TMT 2022

Last Updated February 22, 2022

Portugal

Law and Practice

Authors



Morais Leitão, Galvão Teles, Soares da Silva & Associados, SP, RL is a leading full-service law firm in Portugal, with a solid background of decades of experience. Broadly recognised, Morais Leitão is a reference in several branches and sectors of the law on both a national and an international level. The firm’s reputation amongst both peers and clients stems from the excellence of the legal services provided. The firm’s work is characterised by its unique technical expertise, combined with a distinctive approach and cutting-edge solutions that often challenge some of the most conventional practices. With a team comprising over 250 lawyers at a client’s disposal, Morais Leitão is headquartered in Lisbon and has additional offices in Porto and Funchal. Due to its network of associations and alliances with local firms and the creation of the Morais Leitão Legal Circle in 2010, the firm can also offer support through offices in Angola (ALC Advogados), Cabo Verde (VPQ Advogados) and Mozambique (MDR Advogados).

Recent years have seen a sizeable increase in migration by Portuguese corporate users of their IT infrastructure to cloud-based services. Cost reductions and efficiencies have been the main driver for this trend, but other factors such as the self-service, flexible and scalable nature of cloud services have also contributed. According to Eurostat, while in 2020 29% of Portuguese companies had access to computing resources hosted by third parties, in December 2021 35% of Portuguese companies did.

Council of Ministers Resolution No 29/2020 encouraged the development of a legislative framework to facilitate research, simulation and testing activities, in a real environment, for innovative technologies, products, services, and models in Portugal (including, among others, artificial intelligence, blockchain, virtual reality, big data, 5G or Internet of Things), through the creation of Technological Free Zones (TFZs).

One year later, Decree Law 67/2021, of 30 July, set out the legal framework for establishing TFZs in Portugal. Even though this statute does not officially create the TFZs (for now), it determines the conditions for their implementation, intending to set up several TFZs, each especially focused on specific technologies or sectors.

Portugal will, therefore, join countries such as Australia, Canada, India and Singapore. In particular, the government highlights three goals to be achieved through the creation of TFZs:

  • to promote Portugal’s positioning in R&D activities and its participation in international projects;
  • to attract innovative projects and foreign investment related to emerging technologies; and
  • to promote a culture of experimentation aimed at ensuring the sustainability of technological development.

Moreover, the Portuguese government introduced an Action Plan for Digital Transition through the Council of Ministers Resolution No 30/2020, which is considered an essential instrument for the country's development. This action plan foresees, in particular, a cloud strategy for the public administration, aiming to create a strategic framework for its integration in the cloud through the adoption of computing tools, and the digital transformation of businesses. In this context, in December 2020, the Portuguese government and Amazon Web Services (AWS) signed a Memorandum of Understanding (MoU) to help accelerate adoption of cloud computing in the public sector and contribute to the national digital transition strategy of Portugal.

Laws and Regulations in Relation to the Cloud

In Portugal, there are no national laws or regulations specifically regulating cloud computing.

However, Law No 46/2018 of 13 August, which establishes the legal framework for security in cyberspace and transposes Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016, concerning measures for a high common level of security of network and information systems across the European Union (NIS Directive), defines “cloud computing services” as digital services that allow access to a scalable and adaptable set of shared computing resources (Article 3 (p)). It also qualifies the providers of such services as digital services providers (Article 11) to whom the cybersecurity regime applies.

This legal framework was recently developed in greater detail by Decree Law No 65/2021, which also implemented EU Regulation 2019/881 setting up a national cybersecurity certification scheme. This statute brought into place security requirements for networks and information systems as well as detailed procedures for security incident reporting. These rules apply to critical infrastructure operators, operators of essential services, digital service providers and public administration entities and involve compliance with several obligations – for instance, appointing a security officer and a permanent point of contact, and maintaining an updated asset inventory and security plan.

Furthermore, in the context of entrusting processes or data to the cloud, certain limitations can nevertheless arise from general provisions (namely those governing the provision of services, consumer protection rules, IP law and data protection law). In practice, the contract terms between the cloud service provider and its client should stipulate, or circumvent, any relevant limitations.

General contract rules will apply to the formation and performance of cloud service contracts. These may vary from entirely standardised terms of service to more flexible and negotiated arrangements, with a content more tailored to the cloud service user’s requirements.

Typical issues raised in the context of cloud computing service contracts include the following:

  • compliance with data protection regulations imposed on the customers of a cloud services provider; 
  • liability in case of a security breach that involves a disclosure or a loss of confidential information and/or personal data;
  • the question of the return or deletion of personal data and confidential information and the deadline to execute these actions after the conclusion of the services provided by the cloud service provider;
  • the deadline for the cloud service provider to notify the customer of a personal data breach; 
  • technical and operative requirements to ensure the security of the information stored by the cloud service provider;
  • SLA objectives and penalties, namely the time to solve technical problems which may lead to a lack of service access provided by the cloud service provider. 

Industry-Specific Regulations/Guidelines

In Portugal, there is no industry-specific legal regulation in relation to the cloud. However, there are industry recommendations and guidelines, notably for the financial services industry.

The Portuguese Central Bank (Banco de Portugal or BdP), which is also the supervisory authority for the financial services sector, has stated its intention to ensure compliance with the European Banking Authority’s (EBA) guidelines on outsourcing arrangements in its Carta Circular (guideline) No CC/2019/25. Although this refers explicitly to the 2017 Cloud Outsourcing Guidelines, these have been subsequently revised by the EBA in February 2019 and the current (and broader, covering also non-cloud outsourcing contracts) version is assumed to apply as of 30 September 2019.

Under the guidelines, specific requirements apply if the contracting of cloud-based services by a financial services provider constitutes a material outsourcing, involving the outsourcing to a cloud services provider of "critical or important" functions, such as those involving banking activities or payment functions.

