On 14 January 2021, the European Data Protection Board ('EDPB') adopted Guidelines 1/2021, the first guidelines issued this year, which include practical and useful examples of notifications of personal data breaches ('Guidelines') under the General Data Protection Regulation ('GDPR').
These Guidelines continue the guidelines issued by the former Article 29 Working Party ('WP250 Guidelines') in 2018, adding the experience obtained by the supervisory authorities of the various Member States with the application of the GDPR.
In contrast with the WP250 Guidelines, the current Guidelines adopt a more practical approach, stressing the importance of a risk assessment when it comes to the possible causes for a data breach. The Guidelines provide examples of data breaches (the most common) and the procedures to be followed, underlining the importance of documenting the entire process in the event of a data breach.
The examples given are divided into six groups: (i) 'ransomware'; (ii) data exfiltration ‘attacks’; (iii) breach due to human error within companies; (iv) lost or stolen devices and paper documents; (v) breach resulting from communications (‘mispostal’); and (vi) other cases (involving 'social engineering').
The specific examples indicated by the EDPB (about 18) range from submitting an online application for a job position, to filling in credentials on a bank website, to personal data breaches in hospitals.
In other words, these are day-to-day situations from which no person or entity is completely safe. It is therefore recommended that the following measures be taken in the event of a data breach:
- Investigate the data breach so that, after identifying its origin, the measures to be taken are assessed. Ideally, there should be a 'contingency plan' drawn up in advance for this purpose;
- The next step is to take the necessary measures to mitigate the damage resulting from the data breach (such as returning all affected computer systems to a 'clean' state and repairing their vulnerability) and report the breach to the relevant supervisory authority. The breach should be reported within 72 hours from the moment it is known, when it is likely that it represents a risk to the rights and freedoms of the persons involved (the data subjects);
- Finally, if the data breach constitutes (or is likely to constitute) a high risk to the data subjects’ rights and freedoms, it must also be reported to the data subject.
These Guidelines will be under public consultation until March 2, 2021.
Overview
On January 15, 2021, the European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) adopted a joint opinion on the draft proposal of Standard Contractual Clauses (SCCs) released by the European Commission on November 12 2020 for data transfers from within the EEA to non-EEA countries (third countries) (the Draft SCCs).
Once settled, the Draft SCCs will replace the existing SCCs: (i) EU controller to non-EU or EEA controller (Decision 2001/497/EC and Decision 2004/915/EC) and (ii) EU controller to non-EU or EEA processor (Decision 2010/87/EU), approved under the former Data Protection Directive, which was repealed by the EU General Data Protection Regulation (GDPR).
GDPR requires a solution to be implemented for data transfers from the European Economic Area (EEA) to third countries that do not provide an adequate level of data protection. The SCCs, among or together with other options, such as data subject’s consent, binding corporate rules (BCR), ad hoc contractual clauses, approved codes of conduct or certification mechanisms, allow international data transfers in compliance with GDPR.
The EU-US Privacy Shield was also one of the solutions used to justify data transfers from the EEA to the US. Last summer, however, the EU-US Privacy Shield was ruled void by the Court of Justice of the European Union (CJEU) in the Schrems II case. Consequently, organizations using the EU-US Privacy Shield need to rely on alternative solutions, among which SCCs may be used to justify data transfers to the US.
For a comprehensive approach, we will first recall the Schrems II case and the subsequent steps until the recent joint opinion issued by EDPB and EDPS.
Schrems II case
This decision of July 16 2020 (Schrems II case) is the sequel to a previous ruling, where the CJEU invalidated the EU-US Safe Harbour (Schrems I case). The EU-US Safe Harbour was the predecessor of the Privacy Shield, which was also ruled inadequate to ensure the level of protection required for international data transfers. In turn, the CJEU considered the Commission Decision 2010/87/EU applicable to data transfers from EU controllers to non-EU or EEA processors to be valid.
This CJEU ruling follows a complaint lodged by M. Schrems. The Austrian citizen and Facebook user lodged his complaint with the Irish data supervisory authority seeking to prohibit Facebook Ireland from transferring his personal data to the US. Personal data of Facebook users who are resident in the EU is transferred to servers of Facebook Inc. located in the US, where it is processed under International SCCs.
M. Schrems claimed that International SCCs would not offer sufficient protection against access by US public authorities to the data transferred to the US.
Following the Advocate General’s Opinion (non-binding opinion published on 19 December 2019) on this case, the CJEU considered International SCCs as adequate. The Court points out that International SCCs decision imposes an obligation on the data exporter and on the data recipient to verify, prior to any transfer, whether that level of protection is respected in the receiving country and that the decision requires the recipient to inform the data exporter of any inability to comply with International SCCs, the latter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the former.
