All questions

Intellectual property and data protection

Protection of fintech technology can take place by several means. The protection of software seems to be the most relevant, as fintech technology usually translates into computer systems and applications. Software is protected in Portugal under the same legal rules that apply to copyright protection (according to Decree-Law No. 252/94, which transposed Directive No. 91/250/CEE, later repealed by Directive No. 2009/24/CE, on computer programs, as amended). Copyright on the computer program belongs to the employer if the software is created by an employee in the execution of his or her duties or following the instructions given by the employer. Copyright does not require registry to exist, but this can be done in the General-Inspection for Cultural Activities (IGAC). Software can also be protected by patent in the cases where it meets the criteria to be considered a computer implemented invention, which is an invention whose implementation involves the use of a computer, computer network or other programmable apparatus. In addition, computer-implemented business models can also be patented, to the extent that they are claimed as a technical solution for a technical problem (e.g., automating a response considering the data collected) and involving technical considerations (e.g., the reading of the database). Otherwise, business models are not patentable. All in all, a case-by-case analysis is necessary to determine if protection by patent is feasible.

Technology developed in the context of a fintech business can also be protected as trade secret. Trade secrecy protects against any act of a person that assesses, appropriates or copies (or any other conduct that, under the circumstances, is considered contrary to honest commercial practices), without consent, information that is secret, that has a commercial value due to that fact and that has been subject to reasonable steps, by the person lawfully in control of the information, to keep it secret (for instance, the execution of non-disclosure agreements). Current national legal provisions on trade secrecy, which are included in the Industrial Property Code – approved by Decree-Law No. 110/2018, of 10 December – have been subject to considerable revision and expansion, which is mostly related to the transposition of Directive (EU) 2016/943 of 8 June 2016, on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure. The Directive brought substantial changes to the trade secrecy regime, notably on the protection criteria and the enforcement regime, which is expected to become clearer and more effective with the mentioned legislative change.

A computer platform usually also comprises a set of data, as well as visual interfaces. The data may also be protected as a database if the requirements set in law (Decree-Law No. 122/2000, which transposed Directive No. 96/9/CE, as amended, on the protection of databases) are met. Interfaces can further be protected by copyright under the Copyright Code (approved by Decree-Law No. 63/85, as amended) in their look and feel, screen display and individual visual elements, if they all meet the criteria to be protected (mainly, are 'creative'). Copyright protection, in this case, belongs to the employer or the person that orders the creation, if so established or if the name of the creator is not referred to in the work. In this case, the creator may require a special compensation if the creation exceeds the performance of the task or when the creation is used or brings benefits not included or foreseen in the creator's remuneration.

Fintech businesses collect, control and process vast amounts of personal data (including know-your-customer data) and, as a result, they are subject to data privacy rules.

These rules are, from 25 May 2018, the ones provided in the General Data Protection Regulation (GDPR) (EU Regulation No. 2016/679, of 27 April). The GDPR applies not only to Fintech companies established in the EU but also to companies established outside the EU, in case they have customers in the European Union and the processing of the customers' personal data is made in the context of the offering of services to those data subjects, irrespective of whether a payment of the data subject is required. The European Data Protection Board (EDPB) has clarified, in its Guidelines 3/2018 on the territorial scope of the GDPR, adopted on 16 November 2018, that the intention to target customers in the EU is key to assessing whether entities established outside the territory of the EU are subject to the GDPR.

In general, the processing of personal data requires customer's consent. Pre-ticked opt-in or opt-out boxes will no longer be allowed, since consent must be expressed through a statement or by a clear affirmative action. The GDPR places onerous accountability obligations on data controllers to evidence compliance, which constitutes a major paradigm shift in the data protection regime. This includes, among others, conduct data protection impact assessments for more risky processing operations (such as those involving the processing of personal data that could be used to commit financial fraud), and implement data protection by design and by default.

These general data protection rules are complemented by bank secrecy and AML rules, which fintech companies will have to observe when providing services to their clients.

Bank secrecy rules determine that disclosure of clients' personal data protected by bank secrecy (including cross-border transfers) is permitted only with prior customer consent or if the processing is necessary to obtain one of the following:

  1. compliance with a legal obligation to which the data controller is subject;
  2. the pursuit of the legitimate interests of the data controller or the third party or parties to whom the data is disclosed, except where such interests are overridden by the interests of the data subject; or
  3. the performance of a task carried out in the public interest.

In the past, the Portuguese Data Protection Authority had already ruled in a specific case that all personal data processed by a bank is subject to bank secrecy.

In the case of processing clients' data for the purposes of anti-money laundering reporting, the disclosure of specific relevant personal data is based upon the fulfilment of a legal obligation, and there is no need to obtain data subject consent. As the concept of 'client authorisation' under PSEMLF and the financial institution's legal framework differs from the concept of 'consent' under the GDPR, many banks and other financial institutions opt to collect clients' authorisation to disclose information covered by banking secrecy in the context of their general client terms and conditions.

Another important aspect of data processing in the context of fintech business is the definition of clients' profiles and business segmentation, as well as automated decision-making based on profiling. Automated decisions that produce effects concerning the data subject or that significantly affect him or her and are based solely on the automated processing of data intended to evaluate certain personal aspects relating to him or her are not permitted.

The GDPR has introduced new provisions to address the risks arising from profiling and automated decision-making. Mainly, under the GDPR, one may only carry out this type of decision-making where the decision is either necessary for the entry into or performance of a contract or authorised by the EU or Member State law applicable to the controller, or, finally, based on the individual's explicit consent. Where one of these grounds applies, additional safeguards must be introduced, as well as disclosure of specific information about automated individual decision-making, including profiling. Lastly, there are additional restrictions on using special categories of data (such as health-related data or biometric data) for any processing of personal data, which can ultimately impact the way Fintech companies will implement Strong Customer Authentication mechanisms under the PSD2 Regulatory Technical Standards, as the Regulatory Technical Standards suggest the use of the payment service users' biometric data in that context.

Without prejudice to the above, Portuguese legislation implementing or densifying the GDPR is currently in preparation and may bring some additional adjustments or restrictions to the rules set out in the GDPR, notably concerning additional safeguards regarding the processing of financial data. The CNPD has consistently ruled that financial data are sensitive data, in the sense that they reveal aspects of an individual private life and, thus, said data should be protected under the Portuguese Constitution. This may prove influential in the final version of the Portuguese data protection implementing act and may affect fintech companies operating in Portugal or offering services to Portuguese customers.