Today's General Counsel, February/March 2023

In this issue of our Today’s General Counsel Sonia Cheng and Pierre Faller ask some interesting questions, starting with the title of their article: Do Avatars Have Privacy Rights? The subject is the “metaverse,” a term which is unusual if only because it has become ubiquitous before the thing itself exists. The authors don’t pretend to have definitive answers, but the questions they pose are germane to any legally-oriented inquiry into how an “$800 billion market opportunity poised to become one of the most disruptive technology advancements in history” will be regulated. They look at some issues that are bound to arise, and steps companies can take now to reduce the risks inherent in pursuing opportunities in the digital sphere.

William Curtin and Michael Sabino examine the case of a photography firm that licensed the use of its copyrighted photos to a company that subsequently went bankrupt, and listed the photos as an asset. The asset was sold to a third company, which the courts ruled can use the photos as it pleases without giving rise to an infringement claim. Curtin and Sabino list the ways a licensor can involve itself in a licensee’s bankruptcy to protect its rights.

Patrick Miller’s article describes how model contract clauses can prevent human rights abuses in a company’s supply chain. In the world of antitrust, Jeffery Cross’s column discusses the implications of the proposed total ban on non-competes by the FTC.

Experienced Cyber Incident Response

Cybersecurity incidents are now so prevalent that the question has moved from not if, but when to how many times. Given the pervasiveness, you need a dedicated Cyber Incident Response team on your side to provide:

 Industry insight and actionable steps to take to limit your risk prior to an incident

 The latest strategies for data mining post-incident, including reducing the time and cost to analyze impacted data for PII/PHI

 Post-incident insight to refine your internal data management practices

Learn more about KLDiscovery’s specialized Cyber Incident Response team and how their expertise, purpose-built technology solutions, and tailored workflows can help you with readiness and response.

www.kldiscovery.com/who-we-serve/cyber-incident-response

EXECUTIVE EDITOR

Bruce Rubenstein

EDITOR-IN-CHIEF

Robert Nienhouse

CONSULTING EDITOR

CHIEF OPERATING OFFICER

Stephen Lincoln

DIGITAL EDITOR

David Rubenstein EDITOR

Catherine Lindsey Nienhouse

CONTRIBUTING EDITORS AND WRITERS

Sonia Cheng

Jeffery M. Cross

William Curtin

Pierre Faller

Patrick Miller

Michael Sabino

SUBSCRIPTION

Subscription rate per year: $199 For subscription requests, email subscriptions@todaysgc.com

REPRINTS

For reprint requests, email Lisa Payne lpayne@mossbergco.com Mossberg & Company Inc.

SENIOR EDITOR

Barbara Camm FEATURES EDITOR

Jim Gill

MANAGING DIRECTOR OF CLIENT PARTNERSHIPS & INITIATIVES

Lainie Geary

DATABASE MANAGER

Jessica Bajorinas

ART DIRECTION & PHOTO ILLUSTRATION MPower Ideation, LLC

Patricia McGuinness

Dennis Block GREENBERG TRAURIG, LLP

Thomas Brunner WILEY REIN

Peter Bulmer JACKSON LEWIS

Mark A. Carter DINSMORE & SHOHL

James Christie BLAKE CASSELS & GRAYDON

Adam Cohen FTI CONSULTING

Jeffery Cross FREEBORN & PETERS

Thomas Frederick WINSTON & STRAWN

Jamie Gorelick WILMERHALE

EDITORIAL ADVISORY BOARD

Robert Haig KELLEY DRYE & WARREN

Robert Heim DECHERT

Joel Henning JOEL HENNING & ASSOCIATES

Sheila Hollis DUANE MORRIS

David Katz WACHTELL, LIPTON, ROSEN & KATZ

Steven Kittrell MCGUIREWOODS

Nikiforos latrou WEIRFOULDS

Timothy Malloy MCANDREWS, HELD & MALLOY

Steven Molo MOLOLAMKEN

Thurston Moore HUNTON & WILLIAMS

Robert Profusek

JONES DAY

Art Rosenbloom CHARLES RIVER ASSOCIATES

George Ruttinger CROWELL & MORING

Jonathan S. Sack MORVILLO, ABRAMOWITZ, GRAND, IASON & ANELLO, P.C.

