Ver pdf

E-signatures are essential to verify the identity of individuals and businesses online and to ensure authenticity of electronic documents.
In the European Union (‘EU’), electronic identification and trust services (‘eIDAS’), where e-signatures are included, are ruled by Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market (‘eIDAS Regulation’), which came into force in July 2016.
Although the eIDAS Regulation is directly applicable in all Member States and does not require implementation by local laws, certain specifics such as validity, effects and legal value of e-signatures and e-documents require local regulation that must be in line with the eIDAS Regulation.
In Portugal, local eIDAS specifics are governed by Decree-Law 12/2021, of February 9, 2021 (‘Portuguese eIDAS Law’), which is effective since March 11, 2021.
At the same time, the upcoming obligation for companies with FYE on December 31, 2020 of   holding their general meetings of shareholders to approve annual accounts until March 31, 2021 leads us to the rules on ‘e-shareholder meetings’, i.e. meetings held using electronic means. 

ELECTRONIC SIGNATURES

E-signatures are generally accepted in Portugal in the EU. However, their value as evidence varies according to the type of signature.
The eIDAS Regulation establishes the following types of e-signatures:

• Simple e-signature: data in electronic form which is attached to or logically associated with other data in electronic form, and which is used by the signatory to sign, as set out in the eIDAS Regulation. For example, writing a name on an e-mail may be considered a simple e-signature.
• Advanced e-signature: an e-signature which additionally is (i) uniquely linked to and capable of identifying the signatory, (ii) created in a way that allows the signatory to retain control and (iii) linked to the document in a way that any subsequent change of the data is detectable.
• Qualified e-signature: an advanced e-signature which additionally is (i) created by a qualified signature creation device and (ii) based on a qualified certificate for e-signatures. The use of a qualified e-signature means (i) that the signatory of the document is the individual identified by the qualified signature; (ii) that such individual had the intention to sign the document; and (iii) that the content of the document signed with the qualified e-signature has not changed since it was e-signed.

Only the qualified e-signature has the same value as evidence of a handwritten signature.
Nevertheless, the other types of e-signatures may be used:

• If the contracting parties agree to use other types of e-signatures (simple or advanced), subject, however, to mandatory provisions on the form required for certain agreements; or
• If someone submits an electronic document signed with other type of e-signature and the counterparty accepts such e-signature as valid. 

Qualified e-signatures based on qualified certificates issued in one EU Member State are acknowledged as qualified e-signatures in all other Member States. Providers of qualified certificates for e-signatures in each Member State are listed in the Trusted List.
As the United Kingdom (‘UK’) is no longer a member of the EU, qualified e-signatures based on qualified certificates issued by providers in the UK are not automatically recognised and accepted in the EU. The UK eIDAS Regulations, which are an amended form of the EU eIDAS Regulation and retain many aspects of the EU regulation, are tailored for use within the UK.

ELECTRONIC DOCUMENTS

Electronic documents are valid in Portugal. If the electronic document meets the requirements to be considered a written document – i.e., if it may be represented as a written statement – it will be considered equivalent to a paper document in written form.
Such electronic document signed using a qualified e-signature will be equivalent and have the same value as evidence as a paper document with a handwritten signature. The value as evidence of electronic documents signed with simple e-signatures or advanced e-signatures will be freely assessed by the court, which means additional evidence could be required to demonstrate the content of such documents.
If the electronic document cannot be represented as a written statement, it will have the value as evidence of a photograph or of a copy, even if signed using a qualified e-signature.
Copies of e-signed electronic documents that do not allow the verification and validation of e-signatures may have the same value as evidence of the original if they are certified by a notary.
Under the Portuguese eIDAS Law, the dispatching of electronic documents is subject to the following rules:

• An electronic document sent by electronic means is deemed sent and received by the addressee if it is transmitted and received at the electronic address agreed by the parties;
• The date and time of creation, dispatch or receipt of an electronic document containing a time stamp issued by a qualified trust service provider is effective between the parties and against third parties;
• An electronic document with a qualified e-signature or a qualified electronic seal sent by electronic means that ensure effective receipt is equivalent to dispatching by registered post. If receipt is confirmed by a confirmation message addressed to the sender by the addressee in an identical form, it is equivalent to dispatching by registered post with acknowledgement receipt;
• Dispatching of data and documents using qualified electronic registered mail services is equivalent to using registered post with acknowledgement receipt.

