s Office for the Eastern District of New York.7 In the case of Rolls Royce, the U.K.-based company entered into an $800 million global resolution with authorities in the United Kingdom, United States and Brazil. Of that amount, the U.K. received $605 million, the U.S. $170 million, and Brazil $25 million. Based on the size of the U.K. portion of the settlement, compared to those with the U.S. and Brazil, it is possible that the DOJ deferred to the U.K. on issues such as whether to impose a monitor.

DOJ Further Incentivizes Self-Disclosure

Over the last year, the majority of self-reporting companies (five of seven) received declinations. The remaining companies, Analogic and General Cable, received significant discounts and were not required to engage a monitor. Companies should consider these results when making a disclosure decision.

The terms of the DOJ’s settlement with Analogic, despite the company’s incomplete self-disclosure, signal the value the government places on self-reporting.8 While Analogic self-reported a scheme whereby a subsidiary funneled millions of dollars to third parties, including government officials in Russia, it failed to initially disclose all relevant facts. Nevertheless, the DOJ credited Analogic for its self-disclosure and cooperation during the investigation. As a result, Analogic settled upon a $3.4 million fine — a 30 percent discount — and was not required to engage a monitor.

Limitations on Declinations

Despite the penalty consistency of the first year, the full impact of the pilot program remains to be seen. While the DOJ has resolved cases under the pilot program’s guidance, these matters were apparently reported prior to its launch. We expect that cases handled entirely within the pilot program’s framework will be resolved later in 2017 and may provide more clarity, particularly with respect to the use of declinations.

6 JPMorgan Securities NPA at 2 (https://www.justice.gov/criminal-fraud/file/911356/download); Rolls-Royce PLC DPA at 4-5 (https://www.justice.gov/criminal-fraud/file/929126/download).
7 JPMorgan NPA, supra note 6.
8 BK Medical NPA, supra note 4.

Contrary to the five self-disclosed cases that received declinations, General Cable’s resolution provides support for the notion that the size and scope of self-reported conduct will inform whether a company receives a declination. General Cable self-reported a scheme whereby foreign subsidiaries used third-party agents and distributors to make corrupt payments to foreign officials in Angola, Bangladesh, Indonesia, Thailand and China to obtain business. Disgorgement — typically calculated from the profits attributable to the misconduct — is at least one indicator of the size of a company’s misconduct. In addition to a three-year NPA with the DOJ, General Cable disgorged $55 million in a separate resolution with the U.S. Securities and Exchange Commission.

General Cable’s $55 million disgorgement payment was almost six times the highest amount paid by the five self-reporting companies that received declinations. Indeed, three of the five companies receiving declinations paid disgorgement that did not exceed $700,000. The size of General Cable’s disgorgement sheds light on the existence of an upper limit to the types of self-reported schemes that will receive declinations.

Looking Forward

While the pilot program continues, its future is by no means set in stone. Instead, the DOJ will continue to evaluate the pilot program’s “utility and efficacy” to determine “whether to extend it, and what revisions, if any” should be made.9

Importantly, the pilot program was also announced as an initiative to cooperate with international regulators. In fact, the DOJ has credited foreign authorities with providing valuable assistance in nearly every resolution over the last year. Furthermore, a number of foreign jurisdictions have ramped up anti-corruption investigations and enhanced international cooperation. For example, prosecutors from 10 Latin American countries (Brazil, Argentina, Chile, Colombia, Ecuador, Mexico, Peru, the Dominican Republic, Venezuela and Panama) and one European country, Portugal, recently announced that they will form a task force to share evidence in the investigation of bribes paid by Odebrecht SA.10 The goal of the task force is to speed up the exchange of information between countries to avoid “bureaucratic hurdles” encountered when assessing penalties.11

In summary, the DOJ’s FCPA enforcement does not appear to be on the decline. Further anti-corruption developments abroad will only serve to increase pressure on the DOJ to strengthen its FCPA efforts.

9 Blanco Speaks at the American Bar Association National Institute on White Collar Crime, supra note 2.
10 Latin American Prosecutors Join Forces on Odebrecht Bribes (http://www.reuters.com/article/us-brazil-corruption-latinamerica-idUSKBN15W2H7).
11 Id.

This alert should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This alert is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. © 2017 Ropes & Gray LLP

CHICAGOLAWBULLETIN.COM MONDAY, APRIL 3, 2017
Volume 163, No. 64 Serving Chicago’s legal community for 162 years

Helping piece together the life sciences puzzle

In this Q&A on M&A, two Ropes & Gray experts gauge the biotech, pharma and medical markets

BY LAUREN P. DUNCAN
Law Bulletin staff writer

Setting up a regulation compliance program for a global pharmaceutical or medical device company is no simple puzzle to piece together.

Thanks in part to a few busy years of mergers and acquisitions in the life science sector, companies in many instances are turning to outside counsel to help set up their compliance programs, according to two Ropes & Gray LLP attorneys who work in healthcare compliance and investigations.

In 2016, there was about $177 billion worth of mergers and acquisitions in the pharma, medical and biotech industries worldwide, down from a record high of $298 billion in deals in 2015, according to a recent report from Mergermarket.

Despite a slow year in 2016, the U.S. remains a significant part of M&A activity in the global life sciences and health-care market, contributing to nearly 60 percent of that $215 billion last year, according to an analysis by accounting firm Deloitte.

A few of those deals that closed in recent years include the $14 billion Zimmer- merger, Pfizer’s $16 billion purchase of Lake Forest-based Hospira and the recent $25 billion acquisition of medical device company St. Jude Medical, Inc. by Lake Bluff-based Abbott Laboratories.

As life science companies expand, so do their compliance programs. Ropes & Gray partner Kim B. Nemirow and counsel Alison Fethke, who work in the regulation compliance arena, weighed in on the challenges that pharmaceutical and medical device companies face as they expand.

Nemirow has experience working on both internal and Department of Justice and Securities and Exchange Commission investigations regarding compliance matters involving pharmaceutical and medical device companies. Fethke, who previously worked in-house at Abbott, advises clients on regulatory issues in a variety of healthcare-related areas.

The following interview has been edited for brevity.

Law Bulletin: What are some of the biggest issues you two are dealing with in life science regulation compliance?

Nemirow: One of the biggest overall trends relates to the globalization of companies. Though life science companies have been expanding globally for a while, over the past several years we’ve seen U.S. companies increasingly focusing resources on the creation of integrated global compliance programs. Historically, companies have grown the business first in a particular country and then compliance or legal has to catch up later. More recently, we’ve seen the international legal and compliance infrastructure begin to catch up with the globalization that has been going fast and furious for a while.

Fethke: To some degree we’re also seeing some consolidation in the industry, which can lead to complications, particularly when you consider company integration. Sometimes, in a merger or acquisition, one company has a stronger ex-U.S. presence than another, but by combining them everything just gets bigger and more complicated. That applies to the compliance infrastructure as well and, in some cases, not only is the program getting bigger, but the two companies’ differing styles and approaches have to mesh together.

LB: What are some of the essential components for a life science company to consider in creating a new compliance program?

Nemirow: Infrastructure and resources, resources, resources. Whether it is a major multinational or a smaller company with a manufacturing facility in one country in Europe, all companies need to have a capable compliance infrastructure in place to mitigate risks. While we can write a policy, and we can write a program, if you don’t have the internal resources to implement it, it’s not going to be successful. And we of course mean compliance headcount, but also the systems and controls necessary to implement the program, including finance capabilities, the necessary software, and third party vendors. These systems are critical to the success of compliance programs, particularly for domestic companies entering international markets.

Fethke: I think there’s a pretty set model for how to do this within a domestic company. I think one of the very important components — and you see this all throughout the writings both on the anti-corruption laws and on the U.S. fraud and abuse laws — is the government views tone at the top and the buy-in of an executive team into the compliance program as a totally essential element of how a compliance program has to operate, because if your executives and leaders don’t believe in it, aren’t going to resource it, aren’t going to enforce discipline, aren’t going to message about it on a continual basis, your program isn’t going to be effective, and so in reality, in an ideally operating compliance program you have that strong tone from the top and you have a shared ownership of compliance from everyone at your institution.

Nemirow: There is no one way to do a compliance program because every company is different. A program must be tailored to the specific business, culture and needs of each company. But, the whole reason these compliance programs exist is generally in response to government regulation, so your compliance program should be such that you should be prepared to present it to the U.S. Department of Justice and the SEC.

LB: How important is it that these global compliance programs educate employees across the world on U.S. laws?

Fethke: The goal of a compliance program is not to eliminate misconduct. It happens. We say to people all the time, if you have a compliance program or you have a hotline, and you don’t get any reports or complaints, your program’s not working. The goal is that you catch it first. It’s critical that companies build a compliance program preemptively, as opposed to when they urgently need one, and educate employees across the globe.

Nemirow: You think of the place like a super-remote part of Chengdu Province in China, an employee there has never been to Illinois, has never even met anyone from the company headquarters, and is selling only to local hospitals. You have to convince that person who is so far removed from headquarters about the importance of complying with laws from the United States. They’ve never heard of the U.S. Department of Justice. How challenging is it for companies to do that? It’s very hard, and so what companies need to be doing, the best practices of the company, is getting to a place so that their systems are strong enough and their training program and their monitoring program are strong enough that if an issue arises with that person in Chengdu, they can go to the Department of Justice and say, this issue happened, this guy was going rogue, we trained him, we monitored him and he was defrauding us.

Fethke: Most companies try to set out a compliance framework that is heavily based on U.S. law but also incorporates globally understood standards.

Nemirow: Part of the whole international legal compliance structure has to be getting the right advice in the right country in every country. They all have slight nuances, and sometimes significant nuances.

LB: Are you dealing with more investigations these days as these companies become more global?

Nemirow: It’s increased significantly over the last five years. A huge part of our practice is doing global investigations.

Fethke: And companies have built some of that capacity internally, but they have also continued to rely heavily on outside counsel. For instance, we recently helped a medical device company strengthen its compliance infrastructure following a DOJ inquiry.

LB: Amid impending administrative changes, what’s the future look like for life science compliance?

Fethke: It’s not entirely clear, but a lot of what companies do every day — at least in the drug and device space — the [Good Manufacturing Practices], shipments, making sure your supply chain is safe, your product is stable, sterilized, none of that is going to change.

Nemirow: There is a lot of speculation right now on the enforcement side, in the government, DOJ, SEC, criminal and civil enforcement, speculation about what the future is going to look like.

Copyright © 2017 Law Bulletin Publishing Company. All rights reserved. Reprinted with permission from Law Bulletin Publishing Company.

Medical Research Law & Policy Report®

Reproduced with permission from Medical Research Law & Policy Report, 16 MRLR 08, 04/19/2017. Copyright © 2017 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

Biological Materials

Using Biospecimens Collected Abroad in Future Research: Key Considerations

HALEY BAVASI, LESLIE THORNTON, DAVID PELOQUIN AND MARK BARNES

Clinical research is an increasingly cross-national endeavor as research sponsors seek regulatory approval in multiple national markets, some of which require, as a precondition for marketing approval, that at least some trials be conducted locally. In addition, ex-United States (“U.S.”) and ex-European Union (“E.U.”) settings offer the possibility of enrolling large numbers of treatment-naive and research-naive patients, often leading to rapid trial initiation and completion. With this shift in research activities, U.S.-based life sciences companies must understand local regulatory requirements with respect to navigating privacy and data security laws, obtaining the informed consent of research subjects, and securing research ethics committee review prior to beginning a clinical trial.

These legal issues have more subtle implications when companies contemplate future research uses of biospecimens collected in a given clinical trial, which uses may be limited depending on the laws of the jurisdiction in which the biospecimens are collected. The exportation of biospecimens out of the country of collection for storage or performance of the future research activities also can raise legal complications.

In this brief overview, we discuss key legal issues that must be considered when a U.S.-based company designs an international trial involving collecting and retaining biospecimens for future research, or when such a company considers how it may use biospecimens that already have been collected. We also provide selected highlights of these considerations for the use of biospecimens collected in the course of research conducted in China, Russia and the United Kingdom (“U.K.”).

Haley Bavasi, Leslie Thornton, David Peloquin and Mark Barnes are attorneys with Ropes & Gray LLP.

COPYRIGHT © 2017 BY THE BUREAU OF NATIONAL AFFAIRS, INC. ISSN 1539-1035

1. Key Considerations

When designing a clinical trial, or determining whether biospecimens collected in a previous trial may be used in future research, three types of laws generally need to be considered: (1) laws governing informed consent for future research use of biospecimens collected in the course of research involving human subjects; (2) laws regulating the conduct of genetic tests and/or the acquisition of genetic information; and (3) laws regulating the confidentiality of medical information and data protection laws.

Informed Consent

Under the recently revised Common Rule, i.e., the set of federal regulations governing clinical research involving human subjects conducted or supported by the U.S. government (see 45 C.F.R. part 46), researchers may obtain broad consent with respect to the storage, maintenance and secondary research use of identifiable private information and identifiable biospecimens. However, when biospecimens are collected from research sites outside of the U.S., the legal/ethical framework of the jurisdiction in which the sample is collected must be considered with respect to informed consent—in particular, how biospecimens gathered in the course of the research may be used in future research that may not be defined in the informed consent document signed by the subject. While the U.S. permits the obtaining of broad consent for future use, other countries require specific informed consent for such future use. Therefore, in cases in which future use is not contemplated in an informed consent document, researchers must determine whether an individual has consented to research that is separate—whether temporally, topically or both—from the original research to which the subject expressly consented. In addition to requiring specific consent to future research, jurisdiction-specific laws and regulations may require that the subject consent to the necessary storage/retention of the sample itself for a period of time following completion of the original study, and that the sample be destroyed if such consent has not been obtained.

Genetic Testing

As genetic testing becomes more advanced and ubiquitous in science and medicine, so do the laws regulating conduct of genetic testing and acquisition of genetic information therefrom. Although genetic testing done in “bench research” may not yield clinical information that typically would be disclosed to subjects, the genetic testing laws in ex-U.S. countries that regulate genetic testing in the clinical context could apply nonetheless—particularly with respect to consent and privacy. Because future research often involves genetic testing, such country-specific laws may cause additional hurdles to utilizing biospecimens collected in the course of research.

Confidentiality and Data Protection Laws

The interplay between confidentiality and data protection laws, consent and future research also is of importance. Country-specific data privacy laws—particularly those in the E.U., where it soon will be required to follow the General Data Protection Regulation—often apply to “health information” or “personal information,” both of which generally would encompass the results of a genetic test that is run using a biospecimen collected in the course of future research. These laws often require the entity processing the information to have obtained the express consent of the individual whose data are being processed. While a biospecimen itself is not “information,” the resulting data generally would be subject to these types of regulations, which may give individuals a right to request access to the information, place restrictions on the data processor’s ability to share the information with third parties and impose requirements for retention and/or destruction of the data.

Certain privacy laws restrict the export of data outside the jurisdiction in which the data are collected, especially when the information is flowing to a country that is considered to have “inadequate” privacy protections relative to the exporting jurisdiction. When exporting biospecimens, companies and research institutions should consider whether the receiving country is a permissible recipient under the regulations of the originating country. In addition to restrictions regarding the flow of data, countries also may impose restrictions on the export of biological material, such as customs import/export controls.

2. Ex-U.S. Examples: China, Russia and the U.K.

China

Under China’s Human Genetic Resources (“HGR”) Guidelines, research sponsored by foreign firms in connection with Chinese-derived HGRs must take the form of international collaboration projects with a Chinese partner, which may be subject to the prior approval of the HGR Administrative Office (see Interim Measures for the Administration of Human Genetic Resources (the “HGR Measures”), Guidelines for Administrative Approvals for Sampling, Collecting, Trading and Exporting of Human Genetic Resources and Regulations on the Administration of HGRs, which were released in draft form for public comment in 2016). Under the HGR Measures, HGRs are defined as genetic materials such as human organs, tissues, cells, blood and preparations of any type or recombinant DNA constructs, which contain human genome, genes or gene products as well as the information related to such genetic materials. International collaboration projects also must meet the following requirements, as relevant to this analysis: (a) have clear research purposes and objectives; (b) obtain the approval of ethics committees of the local collaborator, and the informed consent of HGR donors; and (c) be re-executed or otherwise obtained again in order to re-use specimens for new research programs. Based on these requirements, it is unlikely that informed consent documentation that does not specify anything regarding future research would be able to satisfy the HGR Guidelines if a company or research institution desires to use biospecimens collected in past studies for future research.

China also has strict regulations with respect to data access: Sponsors of research generally are allowed to access only the anonymized study data transcribed by investigators in the form of case report forms. The source data and records are maintained and used by the treating physicians exclusively (see China’s Regulations for the Administration of Medical Records). Finally, current regulations are silent as to export and retention of biospecimens collected in the course of clinical research after the research is concluded; however, the draft Regulations on the Administration of HGRs provide that: (1) the Chinese collaborator may establish a biobank to store specimens for research purposes, and (2) any export of biospecimens collected from Chinese subjects must be first approved by certain Chinese officials and approved and released by customs.

Russia

Russia’s Circulation of Medicines Law and Good Clinical Practice (“GCP”) Rules govern pharmaceutical development, including informed consent requirements for clinical trials. These require, among other things, that subjects be informed of the “purpose” of the clinical trial (see Federal Law of April 12, 2010 on Circulation of Medicines No. 61-FZ; Order No. 200n of April 1, 2016 of the Ministry of Health). Thus, if no consent to future use of biospecimens is specified (even in broad form), it would be difficult to find that this requirement has been met with respect to future research.

Russia’s Data Protection Law requires subjects to provide consent to the processing of their data, including use of samples when those samples are held with associated data. Consent must include the purpose for the processing of the data, a list of personal data to which the subject is giving consent for future use, and a list of consented-to actions with respect to the personal data (see Federal Law of the Russian Federation No. 152-FZ on Personal Data (2006)). The Data Protection Law also limits the processing of personal data to the achievement of specific, pre-defined and legitimate objectives, and requires that the content and scope of the processing comply with stated objectives. Under this law, there is no exception for processing that is for the purpose of research, even if such data are anonymized. Given the highly specific nature of the consent requirements under the Data Protection Law, informed consent documentation that does not discuss future research likely would not meet these requirements.

There is some ambiguity as to whether genetic testing on samples collected within Russia may be processed outside of Russia, as Russia temporarily banned the export of human tissue in 2007 (see Russian clinical research is threatened by ban on export of samples, NIH.gov (June 16, 2007)). Today, as a member of the Eurasian Economic Commission (the “EEC”), Russia restricts, but does not entirely ban, the export of human materials (see Federal Customs Service, Customs.RU). The current restriction includes an exception for “human biological material samples,” defined as cell samples, tissue, human body fluids, secretions, excreta, physiological and pathological secretions, swabs, scrapings and swabs used for diagnostic and research purposes, intended for external quality control studies or received in the course of biomedical and (or) clinical trials. A letter from the Russian Federal Customs Service confirms that the aforementioned restrictive regime does not apply to the import/export of tissues and other biological materials for diagnostic and research purposes or obtained in the course of biomedical research (see Federal Customs Service Letter dated May 5, 2011, No. 01-19). However, given the past ambiguity, companies should monitor carefully any developments as to the export of biospecimens from Russia.

U.K.

U.K. law provides that samples may be used in future research despite the absence of express consent for such future research if the data are anonymized and the research has been approved by the National Health Services Research Ethics Council (see Human Tissue Act of 2004 (the “HTA”)). Samples to be used in research are “anonymous” if the researcher is not in possession, or is not likely to come into possession, of information from which the person whose body the material has come can be identified. However, this does not mean samples must be permanently delinked; rather, guidance from the U.K. Medical Research Council suggests that “coding is a good way to meet these requirements” (see U.K. Medical Research Council Consent Summary).

Finally, the U.K.’s Data Protection Act provides certain rules for the international transfer of personal information outside of the E.U. Transfer of personal data to non-E.U. entities may only be carried out if the receiving state has an adequate level of protection for such data. Countries within the European Economic Area are deemed to have an adequate level of data protection, as well as a handful of other countries outside the E.U., although the U.S. is not among them. However, the U.K., like other E.U. member state jurisdictions, has a general exception to this requirement if the subject has given unambiguous consent to the transfer of personal data outside of the E.U. Therefore, any transfer of samples from the U.K. to the U.S. must be with the consent of the subject or have a separate basis of authority for transfer, such as E.U. Standard Contractual Clauses and Binding Corporate Rules, and eventually the July 12, 2016, E.U.-U.S. Data Privacy Shield.

3. Conclusion

Keeping abreast of national regulatory requirements can enable U.S.-based life sciences companies to consider proactively these requirements when drafting informed consent documents and thus enable maximum uses of biospecimens in future research. On the other hand, when considering using, for additional research, biospecimens that already were collected in the course of a clinical trial, life sciences companies should consider what impediments these legal regimes—as well as the terms of the informed consent documents under which the specimens were collected—may pose for the future research use and exportation of the biospecimens into other national jurisdictions.

MEDICAL RESEARCH LAW & POLICY REPORT ISSN 1539-1035 BNA 4-19-17

www.fcpareport.com Volume 6, Number 12 To Be Published June 21, 2017

No Need to Overreact: Protecting Privilege in the U.S. and U.K. After the ENRC Decision

By Amanda Raad, Kim Nemirow, Marcus Thompson, Mair Williams and Tom Littlechild, Ropes & Gray

Companies around the world conduct internal investigations to detect and remediate potential wrongdoing. Lawyers typically lead these investigations under the cover of legal privilege, meaning that companies cannot be forced to produce their findings to third parties, including the government.

The recent United Kingdom case of Serious Fraud Office v Eurasian Natural Resources Corporation Limited[1] limits the scope of legal privilege in internal investigations. More specifically, in this case, the Court ordered ENRC to produce witness-interview summaries, forensic audit findings and draft investigative reports to the SFO to be used in the SFO’s investigation and potential prosecution of ENRC for corruption charges.

Companies and their counsel are understandably nervous about the potential implications from the ENRC decision – they are worried that documents properly subject to privilege in the United States could be deemed not privileged in the U.K. Making matters worse, the production of any privileged documents to the U.K. government would likely be deemed as a waiver under U.S. law, thus eliminating the privilege entirely.

There remains some uncertainty in the scope of the ENRC decision, and it may yet be appealed, so drastic changes in the ways companies undertake internal investigations are likely premature. However, there are a few prudent steps companies and their counsel should take to increase the likelihood their documents are protected both in the U.S. and the U.K.

SFO v ENRC – Background

ENRC launched an internal investigation in early 2011 following receipt of whistleblower allegations. ENRC and its lawyers first liaised with the SFO in August 2011 and continued to do so on many occasions over the next two years. Indeed, there were over 30 meetings and discussions between ENRC or its law firm, Dechert, and the SFO between September 2011 and March 2013. These meetings were under the guise of what the SFO, rather than ENRC, deemed to be self-reporting in line with the SFO’s 2009 Guidelines. Those Guidelines, which incentivized cooperation with the possibility of a civil settlement, were replaced in 2012 by those which reasserted the SFO’s role as a prosecutor.

The SFO launched its own investigation in April 2013. As part of this investigation, the SFO used s2(3) Criminal Justice Act 1987 notices to compel ENRC to produce certain documents generated by accountants and lawyers during ENRC’s internal investigations, including interview summaries, forensic audit reports and investigation summary materials. ENRC asserted litigation privilege and/or legal advice privilege over these documents, and the SFO took the matter to the High Court.

In reviewing the issue, the Court noted that it was a matter of first impression where criminal proceedings, as opposed to civil, represented the potential “adversarial litigation reasonably in contemplation” by the party to support a claim for litigation privilege. And, it was the parameters of litigation privilege that the Court substantially limited.

©2017 The FCPA Report. All rights reserved.

Severe Limitation on Litigation Privilege

As set forth below, the Court denied ENRC’s claim for litigation privilege with respect to each category of documents (interview summaries, third-party forensic audit materials, and investigation reports and summaries). The Court concluded that a criminal investigation is just a “preliminary step” and therefore not sufficient to qualify as “adversarial litigation.” Thus, the Court found that anticipation of a criminal investigation, even an imminent one, was not enough to support a claim for litigation privilege.

From an investigation timeline perspective, this holding suggests that litigation privilege only attaches after criminal conduct warranting prosecution is uncovered and negotiations have broken down such that litigation is the only alternative. The Court noted that the documents at issue were created in this case to avoid prosecution, not for the dominant purpose of conducting or preparing to conduct litigation. The logic here seems perverse given the trend towards cooperation with regulators in the U.K., as companies can only potentially assert privilege in the U.K. where they adopt an adversarial approach with regulators from the outset. Further, now litigation privilege in criminal matters offers less protection than its civil counterpart in the U.K. This will have particular knock-on effects for relationships between companies and bodies that have a regulatory and prosecutorial function (such as the Financial Conduct Authority) where it may be even harder to determine the line between an investigation and a prosecution and at what point litigation can be properly foreseen.

Reminder of the Boundaries of Legal Advice Privilege

The only privilege claim the Court upheld was for legal advice privilege attaching to the investigative summaries and reports that lawyers presented to ENRC’s Special Committee and Board. And, the Court warned that the materials in the reports would not otherwise be privileged. While the decision did not redefine legal advice privilege, it did offer reminders about the parameters of the privilege.

Specifically, the Court warned companies to carefully consider the roles of the lawyers giving the advice and drew a sharp distinction between advisors and fact finders. During the relevant period ENRC engaged a number of external law firms, and the Court distinguished Dechert’s role as “information gatherers” from the advisory role of the Addleshaw Goddard solicitor who sat on ENRC’s Special Investigation Committee.

Further, in addition to external counsel, the Court also revisited the role of lawyers within companies. ENRC claimed that documents created by Beat Ehrensberger, who was head of mergers and acquisitions in 2010 and became the general counsel in 2011, and sent to another colleague in 2010 could be properly withheld because they contained legal advice and Ehrensberger spent “virtually all” of his time acting as a lawyer. The Court was quick to shoot that point down, quoting ENRC’s own internal documents that made clear that Ehrensberger’s job description as head of mergers and acquisitions made no reference to a legal function. The Judge said even though Mr. Ehrensberger may have felt that he was acting as a lawyer, his role pre-2011 was one of a “man of business” and, as such, privilege did not attach.

The Court also suggested that companies should consider the roles of those receiving legal advice to ensure those individuals are authorized to seek and receive legal advice on behalf of the company.


Table columns: Nature of documents; Nature of ENRC’s privilege claim; Ruling and reasoning

Nature of documents: Interview Notes: Notes taken by ENRC’s lawyers of investigative interviews with employees and third parties

  Nature of ENRC’s privilege claim: Litigation privilege
  Ruling and reasoning: Denied because ENRC was not “aware of circumstances which rendered litigation between itself and the SFO a real likelihood rather than a mere possibility.” Even if a prosecution had been reasonably in contemplation, the documents were not created with the dominant purpose of conducting litigation. Rather, the dominant purpose was to avoid prosecution.

  Nature of ENRC’s privilege claim: Legal advice privilege
  Ruling and reasoning: Denied because there was no evidence that any of the persons interviewed were authorized to seek and receive legal advice on behalf of ENRC, or that those communications conveyed instructions or advice. Additionally, the interview notes formed part of the preparatory work of compiling information for the purpose of enabling the corporate client to seek and receive legal advice and therefore are not privileged.

Nature of documents: Third-Party Forensic Documents: Documents created by accountants as part of a “books-and-records” review

  Nature of ENRC’s privilege claim: Litigation privilege
  Ruling and reasoning: Denied because the dominant purpose of the documents was to meet compliance requirements or obtain accountancy advice, not to prepare to defend a prosecution.

  Nature of ENRC’s privilege claim: ENRC retains the right to claim legal advice privilege in respect of any individual document which falls within this category.
  Ruling and reasoning: These proceedings did not determine this issue.

Nature of documents: Investigation Summaries and Reports: Documents presented by lawyers to ENRC’s Committee and Board

  Nature of ENRC’s privilege claim: Litigation privilege
  Ruling and reasoning: Denied because ENRC did not establish that at the time it was “aware of circumstances which rendered litigation between itself and the SFO a real likelihood rather than a mere possibility.” Even if a prosecution had been reasonably in contemplation, the documents were not created with the dominant purpose of being used in the conduct of such litigation. Rather, the dominant purpose was to avoid prosecution.

  Nature of ENRC’s privilege claim: Legal advice privilege
  Ruling and reasoning: Allowed because the lawyers’ presentation contained legal advice even though it made reference to the investigation’s factual information and findings which would not otherwise be privileged.

Nature of documents: Third Party Forensic Documents: Documents comprising the forensic accountants’ reports referred to in letter sent to the SFO by ENRC’s lawyers

  Nature of ENRC’s privilege claim: Litigation privilege
  Ruling and reasoning: Denied because the dominant purpose of the documents was to meet compliance requirements or obtain accountancy advice, not to prepare to defend a prosecution.

Nature of documents: In-house Legal Communications: Communications between Ehrensberger and a senior ENRC executive, also referred to in the letter sent to the SFO by ENRC’s lawyers

  Nature of ENRC’s privilege claim: Legal advice privilege
  Ruling and reasoning: Denied because ENRC’s own documents did not provide any evidence that Ehrensberger’s role was a legal one, and therefore legal advice privilege did not attach even if the documents contained legal advice.

See “Rolls Settlement Illuminates SFO Expectations for Cooperation and Compliance” (Mar. 15, 2017).


The Findings of an Internal Investigation Should Be Privileged

Managing international risks such as bribery and corruption, money laundering and economic sanctions violations is difficult for both companies and prosecutors. These matters often involve conduct occurring on the other side of the world, and the only way to remedy wrongdoing is to find it. As such, regulators around the world emphasize the importance of internal controls, including ongoing monitoring and investigative functions. Regulators also encourage self-reporting and cooperation to incentivize companies to find and bring forward potential wrongs.

Until now, the one benefit companies received for shouldering the substantial investigative costs associated with finding and fixing potential misconduct has been that they can control if and how that information is ultimately disclosed to anyone. Companies should retain the right to make their own decisions about whether to disclose the findings of their investigations, particularly where the investigations were carefully designed by counsel for the purpose of advising their clients. While prosecutors have every right to conduct their own investigations, they should not be entitled to the work product of a company’s counsel. The public policy danger is that companies will question the prudence of conducting these reviews and leave it to the prosecutors to identify the wrongdoing in the first instance.

See “Supreme Court’s Refusal to Review Crime-Fraud Case Could Have Chilling Effect on Attorney-Client Relationship” (Nov. 19, 2014).

A Further Divide Between the U.K. and U.S. Approach to Internal Investigations and Cooperation

Prior to the ENRC decision, the privilege discussion comparing U.K. and U.S. practices focused on the impact of waiver on cooperation, not the underlying definition of privilege. Specifically, SFO representatives clearly articulated their belief that companies should waive privilege to show cooperation. They demanded access to interview summaries and witness first accounts as a means of showing cooperation, not as a matter of right. In comparison, the U.S. Attorneys’ Manual expressly prohibits conditioning cooperation credit on a company’s decision to waive privilege. Instead of demanding interview summaries or other privileged investigative materials, U.S. regulators leave it to counsel to determine how best to share the underlying facts, some of which may come from otherwise privileged interview summaries. For example, the U.S. Attorneys’ Manual states:

    By way of example, corporate personnel are usually interviewed during an internal investigation. If the interviews are conducted by counsel for the corporation, certain notes and memoranda generated from the interviews may be subject, at least in part, to the protections of attorney-client privilege and/or attorney work product. To receive cooperation credit for providing factual information, the corporation need not produce, and prosecutors may not request, protected notes or memoranda generated by the interviews conducted by counsel for the corporation. To earn such credit, however, the corporation does need to produce, and prosecutors may request, relevant factual information – including relevant factual information acquired through those interviews, unless the identical information has otherwise been provided – as well as relevant non-privileged evidence such as accounting and business records and emails between non-attorney employees or agents.

    See Section 9-28.720 – Cooperation: Disclosing the Relevant Facts

This flexibility in approach and appreciation for the role of privilege in internal investigations from U.S. prosecutors has likely resulted in increased disclosure and cooperation in the U.S. as compared to the U.K.

The ENRC decision altered the underlying definition of privilege in the internal-investigations context. Now, in addition to considering whether a company should disclose otherwise privileged material for cooperation credit in the U.K.,
companies must first meet a heightened burden to demonstrate the underlying privilege. At least in this case, interview summaries, third-party audit findings used in the investigation and investigation summaries are not privileged unless delivered in a presentation to the client and subject to legal advice privilege. All of these materials are not only likely subject to privilege in the U.S., but regulators are prohibited from even asking that these materials be disclosed as part of evaluating cooperation. This sharp distinction makes it challenging for companies to navigate regulator expectations in cross-border investigations.

See The FCPA Report’s three-part series on protecting attorney-client privilege and work product while cooperating with the government: “Establishing Privilege and Work Product in an Investigation” (Feb. 1, 2017); “Cooperation Benefits and Risks” (Feb. 15, 2017); and “Implications for Collateral Litigation” (Mar. 1, 2017).

No Need to Overreact

Those conducting internal investigations will no doubt find the ENRC decision frustrating. That said, it leaves enough room to successfully litigate future requests from the SFO for privileged documents.

Limiting the scope of internal investigations or the number of witness interviews for fear of those materials becoming subject to production demands would be an overreaction to this new development. Witness interviews are an essential part of any fact-finding exercise designed to detect and remediate wrongdoing. Employees must be afforded the opportunity to respond to evidence collected during an investigation, not only for employment law purposes, but also to ensure the investigation uncovers the true facts. In short, companies must continue to exercise their corporate duties, but they should carefully consider how to scope their investigations and interact with regulators in the U.K. and abroad.

Additionally, ENRC is appealing the decision and many are hoping the Court of Appeal takes a different approach. And in an unexpected twist adding to the confusion following the ENRC case, it has been reported (as of June 5, 2017) that the SFO itself has asserted legal privilege over its interviews with suspects in the Barclays Qatar investigation, in order to prevent third parties accessing the transcripts. This claim must be in respect of litigation privilege given that there is no legal advice being provided by an SFO investigator to a subject under investigation, which means that this assertion by the SFO appears to fly in the face of the SFO’s submissions and the Court’s findings in the ENRC case that the investigative stage is not adversarial. The SFO has yet to argue its case on this and will have additional claims, such as Public Interest Immunity, to try and keep these transcripts out of the hands of third parties. Whether the Court will see fit to allow the SFO to play by seemingly different rules than those it insists others play remains to be seen.

See “Navigating Privilege and Data-Privacy Challenges in a Cross-Border Bribery and Corruption Investigation” (May 10, 2017).

Three Ways to Protect Privilege

For now, while we wait for a decision from the U.K. Court of Appeal, companies must navigate seemingly competing and uncertain standards. There is no doubt that U.S. regulators expect and reward full and thorough investigations while respecting rightful claims to privilege in the internal investigations context. Meanwhile, companies will need to be careful to clearly articulate their claims to privilege in the U.K., while expecting pressure from regulators to waive any existing privilege. Here are a few practical tips:

1) Clearly Articulate the Bases for Privilege

One of the key criticisms of ENRC in this case is the lack of evidence submitted by ENRC to support its claim of privilege. As such, companies should clearly articulate the privilege claim and basis at the start of the investigation, including pursuant to U.S. law or other applicable jurisdictions.

Specifically, engagement letters between external counsel and companies should clearly specify the grounds for privilege (both in the U.K. and other relevant jurisdictions). To assert litigation privilege in the U.K., companies should ensure that engagement letters clearly state that the dominant purpose of the investigation is to prepare to defend a prosecution. And, where there is no threat of prosecution at the beginning of an investigation, companies should consider how to best protect their investigation materials pursuant to legal advice privilege.

Documents produced during the investigation should similarly indicate the grounds for privilege (both in the U.K. and other relevant jurisdictions).

2) Focus on Legal Advice Privilege

Given there is more certainty in the U.K. around legal advice privilege, counsel should use interview summaries, third-party forensic audit findings, and investigation reports and summaries to provide legal advice to clients.

3) Clearly Define Roles

Companies should also be sure to clearly define at the outset who the counsel is and who the client is for purposes of reporting. The client must be a small and defined group of individuals who are able to give instructions and receive legal advice on behalf of the company.

Given that legal advice privilege does not as a general rule apply to third parties in the U.K. (such as forensic experts) the way that litigation privilege does, companies should carefully consider how these services are used and documented in the U.K. until the boundaries of litigation privilege in the criminal context are more clearly settled.

See “Attorney-Consultant Privilege? Key Considerations for Using the Kovel Doctrine (Part One of Two)” (Dec. 21, 2016); and Part Two (Jan. 18, 2017).

Amanda Raad, a U.S. lawyer who is also admitted as a solicitor in England & Wales, co-leads Ropes & Gray’s London government enforcement group. She has substantial experience negotiating with U.S. regulators on behalf of companies and individuals concerning cross-border matters involving corruption, money laundering and other forms of financial fraud.

Kim Nemirow, a partner in Ropes & Gray’s Chicago office, and a registered foreign lawyer in Hong Kong, recently returned to the U.S. after several years in Ropes & Gray’s Hong Kong office, where she served as the firm’s first government enforcement partner in the region. Kim has extensive experience advising multinational organizations and individuals in a wide variety of DOJ and SEC investigations, internal investigations and compliance matters.

Mair Williams and Tom Littlechild are London-based associates in Ropes & Gray’s business and securities litigation and government enforcement practices, respectively.

[1] The Director of the Serious Fraud Office and Eurasian Natural Resources Corporation Limited [2017] EWHC 1017 (QB).

ALERT

Supply Chain Compliance & Corporate Social Responsibility

September 20, 2017

Australia Proposes Modern Slavery Reporting Requirements for Multinationals – An Overview and Comparison to Existing Corporate Modern Slavery Disclosure Legislation

Attorneys: Michael R. Littenberg, Andrew J. Dale, Amanda N. Raad, Julia L. Chen, Karen Oddo, Joanna Torode

The Australian Government has released a consultation paper proposing the adoption of legislation that would require many multinationals operating in Australia to publicly report on modern slavery risk in their business and supply chains and their related compliance practices. “Modern slavery” includes human trafficking, slavery and slavery-like practices such as servitude, forced labor and debt bondage, which have been found to exist to varying degrees in many supply chains across a large number of countries. If adopted, Australia would join the United Kingdom and California in adopting similar reporting requirements. In this Alert, we discuss the proposed legislation and provide a comparison to the UK and California modern slavery reporting requirements.

The Proliferation of Corporate Modern Slavery and Related Legislation

Over the last several years, legislation addressing corporate responsibility for modern slavery has been adopted in several jurisdictions. California was first out of the gate when it adopted the California Transparency in Supply Chains Act, requiring companies to make disclosures concerning their efforts to address modern slavery. This Act took effect in 2012. The UK Modern Slavery Act, which was based on the California Act, was adopted in 2015 and required disclosures beginning last year. The U.S. Federal Acquisition Regulation anti-human trafficking provisions, which among other things require U.S. federal contractors to put in place specified compliance procedures, also were adopted in 2015. And last year saw the repeal of the consumptive demand exception under the U.S. Tariff Act.

This year has been especially active for corporate human rights legislation. Early in the year, France adopted a corporate duty of vigilance law that requires large French companies to take steps to identify and prevent serious human rights impacts, which would include modern slavery, in their supply chains. At around the same time, the Dutch Parliament adopted child labor due diligence legislation, which is awaiting Senate approval. In addition, the Welsh Government released a Code of Practice for Ethical Employment in Supply Chains that businesses involved in Welsh public sector supply chains are expected to sign on to. Next year, many EU companies will begin making disclosures under the EU non-financial reporting directive, which for some companies are expected to include modern slavery-related disclosures.

Shifting over to Australia, corporate human rights legislation has been under discussion for some time. In 2013, a Parliamentary committee recommended that the Australian Government adopt legislation to improve supply chain transparency. In 2016, a multi-stakeholder working group convened by the Government recommended that it consider adopting a modern slavery reporting requirement. Last month, on August 16, the Commonwealth Minister for Justice announced the Australian Government’s proposal to enact an Australian Modern Slavery in Supply Chains Reporting Requirement and released a Consultation Paper outlining the proposed regulation. That Paper and the public consultation process are discussed below.

ropesgray.com ATTORNEY ADVERTISING

The Proposed Regulation

Definition of Modern Slavery. “Modern slavery” will encompass slavery, servitude, forced labor, debt bondage and deceptive recruiting for labor or services. The Australian Government proposes that the definition incorporate conduct that would constitute a relevant offense under existing human trafficking, slavery and slavery-like offense provisions contained in the Commonwealth Criminal Code. The definition will exclude practices such as forced marriage that are unlikely to be present in business operations and supply chains.

Subject Entities. The Australian Government proposes that the revenue threshold for the reporting requirement be set no lower than AUD100 million in total annual revenue (approximately USD80 million as of the date of this Alert). For purposes of its cost analysis, at this monetary threshold, the Government has assumed that approximately 2,000 large corporations and entities operating in Australia will be subject to the regulation. The regulation would allow for periodic adjustments. Entities below the threshold would be able to opt in to the reporting requirement.

The Australian Government has indicated that, in the public consultation process, it will collaborate with business and civil society to define the types of entities that the reporting requirement will apply to and to clarify how the proposed revenue threshold will apply. At this stage, the Australian Government proposes to define “entity” broadly to include a broad range of entity types, including bodies corporate, unincorporated associations or bodies of persons, superannuation funds and approved deposit funds. The Australian Government does not propose to limit the application of the reporting requirement to high risk sectors or importers.

Subject to consultation with the business community and civil society, the Australian Government anticipates the reporting requirement will apply to not only entities headquartered in Australia, but also to entities that have any part of their operations in Australia, in each case subject to the revenue threshold.

Covered Business Activities. Entities that are subject to the reporting requirement will be required to report on their actions to address modern slavery in both their operations and their supply chains. The Australian Government intends to provide detailed guidance concerning the definition of “operations” and “supply chains,” in collaboration with the business community and civil society. The Australian Government notes in the Consultation Paper that it proposes that the definition of “supply chains” extend beyond first tier suppliers.

Statement Content. The Australian Government proposes that subject entities be required to report on substantially the same topics as are contained in the UK Modern Slavery Act. However, under the Modern Slavery Act, reporting on the enumerated topics is optional. Subject to feedback received through the consultation process, the Australian Government proposes that entities be required to, at a minimum, report against a consolidated set of four mandatory criteria:

• the entity’s structure, operations and supply chains;

• the modern slavery risks present in its operations and supply chains;

• the entity’s policies and process to address modern slavery in its operations and supply chains (such as codes of conduct, supplier contract terms and training for staff) and their effectiveness; and

• the entity’s due diligence processes relating to modern slavery in its operations and supply chains and their effectiveness.

The Consultation Paper indicates that entities will have the flexibility to determine what, if any, information they provide against each of the four criteria and whether to include any additional information. The Australian

ropesgray.com ATTORNEY ADVERTISING

September 20, 2017 ALERT | 3 Government intends to provide detailed guidance concerning the nature and extent of the information that should be included in statements. Approval Requirements. Statements will be required to be approved at the equivalent of the board level and signed by a director. Statement Publication. Entities will be required to publish their statements on their website. Subject to feedback obtained through the consultation process, the Australian Government also proposes to provide for a free, publicly accessible and searchable central repository. Reporting Due Date. The Australian Government proposes that entities be required to publish modern slavery statements within five months after the end of the Australian financial year. The Consultation Paper indicates that, if necessary, the Australian Government will provide for a phased introduction of the reporting requirement to ensure the business community has sufficient preparation time. Compliance Mechanism; Penalties. The regulation would not include punitive penalties for non-compliance. However, the Consultation Paper indicates that the Australian Government will monitor general compliance with the reporting requirement and entities that do not comply may be subject to public criticism. The Australian Government also is considering options for oversight of the reporting requirement, including the feasibility of and requirement for independent oversight. In addition, the Australian Government is considering ways to support business groups and civil society to undertake analysis and benchmarking of modern slavery statements. Subsequent Review of the Legislation. The Australian Government proposes to review the legislation three years after its introduction. The review will include further public consultation. 
The Australian Government also will establish a mechanism for the business community to provide feedback to the Government pertaining to the operation and effectiveness of the reporting requirement. Consumers and civil society also will be consulted.

A Comparison to Existing Corporate Modern Slavery Legislation

The table below provides a high-level comparison of the proposed Australian regulation, the UK Modern Slavery Act and the California Transparency in Supply Chains Act. Australian modern slavery reporting requirements are expected to be further fleshed out in draft legislation during 2018. For additional information on the UK Modern Slavery Act and the California Transparency in Supply Chains Act, see our earlier publications here, here, here and here. Additional publications and source materials are available on our Supply Chain Compliance & Corporate Social Responsibility website.


| | Australia | United Kingdom | California |
|---|---|---|---|
| Subject Companies | To be defined broadly; not limited to high risk sectors or importers | Supplier of goods or services, including a trade or profession | Manufacturer or retailer |
| Annual Turnover Threshold | Not lower than AUD100 million, subject to periodic adjustment | £36 million | USD100 million |
| Jurisdictional Nexus | Entities headquartered in Australia or having any part of their operations in Australia | Doing business in the United Kingdom | California Revenue and Taxation Code |
| Covered Business Activities | The subject entity’s operations and supply chains | Any of the subject entity’s supply chains, and any part of its own business | Direct supply chain for tangible goods offered for sale |
| Statement Content (Substantially similar across all three jurisdictions) | Required topics | Suggested topics | Required topics |
| Publication | Website; potentially also a central repository | Website, with a prominent homepage link, or upon written request | Website, with a conspicuous and easily understood homepage link, or upon written request |
| Signature/Board Approval | Required | Required | None |
| Frequency | Annual | Annual | Not specified; on an as-needed basis |
| Due Date | Within five months after the end of the Australian financial year, potentially subject to a phased introduction | No mandatory due date; recommended within six months after fiscal year end | Not specified |

Next Steps

The Australian Government is holding a public consultation process with the business community and civil society to refine its proposal. The Commonwealth Attorney-General’s Department is leading this process. Written submissions can be made through October 20, 2017. A series of stakeholder roundtables also will be convened during the remainder of 2017. The reporting requirement will be established through a new Act of Parliament. Taking into account feedback provided during the consultation process, the Minister for Justice proposes to seek to bring forward draft legislation in the first half of 2018. As noted earlier in this Alert, the legislation may include a phase-in period to allow businesses additional time to prepare their first annual statement.


Thoughts on the Proposed Legislation and the Continuing Evolution of Modern Slavery Compliance

There Isn’t Much for Multinationals to Do Now under the Proposed Legislation, but There Are a Couple of Near-Term Action Items to Consider

At this point, it is premature for multinationals to begin preparing for compliance with Australian modern slavery legislation. Many details remain to be worked out through the ongoing public consultation and the legislative process to follow. In addition, aspects of the legislation may change from what is described in the Consultation Paper, with some NGOs and other constituencies continuing to advocate for a more expansive approach. Finally, the timing of both the adoption of legislation and the due date of the first statements remain unknown. With that said, there are two nearer-term action items to consider. The more immediate action item is to consider whether to participate in the consultation process. As noted earlier in this Alert, submissions can be made through October 20, 2017. This is something that larger multinationals should consider, either individually or through their trade associations, given their substantial experience reporting under existing corporate modern slavery legislation. The second action item is to determine which entities in the consolidated group may be subject to the proposed legislation, and whether those entities present modern slavery risks that may require different disclosures and/or compliance procedures than other group companies already publishing modern slavery statements.

The Proposed Australian Modern Slavery Legislation Will Accelerate the Movement Toward Combined Disclosure Statements

Many multinationals that are subject to both the UK Modern Slavery Act and the California Transparency in Supply Chains Act already have opted to prepare a single combined statement to address both requirements, since this tends to be more efficient and substantive modern slavery compliance procedures typically are the same across the consolidated group. With potentially three jurisdictions at issue, we expect most of the remaining holdouts to move over time to combined statements. Notwithstanding the trend toward combined statements, at many multinationals, responsibility for CSR disclosures remains spread out across functions, business units and geographies. With the increase in mandatory human rights disclosures on modern slavery and other topics, and potentially more on the way in addition to Australia, this approach is becoming unwieldy and is in some instances creating risk. We are already starting to see more multinationals move global responsibility for modern slavery and other human rights-related disclosures into a single team and expect this trend to continue as well.

Keep the Big Picture in Mind – Mandatory Disclosures Are Only One Piece of Modern Slavery Compliance

As articulated in both the Consultation Paper and previously by the UK Home Office, modern slavery disclosure requirements are intended to create a “race to the top.” NGOs and other stakeholders already have published several expectations documents and assessments and rankings of California and UK modern slavery disclosures and company compliance practices, and we expect to see these continue to spring up like wildflowers after a rainstorm. In addition, companies are benchmarking their modern slavery disclosures and compliance programs against those of peers and competitors. These factors – along with greater awareness of modern slavery, more supply chain transparency and an increasing focus on ethical sourcing generally – will continue to drive enhancements to compliance programs and disclosures, well beyond what is required by California, UK or Australian legislation, for the foreseeable future.


About Our Supply Chain Compliance and Corporate Social Responsibility Practice

Ropes & Gray has a leading Supply Chain Compliance and Corporate Social Responsibility practice. With team members in the United States, Europe and Asia, we are able to take a holistic, global approach to supply chain compliance and CSR. Senior members of the practice have advised on these matters for almost 30 years, enabling us to provide a long-term perspective that few firms can match.

This alert should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This alert is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have.

© 2017 Ropes & Gray LLP

October 5, 2017 Unintended Consequences: Ex-U.S. Activities Impacting U.S. Federal Health Care Business

Given the uptick in global awareness and enforcement of anti-bribery and corruption laws, most health care companies are attuned to the risks associated with legal infractions caused by ex-U.S. activities. However, ex-U.S. activities may also impact health care companies’ ability to conduct business within the U.S. For example, overseas conduct could trigger exclusion, debarment or suspension from federal procurement or health care programs, such as Medicare and Medicaid, even if the alleged wrongdoing (e.g., conduct relating to bribery or corruption) occurs entirely outside of the U.S. and has no tie to any federal program. Further, quasi-government entities, such as the World Bank, also have debarment policies which can impact U.S. health care companies. This alert first explores the interaction between the OIG exclusion statute and the Foreign Corrupt Practices Act (“FCPA”). Second, it discusses how debarment of federal contractors participating in development programs run by quasi-governmental organizations (such as the World Bank) could lead to unexpected scrutiny by U.S. federal agencies.

I. The FCPA and Mandatory Exclusion

A felony FCPA plea or conviction triggers fines and penalties under U.S. securities laws, and could also impact a company’s ability to participate in U.S. federal health care programs. The Office of Inspector General of the Department of Health and Human Services (“OIG”) has the authority to exclude individuals and entities from all federally funded health care programs as required by statute (“Mandatory Exclusion”)1, or based on OIG’s discretion (“Permissive Exclusion”).2 A company charged with a violation of the FCPA books and records and internal controls provisions,3 a felony under federal law,4 could be excluded based on: (i) a guilty plea or conviction in a court with competent jurisdiction; and (ii) OIG’s determination that the underlying conduct meets the language of the Mandatory Exclusion statute. Mandatory Exclusion compels OIG to exclude individuals and entities convicted of certain offenses, including felony convictions relating to health care fraud, from participation in all federal health care programs for a minimum of five years.5 The consequences of exclusion, either mandatory or permissive, are severe: exclusion prevents items or equipment sold by an excluded manufacturer that are used in the care or treatment of federal health care program beneficiaries from being reimbursed, directly or indirectly, by any federal health care program. Although OIG has not yet excluded a company for an FCPA violation, the self-executing nature of the statute and OIG’s lack of discretion leave open the real possibility that such an exclusion could happen in the future,6 a fact which the Department of Justice has acknowledged.7 This threat of exclusion has doubtless impacted numerous companies facing prosecution in their decisions to cooperate and enter into Deferred Prosecution Agreements, despite the high associated costs of compliance.

To determine whether a violation triggers Mandatory Exclusion, OIG evaluates the conduct underlying the guilty plea or conviction. For an FCPA books and records and internal controls violation, OIG would consider whether the misconduct was undertaken: (1) “in connection with the delivery of a health care item or service”; and (2) “relating to fraud, theft, embezzlement, breach of fiduciary responsibility, or other financial misconduct.”8 Unlike other parts of the statute governing Mandatory Exclusion, a violation under § 1320a-7(a)(3) does not require any nexus to a government health care item or service, but broadly covers “any felony conviction under Federal, State, or local law related to health care fraud, even if governmental programs are not involved.”9

OIG has wide latitude in determining whether an offense was carried out “in connection with . . . a health care item or service” and “relat[ed] to fraud . . . or other financial misconduct”—which could be interpreted to incorporate a broad range of conduct.10 For the first prong, OIG need only determine that the conduct underlying the FCPA violation was carried out “in connection with . . . a health care item or service,” which just requires a “common sense connection” or “nexus” between the “underlying facts and circumstances of the offense and the delivery of health care items or services to individuals for their health care needs.”11 As to the second prong, OIG may look to the conduct as pleaded and courts have consistently held—both in the context of exclusion jurisprudence and more broadly—that the terms “in connection with” and “relates to” are “generally interpreted expansively.”12 In this case, whether a failure to satisfy the accounting provisions would be “relat[ed] to fraud . . . or other financial misconduct” likely would turn on the facts underlying the company’s conduct. Courts have noted, however, that the statute does not require a felony for health care fraud, but only a felony relating to health care fraud—a distinction that is bound to encompass more conduct rather than narrow the potential applicability of 42 U.S.C. § 1320a-7(a)(3).13

1 42 U.S.C. § 1320a-7(a).
2 42 U.S.C. § 1320a-7(b).
3 See 15 U.S.C. § 78m(b)(2)(A)–(B).
4 See 15 U.S.C. § 78m(b)(5); 15 U.S.C. § 78ff(a).
5 42 U.S.C. § 1320a-7(c)(3)(B).
6 See Travers v. Sullivan, 791 F. Supp. 1471, 1480–81 (E.D. Wash. 1992), aff'd sub nom. Travers v. Shalala, 20 F.3d 993 (9th Cir. 1994); Diane Amicucci, DAB No. CR540, 1998 WL 479299 (H.H.S. June 29, 1998); see also Harkonen v. Sebelius, No. C 13-0071 PJH, 2013 WL 5734918, at *2 (N.D. Cal. Oct. 22, 2013).
7 See, e.g., Deferred Prosecution Agreement with Johnson & Johnson, United States v. DePuy, Inc., ¶ 4.j (D.D.C. filed Apr. 8, 2011); see also U.S. Dep’t of Justice & U.S. Sec. Exch. Comm’n, A Resource Guide to the U.S. Foreign Corrupt Practices Act 69-70 (2012); Lanny A. Breuer, Assistant Attorney Gen., Criminal Div., U.S. Dep’t of Justice, Keynote Address to the Tenth Annual Pharmaceutical Regulatory and Compliance Congress and Best Practices Forum (Nov. 12, 2009) (warning that FCPA conviction could lead to “possible exclusion from Medicare and Medicaid”).
8 42 U.S.C. § 1320a-7(a)(3).
9 See Health Care Programs: Fraud and Abuse, 63 Fed. Reg. 46,676, 46,676 (to be codified at 42 C.F.R. pt. 1001); Harkonen, 2013 WL 5734918, at *2, 8-9; see also Medicare and State Health Care Programs: Fraud and Abuse, 79 Fed. Reg. 26,810, 26,810.
10 See Friedman v. Sebelius, 686 F.3d 813, 821 (D.C. Cir. 2012). Under Friedman, even if the text of the FCPA accounting provisions itself does not require proof of fraud, misrepresentation, or other direct showing of financial misconduct as an element of the criminal offense, OIG can look beyond the “technical components” of the law to determine whether the statutory criteria for Mandatory Exclusion are met.
11 Harkonen, 2013 WL 5734918, at *4.
12 Id. at 7 (citing Metro. Life Ins. Co. v. Massachusetts, 471 U.S. 724, 739 (1985) (“relate to” has a “broad common-sense meaning” and a statutory provision containing the phrase therefore has “broad scope”); see also Ellen L. Morand, DAB No. 2436, 2012 WL 369634, at *8-9 (H.H.S. Jan. 17, 2012); Charice D. Curtis, DAB No. 2430, 2011 WL 7444589, at *2-5 (H.H.S. Dec. 21, 2011); Kenneth M. Behr, DAB No. 1997, 2005 WL 2835001, at *4 & n.5 (H.H.S. Sept. 28, 2005) (all applying “common sense connection” or “nexus” interpretation of phrase “in connection with” together with “delivery” in context of § 1320a-7(a)(3)).
13 See, e.g., Morand, 2012 WL 369634, at *7 (finding that 42 U.S.C. § 1320a-7(a)(3) “does not require a ‘felony conviction for health care fraud,’ but rather a ‘[f]elony conviction relating to health care fraud’” (emphasis and brackets in original)); Curtis, 2011 WL 7444589, at *4 (finding that 42 U.S.C. § 1320a-7(a)(3) “does not require that the felony conviction be for an offense specified as ‘health care fraud,’” that the plain language “encompasses felonies ‘relating to’ fraud,” and, by including the term “other financial misconduct” within the scope of offenses, “Congress clearly intended to broadly encompass financially-related offenses”).


