Cyber insurance and the silent revolution in Brazil

Cyber risks – intensified by the expansion of home working due to the Covid-19 pandemic countermeasures – are one of the most serious worldwide threats nowadays. That doesn’t mean the risks themselves are new, but the sophistication and range of modern cyber attacks foretell a dire future. According to Cybersecurity Ventures, the cost of cyber crime is expected to reach a whopping $6trn per year by 2021. Continue reading “Cyber insurance and the silent revolution in Brazil”

Key considerations for foreign investors in the Indian insurance market

With over fifty insurers today, aggregate premiums of approximately $82.8bn in the financial year 2019, and insurance penetration levels in 2018 of 3.70% (compared to a global average of 6.09%), India is an exciting insurance market, offering growth opportunities for international investors. However, foreign direct investment (FDI) caps and other regulatory issues have meant that international investors are required to set up local joint ventures that need to take into account a number of regulatory considerations. This article sets out the key regulatory issues in India from an international investor perspective. Continue reading “Key considerations for foreign investors in the Indian insurance market”

China effectively strengthens fight against malicious trade marks

A focus for Chinese trademark law and practice in recent years has
been strengthening the fight against malicious trademarks. On 1 November 2019, the amended Trademark Law of the People’s Republic of China (the Trademark Law) was officially implemented, in which Article 4 primarily embodies China’s determination to strengthen the fight against malicious trademarks and significantly lowers the threshold for fighting against them, while also serving as the latest weapon in the country’s crackdown. Continue reading “China effectively strengthens fight against malicious trade marks”

Personal Data Protection Bill, 2019 – practical challenges for stakeholders

The Supreme Court of India has recognised the right to privacy as a fundamental right, which is intrinsic to life, personal liberty and is inseparable from human existence. To codify this right, to put in place a robust regime for data protection, and to safeguard against encroachments on privacy by state and non-state actors, the government has formulated a draft Personal Data Protection Bill 2019 (PDP Bill), which is largely inspired by the EU General Data Protection Regulation. Continue reading “Personal Data Protection Bill, 2019 – practical challenges for stakeholders”

Climate change – litigation and liability risks for companies, D&Os and insurers on the rise

In retrospect, the year 2019 will likely be seen as a turning point in the combat of climate change. With Friday for Future as pace maker, for the first time in history, there is a globally-aligned political movement including countries on every continent urging for immediate and robust action against climate change. Pressure on legislators is increasing to take more drastic measures with the European Union and Ursula von der Leyen’s ‘European Green New Deal’ setting the scene for the coming comprehensive rebuilding of economies, moving away from the age of fossil fuel to a new green model building on renewable energies. The Commission’s goal is to put Europe on a new path of sustainable and inclusive growth, with an overall target of being the first continent to reach net zero by 2050. At the heart of the Green New Deal is a proposal to mobilise €1trn of investment and a just transition mechanism, with direct funding of €7.5bn directed towards regions which have the greatest reliance upon carbon-intensive industries. In the coming years the Commission will formulate wide-reaching policy and regulation in the areas of energy, industry, transportation, building, agriculture and biodiversity. The fight against climate change, with the aim to cut global warming at maximum 2°C above pre-industrial levels by 2100 and achieve only a 1.5°C rise, will not be won against the economy and will depend on massive investments into new technology. It is also clear that new regulations will be adopted where market mechanisms may be perceived as ineffective or too slow.

Hitting the charts of business risks

Climate change is beyond doubt the greatest single threat to the future of mankind. Given the environmental and political developments, it is thus no surprise that climate change risks have also been climbing the ladders of business risk rankings and have become a mandatory c-suite issue for company leaders to consider and implement in their risk management and business strategies. For example, climate change now, eventually, made the top ten (number seven) in the global Allianz Risk Barometer. While that may still appear as an underestimation, when considering the interrelatedness with many of the other top-ranked risks including business interruption and supply chain risks (number two), regulatory changes (number three), natural catastrophes (number four) and reputation (number eight), the comprehensive impact of climate change risks on companies is more than evident.

