The European Commission (EC) published the final version of the Standard Contractual Clauses (SCCs) on June 4, following the draft proposal on November 12, 2020. The topic is of great interest for companies operating outside the European Economic Area (EEA) or working with companies that are. SCCs should give these companies a hand at being GDPR-compliant.
For those less acquainted with SCCs, these take part in ensuring safer international data transfers. A principle of accountability applies to controllers which export personal data to countries outside of the EEA: controllers must ensure that no matter what mechanism and supplemental measures govern a data transfer, the data must receive the same protection at its destination as it would in the European Union (EU), or else the data transfer will be violating the GDPR.
For international data transfers to be possible, the GDPR requires the adoption of mechanisms/measures that ensure that transfers are carried out safely, which may include obtaining the data subject’s consent, adopting Binding Corporate Rules (BCR), ad hoc contractual clauses, approving codes of conduct or certification mechanisms, and/or SCCs.
SCCs set out appropriate safeguards regarding data transfers from (i) controller to controller, (ii) controller to processor, (iii) processor to processor, and (iv) processor to controller.
The new SCCs include general provisions that are applicable to all transfers of data, regardless of the nature of the parties, and specific provisions that the parties should include if they see fit to their specific situation (again, a principle of accountability applies). General obligations include ensuring that data protection rules in the country of destination do not prevent the processing of personal data according with the standard contractual clauses applied, as well as ensuring the minimization of data disclosure to public authorities, a shared responsibility between the parties in case of a data breach, etc.
The new SCCs also address both onward transfers and subscription by third parties. Onward transfers of personal data can lawfully occur, provided the third party subscribes to the SCCs. Subscription to the SCCs is enabled through a docking clause.
The EC sets out a transitional period, within which companies relying on old SCCs under existing data transfer agreements will be able to rely on those outdated SCCs for 18 months after the publication of the new SCCs. For companies entering into new data transfer agreements, the new SCCs ought to be the mechanism to rely on for the purpose of international data transfers, as the new SCCs will be repealed for future use three months after their publication.

 

The General Contractual Clauses Legal Regime (or 'LCCG') has been amended and now forbids fine print and tight line spacing in contractual terms drafted without prior individual negotiation with their addressees – usually consumers.
General contractual terms are one of the most frequently used contractual instruments in consumer contracts, for example, when opening a bank account, in insurance contracts or contracts for electricity, water or electronic communications supply.
Since there is no negotiation (between the parties) involved, since its recipients merely subscribe to or accept its content, LCCG provides mechanisms to prevent abuse, such as special duties of information and communication towards recipients and a list of prohibited clauses. There are two groups of prohibited clauses under LCCG: (i) absolutely prohibited clauses, which are void, such as clauses excluding or limiting liability for life damage, moral or physical integrity or health, or for non-contractual property damage and (ii) relatively prohibited clauses, which, depending on the situation, may or may not be forbidden, meaning that, in case of a dispute before a court, the clauses will be subject to review. These are, for example, clauses setting excessive deadlines for the acceptance or rejection of bids or penalty clauses disproportionate to the damage.
To enhance transparency, recently published Law 32/2021 of 27 May 2021 (which amends the LCCG), establishes drafting rules: font size may not be smaller than 11 or 2.5 millimetres, and line spacing cannot be less than 1.15. In case of non-compliance, the clause will be null and void, as this prohibition becomes part of the list of absolutely forbidden clauses.
This does not mean, however, that "small print" was allowed before. This issue has been addressed by case law on the violation of the duties of information (in this regard, for example, the ruling of the Supreme Court of Justice of 15 May 2008, the ruling of the Lisbon Court of Appeal of 13 October 2016 and, recently, the ruling of the Court of Appeal of 28 January 2021), all of them considering that it is not enough to formally comply with the duties of information, and that this obligation must be fulfilled in accordance with a “reasonableness criterion” to make all pieces of information of the contract known by the consumer.
Law 32/2021 also provides for a control and prevention system of unfair terms to be set up in the upcoming months to ensure that clauses forbidden by a court decision are not applied by other entities. Entities using general contractual clauses will have to be more careful with disputed cases involving general contractual clauses that have already been prohibited by a court decision. This mechanism intends to decrease imbalance between the parties.

