Quarterly Legal and Regulatory Update - Payments, E-Money and Crypto-Assets

Page created by Jimmy Campbell
 
Payments, E-Money and Crypto-Assets
 Quarterly Legal and Regulatory Update
 Period covered: 1 October 2020 – 31 December 2020

 TABLE OF CONTENTS

            PAYMENTS
            DIGITAL FINANCE & CRYPTO-ASSETS
            CYBERSECURITY
            CENTRAL BANK OF IRELAND
            AML & CFT
            DATA PROTECTION

9727498v3
Payments, E-Money and Virtual Assets | Quarterly Legal and Regulatory Update | 1 October 2020 – 31 December 2020

1. PAYMENTS

1.1 RTS supplementing PSD2 regarding the appointment of central contact points published in the Official Journal of the European
    Union

      On 9 October 2020, the Commission Delegated Regulation (EU) 2020/1423 supplementing the Directive on payment services in the
      internal market (EU) 2015/2366 (Payment Services Directive 2 or PSD2) with regard to regulatory technical standards (RTS) on the
      criteria for appointing central contact points within the field of payment services, and on the functions of those central contact points, was
      published in the Official Journal of the European Union (OJ).

      The RTS specify the criteria to be applied when determining the circumstances when the appointment of a central contact point pursuant
      to Article 29(4) PSD2 is appropriate, and the functions of those contact points.

      A copy of the RTS can be accessed here.

1.2 EBA launches public consultation on guidelines on major incident reporting under PSD2

      On 14 October 2020, the European Banking Authority (EBA) launched a public consultation, and accompanying consultation paper, on
      the proposed revision of the guidelines on major incident reporting under PSD2 (Guidelines).

      The Guidelines apply in relation to the classification and reporting of major operational or security incidents in accordance with Article 96
      PSD2 and are addressed to Payment Service Providers (PSPs) and the competent authorities (CAs) under PSD2.

      The aim of the amendments is to simplify the major incident reporting under PSD2 and the reporting templates, to capture additional
      security incidents and to reduce the number of operational incidents that are required to be reported by no longer including those that do
      not have a significant impact on the operations of PSPs.

      The consultation paper proposes, amongst other items:

             to increase the absolute amount thresholds of the incident classification criterion ‘Transactions affected’;

             to introduce changes to the calculation of the criteria ‘Transactions affected’ and ‘Payment service users affected’ in the ‘lower
              impact level’;

             to introduce a new incident classification criterion ‘breach of security measures’ aimed at capturing incidents where the breach of
              the security measures of the PSP has an impact on the availability, integrity, confidentiality and/or authenticity of the payment
              services related data, processes and/or systems.

      The consultation period ended on 14 December 2020, and the Final Report on the application of the revised Guidelines on major incident
      reporting under PSD2 is expected to be published shortly. The amended Guidelines are expected to become applicable in Q4 2021.

      The consultation paper can be accessed here.

1.3 CJEU publishes decision on application of PSD2 to contactless payment cards

      On 11 November 2020, the Court of Justice of the European Union (CJEU) published a preliminary ruling in DenizBank AG v Verein für
      Konsumenteninformation (Case C-287/19). An opinion by Advocate General Campos Sánchez-Bordona was published in this case on
      30 April 2020.

© 2020 Dillon Eustace. All rights reserved.

      The request for a preliminary ruling concerns the application of PSD2 to the use of personalised multifunctional bank cards that are
      equipped with near-field communication (NFC) functionality, known as “contactless payment cards.”

      The CJEU held that Article 52(6)(a) PSD2, read in conjunction with Article 54(1), must be interpreted to mean that PSD2 does not restrict
      the type of terms of the framework contract between the PSP and the user of its services that can be amended by tacit consent. This is
      without prejudice to a review of the unfairness of these terms in the light of the provisions of the Directive on unfair terms in consumer
      contracts (Directive 93/13/EEC). The CJEU diverged from the Advocate General’s opinion on this point.

