Category: Serbia

  • New Legal Framework for Personal Data Transfer Between the EU and the US – déjà vu?

    On July 10, 2023, the European Commission adopted a new mechanism for personal data transfer between the EU and the US – the Decision no. C (2023) 4745 (“the Decision”), which stipulates that the US provides an adequate and appropriate level of protection, i.e., one that corresponds to the level existing in the EU, for personal data transferred from the EU to US companies, without the obligation to undertake any further protective measures. The Decision entered into force and started to apply on the day of its adoption.

    However, this (third) attempt of the European Commission to establish the subject mechanism will probably be (re-)discussed before the European Court of Justice (“CJEU”). According to NOYB, the organisation of privacy activists, whose founder Max Schrems achieved the cancellation of previous mechanisms (judgements of the CJEU known as Schrems I and Schrems II), the arrangement established by the Decision is largely a copy of the Privacy Shield.

    As a reminder, Privacy Shield is a legal mechanism used since 2016 as a basis for transfer of personal data from the EU to the US, which was put out of force by the decision of the CJEU of July 16, 2020 (when the decision of the European Commission 2016/1250 on EU-USA Privacy Shield arrangement was declared invalid).

    In 2016, the Privacy Shield itself replaced the Safe Harbour Privacy Principles, a legal document adopted by the EU and the US, which, like the Privacy Shield, enabled controllers established in the US to certify under certain terms as safe controllers of personal data originating from the EU.

    Privacy Shield issues

    As we have already written in one of our previous articles (available here), Privacy Shield arrangement was abolished because there was a direct conflict between extensive powers of the authorities established by the US regulations on one side and fundamental rights guaranteed in the EU on the other side. In other words, it did not allow data subjects to exercise protection before an independent body, nor did it provide guarantees equivalent to those requested by the EU regulations, such as independence in work and legal force of the decisions that would be binding upon the US intelligence services.

    Namely, while the US regulations (e.g., Foreign Intelligence Surveillance Act, i.e., FISA) are extremely restrictive with regard to personal data protection (i.e., enable significant interference with individuals’ privacy), the EU regulations since 1995 allow the transfer of such data outside the EU only if there is substantially equivalent protection in the destination country.

    Content of the Decision

    According to the information from the website of the European Commission, the new EU-US data privacy framework introduces new binding safeguards, which remove the reasons for which the CJEU abolished the Privacy Shield arrangement, including limited access to the EU data by the US intelligence services to what is necessary and proportionate, and establishing a Data Protection Review Court, to which EU individuals will have access.

    The new framework introduces significant improvements compared to the mechanism that used to exist within the Privacy Shield. For instance, if the Data Protection Review Court establishes that data were collected contrary to the new safeguards, it will be allowed to order their deletion.

    According to the new mechanism, the US companies (as data recipients) will have access to it upon certification, i.e., by undertaking to abide by a series of rules and obligations established thereunder, such as the obligation to delete data once they become obsolete, as well as to ensure continuous data protection in case of sharing with third parties.

    In addition to the Data Protection Review Court, the new framework provides for other redress mechanisms to individuals in case of personal data infringement, i.e., through arbitration procedure.

    Position of the NOYB

    However, according to NOYB, this latest attempt to regulate personal data transfer between the EU and the US does not introduce any substantial but rather cosmetic changes. For instance:

    • Although processing of personal data originating from the EU by the US intelligence services is formally limited to what is necessary and proportionate, NOYB deems that the notion “proportional” is differently interpreted in the US compared to the EU regulations and position of the CJEU on that matter, which may be a basis for future disputes;
    • The US failed to amend the FISA rules, notably Section 702, which refers to surveillance by competent US authorities over individuals outside the US through providers of electronic communication services, which rules are particularly problematic from the aspect of EU regulations.

    In general, NOYB finds that the changes introduced by the Decision compared to the Privacy Shield are not at a satisfactory level, hence it announced that it will challenge the new framework before the CJEU. It therefore remains to be seen whether there will be a Schrems III judgment in the future.

    Significance of the EU decision on adequate level of personal data protection in the US for transfers from the Republic of Serbia to the US

    When it comes to transfer of personal data between the Republic of Serbia and the US, the Decision on the List of countries, parts of their territories, one or several sectors of certain activities in such countries and international organisations which are deemed to have adequate level of personal data protection (Off. Gazette of RS no. 55/2019) established that the transfer of personal data from Serbia to the US is limited to the “Privacy Shield framework“.

