CEE Legal Matters

Author: admin

  • Seizure and Examination of Mobile Data and Data Carriers in Austria: Where Do We Stand and What’s Next?

    Few topics have sparked as much controversy in 2024 as the seizure and examination of mobile data carriers and the data found therein. Despite an urgent need to have the legal framework amended by the end of 2024, a new draft bill was published only on 20 November 2024. We take a look.

    The current legal framework

    If the Public Prosecutor’s Office (PPO) wants to seize objects (for evidentiary purposes, to secure civil-law claims or to secure the enforcement of property rights), the Austrian Code of Criminal Procedure (ACCP) requires that the PPO establishes the status of the suspicion on which the investigative measure is based, the objects to be seized and their relevance, and why the seizure is proportionate and necessary; in other words, why the evidentiary purpose of the measure would be jeopardised if more lenient actions would be taken. Importantly, a court order is not necessary, as opposed to house searches or surveillance measures.

    For a long time, the seizure and subsequent analysis of mobile data and data carriers was not treated any differently. Mobile data carriers were treated like “ordinary” objects, regardless of the external and internal data found when analysing them.

    However, this changed due to two decisions in particular:

    Decision by the Constitutional Court, December 2023

    On 14 December 2024 (G 352/2021), the Constitutional Court of Austria rendered a landmark verdict on whether the provisions applicable to the seizure of “ordinary” objects also apply to the seizure of mobile data and data carriers. The Court concurred with numerous experts and rejected this notion. In essence, it stated that the invasion of data protection and privacy was particularly intense, as access to a data carrier not only provided a snapshot of the person’s behaviour, but comprehensive insight into significant parts of their past and present life.

    The Court further provided a guideline on which aspects would need to be considered when amending the legal framework. Most prominently, the PPO would need to obtain an order by the respective court of first instance. Furthermore, the lawmaker would have to ensure that the analysis is comprehensible and verifiable, and the data carriers would only be evaluated to the extent necessary. It would also have to be ensured that the persons concerned received the information necessary to safeguard their rights in the proceedings. The Court also suggested implementing independent supervision, which reviewed whether the PPO or the police remained within the scope of the court order.

    The Court granted the lawmaker time until 31 December 2024 to amend the current provisions. From 1 January 2025, the current provisions on seizures of all kinds will cease to be in force.

    Decision by the ECJ, October 2024

    The uncertainty regarding the seizure of mobile data and data carriers was further aggravated by a decision of the European Court of Justice (ECJ) dated 4 October 2024 (C-548/21). This decision was based on Directive (EU) 2016/680, read in light of certain provisions of the EU Charter of Fundamental Rights.

    In the decision, the ECJ stated that mobile data and data carriers could be seized and analysed regardless of the seriousness of the offence. Therefore, such measures are not restricted only to grave offences.

    However, the ECJ then essentially took a stance previously also taken by the Constitutional Court in its earlier (and completely separate) decision, highlighting the requirement of a court order, clear and precise rules defining the type or categories of the offences concerned to ensure proportionality, and the rights of the persons concerned to be informed about the purpose of the data processing and the remedies available to them.

    Contrary to the decision by the Constitutional Court, the ECJ’s decision binds all Member States with immediate effect regarding the interpretation of the relevant EU law provisions. A national court that disregards a decision of the ECJ risks violating EU law.

    Decision by the Vienna Regional Criminal Court, October / November 2024

    Additionally, in a recent (unpublished and pending) decision by the Vienna Regional Criminal Court (332 HR 369/23 m), the Court stated that the processing of data not relevant as evidence, or of personal data not necessary for the purposes of the investigation, constitutes a violation of the law. Data resulting from such unlawful conduct must immediately be erased from the copies of data or mirror images.

    The status of the amendment of the current legal framework

    In June 2024, the Government presented a draft bill to amend the provisions on the seizure and analysis of mobile data and data carriers, which also included other amendments to the ACCP. However, due to heavy criticism, the draft bill was pulled.

