You will be redirected to the website of our parent company, Schönherr Rechtsanwälte GmbH: www.schoenherr.eu
Welcome to the September edition of Schoenherr's to the point: technology & digitalisation newsletter!
We are excited to present a selection of legal developments in the area of technology & digitalisation in the wider CEE region.
In an attempt to become faster and more energy-efficient, the world's second most important blockchain changed its consensus mechanism from Proof of Work to Proof of Stake on 15 September.
What does this mean? Previously, the Ethereum network ran on a blockchain that used Proof of Work (PoW) as its consensus mechanism (Ethereum Mainnet). To validate and generate the blocks in the blockchain, PoW requires nodes (miners) to solve a complex task using mining hardware and computing power to run the network. The fastest node receives a reward.
With the Merge, the old PoW blockchain has now been merged with the new beacon chain. The new beacon chain no longer uses the consensus mechanism PoW and instead relies on Proof of Stake (PoS).
Proof of Stake involves the use of validators instead of miners. In this consensus mechanism, node operators must deposit 32 Ether (ETH) as collateral (via a smart contract - staking) to become network validators and receive rewards. One node is then chosen at random as recipient of the rewards.
Those who neither have 32 Ether, nor want to run a validator node yet still want to use their Ether, can do so by joining a staking pool. A staking pool combines the stakes of multiple people to put up the required 32 ETH for an Ethereum validator node. The block rewards of such node are then shared with the staking pool in proportion to the ETH deposited per individual account.
What does the Merge bring to the table?
With the switch to the PoS mechanism, Ethereum promises a number of advantages: for example, the new method is significantly more energy-efficient than the previously used proof of work. The high-performance – and correspondingly power-hungry – hardware required for the mining process is now no longer needed. Therefore, Ethereum developers can more or less predict that the power requirement will drop by a whopping 99.95 %.
In addition, transactions are also expected to get faster, because Proof of Stake means that significantly fewer validations are performed on the blockchain at the same time. This should also be accompanied by lower transaction fees; these are (still) unreasonably high for Ethereum compared to other cryptocurrencies.
In any case, the price of ETH has nevertheless dropped after the successful merge and should therefore also be well observed. In addition, the merger of the new beacon chain with the old mainnet has major implications for an industry worth billions – for investors, startups, mining companies, staking providers and even tax consultants.
Licences connected to NFTs are still far from being the norm. As a result, most NFTs still do not convey sufficient or appropriate IP rights to their underlying content. Moreover, they have to deal with practical difficulties inherent in the nature of NFTs. The need for licences tailored to the NFT market is therefore evident. To overcome the practical difficulties and tackle these issues, publicly available NFT licence systems have emerged. But are they any good? Continue reading here.
Until now, consumers could easily take out microloans for online purchases in instalments via providers such as Klarna and PayPal without credit checks. This easy access naturally involves dangers for consumers. According to consumer activists, it is often not even clear to consumers that what buy now pay later offers are loans. In addition, there is a risk that consumers will carelessly conclude too many buy-now-pay-later loans and lose track. There is also a danger that they will end up buying things they cannot actually afford. In some cases, these microloans are already being used for everyday purchases.
The EU now intends to put a stop to this with a new consumer credit directive aimed at protecting consumers from such debt traps in the future. According to this directive, credit checks will also be required in the future for buy-now-pay-later offers. But what kind of directive would it be if it did not have wide-ranging exceptions? Thus, for example, no credit checks are necessary with the instalment purchase of "Internetable devices". Interest-free loans and loans without late payments are also not to be covered by the new directive.
Since this is a directive that Member States must implement into national law, it will be interesting to see which exceptions will emerge.
The draft of the Austrian Company Law Digitalisation Act 2022 (Gesellschaftsrechtliches Digitalisierungsgesetz 2022) intends to transpose parts of the so-called Digitalisation Directive of the European Union (Directive (EU) 2019/1151) regarding the use of digital tools and processes in company law into Austrian law.
The following aspects of the Austrian Company Law Digitalisation Act 2022 are noteworthy for the daily corporate and VC practices:
The Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit, "BInBDI") has imposed a fine of 525,000 euros on the subsidiary of a Berlin-based e-commerce group due to a conflict of interest concerning the company's Data Protection Officer. The company had appointed a DPO who, in their role as a DPO, had to "independently oversee" the company's data protection decisions. However, the same DPO was also the Managing Director of two service companies that processed personal data on behalf of the very company for which they served as DPO. In other words, they oversaw data protection decisions that they themselves had made in another capacity. The fine is not yet legally binding (the German press statement of the BInBDI can be found here).