Almost 100 days and over 500 bids into the main bidding phase of the Portuguese 5G auction, on May 31, 2021, ANACOM proposed an amendment to the auction’s regulation (Regulation 987-A/2020 of November 5).
According to available data, bidding in the 700MHz, 900MHz, 2,1GHz and 2,6GHz bands stalled as of the 24th day, with an aggregated price of 154,58 million euros. However, in the forty available 3,6GHz blocks (frequency blocks H1 to J30), a furious bidding contest is still ongoing with bids reaching 162,89 million euros, i.e., a 244% increase over the reserve price of 44,86 million euros.
Although the bidder’s identities are yet to be confirmed, the increase in the current bid average price per MHz (in the 3,6GHz band) from 0,38 million euros to 0,61 million euros and an unusually vocal dispute in the media, suggest an undergoing bidding war among new entrants and incumbents. With the total amount reaching 317,47 million euros, mixed reactions are heard throughout the market with the Government simultaneously expressing satisfaction with the unexpected tax windfall and concern over the consequences of the delay, and incumbent operators voicing concerns over the detrimental impact that mounting spectrum costs might have on network rollout investment.
The proposed amendments will extend the length of the rounds, which will now take place daily between 9:00 and 19:00. Also, each round duration will be halved from the current 60 to 30 minutes, thus allowing 12 rounds to occur.
With these changes, ANACOM expects to prevent the excessive extension of the 5G Auction. If approved, as of June, bidders are expected to form more robust and refined expectations about the spectrum they are most likely to win and the maximum amount they are willing to bid for it, which should lead to a reduction in the time needed for bidders to complete their bids. An important feature in the draft Regulation, ANACOM recognized that the unexpected extention of the Auction already affected short-term investment in commercial offers and hinted that further action may be taken in the near future.
Bidders will now have five working days to comment on these proposed changes. One question remains: are these too little too late?

 

Considering that Artificial Intelligence (AI) can bring a range of economic and social benefits, but also create new risks, the European Commission recently published a Regulation Proposal on a European Approach for Artificial Intelligence (the ‘AI Draft Act’ or ‘Draft Act’).
Following a public consultation on the Commission’s White Paper on AI of February 2020, the AI Draft Act aims to harmonize existing laws on AI, ensure the protection of fundamental European Union (EU) rights and safety of AI system users, as well as trust in the development and uptake of AI.
The Draft Act applies to public and private players (i.e., providers, importers, distributors, and users of AI systems) established within the EU or in a third country that places AI systems on the market or puts them into service within the EU, or where their use affects people located in the EU. The Draft Act is divided into twelve titles of which we highlight the following:

  • Scope and definitions (Title I): including, among other definitions, ‘AI’ and ‘AI system’. ‘AI system’ is broadly defined as a software product developed using certain listed techniques and approaches that can generate outputs influencing the environments they interact with;
  • Prohibited AI practices (Title II): the Draft Act uses a risk-based approach distinguishing between (i) unacceptable risk (e.g. AI systems that can exploit vulnerabilities of a specific group of persons or use real-time remote biometric identification in publicly accessible spaces, subject to some exceptions); (ii) high-risk to the health and safety or fundamental rights of natural persons (e.g. AI systems that perform a safety function in certain products, such as mobile devices, robotics, medical devices and other machinery); and (iii) low or minimal risk (e.g. AI-enabled video games or chatbots);
  • High-risk AI systems (Title III): once a high-risk AI system is identified, compliance obligations should be reinforced (Title IV), including obligations covering risk management, data governance, technical documentation, record-keeping requirements, transparency and provision of information to users, human oversight, robustness, accuracy, cybersecurity, post-market monitoring and incident reporting;
  • Governance, enforcement and sanctions (Titles VI to XII): the Draft Act provides for the establishment of a European Artificial Intelligence Board (EAIB) composed by the national supervisory authorities and the European Data Protection Supervisor. The AI Draft Act provides for substantial penalties of up to EUR 30 million or up to 6% of annual worldwide turnover, whichever is higher to be levied against companies for non-compliance.

