
What to expect in 2021 – One In-Houser perspective

If you think 2020 was a challenging year for Legal Departments and the In-House Counsel, i.e.
the In-Houser, of a Multinational Company (MNC), think again. 2020 has brought an
interruption to our supply chains, a patchwork of regulations on lock downs, shut downs,
occupancy restrictions, movement restrictions and limits on gatherings. It has forced companies
to transition their workforce to living rooms and kitchen tables. 2020 has definitely redefined the
definition of multitasking. In addition to doodling while talking on the phone, we now know how
to run a load of laundry while troubleshooting internet issues while helping an 8th grader with an
Algebra problem while letting the dog out…. while trying to be a productive participant of a
Zoom call with a client. Now that we have mastered the mystery of the mute button and explored
the vast array of virtual backgrounds, we are ready to conquer 2021. Or… are we?
Here is a sampler of challenges that lie ahead and that the In-Houser crowd will need to address
in 2021:
1. Privacy, Privacy, Privacy
For years, we have been dealing with a complex hodge-podge of industry-specific regulations
addressing communications, credit and financial information, health information or online
marketing. By now, we are all familiar with an alphabet soup of privacy regulations: GDPR,
CCPA, CPRA, ePrivacy Directive, CPI, HIPAA. We have studied the regulations, implemented
internal policies, drafted protocols for managing personal data and amended our contract forms.
We thought we were done. Not so fast.
First, rumor has it that the long-awaited federal privacy law may be on the horizon. It may not
happen overnight, but chances are that the Biden administration will be more receptive to a
uniform data protection regulation and more stringent regulation of Big Tech. While the
concept is great, it will mean re-writing those very same policies and contractual clauses to
comply with the new law.
Then, there is a maze of various laws around cybersecurity, data and/or network security, breach
notification regulations, etc. that we need to be familiar with. The requirements vary from state
to state and are at various stages of implementation. It is fun to keep up with them if your
company does business in all 50 States.
If you happen to do business in Europe, you will need to pay even more attention to the
legislative privacy landscape. Europe’s data privacy laws are an ever-changing masterpiece of
over-engineered patchwork of legislations (their word, not mine). For the purpose of this
challenge list, let me just mention a few buzzwords: Brexit, ePrivacy Directive, Bye Bye to the
Privacy Shield. Now that the U.K. is out of the Union, it is time to designate a supervisory
authority in another country. Will it be Ireland? We should also review the cross-border data
transfer agreements to make sure the flow of data between the UK and the European Union is still
adequately addressed. For those relying on the subscription to a program called EU-US Privacy
Shield, it is time to revisit the basis for data transfers between the United States and the EU. The
EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data
protection requirements when transferring personal data from the European Union to the United
States.

Contrary to popular belief, the Privacy and Electronic Communications Directive (the ePrivacy
Directive) is not just about cookies. It covers electronic communications and the right of
confidentiality, data/privacy protection and more. Although it is not an official “law” but a
directive to implement pertinent laws – it, nevertheless, adds another wrinkle in the privacy and
data protection realm. Because it addresses a very broadly defined “electronic communications”,
it touches on every aspect of corporate business. From website to the network, from telephone to
messaging apps, from spam to online advertising, from the internet to the Internet of Things, the ePrivacy
Directive regulates corporate communications and affects the way a company operates in
Europe. For an MNC, it may mean that some of your company-wide marketing initiatives or
global communications will need to be fine-tuned to make sure the data protection requirements
have been complied with.

2. We are from the Government and we are here to help.


Back in the USA, if your company wants to do business with the federal government you are in
for a real treat. You need to expand your horizons to now become fluent in CMMC, DFARS, and
“Section 889 Compliance”, just to name a few. Section 889 refers to a section in the sweeping
John S. McCain National Defense Authorization Act for Fiscal Year 2019 (NDAA) that impacts
federal contracts and procurement. This section in particular prohibits the federal government
from directly procuring “any equipment, system or service that uses covered telecommunications
equipment or services as a substantial or essential component of any system, or as critical
technology as a part of any system […]” or “entering into a contract with any entity that uses
such covered telecommunications equipment or services.”1
So the In-Houser will now need to inspect the Company’s equipment to make sure none of it is on
the banned equipment list which includes, for example, equipment made by Chinese suppliers
such as Huawei or ZTE (looking at you, CCTV cameras or network routers).

3. China
Speaking of China, if you do business with and/or in China, as most multinational companies do,
2021 will be another interesting year. If you endeavor to keep your company’s trade secrets,
well… secret, you may be disappointed. I think it is about time we all accepted the fact that the
Chinese Communist Party (CCP) through its various tentacles, knows who you are, where you
are and what you do. In this context, In-Housers will need to stay abreast of the various
mechanisms the Chinese Government is using to monitor and control the flow of data from/to
and within China.

1 https://www.congress.gov/bill/115th-congress/house-bill/5515/text
It could be that there is malware embedded in invoicing software that all companies (foreign
and domestic) are required to use to pay Value-Added Tax, as was the case with the
“GoldenHelper”, a virus intended to penetrate corporate networks and access information.2
It could be the requirement to use WeChat (a government-controlled messaging application) to do
all your banking, social media posting and communication.
It could be China’s new, not so new, Corporate Social Credit System aimed at assessing
a company’s regulatory compliance.3 All companies doing business in China are being monitored
and rated based on their records of compliance with governmental regulations, tax and corporate
filings. The Chinese government is using advanced technologies to collect a vast array of data, both
personal and potentially sensitive information as well as company data. The aggressive
collection may cause significant risks in the areas of data privacy, business operations and
personal liability of directors/officers, especially if they happen to be US nationals. I am not sure
if there is anything one can do to prevent this data collection and monitoring but it pays to be
aware of the rules and new developments.

4. COVID-19
The In-Houser will certainly continue to deal with COVID-19 and its impact on business
operations. There is the nagging question when to return to the office, whether to require testing
and how far the accommodations should go. Since most airlines now require proof of a
negative COVID-19 test prior to returning to the US (international travel), companies may need
to update their travel policies and address the issue of associates being stuck abroad due to a
positive test result and quarantine requirements.
In-Housers will most likely need to spend hours researching the complicated laws around
vaccinations. While the COVID-19 vaccines may be the long-awaited panacea – in our world,
they translate into a mysterious, untested, unregulated legal nightmare. We will need to address
whether vaccines should be required, whether they can be administered on (employer’s) site and
whether asking the screening questions will violate HIPAA. Considerations will need to be given
to exemptions, including refusing to get the vaccination because of one’s sincerely held religious
beliefs. And probably most importantly, what do we do with the population that is not vaccinated?
Separate? Segregate? Discriminate? You see where I am going with this.
Lastly, let me just mention an occasional gem that some employers may need to deal with from
time to time. It may or may not involve a PR nightmare. Hypothetically, an employee decides to
join the mob and storm the nation’s Capitol. He or she decides to share pictures and videos on
social media and brag about it publicly. Most likely the In-Houser will be dealing with
questions such as to fire or not to fire and how soon is soon enough!

2 https://www.jdsupra.com/legalnews/chinese-tax-software-contains-malware-20977/
3 https://blogs.thomsonreuters.com/answerson/china-corporate-social-credit-system/