Processing of Personal Data in the Context of the Cloud

The processing of personal data in the context of cloud computing is subject to the general rules on data protection established in the GDPR. Special attention should be given to the rules regarding data transfers to non-EEA countries, namely whether or not the transfers are made on the basis of an adequacy decision and whether appropriate safeguards for data protection are in place.

If a cloud services provider has a data centre in a non-EEA country, that factor should be taken into account. Also, attention and due care should be given to the appropriate technical and organisational measures against unauthorised access, as well as the availability and integrity of the personal data stored in the cloud (eg, encryption of the personal data).

It should be noted that cloud service providers are processors in light of the GDPR. Therefore, according to Article 28 of the GDPR, an agreement should be concluded to regulate the processing of personal data carried out by the processor, which should include the identification of the processors contracted by the cloud service provider (ie, subprocessors).

Additionally, it is worth mentioning that it is not prohibited to use cloud service providers located outside the EEA. However, according to the GDPR, any transfer of personal data to non-EEA countries shall take place only if:

  • the European Commission has decided that the country in question ensures an adequate level of protection for personal data;
  • the controller or processor has provided appropriate safeguards (eg, standard contractual binding clauses), and on condition that enforceable data subjects' rights and effective legal remedies for data subjects are available; or
  • in the absence of an adequacy decision from the European Commission and of appropriate safeguards, and on an exceptional basis*:
    1. the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
    2. the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request and the transfer of personal data is occasional;
    3. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
    4. the transfer is necessary for important reasons of public interest;
    5. the transfer is necessary for the establishment, exercise or defence of legal claims;
    6. the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or
    7. the transfer is made from a register which, according to EU or member state law, is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by EU or member state law for consultation are fulfilled in the particular case.

* According to Article 29 Working Party – which was the independent EU Advisory Body on Data Protection and Privacy and which, with the entry into force of the GDPR on 25 May 2018, has been replaced by the European Data Protection Board – these derogations are exceptions from the rule that personal data may not be transferred to a non-EEA country unless the country provides for an adequate level of data protection or appropriate safeguards are put in place.

Blockchain (or distributed ledger) technology may be described as an encrypted database which keeps an irreversible and updated record of transaction information. The blockchain database compiles transactions in blocks, which are time-stamped, and distributed across a network of peer-to-peer participants (decentralised model). An integral copy of the database is stored in each of the network’s computers, or nodes. To date, although many other potential applications hold enormous interest, blockchain has mainly been used in the context of cryptocurrencies and digital financial transactions.

With the publication of Law No 58/2020, of 31 August, implementing Directive (EU) 2018/843 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU, Banco de Portugal has taken on the supervision of entities that manage virtual assets, or cryptocurrencies, in compliance with the legal and regulatory provisions applicable to the prevention of money laundering and financing of terrorism (exclusively).

In particular, BdP is responsible for registering entities that perform “exchange services between virtual assets and fiat currencies or between one or more virtual assets”, “virtual asset transfer services” and/or “custody or custody services and administration of virtual assets or instruments that allow controlling, holding, storing or transferring these assets, including private cryptographic keys”.

It should also be noted that, following the publication of Law No 58/2020, of 31 August, the BdP launched a public consultation on a draft notice (and the respective explanatory memorandum) aimed at regulating the information and documentation:

  • of the application for registration by entities wishing to carry out activities with virtual assets;
  • of the requests for changes in the facts subject to registration by entities carrying out activities with virtual assets.

The public consultation ended in December 2020 and its results were published in 2021.

In addition, we note that in December 2021, the BdP announced the creation of a “contact group” to discuss the phenomenon of cryptocurrencies and the possible issuance of a digital euro, a project under discussion within the European Central Bank (ECB).

Risk and Liability

Risk and liability issues will depend on the specific blockchain solutions or applications in question and on the blockchain’s private/permissioned or public/permissionless network structure. In any circumstance, and given the lack of specific legal rules or regulations, it is advisable for all entities involved to carefully assess potential risk and liability implications and to set up an appropriate contractual framework regulating these matters. This will involve allocating liability between blockchain developers and platform operators (eg, for smart contracts), notably for system errors and failures, and between the latter and downstream users (in this case, probably through more standardised contract terms). In addition to contractual regulation, insurance coverage may be advisable depending on the extent of each participant’s liabilities.

Risk has received greater regulatory attention in the context of cryptocurrencies. In line with similar moves by many other European central banks and regulatory authorities for the financial sector, Banco de Portugal has issued several public statements with warnings on cryptocurrencies, notably a statement addressing Bitcoin (November 2013) and a subsequent one addressing the risks of using cryptocurrencies in general (October 2014).

The Portuguese capital markets authority (CMVM) has also published similar warnings to investors. In November 2017 it issued a warning concerning the potential risks of ICOs (initial coin offerings) for investors. More recently, in July 2018, CMVM published a notice addressed to entities involved in ICOs on the legal qualification of tokens. In this notice, it emphasised the need for the legal nature of tokens being offered in an ICO to be assessed, notably as to the possible qualification as securities. CMVM further stated that tokens may, depending on a case-by-case assessment, qualify as (atypical) securities under Portuguese law. 

Furthermore, in December 2020, the BdP also published a paper on crypto-assets, identifying the main risks underlying the use of crypto-assets:

  • volatility risk – ie, the risk associated to the fluctuation of the market value;
  • operational risk, related to the unsupervised trading platforms;
  • regulatory risk, due to different approaches from regulators, supervisors and other authorities;
  • anonymity – ie, associated to the risk of crypto-assists being used for criminal purposes;
  • tax invasion risk; and
  • risk arising from the absence or definitory information.

Finally, in March 2021, CMVM considered that, although the involvement of more investors in the capital market is beneficial for the economy, a relevant number of proposals have arisen for investments in instruments that are not under its supervision. In this context, it published a set of questions and answers on cryptocurrencies.

