Brussels Regulatory Brief: February 2016

Antitrust and competition

CJEU: presumption of participation in a collusive practice for companies failing to report the cartel

The Court of Justice of the European Union (‘CJEU’) has recently clarified how participation in cartels can be presumed under EU competition rules.

An online booking system used for package holidays had sent to travel agents an automatic message announcing the new policy of tour operators to cap their discounts at 3% and imposing such limit through technical means.

With a preliminary ruling of 21 January 2016, the CJEU stated that the tour operators could have breached competition law if they clearly failed to distance themselves from the price cap mentioned in the message.  In other words, they may be presumed to have participated in a collusive practice, if they were aware of the message.

The CJEU clarified that the travel agents may defend themselves by providing evidence that they were not aware of the message, e.g. because they did not receive it or did not look at it.  In addition, they may also rebut any involvement into the alleged collusive scheme by: (i) publicly distancing themselves from that practice, e.g. by sending a clear and express objection to the administrator of the online booking system; (ii) reporting it to the administrative authorities; or (iii) systematically applying a discount exceeding the cap.

EU-Italy agreement on State guarantees for banks’ non-performing loans

European Commission (‘Commission’) and the Italian Government reached an agreement on the State guarantee mechanism for Italian banks’ non-performing loans.

The agreement was reached on 26 January 2016, during a meeting between Commissioner Vestager and Italy’s Finance Minister Padoan which sought to help banks to free their balance sheets, improve their ability to lend to the economy, and eliminate a key element of vulnerability of the Italian banking system.

The most problematic aspect of the negotiations between the EU and Italy related to the price of loans to be sold.  In particular, this must be consistent with EU State aid rules, which strictly limit the ability of national governments to support and grant any competitive advantage to financial institutions.

The State guarantee to the banks will be priced at market conditions and therefore will not be considered as State aid.  The price will reflect the level of risk and the length of maturity of a comparable product.

Privacy, Data Protection and Information Management

EU institutions strike a deal on the data protection reform package

On 18 December 2015, the Council’s Committee of Permanent Representatives (‘Coreper’) approved the political agreement reached by negotiators of the European Parliament (‘EP’), the Council and the Commission on 15 December 2015 on the much-awaited EU data protection reform after nearly three years of intensive negotiations. This vote came as the EP’s Committee of Civil Liberties, Justice and Home Affairs also endorsed the deal the day before.

The EU data protection reform package includes two legislative proposals: the regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (‘General Data Protection Regulation’ or ‘GDPR’) and the directive on the processing of data to prevent, investigate, detect or prosecute criminal offences or enforce criminal penalties (‘Data Protection Directive’). The EU data protection reform aims at putting an end to the old 1995 patchwork of national data protection laws currently existing with common data protection rules across the EU and making them fit for the digital world.

The GDPR includes inter alia increased power for national data protection authorities (‘DPAs’), companies’ data breach notification requirements to DPAs and their customers, stiff fines of up to 4% of companies’ annual global turnover and a so-called ‘one-stop-shop’ regime subjecting companies to a single regulator, the one of their home country or of whatever country their European headquarters is located in. It also requires the appointment of mandatory data protection officers (‘DPOs’) in the public sector, large companies or where the controller or processor’s core activities consist of processing operations requiring regular and systematic monitoring.

The Data Protection Directive provides for rules intended to ensure better cooperation between police and criminal justice authorities, render international cooperation easier and safer, reduce red tape for authorities and enhance citizens’ fundamental right to data protection when their data is used by law enforcement authorities.      

The Council must now adopt its formal position at first reading on the agreed texts expected to take place in early 2016, possibly in mid-March during the next meeting of the Justice and Home Affairs Council. The EP will then have to adopt the same texts in second reading for the EU data protection reform package to be adopted.

Once adopted and published in the Official Journal, the GDPR will apply directly in all EU countries and will take effect two years later, while Member States will have to transpose the Data Protection Directive into their national laws within two years. These two legal acts should thus be operational in 2018.

Furthermore, the Commission will rest on the new EU data protection rules with a view to improving trust and security in digital services, particularly with regards the processing of personal data, and will present a legislative proposal to review the e-Privacy Directive in mid-2017 in this respect.

EU institutions reach a political agreement on new rules on cybersecurity

On 14 January 2016, the EP’s Committee on Internal Market and Consumer Affairs endorsed the informal deal struck by negotiators of the EP, Council and Commission on 7 December 2015 on the Network and Information Security Directive (‘NIS Directive’) after being approved by the Coreper on 18 December 2015. This Directive put forward by the Commission in February 2013 sets out the first ever EU-wide cybersecurity rules aimed at making Europe’s online environment more secure. 