Victor Schwartz SHOOK, HARDY & BACON

Jonathan Schiller BOIES, SCHILLER & FLEXNER

Robert Zahler

PILLSBURY WINTHROP SHAW PITTMAN

All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information or retrieval system, without the written permission of the publisher. Articles published in Today’s General Counsel are not to be construed as legal or professional advice, nor unless otherwise stated are they necessarily the views of a writer’s firm or its clients.

Today’s General Counsel (ISSN 2326-5000) is published ten times per year by Nienhouse Group Inc., 110 N. Wacker Drive, Suite 2500, Chicago, Illinois 60606. Image source: iStockphoto | Copyright © 2023 Nienhouse Group Inc. Email submissions to editor@todaysgc.com or go to our website www.todaysgeneralcounsel.com for more information.

With decades of experience, our subject matter experts and data strategists help businesses and legal teams tap into data – giving them control of the narrative for the best possible outcomes. This starts with an understanding of their needs and objectives through our STEPS™ framework – providing valuable insight into the unknown, the unseen, and the undiscovered. Having this insight gives them the opportunity to make informed decisions that lead to transformative outcomes.

At iDS, we work with our clients to find solutions to their data problems – helping to ensure that their data can be leveraged as an asset and not a liability.

Do Avatars Have Privacy Rights? Regulatory Uncertainty in the Metaverse

The metaverse, estimated to create a nearly $800 billion market opportunity, is poised to become one of the most disruptive technology advancements in history. Companies are clamoring to understand their role and opportunity within this new arena, but as with any disruptive technology or business model, innovation also introduces new areas of risk.

Currently, there are varying views of what the metaverse is and what it means as the next evolution of the internet. Many attempts have

been made to build metaverses. Technology giants and startups alike have implemented strategies to provide the infrastructure that enables metaverses, as well as tools and products that support metaverse experiences. Likewise, consumer brands are exploring opportunities to build their presence and sell goods, services, and various digital assets within the metaverse. Exciting uses are emerging but many unknowns remain. For example, how will these new virtual worlds be connected to the physical world? That question

leads to more specific risk-related considerations, particularly in a data privacy context.

Organizations building metaverses and offering services within them have yet to establish whether the metaverse can provide a safe and secure environment, especially for children. It is unclear whether and how data privacy laws will apply to future metaverse environments, and if the technology will be able to evolve to create a single virtual universe that maintains a unifying legal framework.

These are serious questions for any organization in this space to consider. Delivering the kind of immersive experiences that the metaverse promises will require the collection and processing of personal and sensitive data. There is the possibility that illegal or illicit content may creep in. Organizations will need to establish controls to prevent, identify and control such activity and mitigate the corresponding legal, security and data protection risks.

For example, these environments rely on virtual or augmented reality technologies and artificial intelligence in order to create a truly

Questions to ask when making these decisions include:

• Based on the current regulatory landscape, how are data privacy laws expected to evolve to address the metaverse in the future?

• How will regulators and companies determine which jurisdictions and laws apply to which users?

• In an interoperable, highly connected virtual ecosystem, how will concepts of responsibility be defined? How will consent be given, recorded and revoked?

• Is data localization possible in an environment that is dispersed and distributed around the world? What implications might this have on the transfer of sensitive and personal data across borders?

immersive world. Yet, these technologies often utilize underlying user scoring, labeling and categorization functions that collect and store very specific information (e.g., user behavior, movements, habits and responses) about each person in the environment. Theoretically, this collection of personal and identifying information will be collected not via a form that the user fills out, but rather automatically in the background while users are interacting and transacting in the virtual space.

There is no regulatory precedent for such activities. Until regulation catches up to technological advancement, companies will be playing a guessing game. Legal and privacy teams will need to determine the extent to which privacy principles must be embedded into metaverse projects and other activities involving the use of AI to engage with users in digital environments.