Intellectual Property

Blockchain technology created for an application may be protected by Portuguese copyright law and the Portuguese legislation applicable to trade secrets. Under Portuguese law, it is harder to protect an application involving blockchain technology by means of a patent due to the exclusion of source and object code from patentability, except if there is an invention (technical contribution) embodied in that source or object code used with blockchain technology.   

Data Privacy

Depending on the use case of a specific blockchain application, both personal and non-personal data may be used by participants and registered in the ledger. Where personal data is involved, several issues regarding compliance of the blockchain with the framework data protection rules of the GDPR have been raised and are currently subject to debate. In Portugal, for instance, the Portuguese Data Protection Authority (CNPD) has singled out the processing of personal data using blockchain technologies as one of the three topics for in-depth review in its Action Plan for 2020.

A factor of potential conflict between the blockchain architecture and data protection rules results from the fact that in a blockchain there is no single, centrally responsible, data controller; rather, data may be stored and processed or updated by all participants in the blockchain, in a decentralised design (which is an essential feature of blockchain technology and sets it apart from more traditional models relying on the intervention of trusted third parties). This may make it more difficult for data owners to enforce their rights under the GDPR.

Another point of tension is the apparent incompatibility between the blockchain’s immutable or irreversible design, which seeks to prevent or minimise changes to data (as a crucial means of enhancing security and trust in the database) and the rights to rectification and erasure (right to be forgotten) which the GDPR guarantees to data subjects. Given the potential similarities, in some cases, between a blockchain’s storage and verification of transaction information and the functions traditionally performed by public registry systems (eg, real estate or commercial registry) it seems plausible that the right to erase personal data in this context might warrant a more restrictive interpretation.

Service Levels

Service levels regarding the use of a particular blockchain application or platform should be defined and regulated in the relevant contracts between developer, platform manager and end-user, as applicable.

Jurisdictional Issues

The fact that a blockchain is distributed to multiple nodes that may be physically located anywhere, and potentially spread out across several jurisdictions, is certain to raise choice of law and jurisdictional issues in the event of disputes. As for other cases of cross-border activities, participants should address the matter by drafting clear choice of law and jurisdiction clauses in their contracts in order to establish an internal governance structure and determine the applicable law and dispute resolution process for a particular transaction, in particular in the case of private or permissioned networks. Compatibility of these contractual provisions with mandatory rules of private international law may need to be assessed on a case-by-case basis.

Big data, machine learning and artificial intelligence (AI) do not have a specific legal or regulatory framework in Portugal but are increasingly topics of debate and study, notably with a view to the framing and adoption of regulatory frameworks in future. A new and mostly innovation-friendly regulatory paradigm seems to be emerging. An example of this new paradigm is a recent Issues Paper from the Portuguese Competition Authority on Technological Innovation and Competition in the Financial Sector, which has proposed the creation of regulatory sandboxes to encourage the development of fintech start-ups and new business models for the financial sector, namely to foster the emergence of “robo-advisers” – ie, investment advisory applications powered by AI.

Additionally, it should be noted that when personal data is processed in this context the requirements of the GDPR must be fulfilled. Special attention should be given to the rules regarding retention periods. According to the GDPR, personal data can only be kept while it is necessary for the purposes for which personal data was collected, and the controller shall establish retention periods of personal data which comply with this rule.

It is also worth mentioning that personal data which has been anonymised is no longer considered to be personal data as defined in the GDPR. Therefore, the requirements under GDPR do not have to be observed if personal data are anonymised.

Internet of Things (IoT) projects have been developing at an interesting rate in Portugal. Although there are no particular restrictions bearing on the scope of these projects, there are concerns about certain issues, such as safeguarding personal data that may be conveyed between connected devices and relevant to the provision of a given service.

Currently, larger customers of IoT solutions have been expressing concerns about potential lock-in in the context of long-term contracts with their connectivity providers as alternative IoT standards are being developed in parallel. On the other hand, electronic communications operators have been striving to develop integrated solutions that add significant value to customers for specific applications, moving beyond the mere provision of mobile connectivity.

A particular potential restriction that has also been weighing on the deployment of machine-to-machine (M2M) projects is the possibility that local authorities or municipalities may decide to subject the roll-out of micro-cells to licensing procedures, permits and specific fees. However, the enactment of Article 57 of the European Electronic Communications Code (approved by Directive (EU) 2018/1972 of the European Parliament and of the Council) and its implementation into Portuguese law should suffice to lay major concerns in this field to rest, although implementation of the Directive has still not taken place.

The Portuguese regulatory authority for electronic communications and the postal sector (ANACOM) sent the draft project for the implementation of the European Electronic Communications Code to the government and to Parliament at the end of 2020. However, the new law on electronic communications in Portugal has not yet been approved. 

In July 2021, ANACOM also adopted a resolution introducing changes to the National Frequency Framework allowing for additional spectrum frequencies in the 870-876 MHz and 915-921 MHz ranges to be available for short-range devices, with the goal of fostering innovative IoT and M2M applications and enhanced Wi-Fi and RFID solutions.

IT service agreements in Portugal are typically based on models and drafts imported from US agreements, given that the USA has historically been at the forefront of IT development and business. Indeed, one need only think of Microsoft, Google, Oracle, Amazon and IBM to see that most of the largest IT service providers in the world have US origins. As a consequence of this, most IT services agreements in Portugal follow the same general structure and have similar clauses to those that can be found in most other jurisdictions.

By and large, the main challenge in the negotiation and performance of an IT service agreement in Portugal is the SLA (service level agreement) goals. In other words, defining what the service level objectives and criteria are, how to handle defects of different severity and what the consequences are for non-compliance (eg, payment of penalties, accumulation of credits).

In addition to the commercial conditions, which are often a major source of discussion, the liability of the parties and possible caps to such liability are also topics that frequently lead negotiations astray. Naturally, the greater the risks of IT failure for the client, the greater the importance of the liability issue in IT agreements with IT providers. By way of example, the financial and utilities sectors give great relevance to the IT supplier’s liability since they are regulated sectors that are obliged to provide constant service to the end customer. In Portugal, it is not possible for parties to previously exclude all liability, a rule that is often difficult for some IT providers to accept.

