Recent years have seen a sizeable increase in migration by Portuguese corporate users of their IT infrastructure to cloud-based services. Cost reductions and efficiencies have been the main driver for this trend but other factors such as the self-service, flexible and scalable nature of cloud services have also contributed. Currently, according to IDC market figures, more than two-thirds of Portuguese organisations already resort to public or private cloud computing solutions and overall expenditure (of which software as a service, SaaS, is the main preferred service model) is projected to grow at an annual rate of 19.8% until 2023.
The Council of Ministers Resolution No 29/2020 encouraged the development of a legislative framework to facilitate research, simulation and testing activities, in a real environment, for innovative technologies, products, services, and models in Portugal (including, among others, artificial intelligence, blockchain, virtual reality, big data, 5G or Internet of Things), through the creation of Technological Free Zones.
Moreover, the Portuguese government recently introduced an Action Plan for Digital Transition through the Council of Ministers Resolution No 30/2020, which is considered an essential instrument for the country's development. This action plan foresees, in particular, a cloud strategy for the public administration, aiming to create a strategic framework for its integration in the cloud through the adoption of computing tools, and the digital transformation of businesses.
Laws and Regulations in Relation to the Cloud
In Portugal, there are no national laws or regulations specifically regulating cloud computing.
However, Law No 46/2018 of 13 August, which establishes the legal framework for security in cyberspace and transposes Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016, concerning measures for a high common level of security of network and information systems across the European Union (NIS Directive), defines “cloud computing services” as digital services that allow access to a scalable and adaptable set of shared computing resources (Article 3 (p)). It also qualifies the providers of such services as digital services providers (Article 11) to whom the cybersecurity regime applies.
Furthermore, in the context of entrusting processes or data to the cloud, certain limitations can nevertheless arise from general provisions (namely those governing the provision of services, consumer protection rules, IP law and data protection law). In practice, the contract terms between the cloud service provider and its client should stipulate, or circumvent, any relevant limitations.
General contract rules will apply to the formation and performance of cloud service contracts. These may vary from entirely standardised terms of service to more flexible and negotiated arrangements, with a content more tailored to the cloud service user’s requirements.
Typical issues raised in the context of cloud computing service contracts include the following:
In Portugal, there is no industry-specific legal regulation in relation to the cloud. However, there are industry recommendations and guidelines, notably for the financial services industry.
The Portuguese Central Bank (Banco de Portugal or BdP), which is also the supervisory authority for the financial services sector, has stated its intention to ensure compliance with the European Banking Authority’s (EBA) guidelines on outsourcing arrangements in its Carta Circular (guideline) No CC/2019/25. Although this refers explicitly to the 2017 Cloud Outsourcing Guidelines, these have been subsequently revised by the EBA in February 2019 and the current (and broader, covering also non-cloud outsourcing contracts) version is assumed to apply as of 30 September 2019.
Under the guidelines, specific requirements apply if the contracting of cloud-based services by a financial services provider constitutes a material outsourcing, involving the outsourcing to a cloud services provider of "critical or important" functions, such as those involving banking activities or payment functions.
Processing of Personal Data in the Context of the Cloud
The processing of personal data in the context of cloud computing is subject to the general rules on data protection established in the GDPR. Special attention should be given to the rules regarding data transfers to non-EEA countries, namely whether or not the transfers are made on the basis of an adequacy decision and whether appropriate safeguards for data protection are in place.
If a cloud services provider has a data centre in a non-EEA country, that factor should be taken into account. Also, attention and due care should be given to the appropriate technical and organisational measures against unauthorised access, as well as the availability and integrity of the personal data stored in the cloud (eg, encryption of the personal data).
It should be noted that cloud service providers are processors in light of the GDPR. Therefore, according to Article 28 of the GDPR, an agreement should be concluded to regulate the processing of personal data carried out by the processor, which should include, inter alia, the identification of the processors contracted by the cloud service provider (ie, subprocessors).
Additionally, it is worth mentioning that it is not prohibited to use cloud service providers located outside the EEA. However, according to the GDPR, any transfer of personal data to non-EEA countries shall take place only if:
* According to Article 29 Working Party – which was the independent EU Advisory Body on Data Protection and Privacy and which, with the entry into force of the GDPR on 25 May 2018, has been replaced by the European Data Protection Board – these derogations are exceptions from the rule that personal data may not be transferred to a non-EEA country unless the country provides for an adequate level of data protection or appropriate safeguards are put in place.
