28 June 2021

On the BMF letter of 24 March 2021: The German Federal Ministry of Finance (Bundesministerium der Finanzen – BMF) recently commented on the recognition of profit and loss transfer agreements (Gewinnabführungsverträge) for corporate income tax purposes. This gives reason to review and, where necessary, amend in particular so-called old agreements (Altverträge) that were concluded or last amended before 27 February 2013.

I. Background

The Act on the Further Development of Restructuring and Insolvency Law (Gesetz zur Fortentwicklung des Sanierungs- und Insolvenzrechts) of 22 December 2020 supplemented § 302 (3) sentence 2 of the German Stock Corporation Act (Aktiengesetz – AktG), with effect from 1 January 2021, with a reference to the likewise newly introduced restructuring plan (Restrukturierungsplan). Although the reference to the restructuring plan was not intended to change any corporate income tax provisions, the amendment may nevertheless affect certain profit and loss transfer agreements and make their amendment necessary, since otherwise the requirements for a corporate income tax group (körperschaftsteuerliche Organschaft) may no longer be met.

§ 302 AktG governs the obligation of the other contracting party to assume losses where certain enterprise agreements exist. § 302 (3) sentence 1 AktG contains a related prohibition on waiving or settling the corresponding compensation claim. Exceptions to this prohibition are set out in § 302 (3) sentence 2 AktG. The Act on the Further Development of Restructuring and Insolvency Law added to the catalogue of exceptions the case in which the compensation obligation is regulated in a restructuring plan.

However, the wording of § 302 AktG is also relevant for the German Corporate Income Tax Act (Körperschaftsteuergesetz – KStG). The requirements for a tax group with a corporation other than those listed in § 14 KStG are set out in § 17 KStG. These "other" companies include, in particular, the GmbH. The version of § 17 sentence 2 no. 2 KStG in force until 26 February 2013 required an assumption of losses "in accordance with the provisions" of § 302 AktG. Since the amendment by the Act on the Amendment and Simplification of Business Taxation and of the Tax Law on Travel Expenses (Gesetz zur Änderung und Vereinfachung der Unternehmensbesteuerung und des steuerrechtlichen Reisekostenrechts) of 20 February 2013, § 17 sentence 2 no. 2 KStG (old version) (now § 17 (1) sentence 2 no. 2 KStG) has required that an assumption of losses be agreed by reference to the provisions of § 302 AktG as amended from time to time. A so-called dynamic reference is therefore required; however, the new rule introduced in 2013 covered only profit and loss transfer agreements concluded or amended after 26 February 2013. So-called old agreements, concluded or last amended before 27 February 2013, continued to be recognized for tax group purposes even if they contained only a static reference to § 302 AktG or a repetition of its wording at the time.

The amendment now made to the wording of § 302 AktG, however, means that old agreements no longer provide for an assumption of losses in accordance with the provisions of § 302 AktG and, as a result, the requirements of § 17 sentence 2 no. 2 KStG in its old version are no longer met either.

II. Affected agreements

For profit and loss transfer agreements concluded or amended after 26 February 2013, § 17 (1) sentence 2 no. 2 KStG in its current version already requires an explicit dynamic reference to § 302 AktG in any event. For these so-called new agreements (Neuverträge), to the extent they meet the requirements of § 17 (1) sentence 2 no. 2 KStG, the current amendment to § 302 AktG does not give rise to any need for amendment.

So-called old agreements that were concluded or last amended before 27 February 2013 and that still contain a static reference to § 302 AktG, in its now outdated version, need to be amended.

III. Position of the tax authorities

The BMF commented on the tax consequences of the amendment to § 302 AktG in its letter of 24 March 2021 (DStR 2021, 803). According to the letter, the following applies to profit and loss transfer agreements concluded or last amended before 27 February 2013:

Due to the amendment to § 302 AktG that entered into force on 1 January 2021 […], continued recognition of the tax group under § 17 KStG requires that the existing provisions on the assumption of losses in the profit and loss transfer agreement be amended […]. Under current law, the assumption of losses must be agreed by reference to the provisions of § 302 AktG as amended from time to time (dynamic reference) in accordance with § 17 (1) sentence 2 no. 2 KStG.

For assessment periods from 2021 onwards, recognition of the tax group is not precluded if the amendment of old agreements to include the dynamic reference pursuant to § 17 (1) sentence 2 no. 2 KStG is made by the end of 31 December 2021 at the latest.

IV. Amendment of profit and loss transfer agreements

As stated in the BMF's letter, a dynamic reference must be inserted into old agreements for a tax group to be effective: the amendment of the loss assumption provision now required because of the change to § 302 AktG means that, pursuant to § 17 (1) sentence 2 no. 2 KStG, a dynamic reference to § 302 AktG must now be included in old agreements.

According to the BMF's letter, the amendment must be made by the end of 31 December 2021. In the BMF's view, it should be sufficient that the notarial recording of the controlled company's approval resolution (regarding the amendment agreement to the profit and loss transfer agreement, which is made in private written form) and the application for registration of the amendment in the commercial register take place by 31 December 2021. The reliability of this statement may be questioned, however, since it remains open whether the courts will follow these principles or will instead rely on the registration in the commercial register (which is required under civil law). It is therefore advisable also to have the registration in the commercial register effected by 31 December 2021 at the latest.

In the BMF's view, amending the profit and loss transfer agreement to include a dynamic reference to § 302 AktG is not to be treated as the conclusion of a new profit and loss transfer agreement. According to the BMF, the amendment does not trigger a new minimum term within the meaning of § 14 (1) sentence 1 no. 3 sentence 1 KStG. By contrast, according to the BMF, an amendment of old agreements is not required if the tax group is terminated upon or before expiry of the implementation period for the amendment agreement as of 1 January 2022.

If the amendment of the affected old agreements required by the BMF letter is not made, the tax group cannot be recognized for tax purposes for the 2021 assessment period and future assessment periods.


Your contacts:

Tax Law
Dr. Hans Martin Schmid (+49 89 189 33 110, mschmid@gibsondunn.com)

Corporate and Capital Markets Law, Corporate Transactions
Dr. Lutz Englisch (+49 89 189 33 150, lenglisch@gibsondunn.com)
Dr. Birgit Friedl (+49 89 189 33 180, bfriedl@gibsondunn.com)

© 2021 Gibson, Dunn & Crutcher LLP

If you have any questions on this topic, please contact us; we will be glad to assist. This Client Update has been prepared for general informational purposes only; it does not constitute legal advice and is not a substitute for advice from your own counsel.

In order to meet the technical requirements for the upcoming interconnection of the EU Member States’ national registers holding beneficial ownership information via a European central platform, the German lawmaker made some elemental changes to the provisions on the German transparency register[i], which will result in new filing requirements for numerous German legal entities and registered partnerships (see section 1. below). The new filing requirements with the German transparency register will apply in addition to any filing requirements with other public registers such as, e.g., the commercial register, and will also apply to listed companies and their subsidiaries. Moreover, the obligations of foreign entities to file beneficial ownership information for registration in the German transparency register are significantly expanded, in particular, to capture share deals involving real estate located in Germany (see section 2. below).

The new regulations will take effect as early as 01 August 2021. However, German legal entities and registered partnerships that will have to file beneficial ownership information with the transparency register for the first time solely due to the new rules benefit from transitional periods, with filing deadlines that, depending on the type of entity, will expire only on 31 March 2022, 30 June 2022 or even 31 December 2022. The new filing obligations for foreign entities directly or indirectly acquiring real estate located in Germany, however, will take effect immediately on 01 August 2021. German notaries are obliged to ascertain that any such filing obligations with the transparency register have been complied with, and they must refuse notarization in case of non-compliance with the filing obligations. Foreign entities planning to acquire (directly or indirectly) real estate located in Germany are thus strongly advised to ensure that the required beneficial ownership information is filed with the German transparency register in due time prior to the scheduled signing date, so as not to risk a delay of their transaction because the German notary refuses notarization. Furthermore, significant administrative fines may be imposed if the filing requirement is not complied with.

1. German legal entities and registered partnerships

Current Status

Since 2017, legal entities (juristische Personen) under German private law and registered partnerships have been required to file beneficial ownership information for registration in the German transparency register. To prevent double filings to multiple registers, this filing obligation is deemed fulfilled if the relevant beneficial ownership information is available in electronic form in certain other German registers, e.g., in shareholders lists retrievable via the German commercial register (“notification fiction”) (§ 20 (2) sentence 1 of the German Anti-Money Laundering Act (Geldwäschegesetz – GwG)). In addition, with respect to corporations listed on regulated markets with adequate transparency requirements with regard to voting rights, no filing of beneficial ownership information with the transparency register is required for the listed corporation and even its subsidiaries if the chain of control up to the listed parent company is  traceable via documents and information stored in electronic form in German registers (so-called “unconditional notification fiction”, § 20 (2) sentence 2 GwG). As a result of these notification fictions, an excerpt from the German transparency register often does not reveal the names of beneficial owners, and further complex and cumbersome analysis is required in order to chase down, via various public registers, the persons ultimately owning or controlling the relevant legal entity or registered partnership.

New Regulations

Effective 01 August 2021, the notification fictions of § 20 (2) GwG will be abolished in total. As a result, every legal entity under private German law and registered partnership under German law will not only be required to collect information on their beneficial owners, to store such information and to keep such information up to date, but will also be required to file such beneficial ownership information for registration with the German transparency register. If there is no natural person who directly or indirectly ultimately owns or controls the legal entity or partnership, the legal representative, managing shareholder or partner of the legal entity or partnership must be filed as “fictional beneficial owners” for registration with the transparency register; the fact that the relevant legal representatives are already registered in the commercial register (or another recognized public register, respectively), will no longer be sufficient. There will be an exemption only for not-for-profit registered associations (such as, e.g., sport and music clubs) for which the register-keeper, the Federal Gazette, will file the beneficial ownership information based on the data available in the German association register.

The definition of a beneficial owner remains essentially unchanged. In particular, as now, in case of a legal entity (other than associations capable of holding rights), every natural person holding or controlling, directly or indirectly (via a controlled legal entity), more than 25 per cent of the capital or more than 25 per cent of the voting rights, or exercising control in a comparable way, qualifies as a beneficial owner. However, with regard to the beneficial ownership information, in the future not only one nationality but all nationalities of the beneficial owners must be filed for registration; according to the explanatory memorandum, however, it shall be sufficient that missing relevant information on further nationalities is filed in due course as part of updates.

The new filing obligations will affect numerous German legal entities and registered partnerships, especially including German subsidiaries of groups with listed or widely held parent holdings, which so far have often profited from the notification fictions of § 20 (2) GwG. At least, the Act provides for relatively generous staggered transitional periods for the German entities and registered partnerships that are required to file beneficial ownership information for the first time solely due to the cancellation of the notification fictions of § 20 (2) GwG:

  • for stock corporations (Aktiengesellschaft – AG), European stock corporations (Societas Europaea – SE) and limited partnerships limited by shares (Kommanditgesellschaft auf Aktien – KGaA) until 31 March 2022;
  • for limited liability companies (Gesellschaft mit beschränkter Haftung – GmbH), cooperatives (Genossenschaften), European cooperatives (Europäische Genossenschaften) or partnerships (Partnerschaften) until 30 June 2022; and
  • for all other obliged legal entities and registered partnerships until 31 December 2022.

In addition, administrative fines for failure to file beneficial ownership information triggered by the new rules shall not be imposed for a transitional period of one year following the expiry of the corresponding filing deadlines.

2. Foreign entities directly or indirectly acquiring German real estate

The real estate sector in general is considered particularly vulnerable to money laundering, and, especially, German real estate is attractive for not only national but also international criminals.

As a consequence, since 2020 foreign entities (i.e., entities having their headquarters abroad) that undertake to acquire real estate in Germany by way of an asset deal have been required to file beneficial ownership information with the German transparency register. The German notary recording the real estate transaction must ascertain that the filing obligation has been complied with or otherwise refuse notarization, which effectively prevents the acquisition as real estate purchase agreements under German law must be notarized to be effective.

From 01 August 2021, the obligations of foreign entities to collect, keep up-to-date, and file information on their beneficial owners with the German transparency register are further expanded to also cover share deals and other transaction structures resulting in an indirect acquisition of German real estate. In the future, the obligation for foreign entities to file beneficial ownership information with the German transparency register will thus be triggered if a foreign entity

  • undertakes to acquire real estate located in Germany (asset deal);
  • directly or indirectly acquires at least 90 per cent of the capital of a German or foreign corporation holding real estate located in Germany (share deals triggering German real estate transfer tax in accordance with § 1 (3) German Real Estate Transfer Tax Act (Grunderwerbsteuergesetz)), or
  • directly or indirectly acquires a beneficial interest of at least 90 per cent of the capital of a (German or foreign) corporation holding real estate located in Germany (transactions triggering German real estate transfer tax in accordance with § 1 (3a) German Real Estate Transfer Tax Act).

The details of the new filing obligations in case of share deals and other transaction structures are still unclear. Hopefully, explanatory guidelines concerning the interpretation of these new filing obligations will be published by the German Office of Administration (Bundesverwaltungsamt) in due time.

Exemptions from the filing obligations to the German transparency register apply if the foreign entity has already filed the relevant beneficial ownership information to another EU Member State’s register on beneficial ownership.

The new regulations provide for a similar expansion of the filing obligations for trustees with residence or legal headquarters outside of the European Union if they wish to acquire (directly or indirectly) real estate located in Germany (§ 21 (1) sentence 2 GwG new version).

__________________________

[i] Act for the European interconnection of the transparency registers and for transforming Directive (EU) 2019/1153 of the European Parliament and the Council of 20 June 2019 for the use of financial information to combat money laundering, terrorist financing and other serious crimes (Transparency Register and Financial Information Act) of 10 June 2021 (Gesetz zur europäischen Vernetzung der Transparenzregister und zur Umsetzung der Richtlinie 2019/1153 des Europäischen Parlaments und des Rates vom 20. Juni 2019 zur Nutzung von Finanzinformationen für die Bekämpfung von Geldwäsche, Terrorismusfinanzierung und sonstiger schwerer Straftaten (Transparenzregister- und Finanzinformationsgesetz) vom 10. Juni 2021).


Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the issues discussed in this update. For further information, please feel free to contact the Gibson Dunn lawyer with whom you usually work, any member of the team in Frankfurt or Munich, or the following authors:

Silke Beiter – Munich (+49 89 189 33271, sbeiter@gibsondunn.com)
Daniel Gebauer – Munich (+49 89 189 33216, dgebauer@gibsondunn.com)
Martin Schmid – Munich (+49 89 189 33290, mschmid@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

As a reaction to the spectacular collapse of Wirecard, a then-DAX-listed financial service provider, in June 2020, an Act on Strengthening the Financial Market Integrity (Finanzmarktintegritätsstärkungsgesetz – FISG) has now been adopted following several months of intense discussions. It enters into effect on 1 July 2021 with a transitional period for certain provisions. The Act establishes new requirements for the corporate governance and the audit of listed companies as well as other public-interest entities.

Corporate Governance

  • Mandatory audit committee comprising at least two financial experts

Although German law already addresses the composition, role and functions of audit committees in several regulations and in the recommendations of the German Corporate Governance Code (see D.3 German Corporate Governance Code), it had been, until now, up to the discretion of the supervisory board whether to form an audit committee. The FISG now requires all listed companies and other public-interest entities (PIE), including in particular certain financial institutions and insurance companies as defined in the new § 316a German Commercial Code (Handelsgesetzbuch – HGB), to establish a mandatory audit committee no later than 1 January 2022 (§ 107 (4) Stock Corporation Act (Aktiengesetz – AktG) (new version), § 324 HGB (new version)). In order to ensure compliance with the obligation to form an audit committee, a (periodic) penalty payment of up to € 5,000 can be imposed on each individual member of the supervisory board (§ 407 AktG (new version)). Since the formation of audit committees is already best practice for listed companies, however, the implications of this for the vast majority of the listed companies will be limited.

The FISG further requires that the audit committee (or, if the supervisory board comprises only three members, the supervisory board itself) shall comprise at least two financial experts, with one member having expertise in the field of accounting and another member in the field of auditing (§ 100 (5) AktG (new version), § 107 (4) AktG (new version)). Previously, the law required only that at least one supervisory board member (who, if an audit committee was formed, must also have been a member of the audit committee) must qualify as a financial expert with expertise in the fields of auditing or (alternatively) accounting. The new qualification requirements shall ensure that both kinds of expertise are represented, and by different board members. The consequences in case the new qualification requirements are not met are not further stipulated by the law and thus remain unclear. According to the prevailing view in legal literature, the election of a supervisory board member that results in a violation of this special requirement for the composition can be challenged in court within the usual one-month period after the election takes place; if no legal action is brought within this term, the election is finally valid.

The new qualification requirements must be met for elections taking place on or after 1 July 2021, but do not apply retroactively.

  • Extended information rights and functions for audit committee members

Each audit committee member shall have the right to request information from the heads of the company’s central services that fall within the audit committee’s responsibilities, e.g. the head of risk management, the head of internal audit or the head of the compliance department. Any such requests must be channeled via the chair of the audit committee, who must then provide the requested information to all other audit committee members and must also inform the management board of the information request without undue delay (§ 107 (4) AktG (new version)). Furthermore, the Act now also explicitly stresses that the responsibilities of the audit committee in relation to the audit also include the quality of the audit (§ 107 (3) AktG (new version)). The new information rights and functions apply starting 1 January 2022.

  • Separate meetings with the auditor without the management board

In order to foster the confidentiality of communications between the auditor and the supervisory board or the audit committee, respectively, the law explicitly stipulates that if the auditor is consulted as an expert by the supervisory board or a supervisory board committee, from 1 July 2021 on, the management board shall only participate in such a meeting if the supervisory board or its committee deems its participation necessary (§ 109 (1) AktG (new version)).

  • Legal obligation to establish an internal control system and a risk management system

The new law explicitly requires the management board of a listed company to establish an effective internal control system and a risk management system which are appropriate for the size and the risk position of its business (§ 91 (3) AktG (new version)). The implications of this new statutory obligation, which will be applicable immediately starting 1 July 2021, will be limited since most listed companies already have such systems in place (see also principle 4 of the German Corporate Governance Code).

Audit

  • Mandatory external auditor rotation after ten (10) years and internal auditor rotation after five (5) years

The maximum duration for an audit engagement of public-interest entities shall be ten (10) years. The currently existing option to extend this period under the exemption of the Member State option of Regulation (EU) No 537/2014 (hereinafter EU Regulation) will be abolished (elimination of § 318 (1a) HGB). Abolishing this exemption also re-synchronizes the maximum term for listed companies with the maximum ten-year term applicable to CRR institutes and insurance companies.

For a transition period, audit engagements may still be renewed after expiry of the ten (10)-year term for the business year beginning after 30 June 2021 and the following business year, provided the requirements for a renewal of the engagement have been fulfilled prior to 30 June 2021. If the business year equals the calendar year, this means that the auditor needs to be changed for the business year 2024 at the latest.

Furthermore, the maximum term for the internal rotation of the key audit partner will be reduced from currently seven (7) to five (5) years (§ 43 (6) Public Accountant Act (Wirtschaftsprüferordnung – WPO) (new version)). In the absence of any transitional period the shortened term will be immediately applicable starting 1 July 2021.

  • Tightening of the prohibition of non-audit services

In order to further strengthen the independence of auditors, the Member State option of the EU Regulation to allow certain tax and valuation services when such services are immaterial or have no direct effect on the audited financial statements (see § 319a HGB) will be rescinded. As a consequence, all black-listed non-audit services of Article 5 (1) sub-paragraph 2 of the EU Regulation will now be prohibited. In addition, the exemption relating to the fee cap (§ 319a (1a) HGB) will also be abolished. In case of noncompliance with the prohibition of non-audit services, shareholders holding five percent (5%) of the voting rights or share capital or shares with a stock market value of at least € 500,000 can request the court to replace the auditor (§ 318 (3) HGB (new version)). The new rules will apply to the audit of business years starting on or after 1 January 2022.

  • Increase of the liability caps for auditors and tightened criminal liability

Previously, the civil liability of auditors for negligence (including gross negligence) was capped at one (1) million Euro or, for listed companies, four (4) million Euro, respectively, and higher damages could only be recovered by the company or its group of companies in case of intent on the auditors’ part. In the future, the civil liability of auditors for negligence will be capped at sixteen (16) million Euro for the audit of listed and other capital market companies, at four (4) million Euro for other PIEs and at one point five (1.5) million Euro for all other companies. In addition, in case of intent or gross negligence no liability cap will apply for listed companies and other capital market-orientated companies. With regard to other PIEs and other companies, the cap for gross negligence will be thirty-two (32) million Euro or twelve (12) million Euro, respectively (§ 323 (2) HGB (new version)). The new rules will be applicable for the audit of business years starting on or after 1 January 2022.

One should note, however, that under German law, shareholders, absent any tort, normally do not have liability claims against the statutory auditors of companies. Thus, absent exceptional circumstances, only the company can raise such claims. It remains to be seen whether this will change in the aftermath of the Wirecard accounting fraud.

Furthermore, the FISG also provides for a significant tightening of criminal liability for accounting and auditing offences.

  • Election of auditors of insurance companies by the shareholders

The auditors of insurance companies will now be elected by the shareholders and not by the supervisory board (cancellation of § 341k (2) HGB). This shall apply for business years starting on or after 1 January 2022.

Financial Reporting Enforcement

The current two-tier enforcement system will be fundamentally changed. With effect as of 1 January 2022, the private-law Financial Reporting Enforcement Panel (FREP) (Deutsche Prüfstelle für Rechnungslegung – DPR) will be abolished, and financial reporting enforcement will be bundled at the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin) (§§ 106 et seq. Securities Trading Act (Wertpapierhandelsgesetz – WpHG) (new version)). In addition, the competences of BaFin will be extended, and will include, amongst others, a right of BaFin to search business and residential premises as well as to confiscate documents and other evidence. The competent court for issuing the required search warrant and confiscation order will be the local court of Frankfurt/Main.


Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the issues discussed in this update. For further information, please feel free to contact the Gibson Dunn lawyer with whom you usually work, any member of the team in Frankfurt or Munich, or the following authors:

Silke Beiter – Munich (+49 89 33371, sbeiter@gibsondunn.com)
Ferdinand Fromholzer – Munich (+ 49 89 33270, ffromholzer@gibsondunn.com)
Johanna Hauser – Munich (+49 89 33272, jhauser@gibsondunn.com)
Finn Zeidler – Frankfurt (+49 69 247411530, fzeidler@gibsondunn.com)

The 17th amendment of the Foreign Trade and Payments Ordinance (“AWV amendment”) came into effect in the first week of May 2021. It marks the third fundamental revision of the German FDI regime since April 2020. FDI scrutiny in Germany therefore continues to witness a significant amount of attention.

Summary

  • Almost 20 new business sectors, for which a mandatory cross-sector filing may be required, are added to the existing regime. These include: satellite systems, artificial intelligence, robots, autonomous driving/unmanned aircrafts, quantum mechanics, and critical raw materials.
  • In these newly covered business sectors, a mandatory filing is triggered if 20% or more of the voting rights in the German target are to be acquired by a non-EU/EFTA investor. This is higher than the 10% threshold that applies to the business sectors covered by the regime before the most recent changes.
  • One of the main goals of the reform is to mirror in national law the protection of the specific sectors mentioned in Art. 4(1) Regulation (EU) 2019/452 (“EU Screening Regulation”) and to further clarify the delineation of these sectors.
  • Investments in the defence sector also face a broader range of mandatory sector-specific filing obligations.
  • In addition, an ex officio review can now also be triggered if certain control rights are acquired.

Background

On 30 April 2021, the AWV amendment was published in the Federal Gazette and came into effect the day after. The German Ministry of Economic Affairs and Energy (“BMWi”) had published a draft of the amendment in January 2021, which was open for public consultation. The AWV amendment follows two earlier revisions to the German FDI regime in 2020 which were triggered by the COVID-19 pandemic as well as the EU Screening Regulation. FDI regimes across the globe, in particular in EU Member States, such as Austria, France, Italy, and Spain have seen substantial expansion in recent months.

Overview

The AWV amendment is mainly driven by the aim of reflecting in national law the categories of critical technologies and activities mentioned in Art. 4(1) of the EU Screening Regulation. By its nature, the EU Screening Regulation has a directly binding effect so that a transposition into national law is not formally required. However, the EU Member States are not obliged to consider these categories as a ground for a mandatory filing and have some discretion with respect to their implementation. The German regulator has added almost twenty critical sectors to the list.

In more detail:

Cross-sector review increased significantly

The AWV amendment expands the cross-sector review significantly and introduces a new investment threshold. A mandatory filing in the newly covered business sectors is only triggered if a non-EU/EFTA investor acquires 20% or more of the voting rights in a German target. The 10% threshold remains the applicable threshold for the business sectors previously covered. The “new” business sectors include:

  • developers or manufacturers of filter materials that are suitable as a starting material for respirators or medical face masks;
  • operators of a high-quality earth remote sensing system (e.g. satellites);
  • developers or manufacturers of goods which solve specific application problems by means of artificial intelligence and are capable of independently optimizing their algorithm, and which can be used inter alia to carry out cyber-attacks or imitate individuals in order to distribute targeted disinformation;
  • developers or manufacturers of motor vehicles or unmanned aircraft;
  • developers or manufacturers of specific industrial robots;
  • developers, manufacturers or refiners of micro- or nanoelectronics, including their components;
  • developers or manufacturers of specific security-relevant IT products or components of such products;
  • operators of an air carrier with an EU operating license or developers or manufacturers of goods mentioned in subcategories 7A, 7B, 7D, 7E, 9A, 9B, 9D, or 9E of Annex I of Regulation (EC) No 428/2009 (“Dual-Use Regulation”) or goods or technology intended for use in space or for use in space infrastructure systems;
  • developers, manufacturers, modifiers or users of goods of category 0 or of list headings 1B225, 1B226, 1B228, 1B231, 1B232, 1B233 or 1B235 of Annex I to Dual-Use Regulation;
  • developers or manufacturers of specific goods or components for such goods using quantum mechanics;
  • developers or manufacturers of goods with which components of metallic or ceramic materials are produced by means of additive manufacturing processes;
  • developers or manufacturers of goods specifically for the operation of wireless or wireline data networks;
  • manufacturers of (components of) smart meter gateways;
  • employers of persons who work in vital facilities at safety-sensitive locations;
  • processors or refiners of raw materials or ores that have been defined in the list of critical raw materials;
  • developers or manufacturers of goods within the scope of protection of a patent classified or a utility model classified; and
  • a German undertaking which is of fundamental importance for food safety and directly or indirectly manages an agricultural area of more than 10,000 hectares.

Scope of sector-specific review also broadened 

In addition, Section 60 of the AWV amendment expands the sector-specific review and now includes a reference to the entire part 1, section A of the export list [Ausfuhrliste]. It also captures developers or manufacturers or modifiers of goods in the field of defence technology, and those who have actual control over such goods which are within the scope of protection of a patent classified or a utility model classified. Both cases also apply to undertakings which have developed, produced or modified or had actual control over the respective goods in the past and which still have knowledge or other access to the underlying technology.

The acquisition of certain control rights opens the scope for ex officio investigations

The scope of the FDI review now also extends to acquisitions of control rights. Section 56(3) of the AWV amendment provides that the regime also applies to acquisitions of effective control over a German target, even if the voting rights threshold of 25% is not exceeded. This is particularly the case if an acquisition of voting rights is accompanied by (i) the guarantee of additional seats or majorities in supervisory bodies or in the management; (ii) the granting of veto rights in strategic business or personnel decisions; or (iii) the granting of information rights. Such rights must go beyond the influence which would ordinarily result from a 25% stake.

Increasing shareholding may trigger another filing obligation

The AWV amendment also clarified that share increases may lead to new filing obligations. If, for example, a non-EU/EFTA investor initially acquired 10% in a German target which operates a critical infrastructure and intends to increase its stake to 25%, 40%, 50%, or 75% (25%, 40%, 50%, or 75% in case of the 20% threshold for “new” business sectors, respectively) a mandatory filing is triggered.

Conclusion

The decision of the German regulator to introduce specific business sectors instead of referring to the broad categories mentioned in the EU Screening Regulation promotes legal certainty. However, it also significantly increases the regulatory burden for inbound M&A. First, the business sectors now covered by the German FDI regime will often require a sophisticated qualitative filing assessment. Secondly, since the categories of control are rather vague, a voluntary filing (to obtain a certificate of non-objection) will more often be considered as the only prudent course.

In light of this, investors should analyse potential FDI filing requirements at an early stage to avoid any time constraints impeding the completion of the transaction.


Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the issues discussed in this update. For further information, please feel free to contact the Gibson Dunn lawyer with whom you usually work, any member of the team in Frankfurt or Munich, or the following authors:

Georg Weidenbach (+49 69 247 411 550, gweidenbach@gibsondunn.com)
Michael Walther (+49 89 189 33 180, mwalther@gibsondunn.com)
Wilhelm Reinhardt (+49 69 247 411 520, wreinhardt@gibsondunn.com)
Linda Vögele (+49 69 247 411 536, lvoegele@gibsondunn.com)
Jan Vollkammer (+49 69 247 411 551, jvollkammer@gibsondunn.com)

© 2021 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

For the third consecutive year, following the publication of Gibson Dunn’s ninth annual U.S. Cybersecurity and Data Privacy Outlook and Review on Data Privacy Day, we offer this separate International Outlook and Review.

Like many recent years, 2020 saw significant developments in the evolution of the data protection and cybersecurity landscape in the European Union (“EU”):

  • On 16 July 2020, the Court of Justice of the EU (“CJEU” or “Court”) struck down as legally invalid the EU-U.S. Privacy Shield, on which some companies relied to transfer personal data from the EU to the U.S.  While companies are turning to other frameworks to transfer personal data, such as Standard Contractual Clauses (“SCCs”) and Binding Corporate Rules (“BCRs”), EU law also compels these companies to ensure that personal data will be safeguarded.
  • As a consequence of the COVID-19 pandemic, a number of public, corporate and workplace practices have emerged to limit the spread of the virus, all of which have privacy implications.  To respond to this, many EU Member States have issued rules and guidelines with respect to the processing of personal data in the context of the pandemic.
  • Negotiations among EU Member States have been ongoing regarding the adoption of a new e-Privacy Regulation, due to replace the soon 20-year-old e-Privacy Directive.  Meanwhile, EU supervisory authorities have continued to publish guidance on cookie practices and other e-privacy matters, as well as to impose heavy fines on companies in breach of cookies-related requirements.
  • Before Brexit was completed on 31 December 2020, the EU and the UK adopted the Trade and Cooperation Agreement, which includes an overall six-month “bridging mechanism” to cover transfers of personal data into the UK.  The European Commission and the UK are in negotiations to adopt an adequacy decision that can enable the free flow of personal data beyond this six-month period, as in the pre-Brexit scenario.

In addition to the EU, different legal developments occurred in other jurisdictions around the globe, including in other European jurisdictions, the Asia-Pacific region, the Middle East, Africa and Latin America.

We cover these topics and many more in this year’s International Cybersecurity and Data Privacy Outlook and Review.

__________________________________________

Table of Contents

I. European Union

A.        International Data Transfers

1.         The Schrems II Ruling
2.         Guidance Adopted by the EDPB and Member State Authorities
3.         Conclusions on Data Transfers

B.        COVID-19 Pandemic

1.         Guidance Adopted by Supervisory Authorities
2.         Guidance at EU Member State Level
3.         Next Challenges for the Fight against the COVID-19 Pandemic

C.        E-Privacy and Cookies

1.         Guidance Adopted by the EDPB and Member State Authorities
2.         Reform of the e-Privacy Directive
3.         Enforcement in Relation to Cookies

D.        Cybersecurity and Data Breaches

1.         Guidance and Initiatives Adopted by ENISA
2.         Enforcement in Relation to Cybersecurity

E.         The UK and Brexit

1.         Transfers from and into the EU/EEA and the UK
2.         Transfers from and into the UK and other Jurisdictions

F.         Other Significant Developments in the EU

II. Developments in Other European Jurisdictions: Switzerland, Turkey and Russia

A.        Russia

1.         Access Restriction Trend in Privacy Laws Enforcement
2.         The Russian Data Protection Authority Has Continued to Target Large, Multinational Digital Companies
3.         Legislative Updates

B.        Switzerland

1.         The Revised FADP
2.         The Swiss-U.S. Privacy Shield

C.        Turkey

1.         Turkish Data Protection Authority and Board Issues a Number of Regulations, Decisions and Guidance Documents
2.         Turkish Data Protection Act Continues to be Enforced

III. Developments in Asia-Pacific, Middle East and Africa

A.        Australia

B.        China

1.         New Developments in Chinese Legislation
2.         Enforcement of Chinese Data Protection and Cybersecurity Legislation

C.        Hong Kong SAR

D.        India

1.         Legislative initiatives
2.         Regulatory opinions and guidance
3.         Enforcement of data protection laws

E.         Indonesia

F.         Israel

G.        Japan

H.        Malaysia

I.        Singapore

J.        South Korea

K.        Thailand

L.        United Arab Emirates

M.       Other Developments in Africa

N.        Other Developments in the Middle East

O.        Other Developments in Southeast Asia

IV. Developments in Latin America and in the Caribbean Area

A.        Brazil

B.        Other Developments in South America

1.         Argentina
2.         Chile
3.         Colombia
4.         Mexico
5.         Uruguay

__________________________________________

I. European Union

A.  International Data Transfers

1. The Schrems II Ruling

On 16 July 2020, the CJEU struck down as legally invalid the EU-U.S. Privacy Shield, which some companies had relied upon to transfer personal data from the EU to the U.S.  The Court also ruled that the Standard Contractual Clauses (“SCCs”) approved by the European Commission, another mechanism used by many companies to transfer personal data outside of the EU, remained valid with some caveats.  The Court’s landmark decision has forced companies on both sides of the Atlantic to reassess their data transfer mechanisms, as well as the locations where they store and process personal data.[1]

2.  Guidance Adopted by the EDPB and Member State Authorities

Following the Schrems II ruling, several supervisory authorities shared their views and opinions on its interpretation.[2]  For its part, the UK Information Commissioner’s Office (“ICO”) invited companies to continue transferring data on the basis of the invalidated Privacy Shield, whereas several German authorities advised against it.

These initial reactions were superseded by the Frequently Asked Questions (“FAQ”) report issued by the European Data Protection Board (“EDPB”) on 23 July 2020.  In its FAQs on Schrems II, the EDPB stated, in particular, the following:

 

i. No “grace” period is granted for entities that relied on the EU-U.S. Privacy Shield.  Entities relying on the now invalidated Privacy Shield should immediately put in place other data transfer mechanisms or frameworks.

ii. Data controllers relying on SCCs and BCRs to transfer data should contact their processors to ensure that the level of protection required by EU law is respected in the third country concerned.  If personal data is not adequately protected in the importing Member State, the controller or the processor responsible should determine what supplementary measures would ensure an equivalent level of protection.

iii. If data transferred cannot be afforded a level of protection essentially equivalent to that guaranteed by EU law, data transfers should be immediately suspended.  Companies willing to continue transferring data under these circumstances should notify the competent supervisory authority(ies).[3]

In October 2020, the U.S. Department of Commerce and the European Commission announced that they had initiated discussions to evaluate the potential for a new version of the Privacy Shield that would be compliant with the requirements of the Schrems II ruling.[4]

Pending the discussions between the EU and the U.S. on a new data transfer framework, on 10 November 2020, the EDPB issued important new guidance on transferring personal data out of the EEA, namely:

 

i. Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data,[5] which aim to provide a methodology for data exporters to determine whether and which additional measures would need to be put in place for their transfers; and

ii. Recommendations 02/2020 on the European Essential Guarantees (“EEG”) for surveillance measures,[6] which aim to update the EEG, in order to provide elements to examine whether surveillance measures allowing access to personal data by public authorities in a receiving country, whether national security agencies or law enforcement authorities, can be regarded as a justifiable interference.

The EDPB’s guidance lessened some of the uncertainty caused by the Schrems II ruling.  However, since this guidance was issued in the form of a public consultation closing on 21 December 2020, it may be subject to further changes or amendments.

In the Recommendations on supplementary transfer tools, the EDPB recommends that data exporters: (i) map all transfers of personal data to third countries and verify that the data transferred is adequate, relevant and limited to what is necessary; (ii) verify the transfer tool on which the transfers are based; (iii) assess whether there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards, and document this assessment; (iv) identify and adopt additional measures (examples are provided in Annex 2 of the Recommendations); (v) take any formal procedural steps that the adoption of the supplementary measure may require; and (vi) re-evaluate at appropriate intervals the level of protection afforded to the data transferred.  Although the guidance takes the form of non-binding recommendations, companies that transfer personal data outside of the EEA would be well served to review their approach to such transfers in light of the EDPB guidance.

On 12 November 2020, the European Commission published a draft implementing decision on SCCs for the transfer of personal data to third countries along with a draft set of new SCCs.  The new SCCs include several modules to be used by companies, depending on the transfer scenario and designation of the parties under the GDPR, namely: (i) controller-to-controller transfers; (ii) controller-to-processor transfers; (iii) processor-to-processor transfers; and (iv) processor-to-controller transfers.

These new SCCs also incorporate some of the contractual supplementary measures recommended by the EDPB, as described above.  They were opened for a public consultation that closed on 10 December 2020, and the final new set of SCCs is expected to be adopted in early 2021.  At this stage, the draft provides for a grace period of one year during which it will be possible to continue to use the old SCCs for the execution of contracts concluded before the entry into force of the new SCCs.[7]

In addition, on 12 November 2020 the European Commission published a draft of SCCs for contracts between controllers and processors.  These SCCs are intended to be optional (the parties may choose to continue using their own data processing agreements) and were also opened for a public consultation that closed on 10 December 2020.  The final version of these SCCs is also expected to be adopted in early 2021.[8]

On 15 January 2021, the EDPB and European Data Protection Supervisor adopted joint opinions on both sets of SCCs (one opinion on the SCCs for contracts between controllers and processors, and another one on SCCs for the transfer of personal data to third countries).[9]

3.  Conclusions on Data Transfers

As explained above, 2020 was a year of changes when it comes to data transfer mechanisms.

The EU-U.S. Privacy Shield, once believed to have put an end to the issues raised by the EU-U.S. Safe Harbour, has again been deemed to be insufficient to safeguard the data protection rights of individuals in the EU.  It is expected that, with a change in the U.S. federal administration, and the need for authorities to give legal certainty and facilitate cross-border commercial activity in the current economic context, the EU and the U.S. will work swiftly towards a mechanism that can resolve transatlantic transfers once and for all.

The adoption of new SCCs, expected to occur in 2021, will also bring more certainty to companies that relied on this framework to transfer personal data.  The new sets of SCCs will cover wider scenarios than those under the current framework, reducing implementation costs and limiting uncertainty.  However, given the limited grace period expected to apply to pre-GDPR SCCs, and the introduction of changes to the new SCCs, companies should take the opportunity to review the new contractual framework and adapt it to their data transfer needs.

B.  COVID-19 Pandemic

The COVID-19 pandemic and the ensuing health crisis have led to the emergence of new practices to limit the spread of the virus, such as the issuance of tracing apps and the implementation of temperature checks at public administration buildings or at the workplace.  These practices involve the processing of various health data, and may therefore have privacy implications.  On the other hand, remote working has increased the exposure of companies and their employees to cybersecurity risks, such as the use of private (unprotected and non-certified) assets to review, print or process company information.[10]

1.  Guidance Adopted by Supervisory Authorities

On 19 March 2020, the EDPB adopted a statement on the processing of personal data in the context of COVID-19.  In the statement, the EDPB emphasised that while data protection rules should not hinder the fight against the virus, data controllers and processors must ensure the protection of personal data even in these exceptional times.[11]

Further, on 17 April 2020, the European Commission set out the criteria and requirements that applications supporting the fight against COVID-19 must meet in order to ensure compliance with data protection regulations.[12] Building on this guidance, the EDPB adopted Guidelines on geolocation and other tracing tools in the context of the COVID-19 outbreak as well as Guidelines on the processing of health data for research purposes in the context of the COVID-19 outbreak.[13]

Since the beginning of the pandemic, European authorities have also focused on pooling resources at the EU level.  The European Commission and the EDPB published materials relating to the interoperability between the Member States’ contact tracing applications, in order for users to be able to rely on a single app wherever they are located in the EU.[14]

The EDPS also issued a Preliminary Opinion on the European Health Data Space, which aims to promote better exchange and access to different types of health data within the EU.[15]

2.  Guidance at EU Member State Level

Member State supervisory authorities have also issued their own guidance with respect to the processing of personal data in the context of the COVID-19 pandemic.  Although authorities have emphasised the general principles set forth under the GDPR, they have failed to adopt a unified approach.

As regards national tracing applications, the UK ICO issued a notice on the joint initiative by two tech companies to enable the use of Bluetooth technology in contact research applications,[16] as well as on the development of contact tracing applications in accordance with the principles of privacy by design and privacy by default.[17]  In France, the French supervisory authority (the “CNIL”) opened and closed a formal enquiry into the national tracing app sponsored and developed by the French government,[18] after requesting the Ministry of Solidarity and Health to remedy certain breaches identified in the app.[19]  In Germany, as in France, the authority emphasised that the use of the national COVID-19 app should be voluntary.[20]

On a different note, supervisory authorities have also intervened in different degrees in the testing and tracing efforts of public authorities.  In the UK, for example, the ICO issued a notice on the recording and retention of personal data in support of the test and trace scheme, where it advised in particular to only collect data requested by the government, not to reuse the data for other purposes, and to delete the data as soon as it is no longer necessary.[21]  In Germany, a regional supervisory authority even issued warnings for excessive health requests.[22]

Supervisory authorities have also issued substantial guidance in respect of measures to fight the COVID-19 pandemic in an employment context, for example, in the UK,[23] France,[24] Italy,[25] Belgium[26] and the Netherlands.[27]  The topics covered by supervisory authorities include the implementation of tests and the monitoring of employees, the reporting of sensitive information to the employer, and in turn the communication of such information to the health authorities, as well as remote work.

The use of smart and thermal cameras has also been strictly regulated both in France and in Germany.[28]

3.  Next Challenges for the Fight against the COVID-19 Pandemic

While data protection laws were not meant to hinder the deployment of necessary measures to trace and contain the evolution of the virus, EU supervisory authorities have been adamant that this should not come at a cost in terms of privacy.

Privacy standards are likely to remain high as Member States commence their vaccination plans and prepare for the post-COVID-19 economic recovery.  For example, in the Member States the monitoring of doses and medical supervision of patients are generally conducted by qualified medical staff, and health and pharmaceutical institutions.  However, there is still some debate whether private and public institutions can issue or request vaccination “passports” or certificates to facilitate the safe movement of people.[29]  With regard to tracing and detection data, public administrations and companies have to assess the proper retention periods that apply to the storage and archive of such information.

C.  E-Privacy and Cookies

Against the backdrop of the ongoing EU discussions on the future e-Privacy Regulation, guidance has been released by Member State supervisory authorities.  Meanwhile, significant fines continue to be imposed on companies that do not comply with applicable e-privacy rules.

1.  Guidance Adopted by the EDPB and Member State Authorities

On 5 April 2020, the EDPB updated its Guidelines (05/2020) on consent, which now specifically address the practice of so-called “cookie walls” (a practice which consists in making access to online services and functionalities conditional on the consent of a user to cookies).  Among other things, in these Guidelines the EDPB explicitly states that continuing browsing on a website does not meet the requirements of valid consent.[30]

As a result of the additional clarifications provided by the EDPB, the Spanish supervisory authority (“AEPD”) updated its guidance on the use of cookies, denying the validity of consent obtained through cookie walls or continued browsing.[31]

In France, the CNIL adopted a different approach set by the French Administrative Court, which in a 2020 ruling invalidated the general and absolute ban on cookie walls.  Consequently, the CNIL adopted amending guidelines and a recommendation on the use of cookies and other tracing devices, offering practical examples of the collection of users’ consent.[32]

2.  Reform of the e-Privacy Directive

The e-Privacy Regulation was proposed by the European Commission in 2017 in order to update the legislative rules applicable to digital and online data processing and to align e-privacy laws to the GDPR.  Although the proposal was ambitious and promising at first, eight presidencies of the Council of the EU have been unable to push the project over the finish line.

In January 2021, the Portuguese Presidency of the Council of the EU (January to June 2021) proposed a new version (the 14th) of the e-Privacy Regulation, with the aim to simplify the text and further align it with the GDPR.[33]

While the new Regulation is not expected to be applicable before 2022, its adoption process should be closely monitored in order to anticipate compliance efforts that will be required, in particular in view of the shorter transition period (from 24 to 12 months) set out in the proposal of the Portuguese Presidency.

3.  Enforcement in Relation to Cookies

In parallel, Member State supervisory authorities continued to enforce their national e-privacy legislation transposing the e-Privacy Directive.

In Spain, a social network service was fined €30,000 for breaching the rules relating to cookies, specifically because its cookie banner did not enable users to reject the use of trackers or to issue consent per type of cookie.[34]  Similarly, the AEPD imposed a fine of the same amount on an airline for implementing a “cookie wall” on its website.[35]

In France, hefty fines have been imposed for violations of the legal provisions on cookies.  First, two companies of a food and goods retail distribution group were fined €2,250,000 and €800,000 for various violations, including the automatic setting of cookies on users’ terminals.[36]  More recently, two U.S. tech companies were fined €100 million and €35 million, respectively, for violating the legal framework applicable to cookies.  In particular, the CNIL observed that these companies placed advertising cookies on users’ computers without obtaining prior consent and without providing adequate information.[37]

D.  Cybersecurity and Data Breaches

As in previous years, EU and Member State supervisory authorities and cybersecurity agencies have continued to be active in the adoption of measures and decisions that enhance and enforce cybersecurity standards.

1. Guidance and Initiatives Adopted by ENISA

The EU Agency for Cybersecurity (“ENISA”) has the mandate of increasing the protection of public and private networks and information systems, to develop and improve cyber resilience and response capacities, and to develop skills and competencies in the field of cybersecurity, including management of personal data.

In 2020, ENISA continued to issue guidelines and to spearhead initiatives to achieve these objectives:

  • On 27 January 2020, ENISA released an online platform to assist companies in the security of personal data processing.  Among other things, the platform focuses on the analysis of technical solutions for the implementation of the GDPR, including the principle of privacy by design.  The platform may assist data controllers and processors in the determination of their approach when developing personal data protection policies.[38]
  • On 4 February 2020, ENISA published a report outlining frameworks, schemes and standards of possible future EU cybersecurity certification schemes.  The report focuses in particular on the current standards applied to fields such as the Internet of Things, cloud infrastructure and services, the financial sector and electronic health records.  The Report also addresses gaps in the current cybersecurity certification schemes, paving the way for the adoption of future EU cybersecurity certification schemes.[39]
  • On 19 March 2020, ENISA issued a report on security requirements for digital service providers and operators of essential services, based on Directive (EU) 2016/1148 of 6 July 2016 Concerning Measures for a High Common Level of Security of Network and Information Systems Across the Union (“NISD”) and the GDPR.  Among other things, the report proposes and sets the outline for a risk-based approach to security.  It identifies the guidelines relevant to NISD and GDPR security measures, recommends the establishment of certification mechanisms, and sets the need for competent EU bodies and research bodies to continue providing specialised guidance on state-of-the-art data protection and security techniques.[40]
  • On 9 June 2020, ENISA made available a visual tool to ensure transparency with regard to cybersecurity incidents.  The tool provides information on eight years of telecommunications security incidents, as well as four years of trust services incident reports.  In total, the tool provides information on 1,100 cybersecurity incidents notified as mandated by EU legislation for over nine years.  In its release, ENISA noted that, over the last four years, system failure was the most common cause behind both telecom security incidents and trust services incidents.[41]

Finally, it is worth noting the Strategy for a Trusted and Cyber Secure Europe released by ENISA on 17 July 2020.  The Strategy aims to achieve a high common level of cybersecurity across the EU, containing ENISA’s strategic objectives to boost cybersecurity, preparedness, and trust across the EU.  The Strategy sets out a list of seven objectives that it aims to reach, including the effective cooperation amongst operational actors within the EU in case of massive cyber incidents, the creation of a high level of trust in secure digital solutions, and efficient and effective cybersecurity information and knowledge management for Europe.[42]

2.  Enforcement in Relation to Cybersecurity

Member State supervisory authorities have been particularly active in sanctioning data breaches and the lack of appropriate security measures, with significant monetary penalties.

For example, in the UK, three sanctions have been especially significant.  First, an airline company was fined £20 million following a cyberattack in 2018, compromising the personal and financial data of more than 400,000 of its customers for over two months.[43]  ICO investigators found that the airline company should have identified weaknesses in its security and resolved them with security measures that were available at the time, which would have prevented the cyberattack.

Second, a hotel chain was fined £18.4 million after an estimated 339 million guest records worldwide were affected following a cyberattack that occurred in 2014, but remained undetected until September 2018.[44]  According to the ICO, the investigation revealed failures on the side of the hotel chain to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the GDPR.  In those two cases, the ICO significantly reduced the amount of the fine originally considered in its notice of intention to fine the companies, taking into account the company’s representations and the economic impact of the COVID-19 pandemic in setting the final amount of the fine.

Third, a ticket sales and distribution company was fined £1.25 million for failing to comply with its security obligations, in the context of a cyberattack on a chatbot installed on its online payment page, potentially affecting the data of 9.4 million people.[45]  The ICO concluded that the company failed to assess the risks of using a chatbot on its payment page, identify and implement appropriate security measures to negate the risks, and identify the source of suggested fraudulent activity in a timely manner.

In Germany, a German telecommunications service provider was fined by the German Federal Data Protection Authority for insufficient data security procedures established in a call centre that led to an inappropriate disclosure of a cell phone number of an individual who then complained to a data protection authority.  While the fine initially amounted to €9.5 million, it was challenged by the telecommunications service provider and later reduced by the competent district court in Bonn to €900,000.

More recently, in Ireland, a social network service was fined €450,000 concerning its 2019 data breach.  This decision bears great importance, as it represented the outcome of the first application of the GDPR dispute resolution mechanism, where the Irish Data Protection Commission adopted a decision further to the adoption of a prior decision by the EDPB.[46]

On 30 July 2020, the Council of the EU imposed its first ever sanctions on cyberattacks.  In particular, the Council adopted restrictive measures against six individuals and three entities responsible for or involved in various cyberattacks, including a travel ban and an asset freeze.  In addition, EU individuals and entities are forbidden from making funds available to these individuals and entities.[47]

E.   The UK and Brexit

The UK regained full autonomy over its data protection rules at the end of the Brexit transition period, on 31 December 2020.  However, before Brexit was concluded, the EU and the UK entered into the EU-UK Trade and Cooperation Agreement on 30 December 2020.[48]  This Agreement regulates data flows from the EU/EEA to the UK under a so-called “bridging mechanism”, and sets a timeline for the adoption of an EU-UK adequacy decision thereafter.

The Trade and Cooperation Agreement includes mechanisms to enable the UK to make changes to its data protection regime or exercise international transfer powers, subject to mutual agreement, without affecting the bridging mechanism.  The EU does not have the power to block changes to the UK’s framework or use of its powers.  However, if the EU objects to changes considered by the UK, and the UK implements them despite these objections, the EU/EEA-UK bridge will be terminated.

1.  Transfers from and into the EU/EEA and the UK

As indicated above, the bridging mechanism contained in the EU-UK Trade and Cooperation Agreement covers personal data transfers from the EU/EEA to the UK.  According to the provisions in the Agreement, it will apply for up to a maximum period of six months, unless an adequacy decision comes into effect earlier.  The adoption of an EU adequacy decision for the UK, which is expected to be adopted in 2021, would enable the ongoing free flow of personal data from the EEA to the UK thereafter, without needing to implement additional safeguards.

Notwithstanding the stability offered by the Trade and Cooperation Agreement, the UK Government has advised companies to put in place alternative transfer mechanisms that may safeguard personal data received from the EEA against any interruption to the free flow of personal data.[49]  SCCs have been identified as the most relevant mechanism that organisations may resort to in order to safeguard such transfers.

On the other side, regarding personal data transfers from the UK to the EU/EEA and Gibraltar, the conditions under which such transfers may be made will remain unchanged and unrestricted, according to the UK Government.[50]

2.  Transfers from and into the UK and other Jurisdictions

The transfer of personal data from third countries and territories to the UK generally raises questions of legal compliance in the exporting jurisdiction.  The impact of Brexit has been particularly significant regarding the regulation of data transfers into the UK from jurisdictions that were already covered by an adequacy decision of the European Commission.

Pre-Brexit, the European Commission had made findings of adequacy of personal data transfers to a number of jurisdictions.[51]  These adequacy decisions generally address the inbound transfer of personal data from these jurisdictions into the EU/EEA.  However, in order to obtain and maintain these adequacy decisions, these jurisdictions put in place legal restrictions on (onward) transfers of personal data to countries outside the EEA, which now include the UK.

To resolve potential issues on transfers of personal data from these jurisdictions to the UK, the governments of most of these jurisdictions have issued statements, resolutions and even modified their legal regimes in order to permit the continued transfer of personal data into the UK.  The UK ICO has indicated that it is continuing to work with these jurisdictions in order to make specific arrangements for transfers of personal data to the UK.[52]

On the UK side, the 2019 Brexit regulations applicable to data protection matters recognised the European Commission’s adequacy decisions, and rendered permissible cross-border transfers of personal data to these jurisdictions.[53]  The Government and the ICO are working on the adoption of new UK adequacy regulations, to confirm that particular countries, territories or international organisations ensure an adequate level of protection, so as to allow transfers of personal data from the UK to these jurisdictions, without the need for adoption of additional safeguards.  SCCs and other mechanisms for lawful international data transfers may be put in place to cover transfers of personal data from the UK to jurisdictions not covered by adequacy decisions.

F.  Other Significant Developments in the EU

More generally, this year has been marked by the adoption of important EDPB Guidelines.  In addition to those mentioned above, the EDPB released new Guidelines on the concepts of controller and processor, on the targeting of social media users, and on data protection by design and by default.[54]

Furthermore, hefty fines were imposed as mentioned in Sections I.A to D above, in particular in France with the €100 million fine imposed on a tech company which is the highest penalty ever imposed by a supervisory authority as of end of December 2020.

Fines were also imposed on topics other than those addressed above.  In particular, in Germany, the Hamburg supervisory authority fined a retail company €35.3 million for illegally collecting and storing sensitive personal data from employees, such as information about health condition, religious beliefs and family matters.  According to the authority’s investigation, data about the personal life of the company’s employees had been collected comprehensively and extensively by supervisors since at least 2014, and stored on the company’s network drive.  This information was accessible to up to 50 managers of the company and was used, among other things, to create profiles of individual employees in order to evaluate their work performance and to adopt employment decisions.  In sum, the practice of the company amounted to a number of data protection violations, including a lack of legal basis for the data processing, illegal processing of the data, and the absence of controls to limit storage and access to the data.[55]

Significant monetary penalties have also been imposed due to the lack of valid consent under the GDPR:

  • In Italy, two telecommunications operators were fined approximately €17 and €12 million for processing hundreds of unsolicited marketing communications without having obtained users’ prior consent, without having offered to users their right to object to the processing, and for aggressive telemarketing practices, respectively.[56]
  • In Spain, the AEPD fined a bank €5 million for violations of the right to information and for lack of valid consent.  In particular, the bank used imprecise terminology to define the privacy policy, and provided insufficient information about the category of personal data processed, especially in relation to customer data obtained through financial products, services, and channels.  Moreover, the bank failed to obtain consent before issuing promotional SMS messages, and did not have in place a specific mechanism for consent to be obtained by customers and account managers.[57]

As regards the requirements for valid consent under the GDPR, the CJEU, in its ruling on Orange România SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal, decided that valid consent cannot be inferred from a preselected box in a contract for the provision of telecommunications services, whereby the customer allegedly consents to the collection and storage of his/her identity document.  The Court specified that this is also the case where the customer is misled as to the possibility of concluding the contract if he/she refuses to consent to the processing of his/her data, or where the freedom to choose to object to that collection and storage is affected by the requirement to complete an additional form setting out that refusal.[58]

In addition to increased scrutiny by data protection authorities, there is also a slightly increasing trend in private enforcement actions from consumers and (former) employees.  These actions primarily relate both to the enforcement of transparency and access rights to personal data and to claims for compensation for alleged GDPR violations.

II. Developments in Other European Jurisdictions: Switzerland, Turkey and Russia

As explained in the 2020 International Outlook and Review, the increasing impact of digital services in Europe and the overhaul brought about by the GDPR in the EU have continued to influence the regulatory and enforcement actions of jurisdictions in the vicinity of the EU.

A.  Russia

1.   Access Restriction Trend in Privacy Laws Enforcement

Russian local data privacy laws have continued to be heavily enforced by the Russian Federal Service for the Supervision of Communications, Information Technology and Mass Communications (“Roskomnadzor”).  This activity reflects the growing priority and concern that personal data protection represents for the Russian population.  According to Roskomnadzor’s statistics, in the previous year the number of complaints concerning personal data protection had increased to 50,300.  The largest number of complaints related to the actions of the owners of internet sites, including social networks, credit institutions, housing and communal services organisations, and collection agencies.[59]

The most notable activity of Roskomnadzor in 2020 was its use of its regulatory powers to manage the activities of numerous Internet-based services.  Below we describe three noteworthy cases where access to an Internet resource was restricted by Roskomnadzor until the respective company satisfied certain expectations and/or requests of the regulator.

