Competition / Regulation
Vertically integrated companies may face higher cartel fines
Captive sales should be included in the turnover figure used as a basis for calculating cartel fines. Advocate General Wathelet stated this in a recent court opinion. If followed by the European Court of Justice, this may not only end the European Commission’s varying approach to internal sales when calculating cartel fines. Vertically integrated groups may also be faced with a sharp increase in fines imposed for participating in cartels.
In its 2007 decision imposing a fine of EUR 148 million on glass maker Guardian Industries (Guardian) for cartel involvement, the European Commission took no account of captive sales, i.e., the sales made internally within vertically integrated companies, when calculating the fines to be imposed on the cartel members. Despite being the smallest of the four cartel members, Guardian received the heaviest penalty because it was the only cartel member which was not vertically integrated. The Advocate General agreed with Guardian that this method of calculating fines discriminates against Guardian as a non-vertically integrated company. He therefore recommended that the European Court of Justice reduce Guardian's fine by an amount equivalent to the proportion of internal sales in the relevant market, which would mean a fine of EUR 93.24 million instead of EUR 148 million.
According to the Advocate General, the European Commission departed from its previous decision-making practice as well as earlier case law of the EU courts when it excluded captive sales from the turnover figure used as a basis for calculating the fine, without providing "the least statement of reasons" for doing so. The Advocate General was not convinced by the Commission's argument that being obliged to always take captive sales into account when calculating fines would result in a sharp increase in the amounts of fines imposed on vertically integrated groups participating in cartels. The AG finds that the effect of increasing fines for vertically integrated groups is a consequence of the EU legislature's choosing to refer to turnover, rather than operating profit or net profit, when calculating fines.
If the European Court of Justice follows the AG's opinion, this may not only end the European Commission's varying approach to internal sales when calculating cartel fines. Vertically integrated groups may also be faced with a sharp increase in fines imposed for participating in cartels.
Cartel members may also be liable for damages from sales by non-cartelists
Cartel members may soon have to worry not only about potential fines by competition authorities and damages claims by cartel victims, but also about providing compensation to customers of non-cartel members. The European Court of Justice recently ruled that cartel members may be liable for damages resulting from umbrella pricing. Umbrella pricing occurs when non-cartel members, unaware of the cartel’s existence, charge higher prices than they would have done under normal competitive conditions. This ruling will probably lead to an increase in the number of damages claims against cartel members based on umbrella pricing, but it is unlikely to result in an avalanche of claims.
The case relates to a request for a preliminary ruling by the Austrian Supreme Court in a case where a customer of a non-cartel member is suing four companies involved in an elevator cartel for damages before the Austrian civil courts on the basis of the "umbrella effect". According to the customer, the non-cartel members, unaware of the cartel's existence, charged higher prices than they would have done under normal competitive conditions. Austrian national law categorically excludes the liability of cartel members for umbrella pricing.
The European Court of Justice considered the categorical exclusion at odds with the cartel prohibition laid down in Article 101 of the Treaty on the Functioning of the European Union. The full effectiveness of the cartel prohibition would be at risk if individuals could not claim damages for losses caused by a contract or by conduct that could restrict or distort competition. Any person is thus entitled to claim compensation for harm suffered where there is a causal relationship between that harm and an agreement or practice caught by the cartel prohibition. Consequently, the victim of umbrella pricing may obtain compensation for the loss caused by purchasing products from non-cartelists at higher prices, where it is established that:
• the cartel at issue was, in the circumstances of the case and, in particular, the specific aspects of the relevant market, liable to have the effect of umbrella pricing being applied by third parties acting independently
• those circumstances and specific aspects could not be ignored by the members of that cartel.
The ECJ left it up to the national court that referred the case to determine whether those conditions are satisfied. This ruling will probably lead to an increase in the number of damages claims against cartel members based on umbrella pricing. However, it is unlikely to result in an avalanche of claims, since it will always be necessary to carry out a comprehensive assessment of the relevant circumstances and evidence to determine whether a cartel did indeed give rise to umbrella pricing.
De Brauw introduces 'Dawn Raids' app
We have recently introduced a Dawn Raids app. The app provides practical information on what to do and what not to do during a dawn raid by the European Commission, the ACM, DNB, the AFM, the CPB or the Dutch Public Prosecution Service.