      The CJEU held that the NFC or ‘contactless’ function is legally separable from the other functions of a bank card, therefore it constitutes
      a ‘payment instrument’ within the meaning of Article 4(14) PSD2.

      The CJEU also held that contactless low-value payment using the NFC functionality of a contactless payment card constitutes
      ‘anonymous’ use of the payment instrument in question, within the meaning of Article 63(1)(b) PSD2.

      Finally, the CJEU held that, per Article 63(1)(a) PSD2, a PSP who intends to rely on the derogation provided for in that provision may not
      simply assert that it is impossible to block the payment instrument concerned or to prevent its continued use, where, in the light of the
      objective state of available technical knowledge, that impossibility cannot be established.

      The CJEU judgment can be accessed here.

1.4 European Union (Interchange Fees for Card-based Payment Transactions) (Amendment) Regulations 2020 (S.I. No. 525 of 2020)
    published in Iris Oifigiúil

      On 17 November 2020, the European Union (Interchange Fees for Card-based Payment Transactions) (Amendment) Regulations 2020
      (Statutory Instrument No. 525 of 2020) (Amendment Regulations) were published in Iris Oifigiúil.

      The Amendment Regulations amend the European Union (Interchange Fees for Card-based Payment Transactions) Regulations 2015
      (S.I. No. 550 of 2015) (2015 Regulations).

      The 2015 Regulations are amended by the substitution of the following Regulation for Regulation 5:

      “5. Payment service providers shall not offer or request a per transaction interchange fee of more than 0.10% of the value of the transaction
      for any domestic debit card transaction.”

      Regulation 5 of the 2015 Regulations is replaced in order to update a provision that falls away on 9 December 2020. This was a
      discretion contained in the Regulation on interchange fees for card-based payment transactions (Regulation (EU) No. 751/2015) that
      Ireland chose to avail of in 2015. The change to the existing legislation involves the replacement of a weighted average approach set out
      in Regulation 5 to capping interchange fees for consumer debit transactions with a per transaction cap approach.

      The Amendment Regulations came into operation on 9 December 2020.

      The Amendment Regulations are available here.

      The 2015 Regulations are available here.

1.5 EPC publishes 2021 EPC SEPA payment scheme rulebooks

      On 26 November 2020, the European Payments Council (EPC) published the 2021 EPC Single Euro Payments Area (SEPA) payment
      scheme rulebooks and the related Implementation Guidelines.

           2021 SEPA Credit Transfer rulebook version 1.0, which can be accessed here.

           2021 SEPA Instant Credit Transfer rulebook version 1.0, which can be accessed here.


           2021 SEPA Direct Debit Core rulebook version 1.0, which can be accessed here.

           2021 SEPA Direct Debit Business-to-Business rulebook version 1.0, which can be accessed here.

      The 2021 rulebooks replace version 1.2 of the 2019 rulebooks. Annex IV of each 2021 rulebook contains a table summarising all changes
      made in each rulebook, as compared to the 2019 rulebook.

      The rulebooks enter into force on 21 November 2021.

1.6 EPC publishes 2020 Payment Threats and Fraud Trends Report

      On 7 December 2020, the EPC published its 2020 Payment Threats and Fraud Trends Report (Report).

      The Report provides an overview of the most important threats and “fraud enablers” such as social engineering and phishing, malware,
      Advanced Persistent Threats (APTs), (Distributed) Denial of Service ((D)DoS), botnets and monetisation channels. The Report addresses
      how these identified threats impact payment-relevant processes, for example cards, SEPA schemes and mobile wallets, and suggests
      controls and mitigation measures to address these risks.