On 29 January 2020, Roskomnadzor announced that it would restrict access to the mail service of a tech company.  In deciding so, Roskomnadzor noted that the company was used by cybercriminals to send false messages under the guise of reliable information, and that it had categorically refused Roskomnadzor’s repeated requests for information to be included in the register of information dissemination organisers on the Internet.[60]  However, the company has taken actions to address the situation, and the service is currently accessible to Russian users.

On 20 February 2020, Roskomnadzor took a similar measure and temporarily restricted access to another email service provider.[61]  The authority stated that, in 2019 and in February 2020, the email service had been used by cyber-attackers to send false messages under the guise of reliable information about the massive mining of social transport infrastructure and ships in the Russian Federation.

On 18 June 2020, Roskomnadzor also announced that it had removed the requirements to restrict access to the messaging application of a tech company.[62]  This decision was paired with Roskomnadzor’s declaration of its readiness to cooperate with internet companies operating in Russia to quickly suppress the spread of terrorist and extremist information, child pornography, and the promotion of suicide and drugs.  In addition, Roskomnadzor noted that, through joint efforts with leading Russian and foreign companies, it had removed, on average and weekly, 2,500 materials relating to suicidal behaviours, 1,300 materials of an extremist and terrorist nature, 800 materials propagandising drug use, and 300 materials containing pornographic images of minors.

2.  The Russian Data Protection Authority Has Continued to Target Large, Multinational Digital Companies

In 2020, Roskomnadzor followed its set trend in targeting large, multinational digital companies.  On 31 January 2020 the authority announced that it had initiated administrative proceedings against two social network services.[63]  In particular, Roskomnadzor stated that these companies did not meet the requirements for data localisation of Russian users on servers located in the Russian Federation.

Following the authority’s proceedings, on 13 February 2020, the Tagansky District Court of Moscow fined both social network services RUB 4 million (approx. €45,000) for these violations.[64]  The Court affirmed the authority’s finding that one of the companies had violated Russia’s legal requirement to record, organise and store the personal data of Russian citizens in databases located in the Russian Federation.[65]

3.  Legislative Updates

Several notable laws have been adopted at the end of 2020.

New amendments to the Code of Administrative Offenses of the Russian Federation entail considerable fines for failure to delete prohibited information upon the request of Roskomnadzor.[66]  The fines, which can be imposed on hosting providers or any person enabling other persons to publish information on the Internet for failure to restrict access to prohibited information, and on owners of websites or Internet resources for non-deletion of prohibited information, may be up to RUB 4,000,000 (approx. €45,000) for the first offence and up to 10% of the company’s annual turnover from the preceding calendar year (but not less than RUB 4,000,000) for the subsequent offence.  If prohibited information contains propaganda of extremism, child pornography, or drugs, liability is increased to up to RUB 8,000,000 (approx. €90,000) for the first offence or up to 20% of the company’s annual revenue from the preceding calendar year (but not less than RUB 8,000,000) for the subsequent offence.  This law is aimed at establishing liability for hosting providers, owners of websites and information resources who fail to restrict access to or delete information whose dissemination is prohibited in Russia, and came into force on 10 January 2021.

Another amendment to Russian law[67] significantly increases the risk of internet resources being blocked in Russia.  The law introduces the status of the owner of an Internet resource involved in violations of the fundamental human rights of Russian citizens.  The Prosecutor General, in consultation with the Russian Foreign Ministry, may assign this status to the owner of an Internet resource that discriminates against materials from the Russian media.  Such a decision can be made if the internet resource limits access to socially important information based on nationality or language, or in connection with the imposition of sanctions against Russia or its citizens.  If the owner of the internet resource censors or otherwise restricts access to the accounts of Russian media, Roskomnadzor is entitled to restrict access to such internet resource, fully or partially.  This law came into force on 10 January 2021.

The law amending the Personal Data Law significantly changes the legal landscape with regard to the processing of publicly available personal data.[68]  Under the new law, data controllers making personal data publicly available for further processing by third parties must obtain individuals’ explicit consent, which must not be bundled with any other consent, and data subjects have a wide range of rights in this regard.

Third parties who intend to process publicly available personal data have three options: (i) to rely on the consent obtained by the controller when making the data publicly available, subject to compliance with the rules of data processing; (ii) to rely on the consent provided by an individual to Roskomnadzor via a dedicated web-based platform to be set up under the law, but also subject to compliance with the rules of data processing; or (iii) to ensure on their own that they have appropriate legal grounds as per the general requirements of Russian Personal Data Law.  The above rules will enter into force as of 1 March 2021.

In addition, the new law introduces the data controller’s obligation to publish information on the processing terms and existing prohibitions and conditions for processing of personal data, permitted by a data subject for dissemination, by an unlimited number of persons.  These new requirements will come into force as of 1 July 2021.  According to the amendments to the Law on Information, Information Technologies, and Information Protection, if a resource is considered a social network, it will be included in the register maintained by the Roskomnadzor.[69]  These amendments impose moderation obligations on social networks regarding the content published by users, and require them to make available certain information on their websites.

In practice, social networks will now be required to identify and restrict access to illegal content.[70]  Furthermore, the following information must be posted on the social network by its owner: (i) name, email address and an electronic form for sending requests about the illegal content; (ii) annual reports on the results of the consideration of requests and monitoring activities; (iii) terms of use of the social network.  This amendment will enter into force on 1 February 2021.

The recently adopted laws evidence the trend of the increased regulation of IT-industry activities in Russia.  With these new regulations, the Russian authorities increase the regulatory mechanisms that may affect the activities of websites, news media, social media, social networks and video hosting services in Russia.

B.  Switzerland

1.  The Revised FADP

On 25 September 2020, the Swiss Parliament adopted the revised version of the Federal Act on Data Protection 1992 (“Revised FADP”).[71]  The Revised FADP is not in force yet, as it was subject to approval by referendum until 14 January 2021 (which was not held).  The Federal Council will decide on entry into force which is expected during 2021 or at the beginning of 2022.  The specific date is particularly important because the Revised FADP does not provide for any transitional periods.

One of the main reasons behind the adoption of the Revised FADP was to ensure that the EU recognises Switzerland as providing an adequate level of protection to personal data according to GDPR standards.

The most significant differences between the Revised FADP and the previous version are the following:

  • The Revised FADP now codifies expressly the international principle of the effects doctrine, subject to the principles governing civil and criminal enforcement that remain in place.[72]  Hence, the Revised FADP will also apply to persons that are domiciled outside of Switzerland if they process personal data and this data processing has an effect in Switzerland.
  • Personal data pertaining to legal entities is no longer covered by the Revised FADP, which is in line with the GDPR and most foreign data protection laws.[73]
  • The Revised FADP will extend the term of sensitive data by adding two new categories: (i) genetic data; and (ii) biometric data that uniquely identifies an individual.[74]
  • The Revised FADP now contains a legal definition of profiling that corresponds to the definition in the GDPR.[75]
  • The Revised FADP distinguishes controllers and processors.[76]
  • Like the GDPR, the Revised FADP contains provisions concerning data protection by design and by default.[77]
  • The Revised FADP provides that a processor can hire a sub-processor only with the prior consent of the controller.[78]
  • Under the Revised FADP and subject to specific exemptions, controllers and processors must maintain records of data processing activities under their respective responsibility.  The former duty to notify data files to and register with the Federal Data Protection and Information Commissioner (“FDPIC”) has been abolished.[79]
  • Under the Revised FADP and under specific conditions, controllers that are domiciled or resident abroad and process personal data of Swiss individuals must designate a representative in Switzerland.[80]
  • The Revised FADP provides that individuals must (at the time of collection) be informed about certain minimum information[81] and have a new right to intervene in case of automated decision-making.[82]
  • Under the Revised FADP, the FDPIC will have the power to issue binding decisions.  However, it will not have the unilateral power to impose fines, unlike most data protection authorities in Europe – resort to Swiss courts will be required.
  • Controllers are required to conduct a Data Protection Impact Assessment (“DPIA”) where there is a high risk for the privacy and the fundamental rights of data subjects.[83]
  • Controllers will have a data breach notification obligation to the FDPIC where an incident results in high risk for data subjects.[84]
  • The Revised FADP introduces the right to data portability, which was not covered by the previous data protection law.[85]
  • The maximum amount of sanctions for individuals will be CHF 250,000 (approx. €232,000),[86] and the Revised FADP also extends criminal liability to the violation of additional data protection obligations.

As can be seen, there are significant similarities between the Revised FADP and the GDPR.  The entry into force of the Revised FADP is therefore expected to lead to continuity in the cross-border data transfers between the EU and Switzerland.

2. The Swiss-U.S. Privacy Shield

On 8 September 2020, the FDPIC published an assessment on the Swiss-U.S. Privacy Shield where it found that the cross-border transfer mechanism did not guarantee an adequate level of protection regarding data transfers from Switzerland to the U.S.[87]  Prior to FDPIC’s assessment, the CJEU had delivered its judgment in Schrems II,[88] in July 2020, which rendered the European Commission’s decision on the EU-U.S. Privacy Shield invalid.

The FDPIC identified two key problems concerning the Swiss-U.S. Privacy Shield, namely: (i) the lack of an enforceable legal remedy for persons concerned in Switzerland in particular due to the inability to assess the effectiveness of the Ombudsman mechanism because of a lack of transparency; and (ii) the inability to assess the decision-making abilities of the Ombudsman and its independence with respect to U.S. intelligence services.  Since FDPIC’s assessment is a soft-law instrument without legally binding nature, the Swiss-U.S. Privacy Shield will remain valid and binding for the companies registered unless and until it is repealed or annulled on a case-by-case basis by the competent Swiss courts or in its entirety by the U.S.

C.  Turkey

1.  Turkish Data Protection Authority and Board Issues a Number of Regulations, Decisions and Guidance Documents

In 2020, the Turkish Data Protection Authority (“KVKK”) and the Turkish Data Protection Board (the “Board”) continued to issue a number of statements, decisions and guidance documents regarding the application and enforcement of Turkish data protection provisions.  We outline and briefly explain below the most relevant ones:

  • On 16 December 2020, the KVKK issued a statement on the data protection rules related to publicly available personal data.  In the statement, the KVKK acknowledged that the Law on Protection of Personal Data No. 6698 (“Turkish Data Protection Act”) allows personal data to be processed where the data concerned is made available to the public by the data subject themselves.[89]  However, the KVKK clarified that the concept of “making data public” has a narrow meaning under the Turkish Data Protection Act, and only covers scenarios where the data subjects wish the data to be public for data processing – the mere act of making personal data available to the public is not sufficient.
  • On 26 October 2020, the KVKK issued a statement on cross-border data transfers outside of Turkey.[90]  The statement noted that the Turkish Data Protection Act allowed a grace period for compliance with relevant data transfer provisions, and that several deadlines had been extended due to the COVID-19 pandemic.  The KVKK also committed to eliminate and correct any misunderstandings arising from the interpretation and implementation of the Act, which had led to criticism from practitioners and scholars.  As a start, the KVKK clarified that the Board will carry out assessments on the adequacy of foreign jurisdictions for data transfers based on a number of factors, including the reciprocity concerning data transfers between the importing country and Turkey.  The KVKK also indicated that “Binding Corporate Rules” (“BCRs”) may be applicable and used in data transfers between multinational group companies.  Indeed, on 10 April 2020, the KVKK introduced BCRs to the Turkish data protection law, to be used in cross-border personal data transfers of multinational group companies.[91]  In its announcement, the KVKK described the undertaking letter procedure for data transfers outside of Turkey, and stated that although undertaking letters make bilateral data transfers easier, they may be inadequate in terms of data transfers between multinational group companies.  Therefore, the KVKK determined BCRs as another means that could be used in international data transfers between group companies.
  • On 17 July 2020, the KVKK issued a statement on de-indexing of personal data from search engine results[92] based on the Board’s decision with number 2020/481.[93]  The KVKK stated in its announcement that it had evaluated the applications submitted to it requesting the de-indexing of web search results.  Within the scope of the “right to be forgotten”, the Board decided that search engines should be considered “data controllers” under the Turkish Data Protection Act, that individuals may primarily convey their de-indexing requests to the search engines and file complaints before the KVKK, and that search engines should conduct a balancing test between fundamental rights and freedoms and the public interest.  Additionally, the KVKK published a criteria document[94] indicating that de-indexing requests should be considered in light of the issues set out therein; the document is mainly based on the Article 29 Working Party’s Opinion on the Guidelines on the Implementation of the Court of Justice of the European Union Judgment on the Costeja Case.
  • On 26 June 2020, the KVKK issued a statement on the obligation to inform data subjects.[95]  The statement concerns the general rules that are already regulated under the Turkish Data Protection Act and secondary legislation concerning the obligation to inform imposed on data controllers.  The KVKK indicated in its announcement that privacy policies or data processing policies should not be used to fulfill the obligation to inform and thus, privacy notices should be separated from these texts.  Following that, the KVKK listed several examples of deficiencies and illegalities relating to the obligation to inform.
  • On 9 April 2020, the KVKK issued a statement on the processing of location data in light of the COVID-19 pandemic.[96]  The statement highlights that many other countries have used and allowed the use of personal data, such as the health, location and contact information of individuals, to identify those who carry or are at risk of carrying this disease.  The KVKK recalls that the processing of this data needs to be carried out within the framework of the basic principles enshrined in the Turkish Data Protection Act.

2.  Turkish Data Protection Act Continues to be Enforced

2020 was also a year in which the KVKK enforced the Turkish Data Protection Act in a number of data protection proceedings.

On 6 February 2020, the KVKK fined an undisclosed bank TRY 210,000 (approx. €27,800) for illegally processing personal data to gain potential customers.[97]  The case concerned the creation of bank accounts without the knowledge or consent of individuals, using information gained by the bank via a third party.  The KVKK found that the bank had acted in breach of its security obligations to prevent unlawful processing of personal data.

On 22 July 2020, the KVKK fined an automotive company TRY 900,000 (approx. €101,840) for violations related to the transfer of personal data based on the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (“Convention 108”).[98]  The software provider sought to rely on the fact that the receiving country was party to Convention 108 and, therefore, offered sufficient protection to personal data imported from Turkey.  However, the KVKK outlined that the fact that a receiving country is a party to Convention 108 is in itself an insufficient measure in determining adequate protection of data.  The data transfer had thus been carried out in breach of the Turkish Data Protection Act, without data subjects’ consent and not benefitting from any of the exceptions set out in the Turkish Data Protection Act.  It is worth noting, in this regard, that the KVKK is yet to publish the list of countries deemed to provide sufficient protection under Turkish law.  Finally, the decision notes that the data controller failed to comply with its data security obligations, as it had failed to prevent the unlawful processing and transfer of personal data.  The KVKK ordered the data controller to delete/destroy the personal data unlawfully transferred outside of Turkey.

On 16 April 2020, the KVKK fined a gaming company TRY 1,100,000 (approx. €120,000) for failing to notify the KVKK of a data breach within seventy-two (72) hours after becoming aware of it and for failing to take required data security measures.[99]

On 27 February 2020, the KVKK fined an e-commerce company TRY 1,200,000 (approx. €120,000), mainly TRY 1,100,000 for failing to fulfil the obligations relating to data security and TRY 100,000 for failing to comply with the obligation to inform data subjects.[100]  The Board also ordered the data controller to revise its data processing processes and its privacy policy, Conditions of Sale and Use and Cookie Notice in accordance with the determined irregularities and in line with the Turkish Data Protection Act.  The Board stated in its decision that (i) the privacy policy contains a great deal of general information about personal data processing, and this does not mean that the data subjects are duly informed; (ii) although the data processing activities start with the cookies as soon as a user enters the website, the information obligation is not complied with at any stage, such as cookies or member login to the website; (iii) explicit consent is not obtained for commercial electronic communications and cross-border transfer of personal data; and (iv) considering that the undertaking letters submitted for cross-border transfer of personal data are not approved and the safe countries have not been announced, the data controller may only transfer personal data abroad based on data subjects’ explicit consent.

III.  Developments in Asia-Pacific, Middle East and Africa

A.    Australia

The Australian government released the Terms of Reference and Issues Paper for the review of the Privacy Act 1988, and solicited public submissions by 29 November 2020.  This wholesale review may update main provisions of the Privacy Act 1988, such as increasing maximum civil penalties, creating a binding privacy code for social media platforms, strengthening notification and consent requirements, modifying international data transfers, and expanding the definition of personal information.  The government plans to issue a discussion paper seeking specific feedback on preliminary outcomes and possible areas of reform in early 2021.

B. China

1. New Developments in Chinese Legislation

The most significant legislative framework in China for the protection of personal data is the Cybersecurity Law (“Cybersecurity Law”) which came into effect on 1 June 2017.  Two additional laws were introduced into the pipeline in 2020: the Draft Personal Information Protection Law[101] (“Draft PIPL”); and the Draft Data Security Law (“Draft DSL”).  Once adopted, these three legal instruments (the Cybersecurity Law, the Draft Data Security Law and the Draft PIPL) are expected to become the fundamental laws in the field of cybersecurity and data protection in China.

The Draft PIPL is intended to be a general data protection law, which could harmonise the current fragmented legislative framework.  However, even after the adoption of the Draft PIPL, personal information protection in China would remain sector based.

The Draft PIPL was partially inspired by the GDPR, but it has important differences that prevent a common cross-border approach (e.g., regarding the legal grounds for data processing, there is no legal basis of legitimate interest of the controller).  Using a single privacy framework for EU and Chinese companies would consequently not result in adequate compliance.

The Draft PIPL introduces substantial new fines.  For example, data processors are subject to fines of RMB 50 million (approx. €8 million, or $7.4 million), or 5% of the company’s revenue from the previous year.[102] In addition, the Cyberspace Administration of China would also have the competence to blacklist organisations and individuals for misusing data subjects’ data.[103]

On 18 November 2020, the Centre for Information Policy Leadership (“CIPL”) submitted recommendations on possible modifications of the Draft PIPL in order to ensure the protection of China’s citizens, businesses and government data,[104] including the following:

  • The Draft PIPL includes definitions for sensitive personal information,[105] including biometric, financial, ethnic and religious information.  The CIPL suggested a risk-based approach to assess personal data processing, rather than providing categories of predefined “sensitive information”.
  • According to the CIPL, exemptions should be provided to the general requirement to appoint data protection officers and representatives, in line with other foreign privacy laws like the GDPR.
  • The Draft PIPL should explain further what conditions or factors are required to satisfy the Cyberspace Administration’s security assessment for cross-border transfers of personal data.
  • The Draft PIPL should clarify what constitutes a “serious” unlawful act.
  • Finally, the CIPL recommended that organisations be afforded a two-year grace period from the date that the Draft PIPL is passed, to be fully compliant.

The other major legislative proposal, the Draft DSL, is intended to provide the fundamental rules of data security for both personal and non-personal data.  The intended scope of application of the Draft DSL is broad, applying to “activities” (actions including collection, storage, processing, use, supply, trade and publishing) regarding “data” (any record of information in electronic or non-electronic form).

Finally, on 1 January 2021 the Civil Code of the People’s Republic of China entered into force, adopted by the third session of the 13th NPC.  The Civil Code applies to all businesses in general (without distinguishing among controllers and processors), and introduces rules for the protection of personal information, including its collection, use, disclosure, and processing.

2. Enforcement of Chinese Data Protection and Cybersecurity Legislation

In August 2020, the China Banking and Insurance Regulatory Commission (“CBIRC”) issued two separate fines of RMB 1 million ($150,000) on two banks.[106]  In both cases the banks were fined for failures to provide protection to personal data of credit card customers.

C.  Hong Kong SAR

On June 30, 2020, the Law of the People’s Republic of China on Safeguarding National Security in the Hong Kong Special Administrative Region (the “NSL”) passed by the Standing Committee of the National People’s Congress of the People’s Republic of China (the “PRC”) became effective in Hong Kong.  The NSL empowers law enforcement authorities to search electronic devices and premises that may contain evidence of related offenses and carry out covert surveillance upon approval of the Chief Executive; criminalizes acts of terrorism, subversion, secession, or collusion with foreign or external forces to endanger national security; and holds incorporated or unincorporated entities accountable for violations of the NSL.

Furthermore, the Committee for Safeguarding National Security (the “Committee”), which consists of specified Hong Kong officials and an advisor appointed by the Central People’s Government of the PRC (the “CPG”), is established pursuant to the NSL and assumes various duties including formulating work plans and policies, advancing the enforcement mechanisms and coordinating significant operations for safeguarding national security in Hong Kong.  Decisions made by the Committee are not subject to judicial review.

The Office for Safeguarding National Security of the CPG (the “Office”) may in specified circumstances assume jurisdiction over serious or complex cases which would be difficult or ineffective for Hong Kong to handle in light of, for example, involvement of a foreign country or external elements. Such cases shall be investigated by the Office and, upon prosecution by a body designated by the Supreme People’s Procuratorate, adjudicated by a court designated by the Supreme People’s Court of the PRC.

The NSL applies not only to offenses committed or having consequences in Hong Kong by any person or entity, but also offenses committed from outside Hong Kong against Hong Kong by any person or entity.

D.  India

1. Legislative initiatives

As indicated in the 2020 International Outlook and Review, the Personal Data Protection Bill 2019 (“PDP Bill”) was introduced in Parliament on 11 December 2019 adapted from the draft data protection legislation presented to the Ministry of Electronics and Information Technology on 27 July 2018[107], by the committee of experts led by Justice Srikrishna.  Thereafter the PDP Bill was referred to a Joint Parliamentary Committee for its review.  As of January 2021, the PDP Bill is in its final stages of deliberation and is expected to be promulgated soon.  Several industry bodies and stakeholders were asked to depose before the Joint Parliamentary Committee for their views on the amendments made in the PDP Bill and the desired requisites of a national data protection law.  Until the PDP Bill is enacted, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, continue to govern data protection in India.

In September 2019, the Ministry of Electronics and Information Technology constituted a committee of experts (“Committee”) to devise a framework for the regulation of non-personal data.  Ultimately, on 12 July 2020, the Committee released a Report on Non-Personal Data Governance Framework (“NPD Framework”)[108], where it emphasised that the regulation of non-personal data is necessary to incentivise innovation, create value from data sharing, address privacy concerns, and prevent harm.  The NPD Framework was met with criticism for the imposition of compulsory data sharing obligations and onerous compliance requirements on entities collecting and managing non-personal data.  After reviewing feedback from public and stakeholders, the Committee released a revised version of the NPD Framework on 1 January 2021, wherein the Committee provided several clarifications to the earlier draft and streamlined the jurisdictions of the PDP Bill and the NPD Framework.  The NPD Framework is still under public consultation and is yet to be presented before the Parliament as a bill for the promulgation of a single national-level regulation to establish rights over non-personal data collected and created in India.

In August 2020, the Government of India also proposed a data-sharing framework in the fintech sector.  The National Institution for Transforming India (“NITI Aayog”) released a draft framework on the Data Empowerment and Protection Architecture[109] which will be implemented by the four government regulators: the Reserve Bank of India, the Securities and Exchange Board of India, the Insurance Regulatory and Development Authority, and the Pension Fund Regulatory and Development Authority, and the Ministry of Finance.  The draft aims to institute a mechanism for secure consent-based data sharing in the fintech sector, which may be an important step towards empowering individuals in relation to their personal data.  The draft aims to enable individuals to share their financial data across banks, insurers, lenders, mutual fund houses, investors, tax collectors, and pension funds in a secure manner.

In August 2020, the Government of India also launched the National Digital Health Mission (“NDHM”), a visionary project which intends to digitise the entire health care ecosystem of India.  The National Health Data Management Policy, 2020[110] came into force on 15 December, 2020, and is the first step in realising the NDHM’s guiding principle of “security and privacy by design” for the protection of data principals’ personal digital health data privacy.  It is intended to be a guidance document across the National Digital Health Ecosystem and sets out the minimum standard for data privacy protection for data relating to the physiological and psychological health of individuals in India.

2.  Regulatory opinions and guidance

Indian institutions have also adopted certain measures in response to the challenges resulting from the COVID-19 pandemic.  For instance, the Data Security Council of India (“DSCI”) issued the best practices on working from home in light of COVID-19[111] on 18 March, 2020.  The guidance notes, among other things, that virtual private networks should only be used on company-owned devices, employees should access company data and applications through a browser-based webpage or virtual desktop, and a risk assessment should be conducted when selecting a remote access method.  In addition, the guidance outlines a basic mandate for organisations and employees, which includes taking care of the confidentiality of valuable transactions and sensitive financial documents when working from home.

In a similar vein, the DSCI published, on 24 April 2020, its guidelines on data privacy during the COVID-19 pandemic, which highlights the privacy implications of COVID-19 for different sets of stakeholders and provides privacy and data protection practices.[112]  The guidelines address healthcare privacy considerations and note the importance of notifying patients of all information that is collected, having specific protocols in place to ensure that consent is obtained, having internal and external audit mechanisms to assess privacy measures, and using health data solely for the specific purposes of their collection.  Finally, the guidelines provide working from home considerations both for employers and employees, noting the importance of revisiting data protection strategies, data management practices, remaining compliant with regulatory obligations, conducting Data Protection Impact Assessments to ascertain privacy risks, and spreading privacy awareness and training across organisations.[113]

The DSCI also published its Report for Enabling Accountable Data Transfers from India to the United States Under India’s Proposed Personal Data Protection Bill on 8 September 2020[114] (“Report on Data Transfers”).  The purpose of the Report on Data Transfers is to make additional recommendations to the existing draft of the PDP Bill to enable free flow of data between countries, especially with the U.S. owing to the value it adds to India’s digital economy, and to provide solutions for facilitating India-US data transfers.  The Report on Data Transfers also suggests, among other things, that the PDP Bill’s provision on the creation of codes of practice should include certification requirements in order to increase interoperability between different privacy regimes as well as facilitate cross-border transfer mechanisms.

On 2 September 2020, the Artificial Intelligence Standardisation Committee for the Department of Telecommunication released its Indian AI Stack discussion paper.[115]  The Discussion Paper notes that the AI Stack will, among other things, secure storage environments that simplify archiving and extraction from data based on the data classification, ensure the protection of data through data federation, data minimisation, an open algorithm framework, defined data structures, interfaces and protocols, and monitoring, auditing, and logging, as well as ensuring the legitimacy of backend services.

3. Enforcement of data protection laws

In 2020, the Government of India adopted three decisions to block applications following information that they were engaging in activities which were prejudicial to the integrity and the national security of India.[116]

In particular, the Government had received complaints regarding the misuse of mobile application data, stealing and secretly transmitting users’ data in an unauthorised manner to servers located outside of India.  As a result, on 29 June 2020, the Government decided to disallow the use of 59 applications to safeguard the interests of Indian mobile and internet users.[117]  Similarly, on 2 September 2020[118], and 29 November, 2020,[119] the Indian Government decided to further block 118 and 43 mobile applications respectively for misusing users’ data and engaging in activities which are prejudicial to the sovereignty, integrity and defence of India, as well as the security of the state and public order.  According to the Government, the applications’ practices raised concerns relating to the fact that they were collecting and sharing data in a manner which compromised the personal data of users, posing a severe threat to the security of the State.

On 23 November 2020, the Orissa High Court delivered an important judgment emphasising the need to recognise the right to be forgotten, noting the presence of objectionable images and videos of rape victims on social media platforms.[120]  The court emphasised that the principle of purpose limitation is already embodied in law by virtue of the precedent of the Supreme Court’s judgment in K.S. Puttaswamy v. Union of India, and that capturing images and videos with the consent of the victim cannot justify the subsequent misuse of such content.  The court referred to existing case law and the PDP Bill, which provide for the right to be forgotten.  Accordingly, the court recognised the right to be forgotten as a right in rem and stressed that, in the absence of legislation, victims may nevertheless seek appropriate orders to have offensive posts erased from public platforms to ensure protection of their right to privacy.

E.  Indonesia

On 24 January 2020, a draft of the Personal Data Protection Act (“PDP Bill”) was submitted to the Indonesian House of Representatives.[121]  The PDP Bill consolidates the rules related to personal data protection in Indonesia, and is anticipated to establish data sovereignty and security as the keystone of Indonesia’s data protection regime.[122]

On 1 September 2020, the Ministry of Communication and Information Technology of Indonesia (“Kominfo”) issued a statement claiming that the PDP Bill would be completed by mid-November 2020.[123]  However, it appears that the COVID-19 pandemic has led to delays in the adoption of the Bill.

Finally, on 10 March 2020, Kominfo submitted a new draft regulation on the Management of Privately Managed Electronic System Organiser (“Draft Regulation”) for approval.  The Draft Regulation is intended to serve as an implementing regulation of Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions, which, as noted in the 2020 International Outlook and Review, became effective in October 2019.