On the other hand, CJEU challenged the level of protection afforded by the Privacy Shield on the grounds that it does not include satisfactory limitations to ensure the protection of EU personal data from access and use by US public authorities based on US domestic law.
The Schrems II case has relevant implications for data transfers from the EU to third countries (namely the US) and left data subjects, controllers, and processors with a great deal of uncertainty in relation to the conditions under which data exports can occur, i.e. what the practical consequences for existing and new contracts are and how to conduct Transfer Impact Assessments (TIAs) going forward.
SCCs meet businesses halfway
Further to the Schrems II ruling, on 10 November 2020, the EDPB adopted recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.
The EDPB recommendations emphasize the principle of accountability, under which controllers that export personal data must ensure that, whatever mechanism and supplemental measures govern a data transfer, the data receives the same protection it would in the EU. Otherwise, the data transfer will breach GDPR. These recommendations are targeted at both public and private transfers of EU data to private sector entities outside the EU.
Data exporters need to determine whether they must use supplemental measures other than the revised SCCs. EDPB provides examples of supplementary measures to be assessed on a case-by-case basis, such as “flawlessly implemented” encryption and pseudonymizing data.
Two days after the EDPB’s recommendations, the Commission published the Draft SCCs with input due by December 10, 2020. As data processing is increasingly complex, the watchword of this draft proposal is adaptability.
The Draft SCCs combine general clauses with a modular approach to cater for various transfer scenarios. In addition to the general clauses, controllers and processors should select the module applicable to their situation among the four following modules: (i) module one: transfer controller to controller; (ii) module two: transfer controller to processor; (iii) module three: transfer processor to processor; and (iv) module four: transfer processor to controller.
Some relevant issues that should be concerning to organizations dealing with international data transfers, and that do not solve any of the issues raised by the Draft SCCs, include:
- The adequacy of the law and practices of the third country. This is not a great relief for controllers and processors, who bear a great deal of responsibility;
- A brief period of one year to comply. Organizations will need to put in practice the revised SCCs for their entire business operation. The draft proposal grants organizations one year to do so, which may come up short;
- The revised SCCs are not necessarily of use, or mandatory, for organizations operating under SCCs of greater privacy assurance. SCCs work as a minimum protection threshold.
Joint opinion of EDPB and EDPS
In this context, on November 12 2020, the Commission requested EDPB and EDPS to issue a Joint Opinion on the Draft Decision and the Draft SCCs (“the Joint Opinion”).
In general, EDPB and EDPS are of the opinion that the Draft SCCs offer a reinforced level of protection for data subjects. In particular, EDPB and EDPS welcome the specific provisions intended to address some of the main issues identified in the Schrems II ruling.
Nevertheless, EDPB and EDPS are of the understanding that several provisions could be improved or clarified, including (i) the scope of SCCs; (ii) certain third-party beneficiary rights; (iii) certain obligations regarding onward transfers; (iv) aspects of the assessment of third country laws regarding access to public data by public authorities; and (v) the notification to the supervisory authority.
The conditions under which SCCs can be used must be clear for organizations and data subjects should be provided with effective rights and remedies. SCCs should include a clear distribution of roles and of the liability regime between the parties. Regarding the need, in certain cases, for ad-hoc supplementary measures to ensure that data subjects are afforded a level of protection essentially equivalent to that guaranteed within the EU, the Joint Opinion considers that new SCCs will have to be used along with EDPB Recommendations on supplementary measures.
EDPB and EDPS thus invite the Commission to refer to the final version of EDPB Recommendations on supplementary measures.
The revised SCCs, together with the recent Schrems II ruling, will give a new approach to international data transfers, with due diligence measures required of data exporters to ascertain whether the country of the data importer effectively ensures an adequate level of protection. For data exporters, however, this may become a huge task, as they will need to map all transfers and understand the laws and practices of the third country to adopt appropriate measures to meet the EU’s data protection requirements.
Since January 1, 2021, the UK is considered a third country regarding international transfers of data. Except for the interim period of four months set out in the EU-UK Trade and Cooperation Agreement, transfers of personal data from the EEA to the UK will be treated as a data transfer to a third country, and the transfer will need to meet the GDPR requirements for international data transfers.
If the EU does not issue an adequacy decision on the UK for the purpose of international data transfers within the next four to six months, all companies that transfer personal data to the UK will need to ensure that they have appropriate safeguards that comply with the requirements of GDPR and legitimize transfers of data to the UK.
In this short briefing, you can learn more about (i) the EU-UK Trade and Cooperation Agreement regarding data protection, (ii) the implications of non-compliant data transfers to the UK, and (iii) the GDPR requirements for international transfers of data.
