Deadlines for Objecting to Proposed Tariffs

According to the United States Trade Representative (USTR), U.S. companies and individuals will have until May 22nd to voice objections to President Trumps’ proposed 25% tariffs on some 1,300 foreign goods.  In general, products subject to this retaliation against China fall within the sectors of aerospace, information and communication technology, robotics and machinery.  (Left off the list are retail mainstays such a mobile phones and clothing, items that might provoke a U.S. consumer backlash.)  

Important dates are as follows:

  • April 23 - due date for filing all requests to appear and to submit a summary of testimony to be presented at the public hearing; it is also the date for filing pre-hearing submissions
  • May 11  - due date for submission of written comments
  • May 15 - date of the 10 a.m. public hearing to be held at US International Trade Commission, 500 E. Street SW, Washington, D.C., 20436.
  • May 22 -  due date for rebuttal comments following the May 15 hearing

Note: USTR strongly prefers electronic submissions made through the Federal eRulemaking Portal: Instructions for submitting comments in sections F and G can be found at this link. The docket number is USTR-2018-0005. 

On April 3, 2018, the United States Trade Representative published a proposed tariff retaliation list.  This follows just a few weeks after the USTR’s March 22nd release of its Section 301 Report detailing findings regarding Chinese acts, policies, and practices related to technology transfer, innovation and intellectual property. The 301 Fact Sheet states that  “the United States is committed to rebalancing the U.S.-China trade relationship to achieve more fair and reciprocal trade. After years of U.S.-China dialogues that produced minimal results and commitments that China did not honor, the United States is taking action to confront China over its state-led, market-distorting forced technology transfers, intellectual property practices, and cyber intrusions of U.S. commercial networks.” 

The complete list of products that could be subject to a 25% tariff is included in the annex to the 301 Report

Since the April 3 USTR tariff list was published, China responded by publishing its own list of products it may subject to increased tariffs if President Trump moves forward.  These items include agricultural commodities such as soybeans as well as exports such as autos, aircraft, and chemicals.  In response, Trump has threatened to slap additional tariffs on more goods, stating that he might consider whether an additional “100 billion in tariffs might be appropriate.” 

Suzanne DeCuir

The GDPR: A Broad-Reaching Game Changer

Passed by the European Union on April 26, 2016, the General Data Protection Regulation (GDPR) is set to take effect on May 25, 2018. Replacing the 1995 Data Protection Directive, the GDPR contains key changes that affect businesses throughout the world, including U.S. companies. Understanding these new regulations is essential to maintaining compliance and avoiding harsh penalties.

The GDPR is an EU regulation concerning data privacy. In the United States, data privacy laws tend to be segmented to specific fields (FERPA, HIPPA, etc.). However, the European Union considers data privacy to be a fundamental human right and thus applies data privacy laws consistently across the board. The main purpose of this regulation is to protect “personal data” in European Union member countries or countries where “personal data” originating in the EU is stored, processed or retained. This is important as it greatly expands who is regulated in comparison to its predecessor directive. 

In this context, personal data is defined as “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address”. Note that the inclusion of information as simple as email addresses, login-information, or computer IP addresses means that the GDPR can apply to many U.S. corporations simply through the course of normal business activities.

Companies are specifically required to comply with the GDPR if they fit any of three specific criteria. The GDPR applies to any company that maintains an “establishment” in an EU member nation, whether or not data collection or processing occurs there. Establishment generally means “any real and effective activity – even a minimal one” through “stable arrangements” in the EU. Secondly, the GDPR applies “where the processing activities are related to offering goods or services to data subjects in the Union.” This provision even includes goods and services that are free. Moreover, the bar to “offering goods” is low and can be as simple as the specific language, shipping options, or currencies being that of an EU member. Lastly, the GDPR applies to a company “if it processes the personal data of data subjects in the EU and that processing is related to the ‘monitoring’ in the EU of the ‘behavior’ of data subjects as their behavior takes place within the EU”. In this context, “monitoring” includes the use of cookies and other information frequently used by advertisers to track and recommend products to consumers.