• Is there a need for new laws and methods of protection to address the new categories of information (e.g., avatar identities, physical movements, health data, user behaviors) that will be created and stored as part of metaverse activities?

• What mechanisms are needed to ensure this complex scope of highly sensitive, unique data can be effectively stored, managed and protected?

Even amidst these uncertainties, there are steps companies can take to establish strong privacy standards for metaverse projects and reduce the risks associated with pursuing the many opportunities emerging in the digital sphere. The first step is to clearly define the intended business model for these projects and determine what personal data will be collected in that context — directly and via third parties.

With that baseline, legal and

privacy teams can begin assessing what jurisdictions and existing regulations are likely to apply to those activities. Use cases and the organization’s technological future can then be founded on principles that limit privacy, security, and compliance risks by design, and maximize data protection. One example is the possible tokenization of sensitive data, or storage of it separate from the metaverse itself, so that it can be adequately secured and protected.

The metaverse is an exciting prospect for the future of commerce, connectivity, convenience, entertainment and more, but these virtual experiences are also likely to bring complex legal and regulatory issues in the physical world. Strong technology, organization, privacy, security and strong legal frameworks, all combined with a clear strategy, will be necessary to pursue this innovation responsibly.

Sonia Cheng is Senior Managing Director at FTI Technology. She leads the EMEIA Information Governance Privacy & Security practice and is an expert in Information Governance and GDPR, handling high-stakes regulatory challenges.

Pierre Faller is DPO at Christian Dior Couture. He is involved in the implementation of a privacy governance program at a global level. He is an active member of the International Association of Privacy Professionals, and as co-chair of the Paris KnowledgeNet Chapter, organizes conferences, debates and roundtables in the area of privacy, data protection and governance. He previously served as Privacy Counsel at PayPal.

There is no regulatory precedent for such activities.

IP Consequences of Asset Sales in Bankruptcy

Abankruptcy case of a licensee creates a series of pitfalls that can impact the rights of a licensor of intellectual property (IP).

A recent decision from the Southern District of New York in the In re Old Market Group Holdings Corp, et al. (“Fairway”) bankruptcy underscores this point, highlighting a purchaser’s entitlement to the quiet enjoyment of its acquired assets and the impact this can have on IP counterparties.

Prior to bankruptcy, Fairway entered into a license with Ferguson

and Katzman Photography, Inc. permitting Fairway to use a series of photographs to create non-broadcast media, including advertising displays. Fairway did not have the right to transfer its rights under the license and was simply permitted to reproduce the photographs to create these displays, which were created while the now-expired license was in effect and continuously displayed thereafter.

In bankruptcy, Fairway conducted an auction sale of its assets,

including these displays. Pursuant to the sale order: Fairway’s assets were transferred to Village Super Market, Inc. “free and clear” of claims or interests and no holder of any interest or claim could interfere with Village’s quiet use and enjoyment of the purchased assets. The sale order included a finding that Village has no successor or derivative liability.

The court subsequently confirmed Fairway’s plan of reorganization and approved provisions enjoining parties from interfering with the plan.

Katzman later commenced a district court action alleging Fairway violated the Copyright Act by displaying its photographs post-expiration and transferring the photographs to Village. Katzman further argued that Village was infringing on its copyrights by continuing to display the photographs. Village responded by seeking a bankruptcy court order enforcing the sale order and enjoining Katzman from continuing the district court action.

The bankruptcy court found that Katzman’s intellectual property, as incorporated into the store furnishings, was transferred as part of the sale. Moreover, the court found that Katzman received adequate notice of the sale and plan and therefore had an opportunity to object to both, but failed to do so. The court then found the transfer was not invalidated by the fact that the license was expired at the time of the transfer

were barred by the entry of the sale order.

IMPLICATIONS FOR OWNERS OF INTELLECTUAL PROPERTY

This decision underscores a purchaser’s entitlement to quiet enjoyment of acquired assets, including IP. Although the parties argued about whether the displays constituted derivative works, rights Fairway possessed under the expired license, and which rights survived the sale, the entry of the sale order and the confirmation of the plan were found to have eliminated any recourse the licensor had with respect to pre-closing actions regardless of applicable non-bankruptcy law.

