to the point: technology & digitalisation | October 2021

After our summer break, our newsletter is back with news and other interesting articles about technology and the law. One recent development that we wanted to share with you is the Austrian Government's tax reform, which – for certain reasons – has not yet been adopted. These reforms would have included tax savings for employee participations, a long-awaited tax measure in the Austrian start-up scene. However, the yet-to-be adopted reform was not warmly welcomed by start-ups in Austria, since it provides that Austrian employees may benefit from tax-exempted bonus payments of up to EUR 3,000 per year. The bonus may be granted as participation in the employer's success – or for any other reason. This falls below the expectations of many start-ups, similarly to the situation in Germany, where the government's tax reform appears to be unattractive as a whole. Anyways, even a small step towards tax relief and tax savings for employees is welcome, and we hope that this is only the beginning in Austria (and elsewhere). Please enjoy our newsletter and remember to subscribe.

CEO fraud or "Fake President Fraud" is a common cyber scam where an organisation is attacked via spoof attack to gather data or to defraud it. In 2016, Austria's FACC suffered from a major CEO fraud attack where the attackers tricked an employee of FACC into wiring EUR 54m to the attacker's account. FACC subsequently dismissed the CEO and CFO and sued them for damages. In a recent decision, the Austrian Supreme Court determined that although the internal payment operations of FACC were not complied with (the internal guidelines provided a two-men rule for payment authorisations, but in fact a single employee authorised payments), neither the CEO nor the CFO had any knowledge of such deficiencies. The CEO and CFO would have been liable only if they had any suspicion of the deficiencies, which was not the case. This is one of the first major rulings by an Austrian court on a cyberattack, and confirms the general view that executives are only responsible for setting up, maintaining and verifying an appropriate organisation, but not for individual non-compliances.

While it may seem that the internet has created a truly open and interconnected world, significant legal barriers remain in place, leading to digital borders in cyberspace. From a European perspective, the GDPR prescribes extensive limitations to international transfers of personal data. In particular, EU data exporters must rely on so-called "transfer tools", ensuring that the exported data will receive a level of protection equivalent to that under the GDPR.

For data exports to the US, this transfer tool was provided by the EU-US Privacy Shield agreement. But this agreement was invalidated by the ECJ in its "Schrems II" ruling, creating a legal black hole that sucked in all data transfers across the Atlantic. The ECJ noted, though, that an-other transfer tool is still available for data exports to the US: the standard contractual clauses ("SCCs") issued by the EU Commission.

In June 2021, the EU Commission revised these SCCs. All EU data exporters relying on the old set of SCCs must switch to the new set by 27 December 2022. Before entering into SCCs, how-ever, the parties are required to assess whether laws and practices applicable to the data importer may allow public authorities to access the data. This assessment must be documented and provided to the EU data protection authorities at their request.

Thus, for EU data exporters, a considerable administrative effort is inevitable. At Schoenherr, we are developing legal tech tools that will help our clients to significantly streamline these administrative efforts and safely navigate through the new legal landscape:

• On the one hand, we are developing an online tool that will make the conclusion of the new SCCs as easy as a mouse click.
• On the other hand, we are creating a highly standardised tool for assessing and documenting the local laws and practices in a document called Transfer Impact Assessment ("TIA"). Our TIA approach is designed to create a maximum level of synergy, saving costs and reducing efforts for our clients significantly.

We expect to roll out both tools by end of 2021. Please feel free to reach out if you are interested. In any case, we will keep you up to date in our newsletter!

The question of how and whether the government would also regulate the taxation of crypto assets in the "eco-social" tax reform of 2021 has now been clarified. In last week's Council of Ministers meeting it was decided that "Cryptocurrencies have developed a de facto proximity to capital assets. In order to create legal clarity, an explicit legal provision on the tax treatment of cryptocurrencies is to be made in national law. The provision is to be embedded in the existing taxation system."

This means that the special situation for crypto assets such as Bitcoin or Ethereum will probably soon be a thing of the past. Currently, crypto assets are subject to an income tax rate of 0 to 55 %, and anyone who holds them for more than a year does not pay any tax on the generated profits. However, this will now change if the Ministry of Finance no longer considers Bitcoin and other crypto assets "other (incorporeal) assets" as it did before, but rather as capital assets. In this case, this would mean the elimination of the one-year speculation period. Profits from trading in crypto assets would then be taxable regardless of the holding period but would be subject to a uniform special tax, most likely at a rate of 27.5 %, as is currently the case for capital gains.

According to voices from the Ministry of Finance, the new rules will be implemented this year. It remains to be seen how the market will react.

A Swiss company specialising in sports has taken a big step and tokenised its shares with the help of a blockchain company (Taurus) and the prestigious Swiss bank Credite Suisse to enter the digital crypto world.

For this purpose, an end-to-end encryption and management for a booking system was developed and the shares were represented as tokens on the Ethereum blockchain via a smart contract. The tokenised shares were then deposited with Credit Suisse. In this way, various legal constructs were also used to bring the tokenisation in line with the laws applicable in Switzerland and the standards of the "Capital Markets and Technology Association" (CMTA).