      The Report offers a number of conclusions concerning payment threats and “fraud enablers”, including:

             social engineering attacks and phishing attempts are still increasing and remain instrumental. There has been a shift from
              consumers and retailers to company executives, employees (“CEO fraud”) and PSPs;

             awareness campaigns remain an important countermeasure against social engineering and should target individual and corporate
              customers, as well as employees;

             ransomware has been on the rise over the past year, requiring new mitigation measures; and

             APT is identified as one of the most sophisticated and lucrative types of payment fraud going forward. It must be considered as a
              potential high risk not only for payment infrastructures but also for all network related payment ecosystems.

      The Report can be accessed here.

1.7 EDPB publishes guidelines on the interplay of PSD2 and the GDPR

      On 15 December 2020, the EDPB adopted version 2.0 of the Guidelines 06/2020 on the interplay of the PSD2 and the GDPR
      (Guidelines).

      The Guidelines aim to provide further guidance on data protection aspects in the context of PSD2, in particular the relationship between
      relevant provisions of the GDPR and PSD2.

      The Guidelines focus on the processing of data by account information service providers (AISPs) and payment initiation service providers
      (PISPs). The Guidelines address the conditions for granting access to payment account information by account servicing payment service
      providers (ASPSPs) and for the processing of personal data by PISPs and AISPs, including the requirements and safeguards in relation
      to the processing of personal data by PISPs and AISPs for purposes other than the initial purposes for which the data have been collected,
      especially when they have been collected in the context of the provision of an account information service.


      The Guidelines also address different notions of explicit consent under the PSD2 and the GDPR, the processing of ‘silent party data’, the
      processing of special categories of personal data by PISPs and AISPs, and the application of the main data protection principles set forth
      by the GDPR, including data minimisation, transparency, accountability and security measures.

      This version of the Guidelines replaces version 1.0, published 17 July 2020.

      The Guidelines can be accessed here.

2. DIGITAL FINANCE & CRYPTO-ASSETS

2.1 European Parliament adopts resolution on digital finance

      On 8 October 2020, the European Parliament voted in plenary to adopt a Resolution with recommendations to the European Commission
      on Digital Finance with regard to emerging risks in crypto-assets, specifically regulatory and supervisory challenges in the area of financial
      services, institutions and markets (Resolution).

      The Resolution calls for a single European supervisor to work closely with the European Supervisory Authorities (ESAs) and national
      competent authorities (NCAs) based on a common rulebook and product intervention powers for oversight, in certain areas of crypto-
      asset related activities.

      The Resolution points to regulatory gaps in EU legislation to prevent money laundering and advises that targeted changes should be
      made to the existing provisions.

      The Resolution calls for legislative changes to be made in the area of ICT and to cyber security requirements for the EU financial sector
      with a focus on modernisation, compliance with international standards, and operational resilience testing.

      The Resolution is based on a report of the Committee on Economic and Monetary Affairs of the European Parliament (ECON), published
      18 September 2020 (ECON Report).

      The Resolution can be accessed here, and the accompanying press release can be accessed here.

      The ECON Report can be accessed here.

2.2 ECB publishes report on digital euro

      On 8 October 2020, the European Central Bank (ECB) published a report on the digital euro (Report). The Report examines the issuance
      of a digital euro - that is an electronic form of central bank money similar to banknotes but in a digital form. A digital euro would be
      accessible to all citizens and firms, allowing daily payments to be made in a fast and secure way. The aim of the digital euro is to
      complement cash, not replace it.

      The Report examines the circumstances under which the issuance of a digital euro will be required, notably where there is:

             increased demand for electronic payments, to the extent that there is a requirement for a European risk-free digital means of
              payment;

             a significant decline in the use of cash as a means of payment in the euro area;

             the launch of global private means of payment that may raise regulatory concerns; and


             a broad uptake of central bank digital currency issued by foreign central banks.

      The decision to issue a digital euro has not yet been taken. However, the Eurosystem intends to engage widely with stakeholders to
      assess the benefits and challenges they expect from a digital euro.

      On 12 October 2020, the ECB launched a public consultation seeking views from a broad range of potential users, which can be
      accessed here. The closing date for feedback is 12 January 2021.

      The Report can be accessed here.