    Although the Privacy Shield arrangement was put out of force back in 2020, the stated decision has not been accordingly amended in the meantime.

    Having in mind that the said decision still contains identical wording regarding the transfer of personal data to the US (limited to “Privacy Shield framework”), one can say that it also encompasses the legal framework, i.e., mechanism that has replaced the Privacy Shield, hence such transfer is allowed to the US companies that are certified in terms of the Decision.

    However, it remains to be seen what position shall be taken by the Commissioner for Information of Public Importance and Personal Data Protection.

    This article is to be considered as exclusively informative, with no intention to provide legal advice. If you should need additional information, please contact us directly.

    By Ivana Ruzicic, Managing Partner, and Lara Maksimovic, Senior Associate, PR Legal

  • JPM & Partners Successful for Colas Rail in Arbitration

    JPM & Partners has successfully represented the interests of Colas Rail in an arbitration proceeding against a subcontractor and its bank.

    Colas Rail is a railway construction company.

    According to JPM & Partners, “the arbitration involved a significant dispute against a subcontractor and its bank with reference to damages arising in connection to the breach and violation of the subcontract agreement as well as an unlawful discount of the promissory notes issued as collateral.”

    The JPM & Partners team included Partner Djordje Novcic, Senior Associate Ivana Petkovic, and Associate Dusan Zegarac.

  • Advancing Sustainability and Circular Economy: New European Regulation on Batteries and Waste Batteries

    On July 10, 2023, the Council of the European Union (“Council”) officially adopted the Regulation of the European Parliament and of the Council concerning batteries and waste batteries (“Regulation”). This Regulation covers the entire battery life cycle, from production to reuse and recycling, aiming explicitly at safety, sustainability, and enhancing competitiveness.

    The Regulation applies to various battery types, including waste portable batteries, electric vehicle batteries, industrial batteries, and starting, lighting, and ignition (“SLI“) batteries primarily found in vehicles and machinery. It also extends to batteries designed for lightweight modes of transport, such as electric bikes and e-scooters.

    The adoption process for this Regulation commenced in December 2020 when the European Commission proposed it. The proposal aimed to improve the operation of the domestic market, promote the concept of a circular economy, and mitigate the environmental and social impacts across every phase of a battery’s lifespan. This initiative links with the European Green Deal, the Circular Economy Action Plan, and the New Industrial Strategy.

    The Regulation outlines several key measures. First, it actively encourages the recycling and proper disposal of portable batteries. This comprehensive framework establishes ambitious targets for battery collection rates, emphasizes the recovery of valuable materials like lithium, and mandates minimum levels of recycled content for various battery types. The Regulation aims to foster a more sustainable approach to battery production and management by implementing these measures. The Regulation establishes specific targets for battery producers to ensure the collection of waste portable batteries: at least 63% by the end of 2027, increasing to 73% by the end of 2030. It also introduces specific collection goals for waste batteries used in lightweight transportation, requiring a minimum collection of 51% by the end of 2028, and an increased target of 61% by the end of 2031.

    The Regulation recognizes lithium’s importance in battery production, setting targets for its recovery from waste batteries: an initial 50% recovery rate by the end of 2027, rising to 80% by the end of 2031. These targets are adjustable to accommodate market and technological advancements, as well as the availability of lithium.

    The Regulation introduces mandatory minimum levels of recycled content for different battery categories to promote a circular economy and reduce reliance on virgin materials. Industrial, SLI and Electric Vehicle batteries are subject to these requirements. The minimum recycled content levels are initially set as follows: 16% for cobalt, 85% for lead, 6% for lithium, and 6% for nickel. Furthermore, batteries are required to provide documentation attesting to their recycled content.

    In addition, electric vehicle batteries, batteries for lightweight modes of transportation, and rechargeable industrial batteries above 2 kWh capacity must now have mandatory carbon footprint declarations and labeling. The design of portable batteries in appliances should also be simplified to facilitate easy removal and replacement by consumers.

