Decrypting the proposed EU Regulation on Markets in Crypto-Assets

An article by Vladimir Griga

On 24 September 2020, the European Commission published a proposal for a Regulation on Markets in Crypto-Assets (“MiCA”). This piece of legislation is only a part of a larger Digital finance package, including, amongst others, legislative proposals for a Digital Operational Resilience Act (“DORA”) and a Distributed Ledger Technology (“DLT”) Pilot Regime.

MiCA is quite extensive in its scope, covering all crypto-assets in the EEA, bar those that are already regulated by specific laws. Yet, at its core, the regulation aims to remove some of the obstacles in applying these new technologies, whilst also limiting money laundering, fraud and market manipulation activities in the EU’s cryptocurrencies market.

In a nutshell, the regulation sets minimum disclosure requirements for issuing crypto-assets, as well as defines the latter. On top of that, MiCA establishes further requirements for crypto-asset service providers and brings additional consumer protection rules.

Breaking down the various meanings of “crypto-assets”

Crypto-assets are quite broadly defined in the proposed regulation: “a digital representation of value or rights which may be transferred and stored electronically, using distributed ledger technology or similar technology”. However, the regulation does not encompass crypto-assets that are currently covered by other EU financial laws[1], e.g., the ones that qualify as financial instruments or electronic money (other than e-money tokens) – which will continue to be governed by their appropriate directives/regulations. Instead, MiCA intends to close the loopholes in the existing regulatory framework, by covering crypto-assets in general, as well as by introducing three specific categories of crypto-assets:

asset-referenced tokens (g., DAI) – these are utilised as a means of exchange, considering their stable value which is maintained by referring to the value of several fiat currencies that are legal tender, one or several commodities/crypto-assets, or a combination of such assets;

e-money tokens (g., USD Coin) – these crypto-assets are also used as a means of exchange, but they aim to maintain a stable value by referring to the value of a single fiat currency that is legal tender;

utility tokens (g., Basic Attention Token, Filecoin token) – these are intended to provide digital access to a good/service, available on a distributed ledger, and are only accepted by the issuer of that token to grant access to the respective good/service.

The first two categories of crypto-assets basically hint at stablecoins, the key differentiating factor being if they are linked (i) to a single fiat currency (e.g., Euro, USD, GBP, etc.) – e-money tokens, or (ii) to several fiat currencies, commodities (e.g., gold, silver, etc.) or even other crypto-assets – asset-referenced tokens.

What’s more, these crypto-assets may be further classified, depending on their impact, into significant asset-referenced tokens (e.g., Diem – formerly Libra) or significant e-money tokens (e.g., Tether USD or the expected “Diem Euro”). Of course, with significant assets come significant requirements for their issuers. Not surprisingly, the role of assessing whether these crypto-assets are significant or not will be conferred to the European Banking Authority (“EBA”), who will have to evaluate if at least three of the following criteria are met:

the size of the customer base;

the value or the market capitalisation of the tokens;

the number and value of transactions in the respective tokens;

the size of the reserve of assets of the issuer of tokens;

the significance of the cross-border activities of the issuer of such tokens;

the interconnectedness with the financial system.

A staple element in this whole conundrum is that the broad definition of crypto-assets does not confine itself to the above subclassifications, but rather embraces them, together with all other types of crypto-assets that are not currently regulated, e.g., Bitcoin, Ether, Litecoin, Stellar, etc. This is why crypto-assets themselves may be regarded as a “catch-all” category or, simply put, a sort of residual “piggybank” for some of the digital coins of the future.

Issuing crypto-assets

Under MiCA, any person offering crypto-assets to third parties will be regarded as an issuer of crypto-assets. However, the regulation will not apply to central banks that issue crypto-assets or provide similar services.

Before making a public offering in the EU, generally, all crypto-asset issuers will have to prepare and publish a white paper, which shall include general information regarding the issuer, the project’s roadmap, the rights and obligations accompanying the crypto-asset, associated risks, etc. This white paper must be further notified to the national competent authorities (“NCAs”), and in case of asset-referenced tokens, it also needs to be approved by them, unless these assets are significant, in which case the EBA will handle the white paper. As anticipated earlier, the EBA will be responsible for the supervision and approval of both asset-referenced and e-money tokens which are deemed to be significant, MiCA providing that colleges of national supervisors be established to help the EBA in this regard.

However, there are some exceptions from the requirements of having a white paper in what concerns the issuers of crypto-assets other than asset-referenced or e-money tokens if:

the crypto-assets are offered for free[2];

the crypto-assets are created automatically via mining, as a reward for the maintenance of the distributed ledger or for the validation of transactions;

the crypto-assets are unique and cannot be exchanged for other crypto-assets;

the crypto-assets are offered to fewer than 150 natural/legal persons per Member State, should these persons act on their own account;

over a period of 12 months, the total consideration of the public offer does not exceed EUR 1,000,000 or the equivalent amount in another currency or in crypto-assets; or

the public offer is only addressed to qualified investors and only they can hold the crypto-assets.

Furthermore, MiCA will require all crypto-asset issuers to be incorporated as legal entities. Those who will issue asset-referenced tokens need to be established in the EU and be authorised by the NCA of their home Member State. On the other hand, the issuers of e-money tokens must be either an authorised credit institution or an electronic money institution[3] in compliance with all the applicable EU legislation.

There are other specific provisions for issuers of asset-referenced tokens and e-money tokens, especially for the former, which have more strict requirements. For asset-referenced tokens, the regulation includes rules regarding conflicts of interest, governance and minimal capital, along with rules on the custody of the reserve assets, and provisions for the stabilisation mechanism and the reserve of assets backing this type of tokens. In particular, issuers of asset-referenced tokens will be obliged to safeguard the security, integrity and confidentiality of information. In what concerns e-money tokens, their holders should always have redemption right at any moment and at par value with the fiat currency that the e-money token is referencing. Issuers of both asset-referenced and e-money tokens will be prohibited from granting interests or any other benefit to users of such tokens for the length of time they are holding the tokens. This is to ensure that the tokens are mainly used as a means of exchange, rather than as a store of value.

Providing services related to crypto-assets

Crypto-asset service providers are legal persons that engage in activities such as brokerage, exchange, trading, custody or giving advice on crypto-assets. With the exception of credit institutions[4] and investment firms[5], all other crypto-asset service providers are required to obtain specific authorisation from an NCA in an EU/EEA Member State prior to providing such services, as well as have a registered office in that state.

Further requirements target, amongst others, minimum capital, the security of the IT infrastructure, conflicts of interest, the corporate governance structure and the management board of these service providers.

It is important to note that some Member States are already quite ahead of the curve in what concerns regulating this field. Liechtenstein and Malta, alongside France, Germany and Estonia may be regarded as pioneers in the “crypto-verse”, having put in place procedures for acquiring licenses. Other countries, such as Luxembourg, whilst not having specific laws regulating cryptocurrencies yet, have developed incentives to support the growth of the crypto industry. The aforementioned Member States may decide to further ease the procedures required by MiCA, so that the existing licences be easily and rapidly “upgraded” to the standards set by the proposed regulation. By doing this, the markets therein may gain a significant advantage compared to the rest of the Member States, which would barely start to dip their toe into the swirling waters of crypto-assets.