Once discussed (and probably subject to changes) and approved by the European Parliament and the Council, the AI Regulation will apply directly across the EU and with a wide-reaching impact.

 

Law 21/2021 introduced several amendments to the Tax Benefits Code, the Stamp Duty Code, the Investment Tax Code, the Vehicles and Circulation Tax Codes. It also created an extraordinary measure for counting deadlines within the scope of Corporate Income Tax (“CIT”).
The application of these measures, unless otherwise specified, are retroactive to 1 January 2021.
In this newsletter we analyze the main tax changes introduced by the Diploma.

Tax Benefits Code

The main changes to the Tax Benefits Code are as follows:
Extension of certain tax benefits:

  1. Tax benefits to the financial system and capital markets, sponsorship and others: 31 December 2025 (with retroactive effect from 1 January 2021);
  2. Tax benefits relating to intellectual property income: 31 December 2021 (with retroactive effect from 1 January 2020);
  3. Tax benefits relating to the Madeira Free Trade Zone and the Santa Maria Free Trade Zone: 31 December 2027 (with retroactive effect from 1 January 2021).

Madeira Free Trade Zone. The income of entities licensed to operate in the Madeira Free Trade Zone from 1 January 2015 up to 31 December 2021 are subject to CIT until 31 December 2027, at a 5% rate. This benefit is, however, subject to one of the following applicable annual limits:

  1. 20,1% of the annual gross value added generated in the Autonomous Region of Madeira;
  2. 30,1% of the annual labor costs incurred in the autonomous region of Madeira; or
  3. 15,1% of the annual turnover generated in the autonomous region of Madeira.

Other benefits:

  1. Income paid by collective investment undertakings to their unitholders will now be excluded from the tax benefit limitation rule;
  2. Interest and rents payable in connection with loans and industrial, commercial or scientific equipment leases granted by non-resident entities will be exempt from PIT and CIT without the need of prior approval of the Minister of Finance;
  3. Entities managing designations of origin and geographical indications of wines, vinegars, spirit drinks of vinic origin and aromatized wine products recognized under the terms of the applicable legislation will be exempt from CIT.
Investment Tax Code

The deadline for contractual tax benefits and regional state aid, in accordance with the national state aid map, is extended until 31 December 2021.

Stamp Duty

The Stamp Duty Code now provides for an exemption from Stamp Duty on the report of securities or equivalent rights carried out on a regulated market or multilateral or organized trading system, as well as on report and financial guarantees carried out by financial institutions, namely by credit institutions and financial companies, with the intermediation of central counterparties.

Vehicles and Circulation Tax Code

They are revoked with effect from 1 July 2021:

  1. ISV exemption. Light goods vehicles with open, flat, or closed boxes, which do not have a cabin integrated into the body, with a gross weight of 3500 kg, without four-wheel drive are now exempt from payment of ISV;
  2. Circulation Tax Code. The exemption from payment of 50% of the single circulation tax for category D vehicles has been revoked.
Corporate Income Tax Code

Is suspended, during the 2020 tax period and during the following tax period, with retroactive effect from 1 January 2020, the computation:

  1. The deadline for reinvestment of the realization values;
  2. The deadline for deducting from taxable income expenses that could not be deducted in the period to which they relate, due to insufficient taxable income, regarding research and business development expenses in the Autonomous Region of Madeira.