2.3 FSB publishes high-level recommendations on regulation of “Global Stablecoin” arrangements

      On 13 October 2020, the Financial Stability Board (FSB) published its final report and high-level recommendations on Regulation,
      Supervision and Oversight of “Global Stablecoin” (GSC) Arrangements (Report).

      The FSB coordinates the work of national financial authorities and international standard-setting bodies. It also develops and promotes
      the implementation of effective regulatory, supervisory, and other financial sector policies in the interest of financial stability.

      The Report addresses “stablecoins”, a specific category of crypto-assets, and the risks to financial stability that such arrangements
      present.

      The Report sets out 10 high-level recommendations that promote coordinated and effective regulation, supervision and oversight of GSC
      arrangements to address these risks, while supporting responsible innovation and providing sufficient flexibility for jurisdictions to
      implement domestic approaches.

      The recommendations are addressed to authorities at jurisdictional level and focus on privately issued GSCs predominately intended for
      retail use.

      The Report confirms that GSC arrangements are expected to adhere to all applicable regulatory standards, and risks to financial stability
      must be addressed before commencing operation. GSC arrangements are also expected to adapt to new regulatory requirements as
      necessary.

      The Report emphasises the need for authorities to engage in close international cooperation and address potential gaps in their domestic
      frameworks in order to achieve common regulatory outcomes across jurisdictions and reduce opportunities for regulatory arbitrage in the
      supervision of GSC arrangements.

      The Report is available here.

2.4 European Commission seeking feedback on proposal for a Regulation on digital operational resilience for the financial sector

      The European Commission is seeking feedback on its proposal for a Regulation on digital operational resilience for the financial sector
      by amending the Credit Rating Agencies Regulation (1060/2009/EU) (CRA), European Market Infrastructure Regulation No 648/2012
      (EMIR), Markets in Financial Instruments Regulation (600/2014/EU) (MiFIR) and the Central Securities Depositories Regulation
      (909/2014) (CSDR).

      The feedback period is open until 15 February 2021. The feedback will be presented to the European Parliament and the Council with
      the aim of informing the legislative debate.

      The legislative proposal aims to introduce a harmonised and comprehensive framework on digital operational resilience for European
      financial institutions. The legislative proposal sets out requirements applicable to:


             financial entities in respect of Information and Communication Technologies (ICT) risk management;

             contractual arrangements between ICT third-party service providers and financial entities; and

             the oversight framework for critical third-party service providers and rules on cooperation between CAs.

      The text of the proposal can be accessed here. Feedback may be submitted to the European Commission through its dedicated webpage,
      which may be accessed here.

2.5 European Commission seeking feedback on proposal for a Directive amending existing EU financial services legislation in
    respect of crypto-assets and digital operational resilience

      The European Commission is seeking feedback on its proposal for a Directive clarifying and amending existing EU financial services
      legislation in respect of crypto-assets and digital operational resilience.

      The feedback period is open until 4 March 2021. The feedback will be presented to the European Parliament and the Council with the
      aim of informing the legislative debate.

      More specifically, the proposed Directive will:

             amend various operational risk or risk management requirements in a number of Directives by introducing precise cross-references
              in order to attain legal clarity. These amendments complement the proposal for a Regulation on digital operational resilience;

             clarify the legal treatment of crypto-assets qualifying as financial instruments by amending the definition of a ‘financial instrument’
              in the Markets in Financial Instruments Directive (2014/65/EU) (MiFID II); and

             provide for the temporary exemption of distributed ledger technology (DLT) market infrastructures from certain provisions in MiFID
              II in order to enable them to develop solutions for the trading and settlement of transactions of crypto-assets that would qualify as
              financial instruments. This measure complements the proposal for a Regulation on a pilot regime for DLT market infrastructures.

      The text of the proposal can be accessed here. Feedback may be submitted to the European Commission through its dedicated webpage,
      which may be accessed here.