Protecting consumers

MiCA also sets out rules to ensure consumer protection. For example, prospective buyers of crypto-assets will be informed about the associated characteristics, functions and risks via the white paper. Additionally, consumers who are buying crypto-assets, other than asset-referenced or e-money tokens, directly from the issuer or from a crypto-asset service provider, will be provided with a right of withdrawal during a limited period of time after their acquisition.

More notably, issuers of asset-referenced tokens and crypto-asset service providers need to put in place a clear procedure for handling complaints received from their clients. The latter shall be able to file such complaints free of charge and have their problems investigated in a timely and fair manner, as well as be provided with the outcome of the investigations within a reasonable period of time.

Lastly, any exclusion of civil liability will be deprived of any legal effect, this rule covering issuers of all crypto-assets.

The European Central Bank’s reaction

On 19 February 2021, the European Central Bank (“ECB”) published its opinion on the current version of the proposed regulation. Whilst being generally in favour of MiCA, the ECB advocates for a considerable number of changes and refinements in the rather hefty 42-pages document. In the following, we shall cover some of the ECB’s suggestions.

First and foremost, the ECB recommends that a clear distinction be made between its powers[6] and the responsibilities awarded to the EBA in the proposed regulation. Likewise, the EBC considers that the current MiCA proposal, which features the power to issue only non-binding opinions on applications of prospective issuers of asset-referenced tokens, is rather excessive, pointing out that the ECB, together with other non-euro national central banks, have responsibilities in conducting “oversight of clearing and payments systems as part of its [theirs] mandate”, given that “one of the basic tasks to be carried out through … [the ECB] is to ‘promote the smooth operation of payment systems”. The ECB seems to further double down on these views through another proposition, i.e., adding the following wording after some references to the EBA in the regulation’s recitals and articles, the intention here being to give non-euro central banks control rights similar to those allocated by MiCA to the EBA: “after consultation of the ECB and the relevant central banks of Member States whose currency is not the euro”.

Secondly, the ECB is against the current catch-all definition of crypto-assets, claiming that a better one should be envisaged, “in order to avoid diverging interpretations at national level on what may or may not constitute a crypto-asset under the proposed regulation, to help support the provision of crypto-asset services on a cross-border basis and to establish a truly harmonized set of rules for crypto-assets”.

Furthermore, the ECB endorses the restriction on crypto-assets that generate interest, probably due to the risks this would pose to the banking sector and to other monetary policies, e.g., should crypto-assets have interest attached, they would become more desirable and have an impact on traditional bank deposits, thus driving some people to substitute the latter for crypto-assets. Interestingly enough, the ECB is also contemplating having a central bank digital currency (“CBDC”), the so-called “digital euro” which would complement cash, rather than replace it. Still, whilst this initiative is still in very early stages[7], this type of currency would not fall under the provisions of MiCA.

A potential trojan horse

The current version of MiCA comes with both pros and cons.

On the plus side, this piece of legislation is designed as a regulation, thus being binding and directly applicable across the EU/EEA. It promotes the development of crypto-assets by having a legal framework that supports innovation and fair competition, as well as safeguards consumer’s rights and preserves market integrity. Moreover, MiCA enables European businesses to have full access to the internal market, providing legal certainty and levelling the playing field for every crypto-asset service provider.

However, the regulation is still far from perfect, having some shortcomings that need to be touched, such as the following:

the wording of the definitions covering asset-referenced and e-money tokens is cumbersome and rather inaccurate since both of them are “referring to the value of”, inter alia, fiat currencies, without taking into consideration that some crypto-assets refer to the value of a fiat currency, but have their reserve assets consist of other fiat currencies, commodities or crypto-assets. This is the case for DAI, which refers to the value of USD (at first glance, making DAI resemble e-money tokens), but its reserve assets are issued based on Ether (which points to a characteristic specific to asset-referenced tokens);

it is unclear how the regulation interacts with MiFID II in cases where crypto-assets include traits specific to financial instruments;

the thresholds for whether an asset-referenced or e-money token is significant are unrealistic in the current version of the regulation, given that virtually all relevant stablecoins would easily surpass those limits and be qualified as significant crypto-assets. The consequences of this might prove to be preposterous for the issuers of such coins, since they would suddenly be obliged to observe additional requirements, g., owning capital funds of at least 3% of the average amount of the reserve assets[8];

prohibiting interests associated with asset-referenced and e-money tokens might undermine the competitiveness of both issuers and service providers of crypto-assets located in the EU, compared to those in other jurisdictions that allow such interests;

since only legal entities can issue crypto-assets, it is unclear how tokens generated (i) via an open blockchain network, such as Bitcoin, or (ii) through an application, such as a smart contract, may be construed;

the regulation may have an adverse effect on the newer market players, creating significant barriers to entry into the market, inasmuch as some requirements (g., white paper, compliance costs) would hinder their development, rather than bolster it.

Codebreaking the future

MiCA is a very ambitious effort, although it is paramount that it strikes a good balance between regulatory expectations and the realities of the market. Given the current status of the proposal, along with the transition period of 18 months, there will be several years until the rules therein apply.

In the past few years, European legislators have been striving to regulate different fields of technology, one of the objectives being to bolster the competitiveness of the EU market, by attracting talent and investments, as well as by keeping them in the single market. Unfortunately, one could argue that ship has sailed in terms of AI or cloud computing, given that most of the relevant actors are located outside the EU.

Nevertheless, should the current weaknesses be dealt with accordingly, there are little reasons to believe that MiCA will not emulate the impact of the GDPR in what concerns cryptocurrencies in the EU, thus bringing the old continent into the new age as the leading watchdog in the world not only on privacy matters but also on all things crypto.

[1] Directive 2014/65/EU (the MiFID II), Regulation (EU) 2017/1129 (the Prospectus Regulation), Directive 2004/109/EC (the Transparency Directive), Regulation (EU) 909/2014 (the CSDR), Directive (EU) 2015/2366 (the Electronic Payment Directive), etc.

[2] Nevertheless, crypto-assets will not be regarded as being offered for free (i) should the purchasers be required to provide personal data to the issuer in exchange, or (ii) if the issuer receives any third-party fees, commissions, monetary or non-monetary benefits in exchange for those crypto-assets.

[3] The regulation sets out that an electronic money institution shall be authorised to also issue e-money tokens, and that these tokens will be regarded as electronic money, as defined in Directive 2009/110/EC.

[4] Authorised under Directive 2013/36/EU (the Capital Requirements Directive).

[5] Abiding all other requirements set out in the MiFID II.

[6] The ECB is the head of the Single Supervisory Mechanism, which is one of the two key pillars of the banking union.

[7] As stated in a recent blog post on the ECB’s website, the ECB is “still exploring the possibility and considering it conceptually”. For more information on this, visit https://www.ecb.europa.eu/press/blog/date/2021/html/ecb.blog210325~e22188c522.en.html.

[8] For example, as of 5 April 2021, with its reserve assets of approximately USD 43 billion, Tether would be required to own almost USD 1.3 billion of its funding. Considering the positive trend of cryptocurrencies in the past few months, this amount will only keep on rising.

EECC – a far-reaching reform in the telecom sector. Interpretation and implementation.