ELECTRONIC SHAREHOLDERS’ MEETINGS 

Although usually shareholder general meetings take place in the corporate head-offices, it is possible for shareholders of Portuguese companies to hold general meetings using electronic means, unless the company’s articles of association establish otherwise.
Some aspects must, nevertheless, be taken in consideration when deciding to hold the meetings electronically:

• It is an option of the company and not of the shareholders; and
• The company must put in place technical means to allow confirmation of identity of the shareholders attending the meeting, ensure authenticity and safety of communications in the meeting and to keep a full record of the meeting. 

This means, for example, that the notice of the meeting must specify that the meeting is to be held electronically and that the company must provide the shareholders the information required to access the meeting.
Even though the meetings are held electronically, minutes containing the record of discussions and resolutions must be drafted and signed by the chairman and secretary of the meeting (in case of S.A. companies) or by the shareholders (in Lda. companies), as applicable, either in paper or in electronic form.

Ver pdf

The Portuguese Presidency of the Council of the European Union can now negotiate the proposed e-Privacy Regulation. This regulation, yet to be negotiated with the European Parliament, intends on continuing the European Commission's 2017 proposal while defining rules on direct marketing, cookies and metadata, regarding "online privacy” framework.
Once approved, the regulation will revoke e-Privacy Directive, transposed by Law 41/2004 of 18 August into Portuguese domestic law. This Directive and the Portuguese law that transposed it are almost two decades old and no longer keep up with new challenges that come with technological development.
The proposed e-Privacy Regulation includes:

• Electronic communications data confidentiality and the users’ consent to their processing. Listening, monitoring and data processing by a third party will be prohibited, except if allowed by law or for protection against exceptional situations, e.g. guaranteeing the integrity of the services, malicious programs or viruses;
• End users’ choice to accept cookies (or not). To avoid "consent fatigue", users can consent to certain types of cookies by setting permissions in their browser's default settings;
• In marketing communications, the users’ consent rule stands when the user is a natural person (opt-in). If the user is a customer, prior consent to direct marketing communications is not needed, if the seller obtained the client’s electronic contact details during the sale of a product or service where customer had the possibility to opt-out of receiving these communications (soft opt-in). Member States can define the period during which data can be used for sending marketing communications in their domestic law;
• Metadata processing is allowed for billing purposes or to detect or prevent fraudulent use, or if the user consents so. Metadata can also be processed to protect vital interests of users, e.g. to monitor epidemics and their spread, or during humanitarian emergencies.

As lex specialis, the e-Privacy Regulation will set out the rules on privacy in electronic communications and, when and where not applicable, the General Data Protection Regulation (''GDPR'') will apply. One will not replace, but rather complete the other and vice-versa.
The Council will discuss the draft Regulation with the European Parliament. Once approved, the Regulation will enter into force 20 days after its publication and apply after a transitional period of two years.