    The Regulation also introduces digital battery passports and QR codes, which will provide consumers with information regarding batteries’ main characteristics, including their capacity and the amount of certain hazardous substances present. In this way consumers are enabled to make informed decisions when buying and discarding batteries.

    The Regulation introduces strict due diligence regulations for operators, requiring them to verify the origin of raw materials utilized in batteries made available in the market. It is important to note that the Regulation includes a provision that exempts small and medium-sized enterprises (SMEs) from complying with the due diligence rules.

    The Council’s vote marks the conclusion of the adoption process. The Regulation will now be signed by the Council and the European Parliament, followed by its publication in the EU’s Official Journal. It is set to take effect 20 days after publication. Our ESG team will follow the impact of the Regulation on Serbia and the region – so stay tuned.

    By Nemanja Sladakovic, Senior Associate, and Milica Novakovic, Associate, Gecic Law

  • EU’s Foreign Subsidies Regulation Starts to Apply

    The Foreign Subsidies Regulation (FSR), one of the EU’s latest state aid instruments, entered into force on January 12, 2023. Now, after six months, it starts to apply. This regulation establishes rules to govern foreign subsidies that could distort the EU’s internal market. It empowers the European Commission (“Commission”) to investigate financial contributions provided by non-EU countries to companies operating in the EU. If these contributions are found to be distortive subsidies, the Commission can enforce corrective measures to remedy these effects.

    Our team provided a thorough overview of the regulation and its implications in this article. In short, the FSR’s scope encompasses concentrations, public procurements, and all other market situations, introducing three tools:

    The first tool allows the Commission to investigate concentrations which involve financial contributions from governments of non-EU countries, where at least one of the undertakings concerned is established in the EU and generates an aggregate turnover of at least EUR 500 million in the EU, and the combined aggregate financial contributions granted to the undertakings concerned exceeded EUR 50 million in the past three financial years.

    The second tool enables the Commission to scrutinize bids in public procurement procedures that include financial contributions from non-EU governments, where the estimated contract value is at least EUR 250 million, and the bid involves a foreign financial contribution of at least EUR 4 million per third country in the three financial years prior to the notification.

    The third tool permits the Commission to investigate other market situations on its own initiative (ex-officio review). If there is a suspicion that a specific foreign subsidy may be harmful to the internal market, this tool allows the Commission (1) to request data regarding the problematic subsidy from market participants under investigation or other market participants, during preliminary review, and (2) to conduct inspections within and outside the EU to gather the relevant data, if necessary.

    Regarding notifiable concentrations and public procurement procedures, the Commission can investigate foreign subsidies provided up to three years before the transaction. The FSR will not apply to concentrations concluded and public procurements initiated before July 12, 2023. In all other instances, the Commission can examine subsidies given up to 10 years in the past. However, the FSR only applies to subsidies granted within the five years preceding July 12, 2023, if such subsidies distort the Single Market after the start of application.

    The FSR also introduces a “balancing test” for assessing whether the benefits of subsidies outweigh the potential adverse effects on the EU market. Therefore, if the Commission finds that there is a foreign financial contribution with distortive effects, it will weigh its negative distortive effects against its positive impact to determine redressive measures.

    In the ensuing months, we anticipate further developments related to the FSR. Specifically, the notification obligation for companies will become effective as of October 12, 2023. Thus, companies receiving foreign financial contributions in non-EU countries and operating in the EU should be mindful of this new EU legal instrument.

    Stay tuned for more updates!

    By Branko Gabric, Counsel and Dusan Jablan, Associates, Gecic Law

  • The Court of Justice of the EU: Competition Authorities May Examine Infringement of Personal Data in the Context of Monopoly Position of the Controller

    In one of our previous texts (available here) we wrote about the connection between the protection of competition and protection of personal data, namely whether competition authorities may consider infringements of personal data in their investigations.

    In relation thereto, below we present a text regarding a judgment of the Court of Justice of the EU (“the CJEU”) enacted on July 4, 2023, in a case pertaining to company Meta, the owner of Facebook (CJEU – C-251/21 Meta Platforms and Others v Bundeskartellamt), according to which competition authorities, while examining the abuse of dominant position, may decide on (non)compliance of activities of a business entity with provisions of the GDPR (“the Judgment”).