An article by Diana Gavril

In the context of creating a European Digital Single Market, the European Electronic Communications Code (“EECC”) comes to modernize the European regulatory framework for electronic communications, reflecting the reality of today’s electronic communications market. EECC entered into force in December 2018 and had to be transposed by the Member States until 21 December 2020 into national law. Romania failed to meet the deadline and has not yet transposed the EECC.

EECC’s main objectives include (i) promoting connectivity and investment in very high-speed, high-capacity networks, such as optical fiber and 5G; (ii) enhancing consumer’s protection and updating the rules on universal service; (iii) ensuring higher standards of communication services.

1.What about ECS? What are ICS?

One of the key changes of EECC is the introduction of an expansive definition of electronic communication services (“ECS”), which includes the following types of services: (a) Internet access services; (b) interpersonal communications services (“ICS”) and (c) conveyance of signals. The novelty here is the inclusion of ICS within the scope of ECS. ICS means a service normally provided for remuneration that enables the direct interpersonal and interactive exchange of information via electronic communications networks between a finite number of persons, whereby the persons initiating or participating in the communication determine its recipient(s) and does not include services which enable interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service[1].

According to the above definition of ICS, two aspects are important to be emphasized:

the requirement for ECS, and implicitly ICS, to be normally provided for remuneration remains part of the definition; however, EECC expressly provides for a broad interpretation of such requirement – the concept of remuneration should include situations where:

the provider of service requests and the end-user provides personal data directly or indirectly to the provider;

the end-user allows access to information without actively supplying it, such as personal data or other automatically generated information;

the end-user is exposed to ads as a condition for gaining access to the service, or the service provider monetizes personal data it has lawfully collected;

if the communication element of a service is a minor ancillary feature intrinsically linked to another service, then such an element does not fall under the scope of ICS (g. a chat feature which is part of a video game).

ICS are further subdivided into number-based and number-independent services, depending on whether the service connects with or enables communications with publicly assigned numbering resources. Thus, VoIP, emails, SMS, MMS are now services which should be provided taking into account the EECC rules, given that they would fall under the scope of ICS. It is also important to mention that although EECC seems to provide for lighter regulation of number-independent ICS compared to number-based ICS, many of the core regulatory requirements will apply to both types of ICS.

As we may see, the EECC, compared with the former telecom framework, adopts a more functional understanding of ECS and does not define such services merely based on technical features – the conveyance of signals. In this context, EECC intends to level the playing field and extends the rules to providers that were not previously subject to ECS rules, such as over-the-top (OTT) players, which are generally providers of services over the Internet.

2. Conclusion

EECC accurately reflects the fast growth of communications over the Internet. Given the inclusion of ICS within the definition of ECS, more and more Internet-based service provides, including OTT service provides, which were, until now, outside the scope of the regulatory regime, have to understand and comply with the new set of rules on electronic communications.

As mentioned above, EECC has not yet been transposed by Romania. However, there is currently a draft under debate, which is generally in line with the EECC and largely transposes all its provisions.

The implementation draft amends and supplements the regulations in the field of electronic communications, mainly the Government Emergency Ordinance no. 111/2011 on electronic communications and aims to establish measures to facilitate the development of electronic communications networks.

The critical changes brought by the transposition of the EECC into national legislation concern: (i) redefining ECS in regard to ICS, (ii) the general authorization regime, (iii) the limited resources regime (radio frequency spectrum, numbering resources ), (iv) the security of electronic communications networks and services, (v) portability and transfer to another Internet service provider, (vi) end-user rights, (vii) termination fees, (viii) facilitating the development of electronic communications networks, (ix) the “My ANCOM” service.

Nevertheless, it remains to be seen whether this piece of legislation will suffer additional changes until its official publication and entry into force. Depending on how each member state transposes the EECC, including Romania, each entity providing an ECS may need to notify the relevant Member State regulatory entity, ANCOM in our jurisdiction, in order to receive a general authorization to lawfully provide such services within that Member State.

 

[1] Article 2 (5) of DIRECTIVE (EU) 2018/1972 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 11 December 2018 establishing the European Electronic Communications Code (EECC).

Audiovisual Services – Keeping Up with New Video Content Distribution Models

An article by Vladimir Griga

The 2018 Audio Visual Services Directive[1] (the “AVMS Directive” or the “Directive”) has brought important changes, especially for broadcasters and on-demand service providers. The deadline for transposing the Directive, set for September 19th, 2020, has passed with only four Member States successfully implementing the provisions on time (i.e. Denmark, Hungary, the Netherlands and Sweden). This failure has prompted the Commission to launch the infringement procedures against the other 23 Members States and the UK. On November 23rd, 2020, the Commission has sent letters of formal notice to the respective Members States, who now have two months to provide the Commission further information.

In Romania, the Ministry of Culture has submitted a draft law for public consultation in April last year, which was withdrawn shortly after, due to the stark criticism received online from the public. Since then, there have not been any new developments in this regard, despite the transposition deadline being exceeded.

In the following, we shall cover the main amendments of the AVMS Directive, which we believe will reshape the media landscape in 2021.

Services that fall under the Directive

Besides the addition of video-sharing platforms, the general scope of the AVMS Directive remains mostly unchanged. Audiovisual media services continue to be defined in the Directive, covering both linear (television broadcasts) and non-linear (on-demand) services.

Nevertheless, the Directive now outlines that a catalogue of programmes incorporated in a distinct service may also be classified as an audiovisual media service. This change is not surprising, considering the previous judgement of the CJEU[2], where the Court ruled that a catalogue of videos displayed on a newspaper publisher’s website (e.g. short videos consisting of local news bulletins, sports and entertainment clips) may also be subject to the provisions of the AVMS Directive, as long as the other requirements are also observed. Another important change is the removal from the definition of “programme” of the requirement that programmes need to be comparable to the form and content of television broadcasting.

These changes will inevitably expand the scope of the Directive to new services (e.g. channels with video content on social media or pages featuring video catalogues). At the same time, such an extension in scope would appear to have been already toned down by the CJEU’s recent judgement[3], where the Court ruled that the AVMS Directive may not cover a channel featuring promotional audiovisual content (e.g. a YouTube channel). Therefore not every video service provider will be subject to these provisions. However, the merits of the aforementioned case were analysed by the Court prior to the publication of the final draft of the 2018 AVMS Directive and to its subsequent transposition by the Member States (which is yet to be completed). Whilst the conclusions on whether such a video constitutes an audiovisual media service should remain applicable under the new Directive, not the same can be said about the audiovisual commercial communication, which now refers to user-generated videos as well, in addition to programmes. Time will tell how these issues will be construed by the Court in future cases.

Video-sharing platforms

Probably the most important addition of the AVMS Directive is the inclusion of online video-sharing platforms in the scope of the Directive. Simply speaking, these platforms allow users to share video content without any operator having an editorial control or responsibility over the respective content. From now on, video sharing platforms will be required to introduce suitable measures to protect minors from harmful content and defend all audiences against incitement to hatred or violence.