Ver pdf

On  February 18, the European Commission opened violation proceedings against countries that have incorrectly transposed into their domestic law provisions regarding the 4th Anti-Money Laundering Directive (AMLD4 or Directive). Portugal included.
The deadline for the transposition of AMLD4 was June 27, 2017, and Brussels concluded that several provisions of the Directive were not transposed correctly into Portuguese law.
Because of this, the European Commission initiated a violation procedure by sending the defaulting countries a formal notice.
Over the next two months, Portugal must defend itself and answer adequately the Commission’s questions on why the transposition was not fully done. If it does not, the violation procedure will be pursued.
Portugal must address the fundamental aspects of the anti-money laundering framework, such as: (i) exchanging information with Financial Intelligence Units (FIUs) and cooperating adequately with them, for that matter; (ii) complying with customer due diligence requirements; and foster and encourage the transparency of central beneficial ownership registers.
If the Commission concludes that Portugal has not complied with its obligations under the EU law, the second stage of the violation procedure will follow.
In the second stage, the Commission sends Portugal a formal request to comply with AMLD4 and exposes the reasons why it considers that Portugal is breaching EU law. It also asks Portugal to inform the Commission of the measures adopted, within a specified period, usually 2 months.
The non-compliance with these rules might cause an impact on the EU, as a whole, by not protecting the financial system and combating money-laundering-related crimes. In order to step up these efforts the Commission published a six-point Action Plan on May 7, to further strengthen the EU's fight against money laundering and terrorist financing.
Now Portugal has to wait and see what the European Commission will decide, and we have to wait and see how the country will justify the poor transposition of the Directive into the Portuguese legal system.

Ver pdf

January 2021 marked an important stage on the relationship between the EU and the UK regarding data privacy. As of 2021, the UK is considered a third country when it comes to international data transfers ,meaning that there was data before and there is data after Brexit.
Since the requirements in GDPR concerning international transfers of (personal) data to third countries are strict, and since there was not an EU adequacy decision on UK’s data protection legal framework, risks of non-compliance for businesses transferring data from an EEA country to the UK were significant.
But, on February 19 2021, fifty days after the EU and UK markets were set apart, the EU published a draft decision on adequate protection of personal data by the UK under GDPR.
The draft decision concludes that the UK’s legal framework when it comes to data protection ensures a level of protection of personal data transferred from the European Union that is essentially equivalent to the one guaranteed by GDPR, and that both supervision and adjustment mechanisms facilitate the detection of violations and their punishment, as well as solutions for data subjects.
Considering this draft decision, and assuming a final decision will comprehend the same terms, the transition period initially set out will no longer apply and businesses in the EU will be able to continue to transfer personal data to the UK based on an adequacy decision, which means that data transfers to the UK have no restrictions whatsoever.
These are very relevant news for several key economy sectors, such as health, banking and technology, and the continuity of EU-UK data flows therein.
This draft decision includes, however, a duration period of four years at the end of which the EU must renew its adequacy decision. Because the UK will no longer be bound by the current data protection framework after the EU-UK Trade and Cooperation Agreement ceases to apply, the EU decided to subject the adequacy decision to an amendment and restatement by the end of 2024: six months before the adequacy decision ceases to apply, the EU must initiate a procedure to amend it by extending its temporal scope for an additional period.
Within the next few weeks, EDPB is expected to issue an opinion on the draft decision, which will be taken into consideration in the preparation of (but should not stop) the final decision.

Ver pdf

As of January 1, 2022, investors will no longer be able to buy real estate in Lisbon and Oporto to obtain a residence visa – a “golden visa” – in Portugal.
Investors that have already purchased real estate in these areas or are in the process of doing so will not be affected by these changes. So, for investors that intend on investing in high-density regions of the country, such as Aveiro, Braga and Coimbra and the majority of Algarve, the time to do so is now or until the end of 2021.  
Real estate in inland areas of the country, Azores and Madeira will, however, still be eligible for obtaining a golden visa in Portugal. In these areas, for a minimum of €500,000 for new properties and €350,000 for properties purchased for renovation, one can still apply for a golden visa and become a Portuguese resident.
Minimum investment requirements will increase for those who apply for a residence visa by making capital transfers to Portugal:

1. capital transfers for no specific reason will increase from €1,000,000 to €1,500,000;
2. capital transfers for (i) research purposes; (ii) acquisition of investment funds or venture capital funds shares and (iii) investing in existing and registered Portuguese businesses will increase from €350,000 to €500,000.