Blockchain (or distributed ledger) technology may be described as an encrypted database which keeps an irreversible and updated record of transaction information. The blockchain database compiles transactions in blocks, which are time-stamped, and distributed across a network of peer-to-peer participants (decentralised model). An integral copy of the database is stored in each of the network’s computers, or nodes. To date, although many other potential applications hold enormous interest, blockchain has mainly been used in the context of cryptocurrencies and digital financial transactions.
With the recent publication of Law No 58/2020, of 31 August, implementing Directive (EU) 2018/843 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU, Banco de Portugal has taken on the supervision of entities that manage virtual assets, or cryptocurrencies, in compliance with the legal and regulatory provisions applicable to the prevention of money laundering and financing of terrorism (exclusively).
In particular, BdP is responsible for registering entities that perform “exchange services between virtual assets and fiat currencies or between one or more virtual assets”, “virtual asset transfer services” and/or “custody or custody services and administration of virtual assets or instruments that allow controlling, holding, storing or transferring these assets, including private cryptographic keys”.
It should also be noted that, following the publication of Law No 58/2020, of 31 August, the BdP launched a public consultation on a draft notice (and the respective explanatory memorandum) aimed at regulating the information and documentation:
The public consultation terminated in December 2020 and its results are expected to be published soon.
Risk and Liability
Risk and liability issues will depend on the specific blockchain solutions or applications in question and on the blockchain’s private/permissioned or public/permissionless network structure. In any circumstance, and given the lack of specific legal rules or regulations, it is advisable for all entities involved to carefully assess potential risk and liability implications and to set up an appropriate contractual framework regulating these matters. This will involve allocating liability between blockchain developers and platform operators (eg, for smart contracts), notably for system errors and failures, and between the latter and downstream users (in this case, probably through more standardised contract terms). In addition to contractual regulation, insurance coverage may be advisable depending on the extent of each participant’s liabilities.
Risk has received greater regulatory attention in the context of cryptocurrencies. In line with similar moves by many other European central banks and regulatory authorities for the financial sector, Banco de Portugal has issued several public statements with warnings on cryptocurrencies, notably a statement addressing Bitcoin (November 2013) and a subsequent one addressing the risks of using cryptocurrencies in general (October 2014).
The Portuguese capital markets authority (CMVM) has also published similar warnings to investors. In November 2017 it issued a warning concerning the potential risks of ICOs (initial coin offerings) for investors. More recently, in July 2018, CMVM published a notice addressed to entities involved in ICOs on the legal qualification of tokens. In this notice, it emphasised the need for the legal nature of tokens being offered in an ICO to be assessed, notably as to the possible qualification as securities. CMVM further stated that tokens may, depending on a case-by-case assessment, qualify as (atypical) securities under Portuguese law.
Furthermore, in December 2020, the BdP also published a paper on crypto-assets, identifying as the main risks underlying the use of crypto-assets:
Blockchain technology created for an application may be protected by Portuguese copyright law and the Portuguese legislation applicable to trade secrets. Under Portuguese law, it is harder to protect an application involving blockchain technology by means of a patent due to the exclusion of source and object code from patentability, except if there is an invention (technical contribution) embodied in that source or object code used with blockchain technology.
Depending on the use case of a specific blockchain application, both personal and non-personal data may be used by participants and registered in the ledger. Where personal data is involved, several issues regarding compliance of the blockchain with the framework data protection rules of the GDPR have been raised and are currently subject to debate. In Portugal, for instance, the Portuguese Data Protection Authority (CNPD) has singled out the processing of personal data using blockchain technologies as one of the three topics for in-depth review in its Action Plan for 2020.
A factor of potential conflict between the blockchain architecture and data protection rules results from the fact that in a blockchain there is no single, centrally responsible, data controller; rather, data may be stored and processed or updated by all participants in the blockchain, in a decentralised design (which is an essential feature of blockchain technology and sets it apart from more traditional models relying on the intervention of trusted third parties). This may make it more difficult for data owners to enforce their rights under the GDPR.