Often, the impact of global warming on rising sea levels and climate extremes dominates risk discussions. And quite rightly, this is where everybody can see and feel climate change accelerating. However, moving into 2020 and beyond, companies, their directors and officers will increasingly need to also respond to regulatory, litigation and liability risks. In some industries, such as the energy and automotive sector, fundamental change has been on the way for a few years, but is still picking up speed. Beyond these most directly impacted sectors, companies across all sectors will need to assess how climate change risks and new legislation will impact the way they are running their business.

Climate change litigation

Pressure is on legislators to take more drastic decisions at an increased pace. This pressure is not only political but is also coming from the courts. According to recent statistics (cf. climatecasechart.com), there are meanwhile more than 1,600 cases pending with the courts worldwide. Not surprisingly, the US continues to be the litigation hot spot accounting for more than 1,300 of these cases. Other noteworthy jurisdictions are Australia, Canada, the European Union and the UK.

Actions against governments

Most of these actions continue to be cases brought against governments. While the debate continues whether the courts are an appropriate mechanism to address climate change and, while plaintiffs have seen set-backs (such as recently in the Juliana v US [2020] case where the Ninth Circuit Appeal Court dismissed the claims for governmental action to regulate carbon dioxide pollution for perceived lack of power to order the US government to adopt a national remedial plan to phase out fossil fuel emissions), other cases have seen spectacular success. Especially, the landmark final ruling in the Dutch Urgenda case on 20 December 2019 obliging the government to cut carbon dioxide emissions by at least 25% by the end of 2020 (compared to 1990 levels) is seen as a playbook for similar actions. The decision was based on the European Convention on the Protection of Human Rights and Fundamental Freedoms, namely the right to life, and the right to respect for private and family life. More such rights-based legal arguments will come before courts in 2020 and, for instance, a similar constitutional action was just recently filed before the German Federal Constitutional Court. Even if not many of the governmental cases are successful, together with the necessary further implementation of the Paris Agreement and other international and national plans for action, company leaders need to anticipate that more regulation will come at a higher speed in the future and will need to anticipate what that means for the business in good time and to take respective actions.

Actions against companies

The risk of litigation is by no means confined to governments. The cases brought in public law are now accompanied by an extensive body of civil litigation against private entities. In the US and Europe a number of influential climate liability cases have been started with the intention of defining new duties and standards of care for carbon-emitting businesses and, eventually, their investors, financiers, insurers, advisers, customers and clients. For obvious reasons, climate liability litigation is also being closely watched by the insurance industry. Liability insurers may be impacted in several classes, most obviously under general liability, product liability and environmental liability policies.

For example, in the US, a number of lawsuits has been filed by several municipalities and one state against the oil industry, seeking damages under common law tort theories for the financial consequences of climate change. The thrust of the allegations is that, from 1965, the oil industry defendants: extracted a substantial percentage of the world’s raw fossil fuel; caused a quantifiable percentage of global fossil fuel-related CO2 emissions; wrongfully promoted their fossil fuel products; concealed known hazards associated with the use of those products; championed anti-regulation and anti-science campaigns; and failed to pursue the less hazardous alternatives which were or might, with further investment, have been available. The complaints are not made under federal environmental law but under the common law and, in some cases, codified state law, including public nuisance, private nuisance, product liability, negligence and trespass. The substantive issues at stake in the cases break new ground. The plaintiffs’ central allegation is that oil is a defective product which has caused greenhouse gas emissions and contributed to man-made climate change.

Climate liability litigation is, however, not uniquely an American phenomenon. One of the leading climate liability cases has been brought in Germany by a Peruvian farmer against the energy company RWE (Lliuya v RWE AG [2015]). The claimant alleges that a lake threatens to overflow as the result of glacial retreat, creating a risk of flooding to his home. He seeks to hold RWE responsible for its part in man-made global warming and claims a contribution towards the €3.5m cost of draining the lake. The claim is similar to the US litigation in that it seeks to establish a causal relationship between RWE’s emissions and the risk of physical damage. As the claimant asserts that RWE was responsible for 0.47% of global greenhouse gas emissions over the last 250 years, he seeks damages of €17,000 to represent a contribution of 0.47% towards the cost of draining the lake. While the first instance court dismissed the action, in February 2018, the Higher Regional Court of Hamm on appeal made an order that the claim should proceed to the evidence stage.