The rules above are included in Decree-law no. 14/2021, of 12 February, and will apply to visa requests filed after January 1, 2022. Renovation of residence visas granted under the rules in force until December 31, 2021 and the granting and renovation of family regroup visas connected with residence visas also granted under the rules in force until December 21, 2021 will not be affected by the new rules.

Ver pdf

On 14 January 2021, the European Data Protection Board ('EDPB') adopted Guidelines 1/2021, the first guidelines issued this year, which include practical and useful examples of notifications of personal data breaches ('Guidelines') under the General Data Protection Regulation ('GDPR').

These Guidelines are to be the continuation of the guidelines issued by the former Article 29 Working Party (' WP250 Guidelines ') in 2018, adding the experience obtained by the supervisory authorities of the various Member States with the application of the GDPR.

In contrast with the WP250 Guidelines, the current Guidelines adopt a more practical approach, stressing the importance of a risk assessment when it comes to the possible causes for a data breach. The Guidelines provide examples of data breaches (the most common) and the procedures to be followed, underlining the importance of documenting the entire process in the event of a data breach.

The examples given are divided into six groups: (i) 'ransomware'; (ii) data exfiltration ‘attacks’; (iii) breach due to human error within companies; (iv) lost or stolen devices and paper documents; (v) breach resulting from communications (‘mispostal’); and (vi) other cases (involving 'social engineering').

The specific examples indicated by the EDPB (about 18) range from submitting an online application for a job position, to filling in credentials on a bank website, to personal data breaches in hospitals.

In other words, these are day-to-day situations, that no person or entity is completely safe from. It is therefore recommended that necessary measures are taken in the event of a data breach, by adopting the following measures:

1. Investigate the data breach so that, after identifying its origin, the measures to be taken are assessed. Ideally, there should be a 'contingency plan' drawn up in advance for this purpose;
2. The next step is to take the necessary measures to mitigate the damage resulting from the data breach (such as returning all affected computer systems to a 'clean' state and repairing their vulnerability) and report the breach to the relevant supervisory authority. Reporting the breach should be made within 72 hours from the moment it is known, when it is likely that it represents a risk to the rights and freedoms of the persons involved (the data subjects);
3. Finally, if the data breach constitutes (or is likely to constitute) a high risk to the data subjects’ rights and freedoms, it must also be reported to the data subject.

These Guidelines will be under public consultation until March 2, 2021.

Ver pdf

Overview

On January 15, 2021, the European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) adopted a joint opinion on the draft proposal of Standard Contractual Clauses (SCCs) released by the European Commission on  November 12 2020 for data transfers from within the EEA to non-EEA countries (third countries) (the Draft SCCs). 

Once settled, the Draft SCCs will replace the existing SSCs: (i) EU controller to non-EU or EEA controller (Decision 2001/497/EC and Decision 2004/915/EC) and EU controller to non-EU or EEA processor (Decision 2010/87/EU), approved under the former Data Protection Directive and that was repealed by the EU General Data Protection Regulation (GDPR).

GDPR requires a solution to be implemented for data transfers from the European Economic Area (EEA) to third countries that do not provide an adequate level of data protection. The SCCs, among or together with other options, such as data subject’s consent, binding corporate rules (BCR), ad hoc contractual clauses, approved codes of conduct or certification mechanisms, allow international data transfers in compliance with GDPR.

The EU-US Privacy Shield was also one of the solutions used to justify data transfers from EEA to the US. Last summer, the EU-US Privacy Shield was, however, ruled void by the Court of Justice of the European Union’s (CJEU), in Schrems II case. Consequently, organizations using the EU-US Privacy Shield need to rely on alternative solutions, from which SCCs may be used to justify data transfers to the US.

For a comprehensive approach, we will first recall the Schrems II case and the subsequent steps until the recent joint opinion issued by EDPB and EDPS.

