January 2021 marked an important stage on the relationship between the EU and the UK regarding data privacy. As of 2021, the UK is considered a third country when it comes to international data transfers ,meaning that there was data before and there is data after Brexit.
Since the requirements in GDPR concerning international transfers of (personal) data to third countries are strict, and since there was not an EU adequacy decision on UK’s data protection legal framework, risks of non-compliance for businesses transferring data from an EEA country to the UK were significant.
But, on February 19 2021, fifty days after the EU and UK markets were set apart, the EU published a draft decision on adequate protection of personal data by the UK under GDPR.
The draft decision concludes that the UK’s legal framework when it comes to data protection ensures a level of protection of personal data transferred from the European Union that is essentially equivalent to the one guaranteed by GDPR, and that both supervision and adjustment mechanisms facilitate the detection of violations and their punishment, as well as solutions for data subjects.
Considering this draft decision, and assuming a final decision will comprehend the same terms, the transition period initially set out will no longer apply and businesses in the EU will be able to continue to transfer personal data to the UK based on an adequacy decision, which means that data transfers to the UK have no restrictions whatsoever.
These are very relevant news for several key economy sectors, such as health, banking and technology, and the continuity of EU-UK data flows therein.
This draft decision includes, however, a duration period of four years at the end of which the EU must renew its adequacy decision. Because the UK will no longer be bound by the current data protection framework after the EU-UK Trade and Cooperation Agreement ceases to apply, the EU decided to subject the adequacy decision to an amendment and restatement by the end of 2024: six months before the adequacy decision ceases to apply, the EU must initiate a procedure to amend it by extending its temporal scope for an additional period.
Within the next few weeks, EDPB is expected to issue an opinion on the draft decision, which will be taken into consideration in the preparation of (but should not stop) the final decision.

As of January 1, 2022, investors will no longer be able to buy real estate in Lisbon and Oporto to obtain a residence visa – a “golden visa” – in Portugal.
Investors that have already purchased real estate in these areas or are in the process of doing so will not be affected by these changes. So, for investors that intend on investing in high-density regions of the country, such as Aveiro, Braga and Coimbra and the majority of Algarve, the time to do so is now or until the end of 2021.  
Real estate in inland areas of the country, Azores and Madeira will, however, still be eligible for obtaining a golden visa in Portugal. In these areas, for a minimum of €500,000 for new properties and €350,000 for properties purchased for renovation, one can still apply for a golden visa and become a Portuguese resident.
Minimum investment requirements will increase for those who apply for a residence visa by making capital transfers to Portugal:

  1. capital transfers for no specific reason will increase from €1,000,000 to €1,500,000;
  2. capital transfers for (i) research purposes; (ii) acquisition of investment funds or venture capital funds shares and (iii) investing in existing and registered Portuguese businesses will increase from €350,000 to €500,000.

The rules above are included in Decree-law no. 14/2021, of 12 February, and will apply to visa requests filed after January 1, 2022. Renovation of residence visas granted under the rules in force until December 31, 2021 and the granting and renovation of family regroup visas connected with residence visas also granted under the rules in force until December 21, 2021 will not be affected by the new rules.

On 14 January 2021, the European Data Protection Board ('EDPB') adopted Guidelines 1/2021, the first guidelines issued this year, which include practical and useful examples of notifications of personal data breaches ('Guidelines') under the General Data Protection Regulation ('GDPR').

These Guidelines are to be the continuation of the guidelines issued by the former Article 29 Working Party (' WP250 Guidelines ') in 2018, adding the experience obtained by the supervisory authorities of the various Member States with the application of the GDPR.

In contrast with the WP250 Guidelines, the current Guidelines adopt a more practical approach, stressing the importance of a risk assessment when it comes to the possible causes for a data breach. The Guidelines provide examples of data breaches (the most common) and the procedures to be followed, underlining the importance of documenting the entire process in the event of a data breach.

The examples given are divided into six groups: (i) 'ransomware'; (ii) data exfiltration ‘attacks’; (iii) breach due to human error within companies; (iv) lost or stolen devices and paper documents; (v) breach resulting from communications (‘mispostal’); and (vi) other cases (involving 'social engineering').

The specific examples indicated by the EDPB (about 18) range from submitting an online application for a job position, to filling in credentials on a bank website, to personal data breaches in hospitals.