The entry into force of the GDPR in May 2018 has also brought personal data protection to the forefront of IT service agreements. Data privacy has ceased to be a residual issue regulated by a single clause in the IT services agreement. It is now standard in any IT agreement for data privacy to merit its own lengthy appendix.

Finally, the SaaS (software as a service), IaaS (infrastructure as a service) and PaaS (platform as a service) models that have become commonplace over the last decade have raised many new and interesting issues in Portugal and abroad. One of the hot topics that currently surfaces in every major cross-border IT services agreement is how the payments foreseen in the agreement should be taxed (eg, from VAT, double taxation and withholding tax perspectives). Regarding this subject, clarity is still often lacking.

Core Rules regarding Data Protection

The core rules regarding data protection in Portugal are set out in Regulation (EU) 2016/679 (GDPR) and in Law No 58/2019 of 8 August, which ensures the implementation in Portugal of the GDPR.

Another important set of rules regarding data protection is Law No 7/2009 (Labour Code), which establishes, in Articles 16 to 22, norms on data processing in the workplace, namely, rules pertaining to the processing of an employee’s biometric data, the demand for medical exams as a condition for employment and the use of remote surveillance methods.

Distinction between Companies/Individuals

The GDPR lays down rules relating to the processing of personal data. According to the GDPR, personal data means “any information relating to an identified or identifiable natural person (‘data subject’)”. Therefore, while data pertaining to natural persons is protected under the GDPR and Portuguese Law No 58/2019 of 8 August, there is no general framework for the protection of legal persons’ data.

However, Portuguese Law No 41/2004 of 18 August, which regulates the protection of personal data in the electronic communications sector, contains specific provisions for the sending of unsolicited communications for direct marketing purposes to natural and legal persons.

Additionally, it should be noted that professional data of natural persons is considered personal data for the purposes of the GDPR (eg, professional mobile phone number). Only professional data exclusively concerning the legal person is not personal data in light of the GDPR (eg, the general telephone number of the company).

General Processing of Data

Under the GDPR, personal data must be processed lawfully, fairly and in a transparent manner, with respect for the principles of purpose limitation and data minimisation, with accuracy, only for the period necessary for the processing’s purpose and with respect for the required organisational measures to ensure the data’s integrity and confidentiality. Additionally, data subjects enjoy the rights to information, access, rectification, erasure, restriction of processing, data portability, object and to not be subjected to automated individual decision-making.

The monitoring of private use by employees of company computer resources is governed primarily by Article 22 of the Labour Code which establishes that, while every employee has a right to the privacy of any personal email communications and non-professional information they may send, receive or access, employers are entitled to set out rules for the use of company resources and email accounts.

The CNPD has published guidelines on the monitoring and limitation of employee use, for private or personal purposes, of company computer resources in an employment context; monitoring of an employee’s personal email or social network accounts is not permitted, even if they are accessed through a company computer.

Resolution 1638/2013 of the CNPD states that the monitoring means adopted must have the least impact possible on employee privacy rights and the related data processing must be limited to what is strictly indispensable. Generic monitoring methodologies based on parameters applying to all employees must be preferentially implemented by companies (eg, monitoring of the overall number, cost and duration of voice calls, number of messages sent, type of file attachments and time spent browsing the internet) and are considered generally sufficient to detect situations of abuse. As for traffic data, monitoring should be limited to the time and duration of communications, avoiding details such as numbers called, email addresses or visited websites.

Personal data processed in this context may be maintained for a maximum of six months, notwithstanding its possible use in disciplinary or judicial proceedings. In addition, employees must be informed in advance of the company’s monitoring procedures and the corresponding data processing purposes and limitations.

Rules governing the personal use of company computer resources must be submitted to a privacy impact assessment and set out in an internal regulation. Companies must establish safety measures to ensure that any access for monitoring purposes is traceable, including through the use of digitally signed logs and time-stamps, in order to allow for internal and external audits.

The scope of local telecommunications rules, contained in Law No 5/2004, amended 15 times since its publication (amended and restated by Law No 51/2011 and last amended by Decree Law No 49/2020) covers any fixed and mobile communications services as well as wireless and satellite services.

In accordance with the 2002 EU regulatory framework for electronic communications, Articles 3 (ff) and 2 (1) (b) of Law No 5/2004 define an “electronic communications service” as a “service normally provided for remuneration which consists wholly or mainly in the conveyance of signals on electronic communications networks, including telecommunications services and transmission services in networks used for broadcasting, without prejudice to the exclusion referred to in point b) of paragraph 1 of Article 2”; this referral excludes any services which exercise editorial control over content – ie, the “mere” transmission of content is included in the concept as opposed to the actual production of content.

Any services satisfying this definition are covered by the Portuguese telecommunications rules regardless of the underlying technology (given the principle of technological neutrality). VoIP (voice-over internet protocol) services are covered in accordance with a summary regulatory framework adopted by ANACOM in 2006, including the creation of a specific numbering range (30) for nomadic use. According to this framework, VoIP services are regulated, in equivalent terms to the provision of fixed telephony services over the PSTN, with regard to numbering resources (geographic numbering is available on fixed access VoIP services), number portability, interconnection, quality of service and access to emergency services.

As for the requirements for bringing a product/service to the market, under the general authorisation regime that also applies in Portugal – in line with the EU regulatory framework – no licence or authorisation is required for the provision of electronic communications networks or services. This applies to any of the services mentioned above, whether these are publicly available or not. The offer of electronic communications services only requires prior notification to ANACOM – the regulatory authority for the telecommunications and postal sectors, which also performs supervisory, audit and sanctioning functions – after which the network/service provider may commence activities. ANACOM maintains a register of all undertakings that offer electronic communications services.

Despite the above, any activity requiring the use of radio spectrum frequencies or numbering resources depends on the award, by ANACOM, of the respective individual rights of use.