    A new draft bill was published only on 20 November 2024, just in time to enable its entry into force in 2024 (subject to the passing of a resolution to that effect).

    The key points of the draft bill are:

    • Introduction of a new investigative measure for the “seizure of data carriers and data”, separating this measure from the seizure of “ordinary” objects.
       
    • Requirement of a prior court order.
       
    • Requirement to set out the data categories, period and data content by the Public Prosecutor’s Office (and court) when ordering such a measure.
       
    • Implementation of nullity sanctions (“Nichtigkeitssanktionen“) if the measure has not been lawfully ordered and authorised.
       
    • Implementation of rights for the suspects and victims to participate in the selection of relevant facts for the investigations or criminal proceedings.

     As previously, in addition to the amendment of the regime to seize and analyse mobile data and data carriers, the draft bill contains many other amendments to the ACCP, such as implementing measures to expedite pre-trial proceedings.

    In light of the recent elections in Austria, which have left the previous government that drafted the bill without a majority, it remains to be seen whether this draft bill will come into force and, if so, whether it will undergo any changes.

    Decree of the Ministry of Justice, 11 November 2024

    For the time being, legal practitioners remain in limbo about the circumstances under which the seizure and analysis of mobile data and data carriers are lawful. Addressing this legal uncertainty and attempting to offer at least a temporary solution, particularly due to the decision of the ECJ, the Ministry of Justice recently published a Decree on how the PPO are to proceed. Accordingly,

    • it must be clearly defined which data categories and data contents are to be analysed in relation to which period and for which investigation purposes. If certain data were not explicitly included when they were originally seized, a separate order for their analysis is required; if further data need to be analysed, the act must again be legitimised by a separate order.
       
    • in cases in which access to potentially all data stored on a carrier not only provides a selective picture of the behaviour of the suspect or person concerned, a court order should be obtained;
       
    • a transparent approach to the analysis of the data must be ensured and the accused must be given the opportunity to contribute to the search for exculpatory material, by providing relevant data categories and suitable search selectors; and
       
    • personal data that has been collected and became part of the investigation file in contravention of the provisions of the ACCP must be deleted ex officio.

    The subordinate authorities (in particular the PPO) are bound by the provisions of the Decree, provided these do not contradict the laws.

    Conclusion

    Seizures and analysis of mobile data and data carriers are a fundamental part of criminal investigations and beyond. Therefore, it is to be hoped that the lawmaker will soon amend the current legal framework by addressing the courts’ concerns.

    Whatever the outcome, it is to be expected that any legal framework that comes into force will be thoroughly challenged by those individuals and legal entities affected by such measures.

    By Oliver M. Loksa, Counsel, Schoenherr

  • CCAO Advises TSKB on Financing Facilities for Metafor Yenilenebilir Enerji and Knot Enerji

    CCAO has advised Turkiye Sinai Kalkinma Bankasi on financing facilities to Metafor Yenilenebilir Enerji and Knot Enerji for their respective solar and hybrid solar energy power plant projects. 

    TSKB is the Industrial Development Bank of Turkey.

    Metafor Yenilenebilir Enerji and Knot Enerji, subsidiaries of Is Enerji, develop energy projects.

    The CCAO team included Partner Onur Taktak, Senior Associate Onur Gorkem Koksal, and Associates Ecem Ozbek and Can Demirkan.

  • Arina Stivrina Joins Walless as Associate Partner

    Evo Legal Founder Arina Stivrina has joined Walless’ Latvia team as an Associate Partner.

    Before joining Walless, Stivrina spent six months at the helm of Evo Legal. Before that, she was with TGS Baltic as an Associate between 2019 and 2022 and as a Senior Associate and Co-Head of Data Protection and Technology between 2022 and 2024. Earlier, she was a Lawyer with Triniti between 2017 and 2019.