If OIG does determine that the requirements for Mandatory Exclusion have been met, it has no discretion pursuant to statute and exclusion must follow. In light of the above, U.S. health care companies should carefully consider all potential applicable laws, including the OIG exclusion statute, when resolving FCPA matters.

II. Development Bank Debarments and Their Domestic Consequences

Health care companies with federal procurement arrangements may also face unexpected consequences from ex-U.S. activities if they find themselves debarred by an international development bank, such as the World Bank. In 2016, the World Bank alone invested over $64 billion in both private and public sector organizations.14 In order to protect current investments and deter bad actors, development banks employ sanctioning regimes that rely heavily on debarments, which exclude entities from eligibility for World Bank financing for a period of time. The World Bank identifies five forms of misconduct subject to sanctions: corrupt practices, fraudulent practices, coercive practices, collusive practices and obstructive practices,15 covering activities such as bribes, misrepresentations, collusive pricing, threats of force, as well as interfering with World Bank investigations.16

Development bank debarment actions are public and may be highly publicized depending on the situation and underlying conduct in order to deter future misconduct.17 Further, in 2010, a consortium of major development banks, including the World Bank, executed a cross-debarment agreement, which provides that debarment of an entity by one bank triggers exclusion by all.18 Additionally, the World Bank at times refers the results of its investigations directly to state authorities.19 Given the broad scope of development banks’ public and private sector activities, companies with any type of federal contract should be aware of the potential effects of debarment. This quasi-governmental debarment action could cause a U.S. federal agency to view the debarred contractor as an unreliable partner, leading to a potential investigation or debarment action in accordance with General Services Administration (“GSA”) regulations.

GSA regulations give broad discretion to agency officials to determine whether to debar a firm with a federal contract, including for “[c]ommission of any . . . offense indicating a lack of business integrity or business honesty that seriously and directly affects the present responsibility of a Government contractor or subcontractor.”20 While this provision only permits agencies to issue debarments, rather than mandating they do so, it captures a wide range of misconduct, similar to the activities identified in the debarment provisions of development banks.

14 See World Bank, Annual Report 2016 3.
15 See International Finance Corporation, World Bank Group, Definitions and Interpretive Guidelines (2009).
16 See Sope Williams, The Debarment of Corrupt Contractors from World Bank-Financed Contracts, 36.3 Pub. Cont. L. J. 277, 287–88 (Spring 2007); World Bank, Guidelines on Preventing and Combating Fraud and Corruption in Projects Financed by IBRD Loans and IDA Credits and Grants (Oct. 15, 2006).
17 See Anne-Marie Leroy & Frank Fariello, The World Bank Group Sanctions Process and Its Recent Reforms, The World Bank 15 (2012) (“The Bank Group’s sanctions regime has the dual purpose of protecting Bank Group funds and also promoting both specific and general deterrence.”).
18 Agreement for Mutual Enforcement of Debarment Decisions, dated as of April 9, 2010, by and among the African Development Bank Group, Asian Development Bank, European Bank for Reconstruction and Development, Inter-American Development Bank Group and World Bank Group.
19 See, e.g. Integrity Vice Presidency, The World Bank Group, Annual Update, Fiscal Year 2016 40 (2016) (listing referrals made to state governments during fiscal year 2016).
20 F.A.R. § 9.406-2(a)(5).


In assessing whether to debar, the government agency will decide whether the firm’s conduct “indicate[s] a lack of business integrity” and whether that lack of integrity is closely enough related to the firm’s “present responsibility.”21 Triggering conduct need not directly arise from the firm’s conduct related to a government contract, nor must it take place under U.S. jurisdiction. Debarment from U.S. government contracts is meant only to protect the public interest, not to punish supposed wrongdoers, and GSA regulations provide agencies with broad discretion to decide what facts to consider in judging a firm’s integrity.22

Health care companies with federal contracts should proceed carefully when faced with a quasi-governmental debarment, given the possible impact on their U.S. government business. GSA regulations do weigh timely disclosure of misconduct as a mitigating factor in an agency’s determination of whether to debar a firm, and as a result, proactive disclosure to the applicable federal agency, particularly in the event of highly publicized misconduct, may be a course worth considering.23


21 If a contracting agency initiates an investigation, those questions are answered pursuant to a formal process mandated by GSA regulations. For example, the Veterans Administration requires an extensive reporting process for complainants, after which notice is given to the accused firm along with an opportunity to respond. Depending on an informal review of that response, the accusation is dismissed or a formal hearing resembling a lawsuit begins. See F.A.R. § 809.406-3.
22 See F.A.R. § 9.402 (setting out the policy that debarment and suspension from U.S. government contracts shall be imposed “only in the public interest for the Government’s protection and not for purposes of punishment”); Federal Acquisition Institute, Transcript: Suspension and Debarment, last accessed September 13, 2017, (noting that this “broad” mandate encompasses behavior that does “not . . . relate to work on a federal government contract”).
23 See F.A.R. § 9.406-1 (“Before arriving at any debarment decision, the debarring official should consider factors such as . . . [whether] the contractor brought the activity cited as a case for debarment to the attention of the appropriate Government agency in a timely manner.”).

PRIVACY & DATA SECURITY ALERT

Privacy & Cybersecurity

May 25, 2018 GDPR is here: the dawning of a new era?

May 25, 2018. The sun rose as usual, the clocks did not stop, the sky did not go Armageddon-black, and, of course, GDPR became effective. Were you ready? Any loose ends? All GDPR-compliant contracts with processors in place? All pre-GDPR consents to processing checked and, if necessary, renewed? All data protection impact assessments done for current processing operations likely to result in a high risk? Breach notification procedures drawn up, staff trained, the DPO who had a nervous breakdown replaced? Are you granular and transparent? Are you fully “accountable”? If not, perhaps you’ve left it too late. But now it’s a case of better late than never and those still striving to be fully GDPR-compliant are unlikely to be publicly pilloried or the first to be fined up to 2% or 4% of global turnover. When it comes to compliance priorities, high risk operations take precedence as they will for the national data protection authorities when enforcing the new laws. In view of this, it helps to appreciate what those priority areas are. We consider some of these below.

Of course, GDPR has a defined territorial scope, and many organizations outside of Europe may not fall within its purview. For those controllers and processors subject to GDPR, the past 18 months have likely been spent processing the guidance of the national data protection authorities and Article 29 Working Party, proposed or final, and assessing their relevance to their data processing and gearing up in terms of technical capacity and appointment of personnel to deal with the new laws.

Impact assessments

DPIAs, for example, are mandatory for certain types of processing and for any other processing that is “likely to result in a high risk to the rights and freedoms of natural persons”. The UK’s data protection authority, the ICO, has stated it will expect a DPIA to be carried out by any organisation that plans to use new technologies to process personal data, or to match data or combine datasets from different sources, for example. For organisations that already carry out PIAs in accordance with the ICO’s PIA Code, the ICO reassuringly suggests “the new process will be very familiar”. Data controllers are encouraged to see DPIAs not only as an insurance policy against reputational damage resulting from failure to identify risks that ultimately become realities, but also against being seen not to care sufficiently in the post-Cambridge Analytica world about individuals’ fundamental rights. DPIAs can therefore also be a means of fostering trust and potentially gaining competitive advantage.

Legitimate interests

The concept of legitimate interests is also not new and while the GDPR provides more detail, the rules are essentially the same as under the previous data protection regime. The main change is that any decisions taken on using legitimate interests as a basis for processing should be documented, and information on the decision should be set out in the privacy policy. GDPR transparency dictates that individuals should be made aware of the basis for processing and their rights, including their right to object to the processing. In light of the potential difficulties obtaining valid consent may present, data controllers may see legitimate interests as the go-to justification for the processing of personal data. The basis should not, however, be seen as a general panacea and should be balanced not only against the rights, but also the expectations of the individual.


Consent

As regards consent, the GDPR sets higher standards in relation to “regular” and “explicit” consent, which may require data controllers to alter their practices and change the way they request consent for data processing. Consent under GDPR requires a clear affirmative action. If a controller finds that the consent previously obtained under the Data Protection Directive is not GDPR-compliant, then it may want to assess whether the processing may be based on a different lawful basis under the GDPR. This can be done on a one-off basis as controllers move to the new regime. Otherwise, non-compliant consents may need to be refreshed. Under GDPR, a controller relying on consent as its basis for processing should be able to demonstrate that valid consent was obtained: presumed consents of which no references are kept will need to be renewed for further processing. The Article 29 Working Party (WP29), which will become the European Data Protection Board, has discussed some golden rules: consent should not be bundled up as a non-negotiable part of terms and conditions; several purposes for processing require separate “granular” consents; consent for special category data must be “explicit”; withdrawal of consent should be as easy as giving it; employee consent is unlikely to be valid in many circumstances.

Data breach notification

The WP 29 advises both controllers and processors to have in place processes to be able to detect and promptly contain a personal data breach, to assess the risk to individuals, and then to determine whether it is necessary to notify the competent supervisory authority, and to communicate any high risk breaches to the individuals concerned. Failure to notify could mean a substantial fine. And beware the knock-on effect: failure to notify a breach could reveal either an absence or an inadequacy of security measures which might attract a further sanction.

Joint controllers are required to determine their respective responsibilities for GDPR compliance and contractual arrangements; joint controllers may need to include provisions that determine which controller will take the lead or be responsible for breach notification. A controller may need a breach response plan that caters for potential breaches affecting the personal data of individuals in more than one Member State, by assessing the lead supervisory authority that it would notify. While the controller has ultimate responsibility for assessing risk associated with a breach, a processor who becomes aware of a breach must notify the controller without undue delay.

Controller and processor

Also not new is the requirement for a contract between controller and processor. The level of detail and mandatory terms under the GDPR, however, represent a significant change. Controllers were urged by regulators last year to check contracts with processors, negotiate and implement changes where necessary. For those with large numbers of non-EU processors, this may not have been as straightforward a task as some regulators appeared to suggest.

Transparency

Transparency is key. Information or communication with individuals should be concise, transparent, intelligible, easily accessible and in clear and plain language. Changes to the contents or conditions of existing privacy notices, the WP29 suggests, should be communicated by way of an appropriate modality, the emphasis being on the layering of information and the use of “push” and “pull” notices such as ad hoc just-in-time notices and privacy dashboards. In particular, data controllers who carry out profiling and automated decision-making should consider proactively engaging with individuals whose data they are processing by providing clear information about how their data is being used and how the processing might affect them.

Accountability

Closely linked to transparency is the new GDPR principle of accountability which in broader terms requires controllers and processors to demonstrate GDPR compliance. In many larger organisations, the embodiment of the principle will be the DPO and the privacy management framework that the DPO oversees. Although, for example, recording processing activities and maintaining clear records of consent are specifically called out by GDPR, failure to keep such records could also indicate a lack of accountability, as could undue delay in dealing with subject access requests or failure to carry out a DPIA when necessary.

Data portability

The GDPR, as everyone knows, brings with it new rights for the individual including a right to data portability which applies to processing operations that are based on consent or a contract with the individual concerned. For controllers, the right is potentially onerous insofar as it requires technical capabilities not just to identify and retrieve personal data efficiently, but to allow onward transmission to another controller while guaranteeing the security and integrity of that data, something that will require a degree of standardisation and cooperation within organisations and the particular sectors in which they operate.

What now?

One can only hope that the GDPR compliance frenzy now abates but there may be concerns that we are only entering the eye of the storm with national data protection authorities poised to unleash a typhoon of massive fines on non-compliant organisations. This is of course unrealistic. Fears may not subside until one or more of the regulators has shown its hand in that regard, but as the UK’s Information Commissioner has said repeatedly and as echoed in the ICO’s draft Regulatory Action Policy currently open to consultation, regulatory action will be targeted and proportionate focussing on the most serious cases involving high-impact, intentional, wilful, neglectful or repeated breaches. Additionally, the ICO has openly acknowledged, recently through James Dipple-Johnstone, Deputy Commissioner for Operations at the ICO, that its ability to levy fines will be hampered “unless we have the powers to move at pace and obtain the information and evidence to determine what’s happened”, so the regulators have their challenges too as GDPR takes hold for all.

This alert should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This alert is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. © 2018 Ropes & Gray LLP

ALERT

London ▪ Privacy & Cybersecurity

March 1, 2018

GDPR – No Notification Fees, But UK Regulator to Implement New “Data Protection” Fees

Attorneys: Rohan Massey

Although the GDPR does not include a requirement for data controllers to notify national regulators, the draft Data Protection (Charges and Information) Regulations 2018 currently before the UK Parliament set out a new model for funding the data protection work of the UK Information Commissioner’s Office, which requires national notifications to continue in the UK. The new structure for data controllers will come into effect on 25 May 2018 to coincide with the General Data Protection Regulation becoming effective. Until then, organisations are legally required to pay the current notification fee, unless they are exempt. The ICO has also published a Guide to the Data Protection Fee to help organisations work out what fee, if any, they are likely to need to pay under the new regime.

Introduction

The UK’s data protection regulator’s data protection work is currently funded through fees levied on organisations that process personal data as data controller, unless they are exempt, under powers granted in ss 18 and 19 of the Data Protection Act 1998. When the GDPR comes into effect on 25 May 2018, it will remove the requirement for data controllers to pay the ICO a fee. However, under the Digital Economy Act 2017, it remains a legal requirement in the UK for data controllers to pay the ICO a data protection fee. The UK Government, which also has a statutory duty to ensure the ICO is adequately funded, has proposed the new funding structure based on the relative risk to the data that an organisation processes.

The New Model

The new fee model is divided into three tiers and is based on a number of factors including size, turnover and whether an organisation is a public authority or charity. For very small organisations, the fee will not be any higher than the £35 they currently pay (if they take advantage of a £5 reduction for paying by direct debit). Larger organisations will be required to pay £2,900. The ICO explains that the fee is higher because these organisations are likely to hold and process the largest volumes of data, and therefore represent a greater level of risk. There will continue to be financial penalties for not paying fees, but these will be in the form of civil monetary penalties rather than the current criminal sanction. The fees are:

i. Tier 1 – micro organisations. Maximum turnover of £632,000 or no more than ten members of staff. Fee: £40 (or £35 if paid by direct debit);
ii. Tier 2 – SMEs. Maximum turnover of £36 million or no more than 250 members of staff. Fee: £60;
iii. Tier 3 – large organisations. Those not meeting the criteria of Tiers 1 or 2. Fee: £2,900.

Comment

Most data controllers formerly paying the £500 fee are, under the new structure, likely to have to pay a charge of £2,900. The Explanatory Memorandum to the Regulations accepts that this represents an above-inflation increase (an inflationary increase would have seen the £500 fee rising to £623.61 in 2017), but says that this reflects the “increased level of information risk inherent in this category of data controllers”. The new charge levels are based on the income required to enable the ICO to adequately deliver on their expanding remit following the implementation of the GDPR. A consultation on a proposed model was undertaken by the Department for Culture, Media and Sport through a third party, using organisations that had previously responded to ICO research, and the results have been reflected in the final design of the new charge structure. So it appears that the quid pro quo of greater self-evidencing of data processing compliance by organisations under the GDPR will not, in the UK at least, be offset by even a modest saving, either financially or administratively, which was expected as the requirement to register was dropped. A silver lining on this cost may be that it is better than the regulator raising its operating funds by way of administrative fines. Organisations will have to wait and see what other national regulators decide to do about registration fees, but the UK may be the start of a significant and expensive trend, which is not based on the text of the GDPR but on the wider burden it has created.

Medical Research Law & Policy Report®

Reproduced with permission from Medical Research Law & Policy Report, 17 MRLR 02, 01/17/2018. Copyright © 2018 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

New Draft Guidelines on GDPR Consent Requirement’s Application to Scientific Research

BY MARK BARNES, ROHAN MASSEY, DAVID PELOQUIN, LESLIE THORNTON, AND NICHOLAS WALLACE

The Article 29 Data Protection Working Party (the “Working Party”), a European Union (“EU”) advisory body that issues non-binding guidance on EU data protection law, recently provided draft guidelines on applying the consent requirements under the EU’s General Data Protection Regulation (the “GDPR”). See Guidelines on Consent under Regulation 2016/679 (WP259) (Nov. 28, 2017) (hereinafter the “Guidelines”). In the Guidelines, the Working Party addressed, among other issues, the use of consent as a basis for processing personal data in connection with scientific (including medical or clinical) research. Comments on these draft Guidelines may be submitted until Jan. 23, 2018.

Understanding the GDPR’s requirements for consent is critical to the research community because consent of the data subject is the most typically used basis for processing personal data of research subjects. A previous Bloomberg Law article by the present authors provided a more general overview of issues regarding consent as a basis for processing personal data in connection with scientific research under the GDPR. (Barnes, et al., Reconciling Personal Data Consent Practices in Clinical Trials with the EU General Data Protection Regulation, Bloomberg BNA Med. Res. L. & Pol’y Rep. (Sept. 20, 2017)).

This article provides an overview of the Guidelines’ treatment of subjects’ consent in scientific research and identifies certain problems posed by the Guidelines for scientific research.

Mark Barnes, Rohan Massey, David Peloquin, Leslie Thornton, and Nicholas Wallace are attorneys with Ropes & Gray LLP

I. Overview of New Guidelines

While the Guidelines address the topic of consent generally with respect to the GDPR, a few pages of the Guidelines focus specifically on the topic of consent in scientific research. We focus on this portion of the Guidelines, as certain statements made therein may be very problematic for the research community’s practical implementation of GDPR requirements.

The Guidelines begin their discussion of scientific research by addressing the types of activities that may be considered “scientific research” under the GDPR. The Guidelines note that the GDPR contains two recitals in which processing personal data for scientific research is discussed, although the term “scientific research” is not itself defined in the GDPR. See Guidelines at 27. While the GDPR’s recitals provide that “the processing of personal data for scientific research purposes should be interpreted in a broad manner,” the Guidelines note that the Working Party considers that scientific research “may not be stretched beyond its common meaning” and thus for purposes of the GDPR should be taken to mean “a research project set up in accordance with relevant sector-related methodological and ethical standards.” GDPR Recital 159; Guidelines at 27. This language suggests a fairly flexible definition of “scientific research” and also that activities meeting the definition of “research” found in the Health Insurance Portability and Accountability Act (“HIPAA”) and the Common Rule, i.e., a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge, will qualify as “scientific research” for purposes of the GDPR. See 45 C.F.R. §§ 164.501, 46.102.

Unfortunately, the remainder of the Guidelines’ discussion of scientific research potentially is more problematic to the research community. The GDPR’s Recital 33 could be read on its face to allow researchers to obtain a general consent for future processing in connection with “areas of scientific research,” regardless of whether detailed plans have been finalized for such research. Specifically, Recital 33 states:

“It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.”

However, the Guidelines take the position that “Recital 33 does not disapply the obligations with regard to the requirement of specific consent” and notes that a “well-described purpose” must be included in the consent to comply with the GDPR’s consent requirements. Guidelines at 27. Confusingly, the Guidelines then state that, “[R]ecital 33 allows as an exception that the purpose may be described at a more general level.” Id. at 28. The Guidelines propose that, in such circumstances, data subjects should be asked to consent for the research in more general terms at the outset and to consent to specific stages of research that are already known at the outset of the primary study. Id. Subsequently, the Guidelines suggest, additional consent must be sought from the subject when additional stages of research (unknown at the outset of the primary study) are identified and proposed. Id.

The Guidelines also specify that further safeguards should be put in place when research purposes cannot be fully specified at the time of initial consent. These common safeguards include data minimization, anonymization, and data security. The Guidelines further suggest that “transparency” should be incorporated into the consent process when circumstances do not allow for specific consent. Id. The approach to transparency contemplated by the Guidelines involves a series of continued contacts between researchers and subjects designed to inform the subjects of evolving purposes: “[a] lack of purpose specification may be offset by information on the development of the purpose being provided regularly by controllers as the research project progresses so that, over time, the consent will be as specific as possible.” Id. As discussed more fully below, this approach of a “rolling consent” process, with the data subject offered new consent for each separate stage of the study, fundamentally is different than the way in which medical research typically has been conducted and poses enormous implementation problems. Further, the Guidelines recommend “having a comprehensive research plan available for data subjects,” with the research plan “specify[ing] the research questions and working methods envisaged as clearly as possible.” Id. at 28-29. Transparency, the Guidelines indicate, is desirable because it allows data subjects to have “at least a basic understanding of the state of play, allowing [subjects] to assess whether or not to use, for example, the right to withdraw consent.” Id. at 28.

Perhaps most problematic for the research community, the Guidelines emphasize the importance of subjects’ ability to withdraw their consent, if consent has been relied upon as the basis for processing. The Working Party “notes that withdrawal of consent could undermine types [of] scientific research that require data that can be linked to individuals, however the GDPR is clear that consent can be withdrawn and controllers must act upon this [because] there is no exemption to this requirement for scientific research.” Id. at 29. If a researcher receives a notice that the data subject has withdrawn consent to data processing, the Guidelines conclude that the controller “should delete or anonymise the personal data straight away.” Id. The Guidelines, however, fail to address the difficulties in meeting the standards for both deletion or anonymization under the GDPR, especially with respect to the sensitive categories of data that often are used in research.

II. Problems Posed for the Research Community

Breadth of Consent

When the GDPR initially was proposed, one concern of the research community was that its requirement for specific consent for processing of personal data would stifle the ability of researchers to obtain broad consent for future research purposes. This possibility was especially problematic for U.S.-based researchers, whose research activities in the U.S. are allowed, under revisions in the 2013 HIPAA Omnibus Rule and the revisions announced to the Common Rule in early 2017, to solicit from research subjects a broad authorization for data use and a broad consent to future research, respectively. Many in the research community were pleased to see that the GDPR drafters appeared at least to acknowledge the needs of the research community for some level of broad consent, as the GDPR recitals recognize that “[i]t is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection.” GDPR Recital 33. The Recital further recognizes that consent is possible for “certain areas of research” – i.e., it is possible under the GDPR to obtain from research subjects consent for “areas” of research, as opposed to specific research activities. It is troubling for scientific research that the Guidelines appear to narrow the scope of this Recital.

The solutions proposed by the Guidelines for obtaining consent for future research are unlikely to be feasible in many circumstances. For example, the suggestion that “[a]s the research advances, consent for subsequent steps in the project can be obtained before that next stage begins” would impose a burden on researchers (including researchers who are direct employees of sponsors) continually to re-contact research subjects to obtain additional consent. This could prove infeasible in multi-year biobanking studies in which research subjects’ biological specimens and associated phenotypic data (which are likely to be considered “personal data” under the GDPR) are stored and used for many different research projects over the course of several years. Researchers often lose contact with subjects who participate in such studies, making it impossible to re-contact such subjects to obtain additional consent as additional research uses of the specimens and data are carried out. Moreover, even if feasible logistically, subjects could become fatigued by repeated requests for additional consent and cease responding to such requests. Further, these requirements also would mean that researchers employed by sponsors would need to contact subjects and request consent for additional research conducted by sponsor staff using identifiable biospecimens and personal data, even though subjects would not ever have had any previous contact with sponsor staff. Being contacted directly by industry sponsors could prove disturbing and seem intrusive to some subjects, and would mark a radical departure from research norms that long have regarded the research relationship as between the institution-based researcher and the subject, rather than between the industry sponsor and the subject.

The Guidelines also are unclear regarding the nature of the obligation imposed on researchers to re-contact research subjects as a research project further develops: is the researcher required to obtain additional consent from the research subject or could the provision of an informational notice to the research subject suffice? As noted above, the Guidelines state at one point that when the purposes of research are not known with specificity at the outset the researcher can obtain consent for subsequent steps in the project as the research advances. Guidelines at 28. This language suggests an obligation on the part of the researcher to obtain additional affirmative consent from the research subject before advancing to the next stage of a research project. The Guidelines also state, however, that a lack of purpose specification can be offset by providing “information on the development of the purposes” at regular intervals as the research project progresses, noting that providing this information will permit the consent to be as specific as possible while providing subjects with the information they need to determine whether or not to exercise their right to withdraw consent. Id. at 28. This statement suggests that providing regular notice could suffice rather than obtaining a fresh affirmative consent as the research project advances. Providing periodic informational notices to research subjects also would be a departure from current research practices and would be significantly burdensome, though somewhat less so than obtaining additional affirmative consents during the course of research. In any event, as described above, even such a requirement for additional informational notices to subjects would fall most often on the sponsor, not research site staff, which would be inconsistent with current practices in which sponsors have no direct relationship or contact with subjects.

In addition, a requirement to obtain additional consent for future research appears contrary to the policy announced by the European Medicines Agency (EMA) in its Policy 0070 on “Publication of Clinical Data for Medicinal Products for Human Use,” which will require sponsors of clinical trials from which data are used in support of a marketing authorization before the EMA to make available publicly individual subject-level data collected in such studies to permit, among other things, future research use of such data. While the EMA policy states that all data submitted should be anonymized, in the case of pediatric or rare disease studies it may not be feasible to anonymize data to the strict standards set forth in the GDPR. Thus, consent may be the only basis on which data could be made available for future research under the policy. The consent practices advocated by the Working Party in the Guidelines (as discussed above) limit the ability to obtain general consent for future research purposes, and thus may frustrate the ability of researchers and sponsors to obtain such consent and thereby prevent sponsor compliance with Policy 0070.

Withdrawal of Consent

Equally problematic to the Guidelines’ narrow interpretation of consent for future research is the Guidelines’ requirements for the deletion or anonymization of personal data upon a subject’s withdrawal of consent. The research community, in many instances, faces a conflict between (i) the Guidelines’ strict interpretation of the research subject’s right to withdraw consent to personal data processing under the GDPR and (ii) independent legal and ethical obligations to maintain personal data for the integrity of a clinical trial and/or adverse event reporting. Because mere storage of data is considered “processing” of data under Article 4 of the GDPR, researchers and sponsors cannot, under the Guidelines, continue even to “store” personal data after a subject has withdrawn consent – even though data retention is required for regulatory purposes.

Researchers may be able to maintain copies of the data for clinical trial integrity and/or adverse event monitoring when a subject withdraws consent on the basis that “processing is necessary for reasons of public interest in the area of public health, such as...ensuring high standards of quality and safety of health care and of medicinal products or medical devices...” GDPR Article 9(2)(i). The Guidelines appear to support reliance on this as a second, alternate basis for processing after consent is withdrawn because “it is possible to rely on more than one lawful basis to legitimize processing if the data [are] used for several purposes, as each purpose must be connected to a lawful basis.” Guidelines at 22. “However,” the Guidelines note, “the controller must have identified these purposes and their appropriate lawful bases in advance.” Guidelines at 22.

Thus, there is a colorable argument that (i) processing of personal data for the conduct of research and (ii) maintenance of data collected in research to meet legal obligations are separate purposes and may, under the GDPR, have distinct lawful bases. To rely on separate bases for such distinct processing purposes, the controller should identify the dual purposes and their respective bases for processing to the subjects at the time of consent. Incorporating such information into the consent form both provides the subject a full view of the potential uses of their data and creates documentation that would help to refute potential concerns that reliance on a second basis for processing could call into question the validity of the subject’s consent.

Conclusion

The Guidelines do not clearly define how and under what circumstances researchers will be unable to obtain full consent to future uses of data at the time of initial consent and fail to identify when additional communications with subjects may be required to alert them of, and seek their new consent for, procedures and areas of research that were not specified in adequate detail at the outset. Further, the Guidelines do not directly address how a researcher and sponsor can retain copies of a subject’s personal data after withdrawal of consent, to satisfy ongoing independent legal obligations, which require the retention, maintenance, and in some cases (such as adverse event causation analysis) use, of subject-level personal data.

The Guidelines’ failure to contemplate and appreciate these various problems suggests that the Working Party lacks a clear understanding of how and by whom medical research is conducted, how personal data are necessary for regulatory and research integrity purposes, and how the GDPR itself poses challenges to the use of personal data in scientific research. The Guidelines are open for comment through Jan. 23, 2018, with instructions for submitting comments found on the Working Party website, located at http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611232. Members of the research community may wish to submit comments to the Working Party in advance of that date, to highlight the challenges that the Guidelines may pose to research.

ALERT

London

October 24, 2017

The UK’s Data Protection Authority goes myth-busting: fining powers; consent; the "misconception" that the GDPR is an unnecessary burden; and data breach reporting

Attorneys: Rohan Massey

The UK’s Information Commissioner’s Office has published a series of blog pieces to “bust some myths” about the General Data Protection Regulation, which comes into effect on 25 May 2018. According to the Information Commissioner, Elizabeth Denham, “there is a lot of misinformation out there …” and “I am worried that the misinformation is in danger of being considered truth”. She gives the following examples: “the GDPR will stop dentists ringing patients to remind them about appointments” or “cleaners and gardeners will face massive fines that will put them out of business” or “all breaches must be reported under GDPR”. All of these are wrong. The blog series seeks to sort the fact from the fiction and covers: (i) the ICO’s fining powers; (ii) the issue of consent; (iii) the “misconception” that the GDPR is an unnecessary burden on organisations; and (iv) data breach reporting.

Myth 1: the biggest threat to organisations from the GDPR is massive fines

“This law is not about fines”, Ms Denham says. “It’s about putting the consumer and citizen first. We can’t lose sight of that.”

It is true that the ICO will have the power to impose fines much bigger than the £500,000 limit the law currently allows, Ms Denham explains. It is also true that the maximum penalty that can be imposed will be a huge £17 million or 4% of annual global turnover allowed under the new law. But, she describes it as “scaremongering” to suggest that the ICO will be making early examples of organisations for minor infringements or that maximum fines will become the norm.

Ms Denham says that the ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR: “We have always preferred the carrot to the stick”.

Issuing fines has always been and will continue to be, a last resort, Ms Denham continues. Last year (2016/2017) the ICO concluded 17,300 cases, only 16 of which resulted in fines for the organisations concerned.

In addition, the ICO has, in fact, still not invoked its maximum powers.

However, Ms Denham says, heavy fines for serious breaches reflect just how important personal data is in a 21st century world. But the ICO intends to use those powers “proportionately and judiciously.” They are also not the only tools in the ICO’s toolbox. There are “lots of other tools that are well-suited to the task at hand and just as effective.”

Like the DPA, the GDPR gives the ICO a suite of sanctions to help organisations comply: warnings, reprimands, corrective orders. Using these does not hit organisations in the pocket, but they can deal a significant blow to their reputations, Ms Denham says.


Myth 2: you must have consent if you want to process personal data

Here, Ms Denham says, it is true that the GDPR is raising the bar to a higher standard for consent.

However, under data protection law consent “has always required a clear, affirmative action”. All the GDPR does is clarify that pre-ticked opt-in boxes are not indications of valid consent.

The GDPR is also explicit, she says, in stating that organisations must make it easy for people to exercise their right to withdraw consent. The requirement for clear and plain language when explaining consent is now “strongly emphasised”, she says. Further, organisations must make sure the consent they already have meets the standards of the GDPR. If not, it will have to be refreshed.

Ms Denham says that she has heard some “alternative facts”. For example, that “data can only be processed if an organisation has explicit consent to do so”. Ms Denham explains that the rules around consent “only apply if you are relying on consent as your basis to process personal data”. In other words, consent is one way to comply with the GDPR, but it’s not the only way.

The new law provides five other ways of processing data that may be more appropriate than consent, Ms Denham explains. “Legitimate interests” is one such ground and the ICO recognises that organisations want more information about it. Guidance will be published next year.

Myth 3: I can’t start planning for new consent rules until the ICO’s formal guidance is published

For those organisations that do rely on consent, there is no need to wait for the ICO final guidance on the subject before beginning preparations to comply with the new rules, Ms Denham says. The ICO is waiting until Europe-wide consent guidelines have been agreed before it publishes its final guidance. The current timetable is December.

However, Ms Denham says the ICO’s draft guidance on consent is “a good place to start right now”. It is “unlikely that the guidance will change significantly in its final form”. Finally, when the formal guidance on consent is published, it will not include guidance on legitimate interests or any other lawful bases for processing.

Myth 4: GDPR is an unnecessary burden on organisations

This blog piece by Steve Wood, Deputy Commissioner (Policy), was published to deal with the misconception that the new regime is an “onerous imposition of unnecessary and costly red tape”. Mr Wood says that, in fact, the new law is “an evolution in data protection, not a revolution”.

Mr Wood explains that the ICO recognises that the GDPR is no different from any other new legislation in that it will have some sort of impact on an organisation’s resources. However, thinking about burden indicates “the wrong mindset to preparing for GDPR compliance”, he says.

The GDPR demands more of organisations in terms of accountability for their use of personal data and enhances the existing rights of individuals. The GDPR is in fact building on foundations already in place for the last 20 years.

Organisations that already comply with the terms of the DPA, and have an effective data governance programme in place, are already well on the way to being ready for the GDPR. Many of the fundamentals remain the same and have been known about for a long time, Mr Wood explains. Fairness, transparency, accuracy, security, minimisation and respect for the rights of the individual whose data an organisation wants to process, are all things they should already be doing with data. The GDPR seeks only to build on those principles.

That does not mean, however, that there is any room for complacency, Mr Wood warns. There are new provisions to comply with and organisations should start making preparations now, if they have not done so already. “But by and large, the new GDPR regime represents a step change, rather than a leap into the unknown”, he says.

Much of the criticism about the GDPR has focused on the perceived burdens it will place on SMEs and smaller organisations. However, Mr Wood continues, many of these criticisms fail to recognise the flexibility that the key principles in the DPA and GDPR provide: they scale the task of compliance to the risk. Many of the principles reinforce tasks businesses will already undertake in relation to record keeping, for example, the principle on data minimisation.

The principles are essentially the same for small businesses and multinational corporations. It is not the size of the organisation that is relevant so much as the risk that particular businesses and types of data processing pose, Mr Wood says, for example, those handling particularly sensitive data, or processing personal data in potentially intrusive ways.

Whatever the size of the organisation, the GDPR is essentially about trust, Mr Wood says: “Building trusted relationships with the public will enable you to sustainably build your use of data and gain more value. Through changing their data handling culture, organisations can derive new value from customer relationships.”

On the other hand, failing to get data protection right is likely to damage reputation, customer relationships and, ultimately, finances.

The ICO’s annual research on privacy and data protection consistently shows that levels of public trust remain low. Conversely, it also shows that they would be more willing to provide their data, and for different uses, if they felt they could trust organisations to handle it fairly, securely and responsibly. Mr Wood says that this provides “a major opportunity and competitive advantage for those who can demonstrate that they get data protection right.”

Myth 5: All personal data breaches will need to be reported to the ICO

Here, Ms Denham explains that under the new GDPR it will indeed be mandatory to report a personal data breach if it is likely to result in a risk to people’s rights and freedoms. However, if there is no such risk, there is no need to report.

In fact, Ms Denham continues, under the current UK data protection law, most personal data breach reporting is best practice, but not compulsory. Ms Denham recognises that mandatory reporting of a personal data breach that results in a risk to people’s rights and freedoms under the GDPR will be a new requirement for many. Therefore, the new GDPR reporting requirements will mean some changes to the way businesses, organisations (and the ICO) identify, handle and respond to personal data breaches.

Ms Denham explains that the threshold to determine whether an incident needs to be reported to the ICO depends on the risk it poses to people involved. Pan-European guidelines will assist organisations in determining thresholds for reporting, but the best approach will be, she says, for organisations to start examining the types of incidents they face and develop a sense of what constitutes a serious incident in the context of their data and their customers.

Organisations need to remember that if there is the likelihood of a high risk to people’s rights and freedoms, they will also need to report the breach to the individuals who have been affected.

The ICO has provided some initial guidance in its GDPR overviews that high risk situations are likely to include the potential of people suffering significant detrimental effects, for example, discrimination, damage to reputation, financial loss, or any other significant economic or social disadvantage.


If organisations are not sure about who is affected, Ms Denham says that the ICO will be able to advise and, in certain cases, order them to contact the people affected if the incident is judged to be high risk.

Myth 6: all details need to be provided as soon as a personal data breach occurs

Here, Ms Denham explains that under the GDPR there is a requirement for organisations to report a personal data breach that affects people’s rights and freedoms “without undue delay” and, where feasible, not later than 72 hours after having become aware of it.

Ms Denham says that organisations will have to provide certain details when reporting, but if not all the details are available at the time, they can be provided later. Ms Denham says that her office does not expect to receive comprehensive reports at the outset of the discovery or detection of an incident. But the ICO will want to know the potential scope and the cause of the breach, mitigation actions the organisation plans to take, and how it plans to address the problem.

Myth 7: if you don’t report in time a fine will always be issued and the fines will be huge

Here, Ms Denham reassures us that under the GDPR, fines will be “proportionate and not issued in the case of every infringement.”

However, organisations do need to be aware that the ICO will have the ability to issue fines for failing to notify and failing to notify in time. It is important that organisations that systematically fail to comply with the law or completely disregard it, particularly when the public are exposed to significant data privacy risks, know that the ICO has that sanction available, Ms Denham says.

In any event, Ms Denham says that fines can be avoided if organisations are “open and honest and report without undue delay”. This goes alongside the basic transparency principles of the GDPR.

Ms Denham confirms that the ICO is currently working alongside other EU data protection authorities as part of the Article 29 Data Protection Working Party to produce guidance that will set out when organisations should be reporting, and the steps they can take to help meet their obligations under the new reporting requirements.

Organisations should be preparing now by putting in place the roles, responsibilities and processes for reporting, Ms Denham says. This is particularly important for medium to large organisations that have multiple sites or business lines.

Over the coming months the ICO will be introducing a new phone reporting service to enable businesses and organisations to report current personal data breaches and future breaches under the GDPR. It will sit alongside a web reporting form and provide organisations with a quicker and easier way of reporting to the ICO, enabling them to receive immediate advice.

Comment

The blog pieces, the ICO says, have proved to be “incredibly popular”, perhaps proving the point that there are indeed many misconceptions and misunderstandings about what exactly the GDPR will entail and how disruptive and expensive it will be for businesses. Hopefully, the blog pieces have brought some comfort to those who have been concerned. In any event, the key to successful compliance must surely be preparation so that by the time the new law becomes effective in May 2018, the transition is as smooth as possible, resulting in less risk of the ICO having to become involved at all. Nevertheless, the GDPR poses some significant challenges which can only be met if organisations implement systemic change to cater to the broader protections for individuals, including the rights to data portability and free access to their data.

This alert should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This alert is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. © 2017 Ropes & Gray LLP

Privacy & Data Security

February 1, 2017

Privacy Implications of President Trump’s Immigration Order

On Wednesday, January 25, President Donald J. Trump directed federal agencies, “to the extent consistent with applicable law,” to ensure that “their privacy policies exclude persons who are not U.S. citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” That directive, Section 14 of an Executive Order that expands enforcement of U.S. immigration laws, is a departure from how the federal government previously has treated personally identifiable information (“PII”) of those who are not U.S. citizens or lawful permanent residents (“non-U.S. persons”) in many contexts, including the processing of visas and immigration records.

The Privacy Act of 1974 requires federal agencies to meet specific minimum privacy standards with respect to PII in databases they maintain. The Privacy Act is frequently recognized for promoting the Fair Information Practice Principles (“FIPPs”), which have become a widely accepted framework for evaluating and considering systems, processes or programs that impact individual privacy. The FIPPs have served as a model for the privacy laws of many U.S. states, foreign countries and international organizations.[1] Although the Privacy Act only requires that federal agencies apply minimum privacy standards to the PII of U.S. citizens and lawful permanent residents,[2] many agencies historically have applied the same standards to the PII of non-U.S. persons as well.[3]

In addition, the Judicial Redress Act of 2015[4] gives the Attorney General discretion to extend the rights and remedies of the Privacy Act to citizens of specific regional economic integration organizations and foreign countries to the extent they are so designated in the Federal Register. Pursuant to the Judicial Redress Act, outgoing Attorney General Loretta Lynch officially designated the EU and most EU member countries as “covered” countries whose citizens are afforded Privacy Act protections, effective February 1, 2017.[5] As a result, the Privacy Act now covers the processing of personal data of EU citizens by federal agencies in the United States. Nothing in Section 14 changes this coverage, because the Executive Order does not trump the Judicial Redress Act or the Federal Register designations.

A. Initial Privacy Impact

In order to comply with Section 14, federal agencies will need to revise their privacy policies to exclude non-U.S. persons. In the short term, these changes primarily will impact non-U.S. persons who are citizens of countries outside of the EU, because any changes must be consistent with the Judicial Redress Act, which extends the protections of the Privacy Act to EU citizens based on the current Federal Register designations. Pursuant to their revised privacy policies, however, agencies lawfully may ignore the FIPPs when processing the PII of non-U.S. persons who are citizens of countries outside of the EU. For example, agencies may disclose the PII of such non-U.S. persons without their consent to other agencies or third parties. While disclosures of this sort presumably include the Executive Order’s proposed publication of lists of crimes committed by aliens,[6] the ability to share information freely appears to sweep more broadly. Agencies may no longer be able to:

• provide non-U.S. persons who are citizens of countries outside of the EU with access to PII concerning them that is maintained in agency databases;

• devote resources to ensure that PII of such persons is accurate, relevant, timely and complete; or

• consider requests from such persons that their records be amended.

As a result, non-U.S. persons from countries outside the EU may be unable to confirm that data held about them is correct, or request that mistakes in such data be corrected.

B. Longer-Term Privacy Impact

Although some European commentators have voiced concern that the Executive Order threatens the viability of the recently enacted EU-U.S. Privacy Shield framework for regulating transatlantic data transfers, the EU Commission reportedly indicated in an emailed statement that such concerns are unfounded. The Commission added that the U.S.-EU Data Protection and Privacy Agreement, which establishes a set of protections, including specific judicial redress rights, for PII exchanged between the United States and the EU for law enforcement purposes, also will remain in place. Once confirmed, the new Attorney General will have some discretion under the Judicial Redress Act to remove the designations of the EU and most EU member countries as “covered” countries whose citizens are afforded Privacy Act protections. Nonetheless, the new Executive Order does not require such removal explicitly. Unless the European Commission decides to reconsider whether the privacy rights afforded EU citizens under the Judicial Redress Act adequately protect their PII, it is too soon to say whether the Executive Order specifically will impact the Privacy Shield status quo.

[1] See, e.g., United States Department of Homeland Security, Privacy Policy Guidance Memorandum (Dec. 29, 2008).
[2] See 5 U.S.C. § 552a(a)(2).
[3] See, e.g., Department of Homeland Security Privacy Policy Guidance Memorandum No. 2007-1 (2007) (“As a matter of DHS policy, any personally identifiable information (PII) that is collected, used, maintained, and/or disseminated in connection with a mixed system by DHS shall be treated as a System of Records subject to the Privacy Act regardless of whether the information pertains to a U.S. citizen, Legal Permanent Resident, visitor, or alien.”).
[4] Pub. Law No. 114-126 §2(d).
[5] The designations will become effective simultaneously with the U.S.-EU Data Protection and Privacy Agreement (DPPA). Congress passed the Judicial Redress Act in order to implement the redress right provisions of the DPPA.
[6] See Section 9(b) of the Executive Order.


February 14, 2017

The GDPR – Possible Impact on the Life Sciences and Healthcare Sectors

Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 (the “GDPR”) came into force in May 2016 and introduced a number of changes to European data protection law. Such changes will impact many entities conducting business within the European Union (the “EU”); however, the implications for organizations operating in the life sciences and healthcare sectors are likely to be particularly far-reaching. Life sciences and healthcare-related businesses often collect and/or use large amounts of sensitive health-related data in respect of living individuals, such as patients and clinical trial subjects, so the new data protection requirements will be particularly relevant for them.

We set out below a summary of some of the more significant changes that are likely to impact stakeholders within these sectors.

Extra Territorial Effect

Previously, European data protection legislation only applied to organizations that collected and/or used personal data if such organizations were established within the EU, or if they were established outside the EU, but used equipment within the EU to process personal data (unless this was only for transit purposes).

The GDPR will continue to apply to organizations established within the EU which process personal data; however, organizations established outside the EU will now also be subject to the GDPR if such organizations process the personal data of EU-based individuals and either (i) offer goods or services to individuals within the EU; and/or (ii) monitor the behavior of data subjects within the EU. Any non-EU-based entities to which the GDPR applies will be obliged to appoint a representative within the EU to ensure that they comply with the requirements of the GDPR when processing the personal data of European citizens in the ways set out above.

This means that more non-EU-based organizations operating in the life sciences and healthcare sectors (for example, contract research organizations involved in clinical trials, providers of healthcare services and health insurance companies) are likely to be subject to the GDPR, going forward, than were subject to previous European data protection legislation.

Special Categories of Personal Data

The GDPR prohibits the processing of certain special categories of personal data (or “sensitive personal data”), subject to certain exceptions. The special categories of personal data include, among other things, genetic data and data concerning health.

“Genetic data” is defined by the GDPR for the first time. “Genetic data” includes personal data relating to the inherited or acquired genetic characteristics of a natural person that give unique information about the physiology or health of that natural person and that result, in particular, from an analysis of a biological sample from the natural person in question.


Although data concerning health was protected as a special category of data under the previous EU data protection legislation, the GDPR also defines “data concerning health” for the first time. “Data concerning health” includes personal data related to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about his or her health status.

Organizations operating in the life sciences and healthcare sectors that collect and/or use any data concerning health, genetic data, or other types of sensitive personal data will need to ensure that they fall within one of the exceptional circumstances set out in the GDPR when the prohibition on the processing of sensitive personal data is deemed not to apply. Among others, these include circumstances where:

i. the individual to whom the sensitive personal data relates has given his/her explicit consent to the processing for one or more specified and lawful purposes (unless such consent is prohibited by applicable EU or Member State law). Obtaining consent from individuals under the GDPR is discussed further below;

ii. the processing is necessary to protect the “vital interests” of the individual to whom the relevant data relate or another individual where the data subject is physically or legally incapable of giving consent (generally, this exception can only be relied on in “life or death” type situations);

iii. the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of EU or Member State law or pursuant to contract with a health professional and subject to certain conditions and safeguards; and

iv. the processing is necessary for public interest reasons in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices, on the basis of EU or Member State law that provides for suitable and specific measures to safeguard the rights and freedoms of data subjects, in particular professional secrecy.

It should also be noted that Member States may maintain or introduce further conditions, including limitations, regarding the processing of genetic data or data concerning health, so organizations will need to confirm whether any such additional restrictions exist in the relevant EU Member States where they process any such data.

Consent

Many organizations and businesses operating in the life sciences and healthcare sectors rely on obtaining the explicit consent of individuals to justify the collection and use of their sensitive personal health-related or genetic data (although this is not the only legal basis for processing of such data that can be relied on). The GDPR introduces a number of additional requirements that must be met to ensure that any consents that are obtained can be relied upon.

The GDPR introduces a new definition of “consent”. “Consent” is defined to mean any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Valid consent can be obtained in various ways (e.g., by requiring individuals to sign consent forms, or by clicking on an electronic “I consent” button).


If processing is based on consent, organizations must be able to show that individuals have agreed to the processing of their personal data. Furthermore, if consent is given in a written declaration that also relates to matters other than the consent, the consent request must be presented in a way that is clearly distinguishable from the other matters, intelligible, easily accessible and in clear and plain language in order to be valid.

The GDPR also makes clear the fact that individuals have the right to withdraw their consent to the processing of their personal information at any time (although this will not affect the lawfulness of any personal data processing that was carried out before consent was withdrawn). Individuals must also be informed that they have the right to withdraw their consent before consent is given and withdrawing consent must be as easy as giving consent.

The GDPR also provides that consent is unlikely to be deemed to be freely given where the performance of a contract, including the provision of a service, is made conditional on consent to the processing of personal data that is not necessary in order to perform the contract.

Life sciences and healthcare-related businesses that are subject to the GDPR should consider the procedures and wording that they use when obtaining consent from individuals, for example, informed consent forms used in connection with clinical trials or patient treatment. Informed consent forms that complied with the requirements of the previous EU legislation are unlikely to be adequate to comply with the consent requirements of the GDPR, so these should be updated as necessary to make sure that they are robust. Some commentators have observed that the GDPR’s consent requirements are likely to make valid consent difficult to obtain in practice, so it will be interesting to see whether data controllers continue to rely on individual consent or seek to rely on alternative justifications for their processing of personal and sensitive personal data.

Anonymisation and Pseudonymisation

Many life sciences and health sector businesses use coded data, particularly in the context of clinical trials. The issue of whether or not such data constitutes personal data and therefore whether or not European data protection legislation applies to it has long been a controversial topic.

The GDPR defines “pseudonymisation” for the first time. Essentially, pseudonymisation is defined to mean the processing of personal data in such a way that the personal data can no longer be attributed to a specific individual without using additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.

Among other things, the GDPR provides that data protection principles should apply to any information concerning an identified or identifiable individual. It also makes clear that personal data that has undergone pseudonymisation that could be attributed to an individual by the use of additional information should be considered to be information on an identifiable individual (in other words, pseudonymised personal data which allows re-identification of individuals will often be considered to be personal data).

The GDPR provides that, in order to decide whether an individual is identifiable, all the means reasonably likely to be used, either by the relevant data controller or a third party to identify the individual directly or indirectly, should be considered. In deciding whether means are reasonably likely to be used to identify an individual, various objective factors should be considered, for example, the costs of and amount of time required for identification, taking into account the technology available at the time the data is processed and technological developments.


Life sciences and health sector businesses will need to consider carefully whether individuals who are the subjects of any coded data that they collect and/or use would be deemed to be identifiable for the purposes of the GDPR. If so, then they will need to comply with the provisions of the GDPR in respect of such pseudonymised personal data. Certain commentators have observed that effective pseudonymisation of personal data that does not allow re-identification of individuals will be difficult to achieve in practice. Pending further guidance from European regulators on this point, it is probably safer to assume as a default position that any coded data constitutes personal data for the purposes of the GDPR and comply with the GDPR’s requirements in respect of such data.

Data Protection Design and Default and Privacy Impact Assessments

The GDPR introduces new formal requirements in respect of data protection by design and default principles. When deciding on a system for personal data processing and also when using that system to carry out such processing, data controllers must now implement appropriate technical and organizational measures, such as pseudonymisation, that implement data protection principles (for example, data minimisation) effectively and incorporate appropriate safeguards into the processing of personal data to meet the GDPR’s requirements and protect individuals’ rights. The state of the art, costs of implementation and the nature, scope, context and purposes of the intended personal data processing must be considered, together with the risks of varying likelihood and severity for individuals’ rights and freedoms that are raised by the processing.

Data controllers must also put in place appropriate technical and organizational measures to ensure that, by default, only personal data that is necessary for each specific purpose of the processing is processed and that by default personal data is not made accessible without the individual’s intervention to an indefinite number of people.

Life sciences and healthcare organizations will need to introduce appropriate policies and procedures to ensure that appropriate measures and safeguards are incorporated when introducing new personal data processing systems, products or processes and to ensure that data protection by design and default principles are respected.

The GDPR also formally requires data controllers to carry out privacy impact assessments in relation to any personal data processing that is likely to result in high risks to individuals’ rights and freedoms, particularly where the processing uses new technologies. Privacy impact assessments must be carried out, in particular, in a number of specified circumstances, including where personal data processing involves large scale processing of certain sensitive personal data, including genetic data and data concerning health. Privacy impact assessments should include various elements and, where appropriate, data controllers are obliged to seek the views of data subjects or their representatives on the intended processing (without prejudice to the protection of commercial or public interests or the security of the processing).

Life sciences and healthcare organizations should carry out privacy impact assessments in any circumstances when they are proposing to process large amounts of sensitive health-related data (e.g., when designing and running clinical trials and introducing new products and/or services for patients). Potentially, they may also have to seek the views of the relevant individuals or their representatives about their intended personal data processing in these circumstances, at least to some extent.

Data Processors

In addition to imposing new requirements on data controllers, the GDPR imposes various data protection obligations directly on data processors for the first time (data processors include any natural or legal person, public authority, agency or other body that processes personal data on behalf of a data controller). For example, the GDPR extends to data processors the requirement to ensure an adequate level of protection for personal data that is transferred outside the European Economic Area. Similarly, data processors must put in place appropriate technical and organizational security measures to protect personal data and to create and maintain certain records of their personal data processing activities (among other things).

Life sciences and healthcare organizations who are acting as data processors on behalf of data controllers (e.g. contract research organizations acting on behalf of clinical trial sponsors) will need to ensure that they comply with all relevant requirements of the GDPR, going forward.

Group Actions

The GDPR gives individuals the right for the first time to mandate not-for-profit bodies, organizations or associations, which have been properly constituted under the law of an EU Member State, that have statutory objectives in the public interest and which are active in protecting individuals’ rights and freedoms regarding protection of their personal data, to take various actions on their behalf. Such bodies, organizations and associations may lodge complaints on the relevant individuals’ behalf, exercise certain rights to obtain effective judicial remedies against data protection regulators and data controllers and processors and receive compensation on the individuals’ behalf in certain circumstances.

The GDPR thus increases the possibility of “group action” style data protection claims within Europe. Such claims, which may increase the frequency and costs of data protection-related proceedings, could be especially relevant for life sciences and healthcare-related organizations that infringe individuals’ privacy rights, given the large amounts of sensitive health-related personal data that such organizations typically collect and use.

Penalties

The GDPR considerably increases the sanctions and penalties that can be imposed on organizations that breach its requirements. In particular, the maximum monetary penalties that can be imposed by European data protection regulators for serious breaches have been substantially increased to up to: (i) €20,000,000; or (ii) 4% of an undertaking’s global annual turnover, whichever is the greater.

Clearly, for life sciences and healthcare sector organizations that handle significant amounts of sensitive personal health related data, the imposition of such increased monetary penalties in the event of a serious breach could be highly significant, so ensuring that a robust data protection compliance program is in place will be critical.

Summary of Significant Issues

A checklist of significant issues that life sciences and healthcare sector organizations need to consider is set out below:  Does the GDPR apply to your organization, even if it is based outside the EU?  Has your organization established a robust data protection compliance program to ensure compliance with the GDPR?  Has your organization established a valid legal basis for processing personal data, particularly data concerning health, genetic data and any other relevant special categories of personal data?


• Has your organization updated its procedures, forms and wording for obtaining individual consents to ensure compliance with the GDPR?

• Does your organization use pseudonymised or “coded” data from which living individuals can be re-identified? If so, does your organization comply with the GDPR’s requirements in respect of it?

• Has your organization implemented appropriate policies and procedures to ensure that data protection by design and default principles are respected?

• Has your organization implemented appropriate policies and procedures to ensure that data protection impact assessments are carried out where required?

• If your organization acts as a data processor in any circumstances, is it able to comply with its new obligations under the GDPR?

Conclusion

Although officially in force, the GDPR will not be enforced by European regulators until 28th May 2018. The matters discussed above highlight some of the issues that are likely to impact life sciences and healthcare-related organizations; however, there are also other, more general, issues raised by the GDPR that such organizations will need to consider.

Life sciences and healthcare-related businesses should take steps now to ensure that they are able to comply with the new requirements of the GDPR. This should help such organizations to build and maintain the trust and confidence of their customers, business partners, patients and other individuals whose personal data they collect and process and avoid breaches of relevant data protection rules. Organizations that are prepared for the GDPR are also more likely to avoid enforcement action by European regulators, legal action from data subjects, significant monetary penalties and the attendant reputational damage and negative publicity that can result.

This alert should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This alert is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have.

© 2017 Ropes & Gray LLP | ropesgray.com | ATTORNEY ADVERTISING

ALERT

Privacy & Data Security

March 3, 2017

Cookies Crumble? The draft EU Regulation on Privacy and Electronic Communications

Attorneys: Rohan Massey

Background

The European Commission recently published a proposed Regulation on Privacy and Electronic Communications (the “Regulation”). The Regulation aims to update and broaden the scope of current rules under the ePrivacy Directive (2002/58/EC) on confidentiality of electronic communications as well as align the rules for electronic communications, cookie usage and direct marketing with the forthcoming General Data Protection Regulation (“GDPR”). In line with the GDPR, penalties for infringement may be severe, with fines for infringement of the cookies and unsolicited communication rules potentially amounting to the greater of €10 million or up to 2% of the worldwide annual revenue. Infringements of the rules relating to confidentiality of content and metadata may be higher, with fines capped at the greater of €20 million or up to 4% of the worldwide annual revenue. Though the new Regulation is planned to come into effect at the same time as the GDPR on 25 May 2018, it must first be formally approved by both the Parliament and the Council on a relatively ambitious timetable before it becomes law. Ultimately, the Commission hopes that the proposed Regulation will increase the protection of people’s private lives and open up opportunities for new businesses.

Scope of the Proposed Regulation

The Regulation covers almost all businesses that operate in Europe but, like the GDPR, also extends to businesses outside the EU if they provide services to users in the EU (including where such services are offered free of charge). The Regulation applies to the processing of communications data carried out in connection with electronic communications services and to information related to end users’ terminal equipment. The Regulation proposes extending coverage from telecoms companies and ISPs to also include providers of over-the-top (“OTT”) services, including popular instant messaging applications. It further covers anyone using cookies or similar tracking technologies as well as anyone engaging in electronic marketing, whether or not they are providing an electronic communications service. The Regulation does not apply to electronic communications services that are not publicly available. It also is inapplicable to government authorities engaged in detecting crime or otherwise protecting public safety.

Electronic Communications Data

The Regulation distinguishes between two types of electronic communications data: electronic communications content and electronic communications metadata. Content refers to the actual information exchanged in an electronic communication, including text, voice, videos, images and sound, including, for example, a picture or video sent using instant messaging. Metadata refers to data processed by a network for the purposes of transmitting content, including information relating to the source and destination of a communication; the location, date, and duration of a communication; and the method of communication. For instance, data identifying that an instant message was sent at a specified time is metadata.