Brexit: bidding farewell to the UK
From January 1, 2021, the EU and the UK form two separate markets. The movement of persons, goods and services has come to an end between these two territories. On December 24, 2020, the EU and the UK agreed the terms of a free trade agreement, a governance framework, and a citizen’s security framework.
As regards personal data protection, the EU and UK commit to uphold high levels of data protection standards, and, for a period of four to six months, an interim period allows the free flow of personal data from EEA countries to the UK, ensuring a transition after Brexit. This is temporary relief for businesses, as a no-deal Brexit would have meant that new transfer mechanisms were needed as early as January 2021.
The UK issued guidance stating that EEA countries will be considered adequate for the purpose of transfers of data, so these transfers will be permitted from the UK to the EEA. But the Brexit deal leaves out the adequacy of data protection rules in the UK, so for data transfers from EEA countries to the UK to be considered legitimate, it is still necessary that the EU issues an adequacy decision under Article 45 of the GDPR.
As regards data protection, the relationship between the EU and the UK remains unchanged until 1 May 2021 (or 1 July 2021, if it is extended). For the second semester of 2021, however, and if the EU does not issue an adequacy decision, things will change.
Risks of non-compliance
Following the transition period, and unless the EU determines the level of adequacy for personal data protection in the UK, the risks of non-compliance for businesses transferring data from an EEA country to the UK are significant.
Businesses infringing provisions regarding the personal data transfers to recipients in a third country are subject to fines up to €20 million or up to 4% of their total worldwide annual turnover, whichever is higher.
Having considered the risks posed by faulty compliance with the rules governing the transfers of data to the UK after the transition period, businesses must understand the GDPR requirements for cross-border transfers and structure internal policies accordingly.
International transfers of data under the GDPR
Communication of personal data from a data permanent storage location within the EEA made available to an identified party with the sender’s knowledge or intention to give the recipient access to such personal data at destination outside of the EEA is an international transfer of data.
Under Articles 45 and 46 of the GDPR, transfers of data outside of the EEA can only occur if (i) they rely on an adequacy decision of the EU or, if there is none, if (ii) there are appropriate safeguards in place, namely adequate standard contractual clauses, binding corporate rules, codes of conduct, or security certification procedures, save for any of the derogations of Article 49, and (iii) on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
An adequacy decision by the EU determines that a country outside of the EEA has an adequate level of data protection standards to the extent that data can be transferred to that country without any further safeguards. It is expected that the EU will issue an adequacy decision on the UK during the transition period, but businesses should nevertheless be prepared to put in place standard contractual clauses, corporate rules binding their group’s entities, codes of conduct and certification mechanisms in line with the EU’s standards and guidelines.
It is also useful to consider two sets of recommendations issued by EDPB on personal data transfer to third countries and related to the conclusions of the CJEU in its recent judgment C-311/18 (Schrems II). These recommendations have a special impact on measures that supplement transfer tools to ensure compliance with adequate levels of personal data protection.
Summary
For the first four months of 2021, there will be an interim period, which can be extended for an additional two months, in which transfers from EEA to the UK can occur legitimately without the requirements set out under GDPR for international data transfers.
It is noteworthy that the interim period is precarious: in case the UK changes its current legal framework on data protection, the transition period will immediately come to an end, except if previously approved by the EU. At the end of this interim period, unless the EU issues an adequacy decision on the UK data protection framework, transfers of data from an EEA country to the UK are not permitted unless appropriate safeguards are put in place in compliance with GDPR.
The International Chamber of Commerce (ICC) has amended its arbitration rules effective January 1, 2021.
These amendments apply to all ICC arbitrations to be commenced from that date, irrespective of when the underlying Arbitration Agreement was concluded, unless the parties “have agreed to submit to the Rules in effect on the date of their arbitration agreement” (Article 6 (1)).
Although some of the amendments recently introduced are intended to overcome challenges posed by the Covid-19 pandemic, they should, nevertheless, continue to make ICC arbitration more flexible, transparent and efficient in the years to come.
We hope the following may help you keep track of the amended rules applicable to ICC arbitrations.
1. Conflict of Interests
The 2021 ICC Rules introduce three Articles that mainly seek to ensure the independence and impartiality of the arbitral tribunal.
Article 11 (7) requires the parties to notify the ICC Secretariat, the arbitral tribunal and other parties of the existence and identity of non-litigant third parties funding the claims pursued in the arbitration, considering that such third parties have an economic interest in the outcome of the arbitration.
In addition, Article 13 (6), applying to investment arbitrations based on a treaty, ensures complete neutrality of the arbitral tribunal by providing that no arbitrator shall have the same nationality as any party to the arbitration.