In other words, these are day-to-day situations, that no person or entity is completely safe from. It is therefore recommended that necessary measures are taken in the event of a data breach, by adopting the following measures:

  1. Investigate the data breach so that, after identifying its origin, the measures to be taken are assessed. Ideally, there should be a 'contingency plan' drawn up in advance for this purpose;
  2. The next step is to take the necessary measures to mitigate the damage resulting from the data breach (such as returning all affected computer systems to a 'clean' state and repairing their vulnerability) and report the breach to the relevant supervisory authority. Reporting the breach should be made within 72 hours from the moment it is known, when it is likely that it represents a risk to the rights and freedoms of the persons involved (the data subjects);
  3. Finally, if the data breach constitutes (or is likely to constitute) a high risk to the data subjects’ rights and freedoms, it must also be reported to the data subject.

These Guidelines will be under public consultation until March 2, 2021.

Overview

On January 15, 2021, the European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) adopted a joint opinion on the draft proposal of Standard Contractual Clauses (SCCs) released by the European Commission on  November 12 2020 for data transfers from within the EEA to non-EEA countries (third countries) (the Draft SCCs). 

Once settled, the Draft SCCs will replace the existing SSCs: (i) EU controller to non-EU or EEA controller (Decision 2001/497/EC and Decision 2004/915/EC) and EU controller to non-EU or EEA processor (Decision 2010/87/EU), approved under the former Data Protection Directive and that was repealed by the EU General Data Protection Regulation (GDPR).

GDPR requires a solution to be implemented for data transfers from the European Economic Area (EEA) to third countries that do not provide an adequate level of data protection. The SCCs, among or together with other options, such as data subject’s consent, binding corporate rules (BCR), ad hoc contractual clauses, approved codes of conduct or certification mechanisms, allow international data transfers in compliance with GDPR.

The EU-US Privacy Shield was also one of the solutions used to justify data transfers from EEA to the US. Last summer, the EU-US Privacy Shield was, however, ruled void by the Court of Justice of the European Union’s (CJEU), in Schrems II case. Consequently, organizations using the EU-US Privacy Shield need to rely on alternative solutions, from which SCCs may be used to justify data transfers to the US.

For a comprehensive approach, we will first recall the Schrems II case and the subsequent steps until the recent joint opinion issued by EDPB and EDPS.

Schrems II case

This decision of July 16 2020 (Schrems II case) is the sequel to a previous ruling, where CJEU invalidated the EU-US Safe Harbour (Schrems I case). The EU-US Safe Harbour was the predecessor of the Privacy Shield, which also ruled as inadequate to ensure an adequate level of protection required for international data transfers. In turn, CJEU considered the Commission Decision 2010/87/EU applicable to data transfers from EU controllers to non-EU or EEA processors to be valid.

This CJEU ruling follows a complaint lodged by M. Schrems. The Austrian citizen and Facebook’s user lodged his complaint with the Irish data supervisory authority seeking to prohibit Facebook Ireland from transferring his personal data to the US. Personal data of Facebook users, who are residents in the EU, is transferred to servers of Facebook Inc. located in the US where they are processed under International SCCs.

M. Schrems claimed that International SCCs would not offer sufficient protection against access by US public authorities to the data transferred to the US.

Following the Advocate General’s Opinion (non-binding opinion published on 19 December 2019) on this case, the CJEU considered International SCCs as adequate. The Court points out that International SCCs decision imposes an obligation on the data exporter and on the data recipient to verify, prior to any transfer, whether that level of protection is respected in the receiving country and that the decision requires the recipient to inform the data exporter of any inability to comply with International SCCs, the latter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the former.

On the other hand, CJEU challenged the level of protection afforded by the Privacy Shield on the grounds that it does not include satisfactory limitations to ensure the protection of EU personal data from access and use by US public authorities based on US domestic law.

The Schrems II case has relevant implications on the data transfer from the EU to third countries (namely the US) and gave data subjects, controllers, and processors with a great deal of uncertainty in relation to the conditions under which data exports can occur, i.e. what the practical consequences for existing and new contracts are and how to conduct Transfer Impact Assessments (TIAs) onwards.

SCCs meet businesses halfway

Further to the Schrems II ruling, on 10 November 2020, the EDPB adopted recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.