Many of the rules in the Regulation require consent. Consent must be “freely given, specific, informed and unambiguous,” which is the same standard as the GDPR. Consent can be expressed by a statement or clear affirmative action. This allows consent to be expressed by using the settings of an application, which simplifies the acceptance or refusal process for users.

Confidentiality

Under the Regulation, both electronic communications content and metadata must be kept confidential and must not be interfered with. However, the Regulation permits a limited number of exceptions to this basic rule in the following circumstances:

• Both content and metadata may be processed in order to (1) transmit the communication; (2) maintain or restore security; or (3) detect technical faults or errors in the transmission of the communication.

• Metadata may also be processed if (1) it is necessary to meet mandatory EU quality of service requirements; (2) it is necessary for billing; (3) it is necessary for detecting or stopping fraud or abuse; or (4) the end user consents to the processing for a specified purpose which could not be carried out using anonymised data.

• Content may also be processed (1) for the sole purpose of providing a specific service, if the service cannot be provided without such processing and provided the end user has consented to the processing; or (2) if the end user consents to the processing for a specified purpose which could not be carried out using anonymised data and the provider consults the GDPR’s supervisory authority.

Data Erasure

Electronic communications service providers must either erase or anonymise content after its receipt by the intended recipient. Metadata must similarly be erased or anonymised when it is no longer needed for transmitting the communication. The same exceptions of confidentiality listed above also apply to erasure of data. Metadata may be further retained until the end of a period in which a bill or payment may be lawfully challenged under national law.

Cookies and Terminal Equipment

The Regulation prohibits the use of cookies (and similar tracking technologies, such as hidden identifiers and device fingerprinting) unless (1) it is necessary for the sole purpose of transmitting the communication; (2) the end user has consented; (3) it is necessary for providing an information society service (e.g., to add items to an online shopping basket) requested by the end user; or (4) it is necessary for web audience measuring if carried out by the information society service requested by the end user. No consent is needed for first-party cookies used by a website to carry out web audience measuring.

In addition, if cookies are used, the Regulation prohibits collecting device information unless (1) it is done only to establish a connection; or (2) users are notified how the data will be collected, the purposes for which it will be used, and certain other information.

All communications software (e.g., web browsers and other applications allowing the retrieval and presentation of information on the internet) must offer functionality to prevent the use of third-party cookies. Upon installation, the software must inform the end user about the privacy settings options. To continue with the installation, the end user must consent to one of the settings. For software already installed as of 25 May 2018, these requirements must be complied with by the first update of the software and no later than 25 August 2018.
Direct Marketing

The rules in relation to electronic direct marketing are broadly equivalent to current legislation under the ePrivacy Directive – subject to limited exceptions, opt-in consent will still be required before businesses are permitted to send electronic direct marketing. However, notable changes include the widening of the scope of the application of the rules to cover all electronic communications services, which include communications sent through instant messaging applications and Bluetooth.


For telephone calls, however, Member states may permit the placing of direct, non-automated, voice-to-voice marketing calls, provided that the end user has not expressed an objection to receiving such communications. Those placing marketing calls must inform end users of the marketing nature of the communication and of their identity. They must also give the end user the chance to easily exercise his/her right to withdraw his/her consent.

Comment

The proposed scope of the Regulation is quite broad, encompassing almost all modern businesses and providers of electronic communications services. By replacing the current e-Privacy directive with a regulation, the Commission aims to provide a uniform set of rules that protect privacy for people and businesses. The Regulation may allow for new business opportunities, as traditional telecoms operators will have more opportunities to use data and provide additional services once consent is given. The Commission also says that the rules on cookies have been simplified, for example by not requiring consent for cookies to simply monitor web traffic, although given the stricter consent requirements in respect of other cookies used, even with browser level consent controls, those cookie pop-ups look unlikely to disappear or even to crumble.


Thoughts On EU's Draft E-Privacy Regulation

This article by privacy & data security partner Rohan Massey was originally published by Law360 on April 10, 2017.

Attorneys: Rohan Massey

Aside from Brexit, the outlook in Europe is focused on harmony and unity, measures well reflected in the Digital Single Market initiative. As part of this initiative, the European Commission recently published a proposed Regulation on Privacy and Electronic Communications. The regulation is aimed at creating a harmonious pan-European approach to e-privacy, replacing the current directive with a directly effective regulation designed to address the complexities of privacy in the age of social media and networked computing; to simplify and clarify the EU approach to the use of cookies and data harvesting; and to align e-privacy with the data protection principles enshrined in the General Data Protection Regulation, and the EU Charter of Fundamental Rights. Ultimately, the commission hopes that the proposed regulation will increase the protection of individuals’ private lives, open up opportunities for new businesses and simplify and streamline current rules on cookies, which should result in greater trust and security in the Digital Single Market.

Though the new regulation is planned to come into effect at the same time as the GDPR on May 25, 2018, it must first be formally approved by both the Parliament and the Council on a relatively ambitious timetable before it becomes law.

Objectives of the E-Privacy Regulation

There are three clear objectives underpinning the revision of the e-privacy regime in Europe. The first is a desire to protect both the privacy and confidentiality of electronic communications. This is to be achieved by controlling the ways in which network and service providers process electronic communications data, whether it be the content of electronic communications such as email or instant message, or whether it be metadata relating to the electronic communication itself, such as the place, time or identity of person sending the communication. The second objective is the protection of the individual’s right to privacy with regard to their activities when browsing the internet or using electronic devices. This is to be achieved by the regulation of tracking technology such as cookies. The final objective is the control of direct marketing communications to ensure that electronic communications are carried out efficiently without individuals being exposed to unsolicited commercial communications or spam.

Scope of the Proposed Regulation

The regulation applies to the processing of communications data carried out in connection with electronic communications services and to information related to end users’ terminal equipment. The regulation proposes extending coverage from telecoms companies and internet service providers to also include providers of over-the-top (“OTT”) services, including popular instant messaging applications. It further covers anyone using cookies or similar tracking technologies, as well as anyone engaging in electronic marketing, whether or not they are providing an electronic communications service.

The regulation does not apply to electronic communications services that are not publicly available. It also is inapplicable to government authorities engaged in detecting crime or otherwise protecting public safety.


The regulation covers almost all businesses that operate in Europe but, like the GDPR, also extends to businesses outside the EU if they provide services to users in the EU (including where such services are offered free of charge).

Electronic Communications Data

The regulation distinguishes between two types of electronic communications data: electronic communications content and electronic communications metadata. Content refers to the actual information exchanged in an electronic communication, including text, voice, videos, images and sound. For example, a picture or video sent using instant messaging is electronic communications content. Metadata refers to data processed by a network for the purposes of transmitting content, including information relating to the source and destination of a communication; the location, date, and duration of a communication; and the method of communication. For instance, data identifying that an instant message was sent at a specified time is metadata.

Many of the prohibitions set out in the regulation can be overcome where there is “end user consent.” “Consent” in this context is aligned with the GDPR and so must be “freely given, specific, informed and unambiguous.” Consent can be expressed by a statement or clear affirmative action. However, the regulation does add that, where feasible, consent may be expressed by using appropriate software settings of an application. This is intended to simplify the acceptance or refusal process for users as consent may be given by browser settings, provided that the software informs end users of privacy settings options and obliges the end user to consent to or select such privacy setting as part of the set up of the service. Software must also offer end users the option to prevent the placing of third party cookies.

What is not so clear is who the “end user” actually is for the purposes of the regulation. It is clear that an end user is a user of a service, though it is unclear whether the end user includes the sender, the recipient or both, in relation to any electronic communication.

Confidentiality

Under the regulation, both electronic communications content and metadata must be kept confidential and must not be interfered with. However, the regulation permits a limited number of exceptions to this basic rule in the following circumstances:

• Both content and metadata may be processed in order to: (1) transmit the communication; (2) maintain or restore security; or (3) detect technical faults or errors in the transmission of the communication.

• Metadata may also be processed if: (1) it is necessary to meet mandatory EU quality of service requirements; (2) it is necessary for billing; (3) it is necessary for detecting or stopping fraud or abuse; or (4) the end user consents to the processing for a specified purpose that could not be carried out using anonymized data.

• Content may also be processed: (1) for the sole purpose of providing a specific service, if the service cannot be provided without such processing and provided the end user has consented to the processing; or (2) if the end user consents to the processing for a specified purpose that could not be carried out using anonymized data and the provider consults its relevant supervisory authority for the purposes of the GDPR.


Data Erasure

Electronic communications service providers must either erase or anonymize content after its receipt by the intended recipient. Metadata must similarly be erased or anonymized when it is no longer needed for transmitting the communication. The same exceptions of confidentiality listed above also apply to erasure of data. Metadata may be further retained until the end of a period in which a bill or payment may be lawfully challenged under national law.

Cookies and Terminal Equipment

The regulation is technology neutral and thus covers PCs, laptops, smartphones and tablet devices. Across all devices it prohibits the use of cookies (and similar tracking technologies, such as hidden identifiers and device fingerprinting) unless: (1) it is necessary for the sole purpose of transmitting the communication; (2) the end user has consented; (3) it is necessary for providing an information society service (e.g., to add items to an online shopping basket) requested by the end user; or (4) it is necessary for web audience measuring if carried out by the information society service requested by the end user. No consent is needed for first-party cookies used by a website to carry out web audience measuring.

In addition, if cookies are used, the regulation prohibits collecting device information unless: (1) it is done only to establish a connection; or (2) users are notified how the data will be collected, the purposes for which it will be used, and certain other information.

All communications software (e.g., web browsers and other applications allowing the retrieval and presentation of information on the internet) must offer functionality to prevent the use of third-party cookies. Upon installation, the software must inform the end user about the privacy settings options. To continue with the installation, the end user must consent to one of the settings. For software already installed as of May 25, 2018, these requirements must be complied with by the first update of the software and no later than Aug. 25, 2018.

Direct Marketing

The rules in relation to electronic direct marketing are broadly equivalent to current legislation under the e-privacy directive. However, “direct marketing communication” is defined as any form of advertising whether written or oral, sent to one or more identified or identifiable end users of electronic communication services, which include communications sent through instant messaging applications and Bluetooth. Subject to limited soft opt-in exceptions as under the current regime, opt-in consent will still be required before businesses are permitted to send electronic direct marketing.

Comment

Is the scope too broad for effective enforcement?

The commission has flagged that reform is necessary to keep up with recent developments in IT-based services such as voice over internet protocol as well as the forthcoming GDPR. In particular, the commission has specifically named key OTT service providers as needing to offer the same level of confidentiality as traditional telecommunication operators. The proposed scope of the regulation is consequently quite broad, encompassing almost all modern businesses and providers of electronic communications services — the likely result being that, if adopted as drafted, the regulation will provide for a more level playing field among traditional, modern and future electronic communications service providers.

However, as with the GDPR, there still remain concerns over data protection authorities’ ability to successfully enforce the extraterritorial effect of the proposed new rules. European electronic communications service providers may therefore, quite legitimately, question whether the rules are actually stacked against them. It will remain to be seen what action, if any, European data protection authorities can and do take against entirely non-EU electronic communication service providers who fail to comply with the regulation’s requirements. If the rules are not, or cannot be, successfully enforced against such providers, then there is potential for the regulation to stifle business and innovation in the EU, as non-EU jurisdictions consequently become more attractive.

In line with the GDPR, penalties for infringement may be severe, with fines for infringement of the cookies and unsolicited communication rules potentially amounting to the greater of €10 million or up to 2 percent of the worldwide annual revenue. Infringements of the rules relating to confidentiality of content and metadata may be higher, with fines capped at the greater of €20 million or up to 4 percent of the worldwide annual revenue. How “proportionate and dissuasive” fines will be assessed for noncompliance with the proposed rules on cookies and similar technologies remains to be seen. Historically, this area has not been heavily enforced under the current regime, with very few examples of fines being levied for infringement (and even then the level of those fines has been generally low). This has been a major criticism of the current regime, with those who are playing by the rules understandably arguing that more needs to be done to ensure the rules are actually enforced. This may have an impact on the quantum assessment, however, given that many European data protection authorities already have limited resources and will likely be concentrating on GDPR enforcement. For this reason, it is difficult to see this situation changing substantially.

Will a borderless Digital Single Market be hampered by national security protections?

By replacing the current e-privacy directive with a regulation, the commission aims to provide a uniform set of rules that protect the privacy of people and businesses. However, as with the GDPR, specific national (i.e., member state) derogations may still apply.

In particular, similarly to the GDPR, the regulation fails to provide for specific provisions in relation to data retention, and individual member states are free (subject to compliance with EU law) to provide for their own retention rules and to limit the confidentiality of communications in order to safeguard “general public interests.” This general position is likely to conflict with the balance of necessity, legality and proportionality set out in recent rulings of the Court of Justice of the European Union. The result may be that although there is an overarching general compliance regime across the EU, communications service providers may still have to navigate a patchwork of different member-state national rules as far as data retention is concerned.

Privacy for communications content and metadata?

The regulation aims to guarantee the privacy of communications content and metadata, particularly since both can potentially reveal highly sensitive information and personal data about end users and other legal persons (e.g., businesses). It will be interesting to see how many OTT service providers attempt to obtain user consent for the retention and further processing of such data and how they do this — ultimately this could lead to new privacy banners and pop-ups when using OTT services. However, the regulation makes no provision for standardized security measures to be applied, such as the requirement for end-to-end encryption and instead references the appropriate technical and organizational security measures of the GDPR. The obligation or lack of obligation to provide security is likely to be a point of tension in the EU Parliament as there are clear voices from politicians, law enforcement, privacy campaigners and consumer bodies supporting both sides of the argument.

Will this be the end of the cookie consent pop-up?

The commission believes that the rules on cookies have been simplified, for example by not requiring consent for strictly necessary cookies, nor first-party cookies used to simply monitor web traffic. Together with the ability to accept or refuse cookies through web browser settings, this is intended, at least partly, to remove or reduce the need for cookie banners and pop-ups. This is welcome news, but in reality, is likely to present further complications.

In particular, most websites use third-party and other non-strictly necessary cookies, especially for the purposes of advertising on free-to-use internet services, in order to monetize internet content and services. As a result, such websites will likely prefer control of cookie consent at a website level, as opposed to relying on choices made by end users at a browser level. For instance, it would be reasonable to assume that if end users choose not to accept third-party cookies within their browser settings, websites using such cookies will therefore want, and need, to obtain end users’ consent to do so. This means that it is unlikely that cookie consent banners will disappear under the regulation, which somewhat defeats the purpose of the new changes in the first place.

A similar issue arises in respect of certain third-party cookies. For example, if an end user consents to certain businesses using their analytics cookies on third-party websites, or similarly to use cookies for upvoting or liking content on other websites — will such consent apply across all third-party websites in which those cookies are used, or will the relevant websites need to obtain consent again if such cookies are used on their sites? If the former, it is unclear how both web browsers and websites would be able to determine whether such consent has been given, again potentially resulting in the need to obtain consent in any case.

In addition, it is currently difficult to predict how the concept of “necessity” will be applied under the current draft of the regulation, as this could severely impact many information society service business models. For example, if a free news website, as with most such sites, is funded by advertising revenues and uses cookies to display videos, which may or may not include advertisements, it is arguable whether such cookies are necessary for the provision of the service. If they are not, this would leave consent as the only alternative to use such cookies in accordance with the regulation. Given that the conditions for consent under the regulation are proposed to be the same as under the GDPR, we know that consent will be presumed to not be freely given if the provision of the service is dependent on the consent, despite such use of cookies not being necessary for the provision of the underlying service. While perhaps being economically necessary to use such cookies in this scenario, it is unlikely to be technically necessary; meaning any consent could be deemed invalid. The regulation therefore clearly threatens such business models if there is no valid way to legitimize the use of such cookies.

Furthermore, there is also the technical question as to how websites will recognize what cookie choices end users have made in their web browsers. This process may be facilitated by the key browser players agreeing on a common, universal standard, meaning websites would not have to code for each and every browser available. However, assuming the relevant players are amenable to this approach, this is a process that would likely take time, and may be difficult to reconcile with the commission’s aggressive timetable.


The above suggests that the “simplified” changes within the regulation may not actually provide for the “streamlined” mechanisms envisaged. We expect many businesses will lobby the commission on these points, requesting rules that more closely reflect the balance between commercial practicality and individuals’ rights. However, it remains to be seen whether this will result in any changes to the draft.

Conclusion

The regulation sets out to align the requirements of e-privacy and data protection in Europe for the benefit of the Digital Single Market initiative, with an aggressive timetable for implementation to coincide with that of the GDPR in May 2018. This combination of factors may not work in the draft’s favor. There is also a risk that in wanting to find an acceptable compromise the EU Parliament may seek material changes in certain areas of the draft, which could delay the adoption of the regulation. However, there is clearly a desire to try and make this work and so much will depend on exactly what pushback the EU Parliament seeks.

As with the GDPR, the intention of harmonization is somewhat undermined by the number of derogations contained within the legislation giving each member state a general power to restrict obligations and rights where necessary and proportionate to safeguard general public interests. Therefore, it will be interesting to see if the EU Parliament seeks to restrain the scope and/or derogations contained in the draft or accept them to facilitate swift passage of this piece of legislation, relying on the jurisprudence of the CJEU to find a balance not set out in the regulation.

In parallel with preparations for the GDPR, and for those affected, the Network Information Security Directive, it would be wise to bear in mind the requirements of the regulation when reviewing policies, procedures and services in the next 12 months. If the regulation is adopted as intended, those taking this approach will mitigate the risks of the greatly increased administrative fining regime set out under both the GDPR and the regulation.

ALERT

Privacy & Data Security

May 9, 2017

The Information Commissioner’s Guidance on Consent under the GDPR

Attorneys: Rohan Massey, Clare Sellars

The General Data Protection Regulation (the “GDPR”) came into force in May 2016 and makes numerous changes to European data protection laws. Among other things, the GDPR updates the rules on the use of consent by data controllers to justify their processing of personal data in various circumstances. The UK Information Commissioner’s (the “ICO”) consultation on its draft GDPR Consent Guidance (the “Guidance”) ended on 31 March 2017. The ICO reported on 13 April that over 300 responses have been received and these are now being analysed. The draft Guidance is generally helpful and provides clear practical advice regarding many aspects of consent. However, there are some elements of the draft Guidance which are likely to prove contentious. It is clear that valid consent will become significantly harder to obtain and that it will often be more appropriate for data controllers to rely on an alternative legal basis other than consent to justify their personal data processing.

What Has Changed?

The Guidance confirms that the basic concept of consent and its main role as one potential lawful basis (or condition) for processing personal data has not changed; however, the GDPR builds on the existing definitions and standards of consent in various ways, setting a high standard for consent. Current methods of obtaining consent will need to be reviewed and refreshed. Clearer and more granular opt-in consent methods, good consent records and easy ways to withdraw consent will all be required. The definition of consent set out in the GDPR includes additional requirements regarding how consent should be given.

Consent is defined to mean “any freely given specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of the personal data relating to him or her” (emphasis added). The new elements of the definition are considered in more detail below. For those involved in scientific research or processing children’s personal data online, there are new provisions on consent for scientific research purposes and children’s consent for online services. Consent and explicit consent, respectively, can also legitimise restricted processing and automated decision-making and profiling and international transfers of personal data if adequate safeguards are not in place. Consent can also give individuals stronger rights in some cases (e.g., the rights to data portability and erasure).

The ICO makes it clear that, if consents have been obtained previously, data controllers will not be required to refresh such consents if they meet the GDPR’s standards and have been properly documented, although they will need to implement mechanisms allowing individuals to withdraw their consent easily. In the light of the Guidance, it seems unlikely that many (if any) existing consent mechanisms will meet GDPR standards and, if they do not, fresh GDPR compliant consent will need to be sought. This may well involve significant work for data controllers who have historically relied on consent to justify their personal data processing.

When is Consent Appropriate?

A significant issue that the Guidance addresses is the fact that, under the GDPR, consent may well not always be required to provide a legal basis for processing personal data and may not always be the most appropriate basis or the easiest to achieve (there are six lawful bases for processing personal data, including consent). Essentially, data controllers are likely to need to obtain consent when no other lawful basis is available, but it is less likely to be appropriate in other circumstances. Consent will only be the most appropriate legal basis for processing when people are offered real and ongoing choice and control over how their personal data will be used. If a genuine choice cannot be offered, the ICO is clear that asking for consent could be considered misleading and unfair.

Valid Consent

The draft Guidance focuses on the various elements required to obtain valid consent. First, to ensure that consents are freely given, individuals must be able to refuse consent without penalty and withdraw consent easily at any time. Consents must be unbundled from other terms and conditions (with granular options provided for different types of processing) and not made a condition of receiving a service unless the relevant personal data processing is necessary for that service. For example, requiring individuals to agree to the use of their personal data for direct marketing purposes in order to receive a “free” online service, where the processing of personal data is not required for the individual to receive the service, is unlikely to be regarded as valid consent. Employers and public authorities in particular should note that the Guidance also stresses that it will be difficult to obtain freely given consent in any relationship where there is an imbalance of power and they are likely to need to identify an alternative legal basis for personal data processing in many cases.

Of particular interest to data controllers involved in areas such as direct marketing is the fact that the ICO stresses that consents must specifically identify the data controller and any third party who will be relying on the consent and state the purposes of the processing. Consent for categories of third-party organisations will not be sufficiently specific. The requirement to specifically name each third party to whom personal data will be made available may well restrict certain data controllers’ ability to send direct marketing communications to potential customers. Granular options to consent separately to separate purposes must also be provided covering each type of processing activity, where possible (unless such activities are clearly interdependent). Details of how to withdraw consent at any time must also be provided. Wording must be prominent, concise, separate from other terms and conditions and in plain language. For data controllers who wish to process personal data in various different ways for various different purposes, there may be a risk that complying with these requirements will confuse data subjects instead of clarifying the use of their data for them.

Electronic consent requests must not be unnecessarily disruptive to users, and the ICO recommends the use of user-friendly layered information and “just-in-time” notices. Data controllers are likely to have to make changes to their existing electronic consent procedures in many cases to ensure that these requirements are adhered to.

The GDPR requires it to be obvious that individuals have consented and what they have agreed to and a clear signal that they give consent is required. Clear affirmative action requires individuals to take deliberate action to opt in. The draft Guidance suggests that various forms of action will comprise a valid opt-in, for example, ticking an opt-in box (on paper or electronically), clicking a link online, signing a consent statement, making an equally prominent binary choice, or switching technical settings away from the default, among others. Relying on acceptance of general terms and conditions, failure to opt out, default settings, silence, pre-ticked boxes or inactivity will not constitute valid consent.

Implied Consent

The draft Guidance adopts a pragmatic approach to implied consent, confirming that it can still constitute an affirmative act in some circumstances, especially more informal offline situations, although it must also be possible to verify consent. The ICO has confirmed, however, that implied consent cannot be explicit consent.

Duration of Consent

Data controllers should note that consent is not static and that the validity of consent is contextual. Consents should be reviewed regularly as they will probably degrade over time, although this depends on the context, the scope of the original consent and the data subject’s expectations. If processing operations change, consents may no longer be sufficiently specific or informed and data controllers will need to seek refreshed consents unless another lawful basis for processing exists (as a default position, the ICO recommends considering refreshing consent every two years, but this may not always be appropriate).

The draft Guidance requires that withdrawal of consent should be an easily accessible one-step process and, if possible, data subjects should be able to withdraw their consent in the same way that they gave it (e.g., if consent is given using an online form, it should also be possible to withdraw consent using an online form). Data controllers should consider publicising both online preference management tools (such as privacy dashboards) so that individuals can access and update their consent settings easily and other easy ways of withdrawing consent (e.g., customer service phone numbers) and should also offer opt-out by reply to every contact (e.g. opt-out phone numbers, addresses or unsubscribe links in e-mails).

Children

For service providers targeting online services at children, the draft Guidance emphasises the new GDPR provisions which increase protection for children’s personal data and are additional to those already considered above. Subject to certain exceptions, if “information society services” (essentially, services requested and delivered over the internet) are offered to children and data controllers want to rely on consent as a lawful basis for processing, then consent from the child’s parent or guardian is required for any child under 16 (although Member States may impose a lower age not below 13). Data controllers will need to introduce age verification measures and must make reasonable efforts to verify parental responsibility for those under the relevant age.

Data controllers who process children’s personal data other than in the context of information society services should decide whether the child has the capacity to understand and consent for themselves. Age verification measures and steps to verify parental consent for children who cannot consent may still be needed. It is worth considering whether legitimate interests rather than consent could form a legal basis for the processing of children’s personal data in some circumstances.

Records

Data controllers will need to be able to show that individuals have consented to personal data processing, and effective audit trails of how and when consent was given should be established to provide evidence if challenged. The draft Guidance includes some useful examples of what consent records should include. Details should be kept of (i) who consented; (ii) when (e.g., the ICO suggests retaining copies of a dated document or online records that include timestamps); (iii) what they were told at the time; (iv) how they consented (e.g., if consent was given online, records should include the data submitted and a timestamp to link it to the relevant version of the data capture form); and (v) whether consent has been withdrawn and, if so, when. The Guidance suggests that records should also be specific and granular to show exactly what the consent relates to.

Comment

The Guidance sets out some helpful practical suggestions regarding how data controllers should obtain and manage consents in the context of personal data processing; however, some aspects of the Guidance may be controversial. For example, as noted above, there is a concern that the requirement to specifically identify every third party who will be relying on the consent rather than being able to list categories of third-party organisations will raise challenges for many data controllers. Similarly, there is a concern that the required level of granularity regarding opt-in mechanisms may, in practice, serve to confuse individuals rather than giving them enhanced choice and control over how they consent to the use of their personal data.

Based on the draft Guidance, it seems likely that consent will be used by data controllers significantly less often to justify their personal data processing than has been the case prior to implementation of the GDPR. It will be interesting to see whether and, if so, in what ways, the Guidance is updated following the ICO’s consultation (the ICO hopes to publish the final version of the Guidance in June 2017).


London

August 23, 2017

UK Government Sets Forth Approach for GDPR

Attorneys: Rohan Massey, Clare Sellars

With its “Statement of Intent” published on 7 August 2017, the UK Government has taken the first step in the process of cementing the General Data Protection Regulation into UK law. In the statement, entitled “A New Data Protection Bill: Our Planned Reforms” (the “Bill”), the Government commits to updating and strengthening data protection laws through the new Bill in order to fulfil its vision of the UK being “the best and safest place to live and do business online”.

The statement explains that the Government is determined to ensure that the GDPR best supports UK interests and sets out the necessary changes that the Bill will make to the GDPR to this end. Inevitably, it recognises that the proposed Data Protection Bill must be consistent with the GDPR to ensure that safe and uninterrupted data flows continue between the UK, the EU and other key markets such as the US.

Some of the main points arising from the statement are considered below, including how the Government intends to invoke any derogations permitted by the GDPR to allow “a simpler shift for both businesses and consumers”.

Personal data – Reflecting the growth in technology, the definition of personal data will be expanded to include IP addresses, internet cookies and DNA.

Consent to profiling – The rules around consent are strengthened and subject to additional conditions, such as being “unambiguous” and easy to withdraw. Consent must also be “explicit” when processing sensitive personal data. Reliance on default opt-outs or preselected “tick boxes” will become a thing of the past. The GDPR provides that parents or guardians must give consent to personal data processing on behalf of young children using information services. It allows the UK to set the minimum age at which a child can consent to data processing to any age between 13 years and 16 years. As expected, the Data Protection Bill will legislate to allow a child aged 13 years or older to consent to his or her personal data being processed.

Improved data access – Individuals will find it easier to require an organisation to disclose the personal data it holds about them at no charge. The statement says that data controllers will provide better information on how to access information and empower people to take ownership. The Bill will also create a new offence of altering records with intent to prevent disclosure following a subject access request.

Data portability – New rules will make it easier for customers to move data between service providers. The statement explains, for example, that where an individual changes internet service providers, if he or she is using email or file storage services to store personal photographs or other personal data, he/she should be able to move that data.

Right to be forgotten – Subject to certain exceptions, individuals will be able to ask for their personal data to be erased in certain circumstances. This will include provision to allow people to require social media platforms to delete information they posted during their childhood. In certain circumstances, individuals will have the ability to ask social media companies to delete any or all of their posts. For example, a post on social media made as a child would normally be deleted upon request, subject to very narrow exemptions.

Profiling and automated processing – Individuals will have greater say in decisions that are made about them based on automated processing. Where decisions are based on solely automated processing, individuals can request that processing be reviewed by a person rather than a machine. The GDPR allows exemptions where suitable measures are put in place to safeguard the individual’s rights. In this respect, the statement says that there are also legitimate functions which are dependent on automated decision-making. For example, a bank, before agreeing to provide a loan, would be entitled to check the creditworthiness of an applicant. In this context, an automated credit reference check would be an appropriate means of achieving this outcome. In light of this, the Government says that it will legislate to implement this exemption with a view to ensuring legitimate grounds for processing personal data by automated means.

Enforcement – The ICO will continue to have the ability to request information from data controllers and processors, enter and inspect premises, carry out audits and require remedial action. The maximum fine for serious data protection breaches is increased from £500,000 to €20m or, in the case of undertakings, 4% of global turnover, whichever is the greater. The statement adds that offences will be modernised to ensure that prosecutions continue to be effective, and new offences will be introduced to deal with emerging threats. In particular, the Bill will create a new offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data. Offenders who knowingly handle or process such data will also be guilty of an offence, and the maximum penalty would be an unlimited fine.

Processing criminal conviction and offence data – The GDPR only permits bodies vested with official authority to process personal data on criminal convictions and offences. However, the GDPR does allow the UK to legislate to permit other bodies to process this category of personal data. For example, UK legislation could permit a private or third sector employer to obtain details of criminal convictions in order to carry out a criminal records check. To preserve continuity, the statement of intent says the Government will legislate to extend the right to process personal data on criminal convictions and offences so as to enable organisations other than those vested with official authority to process criminal convictions and offences data.

Freedom of expression in the media – The GDPR provides for exemptions to certain areas of data protection to allow for journalistic activity in the public interest. Currently, under s 32 of the Data Protection Act, exemptions exist for personal data which are processed for special purposes if the processing is undertaken with a view to publication, that publication is in the public interest, and compliance with the data protection principles is incompatible with the special purposes. The Government believes that the existing exemptions set out in s 32 “strike the right balance between freedom of expression of the media and the right to privacy for individuals”. It therefore intends broadly to replicate s 32. The main difference will be to amend provisions relating to the ICO’s enforcement powers to strengthen the ICO’s ability to enforce the re-enacted s 32 exemptions effectively.

Comment

No surprises here – the Bill will be consistent with the GDPR. This is good news for any organisation planning its UK and EU compliance strategy in preparation for May next year. The derogations set out in the Bill are by definition only such as permitted by the GDPR and the Bill will use them largely to minimise disruption to existing practices which have worked well, for example legitimate processing of offence data and legitimate processing by automated means. The Bill, once enacted, should pave the way for GDPR compliance in the UK and itself become the corner stone for an adequacy finding if Brexit moves the UK out of the EU.

BREXIT

IMPLICATIONS OF THE UK’S BREXIT REFERENDUM

BULLETIN | 1 SEPTEMBER 2016

As autumn approaches and preparation for the next round of Brexit discussions begins, this note summarises the current position and analysis following the UK’s vote to leave the EU on the 23rd June (the “Referendum”). Whilst the debate on the implications of Brexit, including the proposed shape and form the UK’s new relationship with the EU is constantly evolving, it is clear that firms operating within the UK and the EU need to continue to do business throughout. Consequently, this note highlights steps that firms may wish to take during this interim period between now and the UK’s actual exit from the EU.

CONTENTS

- Introduction: “keep calm and carry on”
- Exit procedure and negotiation process
- Formal exit procedure
- Trade relationships
- Issues under debate
- Constitutional issues
- Timing
- Potential models for the future relationships of the UK with the EU
- What does Brexit mean for the City of London?
- Key considerations
- Impact on contracts
- Impact on the use of financial services passport
- Tax
- Cross-border Insolvency
- Arbitration
- Private Equity Transactions
- Real Estate
- Loan and High Yield Bond Market
- Securitisations and CLOs
- Derivatives
- Competition
- Data Protection
- Intellectual Property
- Government Enforcement/White collar crime

“KEEP CALM AND CARRY ON”

From a legal perspective, nothing has changed following the Referendum. The UK remains a member of the EU and applicable EU law remains in force. Although the outcome of the Referendum is not legally binding[1] on the UK government (it is merely advisory), it appears highly unlikely that the UK Parliament will ignore the decision of the electorate. Consequently, this note sets out some of the potential legal implications which may affect your business upon Brexit[2].

There were various immediate economic consequences following the Referendum, including an initial fall in sterling and a decline in the stock market, but the UK economy has already shown signs of resilience following the immediate days after the Referendum. The UK government confirmed that it will relinquish its six month rotational presidency role of the European Council in 2017 with the President of the European Council (Donald Tusk) confirming that Estonia will take over this role.

In addition, Lord Hill resigned as the UK’s EU commissioner in the wake of the Referendum, and his role overseeing financial services regulation has been reassigned to Valdis Dombrovskis from Latvia. Consequently, although the UK remains a member of the EU until Brexit and maintains its position as having one of the largest GDPs in the EU, it is inevitable that the UK’s influence in current EU negotiations may diminish in the interim period prior to Brexit. Conversely, given that substantial pieces of financial services legislation (often based on UK principles of operation or UK legislation) have already been drafted and approved by the EU, the effective influence of the UK should continue within the EU financial services.

Despite the above, currently, it is “business as usual” in relation to day to day operations within the UK and the EU. However, businesses should monitor and track developments as the discussions and negotiations between the UK and the EU unfold and ensure amendments are implemented in future business plans. Firms may consider how to streamline their operations on a cross-border basis but also identify and take advantage of opportunities from the potential effects of the current market dislocation within the UK and EU.

[1] The European Referendum Act 2015 made provision for holding the Referendum, but did not make the vote legally binding on the government.
[2] In this note, the term “Brexit” shall mean the point at which the UK leaves the EU.

EXIT PROCEDURE AND NEGOTIATION PROCESS

Formal Exit Procedure

Article 50 of the Treaty on European Union (“TEU”) sets out the procedure for a member state to withdraw from the EU. Article 50 states that a decision to leave should be made in accordance with a member state’s constitutional requirements. Once the UK notifies the European Council of its intention to withdraw under Article 50, the UK will remain a member of the EU until the earlier of: (a) the date on which an agreement to withdraw from the EU is finalised; or (b) the expiry of a two year period from the date of notification (unless there is unanimous approval for an extension from the other 27 EU member states). Under Article 50 the exiting member state cannot participate in discussions of the European Council regarding its exit.

The general view amongst commentators is that the withdrawal notice is irrevocable, as Article 50 does not provide for a revocation of the withdrawal notice, and therefore the trigger of Article 50 should not be used to renegotiate a member state’s position within the EU. (However, we do note that recent expert analysis[3], commissioned by the House of Lords, indicated that the decision to leave the EU can be reversed after an Article 50 notice had been delivered provided that this was prior to the withdrawal date.) Once the withdrawal agreement has taken effect, the decision to leave the EU is final. If the UK wishes to rejoin, it will need unanimous approval of all EU member states. Alternative options to implement the exit of the UK from the EU, such as treaty amendment under Article 48 TEU or repealing the European Communities Act 1972, have been put forward. These options are undeveloped and potentially more complicated. Furthermore, the European Council has made it clear that withdrawal should occur in accordance with the procedure set out in Article 50 and it seems unlikely that the UK will take an alternative route.

The withdrawal agreement requires approval by a qualified majority of the EU Council (being 72% of the member states representing at least 65% of the total EU population (excluding the UK)), which means that a single member state cannot block the vote. At this stage the shape and form of the withdrawal agreement (or agreements) is unclear, but will include technical details regarding allocation of surplus budgets, and other transitional issues. Decisions regarding the fundamental nature in which the UK and the EU work together going forward will be made, including agreeing on the future of the four EU freedoms and whether these will be upheld in any way. Questions will need to be answered as to whether there will be an agreement to maintain key principles such as the freedom of movement of people or the freedoms to provide goods or services across the EU if the UK were to leave the EU.

Trade Relationships

The UK currently trades with approximately 50 non-EU countries on the basis of preferential trade deals negotiated by the EU. As the UK will likely no longer benefit from these trade agreements following Brexit, it has started informal discussions for its own deals. Other trade relationships with around 100 countries are governed by World Trade Organisation (“WTO”) rules, which is the default position in absence of any other agreement. It would benefit the UK to negotiate more bespoke deals with these other countries. Technically under current EU rules, member states cannot enter into separate trade deals with either individual member states or third countries, therefore formal trade agreements can only be signed once the UK has left the EU. The government has three key members of the cabinet dealing with trade negotiations: the Brexit secretary (David Davis); the foreign secretary (Boris Johnson); and the international trade minister (Dr Liam Fox). The European Commission (“EC”) has appointed Michel Barnier, who was involved in Europe’s post-financial crisis, as its chief negotiator over the Brexit terms.

[3] Sir David Edward KCMG, QC, PC, FRSE, a former Judge of the Court of Justice of the European Union and Professor of Law, University of Edinburgh; and Professor Derrick Wyatt QC, Professor of Law, Oxford University, and also of Brick Court Chambers.

ISSUES UNDER DEBATE…

Whilst the UK government has given every indication that it will implement Brexit there are a few issues under debate, which require resolution, in relation to the formal notification of Article 50 (including if and when the trigger will be invoked by the UK government).

Constitutional Issues

The UK government has not yet taken any steps to formalise the exit of the UK from the EU. While Theresa May, the new UK prime minister, has said “Brexit means Brexit”, there has been much debate as to whether formal withdrawal from the EU under Article 50 requires parliamentary approval to be constitutionally valid. Government lawyers have stated that withdrawal under Article 50 does not require an approval by the UK Parliament, but there are several pending legal challenges as to whether the Article 50 notice can be served by the government (acting through the prime minister) based solely on the exercise of royal prerogative. Some academics have argued that since the Parliament introduced EU law into UK domestic law, only the Parliament can trigger the steps to remove it. Others argue that the withdrawal decision falls under the government’s inherent prerogative powers to conduct foreign affairs. The use of prerogative powers to invoke Article 50 could be challenged as ultra vires if the authorisation of Parliament is not sought. We note that the UK Prime Minister and her cabinet have indicated they do not intend to seek prior parliamentary approval or require a general election prior to triggering Article 50.

Timing

The UK government has indicated that it will only invoke Article 50 after further domestic consideration and analysis has been undertaken in relation to the exit process, and that it is unlikely to occur before the end of 2016. Commentators have discussed that the timing of the submission of the formal notice under Article 50 may also be influenced by general elections in Germany and France in 2017. Despite the lack of a formal ‘trigger’, the UK government has begun its efforts to engage with leaders of EU member states informally, though it should be noted that key EU leaders and Members of European Parliament (“MEPs”) have stated that minimal negotiations (or decision making) may occur prior to the UK serving the Article 50 notice and commencing formal discussions. Aside from discussions at the government level, there are further informal discussions between UK institutions and their counterparts in other EU jurisdictions (including at a regulator to regulator level), primarily with the aim of ensuring a smooth continuance of business now and preparing for an effective transition of relevant legal entity permissions if and when this may become necessary.

POTENTIAL MODELS FOR THE FUTURE RELATIONSHIP OF THE UK WITH THE EU

The European single market guarantees the “four freedoms” in the EU: free movement of goods, persons, capital and services. The UK may seek to maintain certain aspects of these arrangements with the EU, while negotiating to remove less advantageous aspects. The UK’s continued access to the EU single market following Brexit appears, to a certain extent, to depend on the continuation of all four freedoms.

There are a number of more “established” options available to the UK on exit from the EU including:

- Membership of the European Economic Area (“EEA”)[4] and European Free Trade Association (“EFTA”) (such as Norway). This allows access to the EU’s internal market without a vote on policy or law-making and requires a financial contribution to the EU budget (the “Norwegian Model”). To become a member of the EEA, the UK would need to re-join the EFTA[5] to enable it to benefit from the economic co-operation, free movement of goods between the EFTA states (Iceland, Liechtenstein, Norway and Switzerland) and also possibly access the EFTA’s existing free trade agreements with over 35 countries;

[4] EEA membership is available to member states of the EU and EFTA.
[5] The UK historically was a member before leaving to join what is now the EU.

- Customs union (such as Turkey). This allows limited access to the single market for goods, but not services;

- Bilateral arrangements with the EU (such as Switzerland). This provides access in part to the EU single market and requires a financial contribution to the EU budget. Negotiations with Switzerland were lengthy and resulted in over 200 trade agreements;

- Free trade agreement (such as Canada). This would be a more bespoke option with a trade agreement between the UK and the EU bloc, but could take time;

- Continuing membership of World Trade Organisation (“WTO”). This would rely on general international trading rules, which would be the default model if no other agreement was reached between the EU and the UK; or

- Renegotiation of the EEA Agreement. An alternative approach has been suggested where the UK could re-join the EFTA and then attempt to renegotiate the EEA Agreement with the EU as a bloc with the other EFTA member states.

However, there is also the possibility that the UK will aim to craft a “UK specific” agreement which may be an amalgamation of elements of the options stated above. Again, it is hard to predict which approach the government is likely to take at this stage.

WHAT DOES BREXIT MEAN FOR THE CITY OF LONDON?

Much has been written about the effects of Brexit and how it could impact London’s position as the EU’s principal financial centre if the UK loses its access to the EU single market and associated “passporting” rights. The use of the EU passport allows a firm to establish in one EU jurisdiction and obtain a passport to provide services in another EU jurisdiction. This can be achieved either on a cross-border basis or through establishing a branch. The use of passporting is discussed in more detail below in the “Regulatory” section, as well as in our separate client briefing on passporting, available here.

However, it should be noted that financial services are a major part of the UK economy (around 10% of UK’s gross domestic product) and London’s established capital markets account for about three quarters of European capital market business. These factors, along with the sophisticated legal regime, language advantages and the geographical appeal of London have made the City attractive as headquarters for European financial activity and business. The City is home to key personnel, with a wealth of specialist expertise, who may be reluctant to leave London. Consequently, despite the announcement of certain banks that the possible loss or partial loss of the EU passport may result in a downsizing of their London operations and trigger a move of certain functions to other EU countries or even the United States, we are of the view that London will continue to have much to offer within the global financial services industry. We also note that differing financial services entities and sectors will approach Brexit differently, with some industries such as the asset management industry recognising that in many instances they already have operations set up in both the UK and Continental Europe, diluting the potential effect of Brexit on existing operations.

London’s appeal to international litigants should remain untarnished following Brexit. The popularity of the English courts as a forum of choice in international transactions should continue due to their efficiency, accessibility and record of impartiality. English contract law is largely unaffected by Brexit and is likely to retain its prevalence as the governing law for international contracts, as its relative predictability (due to precedent case law), commerciality and familiarity will remain attractive.

KEY CONSIDERATIONS

Whilst it is still too early to provide a definitive legal analysis of the effect of Brexit, firms should begin their analysis on the potential impact of Brexit on their business. The remainder of this note provides more detail in relation to some of the key areas that may affect businesses and sets out some issues that will need to be monitored as the Brexit discussion progresses.

Impact On Contracts

Whilst we believe that it is unlikely that Brexit will have a significant impact on the interpretation and enforceability of existing or new contracts governed under English law, it will still be necessary to conduct further analysis in the coming months on the potential consequences of Brexit on contracts governed by English law.

Governing Law, Jurisdiction And Enforceability

The choice of governing law for new contracts may be a consideration for lawyers and businesses following the Referendum but the possible changes have, in the main, in our view, been overstated. The concern is that leaving the EU will mean that English courts are no longer bound by the Rome I Regulations[6] and the Rome II Regulations[7] which currently require member states’ courts to respect an agreed choice of governing law clause (which will mean that the other member states will continue to give effect to English law contracts). However, even if the UK reverts to English common law without entering into a new arrangement with the EU, the common law had a solid history of upholding parties’ choice of law. Where the parties have not specified a governing law, the principles that would be applied under English common law are broadly similar to those that would be applied under the Rome I & II Regulations. Given the courts’ willingness to uphold governing law clauses, the most effective way to remedy any uncertainty surrounding governing law is to include an explicit governing law clause in all contracts.

In contrast to governing law, Brexit does raise questions about the appropriate jurisdiction arrangements post-Brexit when parties have not specified jurisdiction in commercial agreements. At present, the Brussels I Regulation (recast)[8] details how jurisdiction should be determined including factors such as the location of defendants and the place where the “harm” occurred. The Brussels I Regulation also introduced the current enforcement framework for the EU, allowing the enforcement of member state judgments in any other member state without any need for further hearings. Brexit will mean that the UK is no longer part of the Brussels I Regulation. The UK may seek to join the Lugano Convention or the Hague Convention on Choice of Court Agreements (which goes even further geographically than the Brussels I Regulation and includes Singapore and Mexico) to try and preserve the status quo as much as possible, but these agreements do not provide the same level of protection as the Brussels I Regulation. Crucially, the UK will need to find an agreement that means that English judgments can be enforced, without delay or additional cost (for example having to sue on a judgment), in the other EU member states in order to stem any potential flow of litigation on to the continent.

Contractual Clauses

A further discrete point is whether or not parties may consider challenging the validity of contracts on the basis that Brexit represents a force majeure. For example if tariffs are imposed between the EU and UK that significantly change the nature of an agreement, it will be a matter for the court to decide if Brexit can be considered an “exceptional event”. Timing of agreements will be crucial in this regard because in order to successfully argue that an event is a force majeure it must be unforeseeable at the date of the contract. In practice, it will be difficult for a party to argue that Brexit was unforeseeable following the Conservative Party’s election win in 2015.

Contracts which reference the EU as a territorial jurisdiction may also be the subject of review following Brexit. For example, this will be most relevant in distribution agreements where parties may wish to consider amending terms, where possible, to specifically include or exclude the UK.

Next Steps?

Whilst there is probably no need for a comprehensive document review at present, it would be prudent to consider documentation which may warrant a deeper analysis to identify any potential key issues regarding governing law or the potential trigger of force majeure or material adverse change, or review key contracts which may include references or reliance on the existence of EU/EEA laws or EU/EEA/EFTA membership. In addition, it may be useful to insert “Brexit proof” clauses either

[6] EC/593/2008
[7] EC/864/2007
[8] EU/1215/2012

by amending existing key contracts or when entering into new contractual documentation. In relation to financial services, there is already a concerted effort to pool together thought on drafting “Brexit proof” clauses and/or concepts of grandfathering provisions, particularly in relation to references to the applicability of EU Directives or Regulations.

Impact On The Use Of The Financial Services Passport

While it is uncertain which model the UK will adopt following Brexit, for now (and unless a “UK specific” alternative is found) only UK membership of the EEA would guarantee the continued use of EU/EEA passporting rights for regulated financial services firms (the “EU/EEA Passport”). Under certain Directives, the UK could obtain passporting rights (in respect of some services and for some types of clients) as a “third country”, conditional on the UK’s financial services regime being determined to be equivalent by the European Securities and Markets Authority (“ESMA”) (the “3rd Country Passport”). Please see our previous client alert and blog on passporting for more detail.

The availability of a passport varies under each EU Directive, with some Directives such as the Markets in Financial Services Directive II (“MiFID II”) and the Alternative Investment Fund Managers Directive (the “AIFMD”) providing for the availability of both an EU/EEA Passport and a 3rd Country Passport, whilst the Capital Requirements Directive IV (“CRD IV”) does not contemplate a 3rd Country Passport and the Undertakings in Collective Investment Schemes Directive (“UCITS”) does not allow for third country access either. Consequently, firms will need to conduct an analysis on which of their entities is affected under a potential Brexit and what potential options they have available to them if the UK is no longer part of the EU/EEA. From a timing perspective, whilst it is too early to set out in stone what the future relationship the UK will have with the EU, in the next few months and likely before a Brexit occurs, firms will need to start forming views as to what steps (if any) they need to take to ensure they can carry out their business plan effectively within the UK and the rest of the EU going forward.

This decision making may vary depending on the types of activity your entity conducts and what other entities you have in the EU outside of the UK. For example, whilst there may not be an immediate need for a firm which has established both a retail fund platform in the UK and the EU to change anything other than to monitor whether their EU entity will be allowed to delegate certain functions to the UK entity, this may not be the case for banks headquartered in the UK who rely on their EU/EEA passport to conduct banking services.

Obtaining Passport On The Basis Of ‘Equivalence’

If the UK leaves the EU (and is not a member of the EEA either), it would be treated as a “third country” for the purposes of EU financial services legislation. As indicated above, some EU Directives grant rights to third country firms to conduct business in the EU on the same basis as EU firms, namely MiFID II, the AIFMD and the Solvency Directive. The question of what meets the criteria for “equivalence” is likely to draw much attention over the coming months and years, particularly as (at present) there is no uniform approach to equivalence across all EU Directives. In addition, the concept of equivalence is fairly new under EU legislation; consequently, it is hard to draw firm conclusions on what tests the UK will need to complete to meet the equivalence test under each EU Directive that provides for a 3rd Country Passport. It is useful to look at the commentary provided by ESMA for the purposes of the use of the 3rd Country passport under the AIFMD detailed below as at least an initial indicator of what may be expected by the EU (please see our client alert on the AIFMD 3rd Country passport).

However, the story of equivalence may not be that simple when we look at the terms set out in ESMA’s advice on the AIFMD, which reviewed whether there was a level playing field for competition between the EU and a third country. For example, if the UK were to opt for a “twin track” approach, allowing for parallel tracks for firms to operate or products to be sold in the UK with one set being held out as “EU equivalent” and another set of domestic “regulatory-light” rules for UK firms, a question would open up as to whether this would meet ESMA’s criteria for a level playing field for competition purposes?

MiFID II envisages a regime to allow third country firms to provide cross-border services covered by MiFID (such as broker-dealer services) only to more sophisticated or institutional EU clients (namely, per se professional

clients and eligible counterparties). This regime will only be implemented at some point following the application date of MiFID II, January 2018. The principal condition is that the EC adopts an “equivalence” decision in relation to the relevant third country if the EC determines that the third country has prudential and business conduct rules which have equivalent effect to the CRD and MiFID (and the detailed implementing measures made thereunder). The EC must also determine that the third country has an effective equivalent system for the recognition of foreign investment firms. On the assumption that the UK will largely retain the same rules as under CRD and MiFID, the UK’s regime may be considered “equivalent” at some date in the future, but this is not certain – particularly if the UK sees a competitive advantage in diverging from some aspects of CRD and MiFID in the future. In addition, there is no particular timetable for the Commission to adopt an equivalence decision. In the meantime, local rules on access by third countries will apply which can be restrictive.

There is no third country passport under MiFID for services provided to retail clients (including individuals and local authorities (and potentially their pension schemes)). MiFID allows member states to require any third country firm to establish a branch in the state where the service is provided. In practice, third country firms that intend to actively solicit business from retail clients in more than one or two member states will need to establish a separate entity in one state, obtain authorisation for that entity and use the MiFID passport to provide services in all other states.

The grant of the passport under AIFMD to third country firms is at a more advanced stage. ESMA recently published its final advice to the EC, giving the green light to the grant of the passport to managers and funds established in (inter alia) the United States, Guernsey, Jersey, Switzerland and Japan. The conditions in the AIFMD for the grant of the passport are similar (but not identical) to the conditions in MiFID. ESMA’s work to date indicates that the key conditions are, firstly, that the third country’s regime is suitably robust in terms of supervision and investor protection, and, secondly, that there is a level playing field between EU and non-EU managers as regards market access, in particular whether the third country regime allows marketing by EU managers of their funds on reasonable terms. If the UK retains its AIFMD rules (potentially as an “opt-in” for UK managers), there appears to be no reason why the UK cannot obtain the third country passport – but this is in part a political decision, raising uncertainties as to the criteria which the EC might apply.

Tax

The EU oversees national tax rules to ensure that these are compatible with EU law and policy, but tax rate setting and tax collection generally remains a matter for individual member states. The direct impact of Brexit is likely to be felt only in those areas where the UK regime originates from EU law (such as VAT). Other aspects may change following Brexit, for instance following extrication from EU state aid restrictions and the single market. Much will depend on the precise UK-EU relationship post-withdrawal, and (as always in fiscal affairs) the prevailing economic climate and impact of Brexit on HM Treasury revenues. Implementation of the OECD’s Base Erosion and Profit Shifting project (“BEPS Project”) is entirely separate to the question of the UK’s EU membership and the changes in law arising from the BEPS Project are not expected to be affected by the UK’s withdrawal. However, on leaving the EU the UK would not, prima facie, be obliged to implement the recently approved EU Anti-Tax Avoidance Directive, or any other EU measures, aimed at harmonizing the implementation of the BEPS Project throughout the EU, other than by virtue of any terms relating to the UK-EU relationship post Brexit.

Value Added Tax

The VAT system within the EU (UK included) is broadly aligned under EU law. As a large and well established source of revenue for HM Treasury, there is a strong incentive for the UK to maintain alignment with the EU system immediately following withdrawal. However, the UK would also gain the ability to adjust rates and alter VAT exemptions/reliefs after Brexit.

Some implementation and compliance costs of transitioning to any new domestic VAT system should be anticipated. Some areas could be simplified, such as removing the current requirement to submit European Sales Lists of intra-EU B2B supplies. However, there may be a cash flow cost for importers in paying and recovering import VAT on goods received from other EU member states.

Withholding Tax/Double Taxation

The UK has an extensive network of double tax treaties (“DTT”), which operate to reduce or eliminate a number of instances of double taxation and the imposition of withholding tax on certain payments made to and from the UK. The Referendum and Brexit are not expected to affect their operation. As it currently stands, these DTTs are overlaid by two key Directives that eliminate withholding taxes on certain dividends, interest and royalty payments made between associated companies within the EU. In addition, double taxation of dividend payments between parents and subsidiaries within the EU is prevented. Fully outside of the EU, payments made intra-group to and from the UK/EU will cease to benefit from these Directives.

In many cases, the relevant DTT should provide equivalent relief to the Directives, but there are cases where coverage from the relevant DTT is incomplete. This could affect (i) interest payments between certain jurisdictions such as the UK and Italy and Portugal (and vice versa), and (ii) relief from withholding tax on dividends paid to the UK out of certain jurisdictions such as Austria, Germany, Italy and Portugal. In addition (unless a domestic participation exemption applies), domestic tax charges for dividend income received by an EU parent entity from the UK may not be fully eliminated under the relevant DTT.

Recent UK draft legislation[9] increases the scope for UK withholding tax on royalties, to include payments from non-UK companies “in connection with a trade carried on by that person through a permanent establishment in the UK”. The UK DTTs with, for example, Luxembourg, Italy and Portugal do not give zero rates on withholding on royalties, so both payer and recipient companies should consider whether a UK withholding tax liability would arise under these new rules.

In addition, certain US DTTs with EU member states, such as the Luxembourg–US DTT provide an exclusion from the limitation of benefits clause where, inter alia, 95% of a company’s shares are owned by seven or fewer EU (or in certain cases, EEA) companies. Following Brexit, unless something changes in these DTTs, subsidiaries of UK parent entities will lose this protection.

Additional areas to consider

On occasion, other aspects of the UK’s direct tax regime have been held to be incompatible with EU law. A stamp duty reserve tax of 1.5% on UK company shares issued into depository receipt and clearance systems (e.g. Euroclear, Clearstream etc) could be applied, along with the introduction of targeted tax incentive regimes that might previously have been considered as unlawful state aid. Conversely, the UK is likely to lose ‘protection’ from being discriminated against by other member states. If the UK is no longer bound to respect the EU fundamental freedoms, we may also see a broadening of the current UK Controlled Foreign Companies rules. With the UK outside of the EU, developments towards the EU Financial Transactions Tax and Common Consolidated Corporation Tax Base could be accelerated.

Transaction documentation will need to be carefully considered to ensure the risks from changes in law arising from the UK’s departure are considered and adequately addressed. The impact of Brexit on the eventual enforcement of judicial tax decisions that involve questions of EU law is also in question, although current and future litigation will of course be decided on the law in force at the relevant time.

Cross-Border Insolvency

The EU Insolvency Regulation[10] (“EIR”) is currently directly applicable in the UK. Its successor, the recast EU Insolvency Regulation[11] (“recast EIR”) will apply to proceedings commenced on or after 26 June 2017, until the occurrence of Brexit. Both regulations focus on the allocation of jurisdiction between the courts of member states, with a view to minimising or entirely avoiding competing proceedings. It remains to be seen whether the continued application of the EIR or the recast EIR can or will be negotiated, once the UK leaves the EU.

Existing alternative provisions are of limited assistance. The Insolvency Act requires the UK courts having jurisdiction in relation to an insolvency court to assist courts having the corresponding jurisdiction in “any relevant country or territory”, but a) that provision only assists in relation to inbound requests to UK and b) no member state is currently designated a “relevant country or

[9] Once enacted, the rules will be backdated to apply from 28 June 2016.
[10] EC/1346/2000

territory”. The UK’s Cross-Border Insolvency Regulations[12], implementing the UNCITRAL Model Law, provide for co-operation and recognition between courts and competent authorities involved in cases of cross-border insolvency, but again, this will only assist with inbound requests, as only Greece, Poland, Romania and Slovenia of the other member states have signed up to UNCITRAL.