According to Patrick Ploeger, partner at De Brauw and one of the initiators of the app, "Clients want to prepare as well as possible for a dawn raid. A lot can be at stake, and during the hectic moments of a dawn raid, many things can go wrong. This app is an answer to our clients' needs to have a clear overview of the process of a dawn raid and shows who should do what at what time."
The app shows you what to do during a dawn raid and what follow-up steps to take after the raid. The app also provides practical instructions to receptionists and IT specialists at organisations undergoing a dawn raid and guidance on how to answer potential questions and on supplying confidential information. In addition, the app contains contact details of dawn raid specialists of our firm who can assist during a dawn raid.
The app is available for iOS and Android.
Solvency II finally final
The European Council has approved the Omnibus II Directive (O2). With the adoption of O2, the Solvency II framework Directive (2009/138/EC; S2) is finally final. This does not mean that all is clear. Further details concerning many subjects still need to be provided in delegated and implementing acts and in guidelines. Yet, we now finally have the definitive text of the framework directive. The text of O2 is expected to be published in May 2014.
Our April 2014 Legal alert outlines the main elements of this framework directive. Click here for the English language version and here for the Dutch language version of this alert.
Another piece of the puzzle: Solvency II guidelines under consultation
In a recent publication, we highlighted that with the approval of the Omnibus II Directive (O2), the Solvency II framework Directive (2009/138/EC: S2) is finally final and noted that further details concerning many subjects still need to be provided in delegated and implementing acts and in guidelines. The European Insurance and Occupational Pensions Authority (EIOPA) has recently concluded its public consultation on the first set of Implementing Technical Standards (ITS) and is currently in the process of consulting on the first set of guidelines (S2 GL). Insurers should participate in this consultation to be able to influence their future regulatory landscape.
Guidelines are non-binding instruments, addressed to National Competent Authorities (NCAs) or financial institutions. They aim to ensure the common, uniform and consistent application of European Union law and to establish consistent, efficient and effective supervisory practices. Though the GL are non-binding, they provide important guidance for NCAs and non-compliance needs to be reported and explained to EIOPA.
This first set of S2 GL that is currently being consulted on addresses:
• Pillar 1
• Internal models
• Pillar 2
• Supervisory Review Process
The Pillar 1 S2 GL provide details on the following topics:
• technical provisions (contract boundaries, valuation)
• own funds (ancillary own funds, classification of own funds, ring-fenced funds, treatment of related undertakings - including participations)
• Solvency Capital Requirement (SCR) standard formula (look-through approach, basis risk, application of outwards reinsurance arrangements to the non-life underwriting risk sub-module, treatment of market and counterparty risk exposures, application of the life underwriting risk module, health catastrophe risk sub-module, loss-absorbing capacity of technical provisions and deferred taxes, undertaking specific parameters)
• group solvency
The S2 GL on the Use of Internal Models provide guidance on the following:
• application for use of an internal model
• model changes
• tests and standards for approval (assumption setting and expert judgment, methodological consistency, probability distribution forecast, calibration – approximations, profit and loss attribution, validation, documentation, external models and data)
• internal models for groups - functioning of colleges
The Pillar 2 S2 GL provide guidance on the following topics:
• system of governance
• Own Risk and Solvency Assessment (ORSA)
Supervisory Review Process
The Supervisory Review Process (SRP) S2 GL focus on:
• the general principles to be applied by supervisors when performing the SRP (consistency, proportionality, etc.)
• the stages of this process
The S2 GL on the methodology for Equivalence assessment are designed to assist the group supervisor with its task of verifying whether a third country regime is at least equivalent under article 227 (group solvency) and/or article 260 (group supervision) of S2. This verification can be initiated on request or at the group supervisor's initiative if the European Commission has not adopted delegated acts determining that the supervisory regime of the third country is (provisionally/temporarily) equivalent to the S2 regime.
The consultation period for the first set of S2 ITS ended on 30 June 2014. The European Commission is expected to publish the final version of these ITS later this year.
EIOPA has announced it will consult on a second set of S2 ITS that address the quantitative basis (Pillar 1), qualitative requirements (Pillar 2), reporting and disclosure (Pillar 3) and supervisory transparency as well as a second set of S2 GL that provides further guidance on qualitative requirements, reporting and disclosure. Both consultations are planned to start in December of this year.
The EIOPA S2 timeline as well as the consultation documents for the first set of S2 GL can be found on the EIOPA website. The consultation period for the first set of S2 GL ends 29 August 2014. Insurers should not miss this opportunity to voice any suggestions they might have with regard to any of the topics addressed.