The EDPB recommendations emphasizes the principle of accountability under which controllers which export personal data must ensure that whatever mechanism and supplemental measures govern a data transfer, the data must receive the same protection it would in the EU. Otherwise, the data transfer will breach GDPR. These recommendations are targeted to both public and private transfers of EU data to private sector entities outside the EU.

Data exporters need to determine whether they must use supplemental measures other than the revised SCCs. EDPB provides examples of supplementary measures to be assessed on a case-by-case basis, such as “flawlessly implemented” encryption and pseudonymizing data.

Two days after the EDPB’s recommendations, the Commission published the Draft SCCs  with input due by December 10, 2020. As data processing is increasingly complex, the adage of this draft proposal is adaptability.

The Draft SCCs combine general clauses with a modular approach to cater for various transfer scenarios. In addition to the general clauses, controllers and processors should select the module applicable to their situation among the four following modules: (i) module one: transfer controller to controller; (ii) module two: transfer controller to processor; (iii) module three: transfer processor to processor; and (iv) module four: transfer processor to controller.

Some relevant issues that should be concerning to organizations dealing with international data transfers, and that do not solve any of the issues raised by the Draft SCCs, include:

  • On the adequacy of the law and practices of the third country. This is not a great relief for controllers and processors who come about a great deal of responsibility;
  • A brief period of one year to comply. Organizations will need to put in practice the revised SCCs for their entire business operation. The draft proposal grants organizations one year to do so, which may come up short;
  • The revised SCCs are not necessarily of use, or mandatory, for organizations operating under SCCs of greater privacy assurance. SCCs work as a minimum protection threshold.
Joint opinion of EDPB and EDPS

In this context, on November 12 2020, the Commission requested EDPB and EDPS to issue a Joint Opinion on the Draft Decision and the Draft SCCs (“the Joint Opinion”).

In general, EDPB and EDPS are of the opinion that the Draft SCCs offer a reinforced level of protection for data subjects. In particular, EDPB and EDPS welcome the specific provisions intended to address some of the main issues identified in the Schrems II ruling.

Nevertheless, EDPB and EDPS are of the understanding that several provisions could be improved or clarified, including (i) the scope of SCCs; (ii) certain third-party beneficiary rights; (iii) certain obligations regarding onward transfers; (iv) aspects of the assessment of third country laws regarding access to public data by public authorities; and (v) the notification to the supervisory authority.

The conditions under which SCCs can be used must be clear for organizations and data subjects should be provided with effective rights and remedies. SCCs should include a clear distribution of roles and of the liability regime between the parties. Regarding the need, in certain cases, for ad-hoc supplementary measures to ensure that data subjects are afforded a level of protection essentially equivalent to that guaranteed within the EU, the Joint Opinion considers that new SCCs will have to be used along with EDPB Recommendations on supplementary measures.

EDPB and EDPS thus invite the Commission to refer to the final version of EDPB Recommendations on supplementary measures.

The revised SCCs together with the recent Schrems II will give a new approach to international data transfers, with due diligence measures towards data exporters to ascertain whether the country of the data importer effectively ensures an adequate level of protection. For data exporters, this may however become a huge task, as they will need to map all transfers and understand the laws and practices of the third country to adopt appropriate measures to meet the EU’s data protection requirements.

Since January 1, 2021, the UK is considered a third country regarding international transfers of data. Except for the interim period of four months set out in the EU-UK Trade and Cooperation Agreement, transfers of personal data from the EEA to the UK will be treated as a data transfer to a third country, and the transfer will need to meet the GDPR requirements for international data transfers.

If the EU does not issue an adequacy decision on the UK for the purpose of international data transfers within the next four to six months, all companies that transfer personal data to the UK will need to ensure that they have appropriate safeguards that comply with the requirements of GPDR and legitimize transfers of data to the UK.

In this short briefing, you can learn more about (i) the EU-UK Trade and Cooperation Agreement regarding data protection, (ii) the implications of non-compliant data transfers to the UK, and (iii) the GDPR requirements for international transfers of data.

Brexit: bidding farewell to the UK

From January 1, 2021, the EU and the UK form two separate markets. The movement of persons, goods and services has come to an end between these two territories. On December 24, 2020, the EU and the UK agreed the terms of a free trade agreement, a governance framework, and a citizen’s security framework.

As regards personal data protection, the EU and UK commit to uphold high levels of data protection standards, and, for a period of four to six months, an interim period allows­ free flow of personal data from EEA countries to the UK ensuring a transition after Brexit. This is temporary relief for businesses as a no-deal Brexit would mean new transfer mechanisms to be needed already in January 2021.