Another point of tension is the apparent incompatibility between the blockchain’s immutable or irreversible design, which seeks to prevent or minimise changes to data (as a crucial means of enhancing security and trust in the database) and the rights to rectification and erasure (right to be forgotten) which the GDPR guarantees to data subjects. Given the potential similarities, in some cases, between a blockchain’s storage and verification of transaction information and the functions traditionally performed by public registry systems (eg, real estate or commercial registry) it seems plausible that the right to erase personal data in this context might warrant a more restrictive interpretation.
Service levels regarding the use of a particular blockchain application or platform should be defined and regulated in the relevant contracts between developer, platform manager and end-user, as applicable.
The fact that a blockchain is distributed to multiple nodes that may be physically located anywhere, and potentially spread out across several jurisdictions, is certain to raise choice of law and jurisdictional issues in the event of disputes. As for other cases of cross-border activities, participants should address the matter by drafting clear choice of law and jurisdiction clauses in their contracts in order to establish an internal governance structure and determine the applicable law and dispute resolution process for a particular transaction, in particular in the case of private or permissioned networks. Compatibility of these contractual provisions with mandatory rules of private international law may need to be assessed on a case-by-case basis.
Big data, machine learning and artificial intelligence (AI) do not have a specific legal or regulatory framework in Portugal but are increasingly topics of debate and study, notably with a view to the framing and adoption of regulatory frameworks in future. A new and mostly innovation-friendly regulatory paradigm seems to be emerging. An example of this new paradigm is a recent Issues Paper from the Portuguese Competition Authority on Technological Innovation and Competition in the Financial Sector, which has proposed the creation of regulatory sandboxes to encourage the development of fintech start-ups and new business models for the financial sector, namely to foster the emergence of “robo-advisers” – ie, investment advisory applications powered by AI.
Additionally, it should be noted that when personal data is processed in this context the requirements of the RGPD must be fulfilled. Special attention should be given to the rules regarding retention periods. According to the GDPR, personal data can only be kept while it is necessary for the purposes for which personal data was collected, and the controller shall establish retention periods of personal data which comply with this rule.
It is also worth mentioning that personal data which has been anonymised is no longer considered to be personal data as defined in the GDPR. Therefore, the requirements under GDPR do not have to be observed if personal data are anonymised.
In March 2019, the Portuguese government constituted a taskforce composed of representatives of multiple public entities and charged with preparing a recommendation on the legislative changes required to enable the introduction of new technologies related to autonomous driving (self-driving cars) in the automobile sector. The recommendation in question has not yet been made available.
Morais Leitão has partnered with legal services AI provider Luminance, an AI platform for lawyers, in the development of a starter-pack of 15 legal clauses in Portuguese. These are now available to the approximately 190 law firms and organisations worldwide that deploy this machine-learning technology.
Internet of Things (IoT) projects have been developing at an interesting rate in Portugal. Although there are no particular restrictions bearing on the scope of these projects, there are concerns about certain issues, such as safeguarding personal data that may be conveyed between connected devices and relevant to the provision of a given service.
Currently, larger customers of IoT solutions have been expressing concerns about potential lock-in in the context of long-term contracts with their connectivity providers as alternative IoT standards are being developed in parallel. On the other hand, electronic communications operators have been striving to develop integrated solutions that add significant value to customers for specific applications, moving beyond the mere provision of mobile connectivity.
A particular potential restriction that has also been weighing on the deployment of machine-to-machine (M2M) projects is the possibility that local authorities or municipalities may decide to subject the roll-out of micro-cells to licensing procedures, permits and specific fees. However, the enactment of Article 57 of the European Electronic Communications Code (approved by Directive (EU) 2018/1972 of the European Parliament and of the Council) and its implementation into Portuguese law should suffice to lay major concerns in this field to rest.
The Portuguese regulatory authority for electronic communications and the postal sector (ANACOM) sent the draft project for the transposition of the European Electronic Communications Code to the government and to Parliament at the end of last year. However, this January 2021, the new law on electronic communications in Portugal has not yet been approved.
During 2019, ANACOM also kicked off a procedure to approve a specific regulation with the object of creating a specific numbering range within the National Numbering Plan for M2M services, including the regulation of number format and length and of conditions associated to their use, with particular reference to number portability and extraterritorial use. The procedure is still pending.