    Circumstances of the case

    Namely, company Meta (Meta Platforms Ireland), as mentioned before, provides the service of social network Facebook, while other companies within Meta group provide the services of other networks, i.e., applications (such as Instagram and WhatsApp).

    The business model of this company implies, among other things, personalised advertising on Facebook based on detailed analysis of activities of the users of this application and other online services provided by Meta group. Namely, the users provide their personal data upon registration on Facebook, whereas Meta also collects users’ data through other services rendered by companies from this group and through third parties’ applications, i.e., from other web locations. All these data are subsequently linked to the users’ accounts and such aggregate view of the data allows Meta to draw detailed conclusions about users’ preferences and interests.

    The said data are processed by Meta based on agreement to which the users of Facebook adhere when they accept the general terms of use (which need to be accepted to use the social network concerned).

    The German Federal Cartel Office (Bundeskartellamt), as competent competition authority, brought proceedings against several companies from Meta group (Meta Platforms, Meta Platforms Ireland and Facebook Deutschland) and passed a decision prohibiting the stated companies from making, through their general terms, the use of Facebook subject to the processing of their off-Facebook data, as well as from processing the data without the users’ consent, finding that such processing constitutes an abuse of dominant position of Meta company on the market of online social networks in Germany. The reason for such decision is based on principles and provisions of the GDPR and the authority concerned deems that such processing is neither founded nor justified in the light of Article 6(1) and Article 9(2) of the GDPR.

    Meta brought an action against the decision before the Higher Regional Court in Düsseldorf and the latter subsequently referred the matter to the CJEU for a preliminary decision.

    Findings of the Court

    Following are the key statements of the Judgment.

    Firstly, the CJEU took the position that, in the context of examining the abuse of dominant position of a business entity on a market, it might be necessary that a national competition authority examines whether the practice of such entity is in line with other rules, i.e., those that do not strictly refer to the protection of competition, such as the GDPR for example.

    Accordingly, the CJEU established that, under the provisions of Article 51 of the GDPR and Article 4(3) of the Treaty on the EU, a national competition authority may establish that a business entity’s general terms of use and their application are not in conformity with the GDPR, when this is necessary to examine the existence of abuse of dominant position.

    If a business entity’s actions, that are subject to examination by a competition authority as regards their compliance with the GDPR, were previously examined by a personal data protection authority or a court, the competition authority may not waive such decision. Namely, the respective authority shall be obliged to consider such position, however it may draw its own conclusion from the aspect of regulations on the protection of competition.

    In this case, the CJEU considered and established that collection of personal data by means of interfaces, cookies or similar technologies – data on users’ visits to certain websites and applications, the linking of those data with the user’s account and the use of those data by the operator of the social network, must be regarded as processing of special categories of personal data in terms of Article 9 of the GDPR.

    As a rule, such processing is prohibited, subject to derogations provided for in Article 9(2) of the GDPR.

    In addition, the CJEU examined whether the processing activities performed by companies of Meta group are based on appropriate legal grounds in terms of Article 6(1) of GDPR and established that the processing related to the enforcement of the agreement concluded with users shall only be legitimate providing that it is objectively indispensable. This is the case when the main subject, i.e., aim of the agreement cannot be achieved without the processing concerned.

    In relation thereto, the CJEU expressed doubt as to whether Meta meets the stated requirements and noted that, in the absence of the data subject’s consent, personalised advertising by which Facebook finances its operations cannot support legitimate interest as legal grounds for data processing in terms of the GDPR.

    Finally, the CJEU found that the fact that the social network operator, as controller of personal data, holds a dominant position in a market does not prevent the users of the stated network from providing valid consent to processing of their personal data by virtue of Article 4(11) of the GDPR.

    However, given that such position may influence the freedom of choice of the users and/or create a distinctive imbalance between them and the data controllers, the CJEU underlined that this is an important factor for establishing whether the consent is legally valid, in particular freely given (which is for the controller to prove).

    By Ivana Ruzicic, Partner, and Lara Maksimovic, Senior Associate, PR Legal

  • Online Portal for Freelancers in Serbia is Launched

    On 30 June 2023, the web portal for freelancers operated by the Tax Administration was launched. 