The UK issued guidance stating that EEA countries will be considered adequate for the purpose of transfers of data, so these transfers will be permitted from the UK to the EEA. But the Brexit deal leaves out the adequacy of data protection rules in the UK, so for data transfers from EEA countries to the UK to be considered legitimate, it is still necessary that the EU issues an adequacy decision under Article 45 of the GDPR.

As regards data protection, the relationship between the EU and the UK remains unchanged until 1 May 2021 (or 1 July 2021, if it is extended). For the second semester of 2021, however, and if the EU does not issue an adequacy decision, things will change.

Risks of non-compliance

Following the transition period, and unless the EU determines the level of adequacy for personal data protection in the UK, the risks of non-compliance for businesses transferring data from an EEA country to the UK are significant.

Businesses infringing provisions regarding the personal data transfers to recipients in a third country are subject to fines up to €20 million or up to 4% of their total worldwide annual turnover, whichever is higher.

Having considered the risks posed by faulty compliance with the rules governing the transfers of data to the UK after the transition period, businesses must understand the GDPR requirements for cross-border transfers and structure internal policies accordingly.

International transfers of data under the GDPR

Communication of personal data from a data permanent storage location within the EEA made available to an identified party with the sender’s knowledge or intention to give the recipient access to such personal data at destination outside of the EEA is an international transfer of data.

Under Articles 45 and 46 of the GDPR, transfers of data outside of EEA can only occur if (i) they rely on an adequacy decision of the EU or, if there is none, if (ii) there are appropriate safeguards in place, namely adequate standard contractual clauses, binding corporate rules, codes of conduct, or security certification procedures, save for any of the derogations of Article 49, and (ii) on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

An adequacy decision by the EU determines that a country outside of the EEA has an adequate level of data protection standards to the extent that data can be transferred to that country without any further safeguards. It is expected that the EU will issue an adequacy decision on the UK during the transition period, but businesses should nevertheless be prepared to put in place standard contractual clauses, corporate rules binding their group’s entities, codes of conduct and certification mechanisms in line with the EU’s standards and guidelines.

It is also useful to consider two sets of recommendations issued by EDPB on personal data transfer to third countries and related to the conclusions of the CJUE in its recent judgment C-311/18 (Schrems II). These recommendations have a special impact on measures that supplement transfer tools to ensure compliance with adequate levels of personal data protection.

Summary

For the first four months of 2021, there will be an interim period, which can be extended for an additional two months, in which transfers from EEA to the UK can occur legitimately without the requirements set out under GDPR for international data transfers. 
It is noteworthy that the interim period is precarious: in case the UK changes its current legal framework on data protection, the transition period will immediately come to an end, except if previously approved by the EU. At the end of this interim period, unless the EU issues an adequacy decision on the UK data protection framework, transfers of data from an EEA country to the UK are not permitted unless appropriate safeguards are put in place in compliance with GDPR.

The International Chamber of Commerce (ICC) has amended its arbitration rules effective January 1, 2021.

These amendments apply to all ICC arbitrations to be commenced from that date, irrespective of when the underlying Arbitration Agreement was concluded, unless the parties "have agreed to submit to the Rules in effect on the date of their arbitration agreement” (Article 6 (1)).

Although some of the amendments recently introduced are intended to overcome challenges posed by the Covid-19 pandemic, they should, nevertheless, continue to make ICC arbitration more flexible, transparent and efficient in the years to come.

We hope the following may help you keeping track of the amended rules applicable to ICC arbitrations.

1. Conflict of Interests

The 2021 ICC Rules introduce three Articles that mainly prompt to ensure the independence and impartiality of the arbitral tribunal.

Article 11 (7) requires the parties to notify the ICC Secretariat, the arbitral tribunal and other parties of the existence and identity of non-litigant third parties funding the claims pursued in the arbitration, considering that such third parties have an economic interest in the outcome of the arbitration.

In addition, Article 13(6), applying to investment arbitrations based on a treaty, ensures complete neutrality of the arbitral tribunal by providing that no arbitrator shall have the same nationality of any party to the arbitration.

To prevent the emergence of conflicts of interests between arbitrators and new party representatives, after the establishment of the tribunal, Article 17 (1) obliges the parties to inform the Secretariat, the arbitral tribunal and the counterparties of any changes of its representatives.