Financial disclosures

Climate change risks are, in a broader context, part of corporate social responsibility and companies’ environmental, social and governance (ESG) strategies. In this context, rating agencies are taking climate risk – and other ESG metrics – seriously, warning of lower credit ratings for carbon-intensive companies, or steeper borrowing costs for municipal bond issuers that fail to take climate resilience measures. In addition, investors are revisiting their investment policies and are also pressing for decision-useful climate-related financial disclosures. BlackRock has joined forces with Climate Action 100+, bringing the financial clout of this investor initiative to a total of $41trn under management, nearly 40% of the world’s publicly traded stock. Its chair and CEO Larry Fink in his annual letter to chief executives wrote ‘I believe we are on the edge of a fundamental reshaping of finance’ noting that ‘climate change has become a defining factor in companies’ long-term prospects’. Less publicised, Ping An, China’s largest insurer also joined Climate Action 100+ and has followed EU and US (re)insurers in adopting a non-coal underwriting and investment policy.

A number of jurisdictions have been reporting requirements relating to climate change. In 2010, the US Securities and Exchange Commission (SEC) issued interpretive guidance to public companies regarding its existing disclosure requirements as applied to climate change. The European Commission has for example addressed the methodology for non-financial reporting in its respective non-binding guidelines on non-financial reporting (2017/C 215/01). In particular, the framework for climate-related financial disclosures introduced by the Financial Stability Board’s Taskforce on Climate-related Financial Disclosures (TCFD) in June 2017 will very likely see increased implementation. Although currently still voluntary, governments such as the UK are considering introducing obligations for large asset owners to disclose climate risks in line with TCFD recommendations. A number of companies have started on a ‘TCFD journey’ taking the view that risks are best understood and managed before such disclosures become compulsory.

At the same time, climate change disclosures have started to materialise as the subject of more claims against companies and their directors and officers, and the impact is being felt by insurers under directors and officers (D&O) policies. Climate change has become an important board-level issue, and corporations themselves as well as their directors and officers may be held accountable if disclosures are not adequate. Increasing interest in this area by investors, regulators and the plaintiffs’ bar, and the recent decision in the putative securities class action pending in the Northern District of Texas, Ramirez v ExxonMobil Corp, suggest that an increase in these types of claims could now be on the horizon. Plaintiff firms will continue to test various claims and theories of liability, as they did with tobacco, asbestos and other mass tort claims. They have taken a particular interest in climate change disclosures by companies in the energy sector, but they are also looking closely at other areas such as mining, transportation and insurance.

Outlook

Climate change-driven regulation and litigation is on the rise. And the claims arise on a global scale with claimants seeking to shop for the forum that appears best suited to develop liability theories. It is thus no coincidence that Mr Lliuya’s claim is brought against RWE in Germany although there would have been other available defendants and forums. Climate liability litigation will not, therefore, be limited to the courts of the jurisdiction in which the alleged damage occurred. Companies are at risk of litigation in the courts of any country where they conduct business and subject to that country’s laws.

The increase in climate change litigation is also fuelled by advancements in climate attribution science. A growing body of science around the attribution of extreme weather events may encourage a greater number of cases brought by individual claimants. The same is true of causation theories. Plaintiffs in the US rely on collective liability theories which have been tried and tested in other environmental lawsuits such as the MTBE litigation. The theory of contribution-based causation put forward in the RWE case is, in principal, well established under German law in other cases and also not dissimilar to the approach taken by the English appellate courts in employers’ liability asbestos claims.

Accordingly, companies and insurers need to expect that the prospect of successful claims will improve with time: the greater the number of cases, the higher the probability that one will succeed. Political policy changes to zero carbon growth, related technological improvements and new industries taking the lead play their part: once society is less dependent on fossil fuels, it will be a less daunting prospect for a judge or jury to hold that oil is a defective product or that its consumption amounts to a violation of fundamental rights.

