Welcome to the January edition of Schoenherr's to the point: technology & digitalisation newsletter!

We are excited to present a selection of legal developments in the area of technology & digitalisation in the wider CEE region.

Insights waiting for you in this edition:

  • Bye Bye 2020 - thanks for nothing! | Thomas Kulnigg
  • Blockchain Newscorner & Crypto-market Update
  • Airbnb IPO | Thomas Kulnigg
  • The 2019/2020 DACH Report | Thomas Kulnigg
  • Distance is no longer relevant for corporate decisions | Maximilian Nutz and Dominik Tyrybon
  • 1 December 2020 - Ethereum 2.0 goes live with launch of Beacon Chain | Dominik Tyrybon
  • New cryptocurrency regulation announced by US FinCEN | Dominik Tyrybon and Nikolaus Stepan
  • Cybersecurity on the rise: the NIS Directive 2.0 | Christoph Haid and Felix Schneider
  • Latest data breaches and fines imposed by the Polish Data Protection Office | Daria Rutecka
  • EUR 18m GDPR fine overturned | Günther Leissler, Veronika Wolfbauer, János Böszörményi and Maximilian Trautinger
  • Two unpleasant Christmas gifts thanks to cookies | Veronika Wolfbauer
  • Romanian competition authority publishes report on big data | Christoph Haid
  • The New European Drone Rules | Eva Bajáková and Ondrej Holowka

Bye Bye 2020 - thanks for nothing! | Thomas Kulnigg

2020 was a very "interesting" year, and I guess we are all glad that it is over. Still - from a technology perspective - not every aspect of 2020 was bad: most people got used to videoconferencing, allowing us to interact in a more personal way from a distance. Most jurisdictions have introduced COVID-19-related laws that allow for virtual board meetings and virtual notarial acts - a gamechanger in corporate law as distance is no longer relevant for corporate decisions or notarial acts, such as notarial deeds or the certification of signatures. All in all, we have seen more and more technology & digitalisation-related investments and projects in 2020. Let's try to forget the rest of 2020...and not to forget: Bitcoin reached a record high of EUR 23,700 as of 31 December 2020 (source: Bitpanda.at). Spoiler alert: the price race continued into January 2021! To honor Bitcoin (and digital assets in general) and their enormous success in 2020, please find below a quick update of our Blockchain newscorner of 2019.

The Schoenherr Technology & Digitalisation Group wishes you a Happy New Year and all the best for 2021 - stay healthy and safe.

Blockchain Newscorner

  • Major developments in the US: (i) The US Securities and Exchange Commission charged Ripple and two executives with conducting a USD 1.3bln unregistered securities offering;**** (ii) the U.S. Financial Crimes Enforcement Network (FinCEN) takes a measured approach to money laundering risks posed by unhosted virtual currency wallets (see our article in this newsletter); and (iii) FinCEN is planning to amend the US Bank Secrecy Act's Foreign Bank and Financial Accounts (FBAR) regulation regarding reports of foreign financial accounts to include virtual currency as a type of reportable account. Such a change would require any US citizen or other US person to report holdings of virtual currencies above USD 10,000 with foreign financial or virtual asset service providers.
  • The Ethereum Network is in the process of being updated to "Ethereum 2.0" ("Eth2"). Eth2 refers to "a set of interconnected upgrades that will make Ethereum more scalable, more secure, and more sustainable". The process has started with the introduction of "the Beacon Chain" as of 1 December 2020. As a major feature, the Beacon Chain will introduce proof-of-stake to Ethereum (replacing the currently used proof-of-work consensus mechanism). For more information, visit https://ethereum.org.

Crypto-market Update

| | 31 October 2019 | 13 January 2021 |
|---|---|---|
| BTC/EUR* | EUR 7,521.19 | EUR 28,680.10 |
| ETH/EUR* | EUR 150.40 | EUR 890.22 |
| Total Bitcoins mined** | 18,022,600 | 18,599,106 |
| Total Ether supply*** | 108,343,814 | 114,233,072 |
| BTC market capitalisation** | EUR 138,889,913,934 | EUR 530,857,581,121 |
| ETH market capitalisation*** | EUR 16,299,863,790 | EUR 101,152,634,984 |

* Bitpanda.at, 13 January 2021, ~12:02 (BTC), ~12:02 (ETH); Coinbase.com, closing values for 31 October 2019
** https://coinmarketcap.com/de/currencies/bitcoin/, 13 January 2021, 12:02
*** https://coinmarketcap.com/de/currencies/ethereum/, 13 January 2021, 12:02
**** https://www.sec.gov/news/press-release/2020-338, 13 January 2021, 12:02

Airbnb IPO | Thomas Kulnigg

Airbnb, Inc., the American vacation rental online marketplace company based in San Francisco, went public on 10 December 2020 with a valuation of approximately USD 47.3bln. As at 30 December 2020, the NASDAQ-listed Airbnb, Inc. Class A Common Stock (ABNB) had reached approximately USD 150 per share, boosting the market capitalisation of Airbnb to approximately USD 88bln. Airbnb's IPO was one of the largest of 2020.