Also, once a party communicates an alteration of its representatives, the arbitral tribunal may take any measures to avoid a conflict of interests, including rejecting the proposed change or limiting the new representatives’ participation in part of the proceedings (Article 17 (2)).

2. The Virtualization of Arbitration

The 2021 ICC arbitration rules seek to adapt the arbitration proceedings to the new context of circulation restrictions and the technological breakthrough carried by the COVID-19 pandemic, simultaneously aiming to reduce the delays and costs of arbitration procedures.

As a result of the Covid-19 pandemic, virtual hearings became an increasing option for parties. To align with what is now common practice in arbitration, the revised Article 26 (1) gives discretion to the tribunal to decide, after consulting the parties and considering the circumstances of the case, if a hearing shall be conducted in person or remotely, by videoconference, teleconference, or other possible means of communication.

Interestingly enough, the previous ICC Rules already included a recommendation to hold hearings through telephone or video conferencing whenever personal attendance was not necessary (Appendix IV – case management techniques, Article 1 (f)).

In what concerns written submissions, notifications and communications, the revised Article 3 (1) abandons the rule of its physical presentation and allows the parties to choose any means of telecommunication that provide a record of the sending.

By removing the rule of paper filings, the ICC affirms its call for “greener” arbitrations while expanding the principles of efficiency and flexibility.

3. Joinder and consolidation provisions

The new Article 7 (5) establishes some requirements for the acceptance of a Request for Joinder of additional parties after the appointment of any arbitrator. Besides the agreement of all the parties (Article 7 (1)), the additional party must accept the constitution of the arbitral tribunal and the Terms of Reference, if they exist.

Once these requirements are fulfilled, the arbitral tribunal decides on the request, considering “all relevant circumstances”, including, without limitation, the “prima facie jurisdiction over the additional party, the timing of the Request for Joinder, possible conflicts of interests and the impact of the joinder on the arbitral procedure”.

Regarding the consolidation of arbitrations, the Court may now order the consolidation of two or more arbitrations when the claims are made under various common arbitration agreements (Article 10 (b)) or when the claims are not made under the same arbitration agreement or agreements, but the arbitrations have common parties, the disputes in the arbitrations arise in connection with the same legal relationship, and the arbitration agreements are compatible (Article 10 (c)).

Thus, the consolidation of arbitrations becomes easier and more flexible.

4. Tribunal appointments

The new Article 12 (9) confers the Court competence to, in exceptional circumstances, appoint all the arbitrators, regardless of any agreement between the parties. The 2017 version of ICC Rules only allowed the Court to appoint the arbitrators when parties were unable to agree on the constitution of the arbitral tribunal.

The purpose of the norm is to prevent the violation of fundamental principles of the arbitration procedure, like the equality of the parties and the fair trial, thereby avoiding the nullity of the arbitral award. Actually, the mentioned principles are limitations to the principle of freedom to choose the arbitrators and the mechanisms for their selection.

Bearing this in mind, the intervention of the Court will be justified, v.g., when the information or power asymmetry between the parties generates appointment agreements that ascribe the choice of all arbitrators to one party or prevent one party to choose certain people or people with certain characteristics to be the party appointed arbitrator.  

It should be noted that the application of Article 12 (9) may generate problems of compatibilization with Article V(1)(d) of the 1958 New York Convention, according to which an award may be refused recognition if the composition of the arbitral tribunal is not in accordance with the parties' agreement.

5. Additional Award

The 2021 ICC Rules introduce the possibility of an application for an additional award in case the arbitral tribunal omits a ruling on any of the parties’ claims. This application must be presented to the Secretariat within 30 days from receipt of the award by the parties. After granting the other parties the possibility to submit any comments to the application, the arbitral tribunal drafts a decision to be submitted to the Court.  

If the Court accepts the arbitral tribunal’s decision to grant the application, that decision takes the form of an additional award.

6. Expedited Procedure Rules

2021 ICC Rules raise the threshold to opt-out of the expedited procedure rules from USD 2 million to USD 3 million when the arbitration agreement is concluded on or after 1 January 2020. Thus, arbitration agreements concluded on or after 1 March 2017 and up to the end of 2020 remain subject to the USD 2 million threshold established on 2017 ICC Rules.