Climate change liability risks also extend to other commercial sectors beyond the fossil fuels industries. While they are the easiest targets for the first round of claims, if and once legal theories gain acceptance, plaintiff lawyers will likely extend their activities to sectors, notably manufacturing, transportation, construction and, last but not least, agriculture and those who finance, advise and support those sectors. And beyond that, with the increasing demand on climate risk-related disclosures, pretty much any company could become subject to scrutiny by regulators and investors. In civil law countries, directors and officers themselves may be held liable by their own companies for failing to comply with the duty of care if they do not sufficiently take climate change risks into account in revisiting and amending business strategies.

Naturally, climate liability litigation will thus also affect the insurance industry across various business lines. So far, policies typically do not address climate change risk expressly so it will become increasingly important for insurers to understand their ‘silent climate change risks’ and to manage their exposures. Underwriters will need to stay on top of the changing risk profiles of particular sectors and jurisdictions. Wordings teams should reflect on the adequacy of existing wordings and the boundaries of existing products. Claims handlers will also face new challenges with claims often following new or re-formulated theories, being of an international nature and having cross-border implications and with policy language, such as occurrence wordings, aggregation issues or exclusions for deliberate conduct or pollution, being largely untested in relation to climate change liability claims.

As we are setting off in the 2020s, the world is at a crucial point in time. Sustainable change is required now to avoid the most disastrous consequences of climate change. As policymakers, investors, claimants and others are increasing the pressure, it is now the time for companies across all industries to revisit their business models and to make sure that climate change related-risks, both retrospective and future, are adequately dealt with as it is certain that these risks will remain at the top of the charts for a long time.

Cancellation of tax certificates, the newest measure against tax avoidance

On 1 January 2020, new regulations came into force as a consequence of several amendments published in the Mexican Official Gazette on 9 December 2019.

Among these regulations, the legislative branch introduced new powers to the Federal Tax Code under which the tax authorities will be entitled to restrict, and eventually cancel, the tax certificates used by the taxpayers to issue deductible tax receipts.

The objective of this legislative decision is to broaden the legal spectrum on which the tax authorities will be able to obstruct the billing cycle of companies, as this has proven effective in compelling taxpayers to regularise their tax situation.

However, some of the new powers introduced into tax law could be very dangerous for companies and may become an instrument for some inexcusable abuses from the tax authorities.

Background

Since 2014, the tax authorities in Mexico were entitled to cancel the certificates used by the companies to issue tax receipts in four scenarios: (i) the omission of three or more tax returns; (ii) the disappearance of the taxpayer during an administrative enforcement proceeding or tax audit; (iii) simulation or false operations detected during a tax audit or (iv) infringements relating to the Federal Taxpayer,s Registry, tax returns or accounting records.

Back then, the tax authorities were able to cancel the tax certificates unilaterally, without any previous procedure, and the taxpayers were obliged to request a new tax certificate, with prior demonstration that the supposed irregularity noted by the tax authorities was already offset.

As a consequence of several objections regarding the lack of legal framework to avoid the cancellation of tax certificates, in January 2020 a new procedure was introduced. Under this procedure, the tax certificate can still be used while the taxpayer tries to demonstrate before the tax authorities that the supposed irregularities did not take place.

In that sense, the taxpayer has now the opportunity to defend itself before the tax authorities, prior the cancellation of its tax certificate. However, once such procedure ends, the tax certificate gets cancelled and the taxpayer is compelled to litigate against the invalidation of its tax certificate before the tax courts, being unable, in the meantime, to issue tax receipts during the trial.

Approach to the problem

The new regulation has some serious implications because, although the taxpayer will have the opportunity to explain or refute the irregularity observed during an explanatory procedure, once such procedure concludes, if the tax authorities did not agree with the taxpayer’s arguments, it will have to litigate its case before the tax courts with no possibility to continue issuing tax receipts.

Under these circumstances, some taxpayers could be unable to carry on any further judicial procedure against the invalidation of their tax certificates, as their activity will be completely paralysed as a consequence of the impossibility of issuing tax receipts.

Therefore, the measure under analysis could make it virtually impossible to prosecute the tax authorities for the potential illegal cancellation of a tax certificate.

New scenarios

The situation gets worse if we consider that, in the newest modifications to the Mexican Federal Tax Code, the legislative branch included several new potential scenarios in which the tax authority can restrict, and eventually cancel, the certificates used by taxpayers to issue tax receipts.