    According to Walless, “Arina brings extensive expertise in business law, data protection, IT law, intellectual property, and litigation. The Walless team is excited to welcome Arina aboard and looks forward to the valuable contributions she will bring to both the firm and its clients.”

  • CMS Advises Goldbach Group on Sale of Goldbach Austria to Azerion

    CMS has advised Goldbach Group on the sale of Goldbach Austria to Azerion.

    The transaction remains contingent on regulatory approval.

    Zurich-based Goldbach Group is a marketer and broker of digital and linear advertising in Switzerland, Germany, and Austria.

    Azerion is a digital advertising and entertainment media platform. 

    The CMS team included Partners Alexander Rakosi and Dieter Zandler, Attorneys at Law Marie-Christine Lidl and Lisa Oberlechner, and Associate Alexander Sommergruber.

    Editor’s Note: After this article was published, CEE Legal Matters learned that Cerha Hempel advised Azerion. The firm’s team included Managing Partner Clemens Hasenauer and Partner Harald Stingl.

  • Cobalt Advises Latvenergo on Acquisition of DSE Aizpute Solar

    Cobalt has advised Latvenergo on its acquisition of DSE Aizpute Solar from developer Danish Sun Energy ApS. Sorainen reportedly advised the sellers.

    Latvenergo is a Latvian energy company.

    According to Cobalt, “the transaction paves the way for the construction of a solar power plant with a total capacity of 265 megawatt-peak by the end of 2025. The total construction costs of the solar park are estimated at up to EUR 135 million. The solar park project involves the construction of a new substation, Cirava, which will connect to a 330-kilovolt high-voltage line of the Latvian national grid.”

    The Cobalt team included Partners Gatis Flinters, Dace Silava-Tomsone, and Sandija Novicka, Senior Associate Martins Tarlaps, and Associates Toms Dreika, Krista Helmute, and Vadims Zvicevics.

  • Lakatos, Koves and Partners Advises Green Power Investment on Sale of Two Hungarian Photovoltaic Projects

    Lakatos, Koves and Partners has advised Green Power Investment on the sale of two Hungarian photovoltaic projects with a combined capacity of 7.7 megawatts to an unidentified Austrian investor.

    Green Power Investment is a Czech Republic-based renewable energy company.

    The Lakatos, Koves and Partners team included Partner Adam Mattyus, Lawyers Kornel Dirner and Julia Varkonyi, and Trainee Lawyer David Nagy.

    Lakatos, Koves & Partners could not provide additional information on the matter.

  • Today is the Deadline for Early Submissions for the Deal of the Year: FAQ and Best Practices

    Submissions received by COB today will receive feedback, so if you are contemplating putting deals forward for consideration, this is your opportunity to also learn what could be done to improve your submission.

    The full submission guidelines and instructions on submitting deals are here.

    As many of you know, CEELM hosted a Townhall this Wednesday. Below is a summary of some of the questions raised during the session or sent via email in the past few days, followed by the two main pieces of advice from our side looking at past submissions in hopes it’ll help you with your submissions:

    FAQ

    Q: What is the difference between early (today) and normal submissions (January 10)?

    A: Submissions received by COB today will also receive feedback. Those received past today until January 10 will only receive a receipt confirmation. 

    Q: Can we have a deadline extension?

    A: We are running a very tight schedule (already preparing the juror panels in fact). We’re not able to offer extensions. 

    Q: How many deals can I submit?

    A: Any firm can submit up to three (3) deals per country, independent of whether they have an office in that jurisdiction or not.  

    Q: Can I submit the same deal for multiple countries?

    A: Yes. Simply fill in the submission form again and change the country for which you’d like the deal to be considered.

    Q: Can I submit confidential deals?

    A: No. And do not include confidential matters in the submission form and mark them as “confidential”. Submissions are passed to the jurors (all external to CEELM) as received. 

    Q: Can I submit a deal if the value is confidential?