E-signatures are essential to verify the identity of individuals and businesses online and to ensure authenticity of electronic documents.
In the European Union (‘EU’), electronic identification and trust services (‘eIDAS’), where e-signatures are included, are ruled by Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market (‘eIDAS Regulation’), which came into force in July 2016.
Although the eIDAS Regulation is directly applicable in all Member States and does not require implementation by local laws, certain specifics such as validity, effects and legal value of e-signatures and e-documents require local regulation that must be in line with the eIDAS Regulation.
In Portugal, local eIDAS specifics are governed by Decree-Law 12/2021, of February 9, 2021 (‘Portuguese eIDAS Law’), which is effective since March 11, 2021.
At the same time, the upcoming obligation for companies with FYE on December 31, 2020 of   holding their general meetings of shareholders to approve annual accounts until March 31, 2021 leads us to the rules on ‘e-shareholder meetings’, i.e. meetings held using electronic means. 

ELECTRONIC SIGNATURES

E-signatures are generally accepted in Portugal in the EU. However, their value as evidence varies according to the type of signature.
The eIDAS Regulation establishes the following types of e-signatures:

  • Simple e-signature: data in electronic form which is attached to or logically associated with other data in electronic form, and which is used by the signatory to sign, as set out in the eIDAS Regulation. For example, writing a name on an e-mail may be considered a simple e-signature.
  • Advanced e-signature: an e-signature which additionally is (i) uniquely linked to and capable of identifying the signatory, (ii) created in a way that allows the signatory to retain control and (iii) linked to the document in a way that any subsequent change of the data is detectable.
  • Qualified e-signature: an advanced e-signature which additionally is (i) created by a qualified signature creation device and (ii) based on a qualified certificate for e-signatures. The use of a qualified e-signature means (i) that the signatory of the document is the individual identified by the qualified signature; (ii) that such individual had the intention to sign the document; and (iii) that the content of the document signed with the qualified e-signature has not changed since it was e-signed.

Only the qualified e-signature has the same value as evidence of a handwritten signature.
Nevertheless, the other types of e-signatures may be used:

  • If the contracting parties agree to use other types of e-signatures (simple or advanced), subject, however, to mandatory provisions on the form required for certain agreements; or
  • If someone submits an electronic document signed with other type of e-signature and the counterparty accepts such e-signature as valid. 

Qualified e-signatures based on qualified certificates issued in one EU Member State are acknowledged as qualified e-signatures in all other Member States. Providers of qualified certificates for e-signatures in each Member State are listed in the Trusted List.
As the United Kingdom (‘UK’) is no longer a member of the EU, qualified e-signatures based on qualified certificates issued by providers in the UK are not automatically recognised and accepted in the EU. The UK eIDAS Regulations, which are an amended form of the EU eIDAS Regulation and retain many aspects of the EU regulation, are tailored for use within the UK.

ELECTRONIC DOCUMENTS

Electronic documents are valid in Portugal. If the electronic document meets the requirements to be considered a written document – i.e., if it may be represented as a written statement – it will be considered equivalent to a paper document in written form.
Such electronic document signed using a qualified e-signature will be equivalent and have the same value as evidence as a paper document with a handwritten signature. The value as evidence of electronic documents signed with simple e-signatures or advanced e-signatures will be freely assessed by the court, which means additional evidence could be required to demonstrate the content of such documents.
If the electronic document cannot be represented as a written statement, it will have the value as evidence of a photograph or of a copy, even if signed using a qualified e-signature.
Copies of e-signed electronic documents that do not allow the verification and validation of e-signatures may have the same value as evidence of the original if they are certified by a notary.
Under the Portuguese eIDAS Law, the dispatching of electronic documents is subject to the following rules:

