In the first edition of our review of 2021 within the confines of commercial law developments, we wrote about the record levels of deal activity that was ongoing in light of the favourable business environment, despite the challenges posed by the still-ongoing COVID-19 pandemic. Low interest rates and a yet-healthy business environment allowed for high numbers of transactions, We also wrote about ongoing trends in private equity, including the growing trend for private equity firms to list publicly. In other developments, Jerome Powell was re-nominated for a second term at the Federal Reserve. He was instrumental in the adoption of expansionary monetary policy that helped stabilise markets and the economy – this policy has however been criticised on the account of promoting high levels of inflation. While 2021 saw continued growth in emerging markets, it also saw significant concerns about the state of the global/regional economy after China imposed deleveraging reforms to control its highly inflated property market, which contributes to 20% of China’s GDP and has led to highly inflated property prices in many large Chinese cities. This deleveraging led to significant financial concerns and default concerns amongst the Evergrande Group, one of the largest property developers in the world. In this section, we will explore the updates to the antitrust, regulation & taxation and dispute resolution components of the corporate world.
Regulators take a more positive view of antitrust action
In the world of antitrust actions, regulators, especially guided by high levels of fines (both in term of quantum and number) in the European Union, have increasingly taken a more active approach towards filing antitrust actions against potential mergers. In the U.S, vertical mergers have increasingly attracted oversight from regulators under the Biden administration. These have typically been subject to less oversight in the past due to efficiency considerations. However, the Department of Justice in September 2021 issued a statement saying that it was commencing a review of the vertical merger guidelines to ‘prevent harmful mergers’, after the Federal Trade Commission (FTC) had also voted amongst themselves to withdraw from the 2020 Guidelines for vertical mergers. These 2020 guidelines originated before the commencement of the current Presidential administration of President Biden. It can additionally be reasonably expected that the U.S. will commence more antitrust actions and enforcement, especially with Biden’s appointment of Jonathan Kanter, who was reported by the New York Times as being “a longtime antitrust lawyer” and “a Critic of Big Tech”, as the “top antitrust official at the Justice Department”.
In October 2021, the Competition and Mergers Authority (CMA) fined Facebook due to their having breached an enforcement order issued in June 2020. Facebook had been looking to purchase Giphy, a GIF repository and service, but was obligated by an Initial Enforcement Order to continue competing with Giphy and avoid integrating the services of the two companies. Facebook was obliged to provide updates regarding this process to the CMA, but failed to do so fully and appropriately, and was thus fined to the tune of more than 50 million pounds. This shows further the rising interest of the authorities in policing and managing vertical mergers – this was the first time the authorities had issued a fine like this for failure to adequately report, and the authorities, especially in the EU, have increased enforcement activity in recent years.
One of the biggest antitrust stories of the year was also in the field of technology – with the seminal lawsuit between Epic and Apple. Epic claimed that Apple was engaging in anti-competitive practices by not allowing other companies to create their own app stores or to even provide alternative modes of payment, leading to monopolisation and allowing Apple to charge high fees for apps on the stores. Epic was looking to set up an app store of its own. While Apple was ruled for on most counts, the judge in the matter found that Apple had violated competition law by not allowing developers to link customers to alternative payment methods, which meant many services had forbidden payments on iOS, not wanting to lose the hefty fees Apple charged for Apple Store payments. This lawsuit was heavily watched, and Apple was even recently blocked from delaying their implementation of the judge’s ruling. With growing vertical integration of services and ecosystems, especially in the tech ecosystem where this is much more possible to do, governments and regulators will certainly have much to do in the future to prevent rising anti-competitive practices.
A Global Minimum Tax Heralds in a New Era of Competition – or does it?
The U.S. and several countries around the world, including several OECD states, worked together to herald in sweeping changes to the global tax system, with 136 countries signing a taxation agreement which would impose a global minimum tax on 136 countries of 15%. These countries, comprising 90% of the global economy, desired to reduce tax inversion and re-incorporation practices that lead to a reduction of national income for governments around the world, reducing the ability for governments to afford stronger programs for their citizens at home. The Tax Observatory, located within the European Union, launched a series of estimates of the impacts of the policies adopted as a result of the new global minimum tax.