IT service agreements in Portugal are typically based on models and drafts imported from US agreements, given that the USA has historically been at the forefront of IT development and business. Indeed, one need only think of Microsoft, Google, Oracle, Amazon and IBM to see that most of the largest IT service providers in the world have US origins. As a consequence of this, most IT services agreements in Portugal follow the same general structure and have similar clauses to those that can be found in most other jurisdictions.
By and large, the main challenge in the negotiation and performance of an IT service agreement in Portugal is the SLA (service level agreement) goals. In other words, defining what the service level objectives and criteria are, how to handle defects of different severity and what the consequences are for non-compliance (eg, payment of penalties, accumulation of credits, etc).
In addition to the commercial conditions, which are often a major source of discussion, the liability of the parties and possible caps to such liability are also topics that frequently lead negotiations astray. Naturally, the greater the risks of IT failure for the client, the greater the importance of the liability issue in IT agreements with IT providers. By way of example, the financial and utilities sectors give great relevance to the IT supplier’s liability since they are regulated sectors that are obliged to provide constant service to the end customer. In Portugal, it is not possible for parties to previously exclude all liability, a rule that is often difficult for some IT providers to accept.
The entry into force of the GDPR in May 2018 has also brought personal data protection to the forefront of IT service agreements. Data privacy has ceased to be a residual issue regulated by a single clause in the IT services agreement. It is now standard in any IT agreement for data privacy to merit its own lengthy appendix.
Finally, the SaaS (software as a service), IaaS (infrastructure as a service) and PaaS (platform as a service) models that have become commonplace over the last decade have raised many new and interesting issues in Portugal and abroad. One of the hot topics that currently surfaces in every major cross-border IT services agreement is how the payments foreseen in the agreement should be taxed (eg, from VAT, double taxation and withholding tax perspectives). Regarding this subject, clarity is still often lacking.
Core Rules Regarding Data Protection
The core rules regarding data protection in Portugal are set out in Regulation (EU) 2016/679 (GDPR) and in Law No 58/2019 of 8 August, which ensures the implementation in Portugal of the GDPR.
Another important set of rules regarding data protection is Law No 7/2009 (Labour Code), which establishes, in Articles 16 to 22, norms on data processing in the workplace, namely, rules pertaining to the processing of an employee’s biometric data, the demand for medical exams as a condition for employment and the use of remote surveillance methods.
Distinction between Companies/Individuals
The GDPR lays down rules relating to the processing of personal data. According to the GDPR, personal data means “any information relating to an identified or identifiable natural person (‘data subject’)”. Therefore, while data pertaining to natural persons is protected under the GDPR and Portuguese Law No 58/2019 of 8 August, there is no general framework for the protection of legal persons’ data.
However, Portuguese Law No 41/2004 of 18 August, which regulates the protection of personal data in the electronic communications sector, contains specific provisions for the sending of unsolicited communications for direct marketing purposes to natural and legal persons.
Additionally, it should be noted that professional data of natural persons is considered personal data for the purposes of the GDPR (eg, professional mobile phone number). Only professional data exclusively concerning the legal person is not personal data in light of the GDPR (eg, the general telephone number of the company).
General Processing of Data
Under the GDPR, personal data must be processed lawfully, fairly and in a transparent manner, with respect for the principles of purpose limitation and data minimisation, with accuracy, only for the period necessary for the processing’s purpose and with respect for the required organisational measures to ensure the data’s integrity and confidentiality. Additionally, data subjects enjoy the rights to information, access, rectification, erasure, restriction of processing, data portability, object and to not be subjected to automated individual decision-making.
The monitoring of private use by employees of company computer resources is governed primarily by Article 22 of the Labour Code which establishes that, while every employee has a right to the privacy of any personal email communications and non-professional information he or she may send, receive or access, employers are entitled to set out rules for the use of company resources and email accounts.
The CNPD has published guidelines on the monitoring and limitation of employee use, for private or personal purposes, of company computer resources in an employment context; monitoring of an employee’s personal email or social network accounts is not permitted, even if they are accessed through a company computer.