Conclusions

The changes introduced by ICC 2021 Rules will likely increase the efficiency and flexibility of ICC arbitrations, reducing costs and allowing the adjustment of the procedures according to a multiplicity of factors, like the complexity of the dispute, the participants’ availability to travel or any restrictions to the free movement of persons.

At the same time, the 2021 ICC Rules strongly invest in guaranteeing the tribunal’s independence, impartiality and transparency, raising the public’s confidence in arbitral institutions and the reliability of the arbitral awards.

The Portuguese Data Protection Authority (CNPD) launched its plan of activities for 2021, a plan that is conditioned by and considers the current situation caused by the Covid-19 pandemic. Social confinement as well as other limitations in social interaction have contributed to the promotion of new types of personal data processing, due to telework, distance learning, and matters of protection of privacy and public interest in health data processing, which requires monitoring by CNPD in 2021.

Regarding the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), CNPD will propose requirements and procedures for the approval of codes of conduct and measures to guarantee the application of the principles of Privacy by Design and by Default.

CNPD will also provide guidance in matters that have gained importance over the years, such as data processing of children and other vulnerable groups, by offering guidelines to those responsible for processing and raising awareness amongst children and young people, using language adequate to the recipients.

The legal regime applicable to cookies will be monitored and further explained. CNPD will assist in the compliance of the GDPR as well, especially when it comes to the form and content of privacy policies and the obligation to inform data subjects. The Activity Plan focuses mainly on raising citizens’ and companies’ awareness about personal data protection and privacy as well as supervision of personal data processing.

In 2021, CNPD will conduct audits and inspections to verify compliance with the personal data protection legal regime, especially focusing on areas such as: (i) video surveillance in public space; (ii) call centers; and (iii) TVDE platform.

Regarding specific measures, the Activity Plan emphasizes the supervision and monitoring of data processing within the 2021 Census and the presidential election, as well as in the context of teleworking and distance learning.

The plan includes the implementing and connection, at a national level, of the large-scale European information system for recording the entry and exit of third country nationals (ENS), and the monitoring of the transition to the new Schengen Information System, adaptation to the new legal framework of the Schengen Information System (SIS) and consequent changes in the national system and procedures for the entry into operation of the system.

The national parties of the European Information Systems SIS II, VIS and Eurodac will also be inspected regularly, as well as the Office of Single Contact Point Management for International Police Cooperation (PUC-CPI).

The transitional period set out in the Agreement on the withdrawal of the United Kingdom from the European Union ends on 31 December 2020. As a result, the European Union law, in particular, the rights of establishment and the freedom to provide services will cease to apply to UK entities.

In order to ensure a smooth transition, the Government approved Decree-Law 106/2020, which establishes a transitional regime applicable to the provision of financial services by entities based in the UK without establishment in Portugal, including the following rules:

• Receipt of deposits, granting of credit, payment services and issuance of electronic money: new contracts or new operations may only be entered into in Portugal after prior authorisation from the Bank of Portugal, which must be requested within three months as of 1 January 2021. Any acts which are necessary to comply with the contracts already executed may be performed until 31 December 2020.

• Investment services and activities and services related to Collective Investment Schemes (CIUs): credit institutions, investment firms and management companies authorised to provide services in Portugal under the right of establishment or the freedom to provide services may continue to provide services in Portugal, provided that, within three months, they inform the Portuguese Securities Market Commission (Comissão de Mercado de Valores Mobiliários – “CMVM”) if they (i) intend to terminate ongoing contracts or (ii) request an authorisation to maintain its activity in Portugal, within six months of 1 January, 2021. CIUs may continue to be marketed in Portugal provided that the management entities provide the CMVM with information on the CIUs within three months.

• Insurance contracts: contracts covering risks located in Portuguese territory or for which Portugal is the Member State of commitment will remain in force until the end of the contract, without prejudice to any right of early termination. These contracts may not be extended beyond the transitional period defined in the withdrawal agreement and may only be amended for the benefit of the policyholder or when the amendment results from the application of a mandatory legal rule. Insurance companies must send information on these contracts to the Insurance and Pension Funds Supervisory Authority (Autoridade de Supervisão de Seguros e Fundos de Pensões - “ASF”) within two months.

• Representation of bondholders: the entities that have been designated to represent investors may continue to provide their services until the expected maturity of the issue or program.

The transitional regime will be in force between 1 January 2021 and 31 December 2021, with the exceptions described above.