F.  Israel

On 29 November 2020, the Israeli Ministry of Justice (“MoJ”) launched a public consultation on the introduction of amendments to the Protection of Privacy Law 5741-1981.[124]  The MoJ also launched, on 23 July 2020, a public consultation on proposed amendments to privacy law database registration requirements which would reduce the scope of the obligation to register a database and amend certain definitions contained in the law.[125]

Moreover, the Privacy Protection Authority (“PPA”) published a number of reports and recommendations on a series of topics, including:

  • privacy protection in the context of epidemiological investigations,
  • security recommendations following security incidents,
  • the protection of privacy in the context of money transfers and app payments,
  • data processing and storage service providers,
  • smart transportation services,
  • digital monitoring tools for COVID-19 contact tracing,
  • GSS assistance in contact tracing,
  • recommendations in the context of the COVID-19 pandemic (e.g., remote learning, privacy for individuals entering workplaces, medical institutions privacy compliance).

Following the CJEU’s decision to annul the EU-U.S. Privacy Shield in Schrems II, the PPA issued, on 29 September 2020, a statement regarding transfers of personal information from Israel to the U.S.  In this statement, the PPA indicated that data transfers from Israel to the U.S. could no longer rely on the EU-U.S. Privacy Shield or the Transfer of Information Regulations, and that alternative exceptions provided for in Section 2 of the Regulations could only be used where applicable.  The PPA had nonetheless clarified that personal data could be transferred from Israel to EU Member States, as well as to countries which will cease to be EU Member States but will continue to apply and enforce the provisions of EU Law on the protection of personal data.[126]

On the enforcement side, in 2020 the PPA identified and investigated a number of violations, including the leak of personal data of 6.5 million Israeli voters.[127]  The PPA also offered security recommendations following the security incident at an insurance company.

G.  Japan

On 5 June 2020, the Parliament of Japan adopted a bill to amend the currently applicable general data protection law, the Act on the Protection of Personal Information (“APPI”).[128]

Under the bill, the rights of the data subjects have been expanded.  For example, if the proposed amendments to the APPI are introduced, data subjects will be entitled to request an organisation to delete their personal information, but only if certain requirements are met.  Consequently, the scope has remained narrower than the right to erasure and the right to object under the GDPR.

Regarding data retention periods, the currently applicable law provides that any data which was to be erased after six months is not considered as “retained personal data”, and therefore is not subject to data subject requests.  The Amendments will abolish this six-month rule, and data subjects will be able to exercise their data-related rights regardless of the retention period.

Under the current applicable law, organisations should “duly make an effort” to report data breaches to the Personal Information Commission (“PIC”).  In contrast, the bill will introduce a mandatory obligation to notify data breaches, obliging organisations to report data breaches to the PIC and to notify the affected data subjects if their rights and interests are infringed.  Although this requirement is similar to the corresponding provisions in the GDPR, the latter sets a strict deadline of 72 hours for notification, while the bill requires “prompt” reporting.

The amended APPI will include the concept of “pseudonymously processed information”, which similarly to the GDPR will mean personal information that cannot be used to identify an individual unless combined with other information.  Pseudonymously processed information will not be subject to some requirements, such as requests for disclosure, utilisation, or correction.  In the event of a data breach concerning pseudonymously processed information, reporting to the PIC will not be mandatory.

One of the main goals of the bill is to address the increasing risks associated with cross-border data transfers.  Under the new provisions, data subjects should be informed about the details of any data transfer to a third party located in a foreign country.  The bill has also increased the criminal penalties, such as the penalty for violating an order of the PIC (100 million yen; approx. €800,000).  However, administrative fines will not be introduced.

The bill is expected to enter into force no later than June 2022.  The new rules will bring the APPI into closer alignment with the EU’s data protection standards and strengthen Japan’s data protection regime.

H. Malaysia

On the legislative side, on 14 February 2020, a public consultation paper was released proposing amendments to the Malaysian Personal Data Protection Act 2010, which currently regulates data protection in Malaysia.[129] If adopted, the amendments would introduce significant changes to Malaysia’s data protection regime, including: the obligatory appointment of a data protection officer, mandatory breach reporting, the introduction of civil litigation against data users, the implementation of technical and organisational measures such as data portability and privacy by design, and the broadening of the Malaysian Personal Data Protection Act’s scope to data processors.  Many of the proposed amendments have been inspired by the GDPR and aim to bring the Malaysian regime closer to EU data protection standards.

On 29 May 2020, the Department of Personal Data Protection (“PDP”) released advisory guidelines on the handling of personal data by businesses under the Conditional Movement Control Order.[130]  The advisory guidelines highlight that only names, contact numbers, and the dates and times of attendance can be collected from customers, and requires a clearly visible notice detailing the purpose of collection.  The PDP also advises that personal data should only be collected for informational purposes and must be permanently deleted six months after the Control Order is terminated.

I.  Singapore

As explained in the 2020 International Outlook and Review, data protection in Singapore is currently governed by the Personal Data Protection Act 2012 (“Singapore PDPA”).

The Personal Data Protection Commission (“PDPC”) conducted a review of the Singapore PDPA and, on 14 May 2020, the PDPC released a joint statement with the Ministry of Communications and Information announcing the launch of an online public consultation on a bill to amend the Singapore PDPA and the Spam Control Act 2007 (“SCA”).[131]

On the basis of this, the proposed amendments to the Singapore PDPA to address Singapore’s evolving digital economy needs, and related amendments to the SCA, were passed in Parliament on 2 November 2020.[132]  The bill introduced several notable amendments, including mandatory data breach notification requirements, enabling meaningful consent where necessary and providing consumers with greater autonomy over their personal data through the incorporation of a data portability obligation.[133] Moreover, the bill strengthened the enforcement powers of the PDPC.[134]

Subsequently, on 20 November 2020, the PDPC issued the draft Advisory Guidelines on Key Provisions of the Personal Data Protection (Amendment) Bill (“Draft Advisory Guidelines”).[135] The Draft Advisory Guidelines provide clarifications on key provisions in the bill, covering, inter alia, the framework for the collection, use, and disclosure of personal data, mandatory breach notification requirements, financial penalties, and offences for mishandling personal data.  The Draft Advisory Guidelines will be finalised and published when the amendments to the Singapore PDPA come into effect, i.e., upon their signing and publication in the Gazette, which is expected in early 2021.

J. South Korea

In January 2020, the National Assembly of the Republic of Korea adopted amendments (“Data 3 Act”) to the Personal Information Protection Act 2011 (“PIPA”)[136] and to other main data protection laws.  The adoption of the Data 3 Act meant the implementation of a more streamlined approach to personal data protection in South Korea.  In addition, it is expected that these legislative changes will facilitate the adequacy assessment under the GDPR and the adoption of an adequacy decision from the European Commission.

The Data 3 Act aims to extend the powers of the Personal Information Protection Commission (“PIPC”), which will be the supervisory authority for any data breaches.  Data protection issues are currently handled by several different agencies, but with the entry into force of the reforms these will now be handled exclusively by the PIPC.  In addition, the PIPC will have the competence to impose fines similar to those provided under the GDPR.

The Data 3 Act introduced to the PIPA the concept of “pseudonymised information” (i.e., personal information processed in a manner that cannot be used to identify an individual unless combined with other information).  Pseudonymised information may be processed without the consent of the data subject for purposes of statistical compilation, scientific research, and record preservation for the public interest.

Finally, it should be noted that the cross-border transfer of the personal data of Korean data subjects has remained restricted as their consent is required prior to transferring their personal data abroad.

K. Thailand

As noted in the 2020 International Outlook and Review, the Personal Data Protection Act 2019 (“Thailand PDPA”), which is the first consolidated data protection law in Thailand, was originally expected to come into full effect on 27 May 2020.  However, in May 2020, the government of Thailand approved a Royal Decree to postpone the application of the Thailand PDPA until 31 May 2021, citing the negative effects of the COVID-19 pandemic as one of the main reasons for doing so.[137]

Subsequently, on 8 June 2020, the Ministry of Digital Economy and Society (“MDES”) issued a statement on the Thailand PDPA’s postponement, noting that government agencies, and private and public institutions, were not ready for the enforcement of the legislation.[138]  This was followed by a notice published by the MDES on 17 July 2020 for data controller requirements and security measures to be implemented during the postponement period of the Thailand PDPA.[139]

Reference must be made to the fact that the Thailand PDPA is largely modelled upon the GDPR, containing many similar provisions, although they differ in areas such as anonymisation.  Moreover, the Thailand PDPA provides for the creation of the Personal Data Protection Committee (“PDPC”), which is yet to be fully established.  As such, the MDES is currently acting as the supervisory authority for any data protection–related issues within Thailand.  Once created, the PDPC is expected to adopt notices and regulations to clarify and guide data controllers and other stakeholders on how to prepare for and remain compliant with the requirements under the Thailand PDPA by 27 May 2021.

L. United Arab Emirates

On 19 November 2020, the Abu Dhabi Global Market (“ADGM”)[140] announced the issuance of a public consultation on proposed new Data Protection Regulations 2020 amending the existing Data Protection Regulations 2015.[141]  The proposed draft aims at aligning the ADGM with certain international standards, especially the GDPR,[142] and introduces, amongst other things, the following elements: definitions, the principles of accountability and transparency, the processing of special categories of data, individual rights, security obligations, and the notification of data breaches.  The proposed data protection framework is aimed to have a broad scope of application, including the processing of personal data in the context of the activities of an establishment in ADGM, regardless of whether the processing takes place in ADGM.  In a similar vein, it will apply to natural persons, whatever their nationality or place of residence, excluding cases where a data controller is only connected to ADGM because it uses a data processor located inside the ADGM.  In the latter case, the Proposed Data Protection Framework would not apply to the data controller.[143]

On 1 July 2020, the Dubai International Financial Centre (the “DIFC”) published the Data Protection Regulations, which entered into effect on the same date with the Data Protection Law No. 5 of 2020.[144]  The Regulations comprise provisions regarding, in particular, the content and format to be followed by personal data processing records, activities requiring data processing notifications to the Data Protection Commissioner, conditions to transfer data outside of the DIFC, and fines.  Moreover, in September 2020, the DIFC became a fully accredited member of the Global Privacy Assembly (“GPA”).[145]

M. Other Developments in Africa

Data protection authorities in Africa have generally been monitoring compliance with data protection requirements, especially in the context of the COVID-19 pandemic.  Moreover, Nigeria and other African nations have developed a framework that aims to harmonise laws on data protection and the digital economy.[146]

Egypt: On 17 July 2020, Resolution No. 151 of 2020 (“Egypt Data Protection Law”) was approved and published in the official gazette, and within three months it came into force.[147]  The Egypt Data Protection Law governs the processing of personal data carried out electronically, in part or in full, and gives data subjects rights in relation to the processing of personal data.  The key elements that the law provides for are the following:

  • consent is the main legal basis for the processing of personal data;
  • conditions and principles for data processing must be respected;
  • the Centre for the Protection of Personal Data is the regulatory body aiming to maintain compliance with the Egypt Data Protection Law; and
  • activities covered include the processing of sensitive personal data, cross-border transfers, electronic direct marketing practices, monetary penalties and criminal sanctions for violations of the Egypt Data Protection Law itself.

Kenya:[148] The Information Technology Industry Council (“ITI”) announced, on 28 April 2020, that it had submitted comments to the Office of the U.S. Trade Representative on the U.S. and Republic of Kenya Trade Agreement negotiations.  These comments include measures that should ensure protection of personal data by taking into account best international practices for privacy and interoperability, strengthen regulatory practices in emerging technologies such as artificial intelligence and machine learning, and promote risk-based cybersecurity and vulnerability disclosure in alignment with international standards.[149]  The formal negotiations were launched in July 2020.[150]

Namibia: Namibia has not yet enacted comprehensive data protection legislation.  On 24 February 2020, the Council of Europe organised, in coordination with Namibia’s Ministry of Information and Communication Technology, a two-day stakeholders’ consultation workshop on a draft data protection bill for Namibia.[151]  A draft of the bill is expected to be published in 2021.

Nigeria: In Nigeria, data privacy is currently protected by a comprehensive data protection regime comprising a variety of laws, regulations, and guidelines.  As underlined in a statement issued on 27 January 2020 by the National Information Technology Development Agency (“NITDA”), the Nigeria Data Protection Regulation concerns the use, collection, storage or transfer of personal data and intends to provide a clear framework for data protection in Nigeria.  However, according to the Nigerian Communications Commission, appropriate legal instruments must be put in place in order to strengthen cybersecurity.[152]

The NITDA issued, on 17 May 2020, its Guidelines for Management of Personal Data by Public Institutions in Nigeria.[153] On 20 August 2020, the NITDA published the Draft Data Protection Bill 2020 for public comments.  The Draft Bill aims primarily to promote a code of practice that ensures the protection of personal data and its lawful, fair and transparent processing in accordance with the principles set out in the Draft Bill, while taking into account the legitimate interests of commercial organisations as well as government security agencies.  In addition, the Draft Bill provides for a Data Protection Commissioner, an impartial, independent and effective regulatory authority.

South Africa:[154] In 2013, the Protection of Personal Information Act (“POPIA”) was signed into law by the President of South Africa and the Information Regulator was established as the supervisory authority.  In June 2020, the President announced that certain essential remaining sections of POPIA would commence to apply on 1 July 2020 and that, following a 12-month transition period, public and private bodies would need to comply from 30 June 2021.

In addition, on 3 April 2020, the South African Regulator published a guidance note on processing personal information during the Coronavirus pandemic encouraging proactive compliance by responsible parties when processing personal information belonging to COVID-19 cases and their contacts.[155]

Togo: On 9 December 2020, the National Assembly announced that it had adopted a draft decree on the organisation and functioning of the body for the protection of personal data, the IPDCP, which will have a power of investigation and enforcement in order to support the government’s policy on personal data protection.[156]

Rwanda: A final draft of the data protection bill was approved and published on 27 October 2020 by the Office of the Prime Minister of the Republic of Rwanda.[157] The Bill includes provisions on data subject rights, general rules for data collection and processing, and procedures for data activities, such as transfers, sharing and retention.[158] Moreover, the Ministry of ICT and Innovation (MINICT) published, on 5 May 2020, COVID-19 guidelines addressing cybersecurity measures.[159]

N.  Other Developments in the Middle East

Whereas data protection was mainly provided for in sectoral regulations, privacy laws are progressively emerging across the region.

Oman: On 12 July 2020, the State Council of the Sultanate of Oman announced that it had held discussions on the draft law on the protection of personal data, which comprises in particular provisions regarding the role of the Ministry of Technology and Communications, the responsibility to protect the rights of personal data owners, and the obligations of controllers and processors, as well as the applicable sanctions.[160]  The State Council also announced on 10 September 2020 that it had discussed a new draft law dealing with cybersecurity.  The Technology and Innovation Committee of the State Council had approved in part the content of the draft law.

Pakistan: Data protection is still governed through sectoral legislation.  However, the Ministry of Information Technology and Telecommunication (“MOITT”) finalised the draft Personal Data Protection Bill 2020, which was presented to the Cabinet of Pakistan for approval.[161]  The bill, which was introduced in April 2020, provides for the general requirements for personal data collection and processing and contains several provisions similar to those found within GDPR, but is silent regarding the right to data portability and does not require data controllers to notify data subjects of data breaches.  In addition, the MOITT adopted, on 18 November 2020, social media rules setting measures and obligations applicable to social media and internet providers in order to prevent unlawful online content and to protect national security.[162]

O.  Other Developments in Southeast Asia

Throughout 2020, developments related to the data protection and cybersecurity landscape occurred in certain other jurisdictions in the south-eastern subregion of Asia, including the following:

Cambodia: While the country does not have a general personal data protection law or a data protection authority, there have been recent legislative developments addressing relevant areas.  In particular, a draft cybercrime law is currently being prepared that would regulate Cambodia’s cyberspace and security, aiming to prevent and combat cyber-related crimes.

Philippines: On 9 March 2020, the APEC Cross-Border Privacy Rules (“CBPR”) system Joint Oversight Panel approved the Philippines’ application to join the APEC CBPR system.  As such, the Philippines becomes the ninth APEC economy to join the CBPR system.

The institutions in the Philippines have been particularly active in formulating data protection measures and statements to address issues relating to the collection and processing of data in the wake of the COVID-19 pandemic.  On 1 June 2020, the Philippines created a task force in order to drive practical responses to privacy issues emerging from the pandemic.

Vietnam: The data protection framework in Vietnam is fragmented, and relevant provisions can be found in numerous laws.  In 2020, the government of Vietnam issued Decree No. 15/2020/ND-CP, providing for regulations on penalties for administrative offences in the sectors of post, telecommunication, radio frequency, information technology, and electronic transactions, which is in effect as of 15 April 2020.  In February 2020, however, a draft personal data protection decree was released, which has already undergone public consultation.  The draft decree sets out principles of data protection, including purpose limitation, data security, data subject rights, and the regulation of cross-border data transfers.  Moreover, the draft decree contains provisions on obtaining consent of data subjects, the technical measures needed to protect personal data, and the creation of a data protection authority.

IV. Developments in Latin America and in the Caribbean Area

A.  Brazil

The biggest data protection development in Brazil in 2020 was the entry into force of Law No. 13.709 of 14 August 2018, the General Personal Data Protection Law[163] (as amended by Law No. 13.853[164] of 8 July 2019) (“LGPD”) on 18 September 2020.  The specific enforcement provisions of the LGPD are expected to enter into force on 1 August 2021, further to an additional law passed in June 2020.

Compared to the EU’s GDPR, the LGPD shows both differences and similarities.  The definitions of “personal data” are very similar in both instruments, both having the goal of assuring a high level of protection for any “information related to an identified or identifiable natural person”.  Thus, anonymised data falls expressly out of scope in the two jurisdictions, with one caveat on the Brazilian side: if anonymised data is used to create or enhance the behavioural profiling of a natural person, it may also be deemed personal data, provided that the impacted person can be identified in the process.

Both legislations apply to the processing of personal data carried out by both public and private entities, online and offline.  As for the territorial scope, the rules apply to organisations that are physically present in the EU and Brazil as well as to organisations that, although not located in those states/regions, may offer goods or services there.  When it comes to the handling of sensitive data, the LGPD sets forth a narrower list of legal grounds that can be elected to legitimise the processing of such data, such as the necessity to comply with a legal obligation, to protect the life and physical safety of the subject or a third party, for the exercise of rights in contractual or judicial proceedings and for the prevention of fraud.

The LGPD offers ten legal grounds for processing of personal data, which are comparable to the ones provided in the GDPR.  In addition, the LGPD offers four additional grounds that may authorise the processing of personal data, namely for the conduct of studies by research bodies, for the exercise of rights in judicial, administrative, and arbitral proceedings, for the protection of health in procedures conducted by health professionals and health entities, and for the protection of credit.

Both the LGPD and the GDPR expressly provide for a set of rights granted to data subjects with respect to their personal data.  Both norms recognise individuals’ right of access to their personal data, right to be informed of processing activities based on their personal data, and rights of rectification and erasure.  Although the rights prescribed in both pieces of legislation are fairly similar, it could be argued that the major element that sets the two norms apart is the timeframe for responding to data subject requests.  While on the European side organisations must generally respond to requests within one month of the receipt of a request, the LGPD is limited to a 15-day period for complying with access requests, while requests for the exercise of other rights should be responded to immediately.

The role of data protection officers (“DPOs”) is fairly similar under both legislations.  DPOs are legally tasked with acting as a point of contact between the organisation they represent, the supervisory authorities, and data subjects, as well as advising and orienting the organisation they represent with regard to its data protection obligations.  There are, however, two major differences between the Brazilian and the EU rules concerning the position of DPOs.  The first one is that the GDPR expressly specifies instances where an organisation is required to appoint a DPO, while the LGPD makes no such limitation, thus obliging virtually every organisation subject to its scope to appoint one.  The second difference is that, while the GDPR establishes the need for DPOs to be independent within the organisational structure of their organisations and also to be provided with monetary and human resources to fulfil their tasks, the LGPD does not provide such express guidance.

A significant difference between the two instruments is their enforcement.  The legal structure of the Brazilian supervisory authority lacks some traits of independence and autonomy when compared to the structure provided for under the GDPR.  However, the LGPD has introduced a number of sanctions that can be imposed by the ANPD, such as public disclosure of a violation, erasure of personal data relating to a violation, and even a temporary suspension of data processing activities.  The entry into force of the provisions of the LGPD governing administrative sanctions has been deferred to 1 August 2021.

On 23 September 2020, Bill 4695/2020,[165] seeking to protect the personal information of students when using distance learning platforms, was introduced.  The bill would require distance learning platforms to follow data processing requirements provided by the LGPD and to, whenever possible, use the technology without collecting and sharing personal and sensitive data, revealing racial origin, religious or political beliefs, or genetics of the users.  Furthermore, the bill requires that processing of personal data can only take place when prior and express consent has been obtained.

Finally, on 18 December 2020, the National Telecommunications Agency (“Anatel”) approved the Cybersecurity Regulation[166] applied to the telecommunications sector.  The regulation is intended to promote cybersecurity in telecommunications networks and services and support ongoing supervision of the market, infrastructures, and the adoption of proportional corrective measures.  Moreover, the regulation imposes an obligation on telecommunication providers to develop, maintain and implement a detailed cybersecurity policy, which must include, inter alia, national and international norms, best practices, risk mapping, incident response time and sharing and sending information to Anatel.  The regulation came into force on 4 January 2021.

B. Other Developments in South America

1.  Argentina

On 28 January 2020, the Argentinian data protection authority (“AAIP”) issued a resolution[167] against a telecommunication company for violations of Law No. 26.951 (“DNC Law”).[168]  In particular, the AAIP issued a fine of ARS 3,000,000 (approx. €45,000) for 248 charges relating to violations of Article 7 of the DNC Law, which provides that those who advertise, offer, sell or give away goods or services by means of telephone communications may not address any individual who is registered in the “Do Not Call” registry.

On 6 June 2020, the AAIP imposed a fine[169] of ARS 280,000 (approx. €3,770) against a tech company for violations of the Personal Data Protection Act No. 25.326 of 2000.  In particular, the AAIP found that the company did not allow a user to access their personal data in their email account and related applications after changes to their passwords were made by an unauthorised third party.

2.  Chile

On 1 June 2020, the Chilean Transparency Council (“CPLT”) announced that an audit of 12,000 purchase orders made by 86 organisations in the health sector had revealed some disclosures of sensitive personal data of patients without their express consent.[170]  Moreover, the CPLT highlighted that in some cases the data had even been made public through online platforms.  To remedy that, the CPLT has offered technical support to the Chilean Ministry of Health.[171]

3.  Colombia

On 26 November 2020, the Colombian data protection authority (“SIC”) announced that it had issued an order[172] requiring a videoconference service provider (with no physical presence in Colombia) to implement new measures guaranteeing the security of personal data of its users in Colombia.  SIC emphasised that the measures should be effective and meet the standards of data security required under the Colombian Data Protection Law, and required the company to provide a certificate issued by an independent data security expert.  SIC’s order raises a significant jurisdictional question, since the Colombian Data Protection Law does not apply to processing that occurs outside of Colombia (and there was no allegation that any processing in violation of the Law occurred in Colombia).[172a]

Through 2020, SIC also imposed a number of fines on various companies for non-compliance with data protection rules.  Some of the biggest and most notorious fines were imposed on a health company[173] and on financial institutions.[174]

4.  Mexico

Since the beginning of the COVID-19 pandemic, the Mexican data protection authority, the National Institute of Transparency, Access to Information and Data Protection (“INAI”), has carried out a series of actions to provide information to the general public on how to protect their personal data and guidelines for data controllers on how to process personal and sensitive personal data.

Among these actions, it became imperative to call on health-related data controllers, public and private hospitals, to comply with their legal obligations under the Mexican data protection laws when processing personal data of patients diagnosed with COVID-19.  This was especially the case because Mexican data protection laws consider health-related data to be sensitive and thus require stronger security measures.

One of the first actions by the Mexican data protection authority was the launch, on 29 March 2020, of a COVID-19 microsite[175] dedicated specifically to providing useful information and guidelines to protect personal data and provide transparency during the pandemic.  This microsite has been a useful tool for both data subjects and data controllers to handle personal data processed as a result of the COVID-19 pandemic.

On 2 April 2020, the INAI released a statement calling for the adoption of extreme precautions with regard to personal data of COVID-19 patients.[176]  Medical personnel handling such data must use strict administrative, physical and technical safeguards to avoid any loss, destruction or improper use.  The INAI also recommended that only the minimum necessary personal data be collected, and only for purposes of preventing and containing the spread of the virus.  This communication also speaks of the responsibility that all data processors bear when handling personal data.

As the pandemic grew, on 13 July 2020, the INAI expressed its concerns about the deficiencies of the health sector in the processing of personal data of COVID-19 patients.  Francisco Javier Acuña Llamas, the then President Commissioner of INAI, noted that databases that contain data on COVID-19 patients must be kept for a specific period of time and not indefinitely.  He established that all transfers of sensitive personal data should be subject to the specific requirements of the Mexican data protection laws.  He also recognised that the Global Privacy Assembly, to be held in Mexico in 2021, should have at its core a discussion of the impact of the pandemic.[177]

The pandemic brought a series of events that had not been taken into consideration on a regular basis; because of the pandemic, many companies allowed their employees to work from home.  Because of this development, on 8 April 2020, the INAI issued recommendations for the protection of personal data in a home office environment.  These guidelines highlighted the need to implement security measures that included only using computer equipment provided by the employer, not using public connections, using only official communication sites to share information, and using passwords on all equipment used at home for work-related activities.[178]

In Mexico this brought legislative changes to the Federal Labor Law,[179] which now establishes how work from home is to be regulated.  These modifications to the law establish both employers’ and employees’ obligations when working from home.  This goes to show how, due to the COVID-19 pandemic, a new normality is underway and will be here to stay.

This pandemic is far from over and it poses a challenge not only to the processing of sensitive personal data, but also to the implementation of health check points in every public space or while working from home.  It has changed the way organisations protect their information from any loss or improper access, putting cybersecurity at the forefront for any organisation.  It has changed the way organisations interact with clients and how products or services are purchased, turning ever more towards online commerce.  This will bring challenges not only regarding companies’ operations, but also regarding how companies collect and process data subjects’ information.

5.  Uruguay

On 21 February 2020, the Council of Ministers adopted Decree No. 64/020 on the Regulation of Articles 37-40 of Law No. 19.670 of 15 October 2018 and Article 12 of Law No. 18.331 of 8 November 2008.[180]

The Decree regulates new personal data protection obligations with major changes, including requiring all database owners and data controllers to report security incidents involving personal data to the Uruguayan data protection authority within a maximum of 72 hours.  Reports must contain relevant information relating to the security incident, including the actual or estimated date of the breach, the nature of the personal data affected and possible impacts of the breach.

The Decree establishes the obligation to assess the impact of a breach when data processing involves specially protected data, large volumes of personal data (i.e., data of over 35,000 persons) and international data transfers to countries not offering an adequate level of protection.  The Decree obliges public entities, and private entities that focus on the processing of sensitive personal data or of large volumes of data, to appoint a data protection officer.


[10]  See, e.g., https://www.enisa.europa.eu/news/executive-news/top-tips-for-cybersecurity-when-working-remotely.  On 15 March 2020, the Director of the ENISA shared some views on teleworking conditions during COVID-19.  The Director recommended that individuals work with a secure Wi-Fi connection and have up-to-date security software, regularly update their anti-virus systems and make periodic backups.  Employers should also provide regular feedback to their employees on the procedures to follow in case of problems.

[51]  The adequacy decisions adopted by the European Commission currently cover Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Isle of Man, Israel, Japan (private-sector organisations only), Jersey, New Zealand, Switzerland and Uruguay.

[53]  See Schedule 21 of the Data Protection Act 2018, as enacted by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

[59] The statistics are available (in Russian) at https://rkn.gov.ru/news/rsoc/news71528.htm.

[60] Press release (in Russian) available at https://rkn.gov.ru/news/rsoc/news71612.htm.  For more information in English see https://www.reuters.com/article/us-russia-protonmail-idUSKBN1ZS1K8.

[61] Press release (in Russian) available at https://rkn.gov.ru/news/rsoc/news72026.htm.

[62] Press release (in Russian) available at https://rkn.gov.ru/news/rsoc/news73050.htm.  For more information (in English) see https://www.ft.com/content/b1e76905-29f2-4ac0-99e0-7af07cef280d.  For more information see the 2020 Privacy and Cybersecurity International Review and Outlook.

[70] The Russian laws define the notion of illegal content broadly.  Inter alia, illegal content is materials containing public calls for terrorist activities or publicly justifying terrorism, other extremist materials, as well as materials promoting pornography, the cult of violence and cruelty, and materials containing obscene language.

[72] See Revised FADP, Article 3.

[73] See Revised FADP, Article 5(a).

[74] See Revised FADP, Article 5(c).

[75] See Revised FADP, Article 5(f).

[76] See Revised FADP, Article 5(j) and (k).