To prevent the emergence of conflicts of interests between arbitrators and new party representatives after the establishment of the tribunal, Article 17 (1) obliges the parties to inform the Secretariat, the arbitral tribunal and the counterparties of any changes of their representatives.
Also, once a party communicates an alteration of its representatives, the arbitral tribunal may take any measures to avoid a conflict of interests, including rejecting the proposed change or limiting the new representatives’ participation in part of the proceedings (Article 17 (2)).
2. The Virtualization of Arbitration
The 2021 ICC arbitration rules seek to adapt the arbitration proceedings to the new context of circulation restrictions and the technological breakthrough carried by the COVID-19 pandemic, simultaneously aiming to reduce the delays and costs of arbitration procedures.
As a result of the Covid-19 pandemic, virtual hearings became an increasing option for parties. To align with what is now common practice in arbitration, the revised Article 26 (1) gives discretion to the tribunal to decide, after consulting the parties and considering the circumstances of the case, if a hearing shall be conducted in person or remotely, by videoconference, teleconference, or other possible means of communication.
Interestingly enough, the previous ICC Rules already included a recommendation to hold hearings through telephone or video conferencing whenever personal attendance was not necessary (Appendix IV – case management techniques, Article 1 (f)).
As regards written submissions, notifications and communications, the revised Article 3 (1) abandons the rule of their physical presentation and allows the parties to choose any means of telecommunication that provide a record of the sending.
By removing the rule of paper filings, the ICC affirms its call for “greener” arbitrations while expanding the principles of efficiency and flexibility.
3. Joinder and consolidation provisions
The new Article 7 (5) establishes some requirements for the acceptance of a Request for Joinder of additional parties after the appointment of any arbitrator. Besides the agreement of all the parties (Article 7 (1)), the additional party must accept the constitution of the arbitral tribunal and the Terms of Reference, if they exist.
Once these requirements are fulfilled, the arbitral tribunal decides on the request, considering “all relevant circumstances”, including, without limitation, the “prima facie jurisdiction over the additional party, the timing of the Request for Joinder, possible conflicts of interests and the impact of the joinder on the arbitral procedure”.
Regarding the consolidation of arbitrations, the Court may now order the consolidation of two or more arbitrations when the claims are made under various common arbitration agreements (Article 10 (b)) or when the claims are not made under the same arbitration agreement or agreements, but the arbitrations have common parties, the disputes in the arbitrations arise in connection with the same legal relationship, and the arbitration agreements are compatible (Article 10 (c)).
Thus, the consolidation of arbitrations becomes easier and more flexible.
4. Tribunal appointments
The new Article 12 (9) confers on the Court the competence to appoint all the arbitrators in exceptional circumstances, regardless of any agreement between the parties. The 2017 version of the ICC Rules only allowed the Court to appoint the arbitrators when parties were unable to agree on the constitution of the arbitral tribunal.
The purpose of the norm is to prevent the violation of fundamental principles of the arbitration procedure, like the equality of the parties and the fair trial, thereby avoiding the nullity of the arbitral award. Actually, the mentioned principles are limitations to the principle of freedom to choose the arbitrators and the mechanisms for their selection.
Bearing this in mind, the intervention of the Court will be justified, e.g., when the information or power asymmetry between the parties generates appointment agreements that ascribe the choice of all arbitrators to one party or prevent one party from choosing certain people, or people with certain characteristics, as the party-appointed arbitrator.
It should be noted that the application of Article 12 (9) may generate problems of compatibility with Article V(1)(d) of the 1958 New York Convention, according to which an award may be refused recognition if the composition of the arbitral tribunal is not in accordance with the parties' agreement.
5. Additional Award
The 2021 ICC Rules introduce the possibility of an application for an additional award in case the arbitral tribunal omits a ruling on any of the parties’ claims. This application must be presented to the Secretariat within 30 days from receipt of the award by the parties. After granting the other parties the possibility to submit any comments to the application, the arbitral tribunal drafts a decision to be submitted to the Court.
If the Court accepts the arbitral tribunal’s decision to grant the application, that decision takes the form of an additional award.
6. Expedited Procedure Rules
The 2021 ICC Rules raise the threshold to opt out of the expedited procedure rules from USD 2 million to USD 3 million when the arbitration agreement is concluded on or after 1 January 2020. Thus, arbitration agreements concluded on or after 1 March 2017 and up to the end of 2020 remain subject to the USD 2 million threshold established in the 2017 ICC Rules.
Conclusions
The changes introduced by ICC 2021 Rules will likely increase the efficiency and flexibility of ICC arbitrations, reducing costs and allowing the adjustment of the procedures according to a multiplicity of factors, like the complexity of the dispute, the participants’ availability to travel or any restrictions to the free movement of persons.