Schemes Of Arrangement

Over the past 10 years, the restructuring of companies incorporated in member states other than the UK via schemes of arrangement sanctioned by the UK courts has become increasingly popular. While the EIR and the recast EIR have no application to schemes, it is arguable that the EU Judgments Regulation[13] does apply. This is relevant for two reasons. First, it has been argued that its conditions need to be satisfied to establish the jurisdiction of the UK court to sanction a scheme. That argument against scheme jurisdiction could no longer be run if the Judgments Regulation ceased to apply to the UK. Second, it has been argued that the UK court’s decision will be recognised in other member states because the Judgments Regulation applies. That is crucial where most of the company’s assets are in other member states, as the court wants to be satisfied that its sanction order will have substantive effect. While that argument in favour of jurisdiction could no longer be relied upon, evidence that the order would be recognised on local or private international law grounds has already been accepted by the UK courts in a number of cases covering the key EU jurisdictions other than the UK. Consequently, while it remains to be seen whether the continued application of the Judgments Regulation can or will be negotiated, schemes of arrangement should largely be unaffected.

Arbitration

In the short-term there may be an increase in the popularity of Alternative Dispute Resolution. In the UK this may lead to more parties seeking to mediate their disputes, but in terms of international disputes, arbitration is likely to be a more suitable option given the inevitable uncertainty of the English legal system for the next few years. Arbitration may be particularly attractive to claimants whose counterparties have assets located in jurisdictions where an English judgment would not be enforceable, such as Russia. The reason for this is that the New York Convention on the Recognition and Enforcement of Foreign Arbitral Awards has a much broader reach and therefore offers enforcement protections even wider than the Brussels I Regulation. There is also the potential for English litigation to be slow and costly as the courts wade through the new framework and, as a result, arbitration is likely to be considered a solid option for disputes in the short to medium term.

Private Equity Transactions

Following the Referendum very little has changed or is likely to change in terms of the legal framework for carrying out private equity transactions in the UK. Ultimately, this is a matter of domestic (and not EU) law. Implications following Brexit from a tax structuring and merger control perspective should also be considered in PE transactions (and these are discussed separately in this note). By way of contrast, the uncertainty surrounding the terms of the UK’s continuing relationship with the EU and the likely timeframe for concluding these negotiations has had a significant impact on market confidence.

From a legal perspective at this stage, it is not possible to provide much clarity as to the legal framework that will apply to UK businesses. That said, from a legal due diligence perspective, there are strategies that can be developed to help navigate this uncertainty in terms of assessing the impact that Brexit might have on possible UK-based investment targets for a PE purchaser (or, indeed, for a vendor diligence piece in respect of existing portfolio companies). Even at this stage, it is possible to identify those sectors and businesses that are more vulnerable in certain Brexit scenarios. Obvious examples of these would include any business with significant cross-border sales of goods or services, which will need to consider the potential impact of customs tariffs, if the UK loses access to the single market. Equally, any

[11] EC/1346/2000
[12] SI 2006/1030
[13] EC/1215/2012

business whose workforce relies heavily on non-UK EU citizens may be impacted if any UK exit treaty involves restrictions on such EU citizens coming to (or continuing to) work in the UK.

Monitoring the UK’s negotiations with the EU and how the UK’s exit deal is likely to be structured will be crucial. As this process evolves, any potential investment in a target with UK operations will need to involve a careful analysis as part of the legal due diligence process to assess how its business may be affected by changes in law or regulation following Brexit. Furthermore, as we get closer to the date of the UK’s exit, transaction documents may include specific provisions relating to Brexit and its implications.

Real Estate

Property laws in the UK are fundamentally domestic systems and consequently Brexit should have a very limited legal effect on UK real estate transactions. Where EU laws impact on UK real estate, such as some environmental and planning legislation which has been implemented into domestic legislation, the expectation is that this legislation will remain in effect post-Brexit.

For the broader UK real estate sector, it is too soon to draw any meaningful conclusion on the long term impacts (if any) of Brexit. In the short term however, there is some market reaction as a result of concerns, for example, over occupier demand, the future viability of some development schemes and a fall in valuations.

In addition, a number of UK open ended real estate funds have restricted redemptions (“gates”) to protect the funds’ cash buffers and consequently liquidity has been exhausted. Investors have sought to redeem their investments following fund managers revaluing their portfolios after the Referendum. To date, the funds concerned hold a combined estimated total of £15 billion of UK property and industry analysts estimate that £3 billion to £5 billion of those assets could be put up for sale and these assets are likely to be subject to a discount.

There are undoubtedly opportunities for overseas investors to take advantage of the pressure on sterling, low interest rates and Brexit discounts on assets. A large amount of capital has been raised in recent years to invest in UK and European real estate and therefore a number of private equity real estate investors are primed to invest in discounted UK real estate in the next six to eighteen months, including from those property funds which have suspended trading.

Loan And High Yield Bond Market

The Referendum result does not trigger any immediate legal issues for loan and bond deals whilst the UK remains part of the EU. Due to the expectation that Brexit is unlikely to occur before the end of 2016 (and the assumption that there will be a two year window once Article 50 is served), the Referendum result appears to have had minimal impact on the loan and bond market at this point.

Commitment Paper Terms

- Flex
  Prior to the Referendum there was discussion of flex terms linked specifically to the Referendum, to enable lenders to re-price or restructure the deal to optimise syndication. These were largely resisted with strong borrowers suggesting the risk should have already been priced into the deal. In the aftermath of the Referendum flex terms appear to be based on the standard risk analysis. In the future this risk analysis may include the invocation of Article 50 and the actual event of Brexit two years later, whilst taking into account the term and timing of the commitment period.

- Leverage
  Currently issues such as excess demand from the buy side, quantitative easing and other actions by central banks, and US leveraged lending guidelines are more likely to influence leverage levels rather than the prospect of Brexit.

- Pricing
  Recently increased search in the market for yield has influenced pricing more predominantly than concerns related to the Referendum. In the weeks following the Brexit vote, a number of deals priced in the market at levels lower than pricing indications provided prior to the Referendum and there have also been some reversed flexed deals. However, we will need to wait post-summer to see a more accurate state of the market and pricing levels.

Foreign Exchange Issues

In respect of borrowers with sterling revenue but euro or dollar denominated debt and/or multi-currency operating costs which are unhedged (or insufficiently hedged), fluctuations in the value of sterling (including the significant drop following the Referendum) could have an impact on the cash flow of a company as well as the financial covenants. Financial statements for the period ending 30 June 2016 may adversely affect financial covenant ratios if a spot rate is used rather than an average exchange rate for these UK businesses. The possibility of further currency movements and exchange rate risks may result in borrowers revisiting their financial covenants and also assessing whether further hedging would be prudent. The potential increased cost of borrowing sterling and uncertainty in the European loan market may make “Yankee loans” more appealing to European borrowers who can accommodate the exchange rate costs of borrowing in dollars.

Tax Implications

Borrowers should consider the tax implications resulting from their EU group structure. Finance transactions are typically structured to eliminate withholding tax by ensuring lenders qualify for exemptions and the borrowers are therefore not obliged to gross-up their interest payments. These exemptions are generally governed by domestic law, but in certain circumstances the domestic exemption links to EU law and therefore on Brexit may no longer provide relief on withholding tax. In many cases the relevant DTT will provide an equivalent exemption, but some DTTs do not completely eliminate withholding tax. The impact of Brexit on tax issues is discussed further in this note above.

Drafting Considerations

Bond issuers could consider the inclusion of a risk factor in their bond documents warning that market volatility and uncertainty resulting from the Referendum may have an impact upon earnings and ability to access the credit markets. Exposure will be greatest with companies where there is a significant UK business or other UK exposure.

Various Loan Market Association (“LMA”) provisions will require additional scrutiny, possibly requiring amendments to existing documentation as well as consideration for new financing arrangements. Typically a loan document includes various covenants linked to a business material adverse change clause, which generally should not result in the Referendum or Brexit triggering a specific event of default which would ultimately allow the lenders to accelerate the debt. Lenders have historically been reluctant to call a business MAC, as it is highly subjective and a direct causal link is required between the event and adverse effect on the business of the borrower group as a whole. Going forward, caution should be exercised when drafting a MAC clause which specifically contemplates Brexit as case law precludes lenders from invoking a MAC if the parties could have anticipated the adverse events at the time of drafting the provisions.

The loss of the EU passport may create issues for UK lenders providing funding to EU entities following Brexit, unless separate licences have been negotiated where necessary. A practical solution may be for a UK financial institution to lend the funds through one of its facility offices in the EU. Illegality provisions in existing loan documentation may be triggered on Brexit requiring prepayment and cancellation in respect of a lender’s commitment, so drafting to enable replacement at par, or the flexibility for the lender to transfer the loan to an EU authorised affiliate should be considered (if not already included).

Industry bodies such as the LMA, the Association for Financial Markets in Europe and ESMA are monitoring developments and will attempt to address issues that arise in relation to the finance market. The LMA recommended forms of financing documents contain specific references to EU regulations and directives, although the interpretation provisions qualify that these references are to those laws as amended or re-enacted, which should minimise the impact of potential legislative change upon Brexit. Certain clauses (e.g. the representation relating to COMI and the increased costs clause that refers to CRD IV) may require further amendment when the UK leaves the EU. The LMA will also incorporate any new or replacement laws into their standard forms in due course. In relation to the Bank Recovery and Resolution Directive (“BRRD”), on Brexit EEA lenders will need to include a contractual recognition of bail-in provision in relevant English-law-governed contracts.

Securitisations And CLOs

EUR CLOs, the vast majority of which are managed by UK firms, provide around 30% of the funding to non-investment grade borrowers in the EU. The majority of EUR CLOs are managed by UK MiFID firms which qualify as “sponsors” under the Capital Requirements Regulations (“CRR”) and in this capacity they are eligible to act as risk retainers under the CRR. If the UK does not join the EEA and where ESMA has not otherwise recognised the UK regulatory regime as “equivalent” for the purposes of MiFID II, UK managers would no longer qualify as ‘sponsors’ under the CRR and so would cease to be eligible in this capacity to act as risk retainers in respect of the EUR CLOs which they manage.

Manager Originator Structures

For new transactions, it is possible for a UK manager to “Brexit proof” the structure by changing from a “sponsor” risk retention structure to a “manager originator” structure which does not require the manager originator to have an EU or EEA regulatory status[14]. This structure has already been used by some US managers since 2015 to enable them to market USD CLOs to EU regulated investors. The manager originator structure, as well as requiring the manager originator to manage the CLO, also requires that the manager originator contributes some of the loans or bonds which are acquired by the CLO issuer. The CRR and the delegated regulations thereunder do not prescribe a minimum percentage of loans or bonds which must be contributed by a manager originator (whereas the alternative originator structure, the “non-manager originator” structure, requires non-manager originators to contribute over 50% of the loans or bonds); prior to the Brexit vote, a number of USD CLOs were sold to EU regulated investors with the manager originator contributing 5% of the CLO’s assets and since the Brexit vote, the expectation is that more manager originators will come to market having contributed around 5% to 10% of the loans or bonds. There has been some discussion of manager originators contributing less than 5% of the loans or bonds which is possible under the CRR delegated regulations though some investors may prefer a higher level of contribution. The manager originator structure does not require the manager originator to take market risk in the loans or bonds which they contribute: the requirement is that the manager originator be exposed to the credit risk of the loans or bonds before they settle into the CLO issuer. There is no prescribed minimum holding period, but 15 business days has been seen as the period of credit risk in a number of transactions.

Regulatory Changes

In addition to Brexit, the securitisation and CLO markets are also due to be regulated under a new Securitisation Regulation promulgated by the EC as part of the Capital Markets Union initiative (sponsored by UK’s former EU commissioner). Under the EC’s draft Securitisation Regulation (as approved by the EU Council), the main change proposed to the risk retention regime is the additional requirement that originators established or operated for the “sole purpose of securitising exposures” would not be eligible to act as risk retainers: this requirement (if enacted) would not cause issues for manager originator structures which have the economic purpose of receiving management fees in addition to the returns expected from acting as manager originator risk retainer (this new test would however require non-manager originators to demonstrate their economic purpose beyond acting as risk retainer). Prior to the Referendum MEP Paul Tang unexpectedly proposed some significant amendments to the draft Securitisation Regulation including proposals (i) to increase the risk retention requirement from 5% to 20% and (ii) to limit eligible risk retainers to EU regulated entities. The EC has since attempted to reassure the market that they do not support increasing the risk retention requirement. The Tang proposal to limit eligible risk retainers to EU regulated entities would however cause issues for UK manager originator structures (in the absence of the UK remaining in the EEA or otherwise having its regulatory regime deemed equivalent once MiFID II is in force).

Existing sponsor transactions are expected to be grandfathered but if there is imperfect grandfathering which does not extend to secondary market purchases, this would be an issue for EU investors, who might ask UK sponsors to redeem legacy deals by refinancing via new manager originator structures.

14 A major debt fund has already priced a manager originator structure in the weeks following the Referendum.

UK securitisations involving a single originator acting as risk retainer (for example most RMBS, credit card, auto and corporate securitisations) will continue to be eligible as non-manager originator risk retainers in a full Brexit scenario but, as with CLO manager originator structures, they would also require restructuring (if marketing to EU regulated investors is required) if Tang’s proposal, to limit risk retainers to EU regulated entities, is implemented.

Derivatives

European Market Infrastructure Regulation (“EMIR”) stems from commitments made by the G20 nations in 2009, and it will therefore need to be replaced in the UK by a similar piece of national legislation on Brexit. Under EMIR, OTC derivatives can be cleared through an authorised EU clearing house (“CCP”) or a non-EU CCP that has been “recognised” by ESMA. An equivalence determination by the EC is a precondition to non-EU CCPs of a particular jurisdiction being granted recognition, therefore a key question will be whether UK CCPs will be granted recognition under EMIR following Brexit. Another question is the extent to which non-UK CCPs (e.g. US or EU CCPs) will be granted recognition under any UK version of EMIR. A reciprocal system for recognising overseas CCPs is required in order to gain the equivalence determination by the EC. Under EMIR, “substituted compliance” with the requirements of another jurisdiction is possible if an equivalence determination has been made by the EC in relation to that jurisdiction and at least one of the parties to the derivatives is established in that jurisdiction. At this point we do not know if an equivalence decision will be made in relation to any UK regulatory regime that replaces EMIR (no equivalence determinations of this type under EMIR have been made by the EC to date.) A similar question will arise under any UK version of EMIR: will it be open to the parties to comply with the EU or US requirements instead?

Other issues affecting derivatives that will need to be monitored include: (i) choice of law/courts; (ii) BRRD e.g. bail-in clauses; (iii) Financial Collateral Directive, and the associated UK regulations; and (iv) insolvency, especially the Credit Institutions Winding-up Directive.

Competition

The impact of Brexit on the merger control process for M&A transactions involving a UK component will very much depend on the post-exit model chosen. For merger control purposes, the key distinction will be whether the UK adopts:

• the Norwegian Model, following the model adopted by Norway, Liechtenstein and Iceland, which is implemented through the EEA and EFTA agreements and allows the EC to retain exclusive competence over merger control transactions with EEA-wide impact; or

• any of the other models currently under discussion (the so-called Swiss, Canadian, Turkish and WTO models as detailed above), each of which would result in the UK coming out of the EU merger control regime.

If Brexit takes the form of the Norwegian Model, it will largely be business as usual: the EC would retain exclusive jurisdiction for mergers with an EU dimension, whilst the UK’s Competition and Markets Authority (“CMA”) would retain its current role for transactions that do not qualify for EC review.

If Brexit follows any of the other models, the EC would no longer have exclusive competence for merger control in relation to concentrations impacting UK trade. Depending on whether jurisdictional thresholds are met, this could result in the CMA and the EC having concurrent jurisdiction to review certain transactions. Overall, this would likely result in a greater filing burden and cost for private equity buyers than under the current one-stop shop regime, although the impact on individual transactions would be fact-specific: in practice, for as long as the UK’s merger control regime remains voluntary and non-suspensory, a private equity acquisition which does not give rise to UK competition concerns should continue to proceed without a UK filing. However, in the minority of cases, if deals do give rise to competition concerns in the UK, they may be subject to review by both the CMA and the EC. All things being equal, we would not expect an exit on a non-Norwegian model to result in a change in merger control policy or significant divergence between the EC and the CMA, at least in the short term. The CMA will likely remain a member of several international competition law networks, the aim of which is to promote alignment of competition law application. However, if there were to be a more protectionist steer from the UK government post-Brexit, and if the current trends of increased UK government influence over the CMA’s activities continue, there is a possibility of divergence in the future.

There are two other potential developments to highlight if Brexit involved the UK falling outside the EU merger control regime. First, this may prompt the CMA to reconsider the nature of its own regime, and a potential move to a mandatory and suspensory model. Clearly, this would result in greater cost and complexity for private equity deals involving the UK. Secondly, there is a possibility that English may cease to be a working language of the EC. That would mean either that EC merger control notifications would require translation or that private equity firms may choose to use European lawyers with appropriate language skills.

Data Protection

The UK Data Protection Act 1998 (“DPA”) currently remains in force. All processing of personal data must be undertaken in accordance with the DPA, and the EU General Data Protection Regulation (“GDPR”) will be enforced within the EU from 25 May 2018. Organisations that provide goods and/or services in or to the EU are, for the most part, preparing for GDPR implementation and UK organisations should continue to do the same. Reform of UK data protection law remains necessary, but it is unclear whether the GDPR will be adopted in the UK.

Currently, the DPA allows for personal data to be transferred freely between member states and those countries covered by EC adequacy findings. The DPA also provides that consent, model clauses, binding corporate rules (“BCRs”) and self-assessed adequacy may be used to legitimise transfers of personal data outside the EU. The EU-US Privacy Shield was also adopted on 12 July 2016 as a means for legitimising data transfers to the USA.

What Is The Impact On Data Protection Under The Potential Future Options?

The future of UK data protection law will be influenced by the agreements that the UK reaches with the EU. Possible data scenarios are set out below.

• Implement the GDPR (or an equivalent)
  The UK may decide to implement the GDPR (or something very similar) and repeal the DPA. This should assist in the facilitation of continued trade links with the EU, and would likely result in an adequacy finding in the UK’s favour.

• The Norwegian Model
  Under a Norwegian Model, the UK would need to adhere to the GDPR from 25 May 2018, both before and after Brexit. Under this option, data transfers from the UK across the EEA would be permitted freely. The UK would likely also be able to continue to rely on any EC adequacy decisions in respect of non-EU countries, as well as the EU-US Privacy Shield decision.

• The Adequacy Route
  If the UK were to leave the EU and does not become part of the EEA, it would be treated as a third country by the EU for the purposes of international personal data transfers. If the UK retains the DPA and does not implement an equivalent to the GDPR, then it is likely that no finding of adequacy would be made in respect of the UK, as the GDPR is more robust in its protection and requirements than the DPA (the Investigatory Powers Bill also makes an adequacy decision even less likely). In this scenario, all personal data transfers to the UK from the EU would need to be legitimised by model clauses, BCRs, consent or any of the other safeguards or derogations available under the GDPR. This would likely require many organisations to review commercial contracts and data sharing arrangements that are currently in place to ensure ongoing compliance.

• An EU-UK Privacy Shield?
  If the UK decided to remain outside the EEA and no EC adequacy decision was made in respect of the UK, it might be possible to implement an EU-UK “privacy shield” type arrangement similar to the EU-US Privacy Shield.

• A Dual System?
  Finally, the DPA could remain in force and be applied to all international data flows from the UK outside the EEA when a controller is established in the UK, where the processing of personal data takes place exclusively in the UK and the processing is limited to UK citizens. For all other international transfers the GDPR would apply. Although this could assist small UK businesses, the complexity of administration makes this impractical.

It remains unclear which option the UK government will choose prior to May 2018. For most organisations, the prudent course of action based on the information available would be to continue with preparations for GDPR compliance.

Intellectual Property

On Brexit the UK intellectual property (“IP”) scheme (and to some extent the European IP scheme) is likely to become more complex. Harmonized EU IP laws may change in time, resulting in potential inconsistency. Individual IP rights are likely to be affected differently, with pan-EU rights, such as registered EU Community trade marks and designs, being more affected than national rights such as patents, copyrights and rights to prevent passing off/unfair competition. When Brexit occurs, unless specifically addressed in UK legislation, EU derived IP rights will no longer be recognised in the UK.

Consideration will also need to be given to the impact of cases that have been decided in accordance with prior EU judgments or decisions.

Patents

Until Brexit occurs, unless repealed, the Patents Act 1977 would remain in force regulating patents in the UK. In most cases, UK patents are nationalized versions of European patents granted by the European Patent Office (“EPO”). There would be no legal impact on the existing patent rights, as the EPO is independent of the EU. Brexit is also unlikely to affect the UK’s participation in the Patent Cooperation Treaty, the Paris Convention and the European Patent Convention, as these are all treaties outside of the EU.

However, Brexit may influence the UK’s introduction of the Unitary Patent Scheme and the Unified Patent Court (“UPC”), which are due to take effect in 2017 – although ratification of the agreement is still legally possible.

Brexit will likely delay and potentially impair the introduction of the UPC throughout Europe. Before the UPC can start, it must be ratified by at least 13 member states, including the UK. The UPC thus cannot start anywhere in Europe while the UK remains an EU member but has not ratified the UPC, unless the UPC agreement were to be renegotiated to remove the UK ratification requirement.

Trade Marks

Following Brexit the Trade Marks Act 1994 (unless repealed) would remain in force for the regulation of registered trade marks in the UK. The UK would no longer be part of the EU Trade Mark (“EUTM”) system, as it is only accessible to member states. This would undermine the enforceability in the UK of existing European Trade Mark registrations. It is possible that a conversion process will be needed to convert EU Trade Marks to UK National Trade Marks and ensure the continuity of rights. Until then, all EU Trade Marks registered or awaiting registration will continue to benefit from protection within the UK and other member states.

EU Design Rights

Registered EU Community design rights cover all member states and further legislation will be expected in order to preserve them. The UK may allow all existing EU designs to apply and later allow conversion into UK designs.

Copyrights

Copyright protection is not fully harmonized in the EU and is mostly based on domestic law. It is unlikely that Brexit will impact significantly on UK copyright.

Database Rights

Database rights are protected in the UK under the Copyright and Rights in Databases Regulations 1997. Like copyright, such rights are automatic and Brexit is unlikely to affect their formalities or protections. However, the Regulations refer to an individual or a body incorporated in an EEA state in order for the database right to be qualified, which would, perhaps, require amendment.

Conclusion

Given the uncertainty surrounding Brexit, the long term impact on IP rights in the UK is still unclear. The UK government will have to work closely with the EU in the future to fill the gaps in the areas of EU trade marks and design rights and, possibly, in unitary patents and the UPC. The UK Government will likely delegate the responsibility for scoping the new IP landscape to the UK Intellectual Property Office and the increase in its administrative function may result in increased filing costs for those registering or renewing IP rights in the UK.

Government Enforcement/White Collar Crime

EU influence over criminal law and criminal justice is exercised in five general areas:

• Substantive criminal law: legal instruments such as Directives and Regulations intended to harmonise the development of the substantive criminal law in areas such as money laundering and people trafficking;

• Criminal procedure: measures intended to influence national criminal procedure such as those concerning the standing of victims in criminal proceedings and the rights of defendants;

• Police cooperation: measures intended to enhance police cooperation such as sharing of fingerprint and DNA information;

• Mutual recognition: measures intended to enhance the recognition of criminal decisions and warrants between member states, such as the European Arrest Warrant and mutual assistance in freezing assets; and

• EU policing agencies: Europol (which plays a coordination and intelligence role between the policing agencies of member states) and Eurojust (which plays a coordination role for prosecutors).

Prior to the Referendum the UK had opted in to a small number of EU criminal law measures (such as child sexual abuse and human trafficking) and a handful of measures relating to the rights of suspects. It seems unlikely that these measures will be reversed in the UK on Brexit.

Most EU law in the field of criminal justice (since the Lisbon Treaty in 2009) has been enacted via EU Directives that are then implemented in the UK by way of secondary legislation. Noteworthy among these Directives is the forthcoming 4th Money Laundering Directive (“4MLD”). There are, at the time of writing, proposals for the implementation date of 4MLD to be brought forward to early 2017 in response to the increase in terror-related attacks in Europe. Whether these proposals are adopted or not, the UK will be required to give effect to 4MLD well before the UK has formally left the EU. Moreover it seems unlikely that the UK will want to undo the effects of 4MLD as many of the changes contained in 4MLD come themselves from Financial Action Task Force recommendations.

Following Brexit it remains to be seen how the UK might adopt or follow criminal laws originating in the EU. It seems unlikely that the UK will want to withdraw completely from areas such as cross border policing cooperation. It also seems unlikely that any significant consequences would follow from the UK’s ceasing to be bound by the EU instruments designed to harmonise aspects of substantive criminal law or procedure such as cybercrime or people-trafficking.

© 2016 Ropes & Gray LLP. All rights reserved.

ALERT

Privacy & Data Security

November 2, 2016

An Update on Brexit and the Implications for General Data Protection Regulation (GDPR)

Attorneys: Rohan Massey

Following the “Leave” result of the United Kingdom’s referendum on its membership in the European Union, there has been uncertainty regarding the implementation of the General Data Protection Regulation (GDPR) due to come into effect on 25 May 2018. Our report on the GDPR explains the key changes to Data Protection Law.

On 24 October 2016, the Secretary of State for Culture, Media and Sport, Karen Bradley MP, confirmed that the UK will still be in the EU in 2018 and will be opting in to the GDPR. As a result, businesses collecting or using personal data of EU data subjects while providing goods or services in the EU will be subject to the new regulations. The UK’s data protection authority, the Information Commissioner’s Office (ICO), supports this stance taken by the government and has confirmed it will issue a statement in the next month setting out a timeline for publishing its guidance on the GDPR in the upcoming months.

Both the ICO and UK government have reiterated the necessity of complying with the GDPR. In light of the increased scope of fines for non-compliance with the GDPR, it is imperative that businesses assess the steps they need to take to ensure compliance by May 2018. For more information regarding the GDPR and its potential impact, please contact Ropes & Gray’s leading privacy & data security team.


02 February 2017 BREXIT WHITE PAPER PUBLISHED

Earlier today, the UK government published an official policy paper (the White Paper) setting out the government’s approach to leaving the European Union (EU). The publication of the White Paper follows the House of Commons vote yesterday in favour of the European Union (Notification of Withdrawal) Bill, which provided Theresa May with the authorization needed to invoke Article 50 in order for the UK to leave the EU.

Building on last week’s speech by the Prime Minister on the government’s plan for Brexit, the White Paper sets out once again the 12 principles that will guide the government during its negotiations with the EU. The White Paper sets out the government’s basis for each of the 12 principles and the broader strategy underlying them. From the perspective of financial services, rather than providing new material information, key themes from Theresa May’s speech are reiterated.

The Principles are as follows:

1. Providing certainty and clarity.
2. Taking control of the UK’s laws.
3. Strengthening the Union.
4. Protecting our strong historic ties with Ireland and maintaining the Common Travel Area.
5. Controlling immigration.
6. Securing rights for EU nationals in the UK and UK nationals in the EU.
7. Protecting workers’ rights.
8. Ensuring free trade with European markets.
9. Securing new trade agreements with other countries.
10. Ensuring the UK remains the best place for science and innovation.
11. Cooperating in the fight against crime and terrorism.
12. Delivering a smooth, orderly exit from the EU.

The Great Repeal Bill

With respect to the first and second principles, the White Paper confirms the Government’s intention to introduce a “Great Repeal Bill” to remove the European Communities Act 1972 and to preserve EU law. All EU laws which are directly applicable in the UK (such as EU regulations) and all laws which have been made in the UK to implement the UK’s obligations as a member of the EU will be “preserved” – and so will remain part of domestic law on the day the UK leaves the EU. The White Paper also confirms that the preserved law will continue to be interpreted in the same manner as currently – whether this will be workable remains to be seen.

Parliament will also determine the content of other primary legislation if there are any significant policy changes. The Government expects to introduce separate bills on immigration and customs, and there will be a programme of secondary legislation under the Great Repeal Bill to address so-called “deficiencies” in the preserved law, the details of which are not provided. The government will eventually publish a White Paper on the Great Repeal Bill. As we have highlighted in our previous alerts, the introduction of the Great Repeal Bill will no doubt result in a number of complex discussions, and analysis will be required for a smooth transition of such a vast body of law, regulation and guidance.

Withdrawal from Single Market Access

In connection with Principle 8 (Ensuring free trade with European markets), the White Paper reiterates the Government’s position that it will not seek membership of the EU Single Market but will instead pursue a new strategic partnership with the EU, including a Free Trade Agreement and a new customs agreement. As outlined in Theresa May’s speech last week, the agreement may well reflect elements of the existing Single Market arrangements. No further details of the agreement are provided in the White Paper.

With respect to the provision of financial services across the European Union, the White Paper does not provide any additional information to that which was provided in Theresa May’s speech. The White Paper confirms that the aim of the government is for the “freest possible trade in financial services between the UK and EU Member States”. This is clearly a “watch this space” element of future negotiations, much of which we have discussed in previous alerts on the implications of Brexit on financial services.

The White Paper is titled “The United Kingdom’s exit from, and new partnership with, the European Union”.


©2017 Ropes & Gray L160054

ASIA

IN THE NEWS

In Asia-Pacific Biotech News, Life Sciences Partner Addresses Proposed China Pharmaceutical Regulatory Changes

June 14, 2019

Practices: Life Sciences, China Life Sciences, Digital Health, Asia Pacific, Health Care

The Chinese government recently submitted a second draft of the Drug Administration Law of the People’s Republic of China to the Standing Committee of the National People’s Congress of China for deliberation. Life sciences partner Katherine Wang (Shanghai) authored an article published by Asia-Pacific Biotech News on June 12 that discusses the major changes.

Ms. Wang notes that while the proposed draft codifies many reform initiatives that accelerate market access of innovative drugs, it also signals aggressive post-approval enforcement and severe sanctions.

Copyright © 2019 Ropes & Gray LLP. All rights reserved. Attorney advertising. Prior results do not guarantee a similar outcome.


EYE ON CHINA

China proposes major changes to pharmaceutical regulations

By Katherine Wang, Ropes & Gray life sciences partner

On 20 April 2019, the Chinese government submitted a second draft of the Drug Administration Law of the People's Republic of China (Second Draft for Deliberation) (DAL) to the Standing Committee of the National People’s Congress of China (NPC) for deliberation.

Compared with the previous draft amendments to the DAL, the second draft contains some noteworthy additions.

1. The draft states the principle that pharmaceutical innovation should be based on clinical value. New drug research and development should focus on new therapeutic mechanisms, address multiple targets, or involve interventions that systemically affect biological functions.
2. The MAH system will be implemented equally for domestic and imported drugs. Subject to approval by the National Medical Products Administration (NMPA), MAHs will be allowed to transfer their marketing authorisations.
3. MAHs and retail pharmacies will be able to establish an online presence on third party portals registered with local drug administrations. Online sales of prescription drugs, however, will continue to be restricted.

Most importantly, penalties for violations will be significantly increased. For example, the first draft of the DAL proposed administrative fines for selling counterfeit drugs up to 10 times the sales value of the affected products, while the second draft of the DAL increases the fines up to 15 to 30 times. Victims of counterfeit drugs will also be entitled to punitive damages. Likewise, China legal agents of foreign MAHs will also be subject to administrative fines ranging from 100,000-200,000 RMB if found to be in violation of the DAL.

Certain policies proposed in the second draft have triggered fierce discussions among NPC members, including the complete ban on the online distribution of prescription drugs.

The industry also has questions about the second draft’s unexplained removal of provisions on GMP/GSP certification, which has been mandated on drug manufacturers and distributors for nearly 20 years in China.

Lastly, regulatory data protection and patent linkage are not mentioned in the second draft. As a result, it is unclear whether these two important mechanisms will be addressed in the Implementing Regulations of the DAL or Drug Registration Rules.

The DAL and the VAL are fundamental to pharmaceutical companies’ operations in China. While the proposed draft codifies many reform initiatives that accelerate market access of innovative drugs, it also signals aggressive post-approval enforcement and severe sanctions.

It is advised that pharmaceutical manufacturers and distributors closely monitor the progress of this legislation and carefully review their operations in China to ensure compliance with the new regulations.

Source: Ropes & Gray


http://www.asiabiotech.com/23/2306/23060007b.html

IN THE NEWS

Health Care Attorneys Author Article on Evolving Regulatory Landscape for Clinical Trials in India

December 3, 2018

Practices: Health Care, Health Privacy & Security, Clinical Research, Life Sciences, India, Asia Pacific

Health care partner Mark Barnes and associate Minal Caron (both of Boston) have co-authored an article in the Food and Drug Law Institute’s Food and Drug Law Journal that describes the significant transformation India has undergone since 2013 in regard to clinical trials regulations.

In 2013, the Indian government – in an effort to bolster its regulatory framework – released a number of new and complex regulations that unfortunately made India an unpredictable jurisdiction in which to site and conduct clinical trials.

The article is a comprehensive treatment of the events and regulatory changes that have shaped India’s clinical trial landscape over the past several years and documents current efforts in India to re-revise and improve its regulation of clinical trials.


The Evolving Regulatory Landscape for Clinical Trials in India

MARK BARNES, JAMIE FLAHERTY, MINAL CARON, ALISHAN NAQVEE, BARBARA BIERER*

ABSTRACT

Since 2013, India has undergone a significant regulatory transformation in regard to clinical trials. Following controversial media coverage of deaths that were allegedly related to clinical trials, the Indian government attempted to bolster its regulatory framework by releasing a number of new and complex regulations that quickly made India an unpredictable jurisdiction in which to site and conduct clinical trials. This article describes the events and regulatory changes that have shaped India’s clinical trial landscape over the past several years. The article ultimately concludes that many of the well-meaning requirements imposed on researchers and sponsors beginning in 2013 chilled the clinical trial environment, yet the requirements also brought appropriate attention to complex ethical issues. While many of the more stringent regulations have since been clarified or withdrawn through the Indian government’s continuing reform efforts, the recent India experience demonstrates how regulatory uncertainty can deter advances in clinical research.

FOOD AND DRUG LAW JOURNAL VOL. 73

Over the past several years, India has undergone a significant transformation in its clinical trial activity and provides a useful case study in the revision and implementation of clinical trials regulations. By 2009, clinical trial research in India was experiencing significant growth. While the Drug Controller General of India (DCGI) granted only 65 approvals for clinical trials in 2008, it granted 391 in 2009 and 500 in 2010.1 However, controversial media coverage of multiple deaths allegedly related to clinical trials led the Indian government to release a number of new, and in some cases onerous, regulations between 2013 and 2015 in an effort to bolster its regulatory framework and protect trial participants. The new regulations quickly made India an unpredictable jurisdiction in which to site and conduct clinical trials. Despite India’s diverse patient pool, well-trained physician workforce, and relatively low health services costs, the government’s new regulations and orders—and the uncertainty they created—led to a decline in the number of clinical trials approved by DCGI and a concomitant rapid deterioration of research infrastructure within India.2 At the same time, the rapid changes and the debate surrounding them exposed a variable and often inadequate infrastructure for clinical research and led to major regulatory changes regarding difficult issues, including, most prominently, mandatory compensation for research-related injuries and deaths.

While several of the new rules seem untenable in clinical research, over the past several years the Indian government has made an attempt to clarify and refine its revised clinical trials regulations. DCGI and other relevant regulatory bodies have begun using amendments and interpretations to scale back and clarify many of the earlier, most problematic rules and orders. Additionally, India’s Ministry of Health and Family Welfare (MoHFW) issued new draft rules in February 2018 (2018 Draft Rules), discussed further herein, addressing the full spectrum of clinical trials activities in an effort to improve the country’s regulations. However, even if the 2018 Draft Rules are adopted, the rules likely will not allay all stakeholder concerns, as they do not clarify many of the provisions that have been widely debated over the past several years, and they do not fully address the chilling effects that the regulatory changes adopted beginning in 2013 have had on clinical trials activities in India. While India may yet be able to reclaim its status as a major hub for clinical research, stakeholders continue to grapple with the changing regulatory landscape, and the recent India experience demonstrates how regulatory uncertainty can deter advances in medical research and impede a population’s voluntary access to experimental treatments.

* Mark Barnes is a partner in the health care group at Ropes & Gray LLP in Boston, Massachusetts, and serves as faculty co-director & co-chair of the Multi-Regional Clinical Trials Center of Brigham and Women’s Hospital and Harvard University (MRCT Center). Jamie Flaherty is an associate at Ropes & Gray LLP in Boston, Massachusetts, where she practices health care law. Minal Caron is an associate at Ropes & Gray LLP in Boston, Massachusetts, where he practices health care law. Alishan Naqvee is a founding Partner of LexCounsel, Law Offices in New Delhi, India, and heads the Firm’s health care and pharmaceuticals practice and corporate litigation practice. Mr. Naqvee acts as the ‘lawyer member’ at significant Ethics Committees, including Medanta Hospital in Delhi. He served as a member of the committee constituted under the aegis of the Indian Council of Medical Research that prepared the ethical guidelines for biomedical research involving children, published in 2017. Barbara E. Bierer, M.D. is a Professor of Medicine, Harvard Medical School and Brigham and Women’s Hospital (BWH), Boston, and a hematologist/oncologist. She is the faculty director of the MRCT Center. In addition, Dr. Bierer is the Director of the Regulatory Foundations, Ethics, and the Law program at the Harvard Catalyst, the Harvard Clinical and Translational Science Award, working across the academic spectrum to enable the clinical trial enterprise from study planning through recruitment to data acquisition and dissemination.

1 Post Stringent Norms, Clinical Trials in India Plummet, HINDU (June 13, 2016), http://www.thehindu.com/sci-tech/health/policy-and-issues/post-stringent-norms-clinical-trials-in-india-plummet/article4639976.ece [https://perma.cc/PC26-JF5Y]. See also Shruti S. Bhide et al., Assessment of Clinical Trials Registered at Clinical Trial Registry of India over Past Decade: An Audit, 3 INT’L J. CLINICAL TRIALS 238, 240 (2016), http://www.ijclinicaltrials.com/index.php/ijct/article/download/149/90 [https://perma.cc/8ZZS-V5H4] (stating that number of clinical trials from India registered on www.clinicaltrials.gov increased until 2010).

2 See Y.K. Gupta & B. Dinesh Kumar, Clinical Trials And Evolving Regulatory Science in India, INDIAN J. PHARMACOLOGY 575, 575 (2014), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4264069/ [https://perma.cc/TQB2-J8DT] (“This resulted in the sharp decline in the number of clinical trials (from 529 in 2010 to nearly 250 in 2012 to just over 100 in 2013) approved by DCGI.”); HINDU, supra note 1 (stating that following 500 clinical trials being approved by the DCGI in 2010, 325 were approved in 2011 and 262 were approved in 2012); Bhide et al., supra note 1, at 240 (showing a significant decline in the number of clinical trials from India registered on ClinicalTrials.gov since 2010). See also Aditi Tandon, Clinical Trial Rules to Be Relaxed to Aid Research, TRIBUNE (Jan. 17, 2016), http://www.tribuneindia.com/news/nation/clinical-trial-rules-to-be-relaxed-to-aid-research/184473.html [https://perma.cc/56XY-3ZEG] (quoting the Director General of the Indian Council of Medical Research, stating “after the new clinical trial guidelines . . . we witnessed a significant decline in the number of academic research trials for existing disease”); Thomson Reuters, Overcoming Clinical Challenges in BRIC Markets: A White Paper, 9 (Apr. 2014), http://bibliotecadigital.puc-campinas.edu.br/services/e-books/D_BRIC_nations_white_paper_final__201404.pdf (“Since 2010, the initiation of clinical trials in India has declined sharply. Sponsors such as Eli Lilly, AstraZeneca, Pfizer, and GSK have either pulled back or out completely, waiting for the regulatory landscape to stabilize.”).

This article describes the various events and regulatory changes that have shaped India’s clinical trial landscape over the past several years. The article ultimately concludes that many of the well-meaning requirements imposed on researchers and sponsors beginning in 2013 have corroded the clinical trial environment, yet have also focused attention on complex ethical issues inherent in conducting advanced research among a comparatively indigent population. Many of the regulations or government orders have since been clarified or withdrawn, and the focus on training and education of investigators and ethics committee members, and on ethical conduct of clinical trials more generally, have arguably defined and improved the climate for human participant research. The impact of the proposed 2018 Draft Rules will still need to be assessed, if and in what form they are approved.

I. BACKGROUND: CLINICAL TRIAL RESEARCH IN INDIA

Issues with widespread drug alteration and fraud in the Indian market in the early 20th century led to the passage of India’s Drugs and Cosmetics Act of 1940 and the Drugs and Cosmetics Rules of 1945, which regulate the import, manufacture, distribution, and sale of drugs and cosmetics in India.3 Those legislative measures established the Central Drugs Standard Control Organization (“CDSCO”), a division of the MoHFW.4 In 1988, the Indian government recognized, as other countries had, that the introduction of new drugs directly depends on the conduct and results of clinical trials and that trials using the local population are needed to assess the safety and efficacy of new medicinal products; as a result, the government established a set of guidelines and requirements for clinical trials, known as Schedule Y.5 The Indian Council of Medical Research (“ICMR”), an entity funded through the Indian government, subsequently issued the Ethical Guidelines for Biomedical Research on Human Subjects in 2000.6 In response to this increased clarity regarding legal requirements for human subjects research, India experienced a significant increase in the level of clinical trial activity taking place within the country, and the number of clinical trials peaked in 2010.7

India’s regulatory landscape was soon dramatically altered as a result of two public interest litigation (“PIL”) petitions that claimed violations of India’s clinical trial regulations, and by the Indian government’s response to the petitions and public opinion. In early 2010, the Indian media reported that several participants had died in a human papillomavirus (“HPV”) vaccine study funded by the Bill and Melinda Gates Foundation (“BMGF”) and managed in India by a U.S.-based international NGO, Program for Appropriate Technology in Health (“PATH”).8 The trial involved vaccinating 13,000 girls ages 10–14 with Gardasil® and 10,000 with Cervarix®, both of which are recombinant HPV vaccines that had been approved by the U.S. FDA for the prevention of cervical cancer and cervical intraepithelial neoplasia.9 Scheduled to run until 2011, ICMR halted the study in early 2010 based on reports of safety and ethical violations in the trial.10 The Indian government then set up an inquiry committee to look into alleged irregularities in the conduct of the HPV studies.11 Although the committee found inadequacies with respect to the documentation of informed consent, the government initiated no legal action against the researchers, their institutions, PATH, or BMGF at that time.12

Nearly concurrently, the U.S. Office for Human Research Protections (“OHRP”) in 2012 investigated a complaint and determined that subjects involved with long-running randomized cervical cancer trials in India funded by the U.S. National Cancer Institute (“NCI”) had not been provided with adequate information about trial participation.13 Beginning in 1998, trials funded by the NCI and BMGF that aimed to validate cervical cancer screening as a cost-effective prevention method reportedly compared cervical cancer death rates among 224,929 women who were offered cervical cancer screening to 138,624 women in a control group who were offered the usual standard of care, but no cancer screening.14 In an article in the Indian Journal of Medical Ethics, Dr. Eric Suba criticized the trials and, instead of concluding that cervical cancer screening was a compelling preventive measure that deserved government support, highlighted the fact that at least 254 women in the unscreened control and standard of care group died from cervical cancer.15 The article attracted media and advocacy group attention to trials in India and how the women involved with the trial were of low socioeconomic status and were residents of “Mumbai slums” and poor villages across India.16

In January 2012, the non-governmental organization Swasthya Adhikar Manch filed a PIL petition against the Indian government, alleging that inadequate government oversight of clinical trials had resulted in multiple participant deaths.17 Women’s health activists filed a second PIL petition relating to alleged inappropriate handling of the HPV trial by the Indian government, which was admitted for consideration by the Indian Supreme Court in January 2013.18 During the January 2013 consideration of the petitions, India’s Supreme Court members stated from the bench that the Indian government had fallen into a “deep slumber” and had not been ensuring that companies sponsoring research had complied with India’s clinical trials regulations.19 The court criticized CDSCO, asking for urgent action and ordering drug trials to be conducted under the supervision of the Health Secretary.20

In addition, a report released by the Parliamentary Standing Committee on Health and Family Welfare on August 30, 2013 found that the study of the HPV vaccine had violated ethical norms, as informed consent had not been properly obtained from the parents or guardians of all study participants, many of whom were illiterate.21 Although the report concluded that participant deaths were likely not causally associated with the vaccine, as the deaths were from seemingly unrelated causes such as suicide, drowning, and malaria, the report still opined that those involved with the trial had failed to look into the deaths in a satisfactory manner and to maintain adequate study records. The report’s conclusions gave rise to significant media attention on clinical trials in India and the related PIL petitions.22 In light of its order requiring clinical trials of new chemical entities to be “conducted strictly in accord with the procedure prescribed in Schedule ‘Y’ of Drugs & Cosmetics Act, 1940 under the direct supervision” of the MoHFW Secretary, the Supreme Court of India announced on September 30, 2013 the establishment by the MoHFW of “a system of supervision of clinical trials of new chemical entities by constituting Apex Committee and Technical Committee.”23

3 See Mohammed Imran et al., Clinical Research Regulation in India-History, Development, Initiatives, Challenges and Controversies: Still Long Way to Go, 5 J. PHARM. BIOALLIED SCI. 2, 2–9 (2013), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3612334/ [https://perma.cc/2X8Z-LMEV].

4 Id.

5 See Drugs and Cosmetics Rules, 1945, Schedule Y, http://cdsco.nic.in/html/D&C_Rules_Schedule_Y.pdf [https://perma.cc/HMU7-Y98J]; Urmila M. Thatte & Padmaja A. Marathe, Ethics Committees in India: Past, Present and Future, 8 PERSP. CLINICAL RES. 22, 22–30 (2017), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5299801/ [https://perma.cc/B69R-HKWS].

6 Imran et al., supra note 3.

7 See supra notes 1–2.

8 DEP’T OF HEALTH RES., MINISTRY OF HEALTH AND FAMILY WELFARE (INDIA), SEVENTY SECOND REPORT: ALLEGED IRREGULARITIES IN THE CONDUCT OF STUDIES USING HUMAN PAPILLOMA VIRUS (HPV) VACCINE BY PATH IN INDIA, at 1 (Aug. 30, 2013), http://164.100.47.5/newcommittee/reports/EnglishCommittees/Committee%20on%20Health%20and%20Family%20Welfare/72.pdf [https://perma.cc/ZGU8-YFVM] [hereinafter HPV Vaccine Report]. See also SAMA: RESOURCE GROUP FOR WOMEN AND HEALTH, MEMORANDUM TO THE HEALTH MINISTER ON WORLD HEALTH DAY OPPOSING HPV VACCINATIONS (Apr. 2010), https://samawomenshealth.wordpress.com/2010/04/08/memorandum-to-the-health-minister-on-world-health-day-opposing-hpv-vaccinations/ [https://perma.cc/G9YJ-NSQ3]; L.J. Devon, Bill Gates’ Philanthropy: 30,000 Indian Girls Used as Guinea Pigs to Test Cancer Vaccine, NATURAL NEWS (Oct. 3, 2016), http://www.naturalnews.com/055513_Gates_Foundation_vaccine_experiments_human_guinea_pigs.html [https://perma.cc/SFE5-P4JK].

9 Sanjay Kumar & Declan Butler, Calls in India for Legal Action Against US Charity, NATURE (Sept. 9, 2013), http://www.nature.com/news/calls-in-india-for-legal-action-against-us-charity-1.13700?referral=true [https://perma.cc/JW8U-KAKB].

10 See A Nair, Clinical Research: Regulatory Uncertainty Hits Drug Trials in India, PHARMACEUTICAL JOURNAL (Mar. 12, 2015), http://www.pharmaceutical-journal.com/news-and-analysis/features/clinical-research-regulatory-uncertainty-hits-drug-trials-in-india/20068063.article [https://perma.cc/ACB2-HX7H]; Kumar, supra note 9.

11 HPV Vaccine Report, supra note 8, at 9; Carolijn Terwindt, Health Rights Litigation Pushes for Accountability in Clinical Trials in India, 16 HEALTH & HUMAN RIGHTS J. 84, 87 (2014), https://cdn2.sph.harvard.edu/wp-content/uploads/sites/13/2014/12/Terwindt-final1.pdf [https://perma.cc/R4N7-H9ZK].

12 See Terwindt, supra note 11, at 87. In terms of identified failings in the informed consent process, the committee reportedly found, for example, that school principals had signed the consent forms on behalf of the children. Id.

13 See Dep’t of Health & Hum. Servs., Division of Compliance Oversight, Letter on Human Research Protections Under Federalwide Assurance FWA-6143 (July 5, 2012), http://archive.azcentral.com/ic/pdf/OHRP-letter-jul12.pdf [https://perma.cc/H8T6-Q8XH]; Eric J. Suba, US-Funded Measurements of Cervical Cancer Death Rates in India: Scientific and Ethical Concerns, 11 INDIAN J. MED. ETHICS 167, 167–175 (2014), https://www.ncbi.nlm.nih.gov/pubmed/25101547 [https://perma.cc/U33W-HNPD]. See also Rema Nagarajani, Row Over Clinical Trial as 254 Indian Women Die, TIMES OF INDIA (Apr. 21, 2014), http://timesofindia.indiatimes.com/india/Row-over-clinical-trial-as-254-Indian-women-die/articleshow/34016785.cms [https://perma.cc/G5ST-6ZYT]; Bob Ortega, Ethical Questions Linger in Cervical Cancer Study, USA TODAY (Aug. 31, 2013), http://www.usatoday.com/story/news/nation/2013/08/31/ethical-questions-linger-in-cervical-cancer-study/2751705/ [https://perma.cc/TYD9-3ZJE].

14 Suba, supra note 13, at 167.

15 Id. We note that other commentators sharply criticized Dr. Suba’s article, stating that he was “distorting facts and persistently disseminating biased and misleading views” and flagging “ethical concerns [that] are unsubstantiated by the evidence.” Rengaswamy Sankaranarayanan et al., Response to Article Titled “US-Funded Measurements of Cervical Cancer Death Rates in India: Scientific and Ethical Concerns” by Eric J Suba, 11 INDIAN J. MED. ETHICS 175, 175 (2014), https://www.ncbi.nlm.nih.gov/pubmed/25101550 [https://perma.cc/L589-F7YG].

16 Nagarajani, supra note 13.

17 See Swasthya Adhikar Manch v. Union of India (UOI), W.P.(C) No. 33/2012 (India), http://cdsco.nic.in/writereaddata/SC%20Order%2030th%20Sept%202013.pdf [https://perma.cc/D48U-2BA9]; Barbara E. Bierer & Rebecca H. Li, MRCT Center: India Regulatory Update, The MRCT Center of Brigham and Women’s Hospital and Harvard (Mar. 9, 2016), http://mrctcenter.org/wp-content/uploads/2016/03/GHRT-Webinar-India-2016-Mar-9s1.pdf [https://perma.cc/BP4Z-CX6E].

18 Terwindt, supra note 11, at 88.

19 Id.; Illegal Clinical Trials Creating ‘Havoc’: Supreme Court, HINDU (Jan. 3, 2013), http://www.thehindu.com/news/national/illegal-clinical-trials-creating-havoc-supreme-court/article4268671.ece [https://perma.cc/GB8Q-PDEP].

20 Id.

21 See HPV Vaccine Report, supra note 8 at 11. See also Kumar, supra note 9.

II. FALLOUT FROM CLINICAL TRIAL-RELATED MEDIA ATTENTION: RESTRICTIVE 2013 REGULATIONS

Media coverage of the PATH-managed HPV vaccine study and the deaths associated with the cervical screening study conducted by the NCI and BMGF shone a bright light on clinical trials activity in India. Even though the media reports appear to have exaggerated or misrepresented the number and severity of participant injuries that were directly related to trial participation, the media attention and the Supreme Court’s call for urgent action led the Indian government to release a number of regulations imposing rigorous new requirements for conducting clinical trials in India.24 As a first measure, India adopted sweeping compensation requirements for those injured during participation in a clinical trial. In January 2013, the MoHFW enacted Rule 122-DAB, entitled Compensation in case of injury or death during clinical trial.25 For those suffering any injuries during a trial, even injuries unrelated to the trial, the original Section 1 stated that “[i]n the case of an injury occurring to the clinical trial subject, he or she shall be given free medical management as long as required.”26 This broad provision required a sponsor to provide free medical care for any injuries that occur to the trial participant; it was not limited to injuries caused by or resulting from participation in the trial. The provision was also imposed irrespective of any fault or culpability for injuries on the part of the academic or industry sponsor. One year later, in 2014, the breadth of the provision was somewhat narrowed to require that medical management would be provided “as long as required or till such time it is established that the injury is not related to the clinical trial, whichever is earlier.”27 Nevertheless, proving that an injury is not related to trial participation is an uncertain

22 See HPV Vaccine Report, supra note 8, at 6; Andrew Buncombe & Nina Lakhani, Without Consent: How Drugs Companies Exploit Indian ‘Guinea Pigs,’ INDEPENDENT (Nov. 14, 2011), http://www.independent.co.uk/news/world/asia/without-consent-how-drugs-companies-exploit-indian- guinea-pigs-6261919.html [https://perma.cc/U5TE-P8DN]; Nair, supra note 10. 23 See Swasthya Adhikar Manch, W.P.(C) No. 33/2012 (India). 24 See Press Information Bureau, Gov’t of India, Press Release on Drug Trial Policy (Aug. 28, 2013), http://pib.nic.in/newsite/erelease.aspx?relid=98830 [https://perma.cc/CLA4-V9VH]. 25 See Drugs and Cosmetics (First Amendment) Rules, 2013, 47 Gazette of India, pt. II sec 3(i), G.S.R. 53(E) (Jan. 30, 2013), http://www.cdsco.nic.in/writereaddata/GSR%2053(E).pdf [https://perma.cc/22CL- MCZZ] [hereinafter G.S.R. 53(E)]. 26 Id. at 9 (emphasis added). 27 This rule was amended in December 2014. See Drugs and Cosmetics (Sixth Amendment) Rules, 2014, 666 Gazette of India, pt. II sec 3(i), G.S.R. 889(E), at 5 (Dec. 12, 2014), http://www.cdsco.nic.in/writereaddata/Notificatiohn%20on%20Compensation%20on%20clincial%20trial %20(1).pdf [https://perma.cc/Y9WH-YBSS] (emphasis added) [hereinafter G.S.R. 889(E)]. 2018 CLINICAL TRIALS IN INDIA 607 and difficult endeavor. Further, under Section 2 of Rule 122-DAB, for injuries “related to” the clinical trial, “such subject shall also be entitled for financial compensation . . . 
over and above any expenses incurred on the medical management of the subject.”28 Thus, even after reform in 2014, Rule 122-DAB entitled a clinical trial participant to have his or her medical costs covered by the sponsor for any injury received during the clinical trial, even injuries entirely unrelated to the participant’s participation in the trial or use of the investigational agent, for “as long as required” or until it is established that the injury is not related to the clinical trial, and to additional “financial compensation” if the injury is “related to the clinical trial.” Although compensation for clinical trial participants who suffer injuries “related to the clinical trial” seems reasonable on its face, the first iteration of Section 5 of Rule 122-DAB provided a surprisingly broad list of circumstances under which an injury to a clinical trial participant may be considered “clinical trial related.”29 Such circumstances included many risks that are attendant to any clinical trials participation, including adverse effect of the investigational product, “failure of investigational product to provide intended therapeutic effect,” and “use of placebo in a placebo- controlled trial.”30 The breadth of these provisions is striking. Considering “adverse effect of the investigational product” to be a compensable trial-related injury fails to acknowledge that the purpose behind phase I-III clinical trials is to assess the safety and efficacy of an investigational drug. It is antithetical to the goal of a clinical trial to require compensation for injuries stemming from an adverse effect of the investigational product when the risks are ever-present and when study participants have been fully informed and have consented to the risks after receiving appropriate risk and benefit information during the informed consent process. 
The “adverse effect of the investigational product” provision also does not accommodate the reality of trials of “high risk, high reward” therapies, such as cancer treatment, in which there is a high risk of adverse effect of the investigational product, yet the trial participant— after being informed of all these risks—chooses to proceed given the significant potential benefits. Trial-related adverse events cannot be known in advance, which is why proper protections are in place, including institutional review board (IRB) or ethics committee (EC) review and approval and the informed consent process. These “related to” provisions, therefore, fail to acknowledge that all interventional trials of an investigational drug necessarily carry the risk that the product may not perform as expected or that patients receiving the standard of care or placebo arm may receive less effective care. In fact, clinical research could reach no reliable scientific conclusions without such results. In December 2014, these provisions were narrowed, such that “failure” of the investigational product thereafter would only be considered grounds for compensation “where, the standard care, though available, was not provided to the subject as per the clinical trial protocol.”31 The new iteration of the list of “related to” circumstances

28 G.S.R. 53(E), supra note 25, at 9. 29 Id. 30 Id. 31 See G.S.R. 889(E), supra note 27, at 5. The full list is as follows: (i) adverse effect of investigational product(s); (ii) violation of the approved protocol, scientific misconduct, or negligence by the Sponsor or his representative or the investigator; (iii) failure of investigational product to provide intended therapeutic effect where, the standard care, though available, was not provided to the subject as per the clinical trial protocol; (iv) use of placebo in a placebo-controlled trial where, the standard care, though available, was

nevertheless retained “adverse effect of investigational product.” Therefore, the “related to” provisions still failed to recognize that the primary goal of an investigational trial is to compare the safety and efficacy of the investigational product to the standard of care. In addition, the Indian government amended the provision to require compensation for any injury due to the “use of placebo in a placebo-controlled trial where, the standard care, though available, was not provided to the subject as per the clinical trial protocol.”32 The revision offered no clarity, however, as to the meaning of “standard” and “available,” both of which are of crucial importance in applying this standard. Second, the provision is particularly confusing in light of how these concepts are traditionally understood in clinical trials. On the one hand, when standard of care for treating serious illness is reasonably available, it is generally considered unethical for a study design to include placebo, but this provision of the Indian regulations was not limited to serious illnesses. On the other hand, for conditions that do not pose a serious threat to an individual’s health, the use of placebo may be appropriate because it allows a more rapid and definitive proof of efficacy (or lack of efficacy) of the comparator agent.
Thus, the placebo provision, even as amended, does not capture the salient issues, or reflect the complexities, surrounding the use of placebos in trials. CDSCO has issued an order stating that “compensation in case of injury or death discerned at a later stage should be paid to the trial participant/his/her nominee as the case may be, if any drug-related anomaly is discerned at a later stage and accepted to be drug related.” 33 While reasonably aimed at better protecting Indian clinical trial subjects, this change has the consequence of extending sponsor and researcher anxiety about compensation well into the future. Under this provision, if a sponsor fails to provide proper medical management and/or compensation to the subject, DCGI may suspend or cancel the trial, and/or “restrict the Sponsor including his representative(s) [from] conduct[ing] any further clinical trials” in India or “take any other action deemed fit.”34 Although the Indian MoHFW later clarified that compensation need not be paid for injury or death due to “totally proven unrelated causes,”35 even as amended the compensation provisions still suffer from the issues raised above and lack clarity

not provided to the subject as per the clinical trial protocol; (v) adverse effects due to concomitant medication excluding standard care, necessitated as part of approved protocol; (vi) for injury to a child in-utero because of the participation of parent in any clinical trial; [and] (vii) any clinical trial procedures involved in the study. 32 Id.