Resolution 1638/2013 of the CNPD states that the monitoring means adopted must have the least impact possible on employee privacy rights and the related data processing must be limited to what is strictly indispensable. Generic monitoring methodologies based on parameters applying to all employees must be preferentially implemented by companies (eg, monitoring of the overall number, cost and duration of voice calls, number of messages sent, type of file attachments and time spent browsing the internet) and are considered generally sufficient to detect situations of abuse. As for traffic data, monitoring should be limited to the time and duration of communications, avoiding details such as numbers called, email addresses or visited websites.
Personal data processed in this context may be maintained for a maximum of six months, notwithstanding its possible use in disciplinary or judicial proceedings. In addition, employees must be informed in advance of the company’s monitoring procedures and the corresponding data processing purposes and limitations.
Rules governing the personal use of company computer resources must be submitted to a privacy impact assessment and set out in an internal regulation. Companies must establish safety measures to ensure that any access for monitoring purposes is traceable, including through the use of digitally signed logs and time-stamps, in order to allow for internal and external audits.
The scope of local telecommunications rules, contained in Law No 5/2004, amended 13 times since its publication (amended and restated by Law No 51/2011 and last amended by Decree-Law No 92/2017, which implemented Directive 2014/61/EU) covers any fixed and mobile communications services as well as wireless and satellite services.
In accordance with the EU regulatory framework for electronic communications, Articles 3 (ff) and 2 (1) (b) of Law No 5/2004 defines an “electronic communications service” as a “service normally provided for remuneration which consists wholly or mainly in the conveyance of signals on electronic communications networks, including telecommunications services and transmission services in networks used for broadcasting, without prejudice to the exclusion referred to in point b) of paragraph 1 of Article 2”; this referral excludes any services which exercise editorial control over content – ie, the “mere” transmission of content is included in the concept as opposed to the actual production of content.
Any services satisfying this definition are covered by the Portuguese telecommunications rules regardless of the underlying technology (given the principle of technological neutrality). VoIP (voice-over internet protocol) services are covered in accordance with a summary regulatory framework adopted by ANACOM in 2006, including the creation of a specific numbering range (30) for nomadic use. According to this framework, VoIP services are regulated, in equivalent terms to the provision of fixed telephony services over the PSTN, with regard to numbering resources (geographic numbering is available on fixed access VoIP services), number portability, interconnection, quality of service and access to emergency services.
As for the requirements for bringing a product/service to the market, under the general authorisation regime that also applies in Portugal – in line with the EU regulatory framework – no licence or authorisation is required for the provision of electronic communications networks or services. This applies to any of the services mentioned above, whether these are publicly available or not. The offer of electronic communications services only requires prior notification to ANACOM – the regulatory authority for the telecommunications and postal sectors, which also performs supervisory, audit and sanctioning functions – after which the network/service provider may commence activities. ANACOM maintains a register of all undertakings that offer electronic communications services.
Despite the above, any activity requiring the use of radio spectrum frequencies or numbering resources depends on the award, by ANACOM, of the respective individual rights of use.
The main requirements for providing an audio-visual service are contained in the statutes governing television and radio broadcasting, respectively Law No 27/2007 (Television Law), last amended by Law No 74/2020, and Law No 54/2010 (Radio Law), last amended by Law No 78/2015.
The above-mentioned Law No 74/2020 was published on 19 November 2020 – though it will only enter into force 90 days after that date – and transposed into the Portuguese legal framework Directive 2018/1808 of the European Parliament and of the Council of 14 November 2018. These amendments have widened the Television Law's material scope to regulate more closely the offer to the public of video sharing platforms and rules on their content.
Under both the Television Law and the Radio Law, broadcasting may only be performed by corporate persons or co-operatives that pursue these activities as their main corporate object. With regard to television activity, a minimum share capital is set forth in the above-mentioned law, whose amount depends on the service and coverage offered.
Both television and radio broadcasting activities are subject to a licence provided they require the use of terrestrial broadcasting spectrum. Licences are awarded by the media regulator (ERC) pursuant to a public tender launched by government decision. In the case of television, the licensing requirement applies to the organisation of free unrestricted access (free-to-air) channels and to the selection and aggregation of conditional access or per subscription channels. If the broadcasting services do not involve the use of radio spectrum, they are only subject to an authorisation by ERC. Moreover, the licenses or authorisations related to these activities are, generally, issued for a period of 15 years, renewable for equal periods. They are given to a specific entity and non-transferable and have as a condition the provision of those services in the generality of the national territory, including the Autonomous Regions (Madeira and Azores).