At the same time, the 2021 ICC Rules strongly invest in guaranteeing the tribunal’s independence, impartiality and transparency, raising the public’s confidence in arbitral institutions and the reliability of the arbitral awards.
The Portuguese Data Protection Authority (CNPD) launched its plan of activities for 2021, a plan that is conditioned by and considers the current situation caused by the Covid-19 pandemic. Social confinement as well as other limitations in social interaction have contributed to the promotion of new types of personal data processing, due to telework, distance learning, and matters of protection of privacy and public interest in health data processing, which requires monitoring by CNPD in 2021.
Regarding the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), CNPD will propose requirements and procedures for the approval of codes of conduct and measures to guarantee the application of the principles of Privacy by Design and by Default.
CNPD will also provide guidance in matters that have gained importance over the years, such as data processing of children and other vulnerable groups, by offering guidelines to those responsible for processing and raising awareness amongst children and young people, using language adequate to the recipients.
The legal regime applicable to cookies will be monitored and further explained. CNPD will assist in the compliance of the GDPR as well, especially when it comes to the form and content of privacy policies and the obligation to inform data subjects. The Activity Plan focuses mainly on raising citizens’ and companies’ awareness about personal data protection and privacy as well as supervision of personal data processing.
In 2021, CNPD will conduct audits and inspections to verify compliance with the personal data protection legal regime, especially focusing on areas such as: (i) video surveillance in public space; (ii) call centers; and (iii) TVDE platform.
Regarding specific measures, the Activity Plan emphasizes the supervision and monitoring of data processing within the 2021 Census and the presidential election, as well as in the context of teleworking and distance learning.
The plan includes the implementation and connection, at a national level, of the large-scale European information system for recording the entry and exit of third country nationals (ENS), and the monitoring of the transition to the new Schengen Information System, adaptation to the new legal framework of the Schengen Information System (SIS) and consequent changes in the national system and procedures for the entry into operation of the system.
The national parties of the European Information Systems SIS II, VIS and Eurodac will also be inspected regularly, as well as the Office of Single Contact Point Management for International Police Cooperation (PUC-CPI).
On December 22, the Portuguese Ministers’ Council approved a new regulation that will progressively put an end to golden visas, first in the metropolitan areas of Lisbon and Oporto, and, from July 2021 onwards, in the entire coast regions of Portugal. In the future, this residency permit will only be granted in the inland regions of Portugal, as well as in the autonomous regions of Madeira and Azores. This means that foreign investors intending to acquire a Portuguese residence permit will have to do so investing in real estate outside the country’s major cities.
The change will enter into force on July 1, 2021, but between 2021 and 2022 there will still be a transitional period during which the application of these new rules will be progressive, in the sense that the required investment amounts in metropolitan areas will be progressively higher and the possibility of application in these areas will be reduced over time. These investment amounts, however, have not yet been revealed.
This measure was included in the State Budget for 2020, but, because of the COVID-19 pandemic, has been postponed, and returns now slightly modified, in the Portuguese government’s view, to keep up with the economic recession the country is presently going through.
The Council of Ministers’ press release mentions that the purpose is to promote and increase foreign investment in the interior and low-density regions of Portugal, mainly in “urban requalification, cultural heritage, activities of high environmental or social value, productive investment and job creation”.
This decision worries most real estate market players who fear it will push foreign investors away from Portugal and to other countries where there are no restrictions.
The Portuguese Association of Real Estate Promoters and Investors said the end of golden visas in Lisbon and Oporto means the loss of €700 million in investment per year by the national economy.
1. The first two ‘hub-and-spoke’ decisions
For the first time, the Portuguese Competition Authority (Autoridade da Concorrência – ‘AdC’) issued not one but two decisions on ‘hub-and-spoke’ arrangements in the alcoholic and spirit beverages market, imposing a total fine of circa €304 million – the largest fine ever imposed by AdC – against six large food retail chains.
The two cases now fined are not the first ‘hub-and-spoke’ cases investigated by AdC. The large retail chains sector is a key sector on AdC’s watch. During 2017, AdC carried out dawn raids at the premises of 44 entities, which resulted in the opening of 16 proceedings, mostly against large retail chains.
Currently, investigations have led to seven statements of objections for ‘hub-and-spoke’ arrangements, including the one issued a week ago. Last week, AdC issued a statement of objections against three of the six large food retail chains now fined – Modelo Continente, Pingo Doce and Auchan – for another ‘hub-and-spoke’ arrangement in the cosmetics and personal care products market.
In the first decision, AdC considered that the six large food retail chains Modelo Continente, Pingo Doce, Auchan, Intermarché, Lidl and E. Leclerc (the spokes) used the commercial relationship with the supplier (the hub) Sociedade Central de Cervejas (‘SCC’) – which commercializes, among others, beers Sagres and Heineken, ciders, such as Bandida do Pomar and sparkling water such as Água do Luso – to progressively increase their prices in the retail market. A SCC board member and a business unit director of Modelo Continente were also fined by AdC.