    A: The precise value of the deal does not need to be included in your submission – see the next Q/A

    Q: What is the ranking criteria?

    A: We ask our jurors to take a holistic look at each deal and consider the deal size/value, its complexity and novelty, its impact on the jurisdiction for which it is considered, and its impact on the wider CEE region. While you may not be able to disclose the specific value, feel free to offer ranges or indicators (e.g., the target was the largest retailer by revenue in Country X). 

    Q: What qualifies as a deal? Does it have to be a pure M&A deal?

    A: No. The only types of matters that CANNOT be considered are disputes. Beyond that, past shortlisted/winning deals have included traditional M&As, financings, refinancings, restructurings, PPPs, infrastructure projects, concessions, IPOs, bond issuances, etc. Ongoing advisory work (e.g., ongoing labor law advice) is not project/transactional in nature, and thus would be unlikely to be considered.

    Q: Does the deal need to be reported on by CEELM to be eligible?

    A: No, it does not.

    Q: If the deal is signed but not closed yet, is it eligible?

    A: No. Only deals closed between January 1, 2024, and December 31, 2024, are eligible. 

    Best Practices 

    1. Focus on the deal, not your firm

    Jurors are asked to rank the deals, not the firms working on them. Too many firms either simply copy/paste their press releases on a deal or waste limited word count on talking up their firm (or listing their lawyers who worked on the matter). Focus on the significance of the deal itself. 

    2. Show, don’t say

    Too often, submissions state a deal is “groundbreaking” and involves “leading companies.” Most deals competing will tick off those boxes – that’s why they are put forward. Tell jurors what the complexities of the deal were, what novelties were involved in the deal, and what makes the company(ies) involved “leading” ones, be it its size, revenue, market share, etc. 

    The submissions online form includes all other relevant instructions but, if you have any questions please contact CEE Legal Matters’ Managing Editor, Radu Cotarcea, at radu.cotarcea@ceelm.com

    Good luck, one and all! 

  • Albania’s Privacy Reform: Exploring Key Proposals in the Draft Data Protection Law

    The long-anticipated initiative to establish a new legal framework for personal data protection in Albania is finally moving forward, as the Council of Ministers has approved a draft law that aligns closely with the European Union’s General Data Protection Regulation (GDPR). This proposed legislation promises to bring significance in this important but frequently underappreciated legal domain. With its comprehensive approach and alignment with EU standards, the new law aims to greatly improve privacy protection in the national context.

    Broadening the Scope and Applicability

    A defining characteristic of the draft law is its expanded and clarified scope compared to the current legislation. Under the current law, data protection rules apply to Albanian controllers and foreign ones using undefined “means” within Albania’s territory, leaving foreign controllers uncertain as to whether they must comply with Albanian regulations.

    The draft law eliminates this confusion by broadening the scope of applicability to foreign controllers situated outside Albania if their processing activities relate to offering goods or services to or monitoring the behaviour of data subjects within Albania.

    The reframing of the scope addresses a long-standing ambiguity regarding the applicability of the national legislation to certain foreign controllers, aligning with GDPR’s extraterritorial reach.

    Strengthened Definitions and Consent Requirements

    The draft law enshrines a refined set of definitions that echo key GDPR concepts but most distinctively introduces essential terms such as “pseudonymization,” “profiling,” and “data minimization,” all of which are absent in the current Albanian law. Furthermore, it delineates between subcategories of personal and sensitive data by including definitions for biometric, genetic, criminal, and health data, enabling a better understanding of the data that comprise each category and mitigating any implementation difficulties.

    The draft law also sets forth more stringent requirements around data subject consent. While a written form is not necessarily required, controllers have the burden of proof to demonstrate that the consent was freely given, duly informed, unambiguous, given particularly for data processing and separated from other consents or agreements; for example, consent to process data for account registration cannot simultaneously serve as consent for marketing activities, ensuring transparency and genuine choice for data subjects.