The new scenarios are: (i) the issuance of a negative resolution of a procedure to determine the non-existence of operations for tax purposes; (ii) the designation of an incorrect tax domicile; (iii) discrepancies between tax returns and tax receipts; (iv) the designation of false or incorrect contact data and (v) the improper transmission of tax losses.

Consequently, it is almost certain that the cancellation of tax certificates will increase as a measure to fight improper conduct by taxpayers.

The collateral damage will be that several taxpayers could receive illegal resolutions determining some of these new irregularities, and they will be obliged to fight such illegal resolutions before the tax courts with no possibility to continue issuing, in the meantime, tax receipts.

These circumstances could seriously affect the taxpayer’s right to an effective defence, as they will be unable to continue their billing cycle during the whole judicial process.

Conclusions and remedies

Traditionally, the tax courts have considered that no precautionary measure was appropriate against the cancelation of a tax certificate, as a consequence of the importance of fighting tax avoidance.

However, given the gradual increase in cases in which the tax authority can invalidate a tax certificate it would be valuable to reconsider such stance, as precautionary measures against illegal resolutions issued by the tax authorities could become very important to guarantee the taxpayer’s right to a legal defence (given the fact that, a taxpayer who cannot issue tax receipts could be unable to prosecute all the corresponding legal actions before the tax court).

Additionally, given the serious implications of the cancellation of tax certificates, taxpayers and their legal advisers should be very scrupulous during the explanatory procedure against the temporary restriction of a tax certificate because, as said before, it will be the only chance to demonstrate the illegality of the observations of the tax authority, prior to the cancellation of the tax certificate.

Finally, in case of any contingency derived from the cancellation of a tax certificate, constitutional measures such as an amparo lawsuit should be considered, although – once again – the main problem will be the difficulty of enduring the whole constitutional process with no possibility of issuing tax receipts.

Therefore, in this case, the taxpayer’s right to an effective legal defence rests, fundamentally, in the willingness of the courts to grant precautionary measures against potentially illegal resolutions issued by the tax authorities.

The top three data protection law topics in Japan

In Japan, the Act on the Protection of Personal Information (APPI) is the primary law that regulates data protection issues. In this article, we will cover a few significant recent amendments to the APPI, including one currently under consideration, while also touching on the new guidelines issued by the Japan Fair Trade Commission (JFTC) last year, which highlight an intersection of the APPI and Japanese competition law, as well as the increasing significance of personal data in M&A transactions.

2015 amendments to the APPI

The APPI was enacted in 2003 and went through its first major amendment in 2015 (the 2015 amendment). In accordance with the 2015 amendment, the Personal Information Protection Commission (PPC) was established as the supervisory governmental organisation for privacy protection on 1 January 2016, and since then the agency has issued a number of administrative guidelines concerning the APPI. The 2015 amendment was fully enforced in 2017, which led to another noteworthy development with regard to the APPI. The European Commission (EC) recognised the APPI as having an adequate level of data protection by GDPR standards in 2019. This adequacy decision by EC was met with open arms by Japanese companies as it would allow for data transfers from EEA to Japan without additional safeguard measures.

2020 Amendment to the APPI

On 10 March 2020, the cabinet submitted a bill to amend the APPI which is expected to be enacted into law in 2020 (the 2020 amendment).

Companies will face more stringent obligations under the 2020 amendment. For example, while the current APPI does not stipulate any reporting obligation on data breach, there will be a legal obligation to report certain data breaches after the reform. The penalties for violating orders issued by the PPC will also be harsher. In its preparation for the 2020 amendment, the PPC, being the agency in charge of this amendment, looked to the GDPR for guidance as it viewed the GDPR as the global standard for data protection, and it was important for the APPI to have an adequate level of data protections by the GDPR standard.

Although companies outside of Japan will be required to be compliant with APPI after the enforcement of the amendment, there are currently a substantial number of cases where companies outside of Japan do not appropriately process personal information of individuals within the country. Companies, including those non-compliant companies, will definitely need to promptly report to the PPC in the event of data breach taking place outside of Japan. This is because, after the amendment, the PPC will be issuing orders to companies abroad that process personal data of individuals in Japan inappropriately, and will publish those cases on its website.