The AdC’s investigation concluded that the distributors and the supplier concerted prices between 2008 and 2017, that is, for more than nine years, at the consumers’ expense.
In the second decision, AdC fined the same four large food retail chains (Modelo Continente, Pingo Doce, Auchan and Intermarché), as well as Lidl and Cooplecnorte (E. Leclerc), for concerting prices, through the spirits supplier Primedrinks, in various alcoholic and spirit beverages, including wines from Esporão and Aveleda producers, whiskies such as The Famous Grouse or Grant´s, Hendrick’s gin or Stolichnaya vodka. This ‘hub-and-spoke’ arrangement occurred between 2007 and 2017, that is, more than 10 years.
Although ‘hub-and-spoke’ arrangements differ from traditional horizontal cartels in the lack of direct communication between the horizontal competitors, the adverse market effects may be similar – both may result in a hard-core price-fixing cartel, through a common supplier, thus restricting price competition between players and depriving consumers from price differentiation.
In the current two decisions, in addition to the fines, AdC ordered the undertakings to immediately cease the ‘hub-and-spoke’ arrangements, as AdC was not able to rule out that the investigated practices would continue.
2. How does a ‘hub-and-spoke’ work?
‘Hub-and-spoke’ arrangements are horizontal restrictions on the supplier or retailer level (the ‘spokes’), which are carried out through vertically related players that serve as a common ‘hub’ (e.g., a common retailer or service provider). The hub enables the coordination of competition between the spokes without direct contacts between the spokes, as shown below.
On 25 November 2020, the European Commission (EC) published a proposal for Regulation on European Data Governance (the Data Governance Act), which will set out a new legal framework to promote the development of common European data spaces: a Single Market for data.
The Data Governance Act is the first set of measures announced in the 2020 European Strategy for Data, and it was followed by a public consultation carried out between February and May this year. EC also released a Questions & Answers document and a Factsheet on European data governance, alongside the Data Governance Act.
The Data Governance Act is the cornerstone of the EC’s Data Strategy, which targets a set of changes on digital regulatory and antitrust matters, including: (i) the EC’s white paper on artificial intelligence and consultations on the Digital Services Act package; (ii) a ‘New Competition Tool’ (NCT) to allow the EC to examine and make changes in market structure; and (iii) the EC notice on market definition.
Following the Data Governance Act, reviewed in Part One of this article, EC published two important legislative proposals on 15 December 2020: the Digital Services Act (DSA) and the Digital Markets Act (DMA), which are reviewed in Part Two.
Additional legislative proposals, particularly changes to the EC’s enforcement of European Union (EU) competition rules, are also expected in early 2021, and they will be addressed in due course.
Part One – Proposal for a Regulation on European data governance
The Data Governance Act proposes to establish nine common European data spaces for data sharing and pooling in strategic and critical domains, including health, environment, energy, agriculture, mobility, finance, manufacturing, public administration and skills.
For this purpose, the Act establishes three main goals:
- Sharing of public sector data: establishing a mechanism to promote the sharing and re-use of certain categories of data held by public sector bodies in EU;
- Data sharing service providers: creating a new notification and supervisory framework for the provision of data sharing services; and
- ‘Data altruism’: ‘data altruism’ means individuals or businesses voluntarily consenting to the use of data (personal and non-personal) for altruistic purposes (e.g., for scientific research or improving public service). A new framework will enable entities that collect and process data made available for altruistic purposes to qualify for voluntary registration upon fulfilment of some requirements and be recognized as ‘Data Altruism Organizations’.
A new formal expert group is also to be created, the European Data Innovation Board, composed of EC, the European Data Protection Board, and relevant local authorities, with powers to ensure a consistent application of the Data Governance Act across all Member States, including cooperation between local relevant authorities.
Sharing of public sector data
The Data Governance Act establishes a set of common basic conditions for sharing and re-using certain categories of protected public sector data, namely personal data and data covered by intellectual property rights or confidentiality, which hence fall outside the scope of the 2019 Open Data Directive.
The Data Governance Act does not intend to create a right to re-use such data, but instead sets out the conditions with which public bodies (not including State-owned businesses or ‘public undertakings’) must comply when dealing with the re-use of data.
These conditions, which must be non-discriminatory, proportionate and objectively justified, may include: (i) to re-use anonymized or pseudonymized data only; (ii) that the data only be disclosed under the EU General Data Protection Regulation (GDPR); or (iii) to delete commercially confidential information, including trade secrets. Exclusive agreements for re-using data must be avoided, except when necessary for the provision of a service of general interest and must be awarded under EU public procurement and State aid rules and for periods up to three years.