Applications to ERC for television or radio broadcasting licences must be decided within 90 days from the date they are accepted as complete. Applications for an authorisation must be decided by ERC within 30 days, or 15 days in the case of radio broadcasting.
The fees for obtaining a licence/authorisation for broadcasting activities are set out in Annex IV to Decree-Law No 70/2009. The award or renewal of a national licence to television and radio operators who require the use of spectrum cost, respectively, EUR286,518 and EUR28,662; fees are lower for licences with a merely regional or local geographic scope. The award or renewal of authorisations to television and radio operators cost, respectively, EUR28,662 and EUR3,774.
These activities shall both comply with the competition rules, and their legal frameworks prevent them from being exercised or financed, directly or indirectly, by political parties or associations, trade union organisations, or public associations, except if it is exercised exclusively through the internet or refers to conditional access channels.
The above requirements do not apply to companies with online video channels or streaming service providers, such as Netflix or Amazon Prime, for instance, which remain essentially unregulated.
There are several laws which specifically require companies to use encryption technology to safeguard data integrity or otherwise establish duties related to encryption.
Law No 5/2004, which establishes the general framework for electronic communications, allows the national regulatory authority for communications (ANACOM) to require that electronic communications service providers supply the competent national authorities with the means to decrypt or decipher data, whenever those measures are offered to consumers. Under the rights of use to the mobile spectrum frequencies issued to the three mobile network operators in Portugal, all are required to supply the competent national authorities with the aforementioned means.
Another important set of rules related to electronic communications is contained in Law No 32/2008 and Ordinance No 469/2009, which govern the retention and transmission of traffic and location data for the investigation of serious crimes. Here electronic communications service providers are required to encrypt the information transmitted through an asymmetric cipher, when fulfilling a request for traffic and/or location data made by the judicial authorities.
Similarly, Organic Law No 4/2017 and Ordinance No 237-A/2018, which govern the access to telecommunications and internet data by the Portuguese Intelligence Services, require electronic communications service providers to encrypt the information transmitted through an asymmetric cipher, when answering a request for traffic and/or location data made by intelligence officials.
Another instance where companies are required to encrypt data is found in Law No 34/2013 and Ordinance No 273/2013, which govern private security activities. Here private security companies are required to encrypt any surveillance footage captured by security cameras that is transmitted and to change the encryption key every six months.
Finally, Law No 46/2018, which transposes Directive (EU) 2016/1148, and Commission Implementing Regulation (EU) 2018/151, which together provide a general framework for network and information security, require that digital service providers adopt technical measures aimed at network and information security risk management, which may include the use of encryption.
The use of encryption does not exempt an organisation from following any rules.
In the context of the pandemic, the Portuguese government has enacted specific legislation enabling electronic communications operators to adopt exceptional traffic management measures in order to prevent or mitigate network congestion during lockdown periods.
In particular, Decree Law No 10-D/2020 of 23 March was aimed at responding to the sizeable increase in traffic volumes (both voice and, especially, data) on fixed and mobile networks – due to work-from-home policies and a more intensive use of entertainment and interactive services – by adopting exceptional and temporary measures for the electronic communications sector, such as identifying critical electronic communications services and defining categories of priority customers.
Under this legislation, services defined as critical are to be given priority for purposes of service continuity and include the following:
When providing these critical services, network and service providers must prioritise several categories of customers, notably public sector entities mainly involved in the provision of healthcare, security and logistical services.
Decree Law No 10-D/2020 also temporarily exempted electronic communications network and service providers from complying with several obligations, such as certain quality of service parameters, the standard deadlines for responding to consumer complaints, defined time periods within which to ensure specific mobile broadband coverage obligations, and an extension of remote portability request implementation deadlines to five business days.
This exceptional set of rules was repealed in August 2020. However, due to the second lockdown in Portugal, reinstated in January 2021, obligations such as identifying critical electronic communications services and defining categories of priority customers have been (re)imposed by Decree Law No 14-A/2021 of 12 January.