The new requirements also target the advertisement that takes place on these platforms, which previously were not subject to the AVMS Directive. Hence, all providers will need to comply with the provisions set out in the Directive regarding the advertising content shown on their video sharing platforms. What’s more, they will also have to take proper measures in order to make sure that users comply with these requirements as well. The ambitious scope of the Directive also stems from the detailed manner in which the video-sharing platforms have been regulated, the regulation providing for no less than ten instruments that the platforms could use to meet the new requirements, e.g. adding certain clauses in the terms and conditions of service that specifically aim to protect the minors and the general public; enabling users to declare whether commercial content exists in the clips they post; age verification; allowing users to rate the video content; parental control, amongst many others.

Although at first glance, these requirements may seem burdensome for the video-sharing platforms, it is important to note that most of them have already implemented appropriate measures, as laid down in the Directive. That being said, the key takeaway here is that the providers of such services will be subject to the media regulator, as well as be obligated to register as a video sharing platform. On top of that, the AVMS Directive will be applicable to the video-sharing platform providers even if they are located outside the EU, should another legal entity from their corporate group be located within the EU.

Different points of view, same confines

The country-of-origin principle is still present in the AVMS Directive; therefore, there is a very low risk of conflict of jurisdiction between the Member States. The criteria for determining the jurisdiction are largely the same, i.e. the location where the media service provider has its head office, as well as the place where the editorial decisions about the service are taken. In case these locations are set in the different Member States or in a third country, other criteria shall be considered, such as the location of a significant part of the service provider’s workforce.

Notedly, the Directive now clearly defines the meaning of both “editorial decision” and “significant part of the workforce”. The former is a decision taken on a regular basis in order to exercise editorial responsibility and which is related to the everyday operation of the media service, whilst the latter pertains to the staff which is engaged in services concerning the programme.

Other important additions

Another novelty that the AVMS Directive brings relates to the financial contributions for the production of European works. Member States may now oblige media providers to make such financial contributions, should the providers’ service be addressed to the respective national audiences. The initial intention was for this to apply only to on-demand service providers, although now it seems to encompass most audiovisual media service providers. Nonetheless, it is worthwhile to note that these requirements are not applicable to non-EU service providers, nor to video platform providers, irrespective of where their head offices are.

On the topic of European works, the Directive introduces more stringent requirements regarding the promotion of such works for on-demand service providers. These providers must ensure that at least 30% of the catalogues on their platforms comprise actual European content. The Directive gives some examples of how to do this: using European works in advertising campaigns, emphasising them in banners or having a distinct catalogue for European works which is available on the main page.

Moving on to advertising, the AVMS Directive specifies that the amount of television commercial and teleshopping spots, broadcasted between 6.00 and 18.00, and between 18.00 and 24.00, cannot exceed 20% of the total broadcasting time in the respective time frame. This will definitely benefit broadcasters since now they can schedule their advertising more freely[4]. Furthermore, product placement is now generally allowed, with the exception of programmes covering news, current affairs, consumer affairs, or of programmes targeting religion and children[5].

Lastly, the new Directive aims to strengthen the cooperation between the national audiovisual authorities, by consolidating the European Regulatory Group for Audiovisual Media Services (ERGA) and clarifying its prerogatives in the regulation[6].

“Closing credits”

The AVMS Directive, as showcased above, represents a crucial milestone in the EU audiovisual landscape. Although having yet to be transposed by most of the Member States (including Romania), the AVMS Directive is of paramount importance to virtually (pun intended) all stakeholders, ranging from TV broadcasters, on-demand service providers and social media platforms, to the end consumer. This is why we believe that the AVMS Directive is one of the new EU regulations that shall profoundly impact the European digital market in 2021.

 

[1] The Directive (EU) 2018/1808 amending Directive 2010/13/EU on the coordination of certain provisions laid down by law, regulation or administrative action in the Member States concerning the provision of audiovisual media services (Audiovisual Media Services Directive) in view of changing market realities (“AVMSD”).

[2] CJEU, Case C-347/14, New Media Online GmbH v Bundeskommunikationssenat, October 21st, 2015.

[3] CJEU, Case C-132/17, Peugeot Deutschland GmbH v Deutsche Umwelthilfe eV, February 21st, 2018. In a nutshell, the defendant (Peugeot Deutschland GmbH) posted a short video on YouTube, advertising a new vehicle. The claimant then filed a lawsuit against Peugeot, claiming that it failed to provide information regarding the official fuel consumption and CO2 emissions of the said vehicle, thus infringing the German laws. The matter was eventually brought before the CJEU, which concluded that neither a video channel on which users can view short promotional videos for new cars nor a single such video by itself, can be regarded as being an audiovisual media service or audiovisual commercial communication. Simply put, the AVMS Directive did not apply in this case.

[4] Under the previous version of the Directive, the 20% limit applied to TV advertising and teleshopping spots per clock hour, i.e. 12 minutes per hour, whilst now it covers a much broader spectrum, resulting in either 144 minutes or 72 minutes of advertising, based on the specific time frame. Thus, a broadcaster may now use the entire hour of transmission without running any commercials, since they may be carried forward in the following broadcasts.

[5] Similarly, the former Directive expressly prohibited product placement, with only a few exceptions. The new Directive makes a rather odd U-turn and now gives a green-light to product placement, leaving out some of the more sensitive types of programmes.

[6] ERGA was first established by the Commission on February 3rd, 2014.

Four (More) Areas of the European Digital Market to Be Impacted by Future Regulation

In a recent article, we discussed four new European regulations impacting the digital market from 2021 onwards. While these pieces of regulation exist and produce effects already or will start producing effects in the months to come, there are other areas of concern for the European regulators that will receive increasing attention in the near future.

1. Data Governance

A draft proposal for a regulation on data sharing in the European Union was published for consultation this November 2020. This regulation aims to facilitate the exchange of data between public and private sectors withing all Member States and increase trust in data sharing within the EU.

This regulation has the potential to boost the re-use of data available in the hands of public actors which is normally protected by an available form of confidentiality, by other business and not-for-profit actors. These vast amounts of data can prove decisive in training AI models for various applications, can be poured into various R&D projects or help drive European or nation-wide public policies.

It also introduces the concept of data altruism as a new type of consent for the use of protected data (personal or otherwise) without reward for general interest.

2. The Common European Health Data Space

In February 2020, the EC published its European strategy for data in which digital health sector, including healthcare and medical devices, was specifically addressed. To remove the fragmentation between the Member States in the health sector, the EC proposes a Common European Health Data Space, supporting the idea of a single market for data.

Just like the Data Governance Act, this proposal is based on the use and re-use of data, in this case, health data, which is extremely important for innovation in the healthcare sector, for improving accessibility and effectiveness of the healthcare systems and the competitiveness of the European industry. Although such system brings numerous benefits to society in general and individuals in particular, all use and combination of health data within Europe will have to include adequate safeguards in compliance with, among other, the provisions of the GDPR.

3. Artificial Intelligence – White Paper and & Consultation Report

This year, the EC kick-started the process for a regulation on AI with the White Paper on Artificial Intelligence – A European approach to excellence and trust, together with a series of accompanying documents, including the aforementioned European strategy for data and a Report on the safety and liability implications of Artificial Intelligence, the Internet of Things and robotics. The documents discuss the objectives of a potential regulatory framework and address many potential risks and concerns related to the use of AI.