The 2019/2020 DACH Report | Thomas Kulnigg

Speedinvest, the Vienna-based European VC fund, and Frontline Ventures, an early-stage B2B venture capital firm based in London and Dublin, recently published a report on venture capital in the DACH (Germany, Austria, Switzerland) region. The report concludes inter alia that VC spending reached an all-time high in 2020, DACH VCs continue to raise large funds, which is an important basis for future VC activities in this region, and that corporates are still a major source for funding. The report also summarises what's hot in 2019/2020 (e.g. for Austria: Fintech&Crypto, Enterprise SaaS, Industrial and PropTech and B2C/B2B Marketplaces). The report slides can be reviewed here.

Distance is no longer relevant for corporate decisions | Maximilian Nutz and Dominik Tyrybon

In light of the ongoing COVID-19 pandemic, the Austrian parliament has extended (just before its expiration) the COVID-19 company law (COVID-19-GesG) and its ordinance (COVID-19-GesV) for another year until 31 December 2021. This means all regulations and facilitations as of now remain in force. In particular, virtual meetings remain possible and extensions to certain periods of corporate procedures and resolutions apply (e.g. preparation, approval of financial statements).

In addition, the regulations on digital notarial acts and certifications were adopted by the National Council in its session on 10 December 2020, into the permanent law of the Austrian Notarial Code.

Therefore, as of 1 January 2021, digital notarial acts and certifications can continue to be made, and even after the (hopefully imminent) end of COVID-19 this will remain a possibility to establish notarial acts or certifications digitally. For a recap of the COVID-19 company law (COVID-19-GesG), please see our blog posts from 8 April 2020 and 10 April 2020.

1 December 2020 - Ethereum 2.0 goes live with launch of Beacon Chain | Dominik Tyrybon

After the ETH 2.0 deposit contract passed the 524,288 ETH minimum threshold on 24 November 2020, the much-anticipated upgrade to the ETH blockchain was launched on 1 December 2020. Phase 0, also known as the Beacon Chain, is the first stage of this launch, and marks the start of the transition of the ETH blockchain from a proof-of-work (PoW) to a proof-of-stake (PoS) consensus mechanism. Users will need to stake a total of at least 32 ETH in order to act as validators of transactions. The transition promises several major improvements to the ETH blockchain, making it scalable, more secure and more sustainable. But it will take several years and at least three more phases to add and align the existing ETH 1.0 blockchain with ETH 2.0.

ETH 2.0 is expected to have a large impact on the growth capabilities of the DeFi (Decentralised Finance) market, as ETH is used as the foundational blockchain for most DApp DeFi use cases. However, it remains to be seen if ETH 2.0 will be able to scale fast enough to cope with the growth of the DeFi markets. More news will follow in due course.

Cybersecurity on the rise: the NIS Directive 2.0 | Christoph Haid and Felix Schneider

On 16 December 2020, the European Commission published a new legislative proposal that introduces systemic and structural changes to the NIS framework and aims to address the shortcomings in the functioning of the current NIS Directive.

The proposal introduces a new size-cap rule, according to which all medium and large enterprises, as defined by Commission Recommendation 2003/361/EC, that operate within the sectors or provide the type of services covered by the proposal, fall within its scope, and significantly expands the scope of the current NIS Directive by adding new sectors based on their criticality to the economy and society. Furthermore, the proposal strengthens security requirements for the relevant entities by requiring a risk management approach to be applied and provides for stricter supervisory measures for national authorities and stricter enforcement requirements. The public now has until 11 February 2021 to submit comments on this proposal (see our Legal Insight for further details).

Latest data breaches and fines imposed by the Polish Data Protection Office | Daria Rutecka

Currently, data protection offices all over Europe are experiencing a high workload, mostly because of issues related to the Schrems case, as well as difficulties resulting from Brexit. The end of 2020 was very busy, also for the Polish Data Protection Office (Polish: Urzad Ochrony Danych Osobowych; "UODO") as it dealt with more GDPR infringements and imposed more fines than usual.

In the beginning of December UODO imposed a fine of nearly PLN 2m (approx. EUR 436,000) on Virgin Mobile Polska, a telecommunications company, for the lack of implementation of appropriate technical and organisational measures ensuring the security of processed data. UODO stated that the company infringed the principles of data confidentiality and accountability specified in the GDPR. As it turned out, Virgin Mobile Polska failed to carry out regular and comprehensive tests, measurements and evaluations of the effectiveness of the technical and organisational measures applied to ensure the security of the processed data. Those breaches led to an unauthorised person obtaining customer data from one of the databases.

Further, UODO also imposed a fine on Towarzystwo Ubezpieczen i Reasekuracji WARTA S.A., an insurance company, as it did not notify the supervisory authority of a personal data breach. Back in May 2020, a third party notified UODO of a breach involving the sending of an e-mail including an insurance policy to an unauthorised addressee. The attached document contained personal data including, among others, names, surnames, addresses of residence, PESEL numbers (personal identification numbers) and information concerning the subject matter of insurance (passenger car). UODO imposed a fine on the company in the amount of PLN 86,000 (approx. EUR 19,000).