[77] See Revised FADP, Article 7.

[78] See Revised FADP, Article 9(3).

[79] See Revised FADP, Article 12.

[80] See Revised FADP, Article 14.

[81] See Revised FADP, Article 19.

[82] See Revised FADP, Article 21.

[83] See Revised FADP, Article 22.

[84] See Revised FADP, Article 24.

[85] See Revised FADP, Article 28.

[86] See Revised FADP, Articles 60-63.

[88] Judgment of the Court of 16 July 2020 in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, available at http://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=en&mode=lst&dir=&occ=rst&part=1&cid=9791227.

[93] Full decision (in Turkish) available at https://kvkk.gov.tr/Icerik/6776/2020-481.

[97] Full text of the Decision (in Turkish) available at https://kvkk.gov.tr/Icerik/6733/2020-103.

[98] Full text of the Decision (in Turkish) available at https://kvkk.gov.tr/Icerik/6790/2020-559.

[99] Full text of the Decision (in Turkish) available at https://www.kvkk.gov.tr/Icerik/6763/2020-286.

[100] Full text of the Decision (in Turkish) available at https://www.kvkk.gov.tr/Icerik/6739/2020-173.

[102] See Article 62 of the Draft PIPL.

[103] See Article 42 of the Draft PIPL.

[105] See Article 29 of the Draft PIPL.

[107] For the draft data protection legislation presented to the Ministry of Electronics and Information Technology on 27 July 2018 by the committee of experts led by Justice Srikrishna, see https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf.

[108] Report on Non-Personal Data Governance Framework available at https://static.mygov.in/rest/s3fs-public/mygov_159453381955063671.pdf

[109] See “Data Empowerment and Protection Architecture: A Secure Consent-Based Data Sharing Framework to Accelerate Financial Inclusion – Draft for Discussion” (August 2020), available at https://niti.gov.in/sites/default/files/2020-09/DEPA-Book_0.pdf.

[110] See the National Health Data Management Policy, available at https://ndhm.gov.in/assets/uploads/NDHM%20Health%20Data%20anagement%20Policy.pdf.

[111] See DSCI, “Work from Home – Best Practices” (18 March 2020), available at https://www.dsci.in/sites/default/files/DSCI-WorkfromHomeAdvisory-1.pdf.

[112] See DSCI, “COVID-19: Data Privacy Outlook” (24 April 2020), available at https://www.dsci.in/sites/default/files/DSCI_COVID19_Data_Privacy_Outlook.pdf.

[113] See also DSCI, “Business Resiliency and Security During COVID-19” (24 May 2020), available at https://www.dsci.in/sites/default/files/Business-Resiliency-and-Security.pdf.

[114] See DSCI, “Report on Data Transfers” (8 September 2020), available at https://www.dsci.in/sites/default/files/documents/resource_centre/DSCI-CIPL-Accountable-Data-Transfer-Report.pdf.

[116] See “India bans 43 more mobile apps as it takes on China” Reuters (25 November 2020), available at https://uk.reuters.com/article/uk-india-china-apps/india-bans-43-more-mobile-apps-as-it-takes-on-china-idUKKBN2841QI.

[117] The press release and a list of the apps that were blocked are available at https://pib.gov.in/PressReleasePage.aspx?PRID=1635206#.XvoIE9L3Qpw.whatsapp.

[118] The press release and a list of the apps that were blocked are available at https://pib.gov.in/PressReleasePage.aspx?PRID=1650669.

[119] The press release and a list of the apps that were blocked are available at https://www.pib.gov.in/PressReleasePage.aspx?PRID=1675335.

[120] Case BLAPL/4592/2020 Subhranshu Rout @ Gugul v State of Odisha available at https://www.medianama.com/wp-content/uploads/display_pdf.pdf.

[126] See “Opinion regarding cross-border transfers of personal data, from Israeli based organisations to organisations based in countries complying with the data protection legislation of the EU” (1 July 2020), available at https://www.gov.il/en/Departments/publications/reports/personaldata_the_european_union.

[127] See “Personal data of all 6.5 million Israeli voters is exposed” (10 February 2020), available at https://www.nytimes.com/2020/02/10/world/middleeast/israeli-voters-leak.html.  Press release, “Data Breach at Shirbit” (1 December 2020), available at https://www.gov.il/en/departments/news/news_shirbit.

[129] Department of Personal Data Protection, “Public Consultation Paper No. 10/2020 – Review of Personal Data Protection Act 2010 (Act 709)” (14 February 2020), available at https://www.pdp.gov.my/jpdpv2/assets/2020/02/Public-Consultation-Paper-on-Review-of-Act-709_V4.pdf.  See also a press release of 26 August 2020, where the Malaysian government announces the continued discussions on amending the Personal Data Protection Act 2010 (in Malay), available at https://www.kkmm.gov.my/awam/berita-terkini/17616-bernama-26-ogos-2020-kerajaan-masih-bincang-keperluan-pinda-akta-perlindungan-data-peribadi.

[130] Advisory guidelines (in Malay) available at https://www.kkmm.gov.my/images/AdHoc/200529-ADVISORY.pdf.

[131] See “MCI and PDPC launch online public consultation on Personal Data Protection (Amendment) Bill 2020”, Press Release (14 May 2020), available at https://www.mci.gov.sg/pressroom/news-and-stories/pressroom/2020/5/MCI-and-PDPC-launch-online-public-consultation-on–Personal-Data%20Protection-Amendment-Bill-2020; “Public Consultation on the Draft Personal Data Protection (Amendment) Bill” (28 May 2020), available at https://www.mci.gov.sg/public-consultations/public-consultation-items/public-consultation-on-the-draft-personal-data-protection-amendment-bill.

[132] See Bill No. 37/2020 Personal Data Protection (Amendment) Bill, available at https://www.parliament.gov.sg/docs/default-source/default-document-library/personal-data-protection-(amendment)-bill-37-2020.pdf; Ministry of Communications and Information, “Amendments to the Personal Data Protection Act and Spam Control Act Passed”, Press Release (2 November 2020), available at https://www.mci.gov.sg/pressroom/news-and-stories/pressroom/2020/11/amendments-to-the-personal-data-protection-act-and-spam-control-act-passed.

[133] See “Opening Speech by Mr S Iswaran, Minister for Communications and Information, at the Second Reading of the Personal Data Protection (Amendment) Bill 2020 on 2 November 2020” (2 November 2020), available at https://www.mci.gov.sg/pressroom/news-and-stories/pressroom/2020/11/opening-speech-by-minister-iswaran-at-the-second-reading-of-pdp-(amendment)-bill-2020.

[134] See “Amendments to the Personal Data Protection Act and Spam Control Act Passed”, Press Release (2 November 2020), available at https://www.mci.gov.sg/pressroom/news-and-stories/pressroom/2020/11/amendments-to-the-personal-data-protection-act-and-spam-control-act-passed.

[135] See PDPC, “Draft Advisory Guidelines on Key Provisions of the Personal Data Protection (Amendment) Bill” (20 November 2020), available at https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/Draft-AG-on-Key-Provisions/Draft-Advisory-Guidelines-on-Key-Provisions-of-the-PDP-(Amendment)-Bill-(20-Nov-2020).pdf?la=en.

[140] The ADGM is a financial free zone within the UAE.

[141] See “Abu Dhabi Global Market Launches Public Consultation on New Data Protection Regulatory Framework” by Natasha G. Kohne, Jenny Arlington, Sahar Abas & Mazen Baddar, GDPR, International Privacy (7 December 2020), available at https://www.akingump.com/en/experience/practices/cybersecurity-privacy-and-data-protection/ag-data-dive/abu-dhabi-global-market-launches-public-consultation-on-new-data-protection-regulatory-framework.html.

[142] See “ADGM commences Public Consultation on proposed new Data Protection Regulations” (19 November 2020), available at https://www.adgm.com/media/announcements/adgm-commences-public-consultation-on-proposed-new-data-protection-regulations.

[143] This explanation is taken from Data Guidance – ADGM.

[144] See Data Protection Regulations, available at https://www.difc.ae/files/9315/9358/7756/Data_Protection_Regulations_2020.pdf and Data Protection Law No. 5 of 2020, available at https://www.difc.ae/files/6215/9056/5113/Data_Protection_Law_DIFC_Law_No._5_of_2020.pdf.

[145] For the full list of accredited GPA members, see https://globalprivacyassembly.org/participation-in-the-assembly/list-of-accredited-members/.

[146] See “Africa to harmonise laws for data protection, digital economy” by Gloria Nwafor, Guardian (8 October 2020), https://guardian.ng/appointments/africa-to-harmonise-laws-for-data-protection-digital-economy/?_sm_au_=iVV7MH8JqKDPF0RFFcVTvKQkcK8MG.

[147] See “Sisi endorses law on personal data protection”, Egypt Today (18 July 2020), available at https://www.egypttoday.com/Article/1/89794/Sisi-endorses-law-on-personal-data-protection.

[148] Kenya’s high court ruled that the country’s new digital ID scheme could continue with some conditions and stronger regulations.  The court banned the collection of DNA and geolocation data.  See “Court orders safeguards for Kenyan digital IDs, bans DNA collecting”, by Humphrey Malalo and Omar Mohammed (31 January 2020), available at https://www.reuters.com/article/us-kenya-rights/court-orders-safeguards-for-kenyan-digital-ids-bans-dna-collecting-idUSKBN1ZU23D

[149] See “ITI Comments on the U.S.-Kenya Trade Agreement Negotiation” (27 April 2020), https://www.itic.org/policy/ITIUS-KenyaFTAComments_27APR2020_FINAL.pdf and “ITI: U.S.-Kenya Trade Agreement Can Set New Global Benchmark for Digital Trade” (28 April 2020), available at https://www.itic.org/news-events/news-releases/iti-u-s-kenya-trade-agreement-can-set-new-global-benchmark-for-digital-trade.

[150] See “Joint Statement Between the United States and Kenya on the Launch of Negotiations Towards a Free Trade Agreement” (7 August 2020), available at https://ustr.gov/node/10204.

[152] See “Pantami Reiterates FG’s Commitment to Strengthening Cybersecurity” (14 April 2020), available at https://www.ncc.gov.ng/media-centre/news-headlines/783-pantami-reiterates-fg-s-commitment-to-strengthening-cybersecurity.

[154] See “Annual Report for the 2019/2020 Financial Year”, available at https://www.justice.gov.za/inforeg/docs/anr/ANR-2019-2020-InformantionRegulatorSA.pdf and “South Africa must implement privacy laws to protect citizens, says UN expert” (12 March 2020), available at https://mg.co.za/article/2020-03-12-south-africa-must-implement-privacy-laws-to-protect-citizens-says-un-expert/.  Moreover, two significant incidents were reported: Experian South Africa announced a data incident affecting 24 million South Africans and 793,749 businesses, see “Experian South Africa curtails data incident” (19 August 2020), available at https://www.experian.co.za/content/dam/marketing/emea/soafrica/za/assets/experian-south-africa-statement-19082020.pdf.  Nedbank announced a data incident concerning 1.7 million clients, see “Nedbank warns clients of potential impact of data incident at Computer Facilities (Pty) Ltd”, https://www.nedbank.co.za/content/nedbank/desktop/gt/en/info/campaigns/nedbank-warns-clients.html.

[155] See “Guidance Note on the Processing of Personal Information in the Management and Containment of COVID-19 Pandemic in terms of the Protection of Personal Information Act 4 of 2013 (POPIA),” available at https://www.justice.gov.za/inforeg/docs/InfoRegSA-GuidanceNote-PPI-Covid19-20200403.pdf and Press Release (3 April 2020), available at https://www.justice.gov.za/inforeg/docs/ms-20200403-GuidanceNote-PPI-Covid19.pdf.

[156]      See “Conseil des ministres: un projet de décret sur la protection des données à caractère personnel adopté” (9 December 2020), available athttps://presidence.gouv.tg/2020/12/09/conseil-des-ministres-un-projet-de-decret-sur-la-protection-des-donnees-a-caractere-personnel-adopte/.

[159]      See Cybersecurity Regulation n˚ 010/r/cr-csi/rura/020 of 29/05/2020, available athttps://rura.rw/fileadmin/Documents/ICT/Laws/Cybersecurity_Regulation_in_Rwanda.pdf.

[160]      See “Oman: Latest developments in data protection and cybersecurity,” Alice Gravenor, PWC-Middle East (19 November 2020), available athttps://www.pwc.com/m1/en/media-centre/articles/oman-latest-developments-data-protection-cybersecurity.html.

[161]      See Draft Personal Data Protection Bill (9 April 2020), available athttps://moitt.gov.pk/SiteImage/Misc/files/Personal%20Data%20Protection%20Bill%202020%20Updated(1).pdf.

[162]      See social media rules adopted (6 October 2020), available athttps://moitt.gov.pk/SiteImage/Misc/files/Corrected%20Version%20of%20Rules.pdf.

[173] The imposed fine was of COP 894,365,280 (approx. €214,524), after confirming the violation of the personal data of a data subject whose data was being processed by EPS.  Full Resolution available at https://www.sic.gov.co/sites/default/files/files/Normativa/Resoluciones/1%20Apelacio%CC%81n%2018-179365%20%20EPS%20SANITAS%20VP%20F%20(1)%20(1).pdf.

[174] For the first bank, the imposed fine was of COP 702,000,000 (approx. €171,400) for including information that was not of a financial or credit nature in the credit history of 288,753 Colombians.  Full Resolution available athttps://www.sic.gov.co/sites/default/files/files/Normativa/Resoluciones/SANCIO%CC%81N%20CIFIN.pdf; for the second bank, the imposed fine was of COP 269,046,492 (approx. €60,030) for violating a data subject’s right to deletion.  Full Resolution of SIC available athttps://www.sic.gov.co/sites/default/files/files/Normativa/Resoluciones/19-141889%20VP.pdf; for the third bank, the imposed fine was of COP 356,070,000 (approx. €80,910) for violations of Law 1581 of 2012 and Decree 4886 of 2011.  Full decision of SIC available athttps://www.sic.gov.co/sites/default/files/files/Noticias/2019/RE10720-2020(1).pdf.

[179] Mexico’s Official Gazzete publication of January 11, 2021 that modifies section XII Bis of the Federal Labor Law available  athttp://dof.gob.mx/nota_detalle.php?codigo=5609683&fecha=11/01/2021.

[180] Decree (in Spanish) available athttps://www.impo.com.uy/bases/decretos/64-2020


The following Gibson Dunn lawyers assisted in the preparation of this article: Ahmed Baladi, Alexander Southwell, Alejandro Guerrero, Vera Lukic and Clémence Pugnet.

© 2021 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

On January 19, 2021, the 10th Amendment of the German Competition Act (“ACR”) entered into force, also known as “GWB Digitalization Act” (the “Amendment”).

With the passing of the Amendment[1], Germany is setting the pace for an ambitious goal: the regulation of digital platforms. As noted during the parliamentary discussion[2], the new provisions are specifically designed to provide the German Federal Cartel Office (Bundeskartellamt) with an efficient instrument against alleged “Wild West methods” in the digital sector to keep digital markets open. The Amendment also introduces a number of other changes to the German Competition Act concerning, inter alia, antitrust investigations procedure, leniency and cartel damage claims.

In the legislative process, the German Parliament has also implemented some last-minute changes to the merger control provisions: the two domestic turnover thresholds were increased from EUR 25 million to EUR 50 million, and from EUR 5 million to EUR 17.5 million. This major policy shift will result in a significant decrease of notifiable transactions, thereby freeing up capacities within the Bundeskartellamt for scrutiny of the digital space. However, as highlighted in our 2020 Year-End German Law Update, the “GWB Digitalization Act” provides the Bundeskartellamt with the authority to require companies, which are deemed to reduce competition through a series of small acquisitions in specific markets in which the Bundeskartellamt has conducted sector inquiries, to notify every transaction provided that certain thresholds are met.

A brief overview of the most important provisions with regard to the regulation of digital platforms and related procedural changes is provided below.

NEW PROVISIONS AIMED AT DIGITAL PLATFORMS

Similar to the competition law regime(s) within the European Union, the German Competition Act features rules on the abuse of market dominance. However, unlike many other EU jurisdictions, Germany has always had a stricter regime, in that provisions on market abuse also apply to companies that are not dominant but possess so-called ‘relative market power’. Now, the Amendment introduces an additional category of market power, which is clearly aimed at digital platforms. The most important changes include the following:

  • “Digitalization” of the abuse of dominance rules. The amended ACR provides that in assessing market dominance, particular account shall be taken of a company’s access to data relevant for competition. Further, the role of a company acting as an ‘intermediary on multi-sided markets’ (i.e. digital platforms) shall be considered when assessing market dominance, in particular with regard to the role the intermediary plays for access to procurement and sales markets. Additionally, the Amendment explicitly stipulates that an abuse of dominance shall occur if a company is considered dominant and (i) refuses to grant other companies access to data, to networks or other infrastructure facilities in return for an appropriate consideration, (ii) such access is objectively necessary in order to operate on an upstream or downstream market, and (iii) the refusal threatens to eliminate effective competition on that market.
  • Giving up the ‘SME’ requirement for determining ‘relative market power’. In light of the structural changes digital services and platforms have created in the economy, the German legislator decided to drop the requirement that small or medium-sized enterprises have to be dependent on another company, in order for the latter to be deemed to have ‘relative market power’. Under the amended ACR, irrespective of size, a company is considered to have ‘relative market power’, if another company is dependent on it in such a way that sufficient and reasonable possibilities of switching to other third companies do not exist and provided that there is a clear imbalance to the countervailing powers of the other company. Again, the provision also explicitly mentions ‘intermediaries on multi-sided markets’ (i.e. digital platforms) and extends the definition of ‘relative market power’ to such intermediaries, provided that other companies are dependent on them for access to procurement and sales markets in such a way that there are no sufficient and reasonable alternatives to those intermediaries.
  • ‘Access to data’ as a crucial criterion. Pursuant to the Amendment, the dependency on another company, and thus its ‘relative market power’, might also arise from the fact that a company is dependent for its own activities on access to data controlled by another company. The refusal to provide access to such data in exchange for an adequate fee may also constitute an abuse. This provision might affect not only digital platforms, but also industry players which have collected significant amounts of data through intelligent products and networked devices.
  • Introduction of a new type of market power. The Amendment introduces a completely new category of market power, namely companies with ‘paramount significance for competition across markets’. The rationale behind the new category can be summarized as follows: While large digital players may not have significant market shares in all affected markets, they may nevertheless have significant influence on these markets due to their key position for competition and their conglomerate structures (also referred to as gatekeepers).

If the Bundeskartellamt issues an order declaring that it considers a company to have paramount significance for competition across markets, the authority can prohibit the company from, inter alia, (i) preferential treatment of own services, (ii) the impediment of competition on markets where the company is not dominant, (iii) the creation of entry barriers by the use of data collected on a dominated market, or (iv) the restriction of the interoperability of products, services or data. The Bundeskartellamt shall also have the power to prohibit measures, which impede other companies conducting their business activities on procurement or sales markets (e.g. through pre-installation or integration of the dominant company’s offers) and to prohibit the demanding of benefits for the treatment of offers from another company, which are disproportionate to the reason for the demand (e.g. if the dominant company requires the transfer of data or rights for the presentation of the offers, which are not strictly necessary for this purpose).

PROCEDURAL CHANGES

Some stakeholders have complained that, so far, the Bundeskartellamt has not been able to react swiftly enough to the fast-paced developments in the digital realm[3]. To address this perceived lack of ‘clout’, as the German Federal Minister for Economic Affairs and Energy, Peter Altmaier, has put it, the Amendment introduces new provisions with regard to interim measures. The Bundeskartellamt will have the power to step in already on the basis that it finds an infringement of antitrust rules ‘predominantly likely’ and it deems the interim measure necessary for the protection of competition or because of an imminent threat of serious harm to another company. For appeals against such interim measures and all measures taken by the Bundeskartellamt in connection with the new category of ‘super dominant’ market players, the Amendment introduces a fast-track to the Federal Court of Justice, Germany’s highest civil court. All disputes in connection with these measures, including all independently contestable procedural acts, are decided in the first and last instance by the Federal Court of Justice. By establishing the Federal Court of Justice as the first and final authority to decide on these measures, the German legislator makes clear that it is well aware of the sweeping scope of the Bundeskartellamt’s new powers and the potential harm they may cause. However, for companies seeking judicial relief under the new rules, one layer of judicial review has been stripped away. This could raise some constitutional concerns.

OUTLOOK

It is hard to predict how these new provisions will play out in practice. Nonetheless, Germany has certainly rung in the first round. Regulators around the globe are increasingly trying to curb digital platforms’ powers and to tackle the competitive challenges resulting from the mass collection of data, which is perceived as the new gold of the 21st century. In light of the recent publication of the draft regulation on an EU Digital Markets Act by the European Commission, it remains to be seen how the German provisions will fit into the proposed European framework. However, the EU Digital Markets Act is not expected to come into force before 2022. Thus, the “GWB Digitalization Act” might prove to be a welcome opportunity for all stakeholders to put these new legal concepts to the test.

_____________________

   [1]   Please also refer to our previous alerts in this respect: “Competition 4.0 in Germany: Proposed Changes to German Antitrust Rules Targeting Digital Platforms”, November 8, 2019 (available at: https://www.gibsondunn.com/competition-4-0-in-germany-proposed-changes-to-german-antitrust-rules-targeting-digital-platforms/) and Section 9.3 in the 2020 Year-End German Law Update, January 14, 2021 (available at: https://www.gibsondunn.com/2020-year-end-german-law-update/#_Toc61506166).

   [2]   https://www.cducsu.de/themen/wirtschaft-und-energie-haushalt-und-finanzen/dr-matthias-heider-wollen-einen-moderaten-aber-effektiven-regulierungsansatz-ueber-das-kartellrecht-waehlen.

   [3]   See for example, the results of an expert working group regarding the topic “Industry 4.0 – Antitrust Considerations”, which was established by the Federal Ministry for Economic Affairs and Energy in 2018 (available in German at: https://www.plattform-i40.de/PI40/Redaktion/DE/Downloads/Publikation/hm-2018-kartellrecht-ag4.pdf?__blob=publicationFile&v=6).


Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these developments. For additional information, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Antitrust and Competition Practice Group, or the following authors:

Kai Gesing – Munich (+49 89 189 33 180, kgesing@gibsondunn.com)
Michael Walther – Munich (+49 89 189 33 180, mwalther@gibsondunn.com)
Jens-Olrik Murach – Brussels (+32 2 554 7240, jmurach@gibsondunn.com)
Georg Weidenbach – Frankfurt (+49 69 247 411 550, gweidenbach@gibsondunn.com)
David Wood – Brussels (+32 2 554 7210, dwood@gibsondunn.com)
Selina Grün – Munich (+49 89 189 33-180, sgruen@gibsondunn.com)

In 2020, the COVID-19 pandemic taught the world another lesson about the unpredictability of life. Each country responded to the challenges posed by the pandemic in its own way. The German Government in its familiar technocratic and sober approach quickly unlocked massive financial resources to mitigate any immediate economic damage. It supported a further relaxation of the purse strings at EU level and put legislative acts in place that helped manage the uncertainty in the most affected industries for now. Hit by a second wave of the pandemic in an unexpectedly hard way, Germany is now left wondering whether the country really was smart in the spring or just lucky. The new year 2021 will provide the answer to this question.

The disruption caused by the pandemic is not over; it has just started. On a positive note, we have seen an unprecedented move towards more efficient means of communication through the use of new media and the leveraging of technology in general. For example, long overdue changes to the handling of annual shareholder meetings of German joint stock corporations were implemented within weeks to facilitate the annual reporting season under lock-down conditions. By providing short term work allowances to compensate for losses in remuneration resulting from temporary cuts in working hours, the German system helped employers to hold onto their highly-skilled work force in the hope of a quick recovery thereby avoiding immediate hardship for those hit hard by the imposed restrictions. A speedy process to amend legislation addressing topics from suspending rent payments and interest payments to the temporary relaxation of insolvency filing obligations flanked by a coherent communication strategy added to the sentiment of most Germans of having been governed well, so far.

2021 will be different and bigger challenges certainly lie in wait. Instead of throwing hundreds of billions of Euros at the problem, German politicians will now have to explain to the public who is going to pick up the bill for all the important measures taken. The inadequate accords reached with the twenty-seven European Union member states that remain after Brexit, designed to stabilize the weakest member state economies, will require rigorous implementation and oversight. To date, hope rests on what has been a series of blink-decisions taken in the face of an imminent European crisis coupled with the expectation that this will all result in a more aligned and more integrated European Union. A very optimistic scenario, indeed.

Apart from the emergency measures triggered by the COVID-19 pandemic, the EU and Germany have set and started to implement an ambitious agenda with regard to the regulation of international trade (by the introduction of tightened rules on foreign direct investments), antitrust laws (responding to the topics of market dominance in the digital age), consumer protection (with the introduction of collective redress within the EU), increased corporate responsibility in the white collar area (with the long-discussed introduction in Germany of criminal corporate liability), and the fight against money laundering and tax evasion.

And, finally, Angela Merkel’s term ends in the fall of 2021. She will have been the longest serving Chancellor in German history. This brings a 16-year era to an end that served Germany well and also helped Europe to navigate through difficult waters. She is expected to leave a temporary vacuum in German and European leadership that comes at the wrong time and will be difficult to fill in the short term.

Is this a dramatic crisis? No. Should we be concerned? Maybe. Should we act? Yes.

There are many things that each of us can do to turn the many challenges ahead into something new and potentially better. Here is our favorite list: First, stay healthy, look after yourself and your loved ones. Second, take informed and careful decisions each day to tackle the problems ahead, instead of rushing to beat “long-term-trends” with blurry visionary steps or short-sighted activism. Third, stay connected with the world, avoid narrow-minded thinking and a further fragmentation of the world, while staying connected to your local community. Learn where you can, challenge where you can, and help where you can. We are all in this together and only when we join forces, will we navigate the challenging times ahead of us.

At Gibson Dunn, we are proud and honored to be at your side to help solve your most complex legal questions and to continue our partnership with you in the coming year in Germany, in Europe and the world. We trust you will find this German Law Year-End Update insightful and instructive for the best possible start in 2021.

_______________________

Table of Contents

  1. Corporate, M&A
  2. Tax
  3. Financing and Restructuring
  4. Labor and Employment
  5. Real Estate
  6. Compliance / White Collar
  7. Data Privacy – Regulatory Activity and Private Enforcement on the Rise
  8. Technology
  9. Antitrust and Merger Control
  10. International Trade, Sanctions and Export Control
  11. Litigation
  12. Update on COVID-19 Measures in Germany

________________________ 

1. Corporate, M&A

1.1 Next Round – Virtual-only Shareholders’ Meetings of Stock Corporations in 2021

The temporary COVID-19-related legislation of March 2020 allowing stock corporations to hold virtual-only shareholders’ meetings in 2020[1] has been extended until the end of 2021 by means of an executive order of the German Ministry of Justice and Consumer Protection (Bundesministerium der Justiz und für Verbraucherschutz) issued in October 2020. While the legal framework of the temporary regime for virtual-only meetings remained unchanged, the regulator strongly appealed to the management of the relevant corporations to use the emergency instrument of a virtual-only meeting in a responsible manner, taking into account the specific individual circumstances due to the pandemic situation.

In addition to this mere moral appeal by the executive branch, just before year-end and somewhat surprisingly, the parliamentary legislator modified the March 2020 legislation with regard to the shareholders’ right to information in virtual-only meetings as a concession to the widespread criticism in the aftermath of the March 2020 legislation. The March 2020 legislation had reduced the shareholders’ right to information to a mere possibility to submit questions in electronic form prior to the meeting, leaving it up to management in its sole discretion as to whether and in which manner to answer such questions. Additionally, it allowed management to set a submission deadline of up to two days prior to the meeting.

The October legislation, addressing widespread criticism raised not only by shareholder activists and institutional investors but also by legal scholars, restored the shareholder’s right to ask questions in the 2021 season for shareholders’ meetings taking place after February 28, 2021: It will again constitute a genuine information right requiring management to duly answer all shareholders’ questions submitted in time prior to the meeting. In addition, the cut-off deadline for the submission of shareholders’ questions may not exceed one day.

Furthermore, the parliamentary legislator also clarified in its last-minute amendments that counter-motions by shareholders that are submitted for publication with the company at least 14 days prior to the shareholders’ meeting must be dealt with in the virtual-only shareholders’ meeting if the submitting shareholder has duly registered for the virtual shareholders’ meeting.

The virtual-only format is available to shareholders’ meetings of stock corporations which are held by December 31, 2021. In light of the current pandemic, the extensive use of the virtual-only format and the frequently observed extraordinarily high participation rate of shareholders in 2020, it can be expected that most stock corporations will again hold their shareholders’ meetings in a virtual-only format in 2021.