The White Paper on AI is the first step to start the legislative process, being a document used by the EC to launch a debate with the public, other stakeholders, EU Parliament and the Council to reach a concrete proposal for a European approach to AI. According to the EC, the main risks identified concern the fundamental rights, including data privacy and non-discrimination, and safety and liability issues. Taking this into account, the EC concluded that a new regulation specifically on AI is necessary to address these risks.

Following a period of consultation concluded in June 2020, a report was published summarizing the opinion of over 1,200 respondent from a broad spectrum of stakeholders. The report showed that the respondents were concerned, inter alia about AI potentially breaching fundamental rights, AI leading to discriminatory outcomes or posing a safety risk. Almost 75% of the respondents opined that regulators need to issue new regulations or strengthen existing ones to tackle the identified risks.

Among the high-risk application areas of AI, the respondents identified the defence sector (autonomous weapons), remote biometric identification and surveillance, healthcare, critical infrastructure, human resources and employment.

4. Crypto-Assets & Digital Operational Resilience

Two new regulation proposals, Regulation on Markets in Crypto-Assets(“MiCA”) and Regulation on digital operational resilience for the financial sector, published in September 2020, aim to establish a harmonized EU regime for the regulation of crypto-assets and to reduce ICT risk in the financial sector as well as to overcome regulatory fragmentation in this field among the Member States and sub-sectors.

MiCA concerns cryptocurrencies not presently included in general regulation, establishing separate frameworks for three categories of crypto-assets: e-money tokens, asset-referenced tokens and other crypto-assets, as well as a new subset of crypto assets, the so-called „stablecoins”, which recently emerged and attracted the attention of both the public and regulators around the world.

The proposal for a Regulation on digital operational resilience for the financial sector introduces an oversight framework to cover critical third-party information providers and communications technology services, including cloud service providers, as well as a ban on using critical ICT third-party service providers established outside the EEA.

Four new European regulations impacting the European digital market in 2021

+++ BONUS: THE DIGITAL SERVICES ACT PACKAGE

The regulation of the European digital market is a constant preoccupation of the European Commission. Be it for the increase of the consumer welfare, as the Commission claims, or for setting roadblocks on the path of the technology powerhouses to dominate the European digital space, as the industry claims, here are the most important European regulations that will shape the European digital market in 2021.

1. Audiovisual Services – Keeping Up with New Video Content Distribution Models

The 2018 Audio Visual Services Directive[1] is already here and brings significant changes for linear broadcasters and on-demand service providers, providing minimum harmonization standards. One of the most notable change brought about is the introduction of rules regarding video sharing platforms, which will be subject to stricter obligations to protect viewers, especially minors, from harmful content in the online world and will be required to take appropriate measures to protect individuals from incitement to violence or hatred and content constituting criminal offences (in essence, a public provocation to commit terrorist offences, child pornography and racism/xenophobia).

Despite the implementation deadline of 19 September 2020, Romania is still to present for public consultation a draft implementation law.

2. European Electronic Communication Code – Consolidation and Reform

In December 2018, the first the European Electronic Communications Code (“EECC”) was adopted[2], representing a far-reaching reform of the European framework in the field of electronic communications. The notion of electronic communications service was expanded to incorporate the evolutionary changes in the sector, leading to more and more service providers being subject to the provisions of EECC (e.g. interpersonal communications services provided over the internet, such as Whatsapp, are now included in the electronic communication services).

EECC must be transposed by the Member States until 21 December 2020. In Romania, the draft implementation law is currently under debate and, with the deadline just around the corner and a Parliament in the making, it is unlikely that the implementing law will be adopted in time.

3. Expanding Consumer Rights in the Digital Space

2019 Digital Content Directive[3] and 2019 Sale of Goods Directive[4] aim to reduce transaction costs for businesses by aligning the EU legislation and to increase the level of protection and legal certainty for consumers when buying from across the EU. These come in addition to 2019 Platform-to-Business Regulation[5] which deals with the relationship between platforms and their business users, which came into effect in July 2020.

While the Sale of Goods Directive applies to sale contracts between a consumer and a seller for goods, including goods with a digital element (e.g. smartwatches, smart TVs etc.), while the Digital Content Directive applies to contracts concluded between a consumer and a trader which supplies digital content or digital services. The definition of “digital services and digital content” covers, inter alia, social media services, software as a service and various computer applications. However, certain services, such as healthcare, financial services and open-source software, are expressly excluded. A very important aspect is that the Digital Content Directive also applies when the consumer provides its personal data as payment in return for the digital content or service. The question of contract validity, in this case, is, however, left to the national laws.

Both directives must be adopted by the Member States before July 1, 2021, and shall apply from 1 January 2022.

4. Biggest Overhaul in Copyright Laws for 20 Years

The 2019 Copyright Directive[6] is the biggest overhaul of European copyright laws since 2001 in view of increased cross-border use of digital content. The new rules provide increased protection for authors and artists while opening new possibilities for accessing and sharing copyrighted content online across the European Union.

Online content sharing service providers are greatly impacted by this Copyright Directive. In an unprecedented shift in liability for copyright infringements, content sharing platforms will be, in principle, required to obtain licenses for copyright-protected content uploaded by users, unless certain conditions set out in the Copyright Directive are met. The new rules continue to be subject to intensive debate and the practical implementation of “policing” and rights collection systems is giving the whole industry a big of headache.

The Copyright Directive must be implemented across EU by 7 June 2021.

Bonus: The Digital Services Act Package 

The Digital Services Act (“DSA”) is a legislative package published on 15 December 2020 by the European Commission, which aims to create a modern legal framework for digital services[7]. DSA represents the biggest regulatory reform effort in the sector of digital services since the 2000 E-commerce Directive in 2000 and is aimed at strengthening the Digital Single Market and ensuring that digital service providers in the European Union act responsibly to mitigate risks faced by their users and to protect their rights. It aims to tackle the issues posed by the rising power of internet platforms, especially of the so-called gatekeepers (who, for example, would be required to observe requirements intended to ensure inter-operability with competitors) and marks a return by the European Commission to ex-ante type of measures rarely seen in a couple of decades.

 

[1] The Directive (EU) 2018/1808 amending Directive 2010/13/EU on the coordination of certain provisions laid down by law, regulation or administrative action in the Member States concerning the provision of audiovisual media services (Audiovisual Media Services Directive) in view of changing market realities (“AVMSD”)

[2] Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code, repealing the provisions of Directive 2002/21/EC

[3] The Directive (EU) 2019/770 on certain aspects concerning contracts for the supply of digital content and digital services;

[4] Directive (EU) 2019/771 on certain aspects concerning contracts for the sale of goods;

[5] Regulation (EU) 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services;

[6] DIRECTIVE (EU) 2019/790 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC

[7] https://ec.europa.eu/digital-single-market/en/digital-services-act-package

The electronic signature: long-distance (commercial) relationships

*An article by Cezara Constantinescu, Senior Associate

The state of emergency has brought a series of changes in the life of each of us. Among these, the way we communicate, the way we conclude contracts, the way we carry out our interactions with the public authorities. All these must be made, in principle, from a distance.

In this context, the electronic signature takes on particular relevance. The electronic signature is an instrument which exists and has been used for years, which however becomes particularly relevant in the current context, especially since the presidential decrees[1] not only imply, but also expressly advise towards the use of electronic means of communication. Moreover, GEO 38/2020[2], in force as of 7 April 2020, grants an increased legal value to the advanced electronic signature, allowing the use of such signature by natural/ legal persons in their relations with public authorities and institutions.