MiFID II: getting ready for implementation
The European Council adopted a set of legislation on 13 May 2014 regulating the trade in financial instruments and the investment services sector, known as MiFID II. Investment firms and banks that provide investment services or engage in investment activities will have to start preparing for a number of changes to their governance and business organisation. As MiFID II significantly extends not only the scope but also the detail of the regulation, most investment firms will have to review existing activities and may need to adjust their compliance monitoring accordingly. Under MiFID II they will have to take into account that supervisory authorities will have a greater set of supervisory tools at their disposal and that stricter sanctions will apply. Our recent legal alert outlines the main elements of MiFID II and its practical implications (in English and Dutch).
Intellectual Property / Information & Communication Technology
Guidance on personal data security breaches: when obliged to notify and when exempt
The Article 29 Working Party has published an opinion providing guidance on whether or not companies are required to notify data subjects in the event of a personal data breach. The opinion offers best practices for data controllers by analysing concrete examples of personal data breaches and illustrating precautionary measures that may prevent personal data breaches or mitigate any consequences.
The Article 29 Working Party (Working Party) published an opinion on 25 March 2014 providing guidance on whether or not companies, being the data controller, are required to notify data subjects in the event of a security breach involving personal data. The Working Party describes what companies can do when implementing an IT system to avoid a personal data breach in the first place or, at least, what measures could have been implemented to exempt the company from the obligation to notify data subjects.
Notification is already considered a best practice
Under the current EU Data Protection Directive, there is as yet no generic explicit notification obligation for companies in the event of a security breach involving personal data. So far, only telecom operators have an explicit obligation to notify competent supervisory authorities, and under certain circumstances even data subjects, under the EU e-Privacy Directive.
Based on the existing security breach notification obligation for telecom operators and the fact that there are two EU bills pending which will introduce a general security breach notification obligation for all companies processing personal data (the General Data Protection Regulation and the Draft Network & Information Security Directive), the Working Party considers that notifying the supervisory authorities and data subjects of a security breach already constitutes a best practice.
Working Party provides guidance on when to notify
The Working Party provides a non-exhaustive list of examples of security breaches that adversely affect data subjects and therefore are not exempted from notification to data subjects. These include security breaches due to:
• the theft of laptops containing sensitive medical data of children
• unauthorised global access to a CRM system by a third party
• an envelope with credit card slips that is mistakenly thrown away instead of being destroyed
• a breach of a database containing passwords of users of a telecom operator
• the theft of laptops containing encrypted financial data
• a vulnerable web application of an internet service provider.
The Working Party analyses for all examples: (i) the potential consequences and adverse effects of the security breach, and (ii) what appropriate safeguards might have reduced the risks if implemented prior to the security breach.
An example: vulnerable web application not exempted
An example of a security breach analysed in the opinion that is not exempted from notification to data subjects is the unauthorised access of personal data related to the customers of a life insurance broker due to a vulnerable web application where that personal data included names, addresses and completed medical questionnaires.
• The Working Party states that potential consequences and adverse effects of the security breach may include: (i) identity fraud or phishing, (ii) an emotional impact if the data subjects hide their diagnosed medical conditions, and (iii) an impact on the work and/or family environment.
When are companies exempted from notification?
A company is not required to notify data subjects affected by a security breach when it demonstrates – to the satisfaction of a supervisory authority – that it has implemented and applied appropriate technological protection measures that render the personal data in the specific security breach unintelligible to any person who is not authorised to access it (such as encryption or anonymisation techniques). In such a case, the security breach is unlikely to adversely affect the data subjects concerned and will therefore exempt the company from its obligation to notify data subjects.
Companies are advised to:
• be proactive and take appropriate technical and organisational measures to avoid personal data breaches in the first place
• implement appropriate anonymisation and encryption measures, making use of pseudonyms and rendering data unintelligible
• adopt and implement a response procedure for personal data breach to quickly and adequately deal with suspected personal data security breaches.
European Court of Justice implements "right to be forgotten"
The ECJ issued a landmark decision ruling that individuals have a right to request Google to delete links to webpages with their personal data from Google search results even if publication of personal data on those webpages is lawful. The search engine operator qualifies as "data controller" of the personal data contained in third-party webpages that it makes available in the search results. Google and other search engine operators are therefore fully responsible for the content they display. Deletion from search results may be requested if the information published is inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing. Along with Google, the decision has the potential to affect not only the operations of all search engines with establishments in the EU, but also of any integrator of third-party data sources containing personal data.