1.2 Legislative Initiative to Strengthen Market Integrity after the Wirecard Scandal

In the aftermath of the spectacular collapse of German payment solutions provider Wirecard last summer, the German Government on December 16, 2020 presented a draft bill (Regierungsentwurf) for an Act on the Strengthening of the Financial Market Integrity (Finanzmarktintegritätsstärkungsgesetz, FISG) which aims to restore and strengthen trust in the German financial market.

The draft bill provides for new rules designed to bolster both the internal (in particular, via the supervisory board) and external (e.g. by strengthening the independence of external auditors and their supervision) corporate governance of companies of public interest, including listed companies.

This includes, in particular, the explicit obligation for the management board of a listed stock corporation to implement an adequate and effective internal control and risk management system. Furthermore, the draft bill also aims to strengthen the accounting and audit expertise present in the supervisory board of listed companies: Whereas the law currently only requires that, at least, one supervisory board member shall have expertise in the fields of accounting and auditing, the draft bill requires that, at least, one board member has expertise in the fields of accounting and, at least, one other board member has expertise in the fields of auditing, thus increasing the minimum number of experts to, at least, two board members. In addition, the establishment of an audit committee by the supervisory board shall no longer be discretionary but becomes compulsory for companies of public interest, including all listed companies.

In order to strengthen the independence of the auditor as part of a company’s external safeguards, the draft bill suggests the tightening of the mandatory external rotation. The external rotation of the auditor shall occur no later than after ten years for all companies of public interest, including listed companies, thus eliminating national exemptions from the EU audit regime, which currently allow for a maximum term of 24 years, and introduces further restrictions on non-audit services that can be provided by the auditor.

In reaction to the widespread criticism leveled at the response of Germany’s Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFin) to the events that led to Wirecard’s collapse and the perceived failure of the supervisory and enforcement procedures and mechanisms in financial reporting, the draft bill also proposes revisions to the current supervisory and enforcement procedures, including further-reaching competences for the financial regulator BaFin itself.

Last but not least, the draft bill provides for increased civil liability for damages caused by auditors as well as a tightening of criminal and administrative penalties for misrepresentations made by company representatives and statutory auditors in connection with the preparation and audit of company accounts.

The Government’s draft bill essentially corresponds to a joint ministerial draft of October 26, 2020 by the Federal Ministry of Finance (Bundesministerium für Finanzen) and the Federal Ministry of Justice and Consumer Protection (Bundesministerium der Justiz und für Verbraucherschutz), which had been met with widespread criticism arguing that the proposals were not going far enough and failed to address the shortcomings of the current system which were also identified by the EU’s securities market regulator, the European Securities and Markets Authority (ESMA), in its special report on the Wirecard collapse published in November 2020. It remains to be seen whether and to which extent this criticism will be taken up by the lawmaker in the upcoming parliamentary process by providing for more fundamental changes and reforms.

1.3       German Foreign Direct Investment Control – Rule-Tightening in Light of COVID-19 and the EU Screening Regulation

In December 2020, for the very first time, the German Federal government officially prohibited the indirect acquisition of a German company with specific expertise in satellite/radar communications and 5G millimeter wave technology by a Chinese state-owned defense group. The decision is the culmination of an eventful year which has seen various changes to the rules on foreign direct investments (the “FDIs”) in light of, inter alia, COVID-19 and the application of the EU Screening Regulation[2].

Below is an overview of the five key changes that have become effective over the course of 2020:

    1. Extension of the catalog of select industries triggering a mandatory filing with the German Ministry of Economy and Energy (Bundesministerium für Wirtschaft und Energie, BMWi) upon acquisition of 10% or more of the voting rights in a German company by a non-EU/non-EFTA acquirer to include (i) personal protective equipment, (ii) pharmaceuticals that are essential for safeguarding the provision of healthcare to the population as well as (iii) medical products and in-vitro-diagnostics used in connection with life-threatening and highly contagious diseases.
    2. No more gun-jumping: All transactions falling under the cross-sector review that require a mandatory notification (i.e., FDIs of 10% or more of the voting rights by a non-EU/non-EFTA investor in companies active in one or more of the conclusively listed select industries) may only be consummated upon conclusion of the screening process (condition precedent).
    3. Introduction of penalties (up to five years imprisonment or criminal fine (in case of willful infringements and attempted infringements) or an administrative fine of up to EUR 500,000 (in case of negligence)) for certain actions pending (deemed) clearance by the BMWi, namely: (i) enabling the investor to, directly or indirectly, exercise voting rights, (ii) granting the investor dividends or any economic equivalent, (iii) providing or otherwise disclosing to the investor certain security-relevant information on the German target company, and (iv) the non-compliance with enforceable restrictive measures (vollziehbare Anordnungen) imposed by the BMWi.
    4. Implementation of the EU-wide cooperation mechanism as required under the EU Screening Regulation.
    5. Expansion of the grounds for screening under German FDI rules to include public order or security (öffentliche Ordnung oder Sicherheit) of a fellow EU member state as well as effects on projects or programs of EU interest, and tightening of the standard under which an FDI may be prohibited or restrictive measures may be imposed from “endangering” (Gefährdung) to “likely to affect” (voraussichtliche Beeinträchtigung) the public order or security, so as to reflect the EU Screening Regulation.

For additional details on these and other changes in 2020 to foreign investment control and an overview on the overall screening process in Germany, please refer to our respective client alerts published in May 2020[3] and November 2020[4].

Further changes to the German Foreign Trade and Payments Ordinance (Außenwirtschaftsverordnung, AWV) are announced for 2021. In particular, the catalog of critical industries is to be extended further. Based on earlier announcements by the BMWi, artificial intelligence, robotics, semiconductors, biotechnology and quantum technology will likely be added to the catalog of critical industries.

1.4       Gender Quota for (Certain) Management Boards on the Horizon

Five years after the (first) Management Position Act (Führungspositionen-Gesetz) for the first time implemented a mandatory female quota for the composition of supervisory boards of certain German companies in 2016,[5] the German government coalition parties now support a mandatory quota also for management boards. In the future, under the contemplated Second Management Position Act (Zweites Führungspositionen-Gesetz) (i) listed companies, (ii) which are subject to the 50% employee co-determination under the Co-Determination Act (Mitbestimmungsgesetz) and (iii) whose management board consists of more than three members, must appoint at least one female management board member whenever a position becomes vacant.

The new management board quota will only apply with regard to the rather limited number of companies who meet all of the above criteria. However, it is nevertheless a strong signal by the German coalition parties to a German business community in which voluntary commitments to increase gender equality have failed to gain significant momentum in the past. Under the 2015 Management Position Act which had introduced the mandatory gender quota for supervisory boards, companies were, in addition, requested to set themselves gender targets for the composition of their management boards. Rather than taking the opportunity to consider voluntary targets in line with the specific circumstances of a company, a large number of affected companies simply set the target at “zero” year after year. By contrast, the mandatory 30% gender quota for the composition of supervisory boards has not just been met but even exceeded and is currently polling at approximately 37%.

For all companies in which governmental authorities hold a majority, the contemplated Second Management Position Act will also (i) provide for a mandatory 30% female quota for the composition of supervisory boards and (ii) introduce a minimum number of mandatory female management board members. In addition, public law corporations (Körperschaften des öffentlichen Rechts) primarily active in the health and insurance sectors which typically employ a large number of female staff, will be required to appoint at least one female board member if the board is composed of two or more members.

The draft legislation was approved by the cabinet in early January 2021 and will now be submitted to the German Parliament. The new gender quota should in any event come into force prior to the German federal elections in autumn 2021.

While a number of corporations welcome the move towards more gender equality as Germany is lagging behind in comparison to, in particular, Scandinavian and UK companies, others oppose the quota law arguing undue interference with the right of the supervisory board to appoint the best available candidate. It will be interesting to see if and how investors position themselves.

1.5       New Developments on Taxation of Remuneration for Supervisory Board Members

As a consequence of a ruling by the German Federal Fiscal Court (Bundesfinanzhof, BFH) late in 2019, the tax classification of compensation paid to supervisory board members has been modified in terms of value-added tax (VAT). In order to avoid potential adverse tax effects based on the incorrect tax treatment of supervisory board compensation, both individual supervisory board members and the companies they serve should be familiar with the ruling.

Previously, the tax authorities presumed without further differentiation between fixed or variable supervisory board compensation that members of supervisory boards were engaged in independent entrepreneurial activity and their remuneration was to be charged with VAT. It was irrelevant whether the respective member of the supervisory board was an elected member, served on the board as a shareholder delegate or in a capacity as an employee representative. At least in those cases where supervisory board members receive a fixed compensation for their service, future invoices will no longer be permitted to charge a VAT component.

The respective ruling by the BFH applied an earlier decision of the European Court of Justice (ECJ) taken on June 13, 2019 at the national level and confirmed the ECJ’s view that supervisory board members who receive fixed remuneration are not qualified as independent. The ECJ held in its decision that supervisory board members, who act on behalf of and in the sphere of responsibility of the supervisory board, do not bear any economic risk for their activities and therefore do not perform entrepreneurial activities due to a lack of independence. The BFH followed the argumentation of the ECJ and agreed that supervisory board members who receive a fixed remuneration which is neither dependent on their attendance at meetings nor on the services actually performed, cannot be classified as entrepreneurs. The BFH left it open whether independent entrepreneurial activities can be deemed to exist in cases where a variable remuneration is agreed with the individual member of the supervisory board.

For the individual supervisory board member, such classification as a dependent activity means, at least, in the case of fixed remuneration, that he or she may no longer add a VAT element to the remuneration in invoices issued to the company. Otherwise the supervisory board member would owe such tax, while the company would not be able to deduct such an incorrectly added tax component as an input tax deductible. Likewise, input tax amounts incurred in connection with the activity as a supervisory board member (e.g. VAT on travel expenses or office supplies) would no longer be recoverable due to the lack of independence of the supervisory board member.

If the supervised company is entitled to an unrestricted input tax deduction, this new jurisprudence should not have any adverse economic impact on the company, provided correct invoices are issued. Industries which are not entitled to deduct input tax or only entitled to deduct it to a limited extent – such as banks, insurance companies or non-profit organizations – actually benefit if the supervisory board member issues invoices without VAT.

The tax authorities have so far not yet published any guidelines in response to the new case law. It therefore remains to be seen whether the tax authorities will draw a distinction between fixed and variable compensation when qualifying the activities of a supervisory board member for VAT purposes. It would also be conceivable that the tax authorities would now generally assume that a supervisory board member’s services are deemed to be a dependent activity which is generally not subject to VAT.

However, since a short-term response to the case in the administrative guidelines is to be expected in the near future, the ruling should be applied to fixed compensation and VAT should not be included in any future invoice. In the case of variable compensation and in view of the previous administrative practice, the invoicing of a separate VAT component would continue to be required until the tax authorities have communicated their new position on the matter or – if variable compensation is also to be accounted for without VAT – legal action may become necessary. It also remains to be seen whether the tax authorities will apply the new case law retrospectively and whether and how it would take into account considerations of the protection of legitimate expectations (Vertrauensschutz).

2.         Tax

2.1       Taxation of Transactions involving German Registered IP

In a decree issued on November 6, 2020, the German tax authorities expressed their opinion that transactions between non-German parties, which relate to IP registered in a German register, are subject to tax in Germany. The tax provision the German tax authorities are referring to has been in existence for almost 100 years but in practice this provision has not been applied to transactions where both contracting parties reside outside of Germany. The German tax authorities now deviate from past practice and take the view that such extraterritorial transactions with German registered IP are taxable in Germany. In essence, such interpretation of the German tax authorities creates a taxable nexus in Germany only by virtue of the German registration of IP. As a consequence, royalties paid by a non-German licensee to a non-German licensor for German registered IP are subject to German withholding tax at a flat rate of 15.8%. A potential upfront tax relief under European directives or applicable double tax treaties may be applicable but requires a formal application by the licensor and a certification by the German tax authorities prior to payment of the royalties. If the withholding tax was not withheld, which is the typical case for German registered IP, the licensee as well as the licensor may be held liable for the payment of the withholding tax.

Only two weeks after the issuance of the decree, the German government released a draft tax bill on November 20, 2020 recognizing the far-reaching interpretation of the tax authorities. Under the draft tax bill German tax for registered IP in Germany would only apply if the IP is exploited through a German permanent establishment or facility of the licensee; the pure registration of IP in a German register would not be sufficient anymore to become taxable in Germany. It is still unclear if and to what extent the draft tax bill becomes effective and, therefore, the November 6 decree remains for now the only currently valid administrative guidance on the taxation of IP registered in Germany.

Affected taxpayers are well advised to closely monitor the further legislative process.

2.2       Anti-Tax-Avoidance Directive

In 2016, the EU enacted the Anti-Tax-Avoidance Directive (ATAD) containing a package of legally binding measures to combat tax avoidance to be implemented into national law by all EU member states by 2018/2019. Germany has so far delayed implementation, exposing itself to EU infringement proceedings for failure to implement ATAD into national law in time. Almost one year after publication of the first draft bill, Germany is now considering implementing ATAD requirements in early 2021. Implementation has been delayed because Germany wanted to introduce several measures beyond a one-to-one implementation of the Directive, such as new rules on cross-border intercompany financing or exit taxation for individuals.

As part of the most relevant gap between existing German tax rules and ATAD requirements, Germany will introduce rules which limit the deduction of operating expenses for certain hybrid arrangements between related parties. Significant changes under ATAD regarding the current controlled foreign corporation (CFC) rules (Außensteuergesetz) will be a new control criterion and introduction of a shareholder-based approach. Control shall be deemed to exist if a German-resident shareholder, alone or jointly with related persons, holds a majority stake in the foreign company. The current concept of domestic control by adding up the participations of all German taxpayers will be abandoned. The current CFC rules, according to which a foreign company is considered as lowly taxed if the income tax is below 25%, shall, however, be retained.

This has evoked strong criticism by commentators since even in many developed countries the income tax rate is below 25% and CFC regulations in Germany can therefore be triggered too easily.

2.3       New Anti-Treaty Shopping Rule

The European Court of Justice (ECJ) has consistently declared Germany’s attempts at creating a treaty-overriding anti-abuse provision to be a violation of EU fundamental freedoms. On November 20, 2020, the German government released a draft tax bill and launched another attempt at making the anti-abuse provision compatible with EU law. The draft law takes into account recent ECJ case law and provisions under the ATAD. Under the new wording of the anti-abuse provision a foreign company has no claim for relief from withholding tax to the extent that it is owned by persons who would not be entitled to such relief, had they been the direct recipients of the income, and as far as the source of income is not materially linked to economic activity of this foreign company. Receiving the income and its onward transfer to investors or beneficiaries as well as any activity that is not carried out using business substance commensurate with the business purpose cannot be regarded as an economic activity. Withholding tax relief shall be given in so far as the foreign company proves that none of the main purposes of its interposition is obtaining a tax advantage or if the shares in the foreign company are materially and regularly traded on a recognized stock exchange.

If the new rule becomes law, it could in the future be harmful for a holding company to be interposed between its parent and a German income source even if the holding company and the parent are in different countries and both German tax treaties applicable to the holding and the parent company provide for the same withholding tax benefits. In such case it may be required to create a sufficient economic link between the German income source and the economic activity of the holding company in order to avoid the application of the anti-treaty shopping rule. An active management holding company should be regarded as a sufficient economic activity and such holding company should not fall under the new rules. Further clarifications in that respect by the German tax authorities are expected in the first half of 2021.

3.         Financing and Restructuring

With the COVID-19 pandemic hitting the German economy hard, the areas of financing and restructuring saw some of the most significant changes and sustained reform in 2020. The initial legislative response focused, in particular, on providing new sources of emergency funding and a temporary relaxation of the traditionally strict German insolvency filing obligations for companies perceived to be in financial disarray through no fault of their own due to the effects of the pandemic.[6]

On December 17, 2020, the German Parliament then adopted the Act on the Continued Development of Restructuring and Insolvency Law (Sanierungs- und Insolvenzfortentwicklungsgesetz – SanInsFoG) to address (i) the fear of a large-scale “insolvency wave” upon the originally scheduled expiry of the COVID-19 pandemic triggered partial suspension of the insolvency filing requirement due to over-indebtedness on December 31, 2020,[7] and (ii) the implementation of the European Union Directive (EU) 2019/1029 of June 23, 2019 on preventive restructuring frameworks, the discharge of debt and measures to increase the efficiency of restructuring and insolvency proceedings (the “Restructuring Framework Directive”) into German law which would have been due by July 2021.

This reform of German restructuring and insolvency law, which was pushed through the parliamentary process in a very short period of time, has been labeled by many commentators as potentially the most significant reform of the German restructuring landscape since the introduction of the German Insolvency Code (Insolvenzordnung, InsO) in 2001.

A selection of key changes introduced by the SanInsFoG reform which came into effect on January 1, 2021 are highlighted in the below sections:

3.1       Reform of the German Insolvency Code (InsO) by the SanInsFoG

  • The insolvency reason of over-indebtedness (Überschuldung) was modified in such a way that the period for the necessary continuation prognosis (Fortführungsprognose), during which a mathematically over-indebted company must be able to meet its obligations when they fall due, was shortened to twelve months only. Before the reform, the relevant period was the current and the following business year.
  • If certain special requirements during the period of the pandemic are met, the prognostication period is shortened further to only four months in order to deal with the economic effects of the pandemic which makes reliable long term planning difficult if not impossible. This provision is designed further to soften the effects of the pandemic and applies only from January 1, 2021 to December 31, 2021.
  • The suspension of the insolvency filing obligation under the COVInsAG was further extended for all of January 31, 2021. The suspension applies to all over-indebted and/or illiquid companies (i) who filed an application for public support under the “November and December COVID-relief funds” (November- und Dezemberhilfen) but the respective funds were not yet paid out or (ii) such application was not possible for technical or legal reasons even though a business was entitled to apply. The extension does not apply if the receipt of such funds would not be sufficient to cure the existence of the insolvency reason or such application would clearly be unsuccessful.
  • For the insolvency reason of over-indebtedness only, the previous maximum period for mandatory insolvency filing of three weeks was extended to a maximum of six weeks.
  • The prognostication period for the determination of impending illiquidity (drohende Zahlungsunfähigkeit) is now as a general rule twenty-four months.
  • Certain provisions relevant for the liability of the managing directors in times of distress were removed from various corporate statutes and concentrated in modified form in a new provision of the Insolvency Code (§ 15b InsO). The legislator, in particular, clarified and extended the payments permitted by the management of a debtor company after the time an insolvency reason has already occurred if a timely filing is later made.
  • The provisions on future access to own administration by management (Eigenverwaltung) and so-called protective umbrella proceedings (Schutzschirmverfahren) in the Insolvency Code were modified and partly restricted to address past undesirable developments. However, exceptions apply for entities who became insolvent due to the pandemic: (i) Illiquid entities may rely on the protective umbrella proceedings which otherwise are only available in case of impending illiquidity, and (ii) companies may under certain specific circumstances continue to avail themselves of the less restrictive pre-reform rules on own administration by management if such proceedings are applied for during the year 2021.

3.2       Introduction of a New Pre-Insolvency Restructuring Tool Kit

The core piece of the SanInsFoG is the new, stand-alone act called the Business Stabilization and Restructuring Act (Unternehmensstabilisierungs- und -restrukturierungsgesetz, StaRUG, the “Restructuring Act”). This Restructuring Act contains the German rules to transpose the requirements of the Restructuring Framework Directive into local German law, but partly goes beyond such minimum requirements.

Without any claims to be complete, clients and their management ought to be aware of the following key items in the Restructuring Act:

  • The Restructuring Act introduces a general obligation for management to install continuous supervision and early warning systems that enable management to detect any developments endangering their company’s existence or financial wellbeing.
  • Once a company is faced with impending illiquidity, and has opted for voluntary pre-insolvency restructuring proceedings, management of the debtor has to conduct the business with the care of a prudent business person in restructuring and thus, in particular, has to safeguard the interests of the community of creditors. Conflicting shareholder instructions may not be complied with.
  • In voluntary pre-insolvency restructuring proceedings, management of the company must draw up a detailed, descriptive (darstellend) and executive (gestaltend) restructuring plan in order to restructure the company’s business or individual types of liabilities or contractual obligations. Measures may, for example, include haircuts and amendments of the rights of secured or unsecured creditors, but a comparative calculation/analysis needs to be attached which outlines the effects of the restructuring on individual creditors compared to a regular insolvency situation. It should be noted that claims of employees (including pension claims) may not be restructured or changed as part of the restructuring plan.
  • Approval of the restructuring plan requires a majority of 75% of the voting rights per creditor group. Subject to additional requirements, non-consenting creditors can be overruled via a court approved cross-class cram-down.
  • The court may upon request of the restructuring company further impose a temporary three-month moratorium on individual enforcement measures. Such moratorium may under certain circumstances be extended to a maximum period of eight months.
  • The handling of the entire pre-insolvency restructuring can be assisted or facilitated by the involvement of two newly-created functional experts appointed by the competent court, the so-called restructuring agent (Restrukturierungsbeauftragter) and the restructuring moderator (Sanierungsmoderator). In addition, the competent court may appoint a so-called creditor’s advisory committee (Gläubigerbeirat) ad officium if the proposed restructuring plan affects all creditors (except for creditors of exempt claims such as claims of employees) and, thus, is of such general application to all groups of creditors that the proceedings are akin to universal proceedings (gesamtverfahrensartige Züge). Such creditor advisory committee may also include members that are unaffected by the restructuring plan like e.g. employee representatives or others.
  • If illiquidity or over-indebtedness occurs during the restructuring proceedings, management is obliged to immediately inform the restructuring court, but the formal duty to file for insolvency is suspended. Such insolvency filings do remain possible, though, and the restructuring court may close the restructuring matter to allow for formal insolvency proceedings. Failure to inform the restructuring court duly or timely may incur personal liability for management.
  • The tools, procedures and restructuring measures contained in the Restructuring Act are mostly new and untested. It can thus be expected that the need for specialist advice for distressed companies will generally increase.

The need for additional expert assistance and the relatively heavy load of technical and procedural safeguards may pose a challenge in particular for small and medium-sized distressed businesses who suffer heavily from the pandemic and who may not have the financial and other resources to benefit from the Restructuring Act. It therefore remains to be seen whether and how the new Restructuring Act will stand the test of time in this regard. It can be expected, though, that the Restructuring Act will offer interesting options and restructuring potential, at least, for bigger and more sophisticated players in the German or international business arena. We would thus recommend that interested circles, i.e. German managing directors and board members but also investors or shareholders, familiarize themselves with the fundamentals of the Restructuring Act.

4.         Labor and Employment

4.1       Employers’ Options during the COVID-19 Pandemic

The German lawmaker has enacted several support measures and subsidies for companies to cope with the ongoing COVID-19 pandemic, especially enhancing short-time work options. In a nutshell, short-time work means that working hours are reduced (even down to zero) and that the state pays between 60% and 87% of the net income lost by the affected employees. Currently, such a scheme can be extended to 24 months with the government even covering the social security costs.

Companies that make use of this generous scheme are not barred from carrying out redundancy measures. However, the narrative for such lay-offs is different: A termination for business reasons requires a permanent, not only a temporary loss of work. Regardless of these strict requirements, we have seen an uptick of redundancies during the pandemic.

For a more detailed insight we would refer to our client alert on the topic.[8]

4.2       Reclassification Risk of Crowd-Workers into De-Facto Employees

The German Federal Labor Court (Bundesarbeitsgericht, BAG) has recently held that crowd-workers, i.e. freelancers hired over an online platform, can be classified as employees of the platform (9 AZR 102/20). This would entitle them to certain employee-protection rights, such as protection against dismissal, continued payment of remuneration and vacation claims.

In this particular case, the crowd-worker was considered an employee because the platform controlled the details of the work (place, date and contents) and featured a rating system that incentivized him to continuously perform activities for the platform operator. In the opinion of the court that sufficed to show that the crowd-worker was integrated in the platform operator’s business, making him an employee.

While the ruling will not render the business model of crowd-working platforms entirely impossible, especially platform operators using incentive systems should have these arrangements double-checked to mitigate the risk of costly reclassification of their crowd-workers.

4.3       Pension Claims in Insolvency (Distressed M&A)

The European Court of Justice (ECJ) has issued an important ruling concerning the liability of acquirers of insolvent companies for occupational pensions. According to German case law, such acquirers have not been liable for their new employees’ rights with regard to occupational pension schemes as far as these rights had been accrued prior to insolvency. Instead, such claims are covered by the German Insolvency Protection Fund (Pensionssicherungsverein, PSV), which secures them to a certain extent, but not always entirely.

The plaintiffs in the underlying German court proceedings sued the acquirer for acknowledgement of their full pension claims disregarding reductions due to the insolvency. The ECJ now ruled on September 9, 2020 that the limited liability of the acquirer regarding occupational pension claims was only in line with European Union law if national law provided a certain minimum protection regarding the part not covered by the acquirer (C-674/18 and C-675/18). Regrettably, the ruling does not make it entirely clear who would be liable for a possible difference in benefits – the acquirer or the PSV. According to the few publications available so far, it appears more convincing that the PSV would have to cover said deficit. However, due to the lack of certainty, investors ought to take this potential risk into account when acquiring insolvent businesses.

5.         Real Estate

5.1       Conveyance requires Domestic German Notary

The transfer of title to German real estate requires (i) the agreement in rem between the transferor and the acquiror on the transfer (conveyance) and (ii) the subsequent registration of the transfer in the competent land register. To be effective, the conveyance needs to be declared in the presence of both parties before a competent agency. While a notary appointed in Germany fulfills this criterion, it is disputed among German scholars whether the conveyance may also be effectively declared before a notary public abroad.

In its decision of February 13, 2020, the German Federal Supreme Court (Bundesgerichtshof, BGH) held that the conveyance may not be effectively declared before a notary who has been appointed outside of Germany. Engaging a notary abroad for the conveyance to get the benefit of (often considerably) lower notarial fees abroad, is thus not a viable option. In case of a sale of real estate under German law, additional notarial fees for the conveyance, however, may be avoided if the conveyance is included in the notarial real estate sale agreement recorded by a German notary.

The feasibility of a notarization before a notary public abroad is still disputed with respect to the notarization of the sale and transfer or the pledging of shares in a German limited liability company (GmbH). It remains to be seen whether this decision on real estate conveyance may also impact the dispute and arguments on the permissibility of foreign notarization of share sales and transfers or pledges.


5.2       Update regarding Commercial Lease Agreements

Further developments of potential relevance for the real estate world, which were triggered by the COVID-19 pandemic, are discussed in the context of the continuing legal impact of the pandemic in sections 12.3 and 12.4 below.


6.         Compliance / White Collar

6.1       Corporate Sanctions Act: Extended Liability for Criminal Misconduct

The German Federal Government is still pursuing its plan to implement a corporate criminal law into German law. After the Federal Council (Bundesrat) had demanded some changes to the previous draft bill, the Federal Government introduced its draft to Parliament on October 21, 2020. Unlike many other countries, German criminal law does not currently provide for corporate criminal liability. Corporations may only be fined for an administrative offense. Based on the draft bill, corporations will be responsible for business-related criminal offenses committed by their leading personnel and will be liable for fines of up to 10% of the annual – worldwide and group-wide – turnover. In addition to this fine, profits can be disgorged and the corporation will be named in a sanctions register as a convicted party for up to 15 years.

Furthermore, if implemented, public prosecutors would be legally obliged to open investigations against the corporation on the basis of a reasonable suspicion (currently, it is in their discretion), and a written legal framework for internal investigations will be established. A corporation will benefit from considerable mitigation of the sanction if it carries out an internal investigation that meets certain criteria (such as a cooperation with the authorities in an uninterrupted and unlimited manner, organizational separation between investigation and criminal defense, and adherence to fair trial standards).

In view of these developments, corporations should not only revise existing compliance systems to prevent corporate criminal misconduct, but also set up an action plan to be prepared for criminal investigations under the planned Corporate Sanctions Act. Considering that the current legislative period will end in the autumn of 2021, it is expected that a final resolution on the Corporate Sanctions Act will soon be reached by the legislator.


6.2       Money Laundering: The German Government’s Intensified Fight for AML Compliance

In the past, the FATF (Financial Action Task Force) and others have often portrayed Germany as being too lenient in its efforts to combat money laundering, and the German regulatory framework was branded as containing too many loopholes. Recent developments surrounding the collapse of German payment service provider Wirecard have done little to assuage such views.

In response to such criticism, Germany has recently increased its efforts towards introducing a more forceful AML framework. A prime example of Germany’s new-found vigor in this regard is the fact that the German government opted not only to implement the 5th EU Money Laundering Directive, but to go above and beyond the minimum requirements set by the EU. As already discussed in sections 1.4, 5.2 and 6.2 of last year’s client alert, a number of legislative changes came into effect.[9]

In addition, the German government issued two distinct resolutions, namely the eleven points “National Strategy Package” and – in direct conjunction with the Wirecard collapse – the “16-Points Action Plan”. The corresponding changes are not limited to the German Criminal Code and the Anti Money Laundering Act (Geldwäschegesetz, GwG), but extend to establishing an improved organization of the German AML authorities.