  • An electronic document sent by electronic means is deemed sent and received by the addressee if it is transmitted and received at the electronic address agreed by the parties;
  • The date and time of creation, dispatch or receipt of an electronic document containing a time stamp issued by a qualified trust service provider is effective between the parties and against third parties;
  • An electronic document with a qualified e-signature or a qualified electronic seal sent by electronic means that ensure effective receipt is equivalent to dispatching by registered post. If receipt is confirmed by a confirmation message addressed to the sender by the addressee in an identical form, it is equivalent to dispatching by registered post with acknowledgement receipt;
  • Dispatching of data and documents using qualified electronic registered mail services is equivalent to using registered post with acknowledgement receipt.
ELECTRONIC SHAREHOLDERS’ MEETINGS 

Although usually shareholder general meetings take place in the corporate head-offices, it is possible for shareholders of Portuguese companies to hold general meetings using electronic means, unless the company’s articles of association establish otherwise.
Some aspects must, nevertheless, be taken in consideration when deciding to hold the meetings electronically:

  • It is an option of the company and not of the shareholders; and
  • The company must put in place technical means to allow confirmation of identity of the shareholders attending the meeting, ensure authenticity and safety of communications in the meeting and to keep a full record of the meeting. 

This means, for example, that the notice of the meeting must specify that the meeting is to be held electronically and that the company must provide the shareholders the information required to access the meeting.
Even though the meetings are held electronically, minutes containing the record of discussions and resolutions must be drafted and signed by the chairman and secretary of the meeting (in case of S.A. companies) or by the shareholders (in Lda. companies), as applicable, either in paper or in electronic form.

The Portuguese Energy Secretary of State announced that the Portuguese Government will publish the general guidelines for a Portuguese Hydrogen Auction in the first week of April. This will be followed by a set of public sessions for promoters.
This auction is the second initiative to develop the H2 technology in Portugal after the kick-off of the Green Flamingo project, a large production unit to be built in Sines, as part of the Portuguese Hydrogen National Plan.
Consumers and not producers, as originally planned, will be participating in this auction. It is expected to capture the interest of large consumers, mainly industrials or/and consumers applying for self-consumption programs.
The guidelines projected for April will be key to understand this mechanism: the auctioned amounts, the auction date and eventual financial prerequisites are not yet known.
The auction will be based on Carbon Contract for Differences (commonly known as “CfDs”), the participants bidding amongst themselves to buy a certain amount of hydrogen.
The difference between the awarded bid (strike price) and the carbon price will be paid through public funds. The Portuguese Government anticipates that, over the years, the carbon price drops and such payments will cease to exist.
There will also be a special channel for the energy suppliers to participate in the auction. In this case, the hydrogen bought will not be used for self-consumption but sold in the market instead.
This announcement promises to bring back the promoters’ enthusiasm and create new expectations for 2021 in the renewables market.
 

The Portuguese Presidency of the Council of the European Union can now negotiate the proposed e-Privacy Regulation. This regulation, yet to be negotiated with the European Parliament, intends on continuing the European Commission's 2017 proposal while defining rules on direct marketing, cookies and metadata, regarding "online privacy” framework.
Once approved, the regulation will revoke e-Privacy Directive, transposed by Law 41/2004 of 18 August into Portuguese domestic law. This Directive and the Portuguese law that transposed it are almost two decades old and no longer keep up with new challenges that come with technological development.
The proposed e-Privacy Regulation includes:

  • Electronic communications data confidentiality and the users’ consent to their processing. Listening, monitoring and data processing by a third party will be prohibited, except if allowed by law or for protection against exceptional situations, e.g. guaranteeing the integrity of the services, malicious programs or viruses;
  • End users’ choice to accept cookies (or not). To avoid "consent fatigue", users can consent to certain types of cookies by setting permissions in their browser's default settings;
  • In marketing communications, the users’ consent rule stands when the user is a natural person (opt-in). If the user is a customer, prior consent to direct marketing communications is not needed, if the seller obtained the client’s electronic contact details during the sale of a product or service where customer had the possibility to opt-out of receiving these communications (soft opt-in). Member States can define the period during which data can be used for sending marketing communications in their domestic law;
  • Metadata processing is allowed for billing purposes or to detect or prevent fraudulent use, or if the user consents so. Metadata can also be processed to protect vital interests of users, e.g. to monitor epidemics and their spread, or during humanitarian emergencies.