Schrems II case

This decision of July 16 2020 (Schrems II case) is the sequel to a previous ruling, where CJEU invalidated the EU-US Safe Harbour (Schrems I case). The EU-US Safe Harbour was the predecessor of the Privacy Shield, which also ruled as inadequate to ensure an adequate level of protection required for international data transfers. In turn, CJEU considered the Commission Decision 2010/87/EU applicable to data transfers from EU controllers to non-EU or EEA processors to be valid.

This CJEU ruling follows a complaint lodged by M. Schrems. The Austrian citizen and Facebook’s user lodged his complaint with the Irish data supervisory authority seeking to prohibit Facebook Ireland from transferring his personal data to the US. Personal data of Facebook users, who are residents in the EU, is transferred to servers of Facebook Inc. located in the US where they are processed under International SCCs.

M. Schrems claimed that International SCCs would not offer sufficient protection against access by US public authorities to the data transferred to the US.

Following the Advocate General’s Opinion (non-binding opinion published on 19 December 2019) on this case, the CJEU considered International SCCs as adequate. The Court points out that International SCCs decision imposes an obligation on the data exporter and on the data recipient to verify, prior to any transfer, whether that level of protection is respected in the receiving country and that the decision requires the recipient to inform the data exporter of any inability to comply with International SCCs, the latter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the former.

On the other hand, CJEU challenged the level of protection afforded by the Privacy Shield on the grounds that it does not include satisfactory limitations to ensure the protection of EU personal data from access and use by US public authorities based on US domestic law.

The Schrems II case has relevant implications on the data transfer from the EU to third countries (namely the US) and gave data subjects, controllers, and processors with a great deal of uncertainty in relation to the conditions under which data exports can occur, i.e. what the practical consequences for existing and new contracts are and how to conduct Transfer Impact Assessments (TIAs) onwards.

SCCs meet businesses halfway

Further to the Schrems II ruling, on 10 November 2020, the EDPB adopted recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.

The EDPB recommendations emphasizes the principle of accountability under which controllers which export personal data must ensure that whatever mechanism and supplemental measures govern a data transfer, the data must receive the same protection it would in the EU. Otherwise, the data transfer will breach GDPR. These recommendations are targeted to both public and private transfers of EU data to private sector entities outside the EU.

Data exporters need to determine whether they must use supplemental measures other than the revised SCCs. EDPB provides examples of supplementary measures to be assessed on a case-by-case basis, such as “flawlessly implemented” encryption and pseudonymizing data.

Two days after the EDPB’s recommendations, the Commission published the Draft SCCs  with input due by December 10, 2020. As data processing is increasingly complex, the adage of this draft proposal is adaptability.

The Draft SCCs combine general clauses with a modular approach to cater for various transfer scenarios. In addition to the general clauses, controllers and processors should select the module applicable to their situation among the four following modules: (i) module one: transfer controller to controller; (ii) module two: transfer controller to processor; (iii) module three: transfer processor to processor; and (iv) module four: transfer processor to controller.

Some relevant issues that should be concerning to organizations dealing with international data transfers, and that do not solve any of the issues raised by the Draft SCCs, include:

• On the adequacy of the law and practices of the third country. This is not a great relief for controllers and processors who come about a great deal of responsibility;
• A brief period of one year to comply. Organizations will need to put in practice the revised SCCs for their entire business operation. The draft proposal grants organizations one year to do so, which may come up short;
• The revised SCCs are not necessarily of use, or mandatory, for organizations operating under SCCs of greater privacy assurance. SCCs work as a minimum protection threshold.

Joint opinion of EDPB and EDPS

In this context, on November 12 2020, the Commission requested EDPB and EDPS to issue a Joint Opinion on the Draft Decision and the Draft SCCs (“the Joint Opinion”).

In general, EDPB and EDPS are of the opinion that the Draft SCCs offer a reinforced level of protection for data subjects. In particular, EDPB and EDPS welcome the specific provisions intended to address some of the main issues identified in the Schrems II ruling.