The provision on money laundering in the German Criminal Code (section 261) will, according to the current Ministry of Justice draft bill, undergo a fundamental change. Pursuant to the intended legislation, the scope of section 261 of the German Criminal Code will be significantly broadened as any criminal wrongdoing may in the future constitute a predicate offense for money laundering.

Under the current state of the law, only a limited set of criminal offenses may give rise to money laundering. Importantly, criminal acts committed abroad may serve as predicate offenses for money laundering as well. The new legislation extends the scope of relevant prior offenses to certain acts which under EU law are required to be rendered punishable under the respective local criminal laws of the member states, irrespective of whether such act is in fact punishable in the jurisdiction at the place it is committed. Moreover, the offense of grossly negligent money laundering has been re-introduced into the draft after a heated debate in this regard.

As supporting measures to the amended Anti Money Laundering Act, the German government decided to subject numerous economic players to (new or partially enhanced) AML requirements, including private financial institutions, crypto currency traders, real estate agencies and notaries who would be burdened with extended new obligations to disclose AML-related concerns regarding their customers and clients. These measures are mainly reflected in this year’s draft of a regulation on obligations to report certain facts surrounding real estate (Verordnung zu den nach dem Geldwäschegesetz meldepflichtigen Sachverhalten im Immobilienbereich).

Key German AML institutions were – as a direct result of the aforementioned government’s resolutions – significantly strengthened:

  • The Financial Intelligence Unit’s (FIU) personnel was more than doubled, and its data access rights were significantly expanded. In addition, a high-level government body was established between German federal and local state authorities.
  • The German Federal financial supervisory authority BaFin was requested to ensure that companies and persons under its supervision implement any statutory obligations, and BaFin’s related supervisory competences were broadened.
  • The transparency registry which may be accessed by members of the public was established, collecting key relevant data including the UBO. Registration in the transparency register is mandatory for all companies with business activities in or related to Germany.

The German business community and relevant AML specialists should, at least, inform themselves or gain an in-depth understanding of the new and extended regulatory framework. New monitoring systems need to be put in place to follow up on future predicate offenses. Therefore, relevant risk factors including those arising from new business models such as crypto currency trading have to be evaluated as a first step prior to implementing the new provisions.

While Germany has failed to implement new European AML requirements by December 3, 2020, the corresponding draft bill is expected to come into force soon.


6.3       Cross-Border European Investigations: The European Public Prosecutor’s Office

To fight crimes against the fiscal interests of the European Union, the European Public Prosecutor’s Office (“EPPO”) is expected to become operative in 2021. The EPPO will act both on a centralized level with European Prosecutors based in Luxembourg having a supervisory and coordinating function and on a decentralized level with European Delegated Public Prosecutors situated in the participating EU member states having the same powers as national prosecutors to investigate specific cases. Its activities will focus on the prosecution of offenses to the detriment of the EU such as subsidy fraud, bribery and cross-border VAT evasion.

After the originally intended start of the new authority was delayed at the end of 2020, it is anticipated that investigation activities will start in 2021. In addition to the existing national criminal prosecution authorities and European institutions such as OLAF, Europol and Eurojust, a genuine European criminal prosecution authority will enter the stage and possibly bring about a shift in European enforcement trends. It is to be hoped that crimes affecting the EU’s financial interests will be pursued in a more robust manner and that international coordination of investigations will be significantly improved.


7.         Data Privacy – Regulatory Activity and Private Enforcement on the Rise

The German Data Protection Authorities (“DPAs”) have certainly had a busy year. While the trend towards higher fine levels for GDPR violations continues, the German DPAs have also initiated a number of investigations and issued guidance on a variety of issues, such as COVID-19 related data privacy concerns, the consequences of the “Schrems II” ruling of the Court of Justice of the European Union (judgment of July 16, 2020, case C-311/18)[10] and the use of video conferencing services and other technological tools in the context of working from home.

With regard to fines, in 2020 the German DPAs issued fines in the total amount of EUR 36.6 million (approx. USD 44.8 million). In October 2020, the Hamburg Data Protection Authority imposed a record-breaking fine in the amount of EUR 35.3 million (approx. USD 43.2 million) on a retail company for comprehensively and extensively collecting sensitive personal data from its employees, including health data and data about the employees’ personal lives, without having a sufficient legal basis to do so. This was the highest fine ever issued by a German DPA.

However, for companies it may well pay off to push back against such fines: The District Court (Landgericht) of Bonn largely overturned a fining decision issued by the German Federal Commissioner for Data Protection and Freedom of Information against a German telecommunications service provider in December 2019. While the court confirmed a violation of the GDPR, the court significantly reduced the fine in the amount of EUR 9.5 million (approx. USD 11.6 million) to EUR 900,000 (approx. USD 1.1 million).

Another important trend is the increasing number of private enforcements in the context of data protection violations. In particular, consumers are seeking judicial help to enforce information and access requests as well as compensation claims for material or non-material damages suffered as a result of GDPR violations, especially in the employment context. But German courts are apparently not (yet) prepared to award larger amounts to plaintiffs for this kind of GDPR violation. For example, in a case where an employee requested damages in the amount of EUR 143,500 (approx. USD 175,800), the Labor Court of Düsseldorf awarded damages in the amount of only EUR 5,000 (approx. USD 6,000). Nevertheless, companies are well advised to keep an eye on future developments as courts may raise the amount of damages awarded if an increasing number of cases were to show that current levels of damages awarded are not sufficient to have a deterrent effect.


8.         Technology

8.1       Committee Report on Artificial Intelligence

In November 2020, the German AI inquiry committee (Enquete-Kommission Künstliche Intelligenz des Deutschen Bundestages, hereafter the “Committee”) presented its final report, which provides broad recommendations on how society can benefit from the opportunities inherent in AI technologies while acknowledging the risks they pose. The Committee was set up in late 2018 and comprises 19 members of the German Parliament and 19 external experts.

The Committee’s work placed a focus on legal and ethical aspects of AI and its impact on the economy, public administration, cybersecurity, health, work, mobility, and the media. The Committee advocates for a “human-centric” approach to AI, a harmonious Europe-wide strategy, a focus on interdisciplinary dialog in policy-making, setting technical standards, legal clarity on testing of products and research, and the adequacy of digital infrastructure.

At a high level, the Committee’s specific recommendations relate to (1) data-sharing and data standards; (2) support and funding for research and development; (3) a focus on “sustainable” and efficient use of AI; (4) incentives for the technology sector and industry to improve scalability of projects and innovation; (5) education and diversity; (6) the impact of AI on society, including the media, mobility, politics, discrimination and bias; and (7) regulation, liability and trustworthy AI.


8.2       Proposed German Legislation on Autonomous Driving

The German government announced plans to pass a law on autonomous vehicles by mid-2021. The new law is intended to regulate the deployment of connected and automated vehicles (“CAV”) in specific operational areas by the year 2022 (including Level 5 “fully automated vehicles”), and will define the obligations of CAV operators, technical standards and testing, data handling, and liability for operators. The proposed law is described as a temporary legal instrument pending agreement on harmonized international regulations and standards.

Moreover, the German government also plans to create, by the end of 2021, a “mobility data room”, described as a cloud storage space for pooling mobility data coming from the car industry, rail and local transport companies, and private mobility providers such as car sharers or bike rental companies. The idea is for these industries to share their data for the common purpose of creating more efficient passenger and freight traffic routes, and support the development of autonomous driving initiatives in Germany.


9.         Antitrust and Merger Control

9.1       Enforcement Overview 2020

The German Federal Cartel Office (Bundeskartellamt), Germany’s main antitrust watchdog, has had another very active year in the areas of cartel prosecution, merger control, consumer protection and its focus on the digital economy.

On the cartel prosecution side, the Bundeskartellamt concluded several investigations in 2020 and imposed fines totaling approximately EUR 358 million against 19 companies and 24 individuals from various industries including wholesalers of plant protection products, vehicle license plates, and aluminum forging. It is of note that the fining level decreased by more than 50 % compared to 2019. While the Bundeskartellamt received 13 notifications under its leniency program, the increasing risks associated with private follow-on damage claims clearly reflect on companies’ willingness to cooperate with the Bundeskartellamt under its leniency regime. The authority stressed that it is continuing to explore alternative means to detect illegitimate cartel conduct, including through investigation methods like market screening and the expansion of its anonymous whistle-blower system.

In 2020, the Bundeskartellamt also reviewed approximately 1,200 merger control filings (i.e., approximately 14 % less than in 2019). As in previous years, more than 99 % of these filings were concluded during the one-month phase one review. Only seven merger filings required an in-depth phase-two examination. Of those, five were cleared in phase-two (subject to conditions in two of these cases), and two phase-two proceedings are still pending.

Looking ahead to the year 2021, the Bundeskartellamt will likely continue to focus on the digital economy and conclude its sector inquiry into online advertising. The agency also announced that it will go live with its competition register in Q1 of 2021 for public procurement purposes. This database will list companies that were involved in competition law infringements and other serious economic offenses.


9.2       Paving the Way for Private Enforcement of Damages

In its Otis decision (C-435/18 of December 12, 2019), the European Court of Justice (ECJ) paved the way for private enforcement in cases concerning antitrust damages. The ECJ held that even a party not active on the market related to the one affected by the cartel may seek damages if there is a causal link between the damages incurred and the violation of Article 101 of the Treaty on the Functioning of the European Union (TFEU). The ECJ also reaffirmed that the scope of the right to compensation under Article 101 TFEU, i.e. the “who,” “what” and “why”, is governed by EU law while the national laws of the member states determine how to enforce the right.

Private enforcement of cartel damages is gaining momentum. Since the Otis decision, German courts, in particular the German Federal Supreme Court (Bundesgerichtshof, BGH), have further explored the course set by the ECJ in several antitrust damages cases concerning the so-called rail cartel.

The BGH held that Article 101 TFEU and, therefore, also the right to damages under German law, does not require the claimant to prove that a certain business transaction has directly been affected by the cartel at issue. Instead, it is sufficient if the claimant establishes that the cartel infringement is abstractly capable of causing damages to the claimant. As a result, courts only need to evaluate one long-lasting cartel infringement instead of individual breaches. The BGH further clarified in its decisions that the extent of an impairment by a cartel is a question of “how” a claimant would be compensated and, therefore, subject to German procedural law. As a consequence, the BGH encouraged courts to exercise judicial discretion when weighing the parties’ factual submissions and assessing cartel damages.

The BGH also ruled that the passing-on defense could apply if the claimant had received public grants which otherwise would not or not in such an amount have been paid to the claimant if the cartel had not existed. The court explained, however, that the defense may be barred when the damage is scattered to the downstream market level. In this case, it is inappropriate for the initiator of the cartel to walk free only because the individual damages were too minor to prompt claims for damages.

In the future, businesses will do well to monitor these ongoing developments as private enforcement actions of damages further gather pace and may develop into a sharp sword to police anti-competitive practices of other market players.


9.3       Adoption of the “GWB Digitalization Act” expected for 2021

The draft bill for the 10th Amendment of the German Competition Act, also known as the “GWB Digitalization Act”, which was endorsed by the German Federal Government on September 9, 2020, is currently undergoing the legislative procedure in the German Parliament. The adoption of the bill is expected for early 2021. Having said that, the final discussions of the bill originally scheduled for December 17, 2020 were postponed until January 14, 2021.

As reported in our Year-End Alert 2019,[11] the draft bill addresses topics such as market dominance in the digital age and introduces a number of new procedural simplifications. For example, the bill currently foresees that companies, which depend on data sets of market-dominating undertakings or platforms, would have a legal claim to data access against such undertakings or platforms. Further, the draft bill introduces a rebuttable presumption whereby it is presumed that direct suppliers and customers of a cartel are affected by the cartel in case of transactions during the duration of the cartel with companies participating in the cartel.

Compared to the draft bill discussed in our Year-End Alert 2019, the governmental revision contains certain changes, in particular in the area of merger control. Thus, the draft bill currently features an increase of the two domestic turnover thresholds by EUR 5 million (approx. USD 6 million), i.e. from EUR 25 million to EUR 30 million (from approx. USD 30.6 million to approx. USD 36.8 million), and from EUR 5 million to EUR 10 million (from approx. USD 6.1 million to approx. USD 12.3 million), respectively. Additionally, a new provision was introduced in the legislative procedure, whereby the German Federal Cartel Office (Bundeskartellamt) may require companies, which are deemed to reduce competition through a series of small company acquisitions in markets in which the Bundeskartellamt conducted sector inquiries, to notify every transaction in one or more specific sectors provided that certain thresholds are met. This notification obligation can be imposed on a company, if (i) the company has generated global turnover of more than EUR 500 million in the last business year, (ii) there are reasonable grounds for the presumption that future mergers could significantly impede effective domestic competition in the sectors for which the obligation has been imposed and (iii) the company has a market share of at least 15% in Germany in the sectors for which the obligation has been imposed. However, a notification will only be required if the target company has (i) generated turnover of more than EUR 2 million in the last business year and (ii) has generated more than two-thirds of its turnover in Germany. The notification obligation lasts for three years.

In light of the recent publication of the draft regulation on an EU Digital Markets Act by the European Commission, it remains to be seen how the German legislator will react to the proposals put forward by the Commission and how the national legislative procedure will evolve.


10.       International Trade, Sanctions and Export Control

10.1     The New Chinese Export Control Law and its Impact on German Companies

The challenges, which German companies, specifically those with a U.S. parent or another U.S. nexus, face in light of the EU Blocking Statute’s prohibition to comply with certain U.S. sanctions on Iran and on Cuba, are well documented.[12] While 2021 might see calmer waters in the West due to the expected (yet far from certain) return to a more multilateral focus of the incoming Biden Administration, further complications await the German export business community in the East.

On December 1, 2020, a comprehensive new Chinese export control law went into effect. Generally speaking, the Chinese export control law reflects key elements of U.S. and EU/German export control related law. Particularly, licensing requirements for the export of controlled Chinese goods (including technologies) are determined on the basis of lists of goods and a catch-all clause.

As early as December 4, 2020, China’s Ministry of Commerce along with other authorities already published the first such lists of goods in the area of “commercial cryptography”, i.e. regarding goods and technologies which can be used for encryption, inter alia, in telecommunication applications, VPN equipment or quantum cryptographic devices.

It is likely that any significant restrictions on, inter alia, exports of certain U.S. origin items and technology to China will eventually be mirrored in the respective Chinese lists to also impose significant restrictions on the export of certain Chinese origin items and technology to the U.S. For many German-based companies with a diversified supply chain this raises the unenviable prospect that they may use suppliers whose sourced goods originate in the U.S. and in China, respectively, which feature on each of the respective lists. This conflict may eventually limit the number of counterparties the German company can export the final product to without jeopardizing either supply chain. It may also limit the possibility of cooperation (e.g. technology transfer) with U.S. and/or Chinese suppliers and customers alike.

Further, China’s new Export Control Law contains regulation comparable to the (U.S.) concept of “deemed export” via the definition of “exports”, which applies when a Chinese person transfers listed goods to a foreign person. Depending on how extensively this is interpreted by the Chinese authorities, this could, for example, result in Chinese export control law also applying to transfers by Chinese individuals located in Germany to a German person. Therefore, the details of this potential extraterritorial effect of Chinese export control law, as well as a vague reference to an extension of Chinese export control law to re-exports of listed goods and technologies or goods and technologies covered by the catch-all regime, raises numerous questions that will presumably only be clarified in time by the publication of specific regulations or guidance by the Chinese authorities.

Additionally, the EU is also taking initial steps to further strengthen its defense mechanisms against perceived and potential interference with its sovereignty by the extraterritorial effects of U.S. and Chinese export control laws. Specifically, the EU Parliament requested a study[13] on extraterritorial sanctions on trade and investments and European responses, that, inter alia, suggests the establishment of an EU agency of Foreign Assets Control (EU-AFAC) with the aim of more efficient and effective enforcement of, inter alia, the EU Blocking Statute, which might also come to include parts of the Chinese export control law.

In any case, any German export control compliance department would be well-advised to update its Internal Compliance Program to be able to identify conflicting compliance obligations early and establish a process to swiftly resolve them – without breaching applicable anti-boycott regulations – in order to avoid the supply-chain-management of the company being negatively impacted.


10.2     Update on the German Rules regarding Foreign Direct Investment Control

For a summary of the recent reforms of German foreign investment control laws, reference is made to section 1.3 above.


11.       Litigation

11.1     Establishment of Commercial Courts in Germany – An Emerging Forum for International Commercial Disputes?

Over the past few years, Germany has made several efforts to become a more attractive forum for international disputes. In 2010, three District Courts (Landgerichte) in Cologne, Bonn and Aachen had established English-speaking divisions for civil disputes. Since January 2018, the Frankfurt district court has allowed oral hearings in international commercial disputes to be conducted in English, provided the parties agree. The same now applies for the district courts in Mannheim and Stuttgart where two civil and two commercial divisions specially established for this purpose started their work in November 2020. The civil divisions each consist of three professional judges. The commercial divisions offer a combination of legal and industry-specific expertise and are led by one professional judge and two honorary judges from the local business community. All divisions have been equipped with state-of-the-art technical equipment, allowing for video-conferences and video testimonies of witnesses and experts.

Provided that the district court in Mannheim or in Stuttgart has jurisdiction (or the parties agree), the Commercial Courts in Mannheim or Stuttgart may hear corporate disputes, post-M&A disputes as well as disputes concerning mutual commercial transactions. Additionally, the court in Mannheim is available for disputes resulting from banking and financial transactions. While the Commercial Court in Stuttgart does not limit its jurisdiction to a certain litigation value, the court in Mannheim (its patent division enjoys global recognition) requires an amount in dispute of at least EUR 2 million. To ensure an effective review at the appellate level, the Higher District Courts (Oberlandesgerichte) in Stuttgart and Karlsruhe have also established specialized appeal panels responsible for dealing with appeals and complaints against the decisions of the new Stuttgart and Mannheim Commercial Courts.

The new Commercial Courts are supposed to let international litigants benefit from the high quality of the German court system and the advantages of its procedural rules. Overall, the duration of court proceedings in Germany is fairly short. There is no “American-style” discovery process. Costs are moderate by international standards, and must be borne by the losing party. Hearings are usually held in public, but the public can be excluded when business secrets are discussed. Additionally, parties may decide whether or not to allow for an appeal.

Despite these benefits, it remains to be seen whether the Commercial Courts in practice will measure up to these high expectations: Even though oral hearings may be conducted in English and a translation of English appendices is no longer required, every written submission must still be filed in German, and the decisions the court renders are in German as well. In any case, the new Commercial Courts seem to be a further step in the right direction towards a more international business-friendly approach.


11.2     Directive for Collective Redress – Class Action at EU-Level

On December 4, 2020, following an agreement between the EU institutions in June 2020, the EU Parliament approved the “Directive on representative actions for the protection of the collective interests of Consumers” (the “Directive”)[14], introducing the possibility of collective redress across the borders within the EU. The Directive aims to strengthen the protection of EU consumer rights in case of mass damages, covering both domestic and cross-border infringements, especially with regard to data protection, energy, telecoms, travel and tourism, environment and health, airline rights and financial services. The EU Member States need to implement the Directive into their national laws within two years and six months, i.e. by mid-2023.

Under the Directive, collective legal actions may only be taken by “qualified entities” on behalf of consumers against traders, seeking injunction and/or redress measures. For the purpose of cross-border representative actions, the qualified entities may only be designated (by the Member State) if they comply with EU-wide criteria (i.e. non-profit, independent, transparent and ensure a legitimate interest in consumer protection). To prevent abusive litigation, the defeated party has to bear the costs of the proceedings (“loser pays”) and courts or administrative authorities may dismiss manifestly unfounded cases. Consumers can join the action by either opt-in or opt-out mechanisms, depending on the decision regarding procedure which each Member State takes.

Even though the legal orders of many Member States already provide for the possibility of collective redress, the Directive assures (i) a harmonized approach to collective redress and (ii) mandatory redress measures in every Member State such as compensation, repair or price reduction without the need to bring a separate action. Therefore, the Directive goes beyond some existing regulations, which only allow declaratory actions or injunctive relief. At the same time, individual actions by plaintiffs remain possible and unregulated at the EU level. As the diesel emissions lawsuits in Germany demonstrate, this can lead to waves of mass actions and a massive clogging of court dockets.

Even though the deadline for the implementation of the Directive is still sometime down the road, the adoption of laws and regulations in the Member States to implement the Directive will need to be closely monitored by companies and law firms, in particular with regard to the various Member States’ chosen path on such issues as opt-in vs. opt-out and discovery or disclosure of documents.


11.3     German Courts and the COVID-19 Pandemic

COVID-19 has affected all areas of life, including the court system. Over the year 2020, German courts had to learn how to litigate despite the pandemic and conduct oral hearings, as well as litigation in general, as safely as possible for everyone involved.

During the first wave of the pandemic in spring 2020, non-urgent matters were mostly postponed. Some courts in areas particularly troubled by the virus were forced to close their buildings to the public. However, the German administration of justice was never completely suspended or paused.

During the summer of 2020, with fewer COVID-19 cases, court proceedings started to normalize and courts developed concepts to continue with litigation despite the pandemic. In appropriate cases, courts tried to avoid oral hearings and, with the parties’ consent, conducted the proceedings in writing only. Courts also slowly started to hold oral hearings using video conferencing tools. While the German Rules of Civil Procedure (Zivilprozessordnung, ZPO) have allowed this method since 2001, German courts were reluctant to use it before the pandemic. However, in the vast majority of cases, German courts still conduct oral hearings despite the COVID-19 situation. Most courts adhere to hygiene concepts for these hearings, such as wearing face masks, keeping sufficient distance between the individuals and ventilating the court room frequently.

For the year 2021, we expect that more and more courts will elect to conduct the proceedings in writing or by videoconference. If an oral hearing is necessary nevertheless, the courts now have hygienic routines in place. Thus, unless we see a dramatic change in the COVID-19 infection rates, we do not expect that German courts will need to reduce their working speed in 2021.


12.       Update on COVID-19 Measures in Germany

As in other jurisdictions, the COVID-19 pandemic has led to a large variety of legislative measures in Germany, which were aimed at mitigating the impact of the pandemic on the economy. These measures included in particular a moratorium for continuing obligations (temporary right to refuse performance under certain contracts), a temporary deferral of payment for consumer loans, the Special Program 2020 set up by the Kreditanstalt für Wiederaufbau (KfW) and the introduction of the Economic Stabilization Fund (Wirtschaftsstabilisierungsfonds). While many of these state measures and programs are still in place unchanged, others have been amended and adapted in time and some have lapsed without replacement. The following summary therefore gives a short overview on the current status of the COVID-19-induced state measures and programs in Germany. Most of the measures mentioned in this alert have already been covered in more detail in previous alerts published throughout 2020, that can be found here.[15]


12.1     Economic Stabilization Fund (Wirtschaftsstabilisierungsfonds)

The Act on the Introduction of an Economic Stabilization Fund (Gesetz zur Errichtung eines Wirtschaftsstabilisierungsfonds – WStFG) entered into force on March 28, 2020. This act provides the statutory framework for state stabilizing measures, in particular, guarantees and recapitalization measures, like the acquisition of subordinated debt instruments, profit-sharing rights (Genussrechte), silent partnerships, convertible bonds and the acquisition of shares. After the introduction of the Economic Stabilization Fund was approved under state aid law by the EU Commission in July 2020 and the legal regulations for its implementation were published in the Federal Law Gazette in October 2020, the Economic Stabilization Fund has become fully operational.

Moreover, in July 2020 the new Economic Stabilization Acceleration Act (Wirtschaftsstabilisierungsbeschleunigungsgesetz – WStBG) came into force, which provides for temporary modifications of German corporate law in order to implement the state aid measures by the Economic Stabilization Fund more efficiently. These changes include, inter alia, facilitations for capital measures and transactions (capital increases, capital reductions, etc.) in connection with stabilization measures, which significantly relax minority protection.

Since the introduction of the Economic Stabilization Fund, there have been several high-profile cases in which those measures have been effectively put into action: Deutsche Lufthansa (silent participation in the amount of EUR 5.7 billion and subscription of shares by way of a capital increase amounting to 20% of the share capital), TUI (convertible bond and various other emergency support measures in the amount of EUR 1.3 billion), FTI Touristik (subordinated loan in the amount of EUR 235 million), MV Werften Holding (subordinated loan in the amount of EUR 193 million) and German Naval Yards Kiel (subordinated loan in the amount of EUR 35 million).

Originally, (i) guarantees under the Economic Stabilization Fund could only be granted until December 31, 2020 and (ii) the application period for recapitalization measures was set to run until June 30, 2021. These deadlines have now been extended and (i) guarantees can now be granted until June 30, 2021 and (ii) recapitalizations can be granted until September 30, 2021, respectively.


12.2     Corporate Law Modifications pursuant to the COVID-19 Pandemic Mitigation Act

The COVID-19 Pandemic Mitigation Act (Gesetz zur Abmilderung der Folgen der COVID-19-Pandemie im Zivil-, Insolvenz- und Strafverfahrensrecht) provided for, inter alia, (i) a modification of the Limited Liability Company Act (GmbHG), which facilitates shareholder resolutions in text form or by written vote (circulation procedure) without requiring the consent of all shareholders to such procedure, and (ii) a modification of the Conversion Act (UmwG) with regard to measures requiring the submission of a closing balance sheet, where the balance sheet reference date (Bilanzstichtag) used in such filings can now be up to twelve months old at the time of the register filing instead of a maximum of eight months as under the regular statutory rules.

Both of these COVID-19-induced rules were extended by legislative decree dated October 20, 2020 (Verordnung zur Verlängerung von Maßnahmen im Gesellschafts-, Genossenschafts-, Vereins- und Stiftungsrecht zur Bekämpfung der Auswirkungen der COVID-19-Pandemie) and are effective until December 31, 2021.


12.3     Moratorium for Continuing Obligations and Consumer Loans, Restriction of Lease Terminations

The COVID-19 Pandemic Mitigation Act also introduced a moratorium for substantial continuing obligations (i.e. those which serve to provide goods or services of general interest, such as the supply of energy and water), which allowed obligors to refuse to fulfill their obligations if they were no longer able to meet their obligations as a result of the COVID-19 pandemic. This moratorium was limited to June 30, 2020. It could theoretically have been extended thereafter by legislative decree until September 30, 2020, but the government decided not to make use of the option to extend the moratorium. The moratorium therefore expired on June 30, 2020.

Likewise, the payment deferral for consumer loan agreements, which stipulated that claims of lenders for payment of principal or interest due between April 1 and June 30, 2020 were deferred by three months, was not extended by the government, either. As a result, debtors can no longer defer payment, and in order to avoid a double burden for the debtor, the period of the loan agreement will be extended by three months, unless the lender under such a consumer loan and the debtor have reached another arrangement.

Furthermore, the COVID-19 Pandemic Mitigation Act restricts the landlords’ termination right concerning German real estate lease agreements. Until June 30, 2022, a landlord is not entitled to terminate such a lease agreement solely based on the argument that the tenant is in default with payment of the rent for the period April 1, 2020 through June 30, 2020 if the tenant provides credible evidence that the payment default is based on the impact of the COVID-19 pandemic. The landlord’s other contractual and statutory termination rights as well as its rental payment claims for such period, however, remained unaffected by the COVID-19 Pandemic Mitigation Act. Likewise, the government did not make use of the option to extend the termination restrictions to backlogs in tenants’ payments for the period July 1, 2020 through September 30, 2020.


12.4     Request for Adjustment of Commercial Lease Agreements

The German Parliament (Bundestag) passed a bill on December 17, 2020 that is supposed to increase the chances of tenants of German commercial property or room leases to successfully request an adjustment of the contractual lease terms or even termination of the lease pursuant to Section 313 German Civil Code (Bürgerliches Gesetzbuch – BGB) due to the COVID-19 pandemic. A request pursuant to Section 313 BGB requires that (i) circumstances that are the mutually accepted basis of the contract have significantly changed since the conclusion of the contract, (ii) the parties would not have entered into the contract or only with different content if they had foreseen this change, and (iii) the party making such a request cannot reasonably be expected to be held to the terms of the contract without adjustments or even at all taking into account all circumstances of the specific case, in particular, the contractual or statutory distribution of risk between the parties.

According to this bill, circumstances that are the mutual basis of the contract are refutably deemed to have significantly changed if the use of such leased premises is significantly restricted due to public measures for the purpose of combating the COVID-19 pandemic. As the tenant still needs to show that the other conditions are fulfilled, in particular, that the balancing of interests under (iii) above is in its favor, it remains to be seen whether this bill has the desired effect. Attempting to find an amicable solution may still be the better option for both the landlord and the tenant.