On December 22, the Portuguese Ministers’ Council approved a new regulation that will progressively put an end to golden visas, first in the metropolitan areas of Lisbon and Oporto, and, from July 2021 onwards, in the entire coast regions of Portugal. In the future, this residency permit will only be granted in the inland regions of Portugal, as well as in the autonomous regions of Madeira and Azores. This means that foreign investors intending to acquire a Portuguese residence permit will have to do so investing in real estate outside the country’s major cities.

The change will enter into force on July 1, 2021, but between 2021 and 2022 there will still be a transitional period during which the application of these new rules will be progressive, in the sense that the required investment amounts in metropolitan areas will be progressively higher and the possibility of application in these areas will be reduced over time. These investment amounts, however, have not yet been revealed.

This measure was included in the State Budget for 2020, but, because of the COVID-19 pandemic, has been postponed, and returns now slightly modified, in the Portuguese government’s view, to keep up with the economic recession the country is presently going through.

The Council of Ministers’ press release mentions that the purpose is to promote and increase foreign investment in the interior and low-density regions of Portugal, mainly in “urban requalification, cultural heritage, activities of high environmental or social value, productive investment and job creation".

This decision worries most real estate market players who fear it will push foreign investors away from Portugal and to other countries where there are no restrictions.

The Portuguese Association of Real Estate Promoters and Investors said the end of golden visas in Lisbon and Oporto means the loss of €700 million in investment per year by the National economy.

1. The first two ‘hub-and-spoke’ decisions

For the first time, the Portuguese Competition Authority (Autoridade da Concorrência – ‘AdC’) issued not one but two decisions on ‘hub-and-spoke’ arrangements in alcoholic and spirit beverages market imposing a total fine of circa €304 million  – the largest fine ever imposed by AdC –  against six large food retail chains.

Both cases now fined are not the first ‘hub-and-spoke’ cases investigated by AdC. The large retail chains sector is a key-sector on the watchdog of AdC. During 2017, AdC carried out dawn-raids into the premises of 44 entities and from which would result the opening of 16 proceedings, mostly against large retail chains.

Currently, investigations have led to seven statement of objections for “hub-and-spoke” arrangements, including the one issued a week ago. Last week, AdC had issued a statement of objections against three of the six large food retail chains now fined – Modelo Continente, Pingo Doce and Auchan – for another ‘hub-and-spoke’ arrangement in cosmetics and personal care products market.

In the first decision, AdC considered that the six large food retail chains Modelo Continente, Pingo Doce, Auchan, Intermarché, Lidl and E. Leclerc (the spokes) used the commercial relationship with the supplier (the hub) Sociedade Central de Cervejas (‘SCC’) – which commercializes, among others, beers Sagres and Heineken, ciders, such as Bandida do Pomar and sparkling water such as  Água do Luso – to progressively increase their prices in the retail market. A SCC board member and a business unit director of Modelo Continente were also fined by AdC.

The AdC’s investigation concluded that the distributors and the supplier concerted prices between 2008 and 2017, that is, for more than nine years, at the consumers’ expense.

In the second decision, AdC fined the same four large food retail chains (Modelo Continente, Pingo Doce, Auchan and Intermarché), as well as Lidl and Cooplecnorte (E. Leclerc), for concerting  prices, through the spirits supplier Primedrinks, in various alcoholic and spirit beverages, including wines from Esporão and Aveleda producers, whiskies such as The Famous Grouse or Grant´s, Hendrick’s gin or Stolichnaya vodka. This ‘hub-and-spoke’ arrangement occurred between 2007 and 2017, that is, more than 10 years.

Although ‘hub-and-spoke’ arrangements differ from traditional horizontal cartels in the lack of direct communication between the horizontal competitors, the adverse market effects may be similar – both may result in a hard-core price-fixing cartel, through a common supplier, thus restricting price competition between players and depriving consumers from price differentiation.

Under the current two decisions, AdC imposed, other than fines, the undertakings to immediately cease the ‘hub-and-spoke’ arrangements, as AdC was not able to rule out whether the investigated practices would continue.

2. How does a ‘hub-and-spoke’ work?

‘Hub-and-spoke’ arrangements are horizontal restrictions on the supplier or retailer level (the ‘spokes’), which are carried out through vertically related players that serve as a common ‘hub’ (e.g., a common retailer or service provider). The hub enables the coordination of competition between the spokes without direct contacts between the spokes, as shown below.