Nevertheless, EDPB and EDPS are of the understanding that several provisions could be improved or clarified, including (i) the scope of SCCs; (ii) certain third-party beneficiary rights; (iii) certain obligations regarding onward transfers; (iv) aspects of the assessment of third country laws regarding access to public data by public authorities; and (v) the notification to the supervisory authority.

The conditions under which SCCs can be used must be clear for organizations and data subjects should be provided with effective rights and remedies. SCCs should include a clear distribution of roles and of the liability regime between the parties. Regarding the need, in certain cases, for ad-hoc supplementary measures to ensure that data subjects are afforded a level of protection essentially equivalent to that guaranteed within the EU, the Joint Opinion considers that new SCCs will have to be used along with EDPB Recommendations on supplementary measures.

EDPB and EDPS thus invite the Commission to refer to the final version of EDPB Recommendations on supplementary measures.

The revised SCCs together with the recent Schrems II will give a new approach to international data transfers, with due diligence measures towards data exporters to ascertain whether the country of the data importer effectively ensures an adequate level of protection. For data exporters, this may however become a huge task, as they will need to map all transfers and understand the laws and practices of the third country to adopt appropriate measures to meet the EU’s data protection requirements.

Ver pdf

Since January 1, 2021, the UK is considered a third country regarding international transfers of data. Except for the interim period of four months set out in the EU-UK Trade and Cooperation Agreement, transfers of personal data from the EEA to the UK will be treated as a data transfer to a third country, and the transfer will need to meet the GDPR requirements for international data transfers.

If the EU does not issue an adequacy decision on the UK for the purpose of international data transfers within the next four to six months, all companies that transfer personal data to the UK will need to ensure that they have appropriate safeguards that comply with the requirements of GPDR and legitimize transfers of data to the UK.

In this short briefing, you can learn more about (i) the EU-UK Trade and Cooperation Agreement regarding data protection, (ii) the implications of non-compliant data transfers to the UK, and (iii) the GDPR requirements for international transfers of data.

Brexit: bidding farewell to the UK

From January 1, 2021, the EU and the UK form two separate markets. The movement of persons, goods and services has come to an end between these two territories. On December 24, 2020, the EU and the UK agreed the terms of a free trade agreement, a governance framework, and a citizen’s security framework.

As regards personal data protection, the EU and UK commit to uphold high levels of data protection standards, and, for a period of four to six months, an interim period allows­ free flow of personal data from EEA countries to the UK ensuring a transition after Brexit. This is temporary relief for businesses as a no-deal Brexit would mean new transfer mechanisms to be needed already in January 2021.

The UK issued guidance stating that EEA countries will be considered adequate for the purpose of transfers of data, so these transfers will be permitted from the UK to the EEA. But the Brexit deal leaves out the adequacy of data protection rules in the UK, so for data transfers from EEA countries to the UK to be considered legitimate, it is still necessary that the EU issues an adequacy decision under Article 45 of the GDPR.

As regards data protection, the relationship between the EU and the UK remains unchanged until 1 May 2021 (or 1 July 2021, if it is extended). For the second semester of 2021, however, and if the EU does not issue an adequacy decision, things will change.

Risks of non-compliance

Following the transition period, and unless the EU determines the level of adequacy for personal data protection in the UK, the risks of non-compliance for businesses transferring data from an EEA country to the UK are significant.

Businesses infringing provisions regarding the personal data transfers to recipients in a third country are subject to fines up to €20 million or up to 4% of their total worldwide annual turnover, whichever is higher.

Having considered the risks posed by faulty compliance with the rules governing the transfers of data to the UK after the transition period, businesses must understand the GDPR requirements for cross-border transfers and structure internal policies accordingly.

International transfers of data under the GDPR

Communication of personal data from a data permanent storage location within the EEA made available to an identified party with the sender’s knowledge or intention to give the recipient access to such personal data at destination outside of the EEA is an international transfer of data.