The court reasoned that because the IP was incorporated into the physical assets sold by Fairway, any claims arising out of those assets, including with regard to the photographs, were barred by the sale order. The drastic result is that Village is now permitted to use the photographs in perpetuity.

the transfer of licensed IP and materials containing the licensed IP.

• Rights of the licensee that remain upon the termination of the agreement.

Counterparties who choose to ignore bankruptcy proceedings and fail to object to a sale or chapter 11 plan do so at their peril. Substantial rights can be lost without recourse.

William Curtin is a partner with the Restructuring Group at Sidley. He focuses his practice on corporate reorganization, bankruptcy, bankruptcy litigation and other insolvencyrelated matters. He leverages his experience as a bankruptcy regulator and litigator with the Department of Justice to provide practical solutions in a broad range of complex and high-profile restructuring matters.

and that the sale order stripped Katzman of its right to assert claims related to its IP. As a result, Village was permitted to continue to use all purchased assets, including the store furnishings containing the copyrighted photographs free and clear of any claims.

The court then found that the continued display of Katzman’s photographs did not give rise to new, post-closing infringement claims because the photographs were continuously displayed and open to the public, and the post-closing display related back to any pre-closing claims Katzman may have had, which

Critically, notwithstanding publication notice of the sale and actual notice of the plan’s injunction provision, Katzman did not object. Had Katzman objected, it may have been able to protect its rights. Instead, it seemed determined to adjudicate its claims before a venue of its choosing and to ignore the chapter 11 cases.

This case is a reminder to licensors of the importance of involvement in a licensee’s bankruptcy in order to protect its rights. Licensors of IP should be particularly mindful of how agreements address:

• Notice of bankruptcy.

• Notice of the sale of property containing licensed IP in bankruptcy.

• Rights of the licensor concerning

Michael Sabino is a managing associate in Sidley’s New York office and a member of the Restructuring Group. His experience includes representing debtors, official committees, secured and unsecured creditors, and other parties in all aspects of bankruptcy cases, out-of-court restructurings, acquisitions and other distressed situations.

Had Katzman objected, it may have been able to protect its rights.

The Important Role Legal Plays in an Era of Growing Data Risks (Privacy, Cyber, Litigation)

Tuesday, March 16 1pm ET / 12pm CST

This CLE webinar explores key areas of risks and provides tools and tips to mitigate these risks and establish defensible compliance to help insulate your organization in the event of a privacy breach, regulatory action, or litigation.

Webinars

The intricate lattice of privacy, data protection and the law with Robert

Scott

Tuesday, March 28 1pm ET / 12pm CST

Understanding the intricacies of how privacy, data protection and the law intersect is at the root of navigating the complex "Privacy" labyrinth. In this education-forward webinar, we'll cover Four Key Areas important to today's GCs, Law Firm Attorneys and Legal Professionals.

The Art of Consent: Navigating the Compliance Trifecta

Thursday, April 6 1pm ET / 12pm CST

In this innovative and intelligent webinar, our experts will explore the Compliance Trifecta of consent and preference management— say it, do it, prove it. You'll learn how to effectively communicate your privacy policies, implement them in a way that's compliant, and demonstrate your compliance to regulators.

Register for Webinar Register for Webinar Register for Webinar

Sponsored by

Sponsored by Sponsored by

The FTC Rule Banning Non-Compete Agreements

Ahot topic in antitrust today is the FTC’s proposed rule banning non-compete agreements as an unfair method of competition under Section 5 of the FTC Act. The proposed rule has been published in the Federal Register and the FTC is now seeking comments.

The FTC defines a non-compete agreement as “a contractual term between an employer and a worker that prevents the worker from seeking or accepting employment with a person, or operating a business, after the conclusion

of the worker’s employment with the employer.” The proposed rule exempts any non-compete agreements that are entered into by a person who is selling a business or ownership interest in a business, when the person restricted is a substantial owner or member of the business being sold.