2.6 European Commission seeking feedback on proposal for a Regulation on a pilot regime for market infrastructures based on
    DLT

      The European Commission is seeking feedback on its proposal for a Regulation on a pilot regime for market infrastructures based on
      DLT, i.e. the use of technology that trades and settles transactions in financial instruments in crypto-asset form.

      Existing EU financial services legislation often pre-dates DLT and in some cases this may hinder its adoption or innovation. The purpose
      of the pilot regime is to allow regulators to gain experience of the use of DLT in market infrastructures and to allow companies to test out
      solutions using DLT. The pilot regime provides for derogations from existing rules and will allow companies to learn more about how existing
      rules fare in practice. The proposal seeks to improve legal certainty, support innovation, instil consumer and investor protection and
      market integrity, and to ensure financial stability.

      The feedback period is open until 11 January 2021. The feedback will be presented to the European Parliament and the Council with the
      aim of informing the legislative debate.


      The text of the Proposal can be accessed here. Feedback may be submitted to the European Commission through its dedicated webpage,
      which may be accessed here.

2.7 European Commission seeking feedback on Proposal for a Regulation on Markets in Crypto-assets

      The European Commission is seeking feedback on its Proposal for a Regulation on Markets in Crypto-assets (MiCA).

      The proposed Regulation will replace existing national frameworks applicable to crypto-assets not covered by existing EU financial
      services legislation and will establish rules for ‘stablecoins’, including when these are e-money. It will establish uniform rules for crypto-
      asset service providers and issuers at EU level.

      The feedback period is open until 11 January 2021. The feedback will be presented to the European Parliament and the Council with the
      aim of informing the legislative debate.

      The text of the Proposal can be accessed here, and its accompanying annexes can be accessed here. Feedback may be submitted to
      the European Commission through its dedicated webpage, which may be accessed here.

3. CYBERSECURITY

3.1 Department of Justice and Equality publishes report on Cybercrime: Current Threats and Responses

      On 8 October 2020, the Department of Justice and Equality published a report on Cybercrime: Current Threats and Responses (Report).

      The Report examines the existing research literature on cybercrime including current and emerging threats, the Irish anti-cybercrime
      landscape and models of best practice for combatting cybercrime in order to inform both policy and practice across the criminal justice
      system in Ireland.

      The Report notes that the most significant cybercrime trends and threats currently include:

           Ransomware;

           Other malware threats;

           Data breaches and network attacks;

           Spearphishing (targeting specific individuals for the purposes of distributing malware or extracting sensitive information); and

           Attacks against critical infrastructure.

      The Report addresses a range of questions, including:

            What relevant legislation is in place to combat cybercrime and how effective has this been; and

            What are the models of best practice for responding to the threat of cybercrime nationally and internationally.

      The Report seeks to act as a springboard for future research on best practice in the area of cybercrime.

      The Report can be accessed here.


3.2 European Commission presents new Cybersecurity Strategy

      On 16 December 2020, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy
      presented a new EU Cybersecurity Strategy (Strategy).

      The aim of the Strategy is to bolster Europe’s collective resilience against cyber threats and help to ensure that all citizens and businesses
      can fully benefit from trustworthy and reliable services and digital tools.

      Alongside the Strategy, the European Commission adopted two legislative proposals:

      A Directive on measures for a high common level of cybersecurity across the Union (revised NIS Directive), which can be accessed here;
      and

      A Directive on the resilience of critical entities, which can be accessed here.

      A Communication setting out the Strategy can be accessed here.

      A Q&A on the EU Cybersecurity Strategy can be accessed here.

4. THE CENTRAL BANK OF IRELAND

4.1 New Central Bank Pre-Approval Control Functions to take effect

      On 9 October 2020, the CBI published the Central Bank Reform Act 2010 (Sections 20 & 22) (Amendment) Regulations 2020 (Amending
      Regulations) which expand the Pre-Approval Controlled Functions (PCF) regime. Of relevance to payments and e-money firms is the
      introduction of a new PCF role in respect of Chief Information Officers (PCF 49).