    Local Representatives Instead of Prior Notifications

    Under the current law, all data controllers—both Albanian and foreign—are required to file a notification with Albania’s Data Protection Commissioner (the “Commissioner”) before commencing data processing activities. Such notification should contain a summary of the planned processing activities. However, the draft law removes this general notification requirement. Instead, it introduces a new obligation specifically for foreign controllers: they must appoint a local representative in Albania. This representative should be registered with the Commissioner and will serve as the point of contact for both the Commissioner and Albanian data subjects, ensuring greater accountability and local accessibility for foreign entities engaging with Albanian data subjects.

    Data Protection Officer (DPO): Ensuring Compliance and Independence

    Under the new law, certain entities must appoint a Data Protection Officer (DPO) to oversee compliance, act as a liaison with the Commissioner, and address data protection concerns raised by data subjects. This requirement applies to (i) public authorities, (ii) entities engaged in large-scale monitoring of data subjects, or (iii) those processing sensitive data such as health records or criminal information. DPOs are granted full operational independence, reporting directly to top management and protected from dismissal or penalties related to their duties. This role serves as an important check on data processing activities, fostering trust and accountability in data handling practices.

    Expanded Data Subject Rights

    The proposed legislation also expands the range of rights afforded to data subjects, granting them more control over their personal data. While the core rights of access, rectification, and erasure remain intact, the draft law envisages additional rights, most notably the right to data portability and the right to be forgotten. The latter enables data subjects to request the deletion of personal data under specific conditions, strengthening privacy in a digital era where data traces are often permanent, and their usage is not rarely abusive. Meanwhile, the right to data portability, applicable when data processing is automated and based on consent or contracts, grants data subjects the ability to easily receive and transfer their data across controllers and platforms. 

    Responsibilities of Controllers and Processors

    Another key component of the new law is the shift from modest requirements governing controller-processor relationships to a framework with significantly strengthened obligations. In this context, a material novelty are the provisions regulating the relationships between multiple controllers, which are set to resolve past challenges associated with assigning responsibility among entities that jointly determine the purposes and means of processing. Should the draft law be enacted, these entities will be required to formalize their cooperation through agreements that clearly delineate their respective obligations, with the main provisions of these agreements made accessible to data subjects.

    Incorporating the Privacy by Design and by Default Principles

    Similar to GDPR, the draft law also introduces the principles of Data Protection by Design and Data Protection by Default, which require controllers to integrate data protection measures into every stage of their operations.

    Data Protection by Design dictates that controllers implement and maintain appropriate safeguards from the outset, such as pseudonymisation (masking identifiable information) and data minimisation (restricting data collection to only what is strictly necessary). For example, if a mobile app collects location data, it may only store general location information instead of precise coordinates, thereby reducing the sensitivity of the stored data and minimising exposure risks. Complementarily, Data Protection by Default requires that, by default, only essential data processing is conducted. This means users’ privacy settings should start at the highest level of protection. For instance, a social media platform might initially hide profile details from public view and only display them with the user’s explicit consent, thus ensuring that personal information remains protected unless the user decides otherwise.

    Personal Data Breach obligations

    Controllers must document all data breaches and notify the Commissioner of those likely to impact data subjects, within 72 hours of detection. In addition, data processors will have to notify the controllers of the breach without undue delay. If a breach poses high risks to data subjects’ rights or freedoms, the controller must promptly inform the affected parties, unless appropriate protective measures, such as encryption or additional safeguards, have been implemented to reduce the risk. In cases where individual notifications would impose an excessive burden, the controller may opt for a public announcement or similar measure to notify data subjects.

    Supervision and Penalties

    The Commissioner’s role as a supervisory authority is solidified, with an extended renewable seven-year term to ensure continuity. However, the qualifications required for this role seem exceptionally high—arguably to an excessive degree—potentially limiting the pool of eligible applicants and risking unnecessary barriers to entry for otherwise capable candidates.