EC may impose further conditions on the re-use of highly sensitive non-personal data (that is, data that is not covered by GDPR), and on data transfer to third countries.
Data sharing service providers
The Data Governance Act creates new rules addressed to intermediaries between data ‘holders’ (data subjects) and data users – the so-called ‘data sharing service providers.’
Data sharing service providers will be obliged to submit a prior notification to the relevant local authority (to be appointed by each Member State and empowered to monitor compliance with the new rules, including cooperating with other sectoral authorities).
The provision of data sharing services will have to fulfil specific requirements: (i) the collected data cannot be used for other purposes, and any metadata can only be used for the provision of that service; (ii) data sharing services must be provided by a separate legal entity from other services; (iii) data interoperability; (iv) service providers must act under a fiduciary duty towards data subjects; (v) adequate security safeguards must be in place; and (vi) service providers that are not established within the EU must appoint a legal representative in one of the Member States.
‘Data altruism’
The Data Governance Act provides a legal framework for voluntary registration of entities that collect and process data (personal and non-personal data) made available for altruistic purposes. In order to qualify for registration, a data altruism organization must fulfil certain criteria, including being a non-profit organization. Data altruism organizations that are not established in the EU must appoint a legal representative in the EU. Each Member State must appoint one or more local authorities to keep the register of data altruism organizations and monitor compliance with the requirements applicable to data altruism organizations.
Part Two – the Digital Services Act and the Digital Markets Act
As part of the European Digital Strategy, Shaping Europe’s Digital Future, DSA and DMA will address new challenges that have surfaced with digital developments. At the same time, these Acts will ensure that users, consumers and businesses continue to benefit from digital developments. DSA and DMA have two main goals:
- To create a safer digital space in which the fundamental rights of all users of digital services are protected (DSA’s goal); and
- To establish a level playing field to foster innovation, growth, and competitiveness, both in the European Single Market and globally (DMA’s goal).
Digital Services Act (DSA)
DSA establishes a set of new, harmonized EU-wide obligations for digital services that connect consumers to goods, services, or content, ranging from simple websites to internet infrastructure services and online platforms.
The DSA’s rules mainly concern online intermediaries and platforms, such as online marketplaces, social networks, content-sharing platforms, app stores as well as online travel and accommodation platforms.
The new obligations are addressed according to services’ size and impact. Platforms that reach more than 10% of the EU’s population (45 million users) are considered systemic in nature and will be subject to a new control framework and specific obligations to control their own risks.
In a nutshell, DSA includes:
- Rules for the removal of illegal goods, services or content online and safeguards for users whose content has been erroneously deleted by platforms;
- New obligations for very large platforms to take risk-based action to prevent abuses;
- Wide-ranging transparency measures, including on online advertising and on the algorithms used to recommend content to users;
- New powers to examine how platforms work, including by facilitating access by researchers to key platform data; and
- New rules on traceability of business users in online marketplaces, to help track down sellers of illegal goods or services.
This new accountability framework will be followed by an innovative cooperation network of public authorities – board of national ‘Digital Services Coordinators’ – with special powers in supervising very large platforms including the power to sanction them directly.
Digital Markets Act (DMA)
DMA is addressed to gatekeepers of ‘core platform services’, e.g., social networking, video-sharing platforms, communication services, operating systems, clouds, and advertising, with (i) a systemic role in the internal market and that (ii) function as bottlenecks between businesses and consumers. These criteria will be met if a company has:
- A strong economic position, significant impact on the internal market and is active in multiple EU countries – presumed so if the annual turnover equals or exceeds €6.5 billion or the market capitalization equals or exceeds €65 billion;
- A strong intermediation position, meaning that it controls an important gateway for business users towards final consumers – presumed so whenever its services have more than 45 million monthly active users and 10,000 yearly active users in the previous year; and
- An entrenched and durable position in the market, meaning that it is stable over time – presumed so if the two criteria above have lasted the past three years.
Although these presumptions are rebuttable, service providers must, in any case, notify the EC if they meet the thresholds above. If defined as a “gatekeeper”, companies will have to comply with a clearly defined set of obligations and prohibitions, including:
- Refrain from treating services/products offered by the gatekeeper itself more favorably in ranking than similar services/products offered by third parties on the gatekeeper's platform;
- Ensure interoperability with the gatekeeper’s platform to third parties;
- Share, in compliance with privacy rules, data that is provided or generated through business users' and their customers' interactions on the gatekeepers' platform;
- Provide companies advertising on their platform with the tools and information necessary for advertisers/publishers to carry out their own independent verification of their advertisements hosted by the gatekeeper;
- Allow their business users to promote their offer and conclude contracts with their customers outside the gatekeeper’s platform;
- Refrain from preventing consumers from un-installing any pre-installed software or app if they so wish.