After the announcements this spring that Microsoft will be buying Activision Blizzard (World of Warcraft, Starcraft), Take-Two Interactive was buying the mobile studio Zynga (Farmville) and Sony was buying Bungie (Destiny), the concentration process in the video game industry has continued relentlessly this summer. In a shopping spree, Swedish video game and media holding company Embracer acquired renowned gaming studios like Crystal Dynamics, Eidos-Montreal and Square Enix Montréal, including a whole catalogue of IP, such as Tomb Raider, Deus Ex, Thief and much more. In addition, Embracer announced that it had entered into an agreement to acquire Middle-Earth Enterprises, a company that owns a vast intellectual property catalogue and worldwide rights to The Lord of the Rings trilogy and The Hobbit by J.R.R. Tolkien. This shift in the gaming industry to combine ownership of IP and its exploitation under one roof can be increasingly observed. Yet that was not all: in September, Chinese tech giant Tencent raised its stake in French video game company Ubisoft and there were even rumours that Amazon would like to strengthen its gaming portfolio by buying Electronic Arts. These reports have since been refuted, but not without impacting Electronic Arts' stock price. It will be exciting to see how the gaming industry will develop in the coming months and whether the trend towards IP concentration will continue.
Watches, cars, intercoms, lamps, industrial machinery or printers. As the "Internet of Things" (IoT) continues its triumphant rise, more and more devices are able to directly connect to the internet and thus offer a variety of new features. But this also comes with a downside, as it provides a potential gateway for criminals who may exploit security vulnerabilities in these smart devices and abuse them to infiltrate people's systems. Statistically, a ransomware attack happens somewhere in the world every 11 seconds, causing estimated costs of around EUR 20bln worldwide in 2021 alone.
To address these problems, the European Commission presented its proposal for a Cyber Resilience Regulation (COM/2022/454 final) on 15 September 2022, introducing harmonised cybersecurity requirements for manufacturers and developers of products with digital elements, regarding both software and hardware.
The two main issues identified by the Commission in this context are that some products placed on the market lack cybersecurity standards already at the design stage and that some manufacturers are not willing to address security concerns regarding their products once they have put them into circulation.
The Commission now aims to solve these problems by setting out essential requirements that must be met before a product with digital elements is placed on the market. It also defines rules for the design, development and production of products with digital elements as well as obligations for vulnerability handling processes to ensure a high standard of cybersecurity throughout a product's entire lifecycle. Users must also be provided with a minimum of information and instructions for the respective good with digital elements according to Annex II.
In addition, manufacturers must demonstrate fulfilment of the requirements under the regulation by carrying out a conformity assessment either via self-assessment or by a qualified third party. Certain categories of products with particularly high risk, so-called "critical products with digital elements" (e.g. operating systems, firewalls, routers, modems or smart meters) are subject to even stricter requirements and must, for instance, have the conformity assessment carried out by a qualified third party. For most smart everyday devices, however, a self-assessment will usually suffice in order not to burden manufacturers with excessive costs.
Another novelty is a reporting obligation similar to the mandatory data breach notification in accordance with the GDPR. Manufacturers must report any actively exploited vulnerability or any incident having an impact on the security of their product to the European Union Agency for Cybersecurity without undue delay and no later than 24 hours after becoming aware of it.
Failure to comply with the essential cybersecurity requirements set out in the regulation can result in fines of up to EUR 15m or 2.5 % of annual global turnover, whichever is higher.
In the world of antitrust nothing has ever been as hotly debated as the Digital Markets Act (DMA), which was passed just before the summer break. Now, as vacation season is coming to a close, the discourse on competition policy in digital markets is again picking up speed, not only in the EU, but almost everywhere in the world. The countries in which tech barons have nothing to fear from new competition law requirements are becoming fewer and fewer. While Silicon Valley was until recently considered a safe haven, the Biden administration now seems to mostly support the European Commission's ambitions, encouraging a comeback of the market structure-based understanding of competition. A remarkable development, considering this approach was banned from American antitrust policy nearly two decades ago. Just recently, the White House unveiled six principles to reform Big Tech platforms, including promoting technology sector competition, increasing transparency about platforms' algorithms and ending discriminatory algorithmic decision-making. The European zeitgeist that competition in these markets cannot be sustained without direct state intervention thus seems to have crossed the Atlantic. And while it will take some time before the DMA actually has an impact in the EU, it can already be said that the new law has become a Magna Carta of digital antitrust law and – as such – ushers in a new era for tech regulation around the world.
Anna Katharina
Tipotsch
Associate
austria vienna