The European Union would especially profit, with corporate income increasing by about 25% yearly, while the U.S. and developing countries would see revenue gains too, but smaller (and significantly so, in the case of developing countries) as compared to the E.U. While there are exemptions in the minimum tax policy that allow some measure of avoidance, these do not massively impact incomes and countries still stand to profit from the implementation of this global minimum tax. Perhaps counter-intuitively, some tax havens such as Ireland, Hungary and Estonia (as cited by the BBC) have agreed to join the plan, perhaps due to other diplomatic incentives or the perceived risk of diplomatic and economic isolation and regulation.
The cybersecurity and data protection worlds see more regulation, yet more reason for worry
The biggest news in the end of 2020 and the early part of 2021 with relation to cybersecurity was the fallout from the SolarWinds cyberattack, which was organised by a state-backed group with links to the Russian Federation. The cyberattack had targeted a platform that was operated and created by SolarWinds, using said platform to launch a large-scale cyberattack on the American government and supranational organisations such as NATO and the European Union. The attack was probably the largest cyberattack in history. It demonstrated the potential of so-called ‘upstream’ attacks that targeted companies like SolarWinds, which through its Orion proprietary data management system supported and provided systems that were used by companies worldwide as well as other organisations, including the above-mentioned organisations and states.
A number of major vulnerabilities also arose in 2021, including the Log4Shell vulnerability, which was from an open-source logging tool, Log4j, that was a Java library which allowed for the logging of events in any computer program. Until patches were issued, it provided for an easy method for hackers to infiltrate internal networks and intranets. It would allow hackers access to a stunning array of classified and confidential information, including military and other governmental information. While quick fixes were issued upon the discovery of the bug, updating many enterprise systems which rely on this bug will take much longer. The discovery of this bug also prompted a broader discussion about the use of open-source software in enterprise software, due to the open nature of the code and the potential that hackers might be best able to exploit this software due to open access to the code. However, the consensus in the programming community appears to still favour open-source libraries such as Log4j.The fact that they are open source does not just increase access, but reduces vulnerabilities which are much more able to be spotted by security researchers as opposed to hackers who have infiltrated the company’s servers to obtain the code.
In the field of data protection, a key international development was the continuing growth of the data protection law in China and Hong Kong. Hong Kong, which already had personal data protection laws and has since 1996, has seen a steady expansion of these laws, much as other jurisdictions in the region, such as Singapore, have seen. In 2021, Hong Kong acted to prevent the revealing of others’ personal information (“doxing”) and to standardise their data privacy legislation with international data privacy legislation. China also introduced data security legislation, with a focus on Chinese national security and introducing regulations based on the classification accorded to any group of information.
In one of the other key international developments of the year, Irish regulators fined WhatsApp €225m in September for violating the European Union’s General Data Protection Regulations (GDPR). This was due to a lack of transparency and other violations of the regulations that affected WhatsApp’s global userbase. This demonstrated the growing willingness of regulators to impose large fines and penalties on companies that violated the GDPR, especially due to the EU’s growing use of revenue percentages to determine fines on companies and their quanta. While WhatsApp did describe the penalty as “disproportionate”, it remains to be seen if countries continue to have the appetite to pose increasing fines on companies that violate data privacy guidelines. Further, the question remains of whether European data protection principles will eventually be adopted by other countries, which may place less value on data privacy as compared to the EU. Given that the EU fines are based on global rather than EU turnover, if other countries standardise to match the sort of fines the EU accords, it may raise issues of fairness to the companies involved and issues of jeopardy
All in all, a revolutionary year – what will 2022 bring?
All in all, 2021 has been an important year commercially, even despite the ongoing COVID-19 pandemic. 2022 is expected to bring a litany of developments in these spaces, especially with the increase in cyberattacks due to the ongoing Russia-Ukrainian conflict. The rise in the use of state-sponsored cyberattacks, especially with the U.S. having accused Russia of effectively staging a false flag attack, will also likely bring important developments in the space of cybersecurity and data protection.
Oxford Analytica. (2020). Fallout of SolarWinds hack could last for years. Emerald Expert Briefings (oxan-es)
Ducklin, P. (2021, December 29). Log4Shell explained – how it works, why you need to know, and how to fix it. Naked Security. Retrieved from https://nakedsecurity.sophos.com/2021/12/13/log4shell-explained-how-it-works-why-you-need-to-know-and-how-to-fix-it/
Hong Kong e-Legislation. (2021). Cap. 486 Personal Data (Privacy) Ordinance
Skadden. (2021). China’s New Data Security and Personal Information Protection Laws: What They Mean for Multinational Companies. Skadden.
Data Guidance. (2021). EU: WhatsApp requests CJEU to annul €225M fine. OneTrust.