     

    The main purpose of the portal is to enable freelancers to submit their tax returns. More precisely, the portal allows the following persons to submit tax returns:

    • Serbian natural person – resident of the Republic of Serbia, who realizes income by working in the Republic of Serbia, from a payer of income from abroad (legal entity, entrepreneur, or natural person), or Serbian natural person or other entity that at the time of payment of income does not calculate and pay taxes and contributions in the Republic of Serbia; or
    • Serbian natural person – resident of the Republic of Serbia, who realizes income by working in another country from a payer of income from abroad (legal entity, entrepreneur or natural person) or other entity that at the time of payment of income does not calculate and pay taxes and contributions in the Republic of Serbia; or
    • foreign natural person – non-resident, who realizes income by working in the Republic of Serbia, from a payer of income from abroad (legal entity, entrepreneur or natural person) or other entity that at the time of payment of income does not calculate and pay taxes and contributions in the Republic of Serbia.

    On top of this, the portal offers a number of useful tools related to the tax regime applicable to freelancers. For instance, you can find the self-assessment test on the portal, which should tell you whether you are able to submit the tax returns via the portal. The portal also has an online informative calculator of taxes. Apart from these, the portal contains important information related to the tax regime of freelancers, such as useful documents, Q&A, link for accessing the CROSO website, etc.

    By Sava Draca, Milijana Tomic and Katarina Tomic, Senior Associates, Karanovic & Partners

  • The Legality of SKY ECC Evidence: A Controversy Over Privacy and Fair Trials

    After the roundtable discussion organized by the Lawyer’s Academy of the Serbian Bar Association on the topic of SKY ECC communication as evidence in criminal proceedings on June 29, 2023, we summarize the key conclusions on an extremely relevant issue – SKY ECC hacking.

    For those who are not familiar, data from the messaging encryption platform SKY ECC has recently been “intercepted” by the police in a somewhat unclear procedure. This has resulted not only in the arrest of many suspects but also in the media disclosure of the content of their exchanged messages, without any verification of their authenticity.

    This highly controversial situation has sparked numerous debates, as it revolves around a “story” that lacks supporting evidence. With the introduction of prosecutorial investigations and the burden of proof lying on the prosecution’s side, it is no longer sufficient to simply “know what happened.” What is “known” must be proven through subjective and material evidence.

    SKY ECC serves as a sort of police testimony, mostly unsupported by any subjective or material evidence, which is currently used to detain the accused. As per our experience and the words of attorney Miodrag Stojanović (Republika Srpska) and attorney Bojana Franović Kovačević (Montenegro), Balkan prosecutors openly admit that they have no other evidence beyond SKY ECC communication (hence the media sensationalism).

    One of the fundamental rights that each of us should have is the right to a fair trial. This right is guaranteed as a standard by international legal instruments and constitutions of many countries worldwide. Even if the accused is charged with a serious criminal offense, it is essential to ensure their right to defense and a fair process, including the right to legal representation, access to evidence, and the presumption of innocence.

    However, the collective conclusion of the roundtable is that despite the evident violation of communication privacy, the use of SKY ECC communication is perceived as a technological victory of the police in the war against organized crime.

    Regardless of the fact that these messages have provided crucial context against the accused, they still have the right to defense and the right to challenge the evidence. But what happens when there is no such evidence?

    The defense has the right to investigate how the messages were obtained and to raise questions about their authenticity and integrity. However, if it is not allowed for a police officer to testify, for example, “…the accused confessed everything to us, but when the lawyer arrived he changed his mind…”, then why even discuss it? The courts have previously refused to admit such evidence during the proceedings at all.

    However, in the cases based on SKY ECC communication, it will be treated throughout the trial as justification for detention and in hope that during the long-term detention, some corroborating evidence may appear. So, what’s the difference and the reason for this? Technological advancement. 

    Excessive surveillance and privacy breaches occur daily for all of us. The “hacking” of the SKY ECC platform is presented as a bitter pill we should swallow, as it is directed “only” against organized crime. However, this situation opens the doors to abuse and violations of the rights of many innocent individuals who are not subjects of any investigation but may become targets of subsequent “interceptions” of their private communications, as mass surveillance is becoming popular. 