The current legal framework will be overhauled when EU Directive 2018/1972, approving the Electronic Communications European Code, is finally implemented into the Portuguese legal system. Currently, a draft bill (Proposal No 83/XIV) is still pending parliamentary approval.

The main requirements for providing an audio-visual service are contained in the statutes governing television and radio broadcasting, respectively Law No 27/2007 (Television Law), last amended by Law No 74/2020, and Law No 54/2010 (Radio Law), last amended by Law No 78/2015.

The above-mentioned Law No 74/2020 was published on 19 November 2020 – though it will only enter into force 90 days after that date – and transposed into the Portuguese legal framework Directive 2018/1808 of the European Parliament and of the Council of 14 November 2018. These amendments have widened the Television Law's material scope to regulate more closely the offer to the public of video sharing platforms and rules on their content.

Under both the Television Law and the Radio Law, broadcasting may only be performed by corporate persons or co-operatives that pursue these activities as their main corporate object. With regard to television activity, a minimum share capital is set forth in the above-mentioned law, whose amount depends on the service and coverage offered.

Both television and radio broadcasting activities are subject to a licence provided they require the use of terrestrial broadcasting spectrum. Licences are awarded by the media regulator (ERC) pursuant to a public tender launched by government decision. In the case of television, the licensing requirement applies to the organisation of free unrestricted access (free-to-air) channels and to the selection and aggregation of conditional access or per subscription channels. If the broadcasting services do not involve the use of radio spectrum, they are only subject to an authorisation by ERC. Moreover, the licenses or authorisations related to these activities are, generally, issued for a period of 15 years, renewable for equal periods. They are given to a specific entity and non-transferable and have as a condition the provision of those services in the generality of the national territory, including the Autonomous Regions (Madeira and Azores).

Applications to ERC for television or radio broadcasting licences must be decided within 90 days from the date they are accepted as complete. Applications for an authorisation must be decided by ERC within 30 days, or 15 days in the case of radio broadcasting.

The fees for obtaining a licence/authorisation for broadcasting activities are set out in Annex IV to Decree Law No 70/2009. The award or renewal of a national licence to television and radio operators who require the use of spectrum cost, respectively, EUR286,518 and EUR28,662; fees are lower for licences with a merely regional or local geographic scope. The award or renewal of authorisations to television and radio operators cost, respectively, EUR28,662 and EUR3,774.

These activities shall both comply with the competition rules, and their legal frameworks prevent them from being exercised or financed, directly or indirectly, by political parties or associations, trade union organisations, or public associations, except if it is exercised exclusively through the internet or refers to conditional access channels.

The above requirements do not apply to companies with online video channels or streaming service providers, such as Netflix or Amazon Prime, for instance, which remain essentially unregulated.

There are several laws which specifically require companies to use encryption technology to safeguard data integrity or otherwise establish duties related to encryption.

Law No 5/2004, which still contains the general framework for electronic communications, allows the national regulatory authority for communications (ANACOM) to require that electronic communications service providers supply the competent national authorities with the means to decrypt or decipher data, whenever those measures are offered to consumers. Under the rights of use to the mobile spectrum frequencies issued to the three mobile network operators in Portugal, all are required to supply the competent national authorities with the aforementioned means.

Another important set of rules related to electronic communications is contained in Law No 32/2008 and Ordinance No 469/2009, which govern the retention and transmission of traffic and location data for the investigation of serious crimes. Here electronic communications service providers are required to encrypt the information transmitted through an asymmetric cipher, when fulfilling a request for traffic and/or location data made by the judicial authorities.

Similarly, Organic Law No 4/2017 and Ordinance No 237-A/2018, which govern the access to telecommunications and internet data by the Portuguese Intelligence Services, require electronic communications service providers to encrypt the information transmitted through an asymmetric cipher, when answering a request for traffic and/or location data made by intelligence officials.

Another instance where companies are required to encrypt data is found in Law No 34/2013 and Ordinance No 273/2013, which govern private security activities. Here private security companies are required to encrypt any surveillance footage captured by security cameras that is transmitted and to change the encryption key every six months.

Finally, Law No 46/2018, which transposes Directive (EU) 2016/1148, and Commission Implementing Regulation (EU) 2018/151, which together provide a general framework for network and information security, require that digital service providers adopt technical measures aimed at network and information security risk management, which may include the use of encryption.

The use of encryption does not exempt an organisation from following any rules.

In the context of the pandemic, the Portuguese government has enacted specific legislation enabling electronic communications operators to adopt exceptional traffic management measures in order to prevent or mitigate network congestion during lockdown periods.

Although some measures ceased to exist during 2021, there are still exceptional measures in force that are worth mentioning.

Currently, the rules in force for the electronic communications sector are regulated by Decree Law No 56-B/2021, of 7 July (which establishes the guarantee of supply of essential services), amended by Decree Law No 70-A/2021, of 6 August and by Decree Law No 119-B/2021 and the Resolution of the Council of Ministers No 181-A/2021.

These rules prohibit the suspension of supply of electronic communication services in cases where consumers were in financial difficulty due to the pandemic. This obligation was already provided for in Law No 7/2020 of 10 April and has been successively extended.

Also, until 31 March 2022, consumers who are unemployed or whose household income has fallen by 20% or more compared with their income in the previous month may unilaterally terminate telecommunications contracts, without the service provider being entitled to compensation, or temporarily suspend telecommunications contracts, without penalties or additional clauses, resuming on 1 April 2022 or on a date to be agreed between supplier and consumer.

Finally, these rules also foresee that in the event of unemployment, a drop in household income of 20% or more, or infection by COVID-19, the client that has a debt related to the supply of electronic communications services must be given the opportunity of setting a payment plan defined jointly by the provider and the client.