    Severe financial penalties are prescribed for significant data breaches, with fines for non-compliance potentially reaching up to 1 billion ALL (approximately EUR 10.2 million) or, for corporate entities, up to 2% of global annual turnover. For particularly egregious violations, such as unauthorised international data transfers or breaches of fundamental data processing principles, penalties can double, reaching 2 billion ALL (approximately EUR 20.4 million) or up to 4% of global annual turnover, whichever is higher. To understand the scale of these punishments, it would be sufficient to recall that currently, the highest fine is just a fraction of the above, specifically 2 million ALL (approximately EUR 20,000). Moreover, data subjects harmed by data misuse—whether financially or otherwise—are entitled to seek compensation from responsible controllers or processors.

    As noble as the commitment to raise awareness and promote accountability in the field of data protection is, it would hardly be an overstatement to claim that the severity of penalties lacks a sense of proportionality, particularly for smaller businesses in Albania, where such amount of fines could lead to gross financial hardship.

    What’s to Come?

    As of the present moment, the draft law has received approval from the Council of Ministers and is set to proceed through the formal legislative process. Given its status, it remains uncertain when the law will be fully enacted, or whether it will endure additional modifications or amendments to its provisions. However, what is certain is that if passed, it will have a lasting effect on Albania’s legal landscape.

    The information in this document does not constitute legal advice on any particular matter and is provided for general informational purposes only.

    By Anisa Rrumbullaku, Partner, and Sirius Tartari, Associate, Karanovic & Partners

  • Potamitis Vekris Advises Eurobank on Asset Management Agreements with Cerved

    Potamitis Vekris has advised Eurobank and Eurobank Leasing Single Member on asset management agreements and service level agreements with Cerved Property Services Single Member regarding the management of Eurobank Group’s real estate portfolio.

    Cerved Property Services is part of Italy-based Cerved, an information technology company.

    The Potamitis Vekris team included Partners Alexandros Metallinos and Theologos Mintzas and Associates Lucy Levi and Elisabetta Lentsiou.

    Potamitis Vekris did not respond to our inquiry on the matter.

  • Baker McKenzie and Esin Attorney Partnership Advises DFDS on Acquisition of Ekol Transport

    Baker McKenzie and its Turkish affiliate Esin Attorney Partnership advised DFDS on its acquisition of Ekol Transport and the international transport network connecting Turkiye and Europe from Ekol Logistics and individual sellers led by founder Ahmet Musul. Caliskan Okkan Toker reportedly advised the sellers.

    DFDS is a Danish international shipping and logistics company.

    According to Esin Attorney Partnership, Ekol Transport conducts international transportation business in Europe with more than 10 subsidiaries established in Germany, Italy, Spain, Poland, Hungary, France, the Netherlands, Greece, Romania, and Slovenia.

    The Esin Attorney Partnership team included Managing Partner Eren Kursun, Partner Orcun Solak, and Associates Mehmetcan Atasoy, Batuhan Hamamcioglu, Hilal Aydin, Kaan Karagol, and Bera Pektas.

    The Baker McKenzie team included Warsaw-based Managing Partner Weronika Achramowicz and Associates Michal Pakosz, Hanna Wiejowska, Anna Pawluczuk, and Mikolaj Karniszewski, Budapest-based Partner Akos Fehervary and Associate Nora Zsuzsanna Kovacs, as well as further lawyers in Germany, Italy, Spain, Hungary, France, and the Netherlands.

    Editor’s Note: After this article was published, Caliskan Okkan Toker confirmed its involvement to CEE Legal Matters. The firm’s team included Partners Sezer Caliskan and Mustafa Toker and Senior Associate Hazal Boduroglu.

    Additionally, Zepos & Yannopoulos announced that it had advised DFDS. The firm’s team included Partner Stefanos Charaktiniotis, Senior Associates Elpida Karathodorou and Anastasia Veneti, and Associate Rania Koliouli.