Finally, a fine in the amount of over PLN 1m (approx. EUR 219,000) was imposed by UODO on ID Finance Poland, the owner of an online loan website, for loss of data due to a lack of appropriate technical and organisational measures. The company failed to react to a notification regarding gaps in its security systems, which resulted in an unauthorised person having access to personal data and deleting such data from the company's servers.

EUR 18m GDPR fine overturned | Günther Leissler, Veronika Wolfbauer, János Böszörményi and Maximilian Trautinger

In October 2019, the Austrian Data Protection Authority ('ADPA') imposed a fine of EUR 18m on an Austrian postal service provider for alleged GDPR violations. This fine was recently overturned by the Federal Administrative Court.

The fine was imposed because the ADPA deemed the use of likeliness-based data for establishing potential interests in receiving advertisements as unlawful processing of personal data. The ADPA has expressed its opinion in separate proceedings which are currently pending at the Supreme Administrative Court. However, although that separate proceeding is still undecided, the Federal Administrative Court nevertheless has overturned the fine due to irrevocable procedural deficiencies in the related criminal administrative proceeding.

In fact, the Federal Administrative Court has concluded that the ADPA did not sufficiently identify those natural persons working at the controller who are deemed responsible for the alleged GDPR violations. With its decision the Federal Administrative Court has followed established case law which requires those natural persons who were acting on behalf of the controller when the GDPR was breached to be individually identified. The Federal Administrative Court found such sufficient identification of natural persons to be lacking in this case and, thus, overturned the fine and discontinued the criminal administrative proceedings.

Although the Federal Administrative Court's decision is in line with applicable case law of the Austrian Supreme Administrative Court, the ADPA takes the view that this case law conflicts with the GDPR. The ADPA is therefore very likely to appeal, taking the matter to the Austrian Supreme Administrative Court.

So far, the lifted fine was the highest GDPR fine imposed in Austria and the 6th highest fine within the EU for GDPR breaches.

Two unpleasant Christmas gifts thanks to cookies | Veronika Wolfbauer

In December, the French data protection authority (CNIL) imposed significant fines on two of the big players - Google and Amazon. The CNIL alleges that both companies unlawfully used tracking cookies and did not provide adequate information about the use of these cookies. The CNIL was especially critical of the fact that advertising cookies on the French websites of Google and Amazon were set before users had explicitly given consent. In the case of Google, a cookie notification was displayed, which gave users the choice of accessing the privacy settings or directly accessing the requested website. However, in the opinion of the CNIL, this notification did not suffice to obtain an actual informed consent for the use of advertising cookies. The consequence: The CNIL fined Google LLC EUR 60m, and Google Ireland Limited EUR 40m. On the same day (10 December 2020), the CNIL announced that it had fined Amazon Europe Core Sarl EUR 35m.

On a side note: Google and Amazon also challenged the jurisdiction of the CNIL, arguing inter alia that CNIL is, under the one-stop-mechanism of the GDPR, not their lead authority. However, the CNIL based its decisions and the sanctions on the French Data Protection Act, which implemented the EU ePrivacy Directive and not the GDPR. This is just another example that the long-expected ePrivacy Regulation, which will replace the ePrivacy Directive, is urgently needed. Find the CNIL press release here and here.

Romanian competition authority publishes report on big data | Christoph Haid

In line with the focus of other competition authorities on digitalisation, the Romanian Competition Council has conducted a survey into Big Data Technologies in Romania. The RCC established (see report here) that big data technologies are used widely by ride-hailing digital platforms and major telecommunications retailers. Meanwhile, banks, price comparison platforms and electronic trading platforms do not resort much to such technologies. Big Data technologies are growing rapidly and are important for enhancing the competitiveness of several companies. At the same time, they may lead to establishing and artificially keeping prices high. In summary, the RCC identified, besides many pro-competitive effects of Big Data Technologies, the following risks:

  • the use of Big Data may lead to large-scale price-fixing collusion;
  • the use of a shared database and of identical pricing algorithms can help a company align its prices with those of its rivals in real time; and
  • there is a risk where an online digital platform limits or denies access to its data silos or imposes terms in exchange for access to its own analysis services.

The New European Drone Rules | Eva Bajáková and Ondrej Holowka

As of 31 December 2020, national rules for flying unmanned aircraft ("UAS"), commonly referred to as drones, are being replaced by a common European regulatory framework.

All UAS operators will need to register themselves with the National Aviation Authority of the EU country of their residence ("NAA") unless they operate a drone from a so-called "Open" category that weighs less than 250 g and has no camera or other sensor able to detect personal data, or is a toy (even with a camera or other sensor). Once the registration is completed, the drone operator will obtain a registration number which must be placed on all his/her drones. Besides, most UAS pilots will have to pass an obligatory online examination.