33 CENT. DRUGS STANDARD CONTROL ORG., 12-01/14-DC Pt. 47, ORDER ON CLINICAL TRIAL– COMPENSATION IN CASE OF INJURY OR DEATH DISCERNED AT A LATER STAGE (July 3, 2014), http://www.cdsco.nic.in/writereaddata/oo4.pdf [https://perma.cc/3EQV-CX9H]. One example of such drug-related injury compensation can be seen with those who suffered deformities due to use of Thalidomide, a drug prescribed to pregnant women to combat morning sickness that resulted in thousands of children being born with severe disabilities. Some individuals affected were able to receive compensation from distributors through the Thalidomide Trust. See generally Angus Crawford, Were more babies affected?, BBC NEWS (Oct. 14, 2013), http://www.bbc.com/news/health-24472269 [https://perma.cc/SM32-JHHZ]. 34 G.S.R. 53(E), supra note 25, at 10. 35 See MINISTRY OF HEALTH & FAM. WELFARE, ACTIONS ON THE RECOMMENDATIONS OF PROF. RANJIT ROY CHAUDHURY EXPERT COMMITTEE TO FORMULATE POLICY AND GUIDELINES FOR APPROVAL OF NEW DRUGS, CLINICAL TRIALS AND BANNING OF DRUGS, 7 (Nov. 6, 2013), http://www.cdsco.nic.in/writereaddata/Action_RR_Choudhury_Committee__06.11.2013.pdf [https://perma.cc/BAS2-BSK4] (emphasis added).

as to what is considered “standard care” or “available.” It would be preferable if the rules were to address what is meant by standard care, such as providing that “standard care” is not considered “available” unless the participant would have sought and reasonably would have been expected to receive the standard treatment but for his or her enrollment in the trial.36 In its rules mandating compensation for injuries sustained by participants, the Indian Government has essentially embraced a principle of no-fault liability whereby participants stand to receive compensation without having the burden of proving that their injuries stemmed from negligence or willful noncompliance of the investigator, sponsor, or contract research organization.
The rules create an inversion of general legal concepts relating to liability and causation where the onus is typically on the participant to prove any injury suffered was directly caused by the negligence or reckless acts of another. Some have praised the Indian government’s approach, explaining how “it enables participants to receive compensation in situations where negligence cannot be proved” which is “of critical importance especially in clinical trials where the injuries sustained are often independent of any negligent act.”37 Another argument for such an approach is that the certainty of compensation calculations actually favors research sponsors; this compensation system, with its well-defined payment formulae, is “favorable for the sponsor/investigator[,] as the amount payable can be calculated on the basis of certain parameters such as age, salary, previous medical history etc.,” instead of the unpredictability associated with damages calculations typically seen in the United States under a negligence theory in a tort action.38 Nevertheless, a no-fault approach assigns financial liability to sponsors irrespective of fault or culpability, holding them responsible for many potential adverse outcomes of a trial, even in the absence of negligence or error and despite the myriad risks about which individuals are informed prior to the trial. These broad provisions and potentially higher compensation costs have made academic institutions and pharmaceutical companies hesitant to site clinical trials in India. 
Not only are such provisions a financial risk concern for trial sponsors, but they are also an ethical concern from an undue inducement standpoint, as the potential opportunity to receive mandatory compensation in a number of different situations might arguably cloud an individual’s decision-making when choosing whether or not to participate in a trial.39 The 2013 regulatory changes also added a number of requirements for ECs—the Indian equivalent of IRBs or research ethics committees under U.S. and EU law. First, effective February 2013, ECs were required to be registered with the Indian

36 This standard continues to be heightened in the global North, such that a treatment, even if not available in the community, might be considered standard and given to patients who become known to investigators. See Ruth Macklin, Standard of Care: An Evolution in Ethical Thinking, 372 LANCET 284, 284 (2008), https://www.thelancet.com/journals/lancet/article/PIIS0140-6736(08)61098-3/fulltext (discussing those arguing that “when a proven intervention exists anywhere in the world, it should be provided to the control group, even if that intervention would not be available outside the clinical trial in the developing country”).

37 Renuka Munshi & Urmila Thatte, Compensation for Research Related Injury, PERSP. CLINICAL RES. 61, 61–69 (2013), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3601709/ [https://perma.cc/F5VF-8XFC]. 38 Id. 39 See id.

government.40 Following the required registration, CDSCO released specific rules for serious adverse event (“SAE”) reporting.41 Specifically, G.S.R. 53(E) sets forth detailed timeframes and obligations on the sponsor, investigator, and EC regarding reporting obligations for SAEs in clinical trials.42 Perhaps most importantly, in the case of an SAE occurring to the clinical trial subject, including death, the EC must formulate and submit an SAE report along with “its opinion on the financial compensation, if any, to be paid by the Sponsor or his representative” within 30 days of the occurrence of the SAE.43 The sponsor and the investigator are required to send their reports on SAEs to the central licensing authority, chairperson of the EC and head of the institution, all on a compressed timeframe. This has proven difficult to implement, as investigators may have difficulty meeting their reporting deadline given the possibility of delay between the occurrence of the adverse event and when the investigator becomes aware of the event, which in turn would hinder the EC’s ability to make such a report within the prescribed 30-day period. It would be more reasonable to expect such reports to be due within 30 days of discovery—rather than occurrence—of the SAE. Other CDSCO rules instituted around the same time were intended to strengthen India’s clinical trial regulatory structure but made commencing and conducting clinical trials more complex.
For example, rules required that no investigator could conduct more than three trials at any time and that only multispecialty hospitals having at least 50 beds and adequate emergency facilities and ECs could be considered as eligible to be trial sites.44 The latter provision ignores the fact that trials studying many conditions (e.g., psoriasis, vaccine prevention studies) do not require in-patient facilities and may take place in a variety of locations, without requiring hospital facilities at all. As part of the Indian government’s effort to improve clinical trials regulation, the government empaneled an expert committee chaired by Dr. Ranjit Roy Chaudhury (the “Chaudhury Expert Committee”), an éminence grise of allopathic medicine in India. In July 2013, the Chaudhury Expert Committee released a report laying out numerous recommendations for improving clinical trials in India.45 In November

40 See Drugs and Cosmetics (Third Amendment) Rules, 2013, 65 Gazette of India, pt. II sec. 3(i), G.S.R. 72(E), 8 (Aug. 2, 2013), http://cdsco.nic.in/writereaddata/G.S.R%2072(E)%20dated%2008.02.2013.pdf [https://perma.cc/B6EA-LFQG]. Prior to reviewing and approving a clinical trial protocol, an ethics committee must register with the Licensing Authority. 41 G.S.R. 53(E), supra note 25 at 10–11. “A serious adverse event is an untoward medical occurrence during clinical trial that is associated with death, in patient hospitalization (in case the study was being conducted on out-patient), prolongation of hospitalisation (in case the study was being conducted on in-patient), persistent or significant disability or incapacity, a congenital anomaly or birth defect or is otherwise life threatening,” id. at 12. 42 Id. at 8–17. 43 G.S.R. 889(E), supra note 27, at 6. 44 CENT. DRUGS STANDARD CONTROL ORG., 12-01/14-DC Pt. 74, ORDER LIMITING NUMBER OF CLINICAL TRIALS AN INVESTIGATOR CAN UNDERTAKE AT A TIME (July 3, 2014), http://www.cdsco.nic.in/writereaddata/officer%20order%202.pdf [https://perma.cc/32J4-M4HY]; CENT. DRUGS STANDARD CONTROL ORG., MINUTES OF 15TH TECHNICAL COMMITTEE MEETING HELD ON 04.06.2014 (June 4, 2014), http://www.cdsco.nic.in/writereaddata/15th_TC_Meeting__04%2006%202014(1).pdf [https://perma.cc/78SZ-QUTF].

45 See RANJIT ROY CHAUDHURY ET AL., CENT. DRUGS STANDARD CONTROL ORG., REPORT OF PROF. RANJIT ROY CHAUDHURY EXPERT COMMITTEE 2–6 (2013), http://www.cdsco.nic.in/

2013, the MoHFW responded to the committee’s suggestions, adopting some but rejecting others.46 One of the Committee’s suggestions included accreditation requirements for all institutional entities in the clinical trial enterprise, including the investigator, EC, and study site. MoHFW agreed with the Chaudhury Expert Committee recommendation and issued a statement that it would adopt and implement mandatory accreditation of ECs, investigators and research sites.47 The National Accreditation Board for Hospitals and Healthcare Providers (“NABH”) was given the mandate and funds to establish accreditation standards and has since developed standards for accreditation of the investigator, EC, and trial site.48 In November 2016, the MoHFW released an order approving mandatory accreditation of ECs effective January 1, 2018, and the NABH subsequently announced it had begun accepting applications from ECs for accreditation.49 Under the NABH standards, EC accreditation involves the development of standard operating procedures and an on-site assessment, among several other requirements. As one Indian commenter noted, the process likely will prove “long, arduous, and demanding,” and importantly, it is unclear “whether such process improvements . . . can translate into benefits for subjects – high quality of care, subject safety, respect and protection of rights and welfare of the subjects.”50 The Indian government’s clinical trial rules went beyond what is required in almost all other jurisdictions: EC accreditation in many other countries, including the United States, is voluntary. The Chaudhury Expert Committee’s report also endorsed another new requirement for those conducting clinical trials: audio–video (“AV”) recording of the informed consent process.
Draft rules for AV recording were initially proposed in a MoHFW notification released in June 2013.51 The proposal had also been supported by the Honorable Supreme Court of India, which, in response to the Swasthya Adhikar Manch PIL, issued an order requiring AV recording of the informed consent process

writereaddata/Report_of_Dr_Ranjit_Roy.pdf [https://perma.cc/4HB9-WXWG] [hereinafter, Report of Chaudhury Committee].

46 See MINISTRY OF HEALTH & FAM. WELFARE, supra note 35, at 1–15. 47 Id. at 1. 48 See NAT’L ACCREDITATION BD. FOR HOSP. & HEALTHCARE PROVIDERS, ACCREDITATION STANDARDS FOR CLINICAL TRIAL IN INDIA 4–5 (2015), http://www.cdsco.nic.in/writereaddata/finalAccreditation%20Standards.pdf [https://perma.cc/5TRC-3QD7].

49 See R.G. SINGH, MINISTRY OF HEALTH & FAM. WELFARE, 12-01/14-DC Pt. 47, ORDER REGARDING ACCREDITATION OF ETHICS COMMITTEES (Nov. 28, 2016), http://www.nabh.co/Announcement/Accreditation_ECApproval.pdf [https://perma.cc/TC5G-H45G]; NAT’L ACCREDITATION BD. FOR HOSP. & HEALTHCARE PROVIDERS, NOTICE http://www.nabh.co/Announcement/CTNotice.pdf [https://perma.cc/82LA-9DYA].

50 Arun Bhatt, Ethics Committees: Challenge of Evidence-Based Accreditation, 8 PERSP. CLINICAL RES. 105, 105–106 (2017). See also NAT’L ACCREDITATION BD. FOR HOSP. & HEALTHCARE PROVIDERS, INFORMATION BROCHURE FOR ETHICS COMMITTEE ACCREDITATION PROGRAM (2016), http://www.nabh.co/Ct_Brochure.aspx [https://perma.cc/4JQS-T4ZX]. 51 Drugs and Cosmetics (Second Amendment) Rules, 2013, 279 Gazette of India pt. II sec. 3(i), G.S.R. 364(E), 2 (June 7, 2013), http://www.cdsco.nic.in/writereaddata/GSR%20364Ejune13.pdf [https://perma.cc/N6ZH-DVKN]. See also CENT. DRUGS STANDARD CONTROL ORG., DRAFT GUIDELINES ON AUDIO-VISUAL RECORDING OF INFORMED CONSENT PROCESS IN CLINICAL TRIAL 4 (Jan. 9, 2014), http://www.cdsco.nic.in/writereaddata/Guidance_for_AV%20Recording_09.January.14.pdf [https://perma.cc/2A2L-8DRK]; G.N. SINGH, CENT. DRUGS STANDARD CONTROL ORG., GCT/20/SC/Clin./2013, ORDER (Nov. 19, 2013), http://cdsco.nic.in/writereaddata/Office%20Order%20dated%2019.11.2013.pdf [https://perma.cc/A2XY-RCGS].

for the five clinical trials that had been approved by DCGI from January through August of 2013.52 In November 2013, the MoHFW finalized the AV requirement for all clinical trials by releasing an order directing “all the sponsors/investigators/institutes/organizations and other stakeholders involved in conduct of clinical trials . . . to adhere to the [ ] requirement of audio-visual recording of informed consent process of trial subjects.”53 Requiring AV recording of informed consent was intended to protect research participants, but it also raised a myriad of practical, cultural, and privacy concerns, which hindered participants from enrolling in studies. One of the primary obstacles to complying with the AV recording requirement was infrastructure. AV recordings require proper equipment and adequate space to accommodate those involved in the consent process.
The requirement also resulted in “lack of participation for religious, cultural or social reasons that [led] to a reluctance to be recorded on video.”54 For example, in rural parts of India, women often wear headscarves and avoid eye contact with men, and were often reportedly uncomfortable with being filmed on camera.55 Additionally, one study of individuals in rural South India found that “[a]ll the study subjects who gave verbal consent also gave written informed consent. However . . . almost one-third (34%) refused to give consent for A-V recording.”56 There were also privacy and confidentiality concerns, as the regulations did not specify who would be allowed to view the consent recordings. The regulations failed to address the increased obligations and security concerns associated with storing and safely maintaining these recordings; “The investigators will have to strengthen the governance at the site to ensure that there is no theft . . . [and] will have to assure the participants by explaining what this information will be used for and how it will be stored.”57 The rules also did not specify for how long investigators must maintain such recordings or whether and to what extent sponsors may also be responsible for maintaining such recordings. CDSCO addressed some of these concerns in its January 2014 guidelines, explaining how “the Investigator must safeguard the confidentiality of trial data, which might lead to the identification of the individual subjects” and that “[i]n order to maintain the confidentiality, the videographer should be engaged as part of the study team.”58 Nevertheless, these guidelines, while helpful, do not address many of the other practical, cultural, and security-related concerns. In July 2015 CDSCO recognized these difficulties and significantly reduced and narrowed the mandate. The new CDSCO rule provided that an AV recording of the informed consent session must be maintained by the investigator “in case of vulnerable

52 SINGH, supra note 51. 53 Id. at 2.

54 Gagandeep Kang, Video Informed Consent, 376 N. ENGL. J. MED., 856, 864 (2017), https://www.nejm.org/doi/pdf/10.1056/NEJMra1603773. 55 Niranjan G. Kulkarni et al., Audio-Video Recording of Informed Consent Process: Boon or Bane, 5 PERSP. CLINICAL RES. 6, 6–10 (2014). 56 Ramesh Chand Chauhan et al., Consent for Audio-Video Recording of Informed Consent Process in Rural South India, 6 PERSP. CLINICAL RES. 159, 159–162 (2015). 57 Kulkarni et al., supra note 55. 58 CENT. DRUGS STANDARD CONTROL ORG., supra note 51, at 8.

subjects in clinical trials of New Chemical Entity or New Molecular Entity.”59 The new rule scaled back the burden of the provision by limiting its application only to trials of new chemical or molecular entities. Also, the revised regulation permits audio recording alone, without video recording, to satisfy the requirement for trials related to human immunodeficiency virus and leprosy, presumably to reduce the possibility of confidentiality breaches regarding those sensitive conditions.60 The CDSCO revision nevertheless requires further explanation as to which patients will be considered “vulnerable” and therefore for whose informed consent the AV recording requirement remains applicable. Although the new rule appeared to narrow the scope of the AV requirements, the rule would still be applicable in most instances if vulnerability is defined broadly to include characteristics—such as relative indigence—that apply to a large proportion of the Indian population. Indeed, under the current regulations, a section on ECs under Schedule Y provides the following examples of vulnerable subjects: “members of a group with hierarchical structure (e.g.
prisoners armed forces personnel, staff and students of medical, nursing and pharmacy academic institutions), patients with incurable diseases, unemployed or impoverished persons, patients in emergency situation, ethnic minority groups, homeless persons, nomads, refugees, minors or others incapable of personally giving consent.”61 It is unclear whether the approach to “vulnerable subjects” in this EC-related section would be adopted in the context of the AV requirements. If it were, the breadth of this list and the inclusion of unemployed and impoverished individuals might sweep in a large portion of the Indian population, depending on how “impoverished” and other terms are defined and interpreted. The Indian government has been working continuously to address these ambiguities. The ICMR even recently released revised ethical guidelines that offer some additional helpful insight into which groups might be considered “vulnerable.”62 Specifically, ICMR’s 2017 Ethical Guidelines describe certain “[c]haracteristics that make individuals vulnerable,” such as “legal status – children; clinical conditions – cognitive impairment, unconsciousness; or situational conditions – including but not limited to being economically or socially disadvantaged . . . .”63 Neither the aforementioned provisions in Schedule Y nor these guidelines have shed much light

59 Drugs and Cosmetics (Fifth Amendment) Rules, 2015, 489 Gazette of India, pt. II sec. 3(i), G.S.R. 611(E), 3 (July 31, 2015) (emphasis added), http://www.cdsco.nic.in/writereaddata/Gazette%20Notification%2031%20July%202015.pdf [https://perma.cc/72X3-Q2AY]. 60 Id. 61 Drugs and Cosmetics Rules, 1945, Schedule Y, 506-07, http://cdsco.nic.in/html/D&C_Rules_Schedule_Y.pdf [https://perma.cc/HMU7-Y98J].

62 See generally INDIAN COUNCIL OF MED. RESEARCH, NATIONAL ETHICAL GUIDELINES FOR BIOMEDICAL AND HEALTH RESEARCH INVOLVING HUMAN PARTICIPANTS (Oct. 2017) (emphasis added), https://icmr.nic.in/sites/default/files/guidelines/ICMR_Ethical_Guidelines_2017.pdf [https://perma.cc/U5T4-64US]; Draft Medical Device Rules, 724 Gazette of India 145, 218 (Oct. 17, 2016) (explaining that, for trials of medical devices, “vulnerable subjects” means “members of a group with hierarchical structure (e.g. prisoners, armed forces personnel, staff and students of medical, nursing and pharmacy academicians institutions), patients with incurable diseases, unemployed or impoverished persons, patients in emergency situation, ethnic minority groups, homeless persons, nomads, refugees, minors or others in capable of personally giving consent.”) (finalized as Medical Devices Rules, 2017, 70 Gazette of India 143 (Jan. 31, 2017), http://www.cdsco.nic.in/writereaddata/Medical%20Device%20Rule%20gsr78E.pdf [https://perma.cc/EHE4-HRBH]). 63 INDIAN COUNCIL OF MED. RESEARCH, supra note 62, at 10–11.

on the parameters of impoverished or “economically or socially disadvantaged” status, or how those characteristics would be assessed. Nevertheless, these provisions coupled with India’s demographics, including estimates that one in five Indians are poor and 80 percent live in rural areas,64 suggest that many Indian trial participants would be considered economically or socially disadvantaged, and hence vulnerable, thereby triggering the stringent AV informed consent requirements for many participants in trials for new molecular or chemical entities.
The Chaudhury Expert Committee also recommended that the government promulgate a “strong provision for ancillary care to cater for patients suffering from any other illness during the trial,” even if unrelated to the trial itself.65 Consequently, on July 3, 2014, CDSCO issued an order that sponsors must provide “ancillary care . . . to the clinical trial subject for brief illness in the same hospital/trial site, wherever required.”66 Yet that order defines neither “ancillary care” nor “brief illness” and could benefit from further clarification. Under the provision as written, the academic or industry sponsor automatically is responsible to provide care for trial participants for any “brief illness,” regardless of relatedness to the trial. The provision has not only increased uncertainty regarding the obligation of a sponsor to provide care for trial participants outside of the treatment set forth in the protocol, but also has created the possibility that individuals with serious preexisting medical conditions may enroll in trials in order to receive free medical care. This incentive for trial enrollment could predictably result in adverse selection in the subject population and trigger the ethical problem of “undue influence” over potential subjects who may otherwise struggle to afford necessary care relating to their illnesses. In sum, the “ancillary care” provision likely discourages sponsors from siting clinical trials in India and may unduly incentivize persons to seek to enroll in trials. The Indian Parliament subsequently became active in proposing strict legislation regarding clinical trials issues. 
In an effort to address perceived gaps in the Indian clinical trials regulatory regime, a new comprehensive regulatory reform bill—the Drugs and Cosmetics Amendment Bill 2013 (the “2013 bill”)—was introduced in Parliament in August 2013, but ultimately was not enacted.67 Section 4ZE of the 2013 bill provided that any clinical researcher (including the institution, sponsor, or investigator) who fails to conduct a clinical trial in accordance with “the conditions of permission” imposed by the Central Licensing Authority may be punished with a minimum of two years imprisonment and a fine in the amount of Rs. 5 lakhs.68 In addition, section 4ZG of the 2013 bill provided that any researcher who fails to compensate a subject suffering a trial-related injury “shall be punishable with

64 India’s Poverty Profile, WORLD BANK (May 27, 2016), http://www.worldbank.org/en/news/infographic/2016/05/27/india-s-poverty-profile [https://perma.cc/3ZRT-L6JP]. 65 Report of Chaudhury Committee, supra note 45, at 3.

66 G.N. SINGH, CENT. DRUGS STANDARD CONTROL ORG., 12-01/14-CD Pt. 47, ORDER REGARDING PROVIDING ANCILLARY CARE TO THE CLINICAL TRIAL SUBJECTS (July 3, 2014), http://www.cdsco.nic.in/writereaddata/oo5.pdf [https://perma.cc/QE6S-42VT]. 67 The Drugs and Cosmetics (Amendment) Act Bill, 2013, No. LVIII, 2013 (India), http://www.prsindia.org/uploads/media/Drugs%20and%20Cosmetics/drugs%20and%20cosmetics%20bill.pdf [https://perma.cc/47HM-7TZP]. 68 Id. at 13. See also Mark Barnes et al., Clinical Trial Research Is No Crime, HINDU BUSINESSLINE (Dec. 1, 2014), http://www.thehindubusinessline.com/opinion/clinical-trial-research-is-no-crime/article6652150.ece [https://perma.cc/YA8N-L4XH].

imprisonment which may extend to two years and with fine which shall not be less than twice the amount of the compensation.”69 Given the uncertain scope of these harsh penalties, the provisions were met with resistance. During his 2013 deposition for Parliament’s Committee on Health and Family Welfare, Dilip G. Shah, then-secretary general of the Indian Pharmaceutical Alliance, expressed concern that the penalties would stunt the siting of clinical trials in India and were “without adequate safeguards and prone to abuse.”70 By June 2016, the Indian government decided to withdraw the 2013 proposed bill.71 On December 31, 2014, India’s new Bharatiya Janata Party government released a new proposed bill to amend the Drugs and Cosmetics Act of 1940 (the “2015 reform bill”).72 Instead of clarifying the subject injury compensation requirements, however, the bill delegated the resolution of those issues to the proper regulatory authority, including the power to define “injury . . .
in the course of a clinical trial” and the power to determine the compensation provisions for such injuries.73 In addition, the 2015 reform bill was similar to the 2013 bill in that it set forth criminal penalties for those who conduct trials without proper authorization to do so or those who conduct trials in violation of the clinical trial regulations.74 Specifically, Section 4K essentially created criminal liability for conducting a clinical trial without permission.75 Also, under Section 4-O “[w]hoever, himself or by any other person on his behalf, conducts clinical trials with any new drug . . . in contravention of the conditions of permission issued under section 4A and rules made thereunder” that causes adverse effects on participants shall be punishable with imprisonment and/or a fine.76 While these proposed criminal provisions suggested an intent to make more rigorous India’s clinical trials regulatory protections, they nevertheless are troubling, as they reflect a lack of understanding “that the conditions, requirements and conduct of clinical trials are enormously complex, and that strict adherence to all conditions of a protocol is almost never possible.”77 Importantly, however, neither the 2013 bill nor the 2015 reform bill was enacted.

69 The Drugs and Cosmetics (Amendment) Act Bill, 2013, supra note 67, at 14. 70 Barnes et al., supra note 68. 71 See The Drugs and Cosmetics (Amendment) Bill, 2013, PRS LEGISLATIVE RESEARCH, http://www.prsindia.org/billtrack/the-drugs-and-cosmetics-amendment-bill-2007-2903/ [https://perma.cc/AH8K-H3CM]; Cabinet Withdraws Drugs & Cosmetics (Amendment) Bill 2013, To Bring New Draft, HINDUSTAN TIMES (June 22, 2016, 19:13 IST), http://www.hindustantimes.com/india-news/cabinet-withdraws-drugs-cosmetics-amendment-bill-2013-to-bring-new-draft/story-wssy9Lfwm2NZNRFqzxYDyL.html [https://perma.cc/QKW8-F9BS]. 72 See Draft Drugs and Cosmetics (Amendment) Bill, 2015 (Dec. 31, 2014), http://www.cdsco.nic.in/writereaddata/D&%20C%20AMMENDMENT%20BILL(1).pdf [https://perma.cc/LQ57-YSML]. See also Mark Barnes et al., India’s Proposed Amendments to the Drug and Cosmetics Act: Compensation for Injuries to Clinical Trial Participants and the Criminalization of Clinical Research, 9 LIFE SCI. LAW & INDUS. REP. 117, 7 (2015), BNA 1935–7257. 73 Draft Drugs and Cosmetics (Amendment) Bill, 2015, supra note 72, at 7. See also Barnes et al., supra note 72, at 4. 74 See Draft Drugs and Cosmetics (Amendment) Bill, 2015, supra note 72, at 10. 75 Id. (“Whoever himself, or by any other person on his behalf, conducts clinical trial of . . . any new drug . . . in contravention of section 4A and the rules made thereunder, shall be punishable with imprisonment which may extend to three years or fine which may extend to five lakh rupees or both.”). 76 Id. at 11. 77 Barnes et al., supra note 72, at 7.

III. EFFECT OF NEW REGULATIONS

According to some observers, the series of stringent regulations and proposed bills since 2013 has hindered meaningful clinical trials of new therapeutic agents. As the President of the Indian Society for Clinical Research stated in a 2016 article, these “hasty regulatory reforms . . . have posed a challenge to conducting clinical [research] in the country.”78 The well-intentioned, yet largely unproductive, regulation-making affected much of the human subjects research infrastructure in India. It led to a significant reduction in clinical trial activity by leading industry sponsors and other organizations, including, for a time, the U.S. National Institutes of Health (“NIH”).79 In response to India’s new regulations, the NIH placed several ongoing clinical trials on hold in 2013.80 In addition, NIH elected to forego starting or funding major new drug and medical device trials in India.81 In so doing, NIH issued a public statement: “Because of the uncertainties posed by the new requirements, NIH and some grantees have suspended new patient enrolment for some of its ongoing interventional trials. Some NIH-funded trials and other planned activities have been postponed pending clarification of the new regulations.”82 The aggregated regulatory changes and the proposed Parliamentary bill’s criminalization of deviations from trial protocols led to a precipitous decline in the number of clinical trials approved in India.83 As a 2013 article in The Hindu reported, “[c]linical trials of drugs in India have seen a drastic fall this year after toughened norms were introduced following Supreme Court directives,” and how, consequently,

78 Melissa , Trust Needed to Bring Back Clinical Trials to India, Says ISCR President, OUTSOURCINGPHARMA.COM (Jan. 21, 2016), http://www.outsourcing-pharma.com/Clinical-Development/Trust-needed-to-bring-back-clinical-trials-to-India [https://perma.cc/WC9J-UW4B]. 79 See Press Information Bureau, supra note 24 (“The National Institutes of Health (NIH), have raised concerns about how these new requirements will be implemented, particularly the specific provision related to compensation. NIH have suspended enrolment of participants in 35 interventional trials in India.”). Biogen Idec also suspended trials for six months to assess the impact of these changes. Overcoming Clinical Challenges in BRIC Markets: A White Paper, supra note 2, at 9. See also Chirang Shah et al., Regulatory Approval in India: An Updated Review, APPLIEDCLINICALTRIALS.COM (May 4, 2016), http://www.appliedclinicaltrialsonline.com/regulatory-approval-india-updated-review [https://perma.cc/RS9N-MPEY] (“Because of these changes to the regulatory framework, many multinationals withdrew their clinical studies from India. This resulted in a standstill for the entire clinical research industry in India.”). 80 See Sara Reardon, NIH Makes Wary Return to India, NATURE (Feb. 11, 2014), http://www.nature.com/news/nih-makes-wary-return-to-india-1.14699; [https://perma.cc/9D7U-8R4N]; American Research Centre Stops Clinical Trials in India, FIRSTPOST (July 28, 2013), http://www.firstpost.com/world/american-research-centre-stops-clinical-trials-in-india-991725.html; [https://perma.cc/WSY7-QWL6]; Press Information Bureau, supra note 24.

81 Barbara Bierer & Mark Barnes, Clinical Trials, A Lost Opportunity for India, FINANCIAL EXPRESS (Nov. 3, 2014), http://www.financialexpress.com/archive/clinical-trials-a-lost-opportunity-for-india/1303767/. [https://perma.cc/TB4K-85KK]. 82 Andrew Buncombe, “A Heaven for Clinical Trials, a Hell for India”: Court Orders Government to Regulate Drugs Testing by International Pharmaceutical Companies, INDEPENDENT (Sept. 30, 2013), http://www.independent.co.uk/news/world/asia/a-heaven-for-clinical-trials-a-hell-for-india-court-orders-government-to-regulate-drugs-testing-by-8849461.html [https://perma.cc/6EDX-EPQV]. 83 See Reconsidering India as a Clinical Trial Location: Revised Regulations Warrant a Fresh Look, PHARM-OLAM INTERNATIONAL, 6 (2016), https://cdn2.hubspot.net/hubfs/4238150/PharmOlam_March2018/PDF/pharm-olam_india_clinical_trials_white_paper_1.pdf?t=1539471111921 [https://perma.cc/M9EL-RV62].

2018 CLINICAL TRIALS IN INDIA 617

“there has also been a significant reduction in the number of sponsoring pharma firms applying for such approvals.”84 Additionally, following the flurry of new rules and orders, many Indian-owned, India-based contract research organizations (“CROs”) ceased operations in India. Max India, for example, announced the sale of its clinical research business to a Canadian CRO, stating that the regulatory challenges had made it difficult to scale up the business.85 Reports also suggest that due to these regulatory revisions, multinational pharmaceutical companies generally reduced their presence and activity in India.86 It is difficult to avoid the conclusion that some of the harsher regulatory reforms harmed the clinical enterprise throughout India, resulting in fewer trials of new, experimental therapeutic products and shutting off the availability of experimental products to persons in India, who would have accessed them through a clinical trial. Declining pharmaceutical investment in India would be regrettable in light of India’s enormous potential as a location for clinical trials and, more importantly, because it would hinder the Indian population’s access to novel, innovative investigational therapies that may meet unmet medical needs. Promoting and bolstering clinical trials activity in India would also be a boon to the Indian economy, spurring many jobs such as those in research, clinical data management, biostatistics, and IT services.87 These trends may now begin to be reversed or at least stabilize, as some regulatory reforms have been scaled back or implemented in a less severe way than originally feared. Reports indicate that since 2013, the number of clinical trials approved by DCGI has increased.88 Since 2015, Phase IV trials have increased, perhaps reflecting a lower risk of compensable injury in post-marketing studies.89 Some sources suggest that CRO presence in India is also rebounding. 
For example, in September 2017, Quanticate expanded its presence in India by opening a new office in Bangalore and announcing plans to increase its workforce in order to meet increased demand in India.90 Further, as a result of ongoing efforts on the part of the government to clarify

84 HINDU, supra note 1. 85 Nair, supra note 10. The article also states that “[m]any CROs say that conducting clinical trials in India is now difficult and cumbersome, and have not gone ahead with trials despite getting government approval.” Id.

86 Datamonitor Healthcare, Indian Pharmaceutical Market, PHARMA INTELLIGENCE, 2 (2013), https://pharmaintelligence.informa.com/~/media/Informa-Shop-Window/Pharma/Files/PDFs/whitepapers/Indian-Pharmaceutical-Market-White-paper_11-2016.pdf. This white paper further suggests that the “use of compulsory licenses for patented drugs is further contributing to the loss of faith in the Indian patent system among Western manufacturers.” Id. at 3. 87 See, e.g., Global Pharma Looks to India: Prospects for Growth, PRICEWATERHOUSECOOPERS 1, 5, https://www.pwc.com/gx/en/pharma-life-sciences/pdf/global-pharma-looks-to-india-final.pdf [https://perma.cc/732H-9JRW].

88 Jyoti Shelar, After a Lull of Five Years, Clinical Trials on the Rise in India, HINDU (June 2, 2018), https://www.thehindu.com/news/national/after-a-lull-of-five-years-clinical-trials-on-the-rise-in-india/article24069487.ece (“There is a gradual revival in the number of clinical trials being done in India. From an all-time low of 17 clinical trials approved by the Drug Controller General of India (DCGI) in 2013, the number has slowly increased to 97 in 2017, a more than 400% jump in five years.”). 89 Mathini Ilancheran, Measuring the Impact of Reforms on India’s Clinical Trial Environment, CLINICAL LEADER (Oct. 12, 2017), https://www.clinicalleader.com/doc/measuring-the-impact-of-reforms-on-india-s-clinical-trial-environment-0001. [https://perma.cc/3J99-TLC9]. 90 See UK CRO Quanticate Doubles its Footprint in India, PHARMATIMES (Sept. 27, 2017), http://www.pharmatimes.com/news/uk_cro_quanticate_doubles_its_footprint_in_india_1206470. [https://perma.cc/4V5P-KLBQ].

requirements, many industry observers remain optimistic regarding India’s future as a center for clinical research.91

IV. MORE RECENT CLARIFICATIONS OF STRINGENT REGULATIONS

Given the adverse effects of revised regulations on India’s clinical trial enterprise, the Indian government appears to now be clarifying many of the new requirements, presumably to correct excessive regulations and thereby reinvigorate clinical research. For example, in an effort to decrease administrative burden and speed up review of proposed research in India, India launched an online submission system for permission to conduct clinical trials in 2015.92 Moreover, evidence suggests that certain regulations have not been enforced strictly as written, with governmental authorities instead showing flexibility in the implementation and enforcement of the rules. Specifically, despite the ambiguity and potential breadth of the compensation provisions, governmental authorities in India have stated in public fora that compensation, in practice, has only been afforded to a clinical trial subject when the SAE or death has been determined to be causally related to the investigational drug— which is a much more rigorous standard than what is reflected in the current revised regulation.93 Moreover, the aforementioned ICMR 2017 Ethical Guidelines provide additional guidance regarding India’s clinical trials rules, including specifying that with respect to the compensation provisions, “[m]edical management should be free if the harm is related to the research” and that “[c]ompensation should be given to any participant when the injury is related to the research.”94 This suggests a more strict causation standard for compensation than is set forth in the applicable national regulations. The 2017 ICMR guidelines are evidence of efforts by the Indian

91 See e.g., Amita Bhave & Suresh Menon, Regulatory Environment for Clinical Research: Recent Past and Expected Future, 8 PERSP. CLINICAL RES. 14, 11-16 (2017), http://www.picronline.org/article.asp?issn=2229-3485;year=2017;volume=8;issue=1;spage=11;epage=16;aulast=Bhave (“Indian regulations have been evolving positively in the recent past and are expected to be much more conducive for clinical research facilitating faster approval timelines, increased transparency while fully ensuring patient safety. This will help bring newer innovative medicines to Indian patients at an earliest.”); Sanil Manavalan & Catherine Sinfield, Conducting Clinical Trials in India: Opportunities and Challenges, CLINICAL LEADER (Aug. 8, 2017), https://www.clinicalleader.com/doc/conducting-clinical-trials-in-india-opportunities-and-challenges-0001 (“More checks and balances have been put in place for certification of sites, ethics committees, and limiting the number of concurrent trials by a principal investigator. Central Drug Standards Control Office (CDSCO) has also issued GCPs inspection checklist recently in August 2016 and is helpful for sponsors and sites. Overall, this translates into better quality trials and cleaner data than what existed prior to the overhaul, the evolving process positively supports clinical research in India while appropriately balancing patient safety.”) [https://perma.cc/7SNC-8BE9].

92 See CENT. DRUGS STANDARD CONTROL ORG., 04-01/2012-Misc.-159, NOTICE REGARDING IT ENABLED SYSTEM FOR ONLINE SUBMISSION OF APPLICATIONS OF CLINICAL TRIAL-REG. (Sept. 9, 2015), http://www.cdsco.nic.in/writereaddata/latestNotice%20for%20website%20OCTAMS.pdf [https://perma.cc/WK99-9B99]. 93 Bierer, supra note 17 (“Verbal reports from governmental authorities have assured us that compensation has only been awarded when SAEs and death have been determined to be causally related to investigational drug.”). 94 INDIAN COUNCIL OF MED. RESEARCH, supra note 62 (emphasis added). See also id. at 81 (“Provision of free treatment and compensation for any study-related injury must be ensured for the trial participant. The EC must determine the compensation amount after the investigator has described the relatedness.”).

government to clarify and remedy some of the harsher regulatory changes imposed beginning in 2013. Another example of easing of regulatory requirements came in November 2015, when CDSCO released a regulatory circular allowing ECs to approve requests for new clinical trial sites and new investigators to be added to a clinical trial without CDSCO’s approval as long as the ECs conduct “due diligence” on new sites and investigators.95 ECs must still inform DCGI of additions or deletions of sites and investigators, and DCGI may object to any such additions or deletions, but clinical trial sponsors are no longer required to obtain a “no objection” certificate from DCGI each time they add a site or investigator to a study.96 The government has scaled back requirements for trials that have an “academic/research” purpose and are not conducted in preparation for a regulatory submission; beginning in October 2015, permission from DCGI is no longer required for “clinical trials for academic/research purposes that are non-regulatory in nature . . .
provided that, the trials were approved by the respective Ethics Committee and they are not for regulatory submissions (i.e., if the trial are not for claiming permission of New Drug for marketing as per Drugs and Cosmetics Rules).”97 Other changes were made in August 2016 in an effort to ease regulatory hurdles to conducting clinical trials. Specifically, in August 2016, CDSCO released an order removing the prohibition on investigators conducting more than three trials at a time, stating: “[the] Ethics Committee after examining the risk and complexity involved in the trial being conducted/proposed shall decide about how many trials an investigator can undertake.”98 At the same time, CDSCO released an order effectively eliminating the requirement that trials be conducted only at sites with more than 50 hospital beds, requiring instead that the EC must decide whether the trial site is suitable.99 As described above, in June 2016 the Indian government withdrew the previously discussed Drugs and Cosmetics (Amendment) Bill, 2013.100 Additionally, CDSCO released a notice stating that the MoHFW plans to “re-visit the Drugs and Cosmetics Act, 1940 and Rules, 1945 to match up with the current regulatory requirements related to safety, efficacy and quality of drugs, medical devices and cosmetics.”101 The

95 CENT. DRUGS STANDARD CONTROL ORG., 12-01/14-DC Pt. 47, CIRCULAR REGARDING REQUIREMENT OF NOC FROM DCGI FOR ADDITION OF NEW CLINICAL TRIAL SITE OR INVESTIGATOR (Nov. 10, 2015), http://www.cdsco.nic.in/writereaddata/NOC%20for%20DCGI.pdf [https://perma.cc/8D4M-ZADY]. 96 Id. 97 CENT. DRUGS STANDARD CONTROL ORG., 12-01/14-DC Pt. 47, CIRCULAR REGARDING REQUIREMENT OF PERMISSION FOR CONDUCT OF CLINICAL TRIALS FOR ACADEMIC/RESEARCH PURPOSES THAT ARE NON-REGULATORY IN NATURE (Nov. 10, 2015), http://www.cdsco.nic.in/writereaddata/Requirement%20of%20permission%20for%20conductd.pdf [https://perma.cc/E75Y-5BUA].

98 CENT. DRUGS STANDARD CONTROL ORG., 12-01/14-DC Pt. 47, CIRCULAR REGARDING RESTRICTION OF CONDUCTING THREE CLINICAL TRIALS PER INVESTIGATOR (Aug. 2, 2016), http://www.cdsco.nic.in/writereaddata/restricion%20of%20conducting%20three.pdf [https://perma.cc/G8PG-SJ9N].

99 CENT. DRUGS STANDARD CONTROL ORG., 12-01/14-DC Pt. 47, CIRCULAR REGARDING REQUIREMENT OF 50 BEDDED SITE FOR CLINICAL TRIAL (Aug. 2, 2016), http://www.cdsco.nic.in/writereaddata/requirement%20of%2050%20bedded%20.pdf [https://perma.cc/66GK-URF8]. 100 See Cabinet Withdraws Drugs & Cosmetics (Amendment) Bill 2013, To Bring New Draft, supra note 71.

government has suggested that it plans to draft a fresh law, although its timeframe for doing so is presently unclear. It is also unclear what effect, if any, this has on the draft 2015 bill, which—unlike the 2013 bill—remains available on CDSCO’s website.102 On January 31, 2017, the Indian government released rules relating to the regulation of medical devices, including provisions relating to clinical investigations of such devices.103 The rules demonstrate additional strides the Indian government has taken to further clarify its regulatory framework. Previously, medical devices simply had been regulated as drugs under the Drugs and Cosmetics Rules, 1945, while other devices largely went unregulated.104 In September 2017, the Technical Committee headed by Dr. Jagdish Prasad, the Director General of Health Services, made an additional effort to promote ethical clinical trials activity in India and bolster the market for India-based CROs and hospitals by announcing that companies would be required to include Indian patients in global clinical trials in order to market in India a new drug developed outside of the country.105 The Technical Committee stated that “[a]ny firm intending to market a new drug which is being developed outside the country, should include Indian patients in the Global Clinical Trial.”106 Although it is unclear what the overall effect of this change will be, it nevertheless demonstrates the government’s continued focus on ensuring the safety and efficacy of drugs marketed in India. Further, the change will require pharmaceutical companies wishing to market their products in India to conduct clinical trials in India, which presumably will lead to an increase in the volume of clinical trials activity in the country. 
Finally, the 2018 Draft Rules described above consolidate and clarify many of the previously discussed notices and orders released over the years, yet also include disconcerting compensation-related provisions.107 Of particular concern is the fact that the 2018 Draft Rules not only preserve the requirement that the sponsor compensate trial participants for all injuries deemed “related to” a clinical trial under a broad list,

101 CENT. DRUGS STANDARD CONTROL ORG., D-21013/63/2016-DC, NOTICE REGARDING REVISIT OF DRUGS AND COSMETICS ACT 1940 AND RULES 1945 (June 6, 2016), http://www.cdsco.nic.in/writereaddata/Noticedatede06_6_2016.pdf [https://perma.cc/K6EE-98R8]. See CENT. DRUGS STANDARD CONTROL ORG., ACTS AND RULES, http://www.cdsco.nic.in/forms/contentpage1.aspx?lid=1888 [https://perma.cc/C26C-4DAV] (last updated Jan. 19, 2017). 102 See CDSCO, Acts and Rules, https://cdsco.gov.in/opencms/opencms/en/Acts-Rules/index.html [https://perma.cc/C26C-4DAV] (last updated Jan. 19, 2017). 103 See Medical Device Rules, 2017, 70 Gazette of India, pt. II sec. 3(i), G.S.R. 781(E) (Jan. 31, 2017), http://www.cdsco.nic.in/writereaddata/Medical%20Device%20Rule%20gsr78E(1).pdf [https://perma.cc/7PNQ-S45L]. Chapter VII covers clinical investigations of medical devices and clinical performance evaluations of new in vitro diagnostic devices. Id. at 157. 104 See Bhavik Narsana & Minhaz Lokhandwala, India: The Medical Devices Rules – An Analysis, MONDAQ.COM (Sept. 11, 2017), http://www.mondaq.com/india/x/627736/Life+Sciences+Biotechnology/The+Medical+Devices+Rules+An+Analysis. [https://perma.cc/AP9H-MSU3].

105 CENT. DRUGS STANDARD CONTROL ORG., MINUTES OF 42ND TECHNICAL COMMITTEE MEETING HELD ON 25.09.2017 (June 25, 2017), http://www.cdsco.nic.in/writereaddata/technical%20committee%2042%2025_9_2017.pdf, [https://perma.cc/XZL5-TB45]; Sushmi Deyl, To Market New Drugs in India, Global Trials Must Include Indians, TIMES OF INDIA (Oct. 11, 2017), https://timesofindia.indiatimes.com/india/to-market-new-drugs-in-india-global-trials-must-include-indians/articleshow/61029119.cms; [https://perma.cc/6J7T-CJTD].

106 CENT. DRUGS STANDARD CONTROL ORG., supra note 105, at 2. 107 See Draft New Drugs and Clinical Trials Rules, 2018 (2017), http://www.cdsco.nic.in/writereaddata/Draft%20CT%20Rules%20sent%20for%20Publication.pdf [https://perma.cc/4NE2-8UYP]. Seeking to speed up the trial application process, the 2018 Draft Rules also provide that an application to conduct a clinical trial of a new drug that was either discovered in India or will be manufactured and marketed in India must be processed within 45 days. Id. at Ch. VI, Section 23.

but the 2018 Draft Rules also would increase the burden on sponsors, even in excess of the existing regulations. Under the 2018 Draft Rules, for example, if a research subject dies or suffers a permanent disability during a trial, and if the EC finds the injury to be “related to” the trial under the broad existing definition of “related to”, then (1) the EC must determine in its opinion the compensation to be paid based on the formulae the government have developed (which are based on certain factors such as age of the subject) and (2) the trial sponsor, within 15 days of the EC’s determination, must pay an interim compensation of 60 percent of the full compensation.108 More concerning still is an explanatory footnote to the rules explaining that interim compensation would be irrevocable, meaning even if it is later determined that the death or injury was not related to the clinical trial, the interim compensation must stand and is not reimbursable to the sponsor: “For removal of doubt it is hereby declared that the amount paid as an interim compensation as referred to in sub-rule (1) to the trial subject or its legal heir, as the case may be, shall not be recoverable irrespective of the cause of the death or permanent disability during the clinical trial.”109 Under the proposal, the sponsor is automatically assessed at least 60 percent of total compensation if the EC determines that a research
participant’s death or permanent disability is indeed related to the trial. The 2018 Draft Rules also generally preserve the broad list of circumstances deemed “related to” a clinical trial, which are much broader than would be determined through longstanding methods of assessing causality of injuries in clinical trials.110 The 2018 Draft Rules’ version of this list misses the mark in the same way as its predecessor currently still in effect: by holding sponsors responsible for injuries irrespective of fault, and by failing to acknowledge that the purpose of conducting clinical trials, in part, is to determine adverse events and safety of the investigational product. These rules are not only onerous, by requiring the sponsor or person who has obtained permission to pay interim compensation irrespective of whether the injury indeed is related to the trial or due to fault, but are also complicated, which alone could deter the siting of clinical trials in India. In regard to medical management of trial participants, sponsors would be, under these Draft Rules, financially responsible for all participants’ other non-trial related illnesses: “Where the trial subject is suffering from any other illness during participation in clinical trial or bioavailability and bioequivalence study, the sponsor shall provide necessary medical management and ancillary care.”111 The extreme breadth and unworkability of such a provision is best illustrated by an example. Pursuant to the rule as written, if a participant in a trial for an experimental new kind of eye drop has cancer, the sponsor of the trial would be responsible for providing “medical management and ancillary care” in connection with the participant’s cancer, leaving the sponsor exposed to high, unpredictable costs that are completely unrelated to the treatment being provided pursuant to the protocol. 
Once again, these proposed measures—though undoubtedly intended to benefit clinical trial participants—go beyond what other countries’ regulatory regimes typically demand of trial sponsors, and full implementation of the proposed provisions would likely continue to deter the

108 Id. at Ch. VI, Section 39. 109 Id. 110 Id. at Ch. VI, Section 41. 111 Id.

siting of clinical trials in India. The 2018 Draft Rules have been published for public objections and suggestions and are expected to be finalized after review of the comments and suggestions received from the stakeholders. One can hope that the final rules will roll back some of the provisions of these 2018 Draft Rules that put extraordinary burden on the sponsors.

V. CONCLUSION

After extensive national media attention following multiple deaths of participants allegedly related to participation in clinical trials, India took aggressive regulatory measures in order to address perceived risks for clinical trial participants. India has made important strides in developing a robust regulatory framework around clinical trials, the central focus of which is the protection of Indian clinical trial participants. While other countries mandate clinical trials insurance, India became one of few countries to mandate compensation for research-related injury, and specifically one of the only countries to provide compensation for economic losses.112 The Indian government also has taken steps to make sure ECs are properly formed, trained and operated through accreditation. These and other initiatives, including the desire to compensate and make whole, individuals who are injured in connection with clinical trials, are all commendable. These measures were intended to bolster and strengthen India’s clinical trial regulatory system and protect human subjects, but many of the regulatory changes exceeded clinical trials regulations in other countries and lacked definition, clarity, and compelling public policy rationale. In injury compensation, for example, assuring compensation to participants who are injured during a trial but whose injuries were not directly caused by participation in the trial may appear to vindicate important social justice values, but it also disincentivizes sponsors and trial funders from initiating trials in the country. Although many of these regulatory requirements recently have been clarified and scaled back, this regulatory experience has threatened the increasingly robust system surrounding, and enormous potential of, clinical research in India. 
More recent efforts to clarify and mitigate the harsher aspects of India’s clinical trials regulations, however, suggest that India retains great promise as a site for clinical research of new, significant medicinal products, due, among other factors, to the diversity of its people, its relatively low labor and capital costs, and a corps of well-trained physicians working in a set of modern medical centers. The Indian government’s recent clarifications, reversals, and revisions of a number of its new rules have spurred optimism about the clinical research climate in India, even as

112 See Munshi, supra note 37 at 66-67 (“In the USA, it is not mandatory by law for sponsors and Institutions to provide either free medical care or compensation for research related injuries to trial participants . . . . The Association of the British Pharmaceutical Industry (ABPI) guidelines . . . have been modified and adopted by many other countries such as South Africa, Australia and New Zealand. Unfortunately, these guidelines clearly state that there is ‘no legal commitment’ to pay compensation for research related injuries.”). See also George Rugare Chingarande & Keymanthri Moodley, Disparate Compensation Policies for Research Related Injury in an Era of Multinational Trials: A Case Study of Brazil, Russia, India, China and South Africa, BMC MED. ETHICS. 2018, 10, https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5816510/ [https://perma.cc/KH5J-V423] (discussing how “Brazil, India and South Africa have regulations that cover both medical treatment and financial compensation over and above the medical expenses,” but that “[o]nly India provides for the compensation of economic losses . . . [o]f the five countries under comparison India has by far the most comprehensive and most stringent regulations.”).

the episode provides an important global lesson in how significant changes in a regulatory regime can profoundly affect clinical research activity.113 During the media attention in 2013 and 2014, it was often said that, “there is no smoke without fire”— meaning the reported problems of clinical trial injuries in India must point to an underlying problem with how trials have been regulated. In the recent clarifications and proposed revisions of the regulations, the Indian government continues to seek to strike a balance between the safety of its population and the scientific requirements and needs for clinical research in India.
Although that balance has not yet been struck in a fully sustainable and satisfactory way, the ongoing regulatory efforts and continued responsiveness of the Indian government give some reason for optimism about the future of India as a robust center of clinical research.

113 See e.g., Reconsidering India as a Clinical Trial Location: Revised Regulations Warrant a Fresh Look, supra note 83 at 11 (stating that India as a destination for clinical trials deserves a “fresh look” in light of the easing of many requirements); Arun Bhatt, Future of Indian Clinical Trials: Moving Forward from Hyped Potential to Human Protection, 8 PERSP. CLINICAL RES. 2, 2-4 (2017), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5299800/ [https://perma.cc/J4WK-SAXY] (“As the Indian clinical trial environment became unattractive, the regulators amended some of the stringent regulatory requirements in 2015. And now, there is optimism among the stakeholders about prospects of growth of clinical trials.”).

ALERT

China Life Sciences

May 8, 2018

The China Drug Administration Proposes a Working Procedure for Pharmaceutical Study Data Protection

Attorneys: Katherine Wang

In response to the central government’s call for a data protection mechanism,1 the China Drug Administration (the “CDA”) published draft Implementing Measures for Pharmaceutical Study Data Protection (the “Draft”) on April 25, 2018 for public comment. This Draft specifies the scope of data protection, extends the data protection period, and, for the first time, proposes a working procedure for applying for and granting a data protection right.

To Redefine Protection Scope

Since China’s entry to the WTO in 2002, drugs containing innovative chemical entities have been entitled to six years of data exclusivity protection.2 The Draft expands the protection scope to cover both innovative drugs and generic drugs. Specifically, eligible drugs include (i) innovative drugs, (ii) innovative therapeutic biologics, (iii) orphan drugs, (iv) pediatric drugs, and (v) generic drugs to which pertinent patents have been invalidated. The current data protection mechanism protects independently generated and undisclosed study data and other data. The Draft narrows the scope of protected data to independently generated and undisclosed non-clinical and clinical study data submitted for marketing authorization purposes, and only if the data relate to product efficacy. Product safety data in the regulatory submissions is excluded from protection.

To Extend Protection Period

The Draft offers a variety of protection periods up to 12 years (for details, please see the table below). The level of protection is on par with what the USFDA offers3 and surpasses what the EMEA provides.4

Drugs | Protection Period
Innovative drugs | 6 years from the date of marketing authorization in China
Innovative therapeutic biologics | 12 years from the date of marketing authorization in China
Orphan drugs | 6 years from the date of the first approval of the relevant indication in China
Pediatric drugs | 6 years from the date of the first approval of the relevant indication in China
Generic drugs to which pertinent patents have been invalidated (i.e., first-to-market generics) | Unclear

1 See the General Office of the CPC Central Committee and the General Office of the State Council’s Opinions on Deepening the Reform of the Evaluation and Approval Systems and Encouraging Innovation on Drugs and Medical Devices dated October 2017. 2 See Article 34 of the Implementing Regulation of the Drug Administration Law (2016) and Article 20 of the Drug Registration Administration Measures (2007). 3 The U.S. grants a maximum 12 years of data protection period to biologics. 4 The EU grants a maximum 10 years of data protection period to innovative drugs.

ATTORNEY ADVERTISING ropesgray.com

To incentivize early launches of new drugs in China, the protection period for an innovative drug will be reduced by one to five years if the New Drug Approval (NDA) application is first filed outside China in reliance on data from multi-regional clinical studies on Chinese patients. No protection will be granted if such NDA application is filed six years later than the first foreign filing. Further, a protection period will be reduced (i) by 75% if an NDA application is solely based on overseas clinical data or (ii) by 50% if such NDA application is based on supplemental studies on Chinese subjects.