Read about this ruling in our Legal alert of 16 May 2014.
EU guidance on legitimate interests of data controller to support big data
A recent opinion by the Article 29 Working Party provides practical guidance on the applicability of the "legitimate interests" of a data controller as one of the grounds for the lawful processing of personal data under the EU Data Protection Directive 95/46/EC. The processing of personal data based on the controller's "legitimate interests" is a valuable option for data controllers, in particular where consent is unobtainable or impractical, such as in certain types of processing by companies that handle big data. Referring to legitimate interests as a ground for data processing requires a thorough assessment of, on the one hand, the legitimate interests pursued by the data controller or by any third parties to whom the data are disclosed, and on the other hand, the interests and fundamental rights of the data subject. The balancing test between these two interests is necessary for deciding whether the rights of the data subject can be overridden.
This Opinion is highly relevant in the context of the recent Memo on Big Data issued by the European Commission on 2 July 2014, as it ensures the unified interpretation and implementation of the "legitimate interests" ground for data processing under the current Directive throughout the EU. It also provides policy recommendations for the future EU General Data Protection Regulation. Businesses involved in processing big data or in combining existing data with new data sources should carefully study this Opinion.
The Opinion was published on 9 April 2014 by the Working Party and provides a detailed analysis of the criteria that make data processing legitimate per Article 7 of Directive 95/46/EC. Of the six legal grounds for the processing of personal data stipulated in Article 7, the best known and most widely used are:
• the unambiguous consent of the data subject
• processing that is necessary for the performance of a contract with the data subject
• processing necessary for compliance with a legal obligation of the controller.
A less constraining ground for processing, as stipulated under Article 7(f), permits the processing of personal data necessary for the purposes of the legitimate interests pursued by the controller or third parties, subject to an additional test balancing the data controller's interests against the data subject’s fundamental rights and interests.
Application of the balancing test
For a proper assessment of the balancing test, companies have to consider a number of factors, including:
• the nature and source of the controller's legitimate interest and whether the data processing is necessary and proportionate for the exercise of a fundamental right (e.g., freedom of expression by a newspaper publishing about a corrupt official or interests of the wider community in whistleblowing schemes to combat financial fraud)
• the impact of processing on the data subject and their reasonable expectations about what will happen with their data, as well as the nature of the data (i.e., sensitive data) and how it is processed (e.g., large amounts of personal data are processed or combined with other data, such as profiling or for commercial purposes)
• additional safeguards which could limit the impact of processing on the data subject (e.g., data minimisation, anonymisation, pseudonymisation, unconditional right to opt-out).
If the balancing test falls in favour of the data subject, companies are not allowed to use Article 7 (f) as a legal ground for the processing of personal data.
New obligations for data controller
If the Working Party's legislative advice on the legitimate interests ground is followed, the data controllers under the proposed regulation will be required to conduct their assessment as described above. They will also have to thoroughly document their assessment and communicate their processing of personal data, as well as any other additional safeguards used, to the data subjects affected.
If your company is involved in big data, the legitimate interests ground may be an important alternative to the processing of personal data based on prior consent. Companies that opt for the legitimate interest ground must do a thorough balancing test to weigh the company's interests against the interests of the data subject.
We also recommend that companies closely monitor legislative developments on this issue. The results of the public consultation on this Opinion are expected shortly and will offer additional insight into the applicability of the controller's legitimate interest as a ground for processing of personal data.
Read the full text of the Opinion here.
Read the memo of the European Commission "Making the most of the Data-Driven Economy" here.
Read also our previous publications on this issue.
If you have any questions or require further information regarding this Europe update please contact:
Amsterdam Martijn Snoep | T +31 20 577 1365 | E email@example.com
Brussels Jaap de Keijzer | T +32 2 545 1105 | E firstname.lastname@example.org
London Ernest Meyer Swantée | T +44 20 7562 4361 | E email@example.com
New York Pierre Nijnens | T +1 212 259 4102 | E firstname.lastname@example.org
Shanghai Gaby Smeenk | T +86 21 6157 5132 | E email@example.com
Singapore Dieter Wolff | T +65 9396 1540 | E firstname.lastname@example.org