It is also worth mentioning the adoption of other exceptional and temporary measures in response to COVID-19, namely those provided for in Law No 7/2020 of 10 April. This statute approved a set of rules aimed at prohibiting the suspension of supply of electronic communication services during the initial state of emergency and the following month, in cases where consumers were in financial difficulty due to the pandemic. This prohibition is still in force, at least during the first part of 2021.
Following 2020 – the year of the pandemic – 2021 looks set to be another challenging year, with the economy continuing to be significantly affected by the COVID-19 crisis, and all efforts still being focused on fighting the virus, most recently by widespread vaccination.
The pandemic has changed habits and forms of consumption. The retail business, for example, is changing location at an even faster rate. Physical stores are increasingly being replaced by online commerce. Delivery logistics chains are strengthening to keep up with the growth of e-commerce, and companies are increasing their investments in platforms which give them global access to the consumer.
The 5G Auction in Portugal
For all these reasons, one of the important events in 2021, throughout Europe and in Portugal, will be the emergence of the fifth-generation mobile services (5G). After a turbulent preparation process, delayed in 2020 by the closure of public services imposed by COVID-19, and continuing discussions with the mobile service network operators serving the Portuguese market, ANACOM – the Portuguese regulator of electronic communications and of postal services – launched the auction that will allocate the radio frequencies for 5G.
The rules of the auction have been widely challenged by the three mobile network operators active in Portugal. This has already led to legal proceedings challenging the auction and its rules before the Portuguese courts and to complaints to the European Commission.
However, despite the contestation, the auction advances. It provides for specific frequency allocation rules for new mobile operators and creates obligations for pre-existing mobile network operators to offer national roaming in favour of the former, thus seeking to create conditions for the emergence of new mobile operators in the Portuguese market, and increasing competition in the mobile segment.
For a long time, ANACOM has been critical of the functioning of the mobile services market, considering that the three existing operators are unduly accommodated. The regulator has regarded this auction as the opportunity to introduce more competition into the market. We will wait for its outcome, but it is foreseen that the mobile services market will be different when the auction ends and the frequencies are allocated. Only time will tell us if emerging new players are able to compete effectively with pre-existing operators in an already mature market with very high voice and data penetration rates, good geographical coverage and affordable prices for most consumers.
This 5G spectrum allocation is essential for digital transformation. The digital economy presupposes an infrastructure that allows permanent connectivity from anywhere. This connectivity is ensured by new generation broadband networks, with high data-carrying capacity, at very high speeds and with very low latency. In mobile services, which allow ubiquitous connectivity, such infrastructure will be provided by 5G networks. Hence, the high economic value of the respective radio frequencies.
The Implications of 5G, Big Data and AI
The potential offered by 5G is enormous, with applications linked to the most varied industries, from automobiles to health, from financial services to the military. The amount of data that the new networks will be able to carry will be enormous. Allied to the enormous computing capacity that exists today, the possibilities, with artificial intelligence, to transport and process these enormous amounts of data (ie, big data) are truly transformational. Hence the importance of data and the care it requires, including from a legal point of view.
Cybersecurity is also crucial: an economy that functions based on communications networks and data is permanently exposed to cyber-attacks aimed precisely at obtaining data, information and all the potential that they hold.
New Technology and Legal Liability
It is another world, where human interaction with the machine will change and where human beings will be replaced in many tasks. For example, self-driving cars are under development, the result of the connectivity provided by 5G and big data. When we reflect on this reality and apply it to law, we understand that technology will also change many of the legal dogmas. Self-driving cars will have an impact on, for example, the rules of civil liability (and the insurance industry). How do we attribute "behaviour" (if one can speak of behaviour in this context)? How do we understand the concept of personal liability? How do we attribute responsibility? (A car accident due to a failure in the navigation software is attributed to whom? The manufacturer of the car? The person in charge of the software? The communications network that was disconnected for a moment and did not allow the application to be updated?)
In all industries, technology combined with 5G networks will allow uses that will greatly disrupt our rules of civil law and non-contractual liability. In the health sector, to choose another example, there is the possibility of performing surgery remotely. Failure, error – caused not by an individual, but by the technological means he or she uses – will force the creation of new legal frameworks. This will have an impact on the insurance industry, which will see the concept of risk changing in a material way.