Morais Leitão, Galvão Teles, Soares da Silva & Associados, SP, RL

Rua Castilho, 165
1070-050 Lisboa
Portuga

+351 21 381 74 00

+351 21 381 74 99

mlgtslisboa@mlgts.pt www.mlgts.pt
Author Business Card

Trends and Developments


Authors



Sérvulo & Associados – Sociedade de Advogados, SP, RL is a Portuguese full-service firm with more than 20 years of legal experience, which occupies a leading position in the Portuguese legal market. Recognised for the quality of its legal services in all relevant areas of law and strategic sectors, Sérvulo has a highly competent multidisciplinary team of more than 100 lawyers, motivated by a single purpose: to transform academic research and accumulated knowledge in the design of sound legal solutions, thus creating added value for its clients. Sérvulo is trusted by a vast number of major private and public entities, both domestic and international, in the Portuguese-speaking legal markets and in all the most significant economic sectors. It houses a roster of lawyers who are fully capable of facing all of the challenges that may arise at any time and in any field of the law. Sérvulo’s practice areas are recognised by the main legal directories.

COVID-19: Impact, Consequences and Resilience

Despite the optimistic forecast for 2021, which was expected to be a year of economic recovery in a (hopefully) post COVID-19 world, we are still faced with the hard reality that, regardless of a hesitant partial return to a sort of “normal” life during the warmer months – with some recovery of international travel and associated tourism, as well as retail consumption – the fight against COVID-19 remains the primary focus of both governments and of society as whole.

Even given widespread vaccination across Europe – in which regard Portugal has had impressive results, due to a huge logistic effort by the government, aided by the military and with the overwhelming acceptance of the population – due to the appearance of new virus variants and the colder months in the northern hemisphere, it seems that 2022, or at least the first half of it, will still be mostly focused on managing the pandemic and finding the necessary public resources to do so, with the possibility of going back to restrictions or even partial lockdowns.

If it was already clear that the pandemic produced profound changes in the economy and in society, this is even more clear following 2021, when good recovery indicators turned into new restrictive measures and the general public acquired new consumer and work habits (confirmed by supportive private practices and legislative measures), once again confirming the need and the continuity of online sales alternatives, the continuous reinforcement of network capacity and in business investment in the digitalisation of operations.

It is worth noting that the public sector and companies are now turning to 2019 compliance targets, that were put on hold for the past two years, and are rethinking their policies and procedures. As for the TMT sector, generally it has had the opportunity to assess market gaps and new business opportunities for expansion into areas that were clearly not ready for long periods of confinement and preferential remote working.

The last two years have provided a huge boost for technological development. There has been a constant challenge to the reliability of communications networks, as well as the dematerialisation of retail outlets resulting in a digitalisation of business with the proliferation of, for example, digital ordering and delivery systems in the food sector and other retail business, which is now largely widespread as a consumer habit in the majority of the urban population.

All this calls for digitalisation, which has now coincided with a period of revolution in the Portuguese communications paradigm with the introduction of the fifth generation of mobile services (5G) in communications networks. If the last years have taught us something, it is that technology can provide possible solutions to help adapt society to the new reality, bringing new business and investments opportunities.

On a different note, it is relevant to mention that, due to the veto by the national Parliament of the annual state budget for 2022 in late November 2021, which led to a political crisis triggering the fall of the government and the convening of early elections scheduled for late January, it is expected that legislative work, as well as implementation of government policies, will only be fully resumed by the second quarter of 2022, when the new government will be fully in office.

5G Implementation

After a long and heavily criticised auction process that started on 14 January 2021 – preceded by an even more difficult preparation process, heavily delayed during 2020 due to the lockdown and suspension of non-essential public services for most part of that year, as well as ongoing litigation between the mobile service network operators in the Portuguese market and ANACOM, the Portuguese Regulator of electronic communications and postal services – the auction process finally ended by October 2021.

Criticism from consolidated operators in the Portuguese market (dominated by three major companies) such as MEO, which challenged in court ANACOM’s proposals and rules with few results, was based on an alleged constant change of rules by ANACOM, with the purpose of favouring the entry of new operators in the market and thus increasing competition in the mobile segment. Even if there are challenges after the end of the auction, on which no information is currently available, this will not condition the immediate advance of the commercialisation.

In any case, the spectrum bands were attributed, earning the Portuguese state a total amount of EUR566.8 million in the two bidding phases, with six companies acquiring the spectrum lots made available. It is interesting to note that, unlike what happened with the 2011 spectrum allocation for 4G, where TMN (today MEO), Vodafone and Optimus (today NOS) monopolised the spectrum, we now have three new companies entering the market with significant stakes – Dense Air (40MHz), Dixarobil (95MHz) and NOWO (70MHz) – apart from the three companies already consolidated in the market: MEO (104MHz), Vodafone (110MHz) and NOS (134MHz).

Thus, there are now six companies with licences to use frequencies for 5G development, which represents a significant change in the market with the entry of new players, which will undoubtedly bring important consequences and business opportunities.

The closing of the auction was an important step in the implementation of this technology, and all companies licensed to use the 5G spectrum have already been issued the Right to Use Frequencies (DUF, “Direito de Utilização de Frequências”) and are now authorised to begin commercial operation of this technology. This is expected to occur soon, with Vodafone already providing 5G services on a trial basis until the end of January 2022.

Additionally, there is a strong demand by consumers and widespread sale of devices ready for 5G connection, backed with a wave of advertising, as well as several information campaigns on the future possibilities and technological impacts.

Throughout 2021, there was also a recurrent demand for land plots that could be used to site telecommunications towers. With more companies operating in the scope of 5G, this demand is expected to continue, given the need to increase geographic coverage.

In addition, during December 2021, ANACOM has been consulting the market on possible interest in the 26GHz frequency band, which, not being part of the spectrum bands auctioned, has several applications distinct from the others, as it has a higher data transmission capacity. The leasing of such a frequency will be paramount, especially for telecom operators, and we can expect interesting opportunities and developments in this field.