    In the first overturning decision in this type of case, issued on July 07, 2023, the Serbian Court of Appeal provides the following explanation: “…among other things, when assessing the admissibility and legality of evidence obtained in another country and submitted through international legal assistance, it is not sufficient to merely state, as the first instance court does in the reasoning of the initial judgment, that the evidence was obtained through international legal assistance. According to the Court of Appeal, the trial court failed to first provide clear and reasoned grounds regarding the legality of the submitted SKY ECC communications, based on the criteria of the state in which they were obtained. This should have been done through an analysis of how they were obtained in the Republic of France and an evaluation of whether such communication was acquired in a manner inconsistent with the principles of our legal system and generally accepted rules of international law.

    In this regard, the trial court was obligated to analyze the fact that the evidence and information in the case files indicate that, given the joint judicial investigation by the Dutch, Belgian, and French authorities, the encrypted solution for SKY ECC phones was used by criminal organizations operating in these three countries, and some even at the international level. The search and seizure of data contained in the SKY ECC platform’s server database were carried out based on the decision of the competent judicial authority of the Republic of France, authorizing the installation of technical devices for capturing computer data on the external connection of the server, issued on December 21, 2020 in accordance with the criminal procedure code of the Republic of France. This was done to capture the cryptographic elements of each phone using the SKY ECC encryption system, which, when combined with cryptographic elements obtained from interceptions, would enable the decryption of individual messages received by these phones. Therefore, according to the Court of Appeal, the trial court, when assessing whether the data collected by foreign authorities can be used as evidence in a domestic criminal case, should have considered, first and foremost, that they were obtained in accordance with the applicable laws of the Republic of France and based on a decision of the competent judicial authority of that country.

    Furthermore, considering that the purpose of the request was to submit evidence and supporting materials rather than carry out a specific evidentiary action, the trial court’s statements regarding the evidence obtained by the competent authority of the Republic of France being substantively equivalent to the evidentiary action and evidence obtained in accordance with the provisions of the criminal procedure code – computer data search are unclear. This is especially important considering that computer data search involves searching processed and personal data and comparing them with data already present in databases relating to the suspect and the criminal offense. Accordingly, by the nature of things, it is performed on servers located within our territory, while in the present case, it concerns an encrypted communication platform with servers abroad. 

    Moreover, the trial court’s statements that the evidence acquired by the competent authorities of the Republic of France and obtained through international legal assistance in the cases of the Special Department for organized crime of the Higher Court in Belgrade as “incidental findings” can be used as such in the proceeding are unclear…”.

     

    Given the information presented above, when charges are brought against the defendants solely based on SKY ECC communication, without any supporting evidence, the probability of acquittals will significantly rise.

     

    By Danilo Nikolic and Luka Nikolic, Partners, JPM & Partners

  • Enhancing Cross-border Cooperation: A Proposed Regulation to Strengthen Data Protection Enforcement under the GDPR

    On July 4, the EU Commission introduced a new Procedural Regulation aimed at enhancing cooperation among data protection authorities (“DPAs“) when enforcing the General Data Protection Regulation (“GDPR“) in cross-border cases.

    The Procedural Regulation focuses on establishing clear guidelines for DPAs handling cases involving individuals in multiple Member States without impacting any substantial elements of the GDPR, including the rights of data subjects, obligations of data controllers and processors, or the lawful grounds for processing personal data.

    A notable aspect of the Procedural Regulation is a provision that mandates the lead DPA to share a “summary of key issues” with relevant counterparts. This summary is intended to outline the main elements of the investigation and provide insights into the lead authority’s stance on the matter, facilitating early input and a unified approach among authorities, thus mitigating the potential for divergent viewpoints.

    For individuals, introducing these new rules will shed light on what they need to include in their complaints and ensure they are actively engaged in the process. Similarly, businesses will better understand their due process rights during DPA investigations into possible GDPR infringements.

    The proposal streamlines cross-border complaints, making them easier to pursue by eliminating hindrances that arise from the variance in rules across DPAs. It also ensures that parties under investigation have a say throughout the process, including during dispute resolution by the European Data Protection Board (“EDPB”). The proposal clarifies the administrative file’s composition and delineates the parties’ entitlement to access it. In addition, it enables DPAs to exchange views early in investigations and employ collaborative instruments such as joint investigations and mutual assistance. The proposal also establishes specific rules to expedite the GDPR’s dispute resolution mechanism and sets standard cross-border cooperation and dispute resolution deadlines.