To Provide an Implementing Mechanism

The Draft introduces a working procedure for pharmaceutical companies to apply for and exercise their data protection rights. An NDA applicant can apply for a study data protection right in the NDA application with the CDA. The CDA may grant a data protection right together with the relevant NDA. Information about the rationale for data protection and its exclusivity term will be publicly available in China’s Orange Book. If any subsequent application concerns a drug having the same active ingredient and indication as that of a protected drug during the exclusivity term, the CDA will notify the relevant data protection right owner within 30 days after its receipt of the application. The right owner can oppose this application within 30 days after receiving the notification. If the right owner opposes, the CDA will verify and decide on the authenticity of the data submitted by the other applicant, e.g., whether this data is truly independently generated by the applicant or from properly authorized sources. Either the right owner or the applicant can appeal the CDA’s decision through administrative appeal or litigation.

To Prevent Abuse of Right

The Draft requires a data protection right owner to voluntarily disclose its protected data after the right is conferred. However, it is unclear whether the right owner is obligated to disclose any protected data that contains trade secrets or personal data. In addition, an approved data protection right can be revoked by the CDA upon a third-party request if the relevant right owner fails to market and sell the protected drug within one year after receiving the NDA.

The updated regulatory data protection mechanism is encouraging, but several questions remain unclarified, for example: how an innovative drug is defined; which types of patents, if successfully challenged, can render a generic drug eligible for data protection; the exclusivity term of first-to-market generics; and the definition of “independently generated data.” We advise that pharmaceutical companies submit comments to the CDA by May 31, 2018. If you would like to discuss the foregoing or any other related matter, please contact Katherine Wang or your usual Ropes & Gray advisor.

This alert should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This alert is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. © 2018 Ropes & Gray LLP

March 28, 2018 Spotlight on Korea

Attorneys: Mimi Yang, Karen Oddo

Introduction

Although historically U.S. regulators have not focused FCPA enforcement efforts in Korea to the same extent as other Asian jurisdictions such as China and India, multinational companies doing business in Korea, particularly in the life sciences space, should remain vigilant. In addition to the possibility of increased enforcement by U.S. regulators going forward, domestically, Korea has pursued an increasingly stringent and aggressive anti-corruption regime, marked by several high-profile enforcement actions as well as Korea’s implementation of an expansive new anti-corruption law, the Kim Young-ran Act, in September 2016.

In its latest effort to battle corruption and increase transparency, Korea implemented the Sunshine Act, which requires pharmaceutical and medical device companies to establish and maintain an expense reporting system to track economic benefits provided to healthcare professionals (“HCPs”) during a fiscal year. The obligation to implement the reporting system took effect on January 1, 2018, following adoption of the law in June 2017.

With the roll-out of the Sunshine Act marking a further uptick in Korea’s efforts to strengthen its anti-corruption efforts, companies operating in the life sciences space in Korea should take appropriate steps to ensure compliance with local requirements, such as localizing their compliance policies and programs.

The Sunshine Act

Under Korea’s Sunshine Act, pharmaceutical and medical device companies must collect and maintain records of economic benefits provided to HCPs, and prepare an aggregated expense report detailing the economic benefits provided during each fiscal year. Companies must generate aggregated expense reports within three months following the conclusion of their fiscal year, and retain expense reports for at least five years. Expense reports and relevant supporting documentation must be provided, if requested, to the Ministry of Health and Welfare (“MHW”), which may use such materials to investigate whether illegal kickbacks have been paid. There is no requirement that such reports be made public.

The MHW identified seven reporting categories: (1) samples; (2) clinical trials; (3) post-market surveillance; (4) product presentations to multiple medical institutions; (5) product presentations to a single medical institution; (6) academic conferences; and (7) price discounts. For product presentations, food, drinks, and souvenirs exceeding US$9 require reporting, while those under US$9 do not. However, no minimum threshold is required to trigger the reporting obligation for other economic benefits.

Regarding covered persons, companies must collect and keep records of economic benefits provided to a broad range of health care professionals, including physicians, pharmacists, dentists, traditional Korean medicine practitioners, nurses, midwives, founders of medical institutions, and individuals working with medical institutions for purposes of sales promotion.


Enforcement Trends

Signaling a continuing focus on domestic anti-corruption efforts, particularly in the life sciences industry, the Sunshine Act follows on the heels of several high-profile anti-corruption enforcement actions by Korean regulators. Such efforts include a US$48 million fine against Novartis International AG for allegedly bribing doctors to use its products in May 2017, and the criminal conviction of the top executive of one of the largest Korean companies.

It also follows the September 2016 implementation of the Kim Young-ran Act, which significantly expanded the scope of Korea’s anti-corruption laws, imposing requirements that exceed the scope of the FCPA. Specifically, the Kim Young-ran Act criminalized the provision of “benefits” to any “public official” exceeding KRW 1 million (about USD $900) in a single instance, or KRW 3 million (about $2,500) in aggregate over a one-year period, regardless of whether benefits are provided in exchange for any particular business favor or in connection with the public official’s duties. The Kim Young-ran Act also expanded the definition of public officials to cover a broader range of persons, including private educators and employees of state-owned enterprises, extended criminal liability to corporations for employee misconduct, and set caps on certain benefits offered for promotion of normal business and social relationships (KRW 30,000 (approximately US$25) for meals/drinks, KRW 50,000 (approximately US$41) for gifts, and KRW 100,000 (approximately US$82) for congratulatory or condolence payments at festive occasions and funerals).

While the Kim Young-ran Act does not specifically target the pharmaceutical and medical device industry, it indicates that Korea is committed to eliminating corruption and improper payments. Korean regulators have long focused on potential corruption within the life sciences sector. In addition to the US$48 million fine levied against Novartis in May 2017, from 2007 to 2011, the Korea Fair Trade Commission (“KFTC”) took extensive enforcement actions against the pharmaceutical industry, including global companies, and imposed numerous fines for “rebate” incentives provided to HCPs such as cash payments, lecture fees, and overseas sponsorships, which were deemed to be illegal incentives for increased prescriptions. The KFTC, and other Korean regulators, continue to investigate pharmaceutical and medical device companies for illegal rebates, improper payments, and related potential violations.

Given Korea’s continued focus on rooting out improper payments and potential corruption, particularly in the life sciences sector, domestic enforcement actions are likely to increase.

Recommendations

To navigate through an increasingly difficult anti-corruption regime in Korea, pharmaceutical and medical device companies doing business in Korea should assess and update their policies, procedures, and internal controls to ensure they are localized to address Korean concerns, particularly with respect to travel, gifts and entertainment, and expense controls.

As part of this process, with respect to the Sunshine Act in particular, companies should ensure that their systems carefully and effectively track spend and other relevant data, and analyze their categories of spend and persons to which they provide economic benefits, to determine which expenditures and persons trigger a reporting obligation under the Sunshine Act. In addition, companies should ensure that they have robust internal controls in place, particularly with respect to the seven reportable categories of support for healthcare professionals, and the use of corporate credit cards in connection with such support. Finally, companies should provide training to appropriate personnel on the Sunshine Act, and monitor compliance on an ongoing basis.


China Life Sciences

August 31, 2016 China FDA Clarifies Legal Consequences of Clinical Trial Data Inspections

Attorneys: Katherine Wang, Mark Barnes

China’s recent drug regulatory reform has emphasized that clinical trial data must be authentic and reliable. However, the legal consequences for breaching data integrity requirements in clinical trials remain ambiguous. On August 24, 2016, the China FDA (“CFDA”) issued a draft Guideline for Handling Issues Identified in Clinical Trial Data Inspections (“Draft Guideline”). The Draft Guideline aims to clarify what constitutes data forgery and the legal consequences of noncompliance in clinical trials for different stakeholders. The CFDA is currently seeking public comments on the Draft Guideline.

Previously, the CFDA issued on July 22, 2015, a circular requiring all applicants of 1,622 pending drug registration applications to self-inspect their clinical trial data and compliance with the Good Clinical Practices (GCP). The circular highlighted several priority areas for the self-inspection, such as consistency of the final data for analysis with the original raw data, documentation of changes, compliance in handling of samples and investigational products, management of subject screening, inclusion and exclusion, keeping track of protocol deviations and reporting of adverse events. Upon self-inspection, applicants voluntarily withdrew around 80% of the pending applications, including domestic and imported drug applications.

Based on the submitted self-inspection results, since early 2016 the CFDA has initiated five rounds of onsite inspections of selected clinical trials, including some Phase I to III trials and some BE studies. Among the first three batches of completed inspections, 30 drug applications were rejected, in most instances based on findings of false clinical data.

To provide more guidance on the legal consequences of these CFDA-led inspections, the newly issued Draft Guideline mainly addresses the following:

• Division of liability between applicants/sponsors, clinical trial institutions/sites, and clinical research organizations (CROs). While sites and CROs shall bear liability for those data integrity issues they are directly responsible for, the sponsors ultimately bear all the legal liabilities for the submitted clinical data and drug application dossier.

• Types of GCP breaches that constitute data forgery. The Draft Guideline gave a specific list of violations of relevant sections of GCP that constitute data forgery. Among others, hiding certain trial data or not presenting the complete data set is considered data forgery, which can lead to CFDA’s ban on the applicant’s future applications (see the bullet below).

• Ban on future applications. Companies that have forged clinical trial data are banned from refiling an application for the same product with the CFDA for the next three years. In particular, if data forgery is found to have occurred after November 11, 2015, the CFDA will directly reject the current application under review, and the applicant will be banned from filing any applications for any drug products for one year.

• Implementing a blacklist. Based on the Draft Guideline, blacklisting will apply not only to the sponsors, sites and CROs involved in data forgery, but also to the responsible individuals within these entities.


• Suspension of studies at study sites. If study sites are found to be involved in data forgery, or to have committed other serious GCP violations that threaten subject safety or data integrity, the sites must immediately suspend subject enrollment, rectify the misbehavior, and refrain from undertaking any new trials.

• Discretion in imposing penalties. Applicants can be exempted from penalties if they voluntarily report all identified issues through self-inspection and withdraw the questionable applications. There will be leniency in penalties if applicants fully cooperate with the investigation and timely explain and correct the identified noncompliance. On the other hand, applicants who decline, deter, or avoid inspections can face higher penalties.

We encourage life sciences companies to arrange necessary audits of ongoing clinical trials, evaluate the level of GCP compliance, and develop corrective action plans accordingly. If you would like to discuss the foregoing or any other related matter, please contact Katherine Wang or your usual Ropes & Gray advisor.

This alert should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This alert is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. © 2016 Ropes & Gray LLP

September 29, 2016 Donations and Grants in China: Compliance Controls Beyond T&E

While travel and entertainment expenses have presented significant compliance challenges for life sciences companies operating in China, donations and grants can also pose notable compliance risks. China’s escalated anti-corruption enforcement in recent years is well-publicized, and regulators have taken interest in grants and donations in the life sciences space. For example, in early 2015, the State Administration of Industry and Commerce (“SAIC”), which enforces commercial bribery regulations, published specific guidance on this issue for the pharmaceutical industry. More recently, the National Health and Family Planning Commission (“NHFPC”), China’s regulator for the health care services sector, also enacted specific measures on donations for health care-related organizations. These trends suggest potential scrutiny from enforcement officials towards grants and donations, which may be areas that deserve additional attention from legal and compliance professionals in the life sciences sector.

I. New NHFPC Regulations on Donations

On October 20, 2015, the NHFPC published Measures for Administering the Receipt of Public Welfare Donations by Health and Family Planning Organizations (“New Measures”). Despite being announced in October, the New Measures became effective as of August 26, 2015, and replaced the previous measures enacted in 2007, entitled Interim Measures for the Administration of the Acceptance of Social Donations and Financial Aid by Health care and Health Institutions (“Old Measures”). The New Measures apply to donations received by hospitals, health care institutions and other health care organizations (e.g., medical associations, funds and charities) overseen by the NHFPC, regardless of whether the donations are made by domestic or foreign life sciences companies. The types of donations subject to the New Measures include funds and tangible property, though they are not necessarily exclusive.

In particular, the New Measures provide detailed guidance on what donations would be considered appropriate, in part by expressly listing acceptable purposes for donations and prohibited types of donations. Additionally, the New Measures further require that health care institutions establish appropriate controls and procedures in accepting donations. Although the New Measures technically apply to health and family planning institutions and organizations receiving donations, the detailed guidelines may indirectly impact how life sciences companies provide donations to those organizations and institutions. In turn, life sciences companies, both foreign and domestic, may want to ensure that their internal controls are consistent with the requirements of the New Measures.

Permitted and Prohibited Donations

Unlike the Old Measures, the New Measures expressly enumerate the types of donations that recipients are permitted to accept, which include donations for public health care education, training health care professionals, academic activities and research studies, discounting or waiving costs for medical treatments, and other non-profit programs. At the same time, they expressly prohibit acceptance of certain categories of donations, which include donations related to profit-seeking commercial activities, donations related to the procurement or purchase of products or services, donations where the donor has an interest in the economic benefits, intellectual property rights, research results or industry data of said donation, and donations that do not conform to laws and regulations or involve potential unfair competition and commercial bribery.


Interestingly, the prohibition against commercial bribery appears to create a link to the SAIC and local AICs. As noted above, while the New Measures apply directly to health care-related institutions, their list of expressly permitted and prohibited donations could potentially affect the AIC’s interpretation in its commercial bribery enforcement actions.¹

Procedural Requirements

The New Measures also set forth certain procedural requirements for donations, many of which are expansions of the Old Measures. For example, donations must still be documented via a written agreement, but the New Measures expressly require that certain information be specified, such as the type, quantity, quality and value of the donated items, the intention and purposes of the donation, restrictions on the management and use of the donated items, etc. The New Measures further provide clear requirements on the method of making donations, including, among other things, that monetary donations be made via bank transfers and that donations in the form of tangible property (e.g., products or equipment) undergo fair market valuation, preferably by a third-party appraiser.

The New Measures also appear to take a further step in requiring transparency. A donation recipient is required to publicize its written policies on accepting donations and disclose donations it has accepted, including the nature of the donated item, the value of such item, and how the item is used, on its website or via mainstream news media. Donation recipients must also report accepted donations in their annual financial statements, along with detailed explanations. Moreover, donation recipients are required to answer public inquiries about donations that they have accepted.

Notable Provisions that Require Further Clarification

The New Measures contain two provisions that are unclear, but may have particular relevance to life sciences companies in China. The first is a requirement that donations for training health care professionals, academic activities or scientific research may not designate the specific recipient or beneficiary. It is unclear, however, whether the scope of this restriction includes company sponsorships of specific health care professionals (“HCPs”) to attend academic meetings or professional trainings, or sponsorship of a particular principal investigator in conducting certain medical studies or clinical trials. The second requirement is an express prohibition against donations related to “profit-seeking commercial activities,” which is not further defined. It is unclear whether this provision could be interpreted broadly to preclude donors from allowing display booths, spaces or other product promotion or marketing presence at an event.

Since its announcement, there has been little public information about enforcement actions pursuant to the New Measures, so it remains to be seen how the NHFPC will interpret these provisions. Nonetheless, some local hospitals and NHFPC-regulated entities have made public announcements stating that they will update their donation policies to comply with the New Measures.² For the time being, however, life sciences companies should pay close attention to further guidance or enforcement signals from the NHFPC and AIC with respect to donations and grants.

1 As of the time of this article, the AIC has not published any cases instructive to this point and it remains unclear how the New Measures will influence AIC enforcement behavior.

2 On January 10, 2016, Peking University People’s Hospital implemented a local policy regarding administering the receipt of non-profit donations, based on the New Measures. Similarly, on February 18, 2016, Chongqing Cancer Hospital implemented a local policy regarding administering the receipt of non-profit donations, based on the New Measures. On May 10, 2016, Tianjin Health and Family Planning Commission announced on its website that the local districts/counties and hospitals should follow the New Measures.


II. Compliance Controls and Monitoring in Relation to Donations and Grants

While the ultimate impact of the New Measures is yet unclear, the underlying compliance risks nonetheless warrant attention. In recent years, pharmaceutical and medical device companies have made significant efforts to enhance compliance controls and monitoring around travel and entertainment expenses. However, donations and grants are not devoid of FCPA risks and they can present unique compliance challenges. The most significant of those risks stem from involvement of a third party, which means limited control and transparency. In response, similar controls and monitoring for third parties should be undertaken, some of which include:

• Ensure Clear Policies and Protocols. While most companies’ general anti-corruption and anti-bribery policies include provisions related to donations and grants, special attention to these issues may be warranted. For example, shielding involvement of sales and marketing functions from the company’s internal decision-making process, particularly with respect to selecting recipients, can minimize potential quid pro quo considerations that may influence the decision (or the optics thereof). In fact, companies may want to limit the extent to which they designate eventual use of the donated funds or items to particular HCPs who would derive a benefit therefrom. Decisions on donations and grants often involve business considerations, and clear protocols can ensure that those decisions are subject to compliance controls.

• Perform Due Diligence on the Recipient and Third-Party Intermediaries. Due diligence should focus on uncovering any governmental relationships and assessing the reputation and appropriateness of the recipient or donee. Bribery risks can arise where the donation may be deemed to indirectly benefit a government official linked to the recipient organization. For example, if due diligence uncovers that the recipient is an organization established by an influential government official whose position or office happens to be relevant to the company’s business, the company may wish to balance the potential risks and/or take additional steps to assess the appropriateness of the donation and implement enhanced compliance safeguards. Also, recipients, such as hospitals, medical associations and charitable organizations, are not impervious to fraud and misappropriation, as exemplified in accusations against the Red Cross Society of China regarding donations to aid victims of the devastating 2008 Sichuan earthquake.³ There may be additional reputational risks with providing donations to a recipient that is linked with improprieties and accusations of misconduct. Finally, employees might collude with the recipient or third-party intermediaries to engage in misconduct. Best practices would involve performing due diligence on any third-party intermediaries that are involved. Additionally, it may be worthwhile to understand the level of compliance controls employed by the intermediary to assess third-party compliance risks.

• Ensure Appropriate Terms and Safeguards are Included in Donation, Grant, or Sponsorships Agreements. The New Measures already require that the written donation agreements set out detailed terms of the donation. Accordingly, compliance terms should also be included. Such terms can set forth appropriate anti-bribery representations and warranties, a covenant from the recipient that the donated funds or items will only be used in accordance with the stipulated purpose and will not be reassigned or transferred, an obligation to provide any required supporting documents and information to show how the funds are actually used, and audit rights (to the extent practicable), among other provisions. Also, it is not uncommon in China for donation or grant recipients to informally solicit suggestions from company employees on the use of funds, including any preferences on selecting HCPs who may benefit from the donation, which can increase bribery risk. Hence, companies may also wish to clearly stipulate the company’s detachment and independence from the use of the funds.

• Post-Donation Monitoring and Verifications. Similar to travel and entertainment expenses, securing supporting documentation and conducting follow-up verification are important steps towards detecting and deterring misappropriation and fraud in the context of donations and grants. Because third parties are involved, detailed supporting documentation and information tend to be more challenging to obtain. As noted above, companies may wish to establish controls and protocols for follow-up verifications and include contractual obligations for the recipient and/or intermediary to provide necessary supporting documentation and information in the written agreement.

Given the recent regulatory attention to donations and grants, particularly within China’s heightened anti-bribery enforcement climate, compliance professionals in the life sciences sector may wish to pay particular attention to how donations and grants are being provided and enhance their compliance programs, where needed, to reduce compliance risks related to donations and grants.

3 See here and here.


November 16, 2016 Recent Developments in Japanese Enforcement of Foreign Bribery Laws

In recent years, Japan has been under increasing scrutiny and pressure from the international community regarding its enforcement of its anti-corruption laws. A signatory to the OECD Anti-Bribery Convention, Japan enacted an amendment to its Unfair Competition Prevention Law (“UCPL”), which came into force on February 15, 1999, to address bribery of foreign public officials. But the OECD Working Group on Bribery in International Transactions has continually criticized Japan for its relatively lax enforcement of anti-corruption. Indeed, while the UCPL is broad in scope and prohibits offering or giving any benefit to a foreign public official, Japan is reported to have prosecuted only four cases of bribery since 1999. In February 2014, the OECD Working Group expressed significant concerns about the lack of foreign bribery enforcement in Japan, noting that numerous allegations involving Japanese companies had been reported in the media, yet did not seem to have been prosecuted. Most recently, in June 2016, a high-level OECD mission met with government representatives and senior officials in Japan to urge them to take additional steps in furtherance of the OECD Anti-Bribery Convention.

Perhaps in response to the OECD’s criticisms, the Ministry of Economy, Trade, and Industry (“METI”) and the Japan Federation of Bar Associations (“JFBA”) have issued guidance in an effort to heighten awareness of anti-bribery issues and highlight the factors that Japanese regulators and foreign regulators will likely scrutinize. This guidance, issued in 2015 and 2016, indicates that anti-corruption is no longer an issue that companies in Japan should take lightly.

I. METI Guidelines Regarding Foreign Bribery

On July 30, 2015, METI revised its Guidelines for the Prevention of Bribery of Foreign Public Officials (“Guidelines”). The Guidelines, which were promulgated in 2004 and previously revised in 2010, had been criticized for being vague and abstract. The revision was published to clarify legal interpretations regarding conducting business internationally, with the purpose of supporting Japanese companies’ expansion overseas.

Although the Guidelines are not legally binding, they provide guidance on how Japanese anti-bribery law should be interpreted. The revision clarified that Japanese companies must reject demands for bribes from foreign public officials even if the bribes are made to avoid unreasonable and discriminatory treatment by those officials. On the other hand, the Guidelines clarified that small congratulatory gifts and travel and entertainment expenses may not be considered bribery if given solely to build a general social relationship or acquaint the official with the company’s products or services, rather than to demand advantageous treatment. Specific examples of acceptable gifts and hospitality include promotional giveaways or commemorative gifts for general distribution, refreshments at business meetings, and seasonal gifts of low value given in accordance with local custom and law.

One focus of the revised Guidelines was to enumerate anti-corruption best practices for Japanese companies conducting business overseas. Japanese companies were encouraged to adopt an internal control system to prevent foreign bribery, taking an approach tailored to the risks in each country and market in which they operated. They were also urged to pay close attention to the internal control systems at foreign subsidiaries, which may have difficulty managing their anti-corruption risks without the parent company’s support. The revised Guidelines also emphasized the importance of conducting review or diligence prior to taking risky operational decisions, such as the hiring of local agents or consultants, selection of a joint venture partner, acquisition of a company, and participation in public procurement.

II. JFBA Guidance Regarding Anti-Bribery Measures

On July 15, 2016, the JFBA issued new guidance for companies regarding compliance with Japanese and foreign anti-bribery laws, called the Guidance on Prevention of Foreign Bribery (“Guidance”). The JFBA Guidance, which was intended to supplement the METI Guidelines, was published with the purpose of providing practical advice for Japanese companies and legal counsel seeking to implement anti-bribery measures. Its recommendations take into account both Japanese law and foreign bribery laws such as the Foreign Corrupt Practices Act and 2010 U.K. Bribery Act, and are meant to address both bribery of public officials and commercial bribery.

The Guidance echoed many of the messages in the METI Guidelines, including the importance of a comprehensive system of internal controls, monitoring, and training. The Guidance also emphasized the importance of managing third-party relationships by conducting risk-based due diligence and adopting contractual safeguards to mitigate risk. Notably, the Guidance encouraged management at Japanese companies to issue a declaration that they were adopting measures in accordance with the Guidance, with the expectation that this would lead to increased public confidence in the companies.

III. Implications of METI and JFBA Guidance

Companies conducting business in Japan, as well as Japanese companies conducting business overseas, should prepare for increased scrutiny from Japanese regulators in the coming years. When announcing the revision to the Guidelines, METI cited the expansion of Japanese companies to overseas marketing, including the infrastructure sector, as one of the factors that led to the revisions. A recent Japanese prosecution targeted this exact sector, and investigated allegations of bribes paid by Japan Transportation Consultants, Inc. to foreign officials in Vietnam, Indonesia, and Uzbekistan in a bid to gain railway projects. Increased anti-corruption enforcement globally in the life sciences sector may lead to closer attention by Japanese regulators to medical and pharmaceutical companies.

Japan will next be evaluated by the OECD Working Group in March 2019, which may lead to additional enforcement. The OECD Working Group has repeatedly urged Japan to adopt two additional enforcement efforts. The first is amending Japan’s Anti-Organized Crime Law, rendering it impossible for companies and individuals convicted of bribing foreign public officials to keep their illegal proceeds, including by laundering them. The second is to adopt an action plan to organize policy and prosecution resources to be able to proactively detect, investigate, and prosecute cases of foreign bribery involving Japanese companies.

In the face of increased scrutiny, companies with operations or headquarters in Japan are advised to evaluate their internal system of controls to ensure compliance with international anti-corruption compliance standards.

This alert should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This alert is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have.

© 2016 Ropes & Gray LLP, ropesgray.com. ATTORNEY ADVERTISING

China Life Sciences

December 20, 2016 China Solicits Comments on Drug GCP

Attorneys: Katherine Wang

The China Food and Drug Administration (“CFDA”) recently proposed revisions to the Good Clinical Practices for Pharmaceuticals (“GCP”), the most comprehensive revision in 13 years. The revisions (“Revisions”) are now open to public comments until January 31, 2017. It’s notable that the Revisions have rewritten all the articles of the current GCP, but these sweeping changes are not especially innovative, as most of the concepts and principles have already been addressed in the International Conference on Harmonisation (“ICH”) GCP. Overall, the Revisions set forth general principles of conducting clinical studies in China, guidance on the roles and responsibilities of the ethics committee (“EC”), the investigator and the sponsor, and the requirements for the protocol and investigator’s brochure (“IB”). Highlights of the changes proposed in the Revisions are as follows:

• Regulate the Handling and Retention of Biological Specimens: According to the Revisions, the sponsor shall be prohibited from conducting any testing that is unrelated to the study protocol approved by the EC on biological specimens. Additionally, the Revisions would require the sponsor to seek written consent from the subjects regarding the continuous storage of and/or possible use in any future research of leftover biological specimens after completion of the trial. The consent form would have to specify issues such as the retention period, the data confidentiality requirements, and the circumstances under which the data and specimens could be shared with other investigators.

• Extend Insurance Coverage to Institutions: Unlike the current GCP, the Revisions would require the sponsor to insure or indemnify both the investigator and the institution against all claims, except for those arising from malpractice.

• Allow an Individual to Serve as Sponsor or CRO: As a response to the pilot program of marketing authorization holder promulgated by the State Council this past June, the Revisions would allow individuals to act as sponsors and contract research organizations (“CROs”).

• Specify the Requirement and Quantity of Retention Samples: Under the Revisions, reserve samples of study drugs for bioequivalence and bioavailability testing must be retained at the study site for no less than two years after marketing approval. The investigator will randomly select the reserve samples from the supply sent by the sponsor and should retain enough to allow five rounds of quality standard testing.

• Detail the Process of Seeking Informed Consent from Subjects: Under the Revisions, the EC would have to pre-approve any new information that may affect subjects’ willingness to participate in the study. Importantly, the Revisions would prohibit agreements (whether oral or written) that ask subjects to waive their legal rights, or that may release the investigator, the institution, the sponsor, or its agents from liability.

• Add Notification Requirement of the Unblinding Results: The Revisions propose that, for any double-blinding studies, the sponsor must provide the investigator and all study participants with the treatment allocation status after unblinding.

• Revise the Data Retention Requirement: Whilst the current GCP imposes different data retention requirements on the investigator (e.g., five years after the study ends) and the sponsor (e.g., five years after obtaining marketing approval), the Revisions would impose similar obligations on both: data would have to be retained for two years after marketing approval or for five years after the study ends.

• Require to Specify Direct Access to Source Records: The Revisions would require that under either the protocol or the clinical trial agreement (“CTA”), the investigator and the institution must be required to give the monitors and auditors direct access to the source data and source documents related to the clinical trial. This change may help clarify the industry’s concern regarding who may have access to subjects’ medical records to verify the authenticity of the study data, especially for the clinical trial data inspection campaign.

• Clarify Contractual Arrangements Regarding CTA: The Revisions clearly stipulate that a CTA shall be structured as a three-party agreement between the sponsor, the investigator and the institution. Each party shall sign the CTA in his/her own capacity. In addition, for multi-center trials, the Revisions specify that the sponsor shall sign the CTA with all participating investigators and the relevant institutions.

• Impose Regular Review Requirement of IB: The requirement regarding the IB in the current GCP is simple and general. The Revisions would incorporate the same detailed regulatory requirement on IB as that provided in the ICH GCP. In particular, according to the Revisions the sponsor must establish a written procedure regarding amendments to the IB, noting that the IB needs to undergo a review and amendment at least once per year. In addition, the Revisions add several provisions to set forth the purpose, general considerations, and contents regarding the IB.

• Adopt Some Changes Reflected in the Latest ICH GCP: The latest version of the ICH GCP, the E6 (R2), was adopted by the ICH on November 9, 2016. Accordingly, the Revisions include a number of the new changes reflected in the E6 (R2), such as the notions of certified copies and validation of computerized systems, as well as the sections regarding quality management, risk management, oversight of CROs, and risk-based monitoring, among others. To some extent, it reflects CFDA’s willingness to establish a regulatory framework in line with international standards.

The Revisions would standardize the conduct of drug studies in China, as well as strengthen the management of such studies. It remains unclear whether and when these changes will be adopted. We recommend that pharmaceutical companies closely monitor the progress of the Revisions and propose their comments by the deadline. If you would like to discuss the foregoing or any other related matter, please contact Katherine Wang or your usual Ropes & Gray advisor.

China Life Sciences

February 15, 2017 CFDA Amends Medical Device Recall Rules

Attorneys: Katherine Wang

Recently China’s Food and Drug Administration (“CFDA”) released the Provisions for Medical Device Recall (“New Recall Rules”). The New Recall Rules, becoming effective on May 1, 2017, will replace the existing Interim Provisions for Medical Device Recall promulgated by the former Ministry of Health in 2011 (“Existing Recall Rules”). The New Recall Rules follow the basic regulatory framework for device recall provided in the Existing Recall Rules. Recalls are divided into mandatory recalls (imposed by local FDAs) and voluntary recalls (initiated by device manufacturers). Depending on the severity of product defects, recalls are classified as Level 1 recalls (products that have caused or may cause serious damage to health), Level 2 recalls (products that have caused or may cause non-lasting or reversible damage to health) or Level 3 recalls (products that carry only a minor risk of causing damage to health). Under these different recall scenarios, device manufacturers are further subject to different requirements for recall implementation. Device distributors and device-using hospitals are also obligated to cooperate with or assist the manufacturers during the recalls.

Compared with the Existing Recall Rules, the New Recall Rules introduced the following major changes:

Clarify the application scope of the rules and the responsible entity for recall

The New Recall Rules apply to the recall of medical devices marketed in China. For domestic products, the holder of the product’s registration license is responsible for recall; for imported products, the designated regulatory agent of the foreign device manufacturer in China is responsible for recall. If a foreign manufacturer initiates a recall outside China for a product also marketed in China, its local agent must timely report the recall-related information to the CFDA.

Expand the scope of Defective Products

In the Existing Recall Rules, Defective Products (i.e., products that should be recalled) are defined as devices that pose unreasonable risk of potentially damaging human health or life safety when used under normal conditions. The New Recall Rules enlarge the existing definition by adding three more types of Defective Products: (a) products that do not conform to compulsory standards, or to the product’s technical specifications registered or filed with the CFDA; (b) products that pose unreasonable risk due to the failure to comply with the applicable quality management rules for device manufacture and supply; and (c) products that for other reasons must be recalled.

More severe penalties for manufacturers that refuse to implement mandatory recalls

Local FDAs may identify, investigate and assess devices with potential defects and determine at their own discretion that such products should be recalled. In the event of such mandatory recalls, if device manufacturers refuse to implement the recalls, the Existing Recall Rules allow the local FDAs to impose monetary fines of three times the total value of products that should be recalled. The New Recall Rules, on the other hand, refer to the penalty provisions under Article 66 of the State Council’s Regulation for the Supervision and Administration of Medical Devices (Order 650), which allow the local FDAs to impose fines of up to ten times the goods’ value.

The Provisions for Medical Device Recall form an important part of China’s new device regulatory regime centering around Order 650. Device companies with product sales or local operations in China are recommended to review the New Recall Rules and keep their post-market product safety measures in line with the more stringent regulatory requirements.

If you would like to discuss the foregoing or any other related matter, please contact Katherine Wang or your usual Ropes & Gray advisor.

Anti-Corruption / International Risk

February 16, 2017 Hong Kong Proposes Enhanced AML Obligations for Professionals and Beneficial Owner Registries for Hong Kong Companies

Attorneys: Patrick Sinclair, Geoffrey M. Atkins, Nathaniel Lai

The Hong Kong Government has recently proposed to expand its anti-money laundering (“AML”) laws. This is expected to assist Hong Kong in keeping pace with AML developments in other financial centers, and to prepare for its upcoming FATF mutual evaluation in 2018.1

Key Proposals

• Hong Kong companies would be required to maintain a register of “beneficial owners” or “persons with significant control,” known as a PSC register.

• Solicitors, accountants, real estate agents, and trust or company service providers would be required to perform customer due diligence in certain circumstances.

Beneficial Owner Registers

The government proposes to amend the Companies Ordinance to require Hong Kong companies to identify and maintain records of their “beneficial owners.” The definition of “beneficial owners” would also be significantly revised. These proposed rules would apply to all companies incorporated in Hong Kong, including companies limited by shares, companies limited by guarantee and unlimited companies. However, listed companies will be exempt given the existing regime already imposed on them under the Securities and Futures Ordinance (Chapter 571 of the Laws of Hong Kong).

If approved, such companies will be required to create a “PSC Register” of persons with “significant control.” Persons with “significant control” include both registrable individuals and registrable legal entities. This register would be available for public inspection on payment of a fee.

“Registrable individuals” are beneficial owners, as that term is newly defined under the proposed amendments. Historically, a “beneficial owner” was defined as an individual who owns or controls, directly or indirectly, not less than 10% of the issued share capital of the corporation, or who is, directly or indirectly, entitled to exercise or control the exercise of not less than 10% of the voting rights at general meetings of the corporation, or who exercises ultimate control over the management of the corporation. Under the proposed amendments, “beneficial owners” would be individuals who meet one or more of the following specified conditions:

• Directly or indirectly holding more than 25% of shares;

• Directly or indirectly holding more than 25% of voting rights;

• Directly or indirectly holding the right to appoint or remove a majority of directors;

• Otherwise having the right to exercise, or actually exercising, significant influence or control; or

• Having the right to exercise, or actually exercising, significant influence or control over the activities of a trust or a firm that is not a legal person, but whose trustees or members satisfy any of the first four conditions (in their capacity as such) in relation to the company, or would do so if they were individuals.

1 Hong Kong Financial Services and the Treasury Bureau, Consultation on Enhancing Anti-Money Laundering Regulation of Designated Non-Financial Businesses and Professions, available here; and Hong Kong Financial Services and the Treasury Bureau, Consultation on Enhancing Transparency of Beneficial Ownership of Hong Kong Companies, available here.

In its consultation paper, the government stated that they might “take this opportunity to align the threshold under the Anti-Money Laundering and Counter-Terrorist Financing (Financial Institutions) Ordinance (the “AMLO”) with the proposed 25% threshold to be adopted under the Companies Ordinance.”2 Accordingly, this revision would likely also apply to financial institutions that are currently subject to AML customer due diligence requirements.

“Registrable Legal Entities,” in turn, are defined as any legal entity immediately above the company in its ownership chain that meets the beneficial ownership definition.

Companies would be required to obtain and ascertain the accuracy of the following information required to be included in the PSC register: the beneficial owner’s name; his or her or its identity card or passport details, or company registration number; his or her or its address; the date he or she or it became a registrable individual or entity; and the nature of the control exerted over the company. If there is no person or entity that falls within the definition of registrable individual or legal entity, the new rules would also require that this be stated in the PSC register. Registrable individuals and entities would be required to comply with notices to ascertain and confirm the relevant particulars.

Customer Due Diligence and Recordkeeping Obligations for Solicitors, Accountants, Real Estate Agents and Trust and Company Service Providers

A proposed amendment to the AMLO would extend customer due diligence (“CDD”) recordkeeping requirements to three types of professions performing specified kinds of roles:

• Solicitors and accountants, when preparing for or carrying out transactions for clients concerning

i. the buying or selling of real estate;

ii. managing of client money, securities or other assets;

iii. management of bank, savings or securities accounts;

iv. organization of contributions for the creation, operation or management of companies;

v. creation, operation or management of legal persons or arrangements; or

vi. buying or selling of business entities;

• Real estate agents, when engaged in transactions concerning the buying and selling of real estate; and

• Trust or Company Service Providers (“TCSPs”), when preparing for or carrying out transactions for clients concerning

i. the forming of companies or other legal persons;

ii. acting, or arranging for another person to act, as a director or secretary of a company, a partner of a partnership, or a similar position in relation to other legal persons;

iii. providing a registered office, business address, correspondence or administrative address or other related services for a company, a partnership or any other legal person or arrangement; or

iv. acting, or arranging for another person to act, as a trustee of an express trust or similar legal arrangement, or a nominee shareholder for a person other than a company whose securities are listed on a regulated market.

2 See Hong Kong Financial Services and the Treasury Bureau, Consultation on Enhancing Anti-Money Laundering Regulation of Designated Non-Financial Businesses and Professions, p.19, available here.

Under these proposals, effectively, the current rules governing financial institutions would be extended to such professionals. Such professionals would be required to undertake customer due diligence measures in the following circumstances: (1) when establishing business relationships with new customers; (2) when carrying out transactions above HK$120,000 with customers with whom they do not already have a business relationship; (3) where there are suspicions of money laundering and/or terrorist financing; and (4) when there are doubts about the veracity or adequacy of previously obtained customer identification data.3

In the first two scenarios, these professionals would be allowed to apply simplified CDD measures when dealing with specified categories of business that are considered to pose a lower risk. Simplified CDD would apply for clients who are financial institutions subject to AML regulation, listed companies, government organizations, certain types of pension schemes, investment vehicles where the managers are financial institutions supervised for AML/CFT compliance, and certain types of insurance policies.

Like financial institutions, such professionals would also be subject to enhanced CDD requirements when dealing with higher-risk situations, such as when a customer is a politically exposed person or is not physically present for identification purposes. Enhanced CDD requirements would include obtaining management approval for establishing or continuing the business relationship, and taking additional measures to mitigate the AML/CFT risk, such as enquiring with customers about their source of funds.

The proposed amendments would also codify additional recordkeeping rules, including requirements to maintain customer identification data collected, account files, business correspondence, and records of transactions with respect to each customer for a period of six years.

Enforcement of these proposed requirements would be implemented through the existing professional regulatory bodies for solicitors, accountants and estate agents. TCSPs would be required to apply for a license from the Registrar of Companies before they provide trust or company services as a business to the public; it will be a criminal offense to operate a TCSP business without a license.

Background and Context

These proposals are intended to enhance Hong Kong’s regulatory regime for combating money laundering and terrorist financing to bring it up to date and in line with international requirements as promulgated by the Financial Action Task Force (“FATF”), an inter-governmental body that sets standards on combating money laundering and terrorist financing.

3 Notably, solicitors in Hong Kong are already required to conduct such diligence by the Law Society of Hong Kong under Practice Direction P.

Hong Kong has been a member of the FATF since 1991. As most clients will be aware, Hong Kong already maintains strict requirements in respect of AML compliance and reporting that are in line with many of the world’s other financial capitals. However, in recent years, the FATF has increased its focus on CDD, including with respect to businesses that have not historically been subject to such requirements in many jurisdictions.

Following the Panama Papers leak in April 2016, recent meetings of the G20 Finance Ministers have also paid particular attention to promoting greater transparency of beneficial ownership of legal persons, and the G20 has requested the FATF and the Global Forum of the OECD to improve the implementation of international standards on transparency of beneficial ownership information. The FATF and the Global Forum of the OECD are set to jointly recommend that G20 members lead by example and bring forward their plans to fully and effectively implement the FATF recommendations on beneficial ownership by the end of 2017.

The FATF has long recommended that financial institutions implement CDD measures to identify and verify customers and maintain records on customer identification and transactions for at least five years. Hong Kong has implemented such recommendations through the AMLO. However, the FATF also recommends that such requirements be applied to “designated non-financial businesses and professions,” or “DNFBPs,” which in its view present money-laundering and terrorist financing risks. Among others, DNFBPs include casinos, dealers in precious metals and stones, real estate agents, lawyers, notaries, accountants, and TCSPs. Member jurisdictions have generally been less robust about implementing CDD requirements for DNFBPs, and the FATF has in recent mutual evaluations emphasized their importance.

Notably, in its recent mutual evaluation the United States was criticized by the FATF for not having CDD requirements for certain types of DNFBPs. Other jurisdictions, such as the U.K., already have such requirements, although such jurisdictions are in the minority.

Hong Kong enacted the AMLO in April 2012 to implement the FATF’s recommendations relating to financial institutions. Under the AMLO, certain types of financial institutions currently have a statutory obligation to conduct CDD on their customers and keep relevant records for a specified period. However, in Hong Kong – as in certain other jurisdictions – there are currently no such statutory regulations in respect of DNFBPs. The current proposed amendments to the AMLO are expected to bring Hong Kong in line with these international recommendations.

FATF’s 2012 Recommendations (as updated in 2013, 2015 and 2016) also recommend that countries require companies to maintain information on beneficial ownership,4 and in 2014 the FATF published additional guidance on how to implement this.5 In response to this, in its latest AML Directive the EU has required that trusts and similar structures obtain and hold information on their beneficial ownership.6 Hong Kong’s latest proposal in requiring companies to maintain PSC registers can be seen as an effort to keep in step with these recommendations.

The proposed amendments are made in anticipation of Hong Kong’s upcoming mutual evaluation by the FATF (scheduled for 2018). In the Hong Kong Government’s view, given the recent emphasis on beneficial ownership, Hong Kong’s efforts in implementing CDD requirements will be closely examined during this upcoming evaluation.

The Hong Kong Government launched its public consultation period on the proposals on January 6, 2017. The consultation period closes on March 5, 2017. We expect the proposed amendments to become effective, potentially in modified form, at some point shortly thereafter.
For more information please feel free to contact a member of Ropes & Gray’s leading anti-corruption / international risk team.

4 FATF, International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation – The FATF Recommendations, February 2012 (updated October 2016), Recommendation 24, paragraph 8, available here.

5 FATF Guidance, Transparency and Beneficial Ownership, October 2014, available here.

6 Directive 2015/849 of the European Parliament and of the Council, on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No. 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC, 20 May 2015 (the “Fourth Anti-Money Laundering Directive”).

China Life Sciences

February 20, 2017 China’s State Council Announces Major Policies to Reform the Pharmaceutical Industry

Attorneys: Katherine Wang

China will launch further reforms in the pharmaceutical sector as part of the healthcare reform initiatives announced by the State Council in its February 9, 2017 Circular on Several Opinions Concerning Further Reforms of the Policies Governing Drug Production, Circulation and Usage (the “Circular No. 13”). The Circular No. 13 sets forth general principles of the reform. Detailed implementation measures are expected from relevant ministries, including the CFDA, National Health and Family Planning Commission (NHFPC), the Ministry of Human Resources and Social Security (MOHRSS), the Ministry of Commerce (MOC), National Development and Reform Commission (NDRC), State Administration of Industry and Commerce (SAIC), and the Ministry of Public Security (MPS).

The Circular No. 13 reinforces the government’s determination to expedite approvals for new drugs and urges generics to pass the quality consistency tests.

• Generics that are consistent with the quality of originator drugs (“high quality generics”) will be deemed interchangeable with the originator drugs. These high quality generics will be prioritized for hospital procurement. In addition, only the first three high quality generics passing the consistency test will be eligible for collective tenders for public hospitals.

• The Marketing Authorization Holder (“MAH”) system will be applicable to both new drugs and high quality generics if they are developed or manufactured in China.

• Compulsory license can be granted and enforced for any patented drugs that prevent or treat critical illness. This practice, if widely implemented, will significantly impact the competitive landscape for innovative products.

Healthcare affordability is another major theme in the Circular No. 13.

• Prices of patented and off-patent drugs must not be higher than those in the country of origin or in China’s neighboring countries. The government expects manufacturers of patented or off-patent drugs to offer price commitment when applying for marketing authorizations, and will further leverage price-volume negotiations at collective tenders to exercise its control over drug prices.

• The CFDA is responsible for establishing an ex-factory price database for pharmaceuticals to enhance surveillance and provide better intelligence for antitrust enforcement.

• Public hospitals must prioritize their use of essential drugs. The NHFPC will organize health economic studies to evaluate clinical outcomes and further rationalize the use of drugs. The performance review of public hospitals will be closely tied to the change in healthcare costs.

• Reimbursement by Basic Medical Insurance funds will be calculated based on Disease Related Groups, number of patients, or number of days in hospital. The costs for drugs and consumables will not be separately reimbursed.

• Sales of pharmaceuticals on the Internet will be promoted. Consumers can order pharmaceuticals online, with either pickup or delivery from brick-and-mortar retail pharmacies.

Last but not least, anti-bribery and anti-corruption enforcement remains high on the Chinese government’s agenda. The Circular No. 13 asks the CFDA to strengthen the administration of medical representatives. All medical representatives will have to register with the CFDA (or its local counterpart), and their registration will be timely published. More notably, medical representatives can engage only in academic promotion and technical consulting activities; they will be prohibited from selling pharmaceuticals. Failures to comply with these requirements will impact the individual credit ratings.

The Circular No. 13 will considerably impact the China strategy of multinational pharmaceutical companies. We recommend that companies carefully review and study the policies, and monitor the progress of any implementing rules associated therewith.

If you would like to discuss the foregoing or any other related matter, please contact Katherine Wang or your usual Ropes & Gray advisor.

This alert should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This alert is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. © 2017 Ropes & Gray LLP

Anti-Corruption / International Risk ▪ India

February 23, 2017

U.S. Department of Commerce Establishes Favorable Export Control Policies for India

Attorneys: Cori A. Lable, Michael S. Casey, Emerson Siegle

On January 19, 2017, the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) published a final rule (the “Rule”) making two significant changes to U.S. export control policy with respect to India. First, the Rule establishes a more favorable licensing policy with respect to the export of most controlled items to India; second, it also expands the scope of an export license exemption program for eligible Indian entities.1 These changes immediately follow the United States government’s designation of India as a “Major Defense Partner” on June 7, 2016, as well as other changes BIS has made in recent years to ease export controls relating to India and strengthen the U.S.-India trading relationship.2 Together, these developments have established a very favorable export control policy with respect to India, which should allow both U.S. companies operating in India and Indian companies transacting with American counterparties to quickly and efficiently engage in an increased volume of trade.

New “Presumption of Approval” Standard for BIS License Applications

Under the Export Administration Regulations (“EAR”), parties seeking to export, re-export, or transfer items controlled under the Commerce Control List (“CCL”) typically first require a license from BIS. Items on the CCL, which include materials, software, and technology across a variety of sectors including electronics, telecommunications, and aerospace, among others, are classified according to a five-digit Export Control Classification Number (“ECCN”). The ECCN provides information about the nature of the product, the reason why the product is controlled, and to which countries the product may be shipped only upon receipt of a license. Previously, all license applications for exports of controlled items to India were subject to “case-by-case review” by BIS.

In contrast, the new Rule establishes a significantly more favorable “presumption of approval” standard for (1) exports and re-exports to, and transfers within, India of items subject to the EAR, including “600 Series” military items,3 for civil or military end use (including by the Government of India); (2) re-exports to countries BIS has categorized as “A:5” countries, which includes Australia and most countries in Europe; and (3) return of items to the United States, so long as the items are not intended for use in nuclear, missile, or chemical or biological weapons activities. While the change does not eliminate the need for U.S. companies operating in India or Indian companies to seek approval from BIS, the new presumption of approval standard means that companies may now routinely expect to receive regulatory approval to engage in transactions relating to almost all controlled items, including those that previously would have been subject to significantly more restrictive export control rules.

1 Amendments to the Export Administration Regulations Implementing an Additional Phase of India-U.S. Export Control Cooperation, 82 Fed. Reg. 6218 (Jan. 19, 2017) (to be codified at 15 C.F.R. §§ 742, 748).

2 The White House, Joint Statement: The United States and India, Enduring Global Partners in the 21st Century (June 7, 2016), https://obamawhitehouse.archives.gov/the-press-office/2016/06/07/joint-statement-united-states-and-india-enduring-global-partners-21st.

3 “600 Series” military items are items that were formerly listed on the United States Munitions List (“USML”) and subject to the International Traffic in Arms Regulations (“ITAR”) and regulated by the Department of State’s Directorate of Defense Trade Controls (“DDTC”). Pursuant to President Obama’s policy of export control reform, a number of ITAR-controlled items were shifted to the EAR, which is generally a less restrictive export regime.

Expansion of Validated End-User Program for Authorized Entities

The Rule also expanded the Validated End-User (“VEU”) program applicable to certain approved Indian entities. The VEU program was established by BIS in 2007 to facilitate trade by allowing exporters to ship certain items that would otherwise be controlled under the CCL (and therefore require a BIS export license) to approved end users without a license. Currently, China and India are the only two countries eligible under the VEU program, and twelve entities have been awarded VEU status.4

Either the prospective VEU, or an exporter acting on its behalf, may apply to BIS through this program, identifying both the specific destinations and the CCL items that would be covered should the application be approved. All VEU applications are then screened through a cross-departmental group chaired by the Department of Commerce and including representatives from the U.S. Departments of State, Defense, and Energy.

Prior to the Rule, controlled items could only be shipped under the VEU program if the items were for civil end use. Although the civil use limitation still applies to China,5 approved VEUs in India are now authorized to use controlled items for civil or military use, so long as the items are not transferred or used to further nuclear, missile, or chemical or biological weapons activities.6 Accordingly, while the VEU application process can be cumbersome, approval offers even greater commercial benefits for Indian end users. Any Indian company that is awarded VEU status will now be able to export items for both civil and military use without the need for a license, significantly cutting down on the regulatory burdens inherent in the BIS license application process.

Conclusion

Taken together, these changes mean that U.S. companies operating in India and Indian companies working with U.S. partners now can expect most applications to engage in transactions involving controlled items to be approved. They are also now eligible to bypass the application process entirely through the VEU program for a greater number of transactions. It has been estimated that over 810 licenses have been granted in the last five years for goods covered under the new Rule, representing $5 billion in trade.7 Accordingly, these changes are likely to have a significant impact, and should continue to expand the volume of trade and strengthen relations between the United States and India.

For more information, please contact your usual Ropes & Gray advisor.

4 15 C.F.R. § 748 Supp. 7 (listing the 11 Chinese entities and one Indian entity that have been awarded VEU status).

5 15 C.F.R. § 748.15(d).

6 82 Fed. Reg. at 6219.

7 PTI, US makes changes in export control laws to benefit India, THE ECONOMIC TIMES (Feb. 7, 2017, 2:43 PM), http://economictimes.indiatimes.com/news/economy/foreign-trade/us-makes-changes-in-export-control-laws-to-benefit-india/articleshow/57017564.cms


May 1, 2017

South Korea Fines Prominent Pharmaceutical Manufacturer in Latest Anti-Corruption Enforcement Efforts

In a sign that South Korea is ramping up its anti-corruption enforcement efforts, Korean authorities announced on April 27 that they plan to levy a $48 million fine against Swiss pharmaceutical giant Novartis International AG for allegedly bribing physicians to use its products. In addition to the fine, the Korean Ministry of Health and Welfare will also suspend state insurance reimbursements for several of Novartis’ products. The fine and related penalties come eight months after Korean authorities indicted six current and former Novartis executives (along with over a dozen Korean doctors and editors of medical journals) for their role in the alleged kickback scheme, and seven months after South Korea implemented a sweeping new anti-corruption law.

Korean authorities allege that between 2011 and 2016, Novartis paid around $2.3 million in bribes to physicians, in the guise of funding of academic events, whereby Novartis would arrange for a scientific journal to host medical symposia and then would make cash “travel expense” payments to participating doctors. Novartis Korea was subject to a highly-publicized government raid last year, in which Korean prosecutors seized various documents and financial records from the company. Subsequently, Korean prosecutors criminally charged six current and former executives in August 2016, along with fifteen physicians and six medical journal publishers. Those individuals’ criminal trials are currently underway. Novartis Korea issued a statement last week that it acknowledged and accepted the government’s fine, further stating that “We do not tolerate misconduct and are continuing to invest significant efforts to fully embed a culture of compliance throughout our Korean organization.”

This is not Novartis Korea’s first domestic enforcement action. In 2011, Novartis and several other multinational pharmaceutical companies were fined by the Korea Fair Trade Commission (“KFTC”) for providing travel, entertainment and gifts to medical professionals with the objective of increasing prescriptions. Novartis Korea paid a penalty of just over $2 million to resolve the KFTC action. However, in the aftermath of the KFTC’s industry sweep, Korea introduced a “two-strike rule” intended to combat bribery in the health care sector: For a first violation, the South Korean Ministry of Health and Welfare (“MOHW”) can delist a company’s product from state reimbursement for up to one year, while a second violation can lead to permanent delisting.

Per last week’s announcement, MOHW has decided to suspend various formulations of Novartis’ Alzheimer’s Disease treatment Exelon and its chemotherapy drug Zometa for three months. The Ministry will continue to reimburse the company’s other products, and it will announce its final decision on the penalty in May. In a parallel proceeding, the Korean Ministry of Food and Drug Safety had announced smaller fines and a similar three-month suspension of Exelon in March 2017. Media reports at the time suggested that the Korean government had responded to patient lobbying efforts to limit the number of suspended products, as adequate alternatives to some Novartis products did not exist in the Korean market.

Last week’s announcement appears to be the most recent indication that South Korea is bolstering its anti-corruption enforcement efforts. In September 2016, Korea implemented an expansive new anti-corruption law, the Kim Young-ran Act, that is significantly broader than the U.S. Foreign Corrupt Practices Act in several respects. For example, the new Korean statute imposes strict liability for certain payments irrespective of corrupt intent; expands the definition of covered “public officials” to include journalists and private educators; and introduces corporate criminal liability for unlawful payments made by employees and agents.


In light of these recent initiatives, pharmaceutical, medical device, and other life sciences and health care companies operating in Korea are advised to:

1) Update their policies to reflect the changes in the Korean legal landscape;

2) Provide suitable training for personnel operating in South Korea or interacting with Korean public officials worldwide on the Kim Young-ran Act and associated health care compliance requirements; and

3) Continue to ensure they have adequate internal controls regarding the appropriate provision of gifts, hospitality, and educational support to health care professionals.

For more information please contact your usual Ropes & Gray advisor.


Government Enforcement ▪ China Life Sciences ▪ Global Health Care Compliance

October 11, 2017

Shanghai Tightens Industry Interactions with HCPs

In August 2017, multiple departments of the Shanghai government,1 led by Shanghai’s Health and Family Planning Commission (“Shanghai HFPC”), jointly issued a series of administrative rules2 (collectively, “Recent Shanghai Rules”) to tighten the interactions of pharmaceutical and medical device companies with health care professionals (“HCPs”) working in Shanghai hospitals and to crack down on commercial bribery in the course of sale and procurement of medical products.

The Recent Shanghai Rules echoed and reinforced the existing mechanisms in two earlier rules issued by China’s central government in late 2013 to combat corruption in the health care sector, i.e., the Regulations on the Establishment of Commercial Bribery Records for the Purchase and Sale of Medicines (also known as the “2013 Blacklisting Rules”), and the Nine Prohibitions for Strengthening Ethical Conduct in the Healthcare Industry (also known as the “2013 Nine Prohibitions”). However, the Recent Shanghai Rules also went further than these earlier rules and considerably expanded the scope of activities subject to restrictions.

1. Mandating Registration of Medical Representatives

China’s State Council first proposed registering medical representatives (“MRs”) of pharmaceutical companies in February 2017 and assigned China’s Food and Drug Administration (“CFDA”) the task of setting up an MR registration system. In August, the Shanghai FDA became the first local FDA to announce the draft implementing measures and solicited public comments on them. The Shanghai draft measures defined MRs as professionals who engage in communication and feedback of drug product-related information on behalf of pharmaceutical manufacturers, as well as general agents of imported drugs in China and Marketing Authorization Holders.3 An MR is allowed to engage in academic promotion and technical consultancy work when interacting with HCPs, but is forbidden to carry out the sale of drugs. Once registered in the online database administered by the Shanghai FDA, a certificate will be issued to the MR, so that he or she can interact with HCPs within the permitted range and following the prescribed procedures. Identities of registered MRs will be published and any misconduct by the MRs will also be recorded in the MR registration system.

The Shanghai MR registration measures caused extensive debate among industry stakeholders. The MR definition did not cover those individuals with similar functions but employed by non-drug manufacturers, such as drug distributors and third-party service providers of manufacturers and distributors (e.g., contract sales organizations, or “CSOs”). The definition also did not expressly cover medical device manufacturers, leaving it vague as to whether medical device MRs also need to be registered in order to legally function. The distinction between the permitted “academic promotion” and the forbidden “commercial promotion/selling” activities is also not clear. The Shanghai FDA is currently evaluating comments from the industry and is likely to clarify these issues in the upcoming final version of the MR registration measures.

1 These included, among others, the Shanghai HFPC, the Shanghai Human Resources and Social Security Bureau, the Shanghai Medical Insurance Office, and the Shanghai Food and Drug Administration.