In case of infringement of the DMA’s rules, gatekeepers may be subject to fines up to 10% of the company’s total worldwide annual turnover, and periodic penalty payments up to 5% of the average daily turnover. In case of systematic infringements, additional remedies may be imposed, including non-financial remedies, e.g., the divestiture of (parts of) a business.
Next steps
The Data Governance Act, DSA and DMA will be discussed and passed by the European Parliament and the Council of Ministers in the ordinary legislative procedure. Once approved, which should occur until at least the third quarter of 2021, they will be directly applicable across the EU.
The far-reaching nature and characteristics of DSA and DMA suggest that these statutes may set the benchmark for digital services globally, similarly to what GDPR meant to privacy laws worldwide.
Macedo Vitorino launched the 2020 edition of its «Why Portugal Report» today.
2020 has been a year of difficult challenges, lockdowns and remote working. Families and businesses had to adapt to live in the midst of a prolonged pandemic. Covid-19 was responsible for the loss of many lives and jobs, the collapse of businesses and many changes in the way we work and interact. This is also a reason to ask the question: Why invest in Portugal?
«Why Portugal 2020 – Doing Business in Portugal» answers this question by providing key information for business people who consider investing in Portugal: how to start and organize a company, what are the rules of employment, the tax system, intellectual property, real estate and solving legal disputes.
"We are pleased to present a new release of our investor guide. The 2020 edition of the WhyPortugal report marks Macedo Vitorino’s capability, like so many other law firms and businesses, of working in adverse conditions," said António Vitorino, the partner in charge of the WhyPortugal project since its start in 2013.
"Despite the pandemic or because of it we must double our efforts in promoting investment," added António Vitorino. "These are difficult times for all, but we know that in exceptional circumstances people with long term views can thrive. We must look ahead and do our business."
This guide reviews the main aspects to be considered by foreign investors looking at Portugal as a place to invest, such as how to set up a business, government incentives, employment, tax system, intellectual property protection and judicial system.
The Portuguese Competition Authority (Autoridade da Concorrência – ‘AdC’) issued a statement of objection against three major supermarket chains, Modelo Continente, Pingo Doce and Auchan, and the supplier of cosmetics and personal care products, Beiersdorf, for a potential ‘hub-and-spoke’ arrangement.
‘Hub-and-spoke’ arrangements are horizontal restrictions on the supplier or retailer level (the ‘spokes’), which are carried out through vertically related players that serve as a common ‘hub’ (e.g., a common retailer or service provider). The hub enables the coordination of competition between the spokes without direct contacts between the spokes.
In this case, AdC considered that Modelo Continente, Pingo Doce and Auchan (the spokes) used the commercial relationship with the supplier (the hub) Beiersdorf – which markets, among others, the Nivea, Harmony, Hansaplast and Labello brands – to align the retail prices of most cosmetics and personal care products, to the detriment of consumers.
‘Hub-and-spoke’ arrangements differ from traditional horizontal cartels in the lack of direct communication between the horizontal competitors, even though the adverse market effects may be similar – both may result in a hard-core price-fixing cartel to the detriment of consumers. Unlike in horizontal cartels, the strategic nature of information exchanged between suppliers and retailers (which could be a necessary pro-competitive practice) cannot be the ultimate criterion for an unlawful ‘hub-and-spoke’ arrangement.
In fact, it can be challenging to set boundaries between legitimate exchanges and indirect horizontal collusion, and it may be necessary to go as far as examining exchanges of forward-looking pricing information and finding evidence of the players’ purpose of engaging in indirect horizontal collusion. The following potential issues could arise: (i) the ‘hub-and-spoke’ evidence (e.g., retail price setting/alignment, control and monitoring of retail prices, retail price deviation corrections); (ii) the legal framework of the arrangement, depending on whether it is a horizontal or vertical arrangement; (iii) the means used to carry out the anticompetitive practice, e.g. Resale Price Maintenance agreements (RPM); and (iv) the purpose and awareness of the involved players.
The current case is not the first ‘hub-and-spoke’ case investigated by AdC. In the large retail chains sector, this recent case adds to six other cases in place and for which statements of objection were also issued in March 2019, and June and July 2020. In the large retail chains sector, which is a key sector, AdC is pursuing more than ten investigations, some of which are still under legal secrecy and should see further developments next year.
In addition, considering the increased use of pricing-related tools, e.g. online platforms, third-party algorithms, online price monitoring and adjustment tools, which can enable ‘hub-and-spoke’ arrangements, it is likely that the current legal framework and enforcement means will need improvement to address these risks in the near future.