There is a new player in the crypto market: Mr Goxx, a little hamster who is getting ready to prove his skills in the wild crypto market.

He trades cryptocurrencies like Bitcoin, Ethereum and Doge and has already outperformed the S&P 500 since June.

Mr Goxx's owners have set up a special trading office for the furry little fellow – the Goxx Box. It contains a tiny desk with wooden charts, a wheel and two tunnels. When Mr Goxx stops running in his wheel, it stops – like a wheel of fortune – on one of the 30 cryptocurrencies. Next, the trading hamster runs through one of two tunnels equipped with weight sensors. One activates a buy order and the other activates a sell order for the cryptocurrency previously selected by the wheel.

In any case, the rodent is demonstrating astounding trading prowess. According to his Twitch channel, Mr Goxx's portfolio has increased almost 20 % since he started trading in June. Moreover, the hamster is so far outperforming Bitcoin, the Nasdaq 100 index, Warren Buffett's holding company Berkshire Hathaway, and the S&P 500 (as of 12 September).

The distinctiveness of cryptocurrencies is in their ability to enable decentralised payments. This means there is no need for an intermediary to facilitate a transaction. But before delving into crypto trading, one must exchange fiat money into one of the virtual currencies. This usually happens through an exchange or broker, run by an entity and therefore a centralised point of contact. The same goes for exchanging crypto assets into other crypto assets.

To truly decentralise the world of crypto, several decentralised exchanges have begun to crop up. One prominent example is Uniswap, a decentralised crypto exchange application that runs on the blockchain, which means it is not being operated by its creators (Uniswap Labs) but rather by itself. Literally anyone can contribute to the source code on GitHub, which (after getting peer reviewed and voted on) gets deployed on the blockchain.

Recently, the US Securities and Exchange Commission (SEC) started to investigate Uniswap Labs to look for more information on how investors use Uniswap and how the platform is marketed. This comes as no surprise, as it is a time of increased regulatory interest in cryptocurrencies and the digital asset market.

In the meantime, Jack Dorsey (co-founder of Twitter and payments provider Square) announced that Square is working on a platform for decentralised bitcoin exchanges. "We've determined [TBD's] direction: help us build an open platform to create a decentralized exchange for #Bitcoin" he posted at the end of August.

Sources: Reuters and Cryptobriefing

On 24 August 2021 the Polish Financial Supervisory Authority (Komisja Nadzoru Finansowego) published a statement regarding the use of social media by supervised entities such as commercial and cooperative banks, brokerage houses, insurance companies, stock exchange companies and investment fund companies, as well as employees of such entities (the "Statement").

The Statement is a reaction to the increase in social media engagement of supervised entities and refers to the cooperation between them and marketing agencies or internet influencers. It creates a set of ground rules for the use of social media and introduces, among others, the following principles and obligations:

• each supervised entity should create and introduce a social media use policy and publish it on its website and every social network it uses for content publishing;
• when publishing content related to the supervised activities, employees must use their business accounts only;
• before engaging in social media activity, especially communication with other users, the possibility of using the data in compliance with the law should be analysed and verified;
• information, including marketing information (analogous to the use of other communication channels), should be accurate, clear and not misleading;
• in creating and using tags, including hashtags, a supervised entity should bear in mind that they are part of an information message and often carry specific content; the context of their use should therefore meet the requirements provided for information addressed to customers or potential customers;
• in situations where a supervised entity or its employees share supervised activity-related content posted by other users on social networking sites, the supervised entity is responsible for that content.

The purpose of the Statement is to provide uniform rules for the use of social media by financial institutions. In addition to clarifying the understanding of the relevant legal regulations, the Statement also contains practical examples in the form of graphics relating to typical situations of social media use (and showing good and bad examples of such use).

The Statement is subject to public market consultation. The collected comments will be discussed during special meetings in order to incorporate them into the text of the Statement.

The recently published Draft Guidelines (available here) of the European Banking Authority (EBA) on the scope and interpretation of the limited network exemption (LNE) under the Payment Services Directive 2 (PSD2) can have a significant impact on businesses relying on this exemption (if implemented as proposed by the EBA). One of the many key proposals would restrict the use of a payment instrument across various shop brands of a retail group. Another proposal clarifies that limitations of a payment instrument re-lying on the LNE merely in the terms & conditions would not be sufficient and that a technical restriction is required.

For a full overview of the EBA's key proposals, see our latest Legal Insight (here).

After 18 years, the long-planned amendment of the Austrian Telecommunications Act (TKG) is finally going to be updated. The revised act partly implements EU requirements in line with the European Electronics Communications Code (EECC). It introduces, among other things, a uniform Europe-wide warning system for crises: warnings will be sent via text messages, for example in the event of environmental disasters. It is also intended to promote broadband expansion and ensure security in the 5G network. In line with the EECC, a "monitoring system" will be introduced for any "high-risk suppliers" in the construction of 5G networks. Those provisions – which were also part of the EECC – aim at preventing possible espionage by manufacturing countries.

The amendment also sets new standards for consumer protection. When concluding a new telecommunications service contract every customer will receive a comprehensive summary of the contract that facilitates a comparison with other offers. The newly published draft of the TKG can be found on the website of the Austrian parliament.