    In essence, the proposed Procedural Regulation fosters a more expeditious and equitable process, facilitating timely investigations and the effective resolution of issues. Implementing these measures is anticipated to lead to faster case resolution, providing prompt remedies for individuals and instilling a greater degree of legal certainty for all parties involved.

    By Branko Gabric, Counsel and Nikola Ivkovic, Associates, Gecic Law

  • Data Protection and Dominant Market Positions: Court Ruling Explores GDPR Compliance

    On July 4, 2023, the Court of Justice of the European Union (“CJEU”) pronounced a momentous judgment in Meta Platforms and Others.

    For the first time, the CJEU ruled that national competition authorities may determine GDPR infringements when examining an abuse of a dominant position. The CJEU’s decision clarifies the relationship between the General Data Protection Regulation (“GDPR”) and EU competition law, establishing that they can coexist and complement each other without conflict. The case centered on Meta Platforms Ireland, which runs Facebook in the EU.

    The ruling has its roots in a decision issued by Germany’s antitrust regulator, the Federal Competition Authority – Bundeskartellamt (“FCO”), which followed an extensive investigation into Facebook’s operations. Meta Platforms Ireland’s user data collection practices were scrutinized, particularly their data and cookie policies. Users registering on Facebook were bound by the company’s terms and conditions, enabling the collection and linking of user activities both on and off the social network. Referred to as “off-Facebook data,” this included information about users’ visits to third-party websites and apps and their use of other Meta Group services like Instagram and WhatsApp. This data was instrumental in delivering personalized advertising on the platform.

    In response, the FCO expressly prohibited the processing of off-Facebook data without the express consent of German private users. The FCO determined that Facebook holds a dominant position in the German social network market and has violated competition law by misusing this dominance through its data collection practices, which are non-compliant with the GDPR.

    The CJEU addressed whether national competition authorities have the right to decide whether data processing operations comply with GDPR rules. In addition, the CJEU underscored the possibility that competition authorities might need to consider non-competition norms, such as those outlined in the GDPR, when investigating abuse of a dominant position. However, the CJEU made it clear that if a national competition authority identifies GDPR violations, its job is not to replace the designated supervisory authorities but rather to demonstrate the abuse of a dominant position and implement appropriate remedies within the scope of competition law.

    The CJEU emphasized the significance of consultation and collaboration between national competition authorities and the authorities in charge of GDPR enforcement to ensure consistent application of the GDPR. Before a national competition authority evaluates a company’s compliance with GDPR rules, it must ascertain whether the relevant supervisory authorities or the Court has made any previous relevant decisions. Even if there are such rulings, the competition authority is not bound by them but must consider them while arriving at its conclusions based on competition law.

    It is important to note that this judgment was preceded by the Opinion of AG Rantos, delivered on September 20, 2022, and it is a vivid example of the Advocate General’s role in navigating complex cases before the CJEU by proposing independent legal solutions and logical reasoning, which often forms the basis of the ruling and its raison d’etre. AG Rantos opined that a competition authority “does not have the competence to make a ruling, primarily, on a breach of [the GDPR] or to impose the penalties envisaged.” However, he also considered this irrelevant and reasoned that nothing in the GDPR prevents a competition authority “from being able to take account, as an incidental question, of the compatibility of conduct with the provisions of the GDPR.”

    Ultimately, the competition authority is tasked with evaluating whether there has been a violation of competition law. The CJEU’s decision raised important questions about how data is processed. The CJEU investigated whether Meta Platforms Ireland’s handling of both sensitive and non-sensitive data complied with the lawful basis stated in the GDPR that allows data processing without explicit consent from the data subject. The CJEU also questioned whether the personalized content and user-friendly services offered by the Meta group met the requirements considered objectively necessary and proportionate for providing social network services to data subjects.

    Furthermore, the CJEU observed that the financial reasoning behind Facebook’s targeted advertising did not justify processing data without the user’s explicit consent. The CJEU explained that having a dominant market position does not per se mean that users’ ability to provide valid consent under the GDPR is compromised. What matters is how the dominant position affects users’ freedom of choice and the resulting power imbalance between the users and the company controlling their data. These factors are crucial when determining whether consent is freely given. However, as a dominant market position has the potential to impact users’ freedom of choice and create an imbalance between them and the data controller, it is significant in assessing the validity and, specifically, the voluntary nature of the given consent.