The materials published in the Federal Register acknowledge that the treatment of non-compete agreements is basically addressed by state law. Private enforcement or challenges to non-compete

agreements under the federal antitrust laws are usually unsuccessful because section 4 of the Clayton Act requires that the plaintiff establish an injury to competition. The proposed rule, however, would preempt state law to the extent the state law is inconsistent.

Interestingly, in 1898, just eight years after the Sherman Act was passed establishing a national antitrust regime, then Judge William Howard Taft issued a seminal antitrust decision that still resonates today. Judge Taft was sitting on

the Sixth Circuit Court of Appeals. He would go on, of course, to become President of the United States and then Chief Justice of the Supreme Court. The United States v. Addyston Pipe & Steel Co. decision set forth a framework to analyze restraints of trade under the new antitrust law. Under this framework, a court or jury would consider whether the restraint was ancillary and necessary to an otherwise pro-competitive arrangement and whether the restraint was greater than necessary to achieve the pro-competitive purpose.

In explaining his test, Judge Taft provided five examples of restraints that were considered lawful under the common law. These included non-compete agreements relating to the sale of a business and non-compete agreements between an employer and an employee.

Both types of restraints were real restraints on competition but were considered lawful because they were ancillary or necessary to an otherwise legitimate, pro-competitive arrangement. Take, for example, a non-compete agreement in connection with the sale of a business.

When I teach antitrust law, the example I use is the sale of a pizza restaurant under the name “Sally’s Pizza.” Sally wants to sell more than the pizza ovens and other fixtures. She wants to sell the goodwill that she has developed over the years because her dough and sauce have developed a strong following. The buyer is willing to pay for this goodwill, but wants some protection so that Sally does not open a pizza restaurant across the street called “Sally’s Original Pizza.” A non-compete agreement protects the buyer’s purchase of Sally’s goodwill and

encourages persons like Sally to develop goodwill.

What about an employeremployee non-compete agreement? Judge Taft noted that business owners want to employ the best assistants and train them thoroughly, including in the secrets of the business. Judge Taft pointed out that the owner of a business would be reluctant to do so if the employee could set up a rival business in the vicinity after learning the details and secrets of the business.

The FTC has concluded that a complete ban on non-competes is preferable to having courts or juries apply a test like Judge Taft’s test. The published materials set forth studies and analyses to support this conclusion.

Judge Taft in an oft-quoted passage cautioned that courts that seek to determine how much restraint is in the public interest “set sail on a sea of doubt.” The FTC’s total ban on non-competes is also a determination as to how much a non-compete is in the public interest. Of course, the total ban now is a proposed rule only. It remains to be seen if the FTC concludes that it also has set sail on a sea of doubt.

The General Counsel Report

2023: Global Legal Departments

Alleviate and Respond to Critical Pressure Points

ON-DEMAND

Over the last four years, FTI Technology and Relativity have co-sponsored a study of trends, challenges, and best practices within large corporate legal departments to deliver The General Counsel Report. In this year’s edition, the role of the GC is examined, as new and intensifying areas of risk and complexity are challenging legal departments.

Jeffery Cross is a columnist for Today’s General Counsel and a member of the Editorial Advisory Board. He is a partner in the Litigation Practice Group of Freeborn and Peters LLP and a member of the firm’s Antitrust and Trade Regulation Group.

jcross@freeborn.com

View

Establishing Responsible Supply Chains With Model Contract Clauses

The global supply chain is an interconnected web of goods, from raw materials to the finished product. How does a retailer ensure that the garment it hopes to sell was not sewn in unsafe working conditions in Bangladesh, or that the cotton used was not sourced from forced labor in Xinjiang? Model contract clauses (MCCs) are a contractual toolkit to help companies implement responsible sourcing practices.