In the medium term, it will be possible to see the implementation of new commercial models that will give rise to new clients and revenue streams from sectors such as agriculture, transport and health. It is also expected that the introduction of AI solutions will reach the telecommunications sector, supported by a fast and high-capacity system such as 5G.

Development of the Telecommunications Market in Portugal

Some interesting conclusions on the state of the telecommunications market in Portugal can be drawn from the increase in the contracting of optic fibre services, where eight out of every ten new customers choose optic fibre. Residential customers of high-speed services at a fixed location reached 3.2 million by the end of the third quarter of 2021, 8.6% more than in the same period of 2020. Also, at a national level we have witnessed a generalised growth in subscriptions to high-speed services, with an estimated 5.9 million homes wired with high-speed networks by December 2021. We note a predominance of FTTH "fibre to the home" versus HFC "hybrid fibre coaxial".

Another relevant point is the continued growth in the subscription to package services, in part due to the marketing strategies employed by economic agents, but with impressive numbers: by December 2021, 90 out of every 100 households had subscribed to some type of package. In this, field MEO leads in the share of revenue from bundled services, followed by NOS, Vodafone and NOWO.

Sub-allocation of E.164 Numbers from the National Numbering Plan

With the approval of the Regulation on the sub-assignment of E.164 numbers from the National Numbering Plan, electronic communication companies that intend to develop new business models will be able to sub-assign numbers attributed from the National Numbering Plan. The Regulation aims at defining the rules applicable to the sub-assignment as requested by companies without resulting in the imposition of a new obligation on companies holding rights of use of numbers assigned by ANACOM, in accordance with European practice. This means that companies offering electronic communications services will now be able to sub-allocate numbers from the National Numbering Plan assigned to them to other companies, which can then make the subsequent allocation to the end user, increasing consumer choice and allowing entrance of new players into the market.

Industrial Development

Technological development needs industrial follow-up, but the semiconductor industry is suffering from the effects of the pandemic, and this will most likely extend to 2022, even if perhaps it is not as severe as the 2020–21 shortage, as some production lines are already recovering the usual activity and stocks. This lack of supply is a natural consequence not only of the pandemic (with the closing of non-essential production lines and redirecting the available resources to essential VMOs), but also of the substantial increase in demand without a corresponding increase in supply.

This lack of supply in chip production is an excellent business opportunity for investment, with records already being broken in venture capital investments in semiconductor companies.

Personal Data Protection and the Role of the CNPD

The Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados, CNPD) has long been seen as a somewhat neglected authority in terms of funding and available resources, limited to a narrower range of action, tending to operate by complaint and more focused on the protection of personal data in the labour context.

However, recently we have been witnessing a heightening of its activity, namely by the issuance of opinions and participation in major processes, such as the one before the European Committee that applied an aggravated fine to WhatsApp for changing its privacy policy and, in July 2021, the prosecution of the municipality of Lisbon for the transmission of personal data of promoters of demonstrations to third entities.

CNPD has adopted a very restrictive position regarding the proposals submitted by security forces for new means of surveillance using drone cameras. It has also vehemently opposed the draft law (Draft Law No 111/XIV/2.ª) on updating the standards of surveillance, as it considers substantially extending the regime currently in force by combining a multiplicity of means of image collection (particularly through drones, bodycams or even by real-time access to video-surveillance systems) operated by private entities with the possibility to convert images into biometric templates, without any limitation and guarantees of non-discrimination, enabling the monitoring of movements of specific citizens through facial recognition without defining purposes and other required criteria.

Regarding the use of cookies, we can expect further developments and guidelines from CNPD, so that organisations can align their practices with legal requirements. Moreover, it is currently carrying out a general survey on how public entities are using certain online services and tools, focusing on the processing of personal data, including the use of cookies and widgets, with a view to a coherent and global intervention for the entire public administration.

Data Governance Act and Results of the Public Consultation on Fair Data Economy

The year 2022 is likely to see fruitful legislative work in the areas of data protection and the regulation of data transfers. Highlighting the political agreement on European Data Spaces and the building of what is intended to be, in the words of Margrethe Vestager (Executive Vice-President for A Europe Fit for the Digital Age), "a first building block for establishing a solid and fair data-driven economy".

The consultation ran from 3 June to 3 September 2021 and looked at proposals to create fairness in data sharing, value for consumers and businesses. This survey is one of the preparatory acts that will accompany the regulatory review of the Directive on the legal protection of databases and the Data Act. The responses were clear that action at EU or national level on data sharing between companies and governments is considered necessary in the public interest, especially for emergency and crisis management, removing obstacles to data transmission in these circumstances.

The main intent of the Data Act will be to clarify for EU consumers and businesses who can use and access what data and for what purposes. The correct legislative adequacy to an increasingly transversal practice, and one where the risk of improper access to data is increasing, is very important to ensure that the digital transition and growth is made in the most fair and transparent way. These revisions, along with other legislation, could be significant in 2022.

Santa Maria, Azores Spaceport

To take advantage of the strategic geographical location of the island of Santa Maria in the Azores, Portugal has begun to draw up plans for the creation of a spaceport. The allocation of the project encountered obstacles in 2020 and 2021 and was not awarded due to the exclusion of competitors. However, on the initiative of the Azores regional government, the project will be reviewed and is expected to progress in the near future.

The Portuguese Space Agency addressed the 13th European Space Conference on the lack of average space capacity in the EU and how a spaceport in the Azores could be essential to meet this objective and move towards European progress in space exploration.

This is excellent news for tech and other businesses, with great opportunities arising both in the development of the port infrastructure as well as the possibilities brought by NewSpace to the technological sector and product development in Portugal. The ease and reduced cost of launching microstats or cube satellites (satellites with 1mᵌ launched in bulk) allow an increase in microgravity testing on various products, which will be an advantage for Portuguese companies wishing to test their products, as well as for other companies adapting their business model to facilitate this space demand. It also represents an interesting business opportunity, and we can expect demanding legal challenges.

