We are pleased to present the Spring 2017 edition of our Corporate and Commercial Law global update. This quarterly publication highlights a range of international corporate law matters and covers recent law developments in specific countries. In this issue, we have articles from a total of 36 jurisdictions on current legal affairs around the globe:
- Albania: new bankruptcy law
- Argentina: criminal liability for legal entities
- Australia: modernizing the foreign investment regime
- Austria: addressing gender imbalance on supervisory boards
- Belgium: abuse of rights in the dissolution of a limited liability company
- Brazil: Brazilian Central Bank — compliance matters
- Bulgaria: new procedure seeks to stabilize companies before insolvency
- China: opening up to foreign investment
- Colombia: changes to the International Investments Regime
- Croatia: reshaping public procurement legal framework
- Czech Republic: amending the Civil Code
- Estonia: a new flexible and tax-transparent investment vehicle
- European Union: Court of Justice rules on dynamic IP addresses
- Finland: legislation on three-dimensional real estate
- France: new anti-corruption measures
- Greece: simplifying company setup procedures
- Guatemala: developing a competition law
- Hong Kong: improved provisions for winding up companies
- India: mergers and amalgamations under the new company law
- Japan: reforms to support M&A and enhance corporate governance
- Lithuania: new regulations on bondholders and shareholders
- Luxembourg: simplified dissolutions – a new legal tool in Luxembourg
- Netherlands: modernizing the partnerships law
- Norway: risks in the event of a seller’s bankruptcy
- Poland: restrictions on investment land trade
- Portugal: legal framework for crowdfunding
- Russia: personal data operators face new regulatory pressure
- Serbia: update on the new Health Care Law
- Slovakia: introducing simple joint-stock company
- Spain: capital increase by in-kind contribution vs. spin-off
- Switzerland: update on company law reform / purchase price adjustment by an independent expert — fast lane or dead end?
- Turkey: maximizing dividends with interim distributions
- UK: High Court approves reverse cross-border merger
- Ukraine: establishing the Export Credit Agency
- Venezuela: examining the Exchange Control Regime
- Vietnam: amendment and supplement to the investment law
Excerpt – EU: Court of Justice rules on dynamic IP addresses
The European Court of Justice (ECJ) has weighed in on a long-debated area of data protection law by ruling that the definition of personal data extends to dynamic IP addresses.
In a ruling dated 19 October 2016 (ref.: C582/14), the ECJ found that dynamic IP addresses constitute personal data whenever the website host that processed the IP address has the legal means to obtain additional information from the provider to identify the person concerned.
Internet providers assign IP addresses to their users so that connected devices can be identified. Dynamic IP addresses are reassigned for each new internet connection, making it impossible for third parties to identify users directly.
Objective standard applies
The ruling is particularly noteworthy because the ECJ does not make the decision contingent on whether the information needed to identify the person is in the hands of a single party processing the data (the controller). Instead, it is sufficient for the controller to have the legal means to obtain the information from a third party, regardless of whether these means are actually employed.
Thus, an objective standard applies when identifying whether there is a reference to the person.
Personal data in the EU
The EU General Data Protection Regulation (GDPR), which will apply in all EU states from May 2018, also provides for an objective standard.
In Article 4(1), the GDPR defines personal data as any information relating to an identified or identifiable natural person. Identification can take place indirectly — by reference to an identifier, for example. A determination of whether a person is identifiable should take into account all the means reasonably likely to be used (Recital 26 GDPR).
Therefore, a person is identifiable if the additional information needed for identification is accessible and obtainable with a certain effort. This includes the possibility that the information must be obtained from a third party using legal means.
Implications for day-to-day business
Based on the ECJ’s ruling and in view of the GDPR, more and more data is likely to be classified as personal data, likely including identifiers or log-in information that can be related objectively to individual persons.
Such data can be processed only with statutory authorization or consent. This is particularly relevant for day-today business because companies will have to apply data protection regulations more often.
In response, companies should prepare for a broader application of the regulations and should familiarize themselves with the more stringent requirements of the GDPR.
EY Legal Services Contacts:
Rutger Lambriex – EY Global Corporate Law Leader
Stephen d’Errico – Corporate Law Leader and Editor