The MCCs were developed by a working group of lawyers from the

American Bar Association’s Business Law Section. They are intended to help companies prevent human rights abuses in their supply chains by operationalizing the best practices in business and human rights law, particularly the U.N. Guiding Principles on Business and Human Rights. The MCCs are a modular framework of contract clauses that can be inserted into supply chain agreements by companies seeking to implement their human rights policies in a manner that best suits their specific circumstances.

A key obligation under the MCCs involves human rights due diligence. This requires that both buyers and suppliers take steps to identify potential risks and address human rights issues, even those discovered in lower tiers of the supply chain. The first step involves mapping the supply chain to determine the specific risks of human rights abuses given the industry, product components, geographic location of operations, and all other relevant production and delivery factors. Once the risks have been assessed,

the parties can focus on the key risk areas, in order of severity if required, and work to remediate the issues discovered through the diligence process.

Effective due diligence requires ongoing lines of communication rather than a hands-off delegation of all obligations to one party or a singular audit. The MCCs provide for continuous monitoring by the buyer and reporting obligations of the supplier, acknowledging that lower-tier suppliers become buyers in all complex chains.

even a small component of a product has a nexus to Xinjiang or a list of prohibited entities, then the goods would be subject to the Act. All products that are subject to the Act carry a rebuttable presumption that they were made using forced labor, and thus prohibited from entry into the United States pursuant to Section 307 of the Tariff Act of 1930.

The focus on due diligence is especially relevant for companies that are subject to mandatory human rights due diligence regimes, such as the regimes in Germany and France. The European Council has circulated a proposed directive to establish an EU-wide mandatory human rights and environmental due diligence framework.

The MCCs are also relevant for importers that may be subject to enforcement actions by the U.S. government pursuant to laws such as the Uyghur Forced Labor Prevention Act (UFLPA). Importers who have shipments detained pursuant to the UFLPA must either prove that the goods are not subject to the Act or prove that the goods were not produced using forced labor by clear and convincing evidence.

There is no de minimis exception to the UFLPA, which means that if

Importers must accurately map and trace their supply chain to determine internally whether their shipments might be subject to the Act. This requires continuous, accurate information gathering of the type contemplated by the MCCs. If a shipment were the subject of an enforcement action under the UFLPA (or a withhold release order), the MCCs would also help companies obtain evidence in support of their claim that the products were not produced using forced labor. It should be noted that the evidentiary burden to rebut the presumption of forced labor in the UFLPA is very difficult to meet when a product is found to be subject to the Act.

The MCCs set out human rights standards for the parties to follow in Schedules P and Q. Schedule P is the collection of alternative sample standards that the supplier agrees to uphold. The MCCs do not propose specific obligations in Schedule P because obligations are highly dependent on the concerns of the parties and the nature of the industry. However, the MCC does provide resources for companies to prepare their own set of obligations.

Schedule Q lists the obligations to which the buyer agrees, such as responsible purchasing practices and responsible termination of the agreement.

The MCC approach is consistent

with the U.N. Guiding Principles on Business and Human Rights, which focuses on human rights due diligence and remediation of issues when they are identified. Remediation is not necessarily the supplier’s responsibility only. It also falls upon the buyer to the extent it has contributed to the issue. When a breach of a human rights obligation is discovered, the MCCs focus first on remediation rather than traditional contract damages to be sure the needs of true victims are addressed. Traditional analysis of damages to the non-breaching party that might be appropriate is not omitted, however, and the buyer may immediately terminate the agreement upon the discovery of a zero-tolerance activity.

The MCCs can help companies establish responsible sourcing frameworks that prevent the perpetuation of the worst human rights abuses in supply chains. They are particularly relevant now that governments, investors and consumers are increasingly requiring companies to take effective steps to eliminate these abuses from their supply chains.

Patrick Miller is the Founding Attorney of Impact Advocates, a law firm focusing on international commercial dispute resolution through arbitration, mediation and litigation, and assisting companies to implement responsible supply chain frameworks. He works with an ABA Business Law Section working group that has developed a comprehensive set of contractual provisions to address potential human rights violations in international supply chains.

patrick.miller@impactadvocateslaw.com

The first step involves mapping the supply chain to determine the specific risks of human rights abuses given the industry.