Digital platform operators and personal information

The JFTC, the primary enforcement agency of the Antimonopoly Act, the main competition law in Japan, published the Guidelines Concerning Abuse of a Superior Bargaining Position in Transaction between Digital Platform Operators and Consumers that Provide Personal Information etc (the Guidelines) on 17 December 2019. An ‘abuse of a superior bargaining position’ is a unilateral conduct prohibited under the Antimonopoly Act, which is analogous to an abuse of dominance. For business operators to be held accountable for the abuse of a superior bargaining position, there needs to be a comparatively superior position vis-à-vis a business operator’s counterpart in the transactions between them, not dominance in the market.

With the aim to clarify and enhance the predictability for digital platform operators as to the enforcement of the Antimonopoly Act, the Guidelines provide a non-exhaustive list of conducts by digital platform operators related to the acquisition or use of personal information which can amount to an abuse of superior bargaining position. Such conducts include acquiring personal information without stating the purpose of use to consumers, acquiring or using personal information against consumers’ intention beyond the scope necessary to achieve said purpose of use, and acquiring or using personal data without taking necessary and appropriate precautions for the safe management of personal information.

As the Guidelines concern issues regulated by the APPI, the PPC issued a statement saying that it would co-operate with the JFTC when it discovers facts that can potentially be deemed as an unfair acquisition or use of personal information by a digital platform operator which holds a superior bargaining position. In return, the PPC requested the JFTC to co-operate when it discovers a potential abuse of a superior bargaining position related to the treatment of personal information so that the PPC can evaluate the relevant facts from its perspective. In response, the JFTC agreed to co-operate with the PPC on the abuse of a superior bargaining position between digital platform operators and consumers providing personal information to the extent necessary.

Data compliance in M&A deals

The Information Commissioner’s Office (ICO), the supervisory authority in the UK, announced its intention to impose a fine of more than £99,200,396 on Marriott International, Inc for its infringements of GDPR last year. It was also revealed by the ICO that Marriott failed to conduct sufficient due diligence in its acquisition of Starwood.

In Japan, this case drew significant attention as Marriott was found to be responsible for the vulnerability of Starwood’s IT system in a cybersecurity incident which took place prior to the acquisition. Through this case, Japanese companies reaffirmed the importance of compliance with personal data protection laws in M&A transactions. In particular, as a purchaser, companies must emphasise the importance of due diligence focused on data protection (DDDP) of their target companies in M&A transactions. The results of DDDP should then be used by the purchasers for not only deciding whether or not to proceed with the M&A transaction and examining the validity of purchase prices but also for establishing action plans to properly process personal information of their target companies post-closing. It is also advisable for the purchasers to consider inserting into their M&A agreements essential clauses such as representations and warranties as well as covenants in order to hedge the risks related to data protection. In practice, however, purchasers cannot always conduct a full DDDP for various reasons such as sellers refusing to disclose all the necessary information about them, the purchasers being unable to bear costs of the DDDP etc. It is therefore advisable for Japanese companies to determine the scope of their DDDP, by prioritising in each individual transaction.

Copyrights to work made for hire under Norwegian law

Intellectual property rights are of increasing importance, and for some companies, their most valuable assets. In fact, among S&P 500 companies, the proportion of the company value attributable to intellectual capital (of which intellectual property rights (IPR) are often the most important) is as high as 87%. Although the importance of intangible assets relative to tangible assets may vary, a thorough understanding of the importance of an efficient intellectual property management policy is valuable for all companies. A central part of any intellectual property policy is the relationship between the company and the persons (actual or legal) who generate the IPR – typically being the company’s employees/consultants and contractors. Continue reading “Copyrights to work made for hire under Norwegian law”

The risk-based approach under the GDPR and Swiss data protection laws

The General Data Protection Regulation (GDPR) and the Revised Swiss Data Protection Act (revised FADP) embrace a risk-based approach to data protection. Organisations that control the processing of personal data (controllers) are encouraged to implement protective measures corresponding to the level of risk of their data processing activities. Continue reading “The risk-based approach under the GDPR and Swiss data protection laws”