      The CBI has published an FAQ in respect of the introduction of the new and revised PCFs, which can be accessed here.

      The updated list of CBI PCF roles can be accessed here.

      The Amending Regulations can be accessed here.

      Key Action Points

      PCF-49: If the individual discharging the relevant PCF-49 role changes after 5 October 2020, the prior approval
      of the CBI will be required by completing and submitting an individual questionnaire.

4.2 CBI issues second “Dear CEO” letter on Fitness and Probity

      On 17 November 2020, the CBI issued a second “Dear CEO” letter on fitness and probity, following thematic on-site inspections which it
      conducted on a sample of firms in the insurance and banking sectors (Letter). The CBI's first "Dear CEO" letter on the topic was issued
      in April 2019.

      The CBI has highlighted that it expects all regulated financial service providers to take appropriate action to deal with the issues addressed
      in the Letter, and that the Letter should be read in conjunction with its prior “Dear CEO” letter, the Fitness and Probity Standards and
      associated fitness and probity guidance.

      Please see the Dillon Eustace briefing paper entitled “CBI issues second “Dear CEO” letter on fitness and probity”, which looks at some
      of the CBI’s key findings. This briefing paper can be accessed here.


      The Letter can be accessed here.

5. ANTI-MONEY LAUNDERING (AML) AND COUNTERING THE FINANCING OF TERRORISM (CFT)

5.1 CBI publishes sixth issue of Anti-Money Laundering Bulletin focusing on transaction monitoring

      On 2 October 2020, the CBI published the sixth issue of its Anti-Money Laundering Bulletin focusing on transaction monitoring (Bulletin).

      The Bulletin highlights the importance of transaction monitoring, which the CBI states will continue to be a key focus area in its ongoing
      supervision of compliance by designated persons with AML and CFT requirements. The Bulletin sets out the CBI’s findings following
      supervisory engagements across multiple credit and financial institutions and sets out the CBI’s expectations with regard to the application
      of transaction monitoring controls.

      Please see the Dillon Eustace briefing paper entitled “Central Bank issues AML Bulletin on Transaction Monitoring” which provides a
      detailed summary of the Bulletin. The Dillon Eustace briefing paper can be accessed here.

      A copy of the sixth edition of the Bulletin can be accessed here.

5.2 Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Bill 2020

      The Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Bill 2020 (Bill) was passed by Dáil Éireann on 17
      December 2020 and is currently before Seanad Éireann, Second Stage. The purpose of the Bill is to transpose the criminal justice
      elements of Directive (EU) 2015/849 (Fifth EU Anti-Money Laundering Directive or AMLD 5) by amending the Criminal Justice (Money
      Laundering and Terrorist Financing) Act 2010 in line with AMLD 5. The Bill seeks to:

             improve the safeguards for financial transactions to and from high-risk third countries;

             bring a number of new ‘designated persons’ under the existing legislation (notably virtual asset service providers and custodian
              wallet providers);

             improve the transparency of beneficial ownership of legal entities. Where a designated person is entering a business relationship
              with another entity, the designated person must take steps to obtain the relevant information from the appropriate register of
              beneficial ownership prior to commencing the business relationship;

             provide for a new defence in relation to ‘tipping off’ where the designated person can prove that the entity to whom the information
              was disclosed was a specified financial institution, which is connected to the designated person or part of the same group structure;

             enhance existing customer due diligence (CDD) requirements;

             set new limits on the use of anonymous pre-paid cards. A person supplying such an instrument will now be required to conduct
              CDD when the value of the requested card is €150 or higher;

             broaden the definition of a politically exposed person (PEP) to include ‘any individual performing a prescribed function’;

             provide for Ministerial guidance which will clarify domestic ‘prominent public functions’ that will give rise to a person being
              designated as a PEP; and

             make a number of technical amendments to other provisions of Acts already in force.