2 Three rules were issued: (i) Opinion on Strengthening the Mechanism to Crack Down on Kickbacks in Sale of Medical Products; (ii) Administrative Provisions on Management of Commercial Bribery Records in Purchase and Sale of Medical Products; (iii) Administrative Regulations on Reception of Medical Product Manufacturers and Distributors by Shanghai Medical and Healthcare Institutions. One draft rule was announced for public comments: Provisional Measures for Implementing a Registration System of Shanghai Medical Representatives.

3 "Marketing Authorization Holders" typically refers to pharmaceutical companies which own the regulatory approvals for their drugs but do not manufacture these drugs. Details of the Marketing Authorization Holder pilot initiative can be found in our China Life Sciences Alert dated June 15, 2016.

2. Imposing Stringent Control over Hospital Visits and On-site Interactions with HCPs

In addition to pioneering the MR registration system, Shanghai also created a set of procedures for Shanghai-based medical institutions to follow when receiving pharmaceutical and device company representatives at hospitals, including manufacturers and distributors of drugs, medical equipment and consumables (collectively, “Medical Products”), as well as agents and employees of these companies (collectively “Industry Representatives”). For the purpose of these rules, the broader Industry Representatives, not just MRs, need to abide by the stipulated procedures when conducting on-site visits at hospitals.

Under these rules, medical institutions shall collect from all visiting companies information related to the company, the relevant products, and the visiting employees. They must also keep ledger files of such information. Industry Representatives are allowed to interact with HCPs only within designated areas of the hospitals and are prohibited from carrying out any activities in “key areas of diagnosis and treatment,” such as inpatient and outpatient departments, emergency departments, medical examination departments, medical equipment departments, pharmacy departments and IT management departments.

Hospitals are required to administer proper internal procedures for receiving Industry Representatives and must strictly follow several “rules of thumb,” i.e., “reception only at specified time, specified venue, by specified persons, and followed by meeting records.” All visits by Industry Representatives need to be requested beforehand and meeting details need to be decided in advance. In principle, the receiving persons from the hospitals shall consist of the staff from both the medical administrative division and the relevant clinical departments, with at least two receiving persons present together from each hospital.

Hospitals are required to keep records of Industry Representatives so as to keep track of their integrity and compliance status, and to record any irregularities or misconduct during their visits to the hospital. If any Industry Representative enters the “key areas of diagnosis and treatment” to engage in drug selling or collation of prescription statistics, upon three accumulated violations, the relevant manufacturers or distributors will be blacklisted from supplying the hospital in question and the Industry Representative's misconduct will be reported to Shanghai’s municipal HFPC, FDA and the centralized procurement office. If any manufacturers or distributors are found to be blacklisted by several public hospitals, the municipal authorities will likely disqualify them from participating in collective tenders.

Meanwhile, hospitals found to have seriously violated the requirements in interacting with Industry Representatives will receive merit deductions in their periodic review by the HFPC. The responsible HCPs and hospital management personnel will also receive disciplinary warnings or actions, including, among others, possible suspension of the physician’s prescription right for three to six months.

3. Strictly Enforcing the Records-Keeping Requirement under Commercial Bribery Laws and Reiterating Blacklisting Consequences

Since the introduction of the central government’s 2013 Blacklisting Rules, the majority of the provincial blacklists appear to have been only sporadically maintained. To actively maintain records of commercial bribery cases and to effectively blacklist relevant stakeholders, the Recent Shanghai Rules reinforced the level-by-level violation reporting mechanism and set strict time limits on the duty to report.

Reportable commercial bribery violations are determined according to the same criteria laid out in the 2013 Blacklisting Rules, including minor to serious bribery cases in the health care sector being prosecuted or investigated by the relevant authorities. Once they become aware of a bribery case, hospitals must report it to their supervisory governmental agency (the district level HFPC or other applicable agencies) within five working days, detailing the names of involved companies and individuals. The district level supervisory agencies shall investigate and verify the facts and names related to the violation, upon completion of which they shall further report the violations to the Shanghai HFPC within five working days. The Shanghai HFPC, within 15 working days of receiving the report, shall investigate and verify the violations according to the 2013 Blacklisting Rules.

Once bribery cases are confirmed, the records will be published online on the Shanghai HFPC’s website, including information such as the company’s name, business address, legal representatives or persons in charge, directly responsible persons, facts of the violation and relevant judicial decisions and penalties imposed. Within one month of publicizing the records at the Shanghai provincial level, the case information will be further reported to the National HFPC for broader dissemination.

Recent Shanghai Rules reiterated the serious consequences of blacklisting as set forth in the 2013 Blacklisting Rules. Blacklisted companies or individuals are subject to debarment from Shanghai’s centralized procurement office and cannot supply Shanghai public hospitals for two years. Companies or individuals blacklisted in provinces other than Shanghai are subject to a credit points deduction in tendering to Shanghai’s centralized procurement. If they are blacklisted two or more times within five years in other provinces, they are similarly subject to debarment from Shanghai’s centralized procurement office and cannot supply Shanghai public hospitals for two years. Recent Shanghai Rules also made it clear, however, that if a company is blacklisted, its subsidiaries or parents as independent legal entities are not implicated or considered blacklisted.

***

The regulatory developments in the Recent Shanghai Rules evidence a continued emphasis by PRC authorities on curbing bribery and corruption in the health care sector from both the supply and demand sides. Other provinces are likely to model themselves on the Recent Shanghai Rules and adopt similar measures. The wider implementation of these measures may pose significantly higher compliance requirements and risks for companies operating in China’s health care sector. Facing China’s evolving health care anti-corruption landscape, companies are advised to closely monitor further developments and update their company policies and controls to mitigate potential risks.

EUROPE, MIDDLE EAST, AFRICA ALERT

Anti-Corruption / International Risk

May 2, 2018

De-Implementation Day: Preparing for Changes to U.S. Sanctions Targeting Iran

Attorneys: Ama A. Adams, Brendan C. Hanifin, Emerson Siegle

Throughout the 2016 presidential campaign, candidate Donald Trump sharply criticized the Iran nuclear deal—the Joint Comprehensive Plan of Action (“JCPOA”)—and threatened to withdraw the United States from the agreement if its terms were not renegotiated. During the initial months of his presidency, President Trump continued his criticism of the JCPOA, while reluctantly certifying Iran’s compliance with the agreement’s terms. Finally, in October 2017, President Trump declined to certify Iran’s compliance with the JCPOA, triggering a 60-day window during which Congress could elect to impose new sanctions against Iran. Congress did not act and, on January 12, 2018, President Trump announced that he would waive sanctions against Iran for a final time, ostensibly extending the life of the JCPOA until May 12.

Since January 12, there have been no public reports of significant progress toward amending the JCPOA, and Iranian government representatives have stated that the country is unwilling to renegotiate the agreement’s terms. Against this backdrop, changes to current U.S. sanctions policy with respect to Iran could be imminent, with potentially significant consequences for U.S. and non-U.S. companies alike. As such, this article examines several potential changes to the current sanctions regime, as well as practical considerations for companies with international operations involving Iran.

Overview of Current Iran Sanctions

The United States maintains wide-ranging, comprehensive sanctions targeting Iran. The Iranian Transactions and Sanctions Regulations (“ITSR”) prohibit U.S. persons from engaging in virtually any business or dealing with individuals or entities located or organized in Iran.1 Unlike other country-based sanctions programs, the ITSR apply not only to U.S. persons, but also to foreign entities “owned or controlled” by U.S. persons.
For purposes of the ITSR, a foreign entity is “owned or controlled” by a U.S. person if a U.S. person (1) holds a 50% or greater equity interest by vote or value in the foreign entity; (2) holds a majority of the seats on the foreign entity’s board; or (3) otherwise controls the actions, policies, or personnel decisions of the foreign entity.2

Certain prohibitions of the ITSR apply to foreign entities that are neither owned nor controlled by a U.S. person. For example, foreign entities are prohibited from exporting U.S.-origin products or services to Iran. Similarly, foreign entities may violate the ITSR by causing any other entity to violate the Iranian sanctions. This could occur, for example, if a foreign entity were to initiate an Iran-related payment that were processed through a correspondent account in the United States or at the foreign branch of a U.S. financial institution.

In addition, the United States administers “secondary sanctions” that specifically target foreign entities that engage in transactions with certain Iranian counterparties. On January 16, 2016 (“Implementation Day”), the United States and the European Union relaxed their Iranian sanctions programs pursuant to the JCPOA. However, the United States did not lift non-nuclear secondary sanctions against Iran. As a result, secondary sanctions continue to attach to non-U.S. persons’ activities with (1) more than 200 Iranian or Iran-related individuals and entities that remain on the SDN List; (2) the Islamic Revolutionary Guard Corps (“IRGC”) and its designated agents or affiliates; and (3) any other person on the SDN List in connection with Iran’s proliferation of weapons of mass destruction or their means of delivery or Iran’s support for international terrorism.

1 Under the ITSR, U.S. persons include (1) U.S. companies and their foreign branches; (2) U.S. citizens, wherever located; and (3) any person physically located in the United States. 31 C.F.R. § 560.314.

2 Id. § 560.215(b)(1)(i)-(iii).

Following Implementation Day, OFAC also issued a general license, General License H, which allows foreign entities owned or controlled by U.S. persons to conduct certain business with Iran, subject to restrictions. Such transactions generally must not support Iran’s nuclear program or involve U.S. persons, U.S. territory, controlled U.S.-origin goods, the U.S. financial system, or parties included on the SDN List or OFAC’s List of Foreign Sanctions Evaders (“FSE List”).3 Despite the sanctions relief introduced on Implementation Day under General License H, U.S. persons continue to be generally prohibited from engaging in most dealings with Iran.

Possible Actions

Under existing authorities, President Trump has authority to act unilaterally to (1) revoke or narrow the scope of sanctions relief accorded to Iran pursuant to the JCPOA; or (2) impose new sanctions targeting Iran. Importantly, these potential actions are not mutually exclusive, meaning that U.S. and non-U.S. companies must be prepared to address a combination of new sanctions and restrictions that do not necessarily reflect the status quo ante on January 16, 2016.

Revocation of General License H

President Trump could instruct OFAC to revoke General License H. General License H was arguably the most significant aspect of sanctions relief accorded to U.S. companies, as the general license has enabled a wide range of entities to conduct commercial transactions with Iran that otherwise would have been prohibited due to the breadth of the ITSR.
Revoking General License H would have the most obvious and immediate impact upon foreign entities owned or controlled by U.S. persons that are (1) currently conducting business with Iran; or (2) contemplating new activities in Iran. OFAC has advised that, “in the event of a JCPOA sanctions snapback, the U.S. government would provide non-U.S., non-Iranian persons a 180-day period to wind down operations in or business involving Iran that was consistent with the U.S. sanctions lifting under the JCPOA and undertaken pursuant to a written contract or written agreement entered into prior to snapback.”4 Foreign entities owned or controlled by U.S. persons would need to wind down their operations in, or business involving, Iran within the 180-day grace period. Doing so may present practical challenges for even the best-prepared companies—among other issues, agreements may need to be amended or terminated altogether, business operations may need to be shuttered, and supply chains may need to be recalibrated to avoid Iran-related transactions.

In addition, there are certain foreign entities currently conducting business with Iran in “partial reliance” on General License H. These foreign entities fall—or may fall—within the third, “catch-all” prong of the ITSR’s “ownership or control” test (i.e., entities that are not majority-owned by U.S. persons, but whose “actions, policies, or personnel decisions” may, in OFAC’s view, be controlled by U.S. persons).5 This third prong of the ITSR’s “ownership or control” test is subjective. Since General License H was introduced in January 2016, some foreign entities with minority U.S. investors have begun conducting business with Iran without determining, as a formal matter, whether they are required to comply with the ITSR. In other words, these foreign entities have reasoned (1) they are generally outside the scope of OFAC’s jurisdiction; or (2) even if within the scope of OFAC’s jurisdiction, their Iran-related activities are permissible under General License H. If General License H were to be revoked, each foreign entity that “partially relies” on General License H as a fallback position may be forced to make a risk-based determination regarding whether it in fact qualifies as “owned or controlled” by a U.S. person, and therefore is required to comply with the ITSR.

3 Since 2012, OFAC has maintained “foreign sanctions evader” sanctions targeting foreign individuals and entities whom OFAC determines have (1) violated, or caused violations of, U.S. sanctions against Iran or Syria; or (2) facilitated deceptive transactions on behalf of parties subject to U.S. sanctions. U.S. persons are prohibited from conducting virtually any business with individuals or entities on the FSE List.
4 OFAC, JCPOA FAQs #M.5, available here [hereinafter “JCPOA FAQs”].
5 31 C.F.R. § 560.215(b)(1)(iii).

Partial Revocation of General License H

Alternatively, President Trump could narrow the scope of General License H, without revoking the general license in its entirety. While tightening of General License H could take many different forms (e.g., restrictions on payment terms, product-related restrictions, etc.), one foreseeable scenario is that the Administration may instruct OFAC to further restrict the categories of Iranian end users that may be involved in transactions executed pursuant to General License H. Currently, General License H explicitly excludes transactions involving (1) entities or individuals on the SDN List or FSE List; and (2) military, paramilitary, intelligence, or law enforcement entities of the Government of Iran (including the IRGC), or any official, agent, or affiliate thereof. OFAC could expand the scope of prohibited end users to include, for example, entities and individuals on the List of Persons Identified as Blocked Solely Pursuant to Executive Order 13599 (the “E.O. 13599 List”).6 This, or other steps to narrow the scope of permissible activities under General License H, may have significant commercial implications for foreign entities that have pursued business opportunities in Iran in reliance on the current terms of General License H.

Additional Sanctions Designations

President Trump also could instruct OFAC to designate additional Iranian parties on the SDN List. While this step would have minimal impact upon U.S. persons, who already are prohibited from engaging in most dealings with Iran, the implications could be potentially significant for foreign parties that are neither owned nor controlled by U.S. persons. As described above, on Implementation Day, OFAC lifted nuclear-related secondary sanctions that targeted non-U.S. persons for engaging in certain transactions with Iran. OFAC explicitly did not lift secondary sanctions that target non-U.S. persons for conducting transactions with Iran-related individuals and entities who remain—or are subsequently placed—on the SDN List. As a result, the designation of additional Iranian SDNs may deter foreign entities from conducting business with Iran, as such business dealings may present an increased risk of being targeted by secondary sanctions.

New Secondary Sanctions

Finally, President Trump could instruct OFAC to impose new sanctions targeting sensitive Iranian industries, such as Iran’s energy industry. Prior to 2012, the United States maintained secondary sanctions that prohibited non-U.S. persons from, inter alia, (1) investing in Iran’s oil, gas, or petrochemical sectors; (2) providing goods, services (including financial services), or technology in connection with Iran’s energy sector; (3) purchasing, acquiring, selling, transporting, or marketing petrochemical products from Iran; (4) exporting, selling, or providing refined petroleum products and petrochemical products to Iran; and (5) dealing with entities affiliated with Iran’s energy sector, including the National Iranian Oil Company, the Naftiran Intertrade Company, and the National Iranian Tanker Company.7 Were President Trump to instruct OFAC to instate (or reinstate) certain secondary sanctions targeting key Iranian industries, foreign entities (not otherwise subject to OFAC’s jurisdiction) would effectively be forced to decide whether to (1) continue their dealings with targeted Iranian industries, at the risk of being sanctioned by the United States; or (2) discontinue their dealings with targeted Iranian industries, abandoning the investment made in, and potential profits realized from, pursuing such opportunities.

6 The E.O. 13599 List identifies entities and individuals that meet the definition of the term “Government of Iran” under the ITSR but are not included on the SDN List, and include a large number of Iranian financial institutions, energy firms, shipping companies, and others. The E.O. 13599 List was created on Implementation Day in order to clarify a subset of entities and individuals that were no longer targeted by secondary sanctions pursuant to the JCPOA but that remained off limits to U.S. persons. JCPOA FAQs #I.2.
7 Id. at #B.1-B.7.

Proactive Steps

While it is impossible to predict with certainty what may happen on, or around, May 12, the prevailing uncertainty need not equate to sanctions compliance paralysis. This section outlines several practical steps that U.S. and non-U.S. companies should start to take to prepare themselves for whatever Iran-related actions may unfold over the coming weeks.

Identify Iran-Related Touchpoints

As an initial step, U.S. and non-U.S. companies should identify their Iran-related touchpoints, cognizant that those touchpoints may be indirect. For example, do any non-U.S. subsidiaries or portfolio companies conduct business with Iranian counterparties, including sourcing or direct or indirect sales (e.g., via a distributor, reseller, or sales agent)? Are any non-U.S. subsidiaries or portfolio companies a party to joint ventures, consortia, or other arrangements whose scope of operations may include Iran or Iranian counterparties? Are any non-U.S. subsidiaries or portfolio companies contemplating new, Iran-related investments or business opportunities?

Develop a Communication Strategy

In parallel, U.S. and non-U.S. companies should consider how to communicate relevant changes to U.S. sanctions targeting Iran to affected employees, subsidiaries, portfolio companies, and other business partners. While development of an effective communication plan is necessarily organization-specific, factors to consider include:

• The predictably extensive media coverage, by U.S. and non-U.S. media outlets, of the announced changes, some of which may be legally inaccurate; and

• The need to respond to employee and business partner inquiries with a single, consistent policy in a timely manner, to minimize unnecessary business disruption.

The timely and accurate communication of changes in U.S. sanctions targeting Iran will be particularly important if, as is anticipated, the European Union does not follow the United States’ lead in reversing sanctions relief accorded pursuant to the JCPOA, potentially leading to employee confusion regarding sanctions compliance obligations.

Review Existing Agreements

Companies also would be well served to review existing agreements with Iranian counterparties and agreements that otherwise touch Iran—including agreements involving foreign subsidiaries and portfolio companies—to assess what steps may be required to terminate the agreements. Many agreements contain termination provisions with minimum notice periods, and failure to provide timely notice could result in the seemingly untenable choice of (1) failing to terminate the agreement within the OFAC-allotted period, creating potential U.S. sanctions exposure; or (2) breaching the terms of the agreement, risking potential civil liability in a non-U.S. jurisdiction. Advance planning may assist companies to head off unintended, and potentially intractable, contractual consequences resulting from changes to U.S. sanctions.

Identify Relevant Policies, Procedures, & Controls

For companies whose subsidiaries, portfolio companies, or affiliates conduct business in or with Iran, any change to the Iranian sanctions almost inevitably will require amendments to existing policies, procedures, or controls. Advance identification of the policies and procedures—at the corporate, subsidiary, and portfolio company level—that may or will need to be updated will help facilitate a single, coordinated response to changes in U.S. policy, thereby reducing confusion and business disruption.


For any affiliates that may continue conducting business with Iran (e.g., minority-owned portfolio companies organized outside of the United States), a potential change in U.S. policy would be an opportune time to ensure that such affiliates have implemented sufficient restricted party screening procedures to detect and prevent transactions with prohibited Iranian counterparties that could result in the affiliates themselves becoming sanctions targets.

Conclusion

Although the scope of possible changes to U.S. sanctions targeting Iran is unclear, companies with international operations would benefit from advance planning. Simple, proactive steps will go a long way towards avoiding unnecessary crises, whether commercial or legal, and ensure that companies are equipped to address the latest development in an ever more complicated—and frequently evolving—regulatory regime.

This alert should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This alert is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. © 2018 Ropes & Gray LLP

October 19, 2016 European Health Care Compliance Challenges (And Solutions)

Life sciences and health care companies (“health care companies”) rightly invest a significant amount of time and money into ensuring compliance with health care regulations in the countries in which they are based, but global companies must also consider the panoply of compliance challenges posed by the European market. This alert will address the top five health care compliance challenges facing health care companies operating in Europe, as well as simple steps that health care compliance professionals can take to address these challenges. Future alerts will address these topics in greater detail.

1. Government Interactions in Countries with Public Health Care Systems

Health care companies operating in Europe will inevitably face a higher number of government interactions than their counterparts that operate only in the United States, because nearly all of Europe has either publicly sponsored and regulated universal health care or publicly provided universal health care. Due to the public or quasi-public nature of health care in much of Europe, there are a larger number of individuals who regulators may consider government officials and with whom employees may be interacting, including doctors, nurses, and hospital administrators. Enforcement actions against health care companies are often predicated on the fact that health care professionals are government officials, and companies that interact with them regularly must be particularly aware of these risks.

Companies doing business with state-sponsored health care systems will also need to contend with sometimes complex reimbursement regimes and potential obstacles around introducing new or innovative products. Delays caused by the necessity for government approvals or reimbursement can create the incentives for bribes or facilitation payments, and the volume of government interactions increases the odds that a company may violate an anti-corruption law like the U.S. Foreign Corrupt Practices Act (“FCPA”). Health care companies must also be aware of changing local laws, such as Germany’s recent implementation of a revised Act to Combat Corruption in Healthcare which holds self-employed health care professionals (“HCPs”) liable for active and passive bribery, rather than just those at state-owned hospitals who would be classified as “public officials.”1

Solution: Companies can significantly mitigate the risks around government interactions by: 1) having clear policies and procedures around government interactions, including guidance around meals, hospitality, and sponsorship for educational events; 2) training employees who interact with government officials on these policies; and 3) monitoring compliance with these policies.

For additional information, see our Global Anti-Corruption Resources here.

2. Distribution Networks in Diverse Geographic Locations

In addition to risks from their own employees, health care companies must also be aware of the compliance risks associated with their distribution networks and foreign subsidiaries in the fragmented European market. Relying on a suite of different distributors, speaking different languages, using different currencies and with different cultures can create significant compliance challenges for companies across Europe. The actions of third-party distributors have been the basis for many FCPA settlements, sanction-related fines and compliance problems over the years, and companies must ensure that they have appropriate control and oversight of their third parties to limit such risks.

1 Sections 299 et seq. of the German Criminal Act.

Solution: Companies can protect themselves by ensuring that distributors are carefully controlled, including with regards to issues around export control, sanctions, product registrations, and corruption. These steps include: 1) conducting appropriate risk-based due diligence on third-party distributors; 2) having clear written agreements that contain representations that the distributor will comply with anti-corruption, sanctions, export control and product registration regulations in the jurisdictions in which they operate, as well as limitations on the geographic area in which the distributor operates; and 3) monitoring distributor activities.

For additional information, see our White Papers and Alerts here.

3. Competing Regulatory Regimes in European Countries

Another layer of complexity involved in doing business in Europe is the presence of competing regulatory regimes in the highly regulated European market. Conduct that is legal in one European country, or in the country in which a company is based, may be illegal in another European country. These regulatory regimes are subject to change at any time and keeping current with developing laws may be a challenge.

Companies should also consider ethical guidance published by professional bodies, such as the code of ethical business practices and guidelines on HCP interactions published by the medical device trade association Eucomed and the European Diagnostic Manufacturers Association (“EDMA”), the codes of practice for interactions with HCPs and patient organizations published by the European Federation of Pharmaceutical Industries and Associations (“EFPIA”), the guiding principles published by the International Federation of Pharmaceutical Manufacturers & Associations (“IFPMA”), and the Association of the British Pharmaceutical Industry (“ABPI”) code of practice in the UK, along with many other country-specific laws and sets of guidance. These trade association standards and accompanying guidance are also constantly changing. For example, on June 30, 2016, as required by EFPIA’s code on disclosures of transfers of value, EFPIA’s company members began disclosing payments to European health care providers and organizations in 33 European countries.

Solution: Companies should keep abreast of changes in regulatory regimes, including changes to transparency laws and antitrust regulations; develop a strategic approach to global and local policies that allows for flexibility to address varying and evolving legal requirements and ethical guidelines; and ensure that they seek the advice of competent local counsel in the jurisdictions in which they operate.

4. Data Privacy

Data privacy issues are a challenge for all companies, but they are a particularly tricky issue for health care companies that may be dealing with sensitive information related to patients’ health. It is even trickier in Europe, as stringent European Union (“EU”) data privacy standards will be applied and these may differ in interpretation and enforcement from country to country. Data privacy is an area of law that frequently evolves, as shown by the changes in the last year alone, including the loss of the safe harbor for U.S. companies, and the new General Data Protection Regulation that will come into effect for the EU in 2018 and have implications for all companies providing goods or services in and to European individuals, no matter where in the world the company is located.


Solution: With the focus on the new regime coming into force, any company doing business in or with Europeans should be reviewing its people, policies and procedures to ensure that they will meet the new accountability standards and remain compliant. If necessary, companies should seek advice from data privacy counsel to ensure that they comply with relevant laws in the jurisdictions in which they do business.

For additional resources, see our Alerts and White Papers here.

5. New Supply Chain Disclosure Requirements under the UK Modern Slavery Act

The UK Modern Slavery Act (“MSA”) requires companies that do business in the UK with worldwide annual turnover of £36 million to annually publish a slavery and human trafficking Statement on their websites indicating the steps they have taken during the fiscal year to ensure that slavery and human trafficking are not taking place in their supply chains or in their own businesses. This broad disclosure requirement is applicable to both UK- and non-UK-based companies, including those in the health care and life sciences industries. Compliance is required for fiscal years ending on or after March 31, 2016, and the Statement should be published within six months after fiscal year end. The Statement must be approved by the Board and signed by a director. Although the MSA is a disclosure-only statute that does not require companies to adopt policies and related management systems, disclosures will be used by NGOs, socially responsible investors (“SRIs”) and other stakeholders to assess ethical sourcing programs and push for change. Health care and life sciences companies often have complex multi-tier global supply chains of limited transparency. In addition, the raw materials and components in the supply chains of health care and life sciences companies (such as certain agricultural products used in pharmaceuticals and metals used in medical devices) often originate in higher risk locations that can present modern slavery risks.

Solution: If the process has not already begun, companies should start focusing on their first MSA Statements. In preparation for putting pen to paper, companies should assess human trafficking risks and current compliance procedures and determine whether enhancement is warranted. As part of this exercise, companies should benchmark compliance activities against peer companies, existing voluntary compliance frameworks and NGO and SRI expectations. Although the MSA is a simple statute on its face, Statements often take longer to prepare than companies anticipate. Many decisions will go into the approach to be taken and, especially at larger companies, many constituencies will need to weigh in on the Statement and it is likely to go through several rounds of revisions. For additional resources, see our White Papers and Alerts here and the anti-human trafficking module of our Supply Chain Compliance and Corporate Social Responsibility Resource Center here.

This alert should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This alert is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. © 2016 Ropes & Gray LLP

CSR & Supply Chain Compliance

November 28, 2016 EU Reaches Final Agreement on Conflict Minerals Regulation – An Overview

Attorneys: Michael R. Littenberg, Amanda N. Raad, Katerina Sandford, Emily K. Burke, Julia L. Chen

On November 22, the EU Council, Commission and Parliament reached an informal final agreement on a conflict minerals regulation. Last week’s agreement builds upon the “political agreement” reached during June.

The regulation generally will require EU smelters and refiners and direct importers of tin, tantalum, tungsten and gold (3TG) into the EU to conduct due diligence using the OECD Guidance framework if they are sourcing from conflict-affected and high-risk areas anywhere in the world. See our earlier Alert for a more extensive discussion of the key terms of the regulation and what it means for downstream companies. Please also visit the Ropes & Gray Supply Chain Compliance and Corporate Social Responsibility Resource Center for EU source documents relating to the regulation.

The EU press conference and press releases following the final agreement were fairly light on substance, but, in addition to the above, they provide a few additional details and confirm some of the previously disclosed details of the regulation:

Importers

• Small volume importers of 3TG will be exempt, although the threshold was not included in the public announcements. The regulation is intended to cover more than 95% of all EU imports of raw 3TG. Given the high value of gold in small quantities, the EU Commission has indicated that it intends to monitor the effectiveness of the regulation as it relates to gold imports.

• The “responsible importer” concept will be retained in the final regulation. A company can become a responsible importer by declaring in writing to the competent member state authority that it follows the due diligence obligations set forth in the regulation. A list of responsible importers will be published by the Commission.

• The competent authorities in the member states will be charged with carrying out checks to ensure that EU importers comply with their due diligence obligations.

Downstream Companies

• The regulation will not require due diligence by manufacturers, importers and sellers of finished products and components. However, these companies will be encouraged to make voluntary disclosures. The EU Commission intends to develop voluntary guidance for downstream companies. It also intends to create a voluntary transparency registry where companies can report on their due diligence practices.

Conflict-Affected and High-Risk Areas

• The EU Commission will draft a handbook that includes non-binding guidelines to help companies, including small and medium-sized enterprises, with the identification of conflict-affected and high risk areas.


Next Steps in the Approval Process

• The next step is for the final agreement to be confirmed by the EU member states. The Slovak presidency of the EU Council is expected to present the agreed text to member states’ ambassadors on December 7, 2016. Early next year, the final regulation is expected to be adopted by the Council.

• Thereafter, the final regulation will move to the Parliament for a vote. The Parliament is expected to vote on the regulation during the first half of 2017.

Effective Date

• The regulation will take effect on January 1, 2021. This is a longer transition than the two-year transition contemplated in earlier proposals. The transition period is intended to allow sufficient time to establish procedures and control mechanisms and prepare guidance. However, we expect that many larger downstream companies and the NGO community will push for earlier voluntary compliance.

For Further Information

If you would like to learn more about the issues in this Alert, please contact your usual Ropes & Gray attorney.

Ropes & Gray Supply Chain Compliance and CSR Mailing List

Click here to join the Ropes & Gray Supply Chain Compliance and CSR mailing list to receive Alerts, articles and program announcements relating to supply chain compliance, or to sign up for other Ropes & Gray mailing lists.

About our Supply Chain Compliance Practice

Ropes & Gray has a leading supply chain compliance and corporate social responsibility practice. We advise clients across a broad range of regulations, commodities and geographies, and our clients include leading public and private companies and trade groups from every major industry. With on-the-ground expertise in the United States, Europe and Asia, we are able to take a holistic, global approach to supply chain compliance and CSR, to help clients efficiently and effectively structure and implement their supply chain compliance and CSR programs and mitigate risk.

This alert should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This alert is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. © 2016 Ropes & Gray LLP

CSR & Supply Chain Compliance

February 15, 2017 The UK Modern Slavery Act – A Compliance Primer for Fund Managers

Attorneys: Michael R. Littenberg, Isabel K.R. Dische, Amanda N. Raad, Marcus Thompson

Starting this year, a significant number of fund managers based all over the world will be among the approximately 12,000 companies that will be required to publish an annual statement under the transparency provisions of the UK Modern Slavery Act. The statement is required to describe the steps that were taken during the prior fiscal year to ensure that slavery and human trafficking is not taking place in any of the subject company’s supply chains and in its own business. In this Alert, we provide an overview of the MSA and tips for compliance for fund managers. We also discuss how MSA disclosures by fund managers may be used by external constituencies.

Who Is Subject to the MSA?

The transparency provisions of the MSA have broad applicability. They apply to “commercial organisations” doing business in the United Kingdom that provide goods or services and have annual worldwide turnover of at least £36 million.

Commercial Organisations. “Commercial organisation” is defined broadly. It includes a corporation or partnership, wherever incorporated or formed, that carries on a business or part of a business in any part of the United Kingdom. A “business” includes a trade or profession.

Doing Business in the United Kingdom. The MSA does not contain a bright-line test for determining whether a commercial organisation based outside of the United Kingdom is carrying on a business or part of a business in any part of the United Kingdom. In its Guidance on the MSA, the UK Home Office has indicated that commercial organisations should apply “a common sense approach,” noting that commercial organisations that do not have a demonstrable business presence in the United Kingdom should not be required to prepare a statement. According to the Guidance, having a UK subsidiary will not, in itself, mean that a parent company is carrying on a business in the United Kingdom, since a subsidiary may act completely independently of its parent or other group companies. However, depending upon their business activities in the United Kingdom, multiple entities in the group, even those that are not primarily engaged in carrying on a business in the United Kingdom, could be required to prepare a statement.

The Turnover Threshold. A commercial organisation doing business in the United Kingdom only will be required to prepare a slavery and human trafficking statement if, for the applicable fiscal year, it supplies goods or services and has total turnover of at least £36 million. The turnover calculation includes the turnover of the subject commercial organisation and its subsidiaries, including those subsidiaries carrying on business entirely outside of the United Kingdom.


Content of the Statement

The statement is required to indicate the steps that the commercial organisation has taken during the preceding fiscal year to ensure that slavery and human trafficking is not taking place in any of its supply chains and in any part of its own business. Alternatively, if the organisation has not taken any steps to eradicate slavery and human trafficking, it is required to indicate that.

The MSA does not require commercial organisations to adopt a human trafficking policy, conduct supply chain due diligence or put in place a compliance program. It is a disclosure-only rule, but the transparency provisions are intended to create what the UK Home Office refers to as a “race to the top,” by encouraging companies to focus on the modern slavery risks present in their business and supply chains and adopt appropriate policies and procedures to manage those risks. The transparency provisions also are intended to enable external stakeholders to evaluate company risk assessments and compliance measures and compare them against those of other companies.

The MSA and subsequent Home Office commentary indicate the following areas that a commercial organisation may wish to discuss in its statement:

• The organisation’s structure, its business model and its supply chain relationships;

• The organisation’s policies in relation to slavery and human trafficking;

• Its due diligence and auditing processes in relation to slavery and human trafficking in its business and supply chains;

• The parts of its business and supply chains where there is a risk of slavery and human trafficking taking place, and the steps it has taken to assess and manage that risk;

• Its effectiveness in ensuring that slavery and human trafficking are not taking place in its business or supply chains, measured against such key performance indicators as it considers appropriate; and

• The training regarding slavery and human trafficking available to its staff, including for supply chain management and the rest of the organisation.

However, these are recommended, rather than mandatory, disclosure topics. Commercial organisations have the flexibility to tailor their statement to their particular facts and circumstances.

The Guidance indicates that a commercial organisation that is subject to the transparency provisions must include in its statement the activities of its subsidiaries, even if a subsidiary does not independently meet all of the jurisdictional requirements of the MSA, if the activities of the subsidiary form part of the business of the parent commercial organisation.

Publication of the Statement

Dissemination. The statement must be published on the commercial organisation’s website, if it has one. If the organisation does not have a website, it must provide a copy of the statement, upon written request, within 30 days after the request is received. The statement must be in a prominent place on the website’s home page. According to the Home Office Guidance, a “prominent place” may mean a modern slavery link that is directly visible on the home page or part of an obvious drop-down menu on that page. The Guidance indicates that the link should be clearly marked so that the contents are apparent, and it recommends a link such as “Modern Slavery Act Transparency Statement.”


Timing. Statements are required to be prepared annually, for the trailing fiscal year, beginning with fiscal years ending on or after March 31, 2016. Because fund managers typically have a December 31 fiscal year end, this will generally mean that the first statement required to be prepared will be for the fiscal year ended December 31, 2016. The MSA does not contain a specific date by which a statement must be prepared and posted on the commercial organisation’s website. The Home Office Guidance indicates that organisations are expected to publish their statements as soon as reasonably practicable after the end of the applicable fiscal year, and they are encouraged to report within six months of their fiscal year end.

Combined Statements. The Home Office Guidance indicates that, if a parent commercial organisation and one or more subsidiaries in the same group are each required to produce a statement, the parent may produce one statement that the subsidiaries can use to meet their disclosure requirement, provided that the statement fully covers the steps that each of the commercial organisations required to produce a statement has taken in the relevant fiscal year.

Approval and Signature Requirement

The statement must be approved by the board of directors (or equivalent management body) and signed by a director or the equivalent if the commercial organisation is a body corporate. If the entity is a limited liability partnership, the statement must be approved by the members and signed by a designated member. If the commercial organisation is a limited partnership registered under the U.K. Limited Partnerships Act, it must be signed by a general partner. If the organisation is any other kind of partnership, the statement must be signed by a partner.

Getting Started – Observations and Selected Compliance Recommendations

Start by Assessing Applicability. As an initial matter, fund managers should assess whether any of their management companies or other group entities must prepare a statement and, if so, which entities. A significant number of managers have offices in the United Kingdom and will meet the “doing business” requirement of the MSA transparency provisions. In most cases, the statement only will be required to cover a portion of the business activities and operations of managers based outside of the United Kingdom due to the manner in which their global operations are structured. Up-the-chain and sister entities are not required to be included in an MSA statement unless they independently meet the requirements of the MSA. However, some managers will elect to discuss their risk assessment and compliance activities for their entire consolidated group.

Review Existing Policies and Procedures and Consider Whether to Make Enhancements. As noted earlier in this Alert, the transparency provisions of the MSA only require disclosure. They do not require a modern slavery or social compliance policy or particular compliance procedures to be put in place. However, in connection with preparing an MSA statement, among other things, managers should review applicable portions of existing management company and investment policies and pre- and post-investment procedures that address human and labor rights such as modern slavery. These should be reviewed against any publicly disclosed policies and procedures of other managers with comparable strategies, as well as against any limited partner expectations, guidelines and commitments. Managers also should assess the extent to which existing human and labor rights policies and procedures align with NGO guidance and whether they are sufficient to mitigate reputational and other potential risks relating to modern slavery.
Managers that have not yet assessed modern slavery risk or extended environmental, social and governance (ESG) programs to cover modern slavery – which includes most managers – should take a gradual approach. A significant portion of first time MSA statements by managers (and commercial organisations generally) will indicate that their modern slavery risk assessment and the establishment of appropriate compliance procedures remain works in process. External constituencies recognize that it takes time to develop and implement a tailored compliance approach. The Home Office Guidance echoes this view and notes that first statements may indicate how the commercial organisation is starting to act on the issue of modern slavery and its planned actions to investigate or collaborate with other stakeholders to effect change.


Write Your MSA Statement for Limited Partners and NGOs. Strictly from a compliance standpoint, a manager could take a narrow approach in drafting its MSA statement, hewing to the literal requirements of the Act. Unlike manufacturers and sellers of products, fund managers do not have supply chains. In addition, entities in which they invest are typically not considered part of the manager’s own business. However, the consideration of ESG factors at the management company level and in investment decisions and ongoing portfolio management is an increasing area of focus for limited partners, especially European pension fund investors investing in private equity funds and other funds with illiquid strategies. Limited partners are likely to start using MSA statements as part of their ESG assessment. In addition, NGOs already have begun reviewing and ranking MSA statements, and more rankings, including by industry, are expected later in the year. Larger fund managers are the most likely to be included in industry rankings and, to the extent their statements and related compliance efforts are viewed as deficient, targeted for NGO engagement. For all of these reasons, managers generally will be better served by a more robust MSA statement. For example, managers should consider discussing, to the extent applicable, (1) their principal investment strategies, (2) how human and labor rights, including modern slavery, are addressed in their ESG policies, (3) how modern slavery risk is assessed and (4) any related pre- and post-investment compliance procedures and engagement with companies in which the manager invests. The manager also should consider indicating whether it is a signatory to or otherwise following particular responsible investment or human rights guidelines, such as the UN-supported Principles for Responsible Investment, the Private Equity Growth Capital Council Guidelines for Responsible Investment, the UN Global Compact, the UN Guiding Principles on Business and Human Rights, the IFC Performance Standards on Environmental and Social Sustainability and/or the Equator Principles. It also should consider discussing whether it encourages companies in which it invests to follow particular human and labor rights guidelines and codes of conduct relevant to their industries. External stakeholder expectations will be greatest for managers of private equity, infrastructure and real estate funds, as well as other managers that make significant illiquid investments, such as some credit fund managers. To the extent that it is not practical for the manager to consider social factors in its investment decisions for some or all of the asset classes in which it invests, the manager should consider discussing that in its statement as well.

Align the Statement with Other ESG Disclosures, Statements and Commitments. At many companies, ESG communications lack consistency. Fund managers are no different in this regard. Managers should ensure that their MSA statements are consistent with ESG guidelines in investment policies, any ESG statements and commitments made to limited partners and other publicly facing ESG statements and disclosures. In addition, for private equity firms and other managers that make control investments, MSA and California Transparency in Supply Chains Act statements published by portfolio companies should be consistent with any ESG guidelines of the manager that are applicable at the portfolio company level.

Approach MSA Compliance as a Process, Not a Project. An MSA statement must be prepared annually. As a recurring requirement, a member of the legal, compliance or operations group should be assigned ongoing responsibility for the statement. Disclosures will evolve as commercial organisations, including fund managers, continue to assess modern slavery risk and implement and enhance their modern slavery compliance procedures. Furthermore, as has been the case with other mandatory and voluntary ESG disclosures, other year-over-year enhancements to disclosures will be made as limited partners, NGOs and other external constituencies publish expectations documents, advocate for specific practices and rank compliance efforts.

About Our Supply Chain Compliance and CSR Practice

Ropes & Gray has a leading supply chain compliance and corporate social responsibility practice. We advise clients across a broad range of regulations, commodities and geographies, and our clients include leading public and private companies, including fund managers, and trade groups from every major industry. With on-the-ground expertise in the United States, Europe and Asia, we are able to take a holistic, global approach to supply chain compliance and CSR, to help clients efficiently and effectively structure and implement their supply chain compliance and CSR programs and mitigate risk. For further information on our supply chain compliance and CSR practice or if you would like to learn more about the topics in this Alert, please contact your usual Ropes & Gray attorney or contact us here.


This alert should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This alert is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. © 2017 Ropes & Gray LLP

ALERT

Intellectual Property Transactions

August 9, 2017 Privacy Shield dented? The EU Parliament’s Civil Liberties, Justice and Home Affairs Committee identifies deficiencies in US implementation of the Privacy Shield

Attorneys: Rohan Massey

The European Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE) visited Washington in the last week of July, not for a summer holiday, but to discuss the upcoming Privacy Shield review with the new US administration. Also on the agenda were counter-terrorism and immigration. For transatlantic data flows, the outcome of the meeting between the delegation of European Parliament and the Trump administration was far from satisfactory with the Civil Liberties Chair, Claude Moraes, voicing concerns over “deficiencies” that need to be addressed to ensure that the Privacy Shield complies with the EU Charter of Fundamental Rights and the General Data Protection Regulation ahead of its application throughout the EEA in May 2018.

LIBE’s concerns

While both LIBE and the US administration reiterated their continued commitment to make the Privacy Shield work, the meeting highlighted a number of issues to be resolved. In particular, LIBE identified several key positions that still need to be filled under the new US administration if the conditions of the adequacy decision are to be met. These, Claude Moraes says, would include “Some of the necessary functions of the Federal Trade Commission, the Privacy and Civil Liberties Oversight Board that is currently lacking four of its five commissioners and the ombudsperson, who is currently only in an acting capacity.”

The EU delegation also drew attention to open questions on the commercial aspects of the Privacy Shield as well as the ongoing review of Section 702 of the Foreign Intelligence Surveillance Act, Presidential Policy Directive 28 and law enforcement issues, which, according to LIBE, are essential components of the US commitments. Chairman Moraes also highlighted concerns around the state of surveillance reform in the US, an added deficiency that must be addressed immediately to ensure that the Privacy Shield stands the test of time and serves its purpose.

Comment

LIBE’s visit appears to have fulfilled its objective, which was “to obtain up-to-date information on the state of play in the US on major topics which fall within the remit of the LIBE Committee” such as the protection of personal data and the implementation of the EU-US Privacy Shield. Unfortunately, it transpires that, in Claude Moraes’ words, “Deficiencies still remain and must be urgently resolved to ensure that the Privacy Shield does not suffer from critical weaknesses”. The EU Data Protection Commissioners are due to issue their assessment of how the agreement is working by the end of the year. Sceptics might say that, in the light of the shortcomings identified by LIBE and the increasingly dysfunctional political landscape in the US, that assessment is unlikely to be entirely positive.


ARTICLE Excessive Pricing in Generic Drug Markets

August 23, 2017 Practices: Health Care

EU and UK antitrust laws make it illegal for dominant firms to charge unfair or excessive prices. These laws have most often been applied in markets that feature high barriers to entry or expansion, which enable a dominant firm to charge supra-competitive prices free of competitive challenge.

Excessive pricing laws have not often been applied to generic drug markets because those markets are typically characterised by aggressive competition from lower-priced equivalents. But in the recent past, we’ve seen a spate of excessive pricing cases involving generic pharmaceuticals. For example:

• In December last year the UK Competition and Markets Authority fined Pfizer and Flynn Pharma £90m for alleged excessive pricing of generic anti-epilepsy drugs and, in the same month, issued formal objections to Actavis for its pricing behaviour in generic hydrocortisone tablets.

• And in May this year, the European Commission commenced proceedings against Aspen Pharma for alleged excessive pricing in relation to generic cancer drugs.

So the question arises: what drives the trend towards excessive pricing cases in generic drug markets and does this trend signal the start of price regulation for generic drugs?

An analysis of the recent cases (Pfizer/Flynn, Actavis, and Aspen) doesn’t suggest a desire to regulate all generic drug prices. They suggest instead a desire to intervene in a fairly narrow set of circumstances where:

• The NHS has no choice but to continue to purchase the generic drug in question;

• The price increases have been significant, persistent, and unchallenged by competitors; and

• The pharma company is in a “mixed scheme”, so it sells both branded drugs under the Pharmaceutical Price Regulation Scheme and generic drugs, which are sold free of price regulation.

There is no suggestion, including in these recent cases, that competition authorities want to regulate all generic drug prices, especially where prices exhibit a downward trend.

• That’s consistent with public statements by the European Commission,

• With the Advocate General’s Opinion in the Latvian Collecting Society case

• And with the European Commission’s decisional practice in the Hepatitis C vaccines case.

Importantly, there is of course no certainty that the CMA’s decision in Pfizer or the investigations into Actavis and Aspen will ultimately prevail. We shouldn’t forget that excessive pricing cases have several inherent challenges, including:

• How to identify and apportion all applicable costs to ensure that the price is truly above cost;

• How to assess whether a price charged is “excessive” by reference to reliable and probative comparative benchmark prices;

• How to examine whether a price charged is merely the result of an abusive use of market power, or whether it is the consequence of legitimate reasons; and

• How to examine whether there is no effective competitive pressure on prices.

There is no guarantee that these elements will be proven to the requisite legal standard in these recent cases. For example, in the Pfizer case, it is not clear that the competitive impact of Teva’s comparable anti-epilepsy drug has been properly assessed. Nor is it currently clear that the CMA fully considered the impact of the fact that the Pfizer/Flynn branded product was sold at a loss, meaning that nameplate price increases are not probative of excessive pricing.

Indeed, factors such as these can explain why other high profile excessive pricing cases (e.g., the Qualcomm standards cases and the Swedish ports cases) have not been pursued by the European Commission and why other decisions have been reversed on appeal (e.g., United Brands).

Finally, the Health Service Medical Supplies (Costs) Act, which entered into force in May of this year, reduces the prospect of these kinds of excessive pricing cases in the future. The Act allows the Secretary of State to control the prices of generic drugs, including for pharma companies who are in a “mixed scheme” (i.e., who sell branded drugs under the voluntary/PPRS and generic drugs).

So it’s possible that, going forward, pharma companies who charge significant and persistent high prices for generic drugs may face regulatory actions rather than excessive pricing enforcement.

Copyright © 2017 Ropes & Gray LLP. All rights reserved. Attorney advertising. Prior results do not guarantee a similar outcome.

https://www.ropesgray.com/newsroom/alerts/2017/08/Excessive-Pricing-in-Generic-Drug-Markets.aspx

ALERT

Supply Chain Compliance and CSR

September 6, 2017 The EU Conflict Minerals Regulation – Frequently Asked Questions and Take-Aways for Downstream Companies (or Why Should I Care About Yet Another New Supply Chain Regulation?)

Attorneys: Michael R. Littenberg, Amanda N. Raad, Julia L. Chen

In late May, the European Union published the final text of its recently adopted conflict minerals regulation (the “Regulation”), which was more than seven years in the making. On almost a daily basis, we are asked by clients what, if anything, they should be doing under the Regulation. In this Alert, we provide a deep dive on the Regulation – in an easy-to-follow Q&A format – and take-aways for downstream companies. For additional information on the Regulation, see our earlier Alerts here and here. Please also visit the Ropes & Gray Supply Chain Compliance and Corporate Social Responsibility Resource Center for EU source documents relating to the Regulation.

Unpacking the Regulation – Frequently Asked Questions

In a Nutshell, What Does the Regulation Require?

The Regulation generally will require importers of tin, tantalum, tungsten and gold (“3TG”) into the European Union to establish management systems to support due diligence, conduct due diligence and make certain disclosures concerning the 3TG that they import into the European Union. We expand on these concepts and discuss other aspects of the Regulation in the FAQs below.

Who Is Subject to the Regulation?

The Regulation applies to importers into the European Union of 3TG in mineral or metal form. These can be importers who provide ores or unrefined minerals to EU smelters and refiners or importers who import specified 3TG metals processed outside of the European Union.

How is 3TG defined?

The Regulation includes an Annex that contains a detailed description, including Combined Nomenclature codes, of the specific 3TG ores, concentrates and metals that come within its scope. Tin, tantalum, niobium, tungsten and gold ores and concentrates and gold unwrought or in semi-manufactured forms or in a powder with a gold concentration lower than 99.5% that has not passed the refining stage are listed as “minerals.” Specified metals containing or consisting of tin, tantalum, tungsten or gold, including among others various enumerated oxides, hydroxides, chlorides, carbides, bars, powders, rods and wires, are listed as “metals.” In certain respects, the compliance obligations for minerals and metals are different, as discussed below.

Does the Regulation Cover Other Minerals or Metals?

No. The Regulation is limited to 3TG, as listed on Annex I to the Regulation. Various constituencies in the European Parliament advocated for a broader regulation applicable to additional minerals, metals and commodities. However, this was rejected.


Is There a De Minimis Exception?

Small volume importers of 3TG will be exempt under the Regulation. The Regulation is intended to cover not less than 95% of the annual volume of EU imports of each of the listed 3TGs. Annex I to the Regulation contains volume thresholds for some of the listed minerals and metals. For the remaining minerals and metals, the EU Commission (the “Commission”) must establish the required volume thresholds by April 1, 2020 if feasible, and in any event not later than July 1, 2020. The thresholds will be established using customs information for the prior two years. The Commission is empowered to amend the thresholds every three years after the effective date of the Regulation. Given the high value of gold in small quantities, the Commission has indicated that it intends to in particular monitor the effectiveness of the Regulation as it relates to gold imports.

Is Any 3TG Excluded from the Regulation, Other Than Under the De Minimis Exception?

Yes. There are three other exceptions, for recycled metals, mineral by-products and pre-existing stocks.

Recycled metals. These consist of reclaimed end-user or post-consumer products, or scrap processed metals created during product manufacturing, including excess, obsolete, defective and scrap metal materials that contain refined or processed metals that are appropriate for recycling in the production of 3TG. Minerals partially processed, unprocessed or a by-product from another ore are not considered to be recycled metals. As noted later in this Alert, although recycled metals are not in scope, they trigger disclosure requirements.

By-products. A by-product is a mineral or metal falling within the scope of the Regulation that has been obtained from the processing of a mineral or metal falling outside the scope of the Regulation, and that would not have been obtained without the processing of the primary mineral or metal falling outside the scope of the Regulation. The importer is required to maintain information supported by documentation indicating the point at which the by-product was first separated from its primary mineral or metal falling outside the scope of the Regulation.

Pre-existing stocks. The Regulation does not apply to existing stocks of 3TG created in their current form on a verifiable date prior to February 1, 2013. A date is verifiable if it can be verified by the inspection of physical date stamps on products or from inventory lists.

What Countries or Regions Is the Regulation Concerned With?

The Regulation is concerned with 3TG sourced from conflict-affected and high-risk areas worldwide. The Regulation does not call out specific countries or regions by name. Instead, it contains a general principles-based definition of what it means to be a conflict-affected and high-risk area. These include (1) areas in a state of armed conflict; (2) fragile post-conflict areas; (3) areas with weak or non-existent governance and security, such as failed states; and (4) areas with widespread and systematic violations of international law, including human rights abuses.

How Do I Determine if an Area Is Conflict-Affected and High-Risk?

The Commission is preparing non-binding guidelines to help companies identify conflict-affected and high-risk areas. These guidelines are expected to be released by the end of 2017. They follow on a draft handbook that was published by the Commission in 2015. The Commission also will select experts through a tender process to draw up an indicative, non-exhaustive list of conflict-affected and high-risk areas. The list also will include additional information to assist companies with their due diligence. The list is scheduled for release in 2019. The Commission intends to update the list on a regular basis.

If I Am a Manufacturer, Importer, Distributor or Retailer of Components or Finished Products, Am I Subject to the Regulation?

The Regulation does not impose compliance obligations on manufacturers of components or finished products, unless they are importing minerals or metals covered by the Regulation. Importers, distributors and retailers of components or finished products also do not have compliance obligations under the Regulation. However, as discussed later in this Alert, all of the foregoing are encouraged to responsibly source 3TG, establish related compliance programs and make voluntary disclosures.

What Are Importers Required to Do?

Importers of minerals and metals are required to put in place management systems to support their due diligence, conduct supply chain due diligence, manage identified risks and provide specified information to their immediate customers and the public, as further described below. These requirements conform to the OECD Guidance framework (as defined below), with which the Regulation is intended to align.

What is the OECD Guidance Framework?

The Organisation for Economic Co-operation and Development (“OECD”) Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas (the “OECD Guidance”) provides detailed recommendations to help companies respect human rights and avoid contributing to conflict through their mineral purchasing decisions and practices. The OECD Guidance consists of base guidance and two supplements, one for tin, tantalum and tungsten and one for gold. It is organized into a five-step due diligence framework:

• establish strong company management systems;

• identify and assess risks in the supply chain;

• design and implement a strategy to respond to identified risks;

• carry out independent third-party audits of supply chain due diligence at identified points in the supply chain; and

• report on supply chain due diligence.

The OECD Guidance is for use by any company potentially sourcing minerals or metals from conflict-affected and high-risk areas. The OECD Guidance provides recommendations tailored to different points in the supply chain.

What Management Systems Are Importers Required to Adopt?

Importers are required to put in place the following management systems, which are consistent with Step 1 of the OECD Guidance:

• adopt a supply chain policy for 3TG minerals and metals potentially originating from conflict-affected and high-risk areas, and clearly communicate to suppliers and the public up-to-date information on the supply chain policy;

• incorporate in the supply chain policy standards against which supply chain due diligence is to be conducted consistent with the standards set out in the OECD Guidance;

• structure internal management systems to support supply chain due diligence by assigning responsibility to senior management to oversee the supply chain due diligence process, and maintain records of those systems for a minimum of five years;

• strengthen engagement with suppliers by incorporating the supply chain policy into contracts and agreements with suppliers consistent with the OECD Guidance; and

• establish a grievance mechanism as an early-warning risk-awareness system, or provide a mechanism through a multi-stakeholder arrangement or by facilitating recourse to an external expert or body, such as an ombudsman.

What Information Must Be Obtained from Suppliers?

Consistent with Step 2 of the OECD Guidance, the importer must operate a chain of custody or supply chain traceability system. The information to be obtained differs for importers of minerals and metals, recognizing that they are at different points in the supply chain. The purpose of the due diligence is to determine whether the 3TG that is being imported into the European Union has been mined and processed responsibly to ensure that it is not funding armed groups or security forces in conflict areas.

Minerals. The chain of custody or supply chain traceability system must provide, supported by documentation, the following information:

• a description of the mineral, including its trade name and type;

• the name and address of the supplier to the importer;

• the country of origin of the minerals;

• the quantities and dates of extraction, if available, expressed in volume or weight; and

• if minerals originate from conflict-affected and high-risk areas, or other supply chain risks as listed in the OECD Guidance have been ascertained by the importer, additional information in accordance with the specific recommendations for upstream economic operators set out in the OECD Guidance, such as the mine of mineral origin, locations where minerals are consolidated, traded and processed and taxes, fees and royalties paid.

Metals. The chain of custody or supply chain traceability system must provide, supported by documentation, the following information:

• a description of the metal, including its trade name and type;

• the name and address of the supplier to the importer;

• the name and address of the smelters and refiners in the supply chain of the importer;

• if available, records of the third-party audit reports of the smelters and refiners, or evidence of conformity with a recognized supply chain due diligence scheme; and

• if third-party audit reports are not available:

  o the countries of origin of the minerals in the supply chain of the smelters and refiners; and

  o if the metals are based on minerals originating from conflict-affected and high-risk areas, or other supply chain risks listed in the OECD Guidance have been ascertained by the importer, additional information in accordance with the specific recommendations for downstream economic operators set out in the OECD Guidance.

Importers are required to maintain documentation demonstrating compliance with their due diligence obligations.

What Are Importers Required to Do to Mitigate Sourcing Risk?

Importers of minerals and metals are required to use the information that they obtain through their due diligence to mitigate risk.

Importers of Minerals. An importer of minerals is required to identify and assess the risks of adverse impacts in its mineral supply chain using the information that it obtains through its due diligence against the standards of its supply chain policy and the due diligence recommendations set out in the OECD Guidance. Using this information, it is required to implement a strategy to respond to the identified risks that is designed to prevent or mitigate adverse impacts by:

• reporting findings of the supply chain risk assessment to designated senior management;
• adopting risk management measures consistent with the OECD Guidance, taking into account its ability to influence and, where necessary, take steps to exert pressure on suppliers who can most effectively prevent or mitigate the identified risk; these risk management measures may include continuing trade while simultaneously implementing measurable risk mitigation efforts, suspending trade temporarily while pursuing ongoing measurable risk mitigation efforts or disengaging with a supplier after failed attempts at risk mitigation;
• implementing the risk management plan, monitoring and tracking the performance of risk mitigation efforts, reporting back to designated senior management and considering suspending or discontinuing engagement with a supplier after failed attempts at mitigation; and
• undertaking additional fact and risk assessments for risks requiring mitigation, or after a change of circumstances.