12.5     Miscellaneous

In addition to the legislative measures mentioned above, Germany has introduced a varied array of additional programs to stabilize and support the German economy. Particularly noteworthy is the KfW’s Special Program 2020 (“KfW Sonderprogramm 2020 für Investitions- und Betriebsmittelfinanzierung”), which includes the KfW Entrepreneur Loan (“KfW Unternehmerkredit”), the ERP Start-Up Loan – Universal (“ERP Gründerkredit – Universell”) and the KfW Special Program Syndicated Lending (KfW Sonderprogramm “Direktbeteiligung für Konsortialfinanzierung”). The Special Program 2020 was originally set to run until December 31, 2020 and has in the meantime been extended until June 30, 2021. The European Commission has not yet approved the program under state aid law, but this is expected to take place in the near future.

The Immediate Corona Support Program for small(est) enterprises and sole entrepreneurs (Corona Soforthilfe für Kleinstunternehmen und Soloselbstständige) was a one-off payment for three months during the first lockdown in the spring of 2020, that has not been relaunched by the government in connection with the second lockdown in Germany in the fall of 2020. However, similar support has been provided to companies which are particularly affected by the lockdown (most notably restaurants and hotels) through the so-called “November and December COVID-relief” program (November- und Dezemberhilfen).


12.6     Conclusion

The COVID-19 pandemic is obviously not over yet and it is difficult to predict how things will develop going forward. It is important for companies to keep an eye on the current status of the COVID-19 support measures and programs and how they will be amended or evolve over time. Otherwise, there is the risk that new support programs will be overlooked or deadlines for existing programs will be missed.

The following webpage provides a good overview of the current support measures for businesses in Germany: https://www.bmwi.de/Redaktion/DE/Coronavirus/coronahilfe.html.


____________________

   [1]   Also see our alerts dated March 27, 2020, section III., published under https://www.gibsondunn.com/whatever-it-takes-german-parliament-passes-far-reaching-legal-measures-in-response-to-the-covid-19-pandemic/ and dated September 24, 2020, published under https://www.gibsondunn.com/covid-19-german-rules-on-possibility-to-hold-virtual-shareholders-meetings-likely-to-be-extended-until-end-of-2021/.

   [2]   EU Regulation (EU) 2019/452 of March 19, 2019 establishing a framework for screening of foreign direct investments into the EU, available in the English language version under: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32019R0452&from=EN.

   [3]   “German Foreign Investment Control Tightens Further”, available under https://www.gibsondunn.com/german-foreign-investment-control-tightens-further/.

   [4]   “Update on German Foreign Investment Control: New EU Cooperation Mechanism & Overview of Recent Changes”, available under https://www.gibsondunn.com/update-on-german-foreign-investment-control-new-eu-cooperation-mechanism-and-overview-of-recent-changes/.

   [5]   In this context, see section 1.6 of 2015 Year End Alert available under https://www.gibsondunn.com/2015-year-end-german-law-update/.

   [6]   We refer you to our earlier alerts in this regard available at: https://www.gibsondunn.com/whatever-it-takes-german-parliament-passes-far-reaching-legal-measures-in-response-to-the-covid-19-pandemic/ and at https://www.gibsondunn.com/european-and-german-programs-counteracting-liquidity-shortfalls-and-relaxations-in-german-insolvency-law/, as well as more specifically on insolvency filing obligations https://www.gibsondunn.com/temporary-german-covid-19-insolvency-regime-extended-in-modified-form/.

   [7]   Again see our alert at https://www.gibsondunn.com/temporary-german-covid-19-insolvency-regime-extended-in-modified-form/.

   [8]   Available under https://www.gibsondunn.com/covid-19-short-term-reduction-of-personnel-costs-under-german-labor-law/.

   [9]   Available under https://www.gibsondunn.com/2019-year-end-german-law-update/.

[10]   See https://www.gibsondunn.com/the-court-of-justice-of-the-european-union-strikes-down-the-privacy-shield-but-upholds-the-standard-contractual-clauses-under-conditions/.

[11]   Section 7.2 in the Year-End Alert published under https://www.gibsondunn.com/2019-year-end-german-law-update/.

[12]   Available under https://www.gibsondunn.com/new-iran-e-o-and-new-eu-blocking-statute-navigating-the-divide-for-international-business/.

[13]   This study is available under: https://www.europarl.europa.eu/RegData/etudes/STUD/2020/653618/EXPO_STU(2020)653618_EN.pdf.

[14]   See at https://eur-lex.europa.eu/legal-content/en/TXT/PDF/?uri=CELEX:32020L1828&from=DE.

[15]   These earlier alerts are available under https://www.gibsondunn.com/european-and-german-programs-counteracting-liquidity-shortfalls-and-relaxations-in-german-insolvency-law/, under https://www.gibsondunn.com/whatever-it-takes-german-parliament-passes-far-reaching-legal-measures-in-response-to-the-covid-19-pandemic/ and under https://www.gibsondunn.com/corporate-ma-in-times-of-the-corona-crisis-current-legal-developments-for-german-business/.

 

The following Gibson Dunn lawyers assisted in preparing this client update:  Birgit Friedl, Marcus Geiss, Carla Baum, Silke Beiter, Andreas Dürr, Lutz Englisch, Ferdinand Fromholzer, Daniel Gebauer, Kai Gesing, Franziska Gruber, Selina Grün, Johanna Hauser, Alexander Horn, Markus Nauheim, Patricia Labussek, Wilhelm Reinhardt, Markus Rieder, Richard Roeder, Sonja Ruttmann, Martin Schmid, Annekatrin Schmoll, Benno Schwarz, Ralf van Ermingen-Marbach, Linda Vögele, Friedrich Wagner, Frances Waldmann, Michael Walther, Georg Weidenbach, Finn Zeidler, Mark Zimmer, Stefanie Zirkel and Caroline Ziser Smith.


© 2021 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

On October 29, 2020, the 16th amendment to the German Foreign Trade and Payments Ordinance (Außenwirtschaftsverordnung or “AWV”) entered into force. The amendment is the final step of implementing the EU-wide cooperation mechanism introduced by Regulation (EU) 2019/452 of March 19, 2019 establishing a framework for screening of foreign direct investments into the EU (the “EU Screening Regulation”).

New EU-Wide Cooperation Mechanism

The EU Screening Regulation directly applies as of October 11, 2020 which marks the beginning of a coordinated cooperation among EU member states on foreign direct investments (the “FDIs”). This means that, going forward, the German Federal Ministry for Economic Affairs and Energy (the “German Ministry”) will exchange information on FDIs undergoing screening in Germany with the European Commission and fellow EU member states which, in turn, may issue comments or, in case of the European Commission, an opinion. While such comments and/or opinions are non-binding, they need to be given ‘due consideration’ and, thus, may influence the screening decision rendered by the German Ministry. For details on the EU Screening Regulation, see our Client Alert of March 5, 2019.

In order for the German Ministry to be able to consider the potential impact of an FDI on the public order or security of one or more fellow EU member states as well as on projects or programs of EU interest, the grounds for screening under German FDI rules had to be expanded accordingly. For the same reason, the standard under which an FDI may be prohibited or restrictive measures may be imposed has been tightened from “endangering” (Gefährdung) to “likely to affect” (voraussichtliche Beeinträchtigung) the public order or security, so as to reflect the EU Screening Regulation. As more or less a side effect, this gives the German Ministry more discretion and room to maneuver, as it no longer has to determine an “actual and serious threat” (tatsächliche und hinreichend schwere Gefährdung) but now could prohibit a transaction in order to prevent an impairment that has not yet materialized but that is likely to occur as a result of the contemplated FDI.

Recent Changes to German FDI Rules

In light of the implementation of the EU-wide cooperation mechanism, we want to use the opportunity to recap this year’s key changes to the German FDI screening process. We refer to our client alert of May 27, 2020 (available here) for an overview on the overall screening process and a detailed outline of the most relevant amendments (and contemplated changes) to German FDI rules thus far in 2020.

Changes Effective as of October 29, 2020

  • Expanding the Grounds for Screening. As described above, the grounds for screening have been expanded to include public order or security of a fellow EU member state as well as effects on projects or programs of EU interest.
  • Tightening the Standard. As described above, the standard under which an FDI may be prohibited or restrictive measures may be imposed has been tightened from “endangering” (Gefährdung) to “likely to affect” (voraussichtliche Beeinträchtigung) the public order or security.

Key Changes Effective as of June 3, 2020

  • Health-Care Related Additions. As a response to the COVID-19 crisis, the catalog of select industries subject to cross-sector review was expanded to include personal protective equipment, pharmaceuticals that are essential for safeguarding the provision of healthcare to the population as well as medical products and in-vitro-diagnostics used in connection with life-threatening and highly contagious diseases.
  • Governmental Communication Infrastructure. Also added to the catalog of select industries subject to cross-sector review, and thus, triggering mandatory notification to the German Ministry, have been FDIs acquiring 10% or more of the voting rights in companies providing services ensuring the interference-free operation and functioning of governmental communication infrastructure.
  • Investor-Related Screening Factors. In line with the EU Screening Regulation, the German Ministry may now consider screening factors that focus on the background and activities of the individual investor. In particular, the German Ministry may now take into account whether the foreign investor (i) is directly or indirectly controlled by the government, including state bodies or armed forces, of a third country, including through ownership structure or more than insignificant funding, (ii) has already been involved in activities affecting the public order or security of the Federal Republic of Germany or of a fellow EU member state, or (iii) whether there is a serious risk that the foreign investor, or persons acting on behalf of it, were or are engaged in activities that, in Germany, would be punishable as a certain criminal or administrative offence, such as terrorist financing, money laundering, fraud, corruption, or violations of the foreign trade or war weapon control rules.
  • Applicability to Share and Asset Deals. Since June 3, 2020 it has been codified that German FDI control is not limited to the acquisition of shares but equally applies to asset deals.
  • Notification Modalities. It was further clarified that FDIs triggering a notification obligation are to be notified immediately after signing of the acquisition agreement. The notification generally has to be submitted by the direct acquirer (even if the acquisition vehicle itself is not “foreign”) but may also be made by the indirect acquirer instead.

Key Changes Effective as of July 17, 2020

  • Effects on Consummating Transactions. In addition to transactions subject to sector-specific review (i.e., the defense industry and certain parts of the IT security industry), all transactions falling under cross-sector review that are notifiable (i.e., FDIs of 10% or more of the voting rights in companies active in industries listed in the catalog of select industries) may only be consummated upon conclusion of the screening process (condition precedent). Note that this has a tangible impact on the transaction practice given the broad range of notifiable FDIs in the cross-sector category, which are affected by this change. Foreign investors need to carefully assess if the target company operates in one of the listed industry categories. From a drafting perspective, acquisition agreements regarding notifiable FDIs should include a closing condition that the FDI is (deemed) cleared by the German Ministry. Buyers should further make sure to include a mechanism allowing for the amendment or termination of the acquisition agreement in case the German Ministry imposes (comprehensive) restrictive measures.
  • Penalizing the Disclosure of Security-Relevant Information and Certain Consummation Actions Pending Screening. The following actions are now penalized by way of imprisonment of up to five years or fine (in case of willful infringements and attempted infringements) or with a fine of up to EUR 500,000 (in case of negligence):
    • Enabling the investor to, directly or indirectly, exercise voting rights;
    • Granting the investor dividends or any economic equivalent;
    • Providing or otherwise disclosing to the investor information on the German target company with respect to company objects and divisions that are subject to screening on grounds of essential security interests of the Federal Republic of Germany, or of particular importance when screening for effects on public order and security of the Federal Republic of Germany, or that have been declared as ‘significant’ by the German Ministry;
    • Non-compliance with enforceable restrictive measures (vollziehbare Anordnungen) imposed by the German Ministry.

The introduction of criminal liability will lead to even greater focus on whether or not the transaction requires FDI clearing. The seller de facto will be forced to include the clearing by the German Ministry as a closing condition to avoid exposure to criminal liability.

According to the explanatory notes (Gesetzesbegründung), the prohibition to disclose security-sensitive information as described above will usually not apply to purely or other company-related commercial information that is exchanged in the course of a transaction in order to allow the investor to conduct a sound evaluation of the economic opportunities and risks of the FDI. Nonetheless, the seller will need to be cautious when preparing the due diligence process, in particular when populating the virtual data room. Typically, security-sensitive information as described above will not be shared with potential buyers prior to closing of the transaction anyway. Should the need arise, however, the use of a red data room and special disclosure and confidentiality obligations based on a clean team agreement are advisable.

  • Time Periods. In view of necessary adjustments to the timeframe of the screening process to integrate the EU-wide cooperation mechanism, the German legislator took the opportunity to overhaul the framework of screening periods altogether. Time periods are now set forth directly in the German Foreign Trade and Payments Act (Außenwirtschaftsgesetz or “AWG”) instead of the AWV. This way, time periods can only be adjusted by way of legislative procedure, i.e. with involvement of the German parliament, and may no longer be changed unilaterally by executive order of the German government. Note the following changes to the timeline of the screening process (which will only apply to FDIs of which the German Ministry became aware after July 17, 2020):
    • Standardized Time Periods. The same review periods apply to sector-specific (i.e., the defense industry and certain parts of the IT security industry) and to cross-sector (i.e., all industry sectors except for defense/certain IT security) FDIs alike. The German Ministry now has two months from becoming aware of the reviewable FDI – instead of previously three months (sector-specific review) or even four months (cross-sector review) – to decide whether to initiate formal proceedings. Making a mandatory notification or filing for a certificate of non-objection will equally trigger the two-month pre-assessment period. In addition, the formal screening period was standardized and may now take up to four months regardless of the sector.
    • Extension of Time Periods. The German Ministry may extend the four-month screening period by three months if the individual case is particularly difficult in either a factual or a legal manner. A further extension by one month is possible if the Federal Ministry of Defense puts forward that defense interests of Germany are notably affected. Moreover, periods may now be extended with the investor’s approval.
    • Suspension of Time Periods. The screening period is suspended in case the German Ministry later requests further information on the FDI. Previously, the screening period was not set in motion before the German Ministry received all (initially or later) requested information on the FDI. This change most likely is meant to allow for requests of fellow EU member states for additional information on the FDI within the cooperation process under the EU Screening Regulation while, at the same time, keeping the delay in the screening process to a minimum.
    • Resetting of Time Periods. Time periods will reset and start anew in the event that an FDI clearance or certificate of non-objection was revoked or altered (e.g., in case of willful deceit or the subsequent occurrence of facts). Equally, the time period will also reset if a restrictive measure or a contractual provision with the German Ministry is set aside, partly or in full, by a court decision.
  • Submission of Information. Being a triggering point for the screening period, the submission of information also was moved from the AWV to the AWG and, therefore, may only be amended by the German parliament.
    • Triggering of Screening Period. Previously, the screening period was only triggered once all information had been submitted to the German Ministry. It is now provided that the four-month screening period starts when all initially requested information has been submitted which includes, as before, all information set forth in the corresponding general ordinance issued by the German Ministry, and, as of now, all information that the German Ministry additionally may request in its decision to initiate formal screening proceedings.
    • Subsequent Request for Additional Information. The German Ministry may, also later in the screening process, request further information from anyone directly or indirectly involved in the acquisition. Although the screening period will be suspended until submission of the requested information, the overall duration of the screening process remains calculable for the investor who can limit the suspension by actively working towards a speedy submission.
  • More Effective Monitoring of Compliance with Measures. Investors and target companies are to expect more monitoring activity by the German Ministry which now has a right of information as well as a right to carry out examinations (including access to stored data, respective data processing systems, and business premises, in each case also by use of third-party representatives (Beauftragte)) in order to better monitor the investor’s and/or target company’s compliance with contractually agreed or imposed measures.
  • Imposing Restrictive Measures without Consent of the German Government. Previously, restrictive measures regarding FDIs subject to cross-sector review could only be imposed with the consent of the German government. Now, restrictive measures may be imposed in agreement with and/or consultation of certain federal ministries instead. For the sake of clarity, the German Ministry still requires the consent of the German government if it wants to prohibit an FDI that is subject to cross-sector review. This has not changed.

What Is Next?

Further changes to the AWV are announced to follow in the 17th amendment to the AWV. In particular, the German Ministry plans to expand the catalog of critical industries which are notifiable and subject to cross-sector review from the acquisition of 10% or more of the voting rights. Based on earlier announcements by the German Ministry on this subject, we expect artificial intelligence, robotics, semiconductors, biotechnology and quantum technology to be potentially declared critical industries. The German Ministry stresses that it will take special consideration of feedback provided by the affected industry circles when proposing the expansion of critical industries to the German government.


Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the issues discussed in this update. For further information, please feel free to contact the Gibson Dunn lawyer with whom you usually work, any member of the team in Frankfurt or Munich, or the following authors:

Markus Nauheim – Munich (+49 89 189 33 122, mnauheim@gibsondunn.com)
Wilhelm Reinhardt – Frankfurt (+49 69 247 411 502, wreinhardt@gibsondunn.com)
Stefanie Zirkel – Frankfurt (+49 69 247 411 513, szirkel@gibsondunn.com)

© 2020 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

With talk about a second Coronavirus wave gathering pace, the German Ministry of Justice and Consumer Protection (Bundesministerium der Justiz und für Verbraucherschutz) is proposing to extend the temporary COVID-19-related legislation of March 2020 significantly simplifying the passing of shareholders’ resolutions, including, in particular, the possibility to hold virtual-only shareholders’ meetings. The extension is proposed in unchanged form for another year until the end of 2021. A respective draft regulation has been published at short notice on 18 September 2020 and stakeholders are invited to submit their comments until 25 September 2020.

While the legislation of March 2020 was well received in the rise of the COVID-19 crisis, the reactions to an extension have been mixed so far. Criticism focuses on the significant restrictions of shareholders’ rights by this legislation (e.g. no right to ask questions or to submit counter-motions in real time, wide discretion of the management with respect to answering submitted questions, only limited appeal right etc.). This was raised not only by shareholder activists but also by various parliament members including prominent experts of the ruling coalition.

In the reasons of the draft regulation, the ministry strongly emphasizes that companies should only hold virtual-only meetings if actually required in the individual circumstances due to the pandemic. In addition, the ministry encourages the corporations in question to handle the Q&A process as shareholder-friendly as technically possible, including allowing for questions in real time, if they decide to hold a virtual meeting.

The time window to debate the proposal is extremely short. The new shareholders’ meeting season is already approaching quickly, starting as early as in January/February 2021 for companies with business years ending on 30 September 2020. While the Ministry of Justice and Consumer Protection is authorized to extend the period of application of the legislation for another year without any modifications, modifications in substance would require the involvement of parliament and are thus deemed rather unlikely. If the proposal is adopted, it would be up to the corporations themselves to take the ministry’s appeal seriously and to make use of the virtual format in a responsible and shareholder-friendly manner.


The following Gibson Dunn lawyers have prepared this client update: Ferdinand Fromholzer, Silke Beiter, Johanna Hauser.

Gibson Dunn’s lawyers in the two German offices in Munich and Frankfurt are available to assist you in addressing any questions you may have regarding the issues discussed in this update.

For further information, please feel free to contact the Gibson Dunn lawyer with whom you usually work, or the three authors:

Ferdinand Fromholzer (+49 89 189 33 170, ffromholzer@gibsondunn.com)
Silke Beiter (+49 89 189 33 170, sbeiter@gibsondunn.com)
Johanna Hauser (+49 89 189 33 170, jhauser@gibsondunn.com)


When the COVID 19 pandemic first hit European shores in early spring 2020, the German legislator was quick to introduce wide-reaching legislative reforms to protect the German business world from unwanted consequences of an economy struggling with unprecedented upheaval, the lock-down and the ensuing social strain.[1] One key element of the overall legal reform in March 2020 was the temporary derogation from the regular mandatory German-law requirement to file for insolvency immediately whenever a company is either illiquid (Zahlungsunfähigkeit) or over-indebted (Überschuldung). This derogation has now been extended in time for over-indebted companies, but restricted in scope for illiquid companies.

I.  The Temporary Insolvency Law Reform in March 2020

At the time the German Act on the Temporary Suspension of the Insolvency Filing Obligation and Liability Limitation of Corporate Body in cases of Insolvency caused by the COVID-19 Pandemic (“Gesetz zur vorübergehenden Aussetzung der Insolvenzantragspflicht und zur Begrenzung der Organhaftung bei einer durch die COVID-19-Pandemie bedingten Insolvenz”, COVInsAG)[2] was introduced in March 2020, it was felt that the strict insolvency filing requirement that obliges management to file for insolvency without undue delay, but in any event no later than three weeks after such insolvency reason first occurs, would (i) place undue time pressures on companies to file for insolvency in situations where this short time period did not even allow management to canvass its financial or restructuring options or access to newly introduced state funding or other financing sources, (ii) result in a wave of insolvencies of otherwise healthy entities based purely on the traumatic impact of the pandemic and (iii) result in unwanted distortions of the market by failing to differentiate appropriately between businesses facing merely temporary cash-flow problems and genuinely moribund companies with long-standing challenges or issues.

In a nutshell and without going into all details, the interim reform of the German Insolvency Code (Insolvenzordnung, InsO) via the COVInsAG introduced a temporary suspension of the mandatory insolvency filing requirement until September 30, 2020 for both the insolvency reasons of illiquidity (Zahlungsunfähigkeit) and of over-indebtedness (Überschuldung) by way of a strong legal assumption that any such insolvency was caused by the pandemic if (i) the company in question was not yet illiquid on December 31, 2019 and (ii) could show that it would (still or again) be in a position to pay all of its liabilities when due on and after September 30, 2020.

This temporary exemption from having to file for insolvency was flanked by a number of other legislative tweaks to the Insolvency Code that privileged and protected a company’s continued trading during such time window against management liability risks and/or later contestation rights of the insolvency administrator in case the temporary crisis in the spring and summer of 2020 would ultimately result in a later insolvency, after all. Access to new financing was similarly privileged in this time window when the company could show that it traded under the protection of the COVID 19 exemption from the regular insolvency filing requirement.

Finally, the COVInsAG also contained a clause that allowed an extension of this protective time window beyond September 30, 2020 up to the maximum point of March 31, 2021 by way of separate legislative act.

II.  The Modified Extension Adopted on September 17, 2020

While an extension of the temporary suspension of the filing requirement was consistently deemed likely by insolvency experts and in political circles, Germany has since moved beyond the initial lock-down and has mostly opened up the country for trading again. It has also become apparent that, in particular, a continued blanket derogation from the mandatory filing requirement for companies facing severe cash-flow problems to the point of illiquidity (i) would often only delay the inevitable and (ii) would create an unwanted cluster of many insolvency proceedings which are ultimately all filed for at the same time when the suspension comes to an end, rather than a steady and progressive cleansing of the market by gradually removing companies that have failed to recover from the pandemic in a reasonably short period of time.

As a consequence, Germany has chosen not simply to extend the current provisions in unchanged form, but rather has significantly modified the wording of the COVInsAG to address the above concerns.

  1. Over-Indebtedness

In particular, as of October 1, 2020 and until December 31, 2020, a continued derogation from the immediate obligation to file for insolvency henceforth only applies to companies which otherwise would only file for insolvency due to over-indebtedness (Überschuldung) but which are not also illiquid. Such companies remain protected from having to file for insolvency based on the above-described rules until December 31, 2020, if they (i) were not already illiquid by December 31, 2019 and (ii) will not be illiquid after September 30, 2020 and thereafter.

Unlike illiquid companies, it was felt that companies which are over-indebted, i.e. (i) whose assets based on specific insolvency-driven valuation rules are not sufficient to cover their liabilities and (ii) which do not currently have a positive continuation prognosis (positive Fortführungsprognose), deserve a further grace period during which they may address their underlying structural issues, provided they do not enter illiquidity during this time window.

This extension until year end for over-indebted companies also addresses the often-voiced concerns that the uncertain future effects of the pandemic on a company’s medium-term prospects currently do not allow for a meaningful continuation prognosis which by general consensus has to cover the liquidity situation over the next 12 to 24 months.

  2. Illiquidity

This new restriction of the interim derogation from the filing requirement to over-indebtedness only, in turn, means that companies that cannot pay their liabilities when they fall due on September 30, 2020 (and beyond) and, therefore, are illiquid under German insolvency law terms, may no longer justify such financial distress by claiming it is caused by the pandemic. Instead, they will now be obliged to file for insolvency based on illiquidity once the initial protection accorded to them by the March 2020 rules runs out at the end of September 30, 2020.

With it being mid-September 2020 already, this will give the management of any entity facing serious current cash-flow problems only another two weeks to either remedy such cash flow problems and restore full solvency or file for insolvency on or shortly after October 1, 2020 due to their illiquidity at that point in time.

  3. Consequential Issues

The new, changed wording of the COVInsAG consequently restricts the other privileges connected with the temporary exemption from the filing requirement, i.e. that companies are permitted to keep trading during the extended time-window with certain protections against subsequent insolvency contestation rights, personal liability derogations or privileges and simplified access to new external or internal restructuring financing or loans, only to over-indebted companies. For them, these additional rules, which they may have already become accustomed to in the period between March 2020 and September 30, 2020, are simply extended until December 31, 2020.

III.  Immediate Outlook

This law reform is of utmost importance for the management and the shareholders of any German entities that are currently in significant financial distress. The ongoing, periodic monitoring of their own financial position will need to determine in an extremely short time-frame whether or not the respective company is either illiquid or over-indebted as of September 30, 2020. If necessary, such analysis should be firmed up by involving external advice or restructuring experts.

If the company is found to be over-indebted but not illiquid, the focus of any future turn-around must be December 31, 2020, i.e. the continued applicability of the COVInsAG rules may continue to provide some respite until then. If the company is found to be illiquid, the remaining time until September 30, 2020 must be used productively to restore future liquidity via external or internal funding in the short time available; otherwise, the filing for insolvency in early October 2020 becomes inevitable and should be prepared.

Managing directors of illiquid companies that do not file for insolvency without undue delay, but continue trading regardless of the insolvency reason, will again face the twin risks of personal civil and criminal liability based on a delayed or omitted filing. They and their trading partners and creditors, furthermore, face the full power of the far-reaching array of insolvency contestation rights (Insolvenzanfechtungsrechte) for a subsequent insolvency administrator of any measures now taken outside of the protective force of the COVInsAG interim rules.

_________________________________

  [1]  In this context, see our earlier general COVID 19 alerts under: https://www.gibsondunn.com/whatever-it-takes-german-parliament-passes-far-reaching-legal-measures-in-response-to-the-covid-19-pandemic/ as well as under: https://www.gibsondunn.com/european-and-german-programs-counteracting-liquidity-shortfalls-and-relaxations-in-german-insolvency-law/.

  [2]  In this context, again see: https://www.gibsondunn.com/whatever-it-takes-german-parliament-passes-far-reaching-legal-measures-in-response-to-the-covid-19-pandemic/, under section II.2, as well as with further analysis in this regard https://www.gibsondunn.com/european-and-german-programs-counteracting-liquidity-shortfalls-and-relaxations-in-german-insolvency-law/.

__________________________________

The following Gibson Dunn lawyers have prepared this client update: Lutz Englisch, Birgit Friedl, Marcus Geiss.

Gibson Dunn’s lawyers in the two German offices in Munich and Frankfurt are available to assist you in addressing any questions you may have regarding the issues discussed in this update.

For further information, please feel free to contact the Gibson Dunn lawyer with whom you usually work, or the three authors:

Lutz Englisch (+49 89 189 33 150, lenglisch@gibsondunn.com)
Birgit Friedl (+49 89 189 33 122, bfriedl@gibsondunn.com)
Marcus Geiss (+49 89 189 33 115, mgeiss@gibsondunn.com)


Challenges and trends under the “New Normal”: COVID-19 entails many new challenges and accelerates industry trends, some of which have a sporadic and some of which have a lasting impact on the compliance function.

In this (German language) WebTalk, Annette Kraus, Chief Counsel Compliance of Siemens AG, and Benno Schwarz, partner in the Munich office of Gibson, Dunn & Crutcher, discuss the latest developments and emerging trends.

Our WebTalk includes the following topics:

  • New risk assessment under COVID-19
  • Special challenges for the compliance function
  • New authorities and players involved in COVID-19 measures
  • Key take-aways




PANELISTS:

Annette Kraus, Chief Counsel Compliance at Siemens AG

Benno Schwarz is a partner in the Munich office of Gibson, Dunn & Crutcher. He focuses on white collar defense and compliance investigations. For more than 25 years, Mr. Schwarz has advised companies on sensitive cases and investigations in the context of all compliance issues with international aspects, such as the implementation of German or international laws to prevent and avoid corruption, money laundering or avoiding economic sanctions in the corporate context. He focuses his advisory work on the planning and implementation of internal corporate as well as independent investigations both nationally and internationally, advising on the structuring, implementation and assessment of compliance management systems, and the representation of companies and their executive bodies before domestic and foreign authorities during associated criminal and administrative proceedings.