      The Bill’s progress can be tracked here.

6. DATA PROTECTION

6.1 EDPB adopts Guidelines on Data Protection by Design and Default

      On 20 October 2020, the European Data Protection Board (EDPB) adopted the final version of its Guidelines on Data Protection by
      Design & Default (Guidelines).

      The Guidelines address the obligation upon controllers, irrespective of size and complexity of processing, to effectively implement the
      data protection principles and data subjects’ rights and freedoms by design and default, as set out in Article 25 of Regulation (EU)
      2016/679 on the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation or
      GDPR).

      The Guidelines offer general guidance on the obligation upon controllers, which requires the implementation of appropriate measures
      and necessary safeguards that provide effective implementation of the data protection principles. In addition, controllers should be able
      to demonstrate that the implemented measures are effective.

      The Guidelines also contain guidance on how to effectively implement the data protection principles in Article 5 GDPR, listing key design
      and default elements as well as practical cases for illustration.

      The Guidelines can be accessed here.

6.2 EDPB adopts Recommendations on ‘supplementary measures’ relating to third country transfers

      On 10 November 2020, the EDPB adopted two sets of Recommendations. The Recommendations contain a roadmap of the steps data
      exporters must take to find out whether they need to put in place supplementary measures to be able to transfer data outside the EEA in
      accordance with EU law, and help them identify those measures that could be effective. The Recommendations comprise:

             • Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of
               personal data; and

             • Recommendations 02/2020 on the European Essential Guarantees for surveillance measures.

      Recommendations 01/2020 were adopted with the aim of assisting controllers and processors acting as data exporters to comply with their
      duty to identify and implement appropriate “supplementary measures” and to promote the consistent application of the GDPR across the
      EEA, particularly in light of the CJEU’s recent “Schrems II” ruling (Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd
      and Maximillian Schrems).

      Recommendations 02/2020 provide data exporters with guidance to determine whether the legal framework governing public authorities’
      access to data for surveillance purposes in third countries can be regarded as a justifiable interference with the rights to privacy and the
      protection of personal data, and therefore as not impinging on the commitments of the Article 46 GDPR transfer tool the data exporter
      and importer rely on.

      Recommendations 01/2020 can be accessed here. Recommendations 01/2020 were subject to a public consultation, which closed on
      21 December 2020.

      Recommendations 02/2020 can be accessed here.

6.3 European Commission publishes new draft Standard Contractual Clauses

      On 12 November 2020, the European Commission published two new draft sets of standard contractual clauses (SCC):

             • for transferring personal data to non-EU countries (Third Country SCC); and

             • between controllers & processors located in the EU (Controller-Processor SCC).

      The Third Country SCCs will replace the existing SCCs. The purpose of the Third Country SCCs is to ensure that the level of
      protection that the GDPR affords to personal data is not undermined when the data is transferred to a third country. The Third Country
      SCCs have been updated to bring them in line with the requirements set out in the GDPR and the CJEU’s recent “Schrems II” ruling
      (Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems).

      Controllers and processors will have twelve months to implement the new Third Country SCCs from the date they come into force.

      The Controller-Processor SCCs are new and aim to ensure harmonisation and legal certainty in relation to the contract between a
      controller and processor that a controller is obliged to impose under Article 28 GDPR. These SCCs are not mandatory and are intended
      to provide guidance. Parties may choose to rely on the Controller-Processor SCCs or negotiate an individual contract containing the
      compulsory elements laid out in Article 28(3) and (4) GDPR.

      The consultation period ended on 10 December 2020. The European Commission has requested a joint opinion from the EDPB and the
      European Data Protection Supervisor (EDPS) on the implementing acts of both sets of SCCs. The SCCs are expected to be formally
      adopted by the European Commission in early 2021.

      The draft Third Country SCC, and its accompanying implementing decision, can be accessed here.

      The draft Controller-Processor SCC, and its accompanying implementing decision, can be accessed here.