In this article, we will present the types of electronic signatures, their specific effects, as well as the issue of the electronic signature originating from a non-EU country.

I. The types of electronic signatures. The national and EU regulation.

Two main pieces of legislation on electronic signature are applicable in Romania, namely:

Law no. 455/2001 on the electronic signature (”Law 455/2001”);

Regulation (EU) No. 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC („eIDAS”).

Being an EU regulation, eIDAS is mandatory and directly applicable in the national legal system. eIDAS has priority over Law 455/2001, where it grants broader rights than the latter. In any case, eIDAS is based on the principle that the legal effect of electronic signatures is defined by national law, except for the requirement according to which a qualified electronic signature should have the equivalent legal effect of a handwritten signature (para. (49) eIDAS preamble).

On a basic level, the electronic signature is defined as data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign. Three types of electronic signatures are regulated:

1. The simple electronic signature – consists of data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.

For example, the signature used in an e-mail, or the signature given on certain digital signature pads.

2. The extended electronic signature, named advanced electronic signature (“AES”) in eIDAS – is that electronic signature which:

is uniquely linked to the signatory;

allows the identification of the signatory;

is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and

is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.

Examples: DocuSign[3], PandaDoc, etc.

3. The extended electronic signature based on a qualified certificate, named qualified electronic signature (“QES”) in eIDAS – is an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures;

Consequently, the main difference between an AES and a QES is that the latter is created by a qualified electronic signature creation device, and is based on a qualified certificate for electronic signatures. These additional elements of the QES generate the presumption that the identity of the signatory is the real one, the reason for which QES is the “safest” type of electronic signature, and has the highest legal value, as will be shown below.

Qualified trust service providers in Romania are listed in the Registry kept by the specialized public authority, which is currently, the Ministry of Transport, Infrastructure and Communications[4]: https://www.comunicatii.gov.ro/semnatura-electronica/ The Registry is updated by the authority as changes occur with respect to the providers.

At an EU level, the full list of trust service providers – including QES in the member states, as per eIDAS, is published at this address: https://webgate.ec.europa.eu/tl-browser.

There is an important aspect which we underline here, namely that, as per Art. 25 (3) eIDAS, a qualified electronic signature based on a qualified certificate issued in one EU member state is recognised as a qualified electronic signature in all other member states. Consequently, a QES based on a qualified certificate issued in another member state is recognized as QES in Romania and has the same legal effects as a QES issued by a local provider.

II. The legal effects of the three types of electronic signatures

Below we will present the legal effects of the three types of electronic signatures, starting with the one with the highest legal value – the qualified electronic signature (QES), and continuing with the other two types of electronic signatures – the advanced electronic signature (AES) and the simple electronic signature.

1. The qualified electronic signature (QES)

Both eIDAS and Law 455 provide that an electronic document signed with QES is assimilated, in what regards its conditions and effects, with an act under private signature. More specifically, the QES has the legal value of a handwritten signature.

At the same time, when the written form is legally requested as a condition of validity or proof of a legal act, an electronic document fulfils such condition if it is signed with a QES.

In this respect, we mention by way of example:

Legal acts for which the written form is a validity condition:

a court claim / a request for appeal;
 a company’s constitution, as per the Company Law no. 31/1990 (when the notarized form is not required);
 the individual employment contract;
 the personal guarantee;
 the mortgage on movable assets;
 the land lease agreement;
the vote expressed in a company’s shareholders’ assembly, when the voter is not physically present;
 the vote expressed in the creditors’ assembly/ committee of an insolvent company, when the voter is not physically present;
 tax declarations;
 the handwritten testament.

Legal acts for which the written form is a proof condition:

 the legal services agreement (as well as any power of attorney based on such agreement);
the transaction agreement;
the company agreement (for companies without legal personality);
the insurance contract;
 the storage contract.

These legal acts are valid or can be proven, respectively, if they are signed with a QES.

2. The advanced electronic signature (AES) and the simple electronic signature

2.1 The general situation

We have previously shown that both eIDAS and Law 45/2001 give the QES the legal value of a handwritten signature.

Nevertheless, by interpreting the relevant legal provisions, we appreciate that the documents signed with AES or simple electronic signature may also have the effects of an act under private signature, in certain situations and under certain circumstances:

 In the case of legal acts for which the written form is not legally required as a condition of validity or proof (see item II.1 above) if the parties agree to use such signature in their relationship.

We may include here: orders; invoices; certain sales agreements; distribution agreements; service agreements; consumer agreements.

 For any legal act, if the party to whom the signature is opposed recognizes the signature.

In this regard, Art. 6 of Law 455/2001 provides that the act in electronic form, to which an electronic signature has been incorporated, attached or logically associated, recognized by the party to which it is opposed, has the same effect as an authentic deed between its signatories and their representatives.

The disadvantage is that in order to be valid, such recognition must be made in the legal form requested for the validity of the act, or before the court – if it comes to litigation. This is why, in practice, the use of a QES from the beginning is preferred.

For any legal act signed with an AES, even in absence of any recognition by the party to which the signature is opposed, if the interested party manages to prove that the AES meets the four cumulative legal requirements (item I.2. above), namely that it:

is uniquely linked to the signatory;
allows the identification of the signatory;
is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and
is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.

In the case of QES, it is presumed that these requirements are met, until any proof to the contrary (Art. 9 of Law 455/2001).

Illustratively, in practice, we may think of situations like: (i) a party in a contract signed with an AES denies having signed the contract, and the other party wants to prove that the signature indeed belongs to the party that denies it; (ii) when the recipient of a unilateral legal act (e.g. a unilateral promise of sale) signed with an AES wants to exercise the rights granted by such act, but its author (signatory) denies the signature; (iii) when the author of a unilateral legal act signed with an AES wants to prove such act generated legal effects.

Of course, such proof may be difficult from a technical point of view, however not impossible.

In all cases, the interested party is entitled to challenge in court a certain signature, be it a QES, an AES or a simple electronic signature. In such a situation, the court may order a technical (IT) expertise, the objectives of which will be more or less complex, depending on what exactly is challenged.

2.2 The particular situation of GEO 38/2020 – the AES has the legal value of a handwritten signature for natural and legal persons in their relation with public authorities and institutions

The recent GEO 38/2020 – in force as of 7 April 2020, grants the AES the legal value of a handwritten signature, in the relation of natural and legal persons with public authorities and institutions, providing that:

 As of 7 April 2020, public authorities and institutions have an obligation of registering documents signed with the electronic signature;

The public authorities and institutions establish the type of electronic signature applicable for the use of a particular online service by the natural or legal persons, with the observance of eIDAS. GEO 38/2020 provides that within 15 days from its entry into force, the public authorities and institutions will issue the administrative regulations necessary for the implementation of this provision[5].

The documents signed with an AES, which are sent by the utilisation of authentication mechanisms of a substantial or high level, are assimilated – as regards the conditions and effects thereof, with acts under private signature.

III. The issue of the electronic signature originating from a non-EU country

We have shown above that a qualified electronic signature based on a qualified certificate issued in one EU member state is recognised as a qualified electronic signature in all other member states (Art. 25 (3) eIDAS).