The GDPR can alternatively come into force against U.S. corporations who do not collect data but instead import/export data from the EU. Under the GDPR, in language mostly unchanged from the 1995 directive, data can only be exported to countries that are deemed to have equivalent or stronger data protection laws than the EU. However, the U.S. is not considered one of these countries and U.S. corporations must be able provide adequate assurances that data will be handled in accordance with the GDPR. An exception to this is U.S. companies under the authority of the Federal Trade Commission or Department of Transportation that have signed on to the 2016 EU-U.S. Privacy Shield framework. The Privacy Shield, the successor of the Safe Harbor Program struck down in 2015 after the Edward Snowden leaks, allows companies that self-certify compliance to receive EU personal data as if they were in a country approved by the commission. Companies that are unable or do not wish to join the Privacy Shield program have alternatives. The European Commission allows companies to use pre-approved standard contractual clauses, binding corporate rules, or codes of conduct that have been approved by the European Commission or independent state supervisory authorities. Importantly, companies are not only responsible for their own exports and compliance but also for any “onward transfers” and the compliance of any company down the chain.While companies can share data protected by the GDPR, they must ensure that said company or their contract meets the criteria above.

Knowing these broad categories for which a U.S. company can be subject to the GDPR, examining what must be met for compliance is essential. Penalties for the GDPR are extreme, failure to comply can result in fines of up to 4% of global revenue or 20,000,000 euros, whichever is greater, and direct liability to anyone impacted by mishandled data.

The GDPR has two different sets of requirements depending on a company’s classification as either a data “controller” or data “processor”. A data controller “acting alone or together with others, determines the purposes and means of the processing of personal data.” A data processor “processes personal data on behalf of the controller”. While not all encompassing, important requirements for data controllers include:  establishing when privacy notices are required, including insufficiency of pre-checked boxes which are common practice in the U.S; placing restrictions on choosing data processor; establishing data breach notification timelines and individual rights; recordkeeping; and appointing a data protection officer. This differs slightly for data processors who have regulations on issues such as data breach notification, data security, recordkeeping, and subprocessing, but not many of the restrictions concerning privacy and the actual notices themselves.

The GDPR updates EU data protection laws to provide a far-reaching jurisdictional range. The data protected includes many data types commonly used by US businesses. Act now, before May 25th, and review the specific controller or data processor regulatory requirements if you believe that your business falls under the GDPR’s authority.

Max Krauskopf

State/DDTC Posts Beta Version of "Part 130 Decision Tool"

The U.S. State Department's Directorate of Defense Trade Controls (DDTC) posts a beta version of its "Part 130 Decision Tree" here. The beta version is available for evaluation until COB on December 2, 2013. DDTC requests that all questions and comments be forwarded to the DDTC Response Team at  (subject line:  DDTC Part 130 Decision Tool Feedback) or at  (202) 663-1282.

DDTC Updates DS-2032 Statement of Registration Form


 Effective October 25, 2013, a new version of the DS-2032 Statement of Registration  form goes into effect. The U.S. Department of State Directorate of Defense Trade Controls (DDTC) will not accept older versions of the form if submitted after the effective date. DDTC provides on its website that DS-2032  may be submitted either electronically (via EFS), by registered mail, or express mail until December 31, 2013; effective January 1, 2014 only electronic submissions will be permitted.

The new version of the form includes several modifications, such as the ability for U.S. persons to consolidate manufacturer/exporter/broker registrations; updates to the International Traffic in Arms Regulations (ITAR) U.S. Munitions List (USML) categories; disclosure of intermediate through ultimate parents; a certification regarding debarred or subsequently reinstated parties; a certification on violations involving any U.S. criminal statutes; as well as clarification on foreign ownership.