Under Articles 45 and 46 of the GDPR, transfers of data outside of EEA can only occur if (i) they rely on an adequacy decision of the EU or, if there is none, if (ii) there are appropriate safeguards in place, namely adequate standard contractual clauses, binding corporate rules, codes of conduct, or security certification procedures, save for any of the derogations of Article 49, and (ii) on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

An adequacy decision by the EU determines that a country outside of the EEA has an adequate level of data protection standards to the extent that data can be transferred to that country without any further safeguards. It is expected that the EU will issue an adequacy decision on the UK during the transition period, but businesses should nevertheless be prepared to put in place standard contractual clauses, corporate rules binding their group’s entities, codes of conduct and certification mechanisms in line with the EU’s standards and guidelines.

It is also useful to consider two sets of recommendations issued by EDPB on personal data transfer to third countries and related to the conclusions of the CJUE in its recent judgment C-311/18 (Schrems II). These recommendations have a special impact on measures that supplement transfer tools to ensure compliance with adequate levels of personal data protection.

Summary

For the first four months of 2021, there will be an interim period, which can be extended for an additional two months, in which transfers from EEA to the UK can occur legitimately without the requirements set out under GDPR for international data transfers. 
It is noteworthy that the interim period is precarious: in case the UK changes its current legal framework on data protection, the transition period will immediately come to an end, except if previously approved by the EU. At the end of this interim period, unless the EU issues an adequacy decision on the UK data protection framework, transfers of data from an EEA country to the UK are not permitted unless appropriate safeguards are put in place in compliance with GDPR.

Ver pdf

The International Chamber of Commerce (ICC) has amended its arbitration rules effective January 1, 2021.

These amendments apply to all ICC arbitrations to be commenced from that date, irrespective of when the underlying Arbitration Agreement was concluded, unless the parties "have agreed to submit to the Rules in effect on the date of their arbitration agreement” (Article 6 (1)).

Although some of the amendments recently introduced are intended to overcome challenges posed by the Covid-19 pandemic, they should, nevertheless, continue to make ICC arbitration more flexible, transparent and efficient in the years to come.

We hope the following may help you keeping track of the amended rules applicable to ICC arbitrations.

1. Conflict of Interests

The 2021 ICC Rules introduce three Articles that mainly prompt to ensure the independence and impartiality of the arbitral tribunal.

Article 11 (7) requires the parties to notify the ICC Secretariat, the arbitral tribunal and other parties of the existence and identity of non-litigant third parties funding the claims pursued in the arbitration, considering that such third parties have an economic interest in the outcome of the arbitration.

In addition, Article 13(6), applying to investment arbitrations based on a treaty, ensures complete neutrality of the arbitral tribunal by providing that no arbitrator shall have the same nationality of any party to the arbitration.

To prevent the emergence of conflicts of interests between arbitrators and new party representatives, after the establishment of the tribunal, Article 17 (1) obliges the parties to inform the Secretariat, the arbitral tribunal and the counterparties of any changes of its representatives.

Also, once a party communicates an alteration of its representatives, the arbitral tribunal may take any measures to avoid a conflict of interests, including rejecting the proposed change or limiting the new representatives’ participation in part of the proceedings (Article 17 (2)).

2. The Virtualization of Arbitration

The 2021 ICC arbitration rules seek to adapt the arbitration proceedings to the new context of circulation restrictions and the technological breakthrough carried by the COVID-19 pandemic, simultaneously aiming to reduce the delays and costs of arbitration procedures.

As a result of the Covid-19 pandemic, virtual hearings became an increasing option for parties. To align with what is now common practice in arbitration, the revised Article 26 (1) gives discretion to the tribunal to decide, after consulting the parties and considering the circumstances of the case, if a hearing shall be conducted in person or remotely, by videoconference, teleconference, or other possible means of communication.