6.4 EDPB issues statement on the ePrivacy Regulation and the future role of Supervisory Authorities and the EDPB

      On 19 November 2020, the EDPB issued a statement on the ePrivacy Regulation and the future role of Supervisory Authorities and the
      EDPB (Statement).

      The Statement addresses the proposed Regulation concerning the respect for private life and the protection of personal data in electronic
      communications (ePrivacy Regulation) which is intended to replace Directive 2002/58/EC concerning the processing of personal data
      and the protection of privacy in the electronic communications sector (ePrivacy Directive).

      In the Statement, the EDPB emphasises that the future ePrivacy Regulation must not lower the level of protection offered by the current
      ePrivacy Directive, noting that it should complement the GDPR by providing additional guarantees for confidentiality for all types of
      electronic communication.

      The EDPB expresses concern regarding discussions in the Council concerning the enforcement of the future ePrivacy Regulation which
      could lead to fragmentation of supervision, procedural complexity and a lack of legal certainty. The EDPB notes that many provisions of
      the future ePrivacy Regulation relate to the processing of personal data, and states that oversight should be entrusted to the same
      national authorities which are responsible for the enforcement of the GDPR.

      The EDPB concludes by inviting the Member States to support a more effective ePrivacy Regulation, as initially proposed by the European
      Commission.

      The Statement can be accessed here.

6.5 Transfers of Personal Data to Third Countries or International Organisations

      On 9 December 2020, the Data Protection Commission updated its webpage entitled “Transfers of Personal Data to Third Countries or
      International Organisations” (Webpage).

      The Webpage addresses, amongst other items, Article 46 - Transfers subject to appropriate safeguards, taking into account the CJEU’s
      recent “Schrems II” ruling (Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems) and recent
      publications by the EDPB.

      The Webpage can be accessed here.

6.6 Post Brexit - transfers of personal data from the EEA to the UK

      Under the EU-UK Trade and Cooperation Agreement (Agreement) concluded on 24 December 2020, a “grace period” was agreed during
      which transfers of personal data from EEA Member States to the UK will not be considered “third country” transfers under the GDPR.
      The Agreement provides that the specified period will last for no longer than six months from 31 December 2020.

      This means that during the specified period, personal data can continue to flow from the EEA to the UK without any additional safeguards,
      such as SCCs, being required. This is subject to an important caveat: if, during this period, the UK amends the data protection laws it has
      in place on 31 December 2020 or exercises certain powers under the UK Data Protection Act 2018 or the UK GDPR, without the
      agreement of the EU Partnership Council, the specified period shall automatically end.

      Please see the Dillon Eustace briefing paper entitled “Brexit: Welcome reprieve for data transfers from the EEA to the UK” which can be
      accessed here.

      If you have any questions in relation to the content of this update, to request copies of our most recent newsletters, briefings or articles,
      or if you wish to be included on our mailing list going forward, please contact any of the team members below.

      Keith Waine
      E-mail: keith.waine@dilloneustace.ie
      Tel : + 353 1 673 1822
      Fax: + 353 1 667 0042

      Karen Jennings
      E-mail: karen.jennings@dilloneustace.ie
      Tel : + 353 1 673 1810
      Fax: + 353 1 667 0042

      Enda McGeever
      E-mail: enda.mcgeever@dilloneustace.ie
      Tel : + 353 1 673 1751
      Fax: + 353 1 667 0042

      Laura Twomey
      E-mail: laura.twomey@dilloneustace.ie
      Tel : + 353 1 673 1848
      Fax: + 353 1 667 0042

      Seán Mahon
      E-mail: sean.mahon@dilloneustace.ie
      Tel : + 353 1 673 1707
      Fax: + 353 1 667 0042

      DISCLAIMER:

      This document is for information purposes only and does not purport to represent legal advice. If you have any queries or would like
      further information relating to any of the above matters, please refer to the contacts above or your usual contact in Dillon Eustace.