The political agreement reached foresees that operators of essential services and digital services providers will both have to fulfil cybersecurity requirements including taking cyber risks’ management measures and complying with security incidents’ reporting obligations.

These two categories of players will however be subject to different legal regimes: operators of essential services in critical sectors (such as energy, transport, banking, financial market infrastructures, health, water and digital infrastructures) will face stronger requirements than digital services providers (limited to e-commerce platforms, search engines and cloud services with an exemption for micro and small digital companies).

This difference of treatment is reflecting the degree of risk that any disruption to their services may imply for the economy and society. Social networks and payment-services providers (‘PSPs’) are however excluded from the scope of the NIS Directive under the provisional deal.

Furthermore, this agreement contains provisions providing for the establishment of a strategic cooperation group aimed at exchanging information and best practices, the drawing up of guidelines and the Member States’ assistance in cybersecurity building. A network of Computer Security Incidents Response Teams (‘CSIRTs’) build up by each Member State to cope with incidents is also to be set up to discuss cross-border security incidents and identify coordinated responses.

The political agreement is currently being checked by lawyer-linguists before being adopted by the Council in first reading followed by the EP in second reading. Once the two co-legislators have adopted the agreed text, probably in the first half of 2016, it will be published in the Official Journal and Member States will then be given 21 months to transpose the NIS Directive into their national laws and six further months to identify their operators of essential services on the basis of certain laid down criteria.

Additionally, the Commission aims to build on this achievement to launch a public-private partnership on cybersecurity in 2016 as foreseen in the Digital Single Market (DSM) strategy unveiled on 6 May 2015. It opened a public consultation in this regard on 18 December 2015 running until 11 March 2016 to ask stakeholders for their views on this matter.

Economic and financial affairs

Corporate taxation continues to be a key issue on the political and regulatory agenda. Following up on the Base Erosion and Profit Shifting (‘BEPS’) Action Plan adopted in October 2015 by the Organisation for Economic Cooperation and Development (OECD) and endorsed by the G20, the European Commission released an Anti-Tax Avoidance Package with the broad aim to implement the BEPS elements in the European Union framework. The Package includes various measures to tackle tax avoidance, as well as proposals on the automatic exchange of country-by-country reports between national tax authorities.

In addition to the Commission’s initiative, the EP is continuing its work on corporate taxation, with a particular focus on tax rulings. A so-called ‘TAXE II’ Committee was set up late last year with a wider scope than its predecessor ‘TAXE I’ Committee. It will scrutinise the implementation of BEPS measures in the EU and review the Commission’s work on competition issues in relation to tax rulings. Members of the EP already stated they will be firm in requesting documents from the European institutions and will organise further hearings with multinational companies suspected of aggressive tax planning.

The resolution pillar of the Banking Union goes live

As of 1 January 2016, the Single Resolution Mechanism (‘SRM’) became fully operational. With the Single Resolution Board (SRB) as key decision body, the SRM’s mission is to ensure the efficient resolution of credit institutions in the Banking Union area. In 2016, the SRM will continue designing resolution plans to prepare for any potential failure of institutions within its remit. In the event where a resolution is necessary, the SRM will be supported by the newly created Single Resolution Fund (‘SRF’). As the SRF will be progressively phased-in over an eight-year period, Member States agreed in December 2015 on a bridge financing mechanism to ensure the availability of necessary funds in the short-term.

This is a new step towards the completion of the Banking Union. The SRM represents the second pillar of the Banking Union, the first being the Single Supervision Mechanism (SSM) and the third being the European Deposit Insurance Scheme (EDIS).

Work in progress in building a Capital Markets Union

As the first set of public consultations launched in the framework of the Capital Markets Union (‘CMU’) ended in January 2016, the European Commission is expected to draw on their results for its forthcoming work on issues like regulatory framework for covered bonds and venture capital. Further initiatives might stem from the results of the call for evidence on the EU framework for financial services, through which the Commission hoped to identify existing inconstancies and unnecessary burdens in the current financial services regulatory framework. Regarding retail financial services, the Commission is still welcoming responses and suggestions following the publication of its Green Paper.

In parallel, the first legislative proposals put forward by the European Commission together with the CMU action plan in September 2015 are moving forward. In particular, the Council of the EU reached a common position on the proposal for a securitisation regulation, as well as on the related proposal to amend the Capital Requirements Regulation (CRR). However, progress in the EP is likely to take longer. At the same time, work on the legislative proposal on the Prospectus regulation is expected to continue both on the Council and Parliament side under the Dutch Presidency. Looking ahead, the Commission is expected to come up with proposals to stimulate venture capital and with a public consultation on the cross-border distribution of investment funds later in spring.