The European Electronic Communications Code
In terms of legislative changes, 2021 will also be the year in which – throughout Europe, including Portugal – the European Electronic Communications Code (approved by Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018, already amended) will finally begin to apply.
In addition to bringing together in a single text the essential regulation of electronic communications, which is now scattered over four key directives, the Code aims to standardise the interpretation of these concepts, update them and also resolve some problems to which the current framework has not been able to provide an adequate solution. One example is over-the-top (OTT) operators, and the competition they have brought to traditional service providers, who will now be subject to a set of obligations similar to those imposed on most traditional operators when they provide services which have the look and the feel of traditional services, in particular VoIP calling apps.
The new law is likely, in Portugal, to strictly implement the Code and not to bring many specificities, other than the intention of the government to eliminate public phones from universal service obligations. The government will soon approve the text of its draft legislation to be submitted to the Parliament and it is likely that it will not incorporate several suggestions from ANACOM, given the need to swiftly adopt the new implementing act.
One of the issues that ANACOM intended to be dealt with by the legislation implementing the Code was loyalty periods, to lower costs borne by consumers for early termination. ANACOM proposed that, in case of early termination, penalties charged by operators should be calculated as a percentage of the monthly fees payable by consumers for the remaining loyalty period.
In the telecommunications industry, 2021 could still be a year of consolidation. With the "commoditisation" of voice services and of connectivity, many operators now focus their offerings on services delivered from the cloud. This paradigm shift has led to some consolidation in the market, as well as to the appearance of new players.
Although the overwhelming use of cloud solutions in the Portuguese market shows that companies from all sectors have overcome a certain distrust in outsourcing non-core parts of their business to cloud service providers, international data transfers are still a growing concern. This affects Portugal’s ties with traditional trading partners such as the USA and the UK.
Following the Schrems II decision of the Court of Justice of the EU, the safeguards for international data transfers for the USA and other countries must be reinforced and additional safeguards obtained to ensure seamless data protection for EU data wherever they travel. This greatly affects cloud computer service providers from third countries, in particular from the USA. However, implementing Schrems II is challenging for companies, given the magnitude of the requirements introduced by the Court of Justice of the EU.
Brexit and Data Security
The same remarks apply to the uncertainty brought about by Brexit regarding data security. A solution is needed that allows the recognition of the UK as a country offering adequate protection for personal data. However, the transitional post-Brexit solution found to enable data transfers to the UK does not guarantee that such an outcome will be possible to achieve in a short timeframe. This is a concern for Portuguese companies, considering that the UK is one of the most important trading partners for Portugal.
Another area of consolidation is telecommunication towers. The last few years have seen the sale of part of the respective towers by the mobile network operators in Portugal. It is anticipated that this movement will continue, with an increase in business opportunities for the tower operators because of the auction for 5G, due to the need to develop and increase the geographical coverage of mobile networks.
On the media side, 2020 was also an intense year, particularly in television, with one of the Portuguese main television operators being the subject of several takeover bids. Two are still in dispute. The dominance of the Portuguese television market remains intense, which has attracted and will continue to attract opportunities for legal work in the corporate and capital market areas, as well as in regulation. In fact, the way in which some shareholder changes have taken place, overlooking the control and intervention of the regulatory authorities, has generated controversy, giving rise to several processes with the regulators of media, of capital markets and of competition.
It is also relevant to mention the approval of the law implementing the revised Audio-visual Media Services Directive (AVMS Directive) into national law.
One of the innovations brought by this legislation is the specific regulation of video-sharing platform providers, which fall under the obligation to actively protect consumers (including children) from harmful content and to regulate marketing activities and publicity, as well as to provide effective means to respond to complaints.
This is a ground-breaking change which makes the regulation of video-sharing platforms closer to that of television operators and, in that respect, introduces something close to a level playing field in services such as YouTube, TikTok or Facebook. One interesting aspect is that the media and audio-visual regulator, ERC, will oversee compliance of the platforms with the new obligations.
Finally, it should be noted that, due to the country-of-origin principle, the legislation will only apply to video-sharing platforms established in Portugal.