Interestingly enough, the previous ICC Rules already included a recommendation to hold hearings through telephone or video conferencing whenever personal attendance was not necessary (Appendix IV – case management techniques, Article 1 (f)).

In what concerns written submissions, notifications and communications, the revised Article 3 (1) abandons the rule of its physical presentation and allows the parties to choose any means of telecommunication that provide a record of the sending.

By removing the rule of paper filings, the ICC affirms its call for “greener” arbitrations while expanding the principles of efficiency and flexibility.

3. Joinder and consolidation provisions

The new Article 7 (5) establishes some requirements for the acceptance of a Request for Joinder of additional parties after the appointment of any arbitrator. Besides the agreement of all the parties (Article 7 (1)), the additional party must accept the constitution of the arbitral tribunal and the Terms of Reference, if they exist.

Once these requirements are fulfilled, the arbitral tribunal decides on the request, considering “all relevant circumstances”, including, without limitation, the “prima facie jurisdiction over the additional party, the timing of the Request for Joinder, possible conflicts of interests and the impact of the joinder on the arbitral procedure”.

Regarding the consolidation of arbitrations, the Court may now order the consolidation of two or more arbitrations when the claims are made under various common arbitration agreements (Article 10 (b)) or when the claims are not made under the same arbitration agreement or agreements, but the arbitrations have common parties, the disputes in the arbitrations arise in connection with the same legal relationship, and the arbitration agreements are compatible (Article 10 (c)).

Thus, the consolidation of arbitrations becomes easier and more flexible.

4. Tribunal appointments

The new Article 12 (9) confers the Court competence to, in exceptional circumstances, appoint all the arbitrators, regardless of any agreement between the parties. The 2017 version of ICC Rules only allowed the Court to appoint the arbitrators when parties were unable to agree on the constitution of the arbitral tribunal.

The purpose of the norm is to prevent the violation of fundamental principles of the arbitration procedure, like the equality of the parties and the fair trial, thereby avoiding the nullity of the arbitral award. Actually, the mentioned principles are limitations to the principle of freedom to choose the arbitrators and the mechanisms for their selection.

Bearing this in mind, the intervention of the Court will be justified, v.g., when the information or power asymmetry between the parties generates appointment agreements that ascribe the choice of all arbitrators to one party or prevent one party to choose certain people or people with certain characteristics to be the party appointed arbitrator.  

It should be noted that the application of Article 12 (9) may generate problems of compatibilization with Article V(1)(d) of the 1958 New York Convention, according to which an award may be refused recognition if the composition of the arbitral tribunal is not in accordance with the parties' agreement.

5. Additional Award

The 2021 ICC Rules introduce the possibility of an application for an additional award in case the arbitral tribunal omits a ruling on any of the parties’ claims. This application must be presented to the Secretariat within 30 days from receipt of the award by the parties. After granting the other parties the possibility to submit any comments to the application, the arbitral tribunal drafts a decision to be submitted to the Court.  

If the Court accepts the arbitral tribunal’s decision to grant the application, that decision takes the form of an additional award.

6. Expedited Procedure Rules

2021 ICC Rules raise the threshold to opt-out of the expedited procedure rules from USD 2 million to USD 3 million when the arbitration agreement is concluded on or after 1 January 2020. Thus, arbitration agreements concluded on or after 1 March 2017 and up to the end of 2020 remain subject to the USD 2 million threshold established on 2017 ICC Rules.

Conclusions

The changes introduced by ICC 2021 Rules will likely increase the efficiency and flexibility of ICC arbitrations, reducing costs and allowing the adjustment of the procedures according to a multiplicity of factors, like the complexity of the dispute, the participants’ availability to travel or any restrictions to the free movement of persons.

At the same time, the 2021 ICC Rules strongly invest in guaranteeing the tribunal’s independence, impartiality and transparency, raising the public’s confidence in arbitral institutions and the reliability of the arbitral awards.