If an importer of minerals pursues risk mitigation efforts while continuing trade or temporarily suspending trade, it is required to consult with suppliers and the stakeholders concerned, including local and central government authorities, international or civil society organizations and affected third parties, and agree on a strategy for measurable risk mitigation in its risk management plan. An importer of minerals is required to design conflict and high-risk sensitive strategies for mitigation in its risk management plan in accordance with the measures and indicators in Annex III to the OECD Guidance and measure progressive improvement.

Importers of Metals. An importer of metals is required to identify and assess in accordance with the OECD Guidance the risks in its supply chain based on available third-party audits of smelters and refiners and by assessing the smelters’ and refiners’ due diligence practices. The findings of the risk assessment must be reported to designated senior management, and the importer must implement a response strategy designed to prevent or mitigate adverse impacts consistent with the OECD Guidance. If there is not a third-party audit report from a smelter or refiner, the importer must identify and assess the risks in its supply chain as part of its own risk management system. In those cases, the importer must carry out audits of its supply chain due diligence through an independent third-party.

When Must An Importer Obtain a Third-Party Audit?

Importers of minerals or metals generally are required to obtain independent third-party audits pertaining to their supply chain due diligence to assess conformity with the Regulation. The audit must:

• include in its scope all of the importer's activities, processes and systems used to implement supply chain due diligence regarding minerals or metals, including its management system, risk management and disclosure of information in accordance with the Regulation;
• have as its objective the determination of conformity of the importer's supply chain due diligence practices with the Regulation; and
• make recommendations to the importer on how to improve its supply chain due diligence practices.

However, importers of metals are exempt from the audit requirement if they make available substantive evidence, including third-party audit reports, demonstrating that all of the smelters and refiners in their supply chain comply with the Regulation. This requirement will be deemed to be fulfilled if the importer of metals demonstrates that it is sourcing exclusively from smelters and refiners listed by the Commission as global responsible smelters and refiners. This exemption is intended to encourage importers to source 3TG exclusively from compliant smelters and refiners.

How Will Importers Know if They Are Purchasing Responsibly Sourced 3TG?

The Commission is required to publish on the Internet a list of global responsible smelters and refiners. The list will take into account smelters and refiners covered by supply chain due diligence schemes recognized by the Commission. The Commission is required to use its best endeavors to identify those smelters and refiners included on the list that source at least partially from conflict-affected and high-risk areas, in particular by utilizing information provided by recognized due diligence schemes.

Are There Currently Any Recognized Due Diligence Schemes?

At present, there are not any recognized due diligence schemes. The recognition process is discussed in the next FAQ.

How Does a Due Diligence Scheme Get Recognized?

Supply chain due diligence schemes may request recognition by the Commission. Supplemental legislation setting out the methodology and criteria for assessing due diligence schemes is expected to be completed in 2018. The Commission is required to establish and keep up to date a register of recognized supply chain due diligence schemes. That register is required to be made publicly available on the Internet. Existing industry due diligence schemes based on the OECD Guidance methodology and criteria, such as the Conflict-Free Smelter Program, the London Bullion Market Association Responsible Gold Guidance and the Responsible Jewellery Council Chain-of-Custody Standard, are expected to be recognized. These existing due diligence schemes currently are used by companies in connection with their due diligence under the U.S. Conflict Minerals Rule. The foregoing due diligence schemes and others are undergoing an assessment of their alignment with the OECD Guidance. We hosted a webinar on the alignment assessment process as part of our Advanced Supply Chain Compliance & CSR Webinar Series. That webinar is available here.

Do Importers Have Disclosure Obligations under the Regulation?

Importers have specified disclosure obligations to customers, the public and regulators, as described below.

Customers. Importers must make available to their immediate downstream purchasers all information gained and maintained pursuant to their supply chain due diligence, with due regard for business confidentiality and other competitive concerns.

Publicly. Importers must, on an annual basis, publicly report as widely as possible, including on the Internet, on their supply chain due diligence policies and practices for responsible sourcing.
The report must contain the steps taken by the importer to implement its management system and risk management obligations. In addition, the report must contain a summary of any third-party audit that is commissioned, including the name of the auditor, with due regard for business confidentiality and other competitive concerns. If an importer of metals can reasonably conclude that the metals are derived only from recycled or scrap sources, it must, with due regard for business confidentiality and other competitive concerns, publicly disclose its conclusion and describe in reasonable detail the supply chain due diligence measures it exercised in reaching that conclusion.

Regulators. Importers must make available to EU member state competent authorities the reports of any third-party audit that they commission or evidence of conformity with a supply chain due diligence scheme recognized by the Commission.

Does the Regulation Require Companies Further Downstream to Make Public Disclosures?

The Regulation does not require companies that are downstream from an importer – such as a product or component manufacturer, distributor or retailer – to make public disclosures. However, the Commission intends to launch a transparency database in 2018 to provide a single location for these companies to voluntarily report on their due diligence practices. In addition to creating greater transparency, the database is intended to create peer pressure to report and engage in due diligence.

Separate from the Regulation, EU entities that are subject to the Non-Financial Reporting Directive may need to report on their 3TG due diligence. According to the voluntary guidelines on non-financial reporting published by the Commission this summer, where relevant and proportionate, companies are expected to disclose information on due diligence to ensure responsible supply chains for 3TG from conflict-affected and high-risk areas. According to the guidance, disclosures should be consistent with the OECD Guidance, including (1) relevant information on the performance of policies, practices and results on due diligence and (2) the steps taken to implement the OECD Guidance framework, taking into account the company’s position in the supply chain. Companies also are expected to disclose key performance indicators relating to (1) the nature and number of risks identified, (2) the measures taken to prevent and mitigate these risks and (3) how the company has strengthened its due diligence efforts over time.

When Does the Regulation Take Effect?

The due diligence and other obligations applicable to importers will take effect on January 1, 2021. The extended transition period is intended to allow sufficient time to establish procedures and control mechanisms, prepare guidance and recognize due diligence schemes. However, we expect that many larger downstream companies and the NGO community will push for earlier voluntary compliance by importers.

Do EU Member States Need to Adopt Implementing Legislation?

No. As a regulation (in contrast to a directive), the EU’s conflict minerals legislation will be directly and uniformly applicable in all member states from its effective date, without the need for the member states to draft and adopt separate national legislation.

Who Will Be Responsible for Enforcing the Regulation?

EU member states’ competent authorities will be responsible for ensuring effective and uniform implementation of the Regulation throughout the European Union. Member states are required to inform the Commission of their designated competent authority by December 9, 2017.

How Will the Regulation Be Enforced?

Member state competent authorities are responsible for carrying out ex-post checks in order to ensure that importers are complying with the Regulation.
The Commission is required to prepare non-binding guidelines detailing the steps to be followed by member state competent authorities carrying out the ex-post checks. Each member state is required to establish rules applicable to infringements of the Regulation.

Will the Regulation Be Expanded to Cover Additional Points in the 3TG Supply Chain?

The Commission is periodically required to review and report on the functioning and effectiveness of the Regulation. The first review will occur in 2023. Additional reviews will occur every three years thereafter. Reviews are required to take into account the impact of the Regulation on the ground, including on the promotion and cost of responsible sourcing of 3TG from conflict-affected and high-risk areas and the impact of the Regulation on EU economic operators. Reviews also are required to include an independent assessment of the proportion of total downstream EU economic operators with 3TG in their supply chains that have due diligence schemes in place. In addition, the review is required to assess the adequacy and implementation of these due diligence schemes as well as the need for additional mandatory measures in order to ensure sufficient leverage of the total EU market on the responsible global supply chain of minerals.

Has the EU Adopted or Is It Considering Other Measures to Encourage Responsible Sourcing of 3TG?

The Regulation is one piece of a multi-pronged strategy to encourage responsible sourcing of 3TG, which, among other things, includes the following:

Multi-stakeholder Initiatives. The European Partnership for Responsible Minerals has been launched by selected EU member states, the Commission and stakeholders from the NGO and business communities. The Partnership supports the socially responsible extraction of minerals in conflict zones and other high-risk areas. During November 2016, we hosted a webinar on the Partnership as part of our Advanced Supply Chain Compliance & CSR Webinar Series. That webinar is available here.

In-region Support. The EU has allocated €20 million to support in-region projects to help reduce conflict in areas from which 3TG is sourced.

Public Procurement. The Commission has indicated that it will require in its public procurement contracts for finished goods that contain 3TG that vendors comply with the OECD Guidance.

Product Labeling. The Commission has called upon EU member states to separately develop complementary national initiatives relating to consumer information and labeling.

Is the EU Regulation Similar to the U.S. Conflict Minerals Rule?

The Regulation and the U.S. Conflict Minerals Rule both apply to 3TG and both utilize the OECD Guidance framework for due diligence. However, there are significant differences between the Regulation and the U.S. Rule. The principal differences include the following:

Subject Companies. The U.S. Rule imposes due diligence and disclosure requirements on U.S. public companies anywhere in the supply chain. The EU instead seeks to regulate further up the supply chain, focusing on 3TG importers.

Included Minerals and Metals. The U.S. Rule contains a generic definition of 3TG, as compared to the more detailed Annex included in the Regulation. Although there is significant overlap, in-scope 3TG is not the same under the Regulation and the U.S. Rule.

Geographic Scope. The U.S. Rule is focused on the Democratic Republic of the Congo (“DRC”) region. The Regulation applies to minerals and metals sourced from conflict-affected and high-risk areas worldwide. For additional information on the U.S. Rule, see the Ropes & Gray Supply Chain Compliance and Corporate Social Responsibility website.

Selected Take-Aways for Downstream Companies

The U.S.
Conflict Minerals Rule Will Continue to Be the Primary Driver of Compliance Programs, for Now

Assuming that the U.S. Rule is not repealed or modified, it will for the time being continue to drive the compliance procedures and programs at most downstream companies, whether they are public or private, large or small or located in the United States, the European Union or elsewhere. As noted earlier, the Regulation does not take effect until 2021. In addition, because it only imposes obligations on 3TG importers, it will not require downstream companies to implement compliance programs to the same extent as under the U.S. Rule. However, as more EU downstream companies begin to publicly report on their 3TG compliance programs, either voluntarily through the transparency database or pursuant to the Non-Financial Reporting Directive, we expect to see the Regulation have an impact on downstream compliance practices. Although beyond the scope of this Alert, we also expect the French human rights-focused Duty of Vigilance Law, which was adopted earlier this year, to have some impact on downstream 3TG compliance programs. For additional information on some of the recent developments affecting the U.S. Rule, see our Alerts and White Papers here.

Some Manufacturers Will Need to Broaden Their Compliance Programs

The Commission estimates that the Regulation will apply directly to between 600 and 1,000 importers. The vast majority of product and component manufacturers are not importers within the meaning of the Regulation. However, some larger companies that manufacture in the European Union also are importers of 3TG metals and will therefore be required to comply with the Regulation. As an initial matter, if they have not already done so, compliance personnel at companies with large EU manufacturing operations should determine whether they directly import 3TG metals into the European Union. The inquiry will need to be specific to the metals listed on Annex I.

The Regulation Will Draw More Attention to 3TG Sourcing from Other Regions

The global focus of the Regulation will over time draw more attention to other 3TG-producing areas of the world, beyond the DRC, that may be conflict-affected and high-risk. To the extent other areas are widely recognized as conflict-affected and high-risk, we expect that leading downstream companies will expand and refine their supply chain inquiries, policies and other procedures to take these areas into account, both to mitigate supply chain risk and as part of their commitment to responsible sourcing. This will in turn put pressure on other portions of the supply chain to follow suit. We also expect that many larger downstream companies, not just those based in the European Union, will over time expand their supply chain disclosures to specifically address 3TG sourcing from these other areas. As noted earlier, the Commission is preparing non-binding guidelines to help companies identify conflict-affected and high-risk areas, and it will select experts via a tender process to draw up an indicative, non-exhaustive list of these areas. There are likely to be good faith differences of opinion as to whether a particular area is conflict-affected and high-risk and how to demarcate the area. For these reasons, it is important for larger companies and industry associations to be part of this dialogue with governments, NGOs and other members of civil society.

Expect Pressure on Responsible Sourcing of 3TG and Related Disclosures to Continue to Increase

The NGO community has been critical of the limited applicability of the Regulation. Downstream companies should expect that NGOs will continue to advocate for due diligence and disclosure by the downstream, including through one-on-one engagement, benchmarking studies and “name and shame” and social media campaigns. NGOs also may lobby for national legislation that addresses perceived gaps in the Regulation, similar in approach to that which has been adopted or proposed relating to anti-human trafficking, especially in EU member states that were supportive of mandatory 3TG due diligence for the entire supply chain. Although additional EU legislation is not imminent and the Regulation was many years in the making, at the press conference announcing the political agreement on the Regulation, the Chair of the EU Parliament’s Committee on International Trade foreshadowed what may perhaps be ahead. He indicated that the Regulation “opens the door for a new momentum in trade policy,” and that the Parliament will look at other sectors and value chains to improve living conditions for workers and the environment in the entire value chain of products.

About Our Supply Chain Compliance and Corporate Social Responsibility Practice

Ropes & Gray has a leading Supply Chain Compliance and Corporate Social Responsibility practice. With team members in the United States, Europe and Asia, we are able to take a holistic, global approach to supply chain compliance and CSR. Senior members of the practice have advised on these matters for almost 30 years, enabling us to provide a long-term perspective that few firms can match. For further information on the practice, click here. Click here to visit our Supply Chain Compliance and CSR website. To join our Supply Chain Compliance and CSR mailing list, click here.

This alert should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This alert is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have.

© 2017 Ropes & Gray LLP ropesgray.com ATTORNEY ADVERTISING

ALERT

Government Enforcement / White Collar Crime

October 10, 2017

U.S. Announces Revocation of Sudanese Sanctions Regulations: New Opportunities and Familiar Risks

Attorneys: Brendan C. Hanifin, Sean Seelinger, Emerson Siegle

On October 6, 2017, the United States government announced that, effective October 12th, the Sudanese Sanctions Regulations (“SSR”) would be officially revoked. The October 6th announcement marked the culmination of a nine-month process initiated during the waning days of the Obama administration. Revocation of the SSR will create additional opportunities for U.S. companies to do business in—and with—Sudan. The step also is in line with a broader trend across U.S. sanctions policy in favor of narrower sanctions that target specific actors and categories of transactions over broader sanctions that target entire countries or regions.

I. Overview of the SSR

The United States imposed sanctions against Sudan in 1997 in response to alleged human rights abuses and the country’s support of terrorism.1 The SSR prohibited persons subject to U.S. jurisdiction from engaging in a broad range of transactions with Sudan, including:

• Exportation or reexportation to Sudan of goods, technology, or services from the United States or by a U.S. person;

• Importation into the United States of goods or services of Sudanese origin;

• Facilitation by a U.S. person of the export or reexport of goods, technology, or services from Sudan to any destination or to Sudan from any location;

• Performance by a U.S. person of any contract in support of an industrial, commercial, public utility, or governmental project in Sudan; and

• Any transactions by U.S. persons relating to the petroleum or petrochemical industries in Sudan, including, but not limited to, oilfield services and oil or gas pipelines.

1 The Republic of South Sudan gained independence from Sudan (also known as North Sudan) in July 2011. Following its secession from Sudan, South Sudan was no longer subject to comprehensive sanctions (although certain activities in South Sudan were—and remain—prohibited).

Despite the SSR’s broad scope, enforcement was relatively limited. From 2012 through October 5, 2017, the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) announced 26 civil penalties or settlements that involved apparent violations of the SSR. Of these 26 enforcement actions, only five matters related exclusively to alleged violations of the SSR, while the remaining matters involved violations of multiple sanctions programs.

II. Recent Developments

As noted above, President Barack Obama initiated the revocation of the SSR. On January 13, 2017, President Obama issued Executive Order (“EO”) 13761, which provided for the revocation of the SSR on July 12, 2017 if the Government of Sudan sustained certain “positive actions over the past 6 months,” including “a marked reduction in offensive military activity . . . steps toward the improvement of humanitarian access throughout Sudan . . . [and] cooperation with the United States on addressing regional conflicts and the threat of terrorism.” Exec. Order No. 13,761, 82 FED. REG. 5,331 (Jan. 18, 2017). On January 17, OFAC issued a general license authorizing all transactions prohibited under the SSR. Sudanese Sanctions Regulations, 82 FED. REG. 4,793 (Jan. 17, 2017).

Shortly after EO 13761 was issued, Reuters reported that President Obama’s action “came with the full approval of the incoming Trump administration.” Move to lift Sudan sanctions came after Trump approval, months of talks, REUTERS (Jan. 14, 2017). Less than two weeks later, however, President Trump issued EO 13769, which temporarily suspended entry of Sudanese citizens, along with the citizens of six other countries, into the United States, subject to limited exceptions. Exec. Order No. 13,769, 82 FED. REG. 8,977 (Feb. 1, 2017). EO 13769 was superseded by EO 13780, issued on March 6, 2017, which included the same restriction on Sudanese citizens and cited Sudan’s “support for international terrorist groups, including Hizballah and Hamas . . . [and] al-Qa’ida.” Exec. Order No. 13,780, 82 FED. REG. 13,209 (Mar. 9, 2017). The inclusion of Sudan in President Trump’s “travel ban” suggested that the Trump administration was skeptical of the Government of Sudan’s commitment to combatting international terrorism.

On July 11, 2017, President Trump issued EO 13804, which extended the SSR review period established by EO 13761 from July 12 until October 12, 2017. Exec. Order No. 13,804, 82 FED. REG. 32,611 (July 14, 2017). On September 24, foreshadowing the October 6th announcement, President Trump issued a proclamation that imposed new restrictions on entry into the United States by citizens of eight countries—not including Sudan.
Press Release, The White House, Presidential Proclamation Enhancing Vetting Capabilities and Processes for Detecting Attempted Entry Into the United States by Terrorists or Other Public-Safety Threats (Sept. 24, 2017).

III. Life After the SSR

A. New Business Opportunities in Sudan

The revocation of the SSR will create new business opportunities in Sudan for U.S. companies. For the past twenty years, U.S. companies have been prohibited from engaging in virtually any business or dealings involving Sudan. In addition, while foreign-organized subsidiaries of U.S. companies were permitted to conduct business with Sudan, subject to restrictions,2 many U.S. companies adopted blanket policies that prohibited all transactions involving Sudan, whether carried out by U.S. or non-U.S. personnel. Even though the SSR were suspended in January 2017, relatively few U.S. companies pursued opportunities in Sudan in the following months. Hesitancy by U.S. companies was undoubtedly attributable, at least in part, to lingering uncertainty regarding whether President Trump would reverse (or, at minimum, roll back) the Obama administration’s policy regarding Sudan, as President Trump has done with respect to Cuba (and has threatened to do with respect to Iran).

The 2011 secession of South Sudan inflicted a significant toll on the Sudanese economy. According to the U.S. Central Intelligence Agency, South Sudan accounted for approximately 75% of Sudan’s oil production, which had been the troubled country’s largest driver of GDP growth over the past decade. The World Factbook, Central Intelligence Agency (last visited Oct. 6, 2017). Still, oil production constitutes a significant percentage of the Sudanese economy and, in recent years, oil and gas investment in Sudan has been dominated by Chinese companies. See Sudan: China’s Original Foothold in Africa, THE DIPLOMAT (June 14, 2017). With the revocation of the SSR, U.S. oil and gas companies, as well as extractive and consumer goods companies, potentially stand to benefit.

2 For example, 31 C.F.R. § 538.205 could be interpreted as prohibiting the exportation to Sudan by a non-U.S. company of U.S.- origin goods, technology, or services.

B. Significant Risks Remain

Despite the revocation of the SSR, conducting business in Sudan will continue to present a wide range of sanctions- and non-sanctions-related risks. As an initial matter, although the SSR will be revoked, certain Sudanese individuals and entities remain on OFAC’s List of Specially Designated Nationals (“SDNs”) and Blocked Persons pursuant to other sanctions programs. U.S. companies will remain prohibited from engaging in transactions involving SDNs, including SDNs based in Sudan, absent a license from OFAC. In addition, multinational organizations may be subject to European Union sanctions targeting Sudan, which include an arms embargo, prohibition against the provision of assistance for military activities, asset freezes, and travel restrictions. Relatedly, some companies may be subject to contractual restrictions against conducting business in Sudan that will not automatically dissipate as a result of the October 6th announcement. For example, certain loan agreements prohibit or restrict borrowers and their subsidiaries from conducting business with Sudan (as well as other countries targeted by comprehensive U.S. sanctions). Depending upon the specific wording of the underlying contractual provisions, such prohibitions or restrictions may survive revocation of the SSR.

Second, the revocation of the SSR will only apply prospectively. U.S. companies that engaged in impermissible business or dealings with Sudan prior to OFAC’s issuance of a general license in January 2017 could still face potential sanctions liability stemming from their historical conduct. OFAC, Frequently Asked Questions on Revocation of Certain Sanctions With Respect to Sudan and the Government of Sudan on October 12, 2017. Notably, on October 5—the day before the announcement that the SSR will be revoked—OFAC announced a $372,465 settlement with BD White Birch Investment LLC (“White Birch USA”), a U.S.-based manufacturer of paper and paperboard products, to resolve three apparent violations of the SSR. OFAC alleged that White Birch USA violated the SSR by facilitating the sale and shipment of over 500 metric tons of Canadian-origin paper from Canada to Sudan in 2013.
Press Release, Treasury Dep’t., BD White Birch Investment LLC Settles Potential Civil Liability for Apparent Violations of the Sudanese Sanctions Regulations (Oct. 5, 2017). Notably, OFAC’s Enforcement Information stated that the general license issued in January 2017 “does not affect past, present, or future OFAC enforcement investigations or actions related to any apparent violations of the SSR relating to activities that occurred prior to the effective date of the general license.” In addition, in recent enforcement actions, OFAC has regularly asked companies to enter into statute of limitations tolling agreements, which can significantly extend the life of active investigations. As such, it is possible that OFAC will continue to pursue and resolve suspected historical violations of the SSR for several years, notwithstanding the October 6th announcement. Third, significant non-sanctions-related obstacles to conducting business in Sudan will remain. For example, Sudan has an extremely high incidence of public sector corruption. In Transparency International’s latest Corruption Perceptions Index (“CPI”), Transparency Int’l (last visited Oct. 6, 2017), Sudan ranked 170th out of 176 countries surveyed, earning the same score as Libya and Yemen. The only countries to score worse than Sudan in the 2016 CPI were Syria, North Korea, South Sudan, and Somalia. Beyond corruption risk, conducting business in Sudan may present significant—bordering insurmountable—personal security concerns. The U.S. State Department has issued a travel warning advising U.S. citizens not to travel to Sudan. Sudan Travel Warning, U.S. State Dep’t (last updated Mar. 30, 2017). The State Department warning notes, inter alia, that terrorist groups are active and that violent crimes targeting Westerners occur everywhere in Sudan. Further, conducting business in Sudan presents significant reputational risk. 
Notwithstanding the October 6th announcement, Sudan remains one of only three countries designated on the State Department’s State Sponsors of Terrorism list (along with Iran and Syria). State Sponsors of Terrorism, U.S. Dep’t of State (last visited Oct. 6, 2017).3 In addition, in its 2017 World Report, Human Rights Watch described Sudan’s human rights record as “abysmal,” citing “continuing attacks on civilians by government forces in Darfur, Southern Kordofan, and Blue Nile states” and “widespread arbitrary detentions of activists, students, and protesters.” Sudan: Events of 2016, Human Rights Watch (last visited Oct. 6, 2017). In sum, while the revocation of the SSR will present opportunities for U.S. companies evaluating potential business opportunities in Sudan, it is not a panacea. C. Following U.S. Sanctions Developments The pending revocation of the SSR serves as a useful reminder that U.S. sanctions policy can—and occasionally does—change quickly, at least in comparison to other areas of law. By way of illustration, the announcement that the

3 OFAC will issue a general license on October 12, 2017 authorizing the exportation of agricultural commodities, medicines, or medical devices that would otherwise be prohibited due to Sudan’s continued presence on the State Sponsors of Terrorism list.

ropesgray.com ATTORNEY ADVERTISING

SSR will be revoked came on the same day that multiple news outlets reported that the Trump administration plans to take the potentially significant, though unpredictable, step of decertifying Iran’s compliance with the Joint Comprehensive Plan of Action. The prospect of short-notice policy changes underscores the importance of remaining abreast of changes to U.S. sanctions regulations, and of communicating those changes to relevant personnel. Relatedly, the revocation of the SSR will necessitate re-review of internal policies and procedures, as well as template contract provisions, to ensure that those documents reflect the current status of U.S. economic sanctions.

D. Continuing Evolution of Sanctions as a Foreign Policy Tool

The pending revocation of the SSR is reflective of a broader trend across U.S. sanctions policy. In today’s geopolitical climate—in which military options appear, at least at times, to present an undesirable or wholly unacceptable level of risk—the use of sanctions as a foreign policy tool is increasingly attractive. At the same time, the U.S. government is continually rethinking and refining how its sanctions programs affect targeted parties and U.S. commercial interests. Currently, there appears to be an emerging consensus in favor of targeted sanctions, which restrict certain categories of transactions and/or transactions with designated parties, as opposed to broad country-based sanctions. While the trend in favor of more targeted sanctions undoubtedly presents increased opportunities for U.S. companies, those opportunities also carry compliance costs. From a compliance perspective, it generally is less costly to implement and enforce a broad prohibition against conducting business in a particular country or region than to analyze, on a case-by-case basis, whether a prospective transaction is prohibited by more targeted—and, increasingly technical—U.S. sanctions.
It is too early to assess whether the revocation of the SSR will mark a significant turning point away from broad country-based sanctions. At the very least, however, OFAC is unlikely to reverse course soon with respect to Sudan, as OFAC must demonstrate that sanctions relief can be real in order to preserve the bite of existing (and future) sanctions as a tool for influencing desired policy outcomes.

IV. Conclusion

While the revocation of the SSR will present new business opportunities for some U.S. companies, such opportunities still present numerous potential pitfalls. More generally, the decision to revoke the SSR marks another step in an emerging—but, at times, circuitous—trend away from broad, country-based sanctions. While this trend implicitly suggests increased commercial opportunities for U.S. companies, companies would be wise to evaluate those potential opportunities in light of the costs of complying with U.S. sanctions regulations that are increasingly complex and evolving with remarkable frequency.

This alert should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This alert is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. © 2017 Ropes & Gray LLP

LATIN AMERICA ALERT

Anti-Corruption / International Risk

August 17, 2016

Mexico Enacts a Sweeping New Anti-Corruption Regime, Accompanied by a Public Apology from President Peña Nieto and Increased Attention on Mexico’s Energy Sector by U.S. Regulators

Attorneys: David Peet, Kim Nemirow, Nicholas Berg

After an aggressive grassroots campaign, Mexican President Enrique Peña Nieto recently announced the enactment of sweeping changes to Mexico’s anti-corruption regime. The new law is a significant step toward transparency in a country that consistently ranks among the most corrupt in the region and the world. Almost as noteworthy, President Peña Nieto publicly apologized for his own involvement in a conflict-of-interest scandal that has plagued his administration for years.

The New Legislation in Mexico

The new legislation was originally proposed in early 2016 to the Mexican legislature through a unique citizen petition process primarily aimed at increasing transparency of public sector officials. More commonly known as the “three of three” proposal, this original legislation would have required three separate stakeholder groups—public officials, close relatives of public officials, and any individual or entity that is the beneficiary of a government contract—to publicly disclose three pieces of personal information: (1) an accounting of their personal assets, (2) certain tax information, and (3) an accounting of their economic and beneficial interests. Ultimately, the Mexican government stopped short of adopting the “three of three” proposal in full. Specifically, the new law does not require recipients of government contracts to disclose personal assets, tax information or economic interests. It also allows public officials to withhold information “whose publication may affect privacy or personal data protected by the Constitution.”

While some of the transparency provisions of the legislation were pared back, the new law goes beyond transparency to enhance the Mexican anti-corruption regime more broadly. For the first time, the new law creates an independent anti-corruption prosecutor. It also creates whistleblower protections for individuals and implements methods to enhance cooperation across federal, state, and municipal enforcement authorities as well as with the U.S. government and other international regulators.

The regulations, which will come into effect on July 19, 2017, also provide for significant criminal and administrative sanctions for private parties and legal entities that are found to have engaged in bribery, collusion in public bid procedures, influence peddling, wrongful use of public resources, or wrongful recruitment of ex public servants, among other acts. Individuals face sanctions of up to twice the amount of the acquired benefits (or if no tangible benefit, around $600,000 USD), temporary ineligibility to participate in procurement, leases, services or state-owned projects for a period ranging from three months to eight years, and compensatory and/or punitive damages. Legal entities face similar sanctions—up to twice the amount of the benefit (and up to $6 million USD if no monetary benefit)—and could be deemed ineligible to participate in procurement, leases, services or state-owned projects for up to 10 years. Entities could also be subject to suspension of activities for a period ranging from three months to three years, partnership dissolution, and compensatory and/or punitive damages. Along with the new penalties, the new regulations provide for some partial defenses for entities and persons charged with violating the

law. For example, legal authorities will give credit for the existence of a current compliance or integrity program that includes effective reporting and whistleblower protection tools. Entities may also receive credit for self-reporting misconduct and collaborating with government investigations, and a person who has committed a serious administrative offense can confess and fully and continuously cooperate with authorities in exchange for a reduction of 50-70% of the total amount of his or her sanction.

President Peña Nieto’s Public Apology

In an unprecedented step, Peña Nieto issued a public apology, during the press conference announcing the legal reforms, for the distraction of an ongoing conflict-of-interest scandal that has plagued his administration for nearly two years. Beginning in November 2014, Mexican media outlets started reporting that a major government contractor had sold a luxurious, seven-bedroom home valued at $7 million to Peña Nieto’s wife, first lady Angélica Rivera. The contractor who designed and sold the home to Rivera, Grupo Higa, had been part of a consortium of companies who won a multibillion-dollar infrastructure contract during Peña Nieto’s presidency. What is more, one of the contractor’s chief executives was a close friend of Peña Nieto. Rivera and Peña Nieto maintained that the purchase of the home was legitimate, and a government-sponsored investigation found no evidence of wrongdoing on the part of either member of the first family. However, during his press conference, Peña Nieto apologized for the effect the controversy had on public perception of his administration, though he maintains that he had not broken any laws and that combatting corruption would continue to be a principal goal of his administration.

As evidenced by the promulgated legislation and Peña Nieto’s own words during the signing of these regulations, corruption is a key area of focus both for the Peña Nieto administration and the government watchdogs that were responsible for the grassroots effort to mobilize the Mexican legislature.

Continued U.S. Enforcement of Conduct in Mexico: Key Energy Settlement

The changes to Mexico’s anti-corruption enforcement regime occur at the same time that regulators in the U.S. have again demonstrated that corruption in Mexico remains an enforcement priority. On August 11, 2016, the U.S. Securities and Exchange Commission announced that Key Energy Services, Inc., a Houston-based energy company, would pay $5 million USD in disgorgement for violations of the internal controls and books-and-records provisions of the Foreign Corrupt Practices Act. The Commission explained that its investigation yielded evidence that Key Energy’s Mexican subsidiary had made payments to an employee at Pemex, Mexico’s state-owned oil company, in order to induce the employee to provide information that would benefit Key Energy while negotiating contracts with Pemex. Key Energy paid the Pemex employee through a third-party consulting firm and recorded the payments as legitimate business expenses in the records of the Mexican subsidiary.

The Key Energy settlement and recent changes in Mexican law prove that the “state of play” regarding interactions with government officials in Mexico is shifting, becoming increasingly fraught with risk. Given this reality, companies should consider how their past or future conduct may make its way into the public sphere and monitor the practical application of these new laws on the day-to-day operations of their businesses. For example, companies doing business in Mexico can protect themselves by ensuring they perform comprehensive, risk-based due diligence on engaged and prospective third parties, training and educating their employees on the risks associated with doing business in Mexico, and examining the company’s internal controls to ensure that the company has properly accounted for its funds, its presence in the country, and any interactions with government officials.

For more information please feel free to contact a member of Ropes & Gray’s leading anti-corruption and international risk team.

This alert should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This alert is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. © 2016 Ropes & Gray LLP

ALERT

Latin America

September 28, 2016

Top 10 Anti-Corruption Red Flags In Latin America

Attorneys: Nicholas M. Berg, G. David Rojas

Latin American countries continue to be a source of potentially lucrative investment opportunities for U.S. and multinational corporations. At the same time, operating in Latin America may present corruption-related challenges under the U.S. Foreign Corrupt Practices Act.1 Identifying corruption under the FCPA, however, is often not as easy as catching culprits in a red-handed exchange involving envelopes teeming with cash. Rather, symptoms of these issues are often identified through commonly observed violations of the FCPA’s books-and-records and internal-controls provisions.2

This article highlights 10 red flags related to the FCPA’s accounting provisions, as well as enforcement actions undertaken by the U.S. Securities and Exchange Commission and U.S. Department of Justice for conduct occurring in the region. Although these red flags are not exhaustive, they may help serve as a guide to evaluating risk under the FCPA while operating in high-risk Latin American markets.

Books-and-Records Red Flags

First, we have identified five common warning signs related to the FCPA’s books-and-records provision. The books-and-records provision requires companies to “make and keep books, records, and accounts” that “accurately and fairly” reflect its transactions and to “devise and maintain a system of internal accounting controls.”3 There are several ways in which companies may come up short:

1. Inadequate Supporting Documentation

Problematic recordkeeping is a common red flag for potential FCPA accounting violations. One key to maintaining proper books and records is ensuring that transactions are supported by complete documentation.

There is a wide spectrum of issues that may be encountered with supporting documentation for transactions. Sometimes, it is as simple as incomplete forms. In other instances, companies may make large payments that are supposedly “consulting fees” without attaching documents that show work was done. This potential violation may also involve vendor documents, such as invoices or bills of lading, where the address used was fake, a residential home, or simply vacant.

1 While the primary focus of this article is on investigations or enforcement actions by the U.S. Securities and Exchange Commission (“SEC”) or the U.S. Department of Justice (“DOJ”), governments in Latin America seem to have also ramped up their own anti-corruption laws and efforts. Many, if not all, of the areas addressed by this article are being identified as anti-corruption issues in local Latin American investigations and enforcement actions. In addition, these considerations are not just important in terms of evaluating FCPA risk; issues in any of these areas may also be indicative of exposure to fraud or other types of accounting misconduct.

2 Specifically, in addition to prohibiting the payment of bribes, the FCPA requires companies to (1) “make and keep books, records, and accounts” that “accurately and fairly” reflect its transactions and (2) “devise and maintain a system of internal accounting controls.” 15 U.S.C. § 78dd-1, et seq. Another prominent anti-corruption statute, the UK Bribery Act, does not have explicit provisions on books and records and internal controls, but does offer an “adequate [compliance] procedures” defense to liability. See UK Bribery Act 2010 c. 23, § 7.

3 “Recordkeeping and Internal Controls Provisions Section 13(b) of the Securities Exchange Act of 1934,” United States Securities and Exchange Commission, May 28, 2003, https://www.sec.gov/spotlight/fcpa/fcpa-recordkeeping.pdf.

These types of violations appear to be on the government’s radar, as shown by recent enforcement actions involving instances where improper payments were disguised as legitimate transactions using inadequate or falsified supporting documentation. Last August, Vicente E. Garcia, a former software executive, pleaded guilty to conspiracy to violate the FCPA for allegedly using “sham contracts” and “false invoices” to disguise bribes to Panamanian officials.4

2. Misreporting Payments

A second way for noncompliant employees to pass off improper payments as legitimate is by mischaracterizing or misreporting transactions. Transactions recorded in cost accounts which are not product-related (e.g., commissions, employee advances, travel and entertainment, marketing or “other”) may be analyzed to identify such transgressions. Improper payments may be misclassified under such accounts.

This warning signal seems to appear often in Latin America-focused actions by government agencies. For example, former top executives at brokerage firm Direct Access Partners, who were charged by the SEC and DOJ in April 2014, had disguised reimbursements for bribes paid to an executive at a state-owned Venezuelan bank out of their and other employees’ personal funds.5

Executives at aerospace corporation Embraer SA similarly concealed bribes to a Dominican official by booking them as consulting fees in a separate transaction that never happened. These executives now face criminal charges by the Brazilian government, at the same time that Embraer is subject to an ongoing investigation in the United States.6

Another example of this issue can be found in a March 2016 settlement between the SEC and Novartis AG for $25 million.7 Novartis’ subsidiary allegedly made improper payments to induce foreign officials to prescribe or recommend Novartis products, which were then falsely recorded as legitimate selling and marketing costs in its books.

3. Transactions Lacking a Business Purpose

Another method for making potentially improper payments is the provision of benefits to nonemployees without a legitimate business purpose. This may include holiday gifts, extravagant entertainment, travel expenses for family members, or even extended visits or tours added on to “business trips.” In order to win government contracts, Dallas Airmotive Inc., an aircraft engine service provider, allegedly provided Latin American officials with vacations and other benefits and faced a $14 million criminal penalty.8

In fact, one need look no further than Operation Car Wash, the largest corruption scandal in Brazil’s history — and perhaps the largest bribery scandal in modern times.9 Officials at Brazil’s state-owned oil company, Petrobras, allegedly received inappropriate or extravagant gifts and inappropriate benefits of all kinds, from Rolex watches to $3,000 bottles of wine, and from yachts to prostitutes.10

4 http://www.sec.gov/news/pressrelease/2015-165.html; http://www.justice.gov/opa/pr/former-executive-pleads-guilty-conspiring-bribe-panamanian-officials

5 http://www.justice.gov/opa/pr/2014/April/14-crm-381.html; https://www.sec.gov/News/PressRelease/Detail/PressRelease/1370541487258#.U0x32cd2eou

6 http://www.wsj.com/articles/brazil-files-bribery-charges-in-embraer-aircraft-sale-to-dominican-republic-1411502236.

7 https://www.sec.gov/litigation/admin/2016/34-77431.pdf

8 http://www.justice.gov/opa/pr/dallas-airmotive-inc-admits-foreign-corrupt-practices-act-violations-and-agrees-pay-14.

9 Donna Bowater, “Brazil's continuing corruption problem,” BBC.com, September 16, 2015, http://www.bbc.com/news/business-34255590.

10 http://www.nytimes.com/2015/08/09/business/international/effects-of-petrobras-scandal-leave-brazilians-lamenting-a-lost-dream.html; http://www.wsj.com/articles/brazils-petrobras-reports-nearly-17-billion-impairment-on-assets-corruption-1429744336.

4. Off-the-Books Records or Transactions

Companies should also be on the lookout for activity which is “off the books,” a possible indicator that something improper may be hidden. Common examples of this in Latin America are debt that is not recorded on a balance sheet, reconciliations reflecting inflated sales, and fictitious inventory.11 These “off-the-books” transactions can be used to hide improprieties or obscure the actual financial performance of a company.

An example of this misconduct is the December 2010 charge against French telecommunications company Alcatel-Lucent SA for paying bribes to win business in Honduras, Costa Rica and elsewhere. To hide these payments, Alcatel’s subsidiaries allegedly either improperly recorded them as consultant fees or simply left them “undocumented.”12 Alcatel paid more than $137 million in the settlement.

5. Pricing Discrepancies

Large differences in pricing — especially when prices do not match a written agreement — are another sign of potentially improper transactions. Excess funds resulting from large discounts, premium charges, or commissions might be used for bribes.

For example, as Kara Brockmeyer, chief of the SEC Enforcement Division’s FCPA Unit, explained, Garcia, the software executive, “falsified internal approval forms and disguised his bribes as discounts.”13 Similarly, in April 2016, the SEC entered into settlements with seven individuals for their alleged roles in the kickback scheme involving Direct Access Partners described above; the funds for the improper payments were procured in part through large markups and markdowns.14 As the FCPA guide notes, companies should be wary of large commissions provided to sales agents or discounts to distributors.15

Red Flags for Internal-Controls Violations

Beyond simply prohibiting bribes and requiring proper books and records, the FCPA requires that companies devise and maintain a system of internal controls. Below are five potential indications of violations of the FCPA’s internal-controls provision.

6. Override of Internal Controls

Regulators continually emphasize that an effective compliance program is only as strong as the response of and adherence by company management. As Stephen L. Cohen, associate enforcement director of the SEC, urged in October 2013, “A strong compliance and ethics program must start with proper governance, including a tone at the top built on actions rather than words.”16 Internal controls which are ignored by management are meaningless in the eyes of government regulators.

To that end, it is a troubling red flag when management or others override or intentionally circumvent established internal controls. For instance, management might approve manual expense reports without sufficient documentation or change prices for customers outside of a company’s enterprise system. Further, payments may be made outside of

11 https://www.justice.gov/sites/default/files/opa/legacy/2008/12/19/siemens-venezuela-info.pdf

12 https://www.sec.gov/news/press/2010/2010-258.htm.

13 https://www.sec.gov/news/pressrelease/2016-17.html; http://www.sec.gov/news/pressrelease/2015-165.html; http://www.justice.gov/opa/pr/former-executive-pleads-guilty-conspiring-bribe-panamanian-officials.

14 https://www.sec.gov/litigation/litreleases/2016/lr23513.htm; https://www.sec.gov/litigation/complaints/2013/comp-pr2013-84.pdf

15 FCPA Guide, at 22

16 https://www.sec.gov/News/Speech/Detail/Speech/1370539872783

the general ledger system or multiple payments may be made to the same third party which are just below established mandatory review amounts.

It appears that regulators are focused on this red flag, as shown by recent actions and investigations. For example, Embraer’s executives allegedly recorded bribes paid to a middleman as consulting fees in an effort to get around its compliance department, which had originally prevented the full transfer of the bribes.17

7. Inadequate Screening of Third Parties

One key to developing an effective compliance program is implementing controls to ensure proper oversight over third parties, including a third-party due diligence program. Without a program to screen third parties for legitimacy, a company may be paying vendors or agents that pay bribes, circumvent import and export laws, or even do not exist.

A due diligence program should identify whether a prospective third-party business partner does business with or is a government official, in order for a company to understand the level of FCPA risk. The FCPA covers payments to a much broader group than what is customarily considered government officials. For instance, employees of public medical facilities — which are common in Latin America — are considered by SEC and DOJ to be foreign officials.18 Reviewing and categorizing payment recipients to identify employees of state-owned medical facilities in Latin America are important ways for a company to oversee its third-party business partners.

An inadequate due diligence program can have substantial FCPA risks. According to Brockmeyer, a company cannot “possess[] a ‘check the box’ mentality when it [comes] to third-party due diligence” or “simply rely on paper-thin assurances by employees, distributors, or customers.”19

8. Failure to Internally Assess Compliance Programs

A core aspect of developing a comprehensive system of effective anti-corruption internal controls and policies is a risk assessment to determine whether the controls are adequate.20 Many of the FCPA issues identified in this article occurred not because companies lacked good policies on paper but, rather, because the companies’ employees or third-party partners did not have an awareness of, and an emphasis and structure to ensure, FCPA compliance.

An internal-control failure could subject a company to substantial financial consequences. Tyson Foods Inc. entered into a multimillion-dollar settlement in 2011 for, according to the SEC, its “lax system of internal controls that failed to detect or prevent” illegal payments to government-employed inspection veterinarians in Mexico.21 Financial consequences may involve not only direct penalties, but also requirements to implement extensive new compliance initiatives and years of engaging a third party to act as a compliance monitor.

9. An Inadequate Internal Audit Program

A rigorous self-monitoring program, including a robust internal audit function, is a crucial part of a system of effective internal accounting controls. A company’s internal audit team should test transactions and supporting documentation, and follow up on negative findings. In order to be equipped to address anti-corruption risks, a company’s internal audit team should be trained on the FCPA and other applicable anti-corruption laws.

17 http://www.wsj.com/articles/brazil-files-bribery-charges-in-embraer-aircraft-sale-to-dominican-republic-1411502236

18 FCPA Guide, at 20 (https://www.justice.gov/sites/default/files/criminal-fraud/legacy/2015/01/16/guide.pdf)

19 http://www.sec.gov/News/PressRelease/Detail/PressRelease/1365171487116

20 FCPA Guide, at 58–59.

21 https://www.sec.gov/news/press/2011/2011-42.htm

The importance of self-monitoring is underscored by statements from the SEC. Brockmeyer has emphasized the importance of implementing internal controls to stop patterns of illegal payments to win business in Latin America and elsewhere, including detecting improper payments and gifts.22 It is important for companies to maintain an adequate internal audit function to detect and remediate corruption-related risks and issues.

10. Use of Shell Companies

Companies subject to the FCPA should also be wary of the use of shell companies by their Latin American subsidiaries. Shell companies can be another tool to facilitate “off-the-books” transactions, a red flag described above, which can include payments to foreign officials.

The recently released “Panama Papers” have turned a spotlight on this issue by providing examples of individuals, governments, and corporations (including ones in Latin America) using shell companies to hide assets from tax and regulatory authorities. While analysis of these documents is ongoing, to date more than 10 million released records from the Panamanian law firm Mossack Fonseca name over 200,000 anonymous offshore companies around the globe.23 Given the reality of conducting business in Latin America, it may be prudent for a corporation subject to the FCPA to require information on the beneficial owners of third parties to whom payments are made, depending on the type of company and its interactions with other third parties.

It is clear that the U.S. government takes these risks seriously. One of the Direct Access executives who pleaded guilty allegedly paid kickbacks to a shell entity controlled by the Venezuelan official.24 Likewise, Terra Telecommunications Corp. paid almost $1 million to shell companies to be used for improper payments to officials at Haiti’s state-owned telecommunications company, leading to convictions of Terra’s former executives.25

Conclusion

The FCPA mandates that companies maintain accurate books and records and a robust system of internal accounting controls. While not as attention-grabbing as the anti-bribery provision, a company’s failure to deal with these 10 red flags could be a signal of — or result in — FCPA violations in Latin America and beyond. Even in the absence of charges related to the anti-bribery provision, the U.S. government continues to investigate and prosecute companies and individuals for violations of the accounting provisions of the FCPA as a result of their operations in Latin America.26

Given the region’s history and current risk profile, companies seeking to take advantage of business opportunities in Latin America should ensure they develop accounting processes and controls designed to reduce corruption-related risk and to identify and prevent red flags under the FCPA.

Rajal Dubal is a director in AlixPartners' financial advisory services practice in New York. Adam Tymowski is a director in AlixPartners’ financial advisory services practice in Chicago. Nicholas Berg is a partner and David Rojas is an associate in Ropes & Gray’s Chicago office.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

22 http://www.sec.gov/News/PressRelease/Detail/PressRelease/1370541453075

23 http://www.fcpablog.com/blog/2016/4/5/panama-papers-who-are-the-winners-now.html

24 https://www.sec.gov/News/PressRelease/Detail/PressRelease/1370541487258

25 http://www.justice.gov/opa/pr/executive-sentenced-15-years-prison-scheme-bribe-officials-state-owned-telecommunications

26 See, e.g., https://www.sec.gov/litigation/admin/2016/34-77057.pdf; https://www.sec.gov/news/pressrelease/2016-17.html.

Republished with permission from Law360.

This alert should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This alert is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. © 2017 Ropes & Gray LLP

December 20, 2016

Update on the Anti-Corruption Landscape in Mexico

After an aggressive grassroots campaign, in mid-2016, the Mexican government signaled substantial progress in its fight against corruption when it adopted a new anti-corruption program. The new legislation promised increased transparency and accountability of public officials and energized the international community about Mexico’s commitment to fight its long-standing corruption problems. Since enactment, however, progress towards implementing the provisions of the new law has slowed, leaving many questions about its future unanswered.

Anti-Corruption Regime in Mexico

Mexico’s anti-corruption enforcement regime (the “National Anti-Corruption System”) was approved by President Peña Nieto on July 18, 2016. The National Anti-Corruption System, which will come into effect on July 19, 2017, provides for severe sanctions against individuals and entities that are found to have engaged in bribery, collusion, and influence peddling, among other acts. For instance, individuals face sanctions of up to twice the amount of the acquired benefits, temporary ineligibility to participate in procurement, leases, services or state-owned projects, and compensatory and/or punitive damages. Legal entities face similar sanctions—up to twice the amount of the benefit—and could be deemed ineligible to participate in the aforementioned projects for up to 10 years. Entities could also be subject to suspension of activities, partnership dissolution, and compensatory and/or punitive damages. The National Anti-Corruption System offers partial defenses, such as the existence of a current compliance or integrity program that includes effective reporting and whistleblower protection tools. Entities may also receive credit for self-reporting misconduct and collaborating with government investigations.
Along with the promulgation of stringent sanctions, the National Anti-Corruption System also created the role of independent anti-corruption prosecutor—the first of its type in Mexico’s history—to operate independently of the Mexican government. Importantly, the National Anti-Corruption System is designed to enhance cooperation across federal, state, and municipal enforcement authorities and foreign authorities including the U.S. government. Although the enforcement regime provides much-needed transparency for a country riddled with corruption, we have yet to see the National Anti-Corruption System in action. Since its adoption nearly five months ago, there has been very little progress in establishing the framework needed to effectively implement the key provisions. In fact, the Mexican government has yet to even appoint the anti-corruption prosecutor. Recent developments could further exacerbate the period of stagnation.

Obstacles to Enforcement

In September 2016, President Peña Nieto’s approval rating fell to an all-time low of 22% amidst reports that citizens were unhappy with his failure to fight crime, drug trafficking, corruption, and poverty. President Peña Nieto was harshly criticized for his decision to meet with Donald Trump in the summer of 2016 due to the threats Trump made towards Mexico throughout his campaign. Without the backing of his countrymen, President Peña Nieto may lack the necessary support in the legislature to roll out an effective National Anti-Corruption System next July.

Donald Trump’s election could further complicate the potential effectiveness of the National Anti-Corruption System. As President-elect Trump’s inauguration nears, the media continues to speculate about his immediate impact. For example, Mexico’s economic outlook may turn squarely on the resolution of the North American Free Trade Agreement (“NAFTA”).
Trump has publicly stated his intent to “tear up” or drastically alter the current version of NAFTA, which was signed in 1994 and permits free trade between Canada, Mexico, and the U.S. Due to the fact that 80% of Mexican exports are purchased by the U.S., any change to NAFTA will impact Mexico’s economy. Despite his many public statements about NAFTA, many believe that Trump is using the NAFTA threats to pressure Mexico into accepting tariffs on certain products to spur relocation within American borders of manufacturing facilities owned by American companies. Practically speaking, a cooling-off period is likely to occur before any drastic measures are taken.

The U.S. and Mexico share common interests in improving cross-border relations and promoting economic growth, which will require ingenuity and compromise. One step in the right direction is Mexico’s enactment of the National Anti-Corruption System. The U.S. economy will certainly share in the benefits of a less corrupt infrastructure in Mexico. Nevertheless, it will require a significant amount of resources to enforce the stringent measures detailed above. Amidst the never-ending flow of speculation, the outlook for an effective anti-corruption regime in Mexico is uncertain.


March 30, 2017

A Judicial Reinterpretation of the Brazilian Constitution’s Right to Health Care

In recent years, there has been a spike in right-to-health litigation in Brazil wherein citizens seek court orders mandating that certain medications be dispensed through the public health system (Sistema Único de Saúde—“SUS”). Now a ubiquitous term, the “judicialization of health care” (“judicialização da saúde”) is often considered to be a last resort for citizens when the state fails to meet their needs. The critical issue is that patients have been using free legal assistance and a responsive judiciary to procure costly drugs and treatments that are not included on the list of pre-approved drugs and treatments covered by the SUS. Consequently, the SUS is required to fund high-cost drugs that meet the needs of a small group of people, but are not necessarily of broader use to the collective citizenry. Furthermore, many court-backed judicial determinations that mandate the provision of certain drugs may contradict administrative policies and challenge cost-cutting governmental efforts.

Given the increasingly dire state of the Brazilian economy, there are concerns over the budgetary burden imposed on the SUS by judicial procurement. In the near future, Brazil’s Federal Supreme Court (Supremo Tribunal Federal—“STF”) will be voting on whether the SUS should cover high-cost drugs not included on government formularies. If the judiciary reinterprets the constitutional right to health care and limits its scope, there could be broad implications for the demand for non-formulary drugs.

The Judicialization of Health Care

The 1988 Brazilian Constitution declared health a “right of all persons and the duty of the State,” which prompted the creation of the SUS, extending health coverage to all citizens. The Constitution underscored the autonomy of the judiciary from the government, which established the public defender’s offices to give the indigent access to the justice system.
The right to medication as part of the constitutional right to health stems from the passage of a landmark law in 1996 establishing free universal access to antiretroviral therapies for HIV-infected individuals, as well as from Ministry of Health policies and a 2000 ruling by the STF. The federal, state and municipal governments are responsible for purchasing and distributing SUS medicines according to specific drug formularies. In general, the formularies comprise generic drugs bought in bulk in a tax-exempt, competitive bidding process. The federal government is responsible for financing higher cost and more complex treatments (i.e., “exceptional medicines”), while the states oversee the distribution of these federally subsidized treatments. The state governments provide intermediate-cost and medium-complexity treatments (i.e., “special medicines”) that do not appear on the federal or municipal formularies. The municipal governments cover low-cost “basic” drugs that are dispensed at local public pharmacies.

There are three broad categories of requests from Brazilian citizens who rely on judicial procurement to obtain medication. The first category encompasses patients who seek an out-of-stock product that is already on the SUS formularies list. The second category includes patients who seek products that have yet to be approved by the National Health Surveillance Agency (Agencia Nacional da Vigilancia Sanitaria—“Anvisa”), which is responsible for the regulation and approval of pharmaceutical drugs. Because federal law prohibits the supply of medicine that is not authorized by Anvisa, neither the SUS nor health insurance companies will readily supply a drug that has yet to be registered with the agency. However, if a judge determines that no other therapeutic alternative is available for a plaintiff, the court may grant an injunction to access medicine not yet cleared by Anvisa. The third category comprises patients who search for drugs that have been approved for sale in Brazil by Anvisa, but are not yet included on the SUS list. The high costs resulting from the judicialization of health care are generally attributed to this last group.

When a citizen is granted an injunction, the government deposits money in the plaintiff’s account to pay for the medication. These transfers are commonly referred to as “deposits to judicial accounts.” The purchase of a court-granted medication occurs two to five days after the injunction is granted, and generally involves brand-name drugs not included on SUS pharmaceutical distribution lists. This short time frame thus forces the state to buy from the market on a case-by-case basis, which eliminates price competition and results in inflated drug prices. The occurrence of “deposits to judicial accounts” increased 227% from 2012 to 2015, leading to the distribution of $440 million reais (approximately USD $143 million).

Intermediary Role of the Judiciary

There is consensus among public administrators that the judiciary is overstepping its role by promoting the judicialization of health care. The district and appellate judges who preside over the lawsuits in question have given broad deference to physicians’ prescriptions and individual circumstances, which undermines state efforts to rationalize pharmaceutical use and curb high spending. Furthermore, the judges’ limited technical expertise and lack of understanding of the SUS’s drugs selection process pose significant administrative and economic challenges.

The judicial procurement of medicine frequently overlooks and contradicts established public health policies. For example, generic drugs were approved in Brazil in 1999 under Law n. 9.787/1999, which instructed that the government give preference to generic drugs. However, in reality, court-backed judicial determinations often grant injunctions for brand-name drugs, which are not likely to be available yet in generic form.
By distributing drugs that have not yet been approved by Anvisa, courts also challenge the agency’s role in regulating efficacious and safe pharmaceutical drugs. Courts often fail to enforce the Ministry of Health’s guidelines for treatment criteria that mandate independent expert opinions and reviews of new medical evidence. Critics recommend that if this practice continues, the courts should demand expert assessment of the safety and efficacy of off-list medications or drugs not registered for sale in the country before ruling for or against their provision for individual plaintiffs.

In September 2016, the eleven judges of the STF—the “ministers”—were slated to vote on whether the government should pay for high-cost drugs and treatments not included on government formularies. Ultimately, only three ministers voted in September, as one minister, Teori Zavascki, requested to delay the vote. Zavascki later died in an airplane accident in January 2017, and the vote was never rescheduled among the remaining ministers. On February 22, 2017, the Senate approved interim President Michel Temer’s nomination to replace Zavascki, Alexandre de Moraes. Although a rescheduling of the vote on the judicialization of health care has not yet been announced, many observers predict that it will occur within the year.

Paradigm Shift Implications

A vote by the STF to prohibit the SUS from paying for high-cost drugs and treatments excluded from government formularies could result in more limited access to specialty pharmaceuticals for Brazilian citizens. However, the practice of seeking medication through judicial procurement likely will not cease, as citizens will continue to file lawsuits to obtain out-of-stock drugs that are already registered with the SUS. Thus, as part of any consideration of whether to pay for specialty pharmaceuticals, the SUS should consider the need to regularly incorporate new medicines into its public distribution lists.
If the SUS decides to include new medicines more frequently, pharmaceutical marketing efforts may shift to formulary access discussions. For their part, pharmaceutical manufacturers should closely monitor the judicial procurement system in Brazil and be mindful of the dynamics involved in formulary placement in this complicated market.