But what legal effects does an electronic signature originating from a third country have? For example, a document signed with DocuSign (USA). This is one of the questions we can face in practice.

As regards the QES, Art. 40 of Law 455/2001 provides that the qualified certificate issued by a certification services provider headquartered in a third country is recognized as having equivalent legal effects with the qualified certificate issued by a certification services provider headquartered in Romania if:

 The certification services provider headquartered in a third country had been accredited in the conditions provided by Law 455/2001; or

An accredited certification services provider headquartered in Romania warrants for that certificate; or

 The certificate or the issuing certification services provider is recognized by way of a bilateral or multilateral agreement between Romania and other countries or international organizations, based on reciprocity.

This latter hypothesis overlaps with the eIDAS provision according to which trust services provided by trust service providers established in a third country shall be recognised as legally equivalent to qualified trust services provided by qualified trust service providers established in the EU, where the trust services originating from the third country are recognised under an agreement concluded between the EU and the third country in question or an international organisation (Art. 14 eIDAS).

On the other hand, Art. 25 (1) eIDAS provides that an electronic signature will not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.

We appreciate that our conclusions above (item II.2) on the legal effects of the AES and the simple electronic signature are relevant here. Accordingly, an electronic signature originating form a third country, that does not meet the requirements for being considered a QES, may have legal effects as an AES or a simple electronic signature, as follows:

 In the case of legal acts for which the written form is not legally required as a condition of validity or proof (see item II.1 above), if the parties agree to use such signature in their relationship.

 For any legal act, if the party to whom the signature is opposed recognizes the signature.

 For any legal act signed with an AES, even in absence of any recognition by the party to which the signature is opposed, if the interested party manages to prove that the AES meets the four cumulative legal requirements (item I.2. above).

Moreover, considering the provisions of GEO 38/2020, we conclude that an AES issued in a non-EU country can be used by natural/ legal persons in their relation with public authorities and institutions, having the legal value of a handwritten signature in the sense of the GEO.

Finally, we reiterate that a qualified electronic signature based on a qualified certificate issued in one EU member state is recognised as a qualified electronic signature in all other member states (Art. 25(3) eIDAS). Consequently, a QES based on a qualified certificate issued in another member state is recognized as QES in Romania and has the same legal effects as a QES issued by a local provider.

 

[1] Decree no.  195/2020 on the establishment of the state of emergency in Romania, issued by the President of Romania, in force as of 16 March 2020. Decree no. 240/2020 on the extension of the state of emergency in Romania, in force as of 15 April 2020.

[2] Government Emergency Ordinance no. 38/2020 on the use of documents in electronic form, at the level of public authorities and institutions, in force as of 7 April 2020.

[3] Except for DocuSign France, which is a QES provider according to the list of trust service providers in EU: https://webgate.ec.europa.eu/tl-browser/#/tl/FR/9

[4] Following the reorganization of the Ministry of Communications and Information Society (MCIS), on 19 February 2020. An update of the websites of the involved ministries was not done yet, therefore the Registry is still published on the (former) website of MCIS.

[5] At the date this article was written, no such administrative implementation acts had been issued.

Brief analysis of the Judgement of the Court of Justice of the European Union in Case C-567/18, Coty Germany v. Amazon Europe

*An article by Vladimir Griga, Associate

On April 2, 2020, the Court of Justice of the European Union (“the Court” or “CJEU”) ruled in Case C-567/18, concerning the reference for a preliminary ruling made by the German Federal Court of Justice (hereinafter “the referring court”) in the dispute between Coty Germany and Amazon Europe. This judgement may have significant implications for retailers, online marketplaces (which usually act as intermediaries of the latter), as well as trademark holders.

Facts

Coty Germany (hereinafter „Coty”), a German company and licensee of the European trademark “Davidoff”, made test purchases and found out that several perfumes from the “Davidoff How Water” line, which were offered for sale by third-party sellers on the Amazon-Marketplace platform (www.amazon.de), have been put on the EU market without its consent, hence infringing Coty’s trademark with respect to Davidoff. Amazon Europe (hereinafter “Amazon”) was not aware at the time the offers were published that those products violate Coty’s rights. Later on, Coty asked Amazon to disclose the details of those sellers, the latter refusing to do so. Finally, Coty sued Amazon for trademark infringement, requesting Amazon to cease the stock and dispatch of perfumes in Germany, if they are marketed without Coty’s consent.

Out of the Amazon companies that were sued, one runs the online platform, whilst the other one runs the warehouse under the “Fulfilment by Amazon” scheme. This scheme allows a third-party seller that uses the platform to delegate to Amazon the entire warehousing and delivery logistics of goods, albeit the former and not the latter remains the person that concludes the contract with the end customer (Amazon thus acting as an intermediary).

Reference for a preliminary ruling

In the dispute, the referring court requested the CJEU’s opinion with respect to the liability of an intermediary who, on behalf of a third-party, stores goods that infringe trademark rights, as long as the intermediary (the warehouse keeper) is not aware of this infringement.

The judgement of the Court

The CJEU decided to limit its judgement strictly within the scope of the question, concluding that the mere warehousing of goods, on behalf of a third-party, does not represent a trademark infringement, should that person be unaware of this infringement. In giving this solution, the Court has partially parted from the Advocate General’s opinion, the latter analysing in-depth the nuances of the issue at hand, from a double perspective.

The opinion of the Advocate General

The Advocate General considered that a distinction should be made between the intermediaries, depending on the nature of the services provided to the seller that had infringed the trademark.

» On the one hand, the Advocate General offered an answer similar to that given by the Court: if the intermediary carries out only ancillary tasks in the sales process, such as warehousing the seller’s products, then the intermediary cannot be sanctioned for trademark infringements if he/she was not aware of them, the responsibility belonging entirely to the seller. This is due to the fact that the intermediary does not have an active role nor any control in the sales process, as opposed to the seller.

» On the other hand, the Advocate General emphasised that the situation is different in the case of the so-called “integrated stores”, where the intermediary is actively involved in the sales process, offering not only simple warehousing services but a much wider range of services, such as online advertising and promotion, providing customer service, managing refunds of defective products, intermediation of payments between buyer and seller, preparation of products for delivery, including labelling, packaging and gift wrapping, and others alike. If the warehousing services, by themselves, could be regarded as accessories of the sales process, not the same can be said about the other services, which together put the online platform in a similar position to the seller, giving it more of a “co-seller” capacity, rather than it being just an intermediary of the seller.

We would like to point out that the Court did not consider the Advocate General’s analysis because the information regarding the active involvement of Amazon in the sales process emerged only in the procedures before the CJEU, the referring court failing to provide them in the context of the reference for a preliminary ruling. Nonetheless, from a procedural point of view, the Court has decided that it can only rule within the limits set by the referring court and, therefore, has omitted all that information and, consequently, the comparative analysis carried out by the Advocate General.