    In this significant ruling, the Luxembourg-based Court approved giving antitrust authorities more leeway in Big Tech probes. The ruling casts doubt on the rationale for data processing without express consent and highlights how crucial it is to protect user privacy. In addition to emphasizing the importance of a balanced strategy between personalized advertising and user choice, it also draws attention to the impact of a dominant market position on the validity of permission. This important ruling helps us better understand how user rights, competition law, and data protection interact.

    By Branko Gabric, Counsel, Milica Novakovic and Nikola Ivkovic, Associates, Gecic Law

  • New General Product Safety Regulation of the EU Enters into Force

    The new General Product Safety Regulation of the EU, which has recently entered into force, was published in the Official Journal of the EU on May 23, 2023, and it shall start to apply on December 13, 2024 (“the Regulation”).

    The Regulation is a new key instrument in the EU product safety legal framework, replacing the current General Product Safety Directive and the Food Imitating Product Directive. The Regulation therefore improves the EU regulatory framework regarding product safety and addresses the new challenges posed by the digitisation of the economy.

    Application and aim of the Regulation

    Namely, the Regulation sets out general rules on the safety of products placed on the EU market, for the purpose of improving market functioning along with ensuring a high level of consumer protection.

    The Regulation applies to products placed on the market if there are no special provisions within EU law with the same purpose, i.e., which regulate the safety of the specific products concerned. If the products are subject to special safety requirements under EU regulations, the Regulation shall only apply to those aspects and risks or categories of risks that are not envisaged by such requirements.

    Furthermore, the Regulation pertains to so-called non-food products and to all sales channels. Article 2, paragraph 2 of the Regulation lists the categories of products that are exempt from its application (e.g., food, feed, medicinal products for human or veterinary use, living plants and animals etc.).

    In addition, the Regulation applies to products placed on the market whether new, used, repaired or reconditioned, unless the products need to be repaired or reconditioned prior to being used, i.e., if they are placed on the market and are clearly marked as such.

    Content of the Regulation

    The Regulation particularly focuses on distance sales and stipulates that products offered for sale online or through other means of distance sales should be considered to have been made available on the market if the offer for sale is targeted at consumers in the EU, i.e., if the relevant economic operator directs, by any means, its activities to one or more Member States. It also prescribes special obligations for such entities. Therefore, if a manufacturer does not have a seat in the EU, it shall be obliged, inter alia, to clearly and visibly indicate on the product offer the name, postal and electronic address of the responsible person for products placed on the EU market (from Article 16, paragraph 1 of the Regulation).

    In relation thereto, the Regulation prescribes that a product covered by its provisions shall not be placed on the market unless there is an economic operator with a seat in the EU, which is responsible for such product in terms of provision 4(3) of the EU Regulation on market surveillance and compliance of products (2019/1020). Accordingly, if a product is placed on the EU market by an entity that does not have an official seat in EU territory, the prescribed obligations shall be performed on its behalf and for its account by an authorized representative (with a seat in the EU) who has a written mandate.

    In addition, the Regulation stipulates special obligations for providers of online marketplaces. For instance, they are obliged to register in the Safety Gate Portal (providing the general public with free of charge and open access to selected information regarding product safety, e.g., on dangerous products), to designate a single point of contact to enable consumers to communicate directly and rapidly with them in relation to product safety issues, to ensure that they have internal processes for product safety in place in order to comply without undue delay with the relevant requirements of this Regulation etc.

    In addition to the Safety Gate Portal, as a rapid alert system, the Regulation also provides for the Safety Business Gateway portal, through which businesses and providers of online marketplaces can easily provide all relevant information to national market surveillance authorities and consumers.

    According to the Regulation, the EU Member States shall lay down the rules on penalties applicable to infringements of the Regulation and shall ensure that they are effective, proportionate and dissuasive.

    Considering all of the previous trends and legislative practice in Serbia, we can expect that relevant domestic legislation will be harmonized with the Regulation requirements in the upcoming period.

    This article is to be considered as exclusively informative, with no intention to provide legal advice. If you should need additional information, please contact us directly.

    By Ivana Ruzicic, Partner, and Lara Maksimovic, Senior Associate, PR Legal