As lex specialis, the e-Privacy Regulation will set out the rules on privacy in electronic communications and, when and where not applicable, the General Data Protection Regulation (''GDPR'') will apply. One will not replace, but rather complete the other and vice-versa.
The Council will discuss the draft Regulation with the European Parliament. Once approved, the Regulation will enter into force 20 days after its publication and apply after a transitional period of two years.

On  February 18, the European Commission opened violation proceedings against countries that have incorrectly transposed into their domestic law provisions regarding the 4th Anti-Money Laundering Directive (AMLD4 or Directive). Portugal included.
The deadline for the transposition of AMLD4 was June 27, 2017, and Brussels concluded that several provisions of the Directive were not transposed correctly into Portuguese law.
Because of this, the European Commission initiated a violation procedure by sending the defaulting countries a formal notice.
Over the next two months, Portugal must defend itself and answer adequately the Commission’s questions on why the transposition was not fully done. If it does not, the violation procedure will be pursued.
Portugal must address the fundamental aspects of the anti-money laundering framework, such as: (i) exchanging information with Financial Intelligence Units (FIUs) and cooperating adequately with them, for that matter; (ii) complying with customer due diligence requirements; and foster and encourage the transparency of central beneficial ownership registers.
If the Commission concludes that Portugal has not complied with its obligations under the EU law, the second stage of the violation procedure will follow.
In the second stage, the Commission sends Portugal a formal request to comply with AMLD4 and exposes the reasons why it considers that Portugal is breaching EU law. It also asks Portugal to inform the Commission of the measures adopted, within a specified period, usually 2 months.
The non-compliance with these rules might cause an impact on the EU, as a whole, by not protecting the financial system and combating money-laundering-related crimes. In order to step up these efforts the Commission published a six-point Action Plan on May 7, to further strengthen the EU's fight against money laundering and terrorist financing.
Now Portugal has to wait and see what the European Commission will decide, and we have to wait and see how the country will justify the poor transposition of the Directive into the Portuguese legal system.

January 2021 marked an important stage on the relationship between the EU and the UK regarding data privacy. As of 2021, the UK is considered a third country when it comes to international data transfers ,meaning that there was data before and there is data after Brexit.
Since the requirements in GDPR concerning international transfers of (personal) data to third countries are strict, and since there was not an EU adequacy decision on UK’s data protection legal framework, risks of non-compliance for businesses transferring data from an EEA country to the UK were significant.
But, on February 19 2021, fifty days after the EU and UK markets were set apart, the EU published a draft decision on adequate protection of personal data by the UK under GDPR.
The draft decision concludes that the UK’s legal framework when it comes to data protection ensures a level of protection of personal data transferred from the European Union that is essentially equivalent to the one guaranteed by GDPR, and that both supervision and adjustment mechanisms facilitate the detection of violations and their punishment, as well as solutions for data subjects.
Considering this draft decision, and assuming a final decision will comprehend the same terms, the transition period initially set out will no longer apply and businesses in the EU will be able to continue to transfer personal data to the UK based on an adequacy decision, which means that data transfers to the UK have no restrictions whatsoever.
These are very relevant news for several key economy sectors, such as health, banking and technology, and the continuity of EU-UK data flows therein.
This draft decision includes, however, a duration period of four years at the end of which the EU must renew its adequacy decision. Because the UK will no longer be bound by the current data protection framework after the EU-UK Trade and Cooperation Agreement ceases to apply, the EU decided to subject the adequacy decision to an amendment and restatement by the end of 2024: six months before the adequacy decision ceases to apply, the EU must initiate a procedure to amend it by extending its temporal scope for an additional period.
Within the next few weeks, EDPB is expected to issue an opinion on the draft decision, which will be taken into consideration in the preparation of (but should not stop) the final decision.