Transposition of the European Electronic Communications Code

The year 2021 should have been the one that Portugal finally began to apply the European Electronic Communications Code – ECC (approved by Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018, already amended), but this has not been the case. Thus, Portugal has now received two notices from Brussels urging the transposition of the Directive. Consequently, it is very likely that 2022 will be a year of developments.

The draft legislation (Proposal of Law 83/XIV/2) submitted by the government was the subject of several hearings by representatives of CNPD, ANACOM, the National Security Office and the National Centre for Cybersecurity, among others, and is undergoing intense discussion. However, due to the dissolution of Parliament and the current political situation, we do not expect this legislative proceeding to be concluded before the second half of 2022.

Changes in Consumer Law Implementing Directives 2019/771 and 2019/770

In 2021, there were significant changes regarding consumer protection in Portugal, finally bringing Portuguese law closer to European law and the general practice.

Coming into force on 1 January 2022, Decree Law No 84/2021 of 18 October 2021 (transposing EU Directive 2019/771 and Directive (EU) 2019/770), is intended to strengthen consumer rights. In addition to the obvious intention to adapt the general principle of the need for conformity of digital goods (or services) with the contract to the digital dimension of the market and ensure a high level of consumer protection in the digital environment, several relevant changes in terms of consumer protection stand out, namely:

  • the broadening of the concept of "good", including the concept for digital content and services;
  • changes in the legal guarantee periods for movable and immovable goods/real estate;
  • the regulation of commercial guarantees (the former voluntary guarantees);
  • the consolidation of the concept of conformity of goods with the contract;
  • strengthening of the consumer rights in the event of lack of conformity of the goods and the establishment of preference thresholds in the exercise of such rights; and
  • implementing the joint and several liability of the online marketplace service provider (online platforms/marketplaces) towards the consumer.

The new rules apply to all new contracts or, in the preceding continuing service contracts, to the instalments/effects produced after this date. The new law is a real game-changer in the supply of goods, services and digital content and brings a general need for adaptation from the retail sellers acting in Portugal, calling for changes in the sales policies and practices of many sellers in both traditional and online commerce, as well as in the capacity of response, along with their collaborators, to consumer complaints. Hence, some activity is expected to take place in this review of sales models and policies.

Harmonised Rules on Artificial Intelligence (AI)

The proliferation of AI will reach all sectors sooner or later and will provoke genuine administrative reforms. The anticipation with which business models are adapted will be fundamental in defining medium-term strategies. Whether in self-driving cars or in simpler electronic mechanisms, AI is coming and will revolutionise our reality. The next year should bring some advances both technologically and legislatively, with the discussion of the proposal presented by the European Commission.

The Artificial Intelligence Act (Regulation laying down harmonised rules on artificial intelligence) as proposed by the European Commission intends to establish a threshold of safety regarding AI applications and ensure fundamental rights protection.

Legislative progress in this field will further allow the development of these applications, which have infinite possibilities. The presented proposal focuses, for example, on the prohibition of unacceptable AI practices – banning systems that can manipulate individuals by exploiting personal or otherwise private data – the definition of high-risk systems, transparency and compliance obligations, as well as the creation of national supervisory authorities for AI systems.

Conclusion

It is unquestionable that the pandemic has changed the world – the way we relate with others, how we work, how we do business and how we shop, and has had a serious impact on the legal and regulatory framework, which will continue in the years to come.

A common thread runs through all the above topics: technological development requires legal and economic support, and TMT legal action development is living proof of this. The real issue is how we react to change – and in all contexts we have seen a willingness to step forward and to overcome the challenges.

Opportunities and challenges arise at every corner. A keen eye and ambition allows us to seize these new opportunities, maintaining the high levels of compliance required by various regulators. As far as the legal environment is concerned, the challenges are also increasing, with major legislative efforts to regulate new technological developments.

Sérvulo & Associados – Sociedade de Advogados, SP, RL

Rua Garrett, 64
1200-204
Lisboa
Portugal

+351 21 093 30 00

+351 21 093 30 01 / 02

geral@servulo.com www.servulo.com
Author Business Card

Law and Practice

Authors



Morais Leitão, Galvão Teles, Soares da Silva & Associados, SP, RL is a leading full-service law firm in Portugal, with a solid background of decades of experience. Broadly recognised, Morais Leitão is a reference in several branches and sectors of the law on both a national and an international level. The firm’s reputation amongst both peers and clients stems from the excellence of the legal services provided. The firm’s work is characterised by its unique technical expertise, combined with a distinctive approach and cutting-edge solutions that often challenge some of the most conventional practices. With a team comprising over 250 lawyers at a client’s disposal, Morais Leitão is headquartered in Lisbon and has additional offices in Porto and Funchal. Due to its network of associations and alliances with local firms and the creation of the Morais Leitão Legal Circle in 2010, the firm can also offer support through offices in Angola (ALC Advogados), Cabo Verde (VPQ Advogados) and Mozambique (MDR Advogados).

Trends and Development

Authors



Sérvulo & Associados – Sociedade de Advogados, SP, RL is a Portuguese full-service firm with more than 20 years of legal experience, which occupies a leading position in the Portuguese legal market. Recognised for the quality of its legal services in all relevant areas of law and strategic sectors, Sérvulo has a highly competent multidisciplinary team of more than 100 lawyers, motivated by a single purpose: to transform academic research and accumulated knowledge in the design of sound legal solutions, thus creating added value for its clients. Sérvulo is trusted by a vast number of major private and public entities, both domestic and international, in the Portuguese-speaking legal markets and in all the most significant economic sectors. It houses a roster of lawyers who are fully capable of facing all of the challenges that may arise at any time and in any field of the law. Sérvulo’s practice areas are recognised by the main legal directories.

Compare law and practice by selecting locations and topic(s)

{{searchBoxHeader}}

Select Topic(s)

loading ...
{{topic.title}}

Please select at least one chapter and one topic to use the compare functionality.