Conclusions and recommendations

Online marketplaces can breathe a sigh of relief for the time being, the decision, in this case, being favourable to them: the simple warehousing, on behalf of a third-party, of goods that infringe the trademark rights of another person will not lead to the liability of the online marketplaces unless they knew about that infringement. However, it is recommended that online marketplaces take into account the Advocate General’s reasons and consider the liability risk for trademark infringements, as the Court has not in any way ruled on the situation of “integrated stores”, which offer a broader range of services. At the same time, one needs to keep in mind that the intermediary’s liability in the present case concerned only trademark infringements: the Court itself warned that the intermediary’s liability may still exist on grounds of intellectual property enforcement and e-commerce, in cases where the intermediary enables another economic operator to use a trademark unlawfully, thus being liable for it.

What to look out for when contracting agile software development?

*An article by Radu Zmaranda, Associate, CIPP/E

Agile software development has become the core project management model applied by most, if not all, software developers nowadays. Often customers are unable to define their software needs from the commencement of a project, since they may vary depending on the business value, budget, profitability, its own clients’ requirements and other variables.

By oversimplifying the concept, the agile process implies a flexible iterative development of the desired software, each iteration representing a so-called “potentially shippable product” – i.e. a fully functioning standalone software module. This iterative approach to software development has been created to better adapt to the constantly changing requirements of the customers, as well as to deliver high-quality products through ongoing inspection and assessment of the software to be developed, continuous collaboration between cross-functional teams and prompt response to changes.

To put it bluntly: agile means delivering what the customer wants even if he does not know it yet.

This model is not, however, without obstacles for lawyers. One of core the values of agile software development, and probably one of the most feared by legal professionals, is: “customer collaboration over contract negotiation”, hence the paradox. The question that we are often faced within this type of engagements is: how can the parties have the flexibility of the agile model while maintaining the same level of protection as in standard waterfall development agreements?

This following article intends to give a broad overview of the most important aspects related to drafting agile software development agreements. For the sake of example, we will focus on the SCRUM methodologies, but many concepts presented herein are equally applicable to agile as a whole and are not limited to SCRUM

1. Shifting to agile: do we need a clean slate?

The short answer: YES!

Legal costs with contract drafting are never on the wish list of any developer or customer who wants to switch to the agile software development models, especially if they already have a very good standard waterfall software development agreement. Why can’t this agreement just be adapted to the new model when the subject matter is, in fact, identical: software development?

The truth is that the differences between the waterfall model and the agile model are significant, and adapting a contract which was designed specifically for the waterfall model may leave the parties exposed to various risks from a legal perspective.

2. The essentials of drafting agile software development agreements

This section shall focus only on certain specific aspects of the agile software development agreements, such as the key roles in the project, sprints procedure, acceptance, liability etc.

>> Define the key roles within the project

The Scrum Master (or agile coach)
• may be an employee of the customer, of the developer or a third party;
• the role of the Scrum Master essentially consists of support obligations for the product owner and development team (similar to a coach);
• the Scrum Master does not have any authority over the development team and the product owner, but must ensure that each of them cooperates in the most efficient manner and do not encounter any obstacles that may affect or impair the software development process.

The Development Team
• usually consists of employees of the developer (but could also include customer personnel);
• is responsible for the actual development and testing of the software;
• is responsible for estimating the effort required for the development of each item in the product backlog;

The Product Owner
• is the key representative of the Customer;
• is responsible for clearly communicating the goals and objectives of the project (i.e. the customer’s requirements) to the development team;
• is responsible for drafting and ongoing revision of the product backlog;
• is responsible for drafting and ongoing revision of the release plan;

Any agile software development agreement should identify the key roles in each project, as well as the obligations corresponding to each member of the project team. In principle, any such agreement should include the following roles and corresponding obligations:

>> Define the sprint process

During the duration of the agile agreement, the software is developed in iterations, often called “sprints”. The duration of each sprint is at the sole discretion of the parties, but it is usually between 2 and 4 weeks. A sprint usually starts with the planning of the respective iteration (aka the sprint planning meeting) and ends with the acceptance and review of the deliverables (aka sprint review meeting).

Although in practice there are discussions whether the sprint process, in itself, should be legally binding for the parties (claiming that a too rigid approach to the sprint process would be incompatible with the agile model), we deem that to a certain extent it is recommendable to make such process binding on the parties, as this would also better delineate the liability of each party in case the project does not progress as intended.

For example, planning and review meetings should be clearly defined in any agile software development agreement, whereas daily meetings could be left at the sole discretion of the development team in order to allow for better flexibility and time management during each individual sprint.

>> Create the Definition of Done

In SCRUM processes, the definition of done is the benchmark against which each deliverable from a sprint is measured, in order to determine whether it satisfies the customer’s requirements. Utmost importance must be given to the Definition of Done since it will pave the way for any future liability of the developer. The Definition of Done should be carefully drafted and negotiated at the commencement of the project, to ensure that both parties have a common understanding on what “done” actually means with regards to the delivered software. For example, the definition of done could provide that all customer’s functional/non-functional tests have been passed, that the acceptance criteria have been met for each product backlog item etc.

>> Create a liability mechanism for delay

In principle, delay is not a common concept in SCRUM projects. This is because velocity (which represents how many product backlog items can be developed by the development team during a sprint) is usually variable. If certain items could not be completed during a sprint, they are returned to the product backlog and prioritized in future sprints. In this respect, lawyers find themselves in situations in which they avoid determining a specific liability for delay and rely on the other provisions of the agreement, such as the obligations of each person involved in the project to self-organize and self-adapt in order to deliver in a timely and efficient manner.

In our view, however, this does not mean that the consequences of delay cannot be regulated in another manner. For example, in many situations the velocity of the development team can be determined with high precision. In this respect, even though fixed milestone and deadlines are usually discouraged, certain provisions guaranteeing a minimum velocity can overcome such gaps. Nonetheless, lawyers should pay very close attention to how such clauses are drafted, to ensure that even the guaranteed velocity allows the flexibility required by the agile models. Drafting too rigid provisions would lead to bottlenecks throughout the project.

>> Dispute Resolution mechanism

Finally, agile models rely heavily on the collaboration of the parties. There are many points during each engagement that disputes may arise, such as: whether the delivered iteration meets the definition of done, whether the effort estimates of the development team are reasonable and in accordance with good industry practice etc. Of course, in each agreement parties try to solve any dispute amicably, but in case they fail they must defer the dispute to the court.

Under agile models, given the incremental delivery, such an approach would create significant bottlenecks throughout the project. In this respect, a multi-tier dispute resolution mechanism is essential to any agile software development agreement. For example, any dispute which cannot be resolved between the product owner, scrum master and development team, may be referred to the middle management of each parties and ultimately to the top management of either party. Relying on an expert’s opinion is also often recommended in agile software development agreements, since many of the disputes are very technical in nature.

3. Key Takeaways

With the shift from waterfall software development models to agile development models, customers and developers alike must ensure that adequate contractual mechanisms are in place, which accurately reflects the new software development methodology. Considering the significant differences between the two models, the adaptation of classic waterfall software development agreements is not recommendable, as there will always be a risk of significant gaps in the protection granted to the parties.

Roles and procedures are the core elements of any agile software development agreement and collaboration of the parties represents the shell. Disputes should be treated as a natural part of the process and should be solved amicably through adequate mechanisms without bringing the progress to a full stop.

Agile models represent a success story and are here to stay. It remains the job of legal professionals to ensure that the agreements keep up with the rapidly changing trends in the technology sector. In the end, flexibility doesn’t mean anything without adequate safeguards.