Archive for Post

  1. Post

    Corporate sustainability will extend to value chains – four tips for implementing due diligence duty

    The CSDDD will apply to large companies with more than 500 employees and a net global turnover of over 150 million euros. Lower thresholds apply to companies that make at least 20 million euros of their net turnover in the textile industry, the minerals industry or in agriculture and forestry: in this case, the thresholds are 250 employees and 40 million euros. The CSDDD will also apply to non-EU companies with a net turnover of 300 million euros or more in the EU. The financial sector will be left out of the scope of application initially, but the directive will include an option to expand the scope later. The practical implementation of the due diligence processes calls for systematic and continuous activities that are reflected throughout the value chain. Companies must identify and assess any negative impacts in their own operations, their subsidiaries and their business partners. Negative impacts must be prevented and, if this is not possible, mitigated. Companies must also assess and, if necessary, renew their procurement processes, documentation and agreements to comply with corporate sustainability requirements. 1. Evaluate value chains and identify risks As part of preparing for the due diligence duty, companies should carry out a systematic and comprehensive evaluation of their value chains, procurement processes and related contracts. This evaluation should provide an in-depth overview of the environmental and human rights impacts in the operations of the company and its business partners. After this, companies should prioritise the actions required to prevent, mitigate and correct negative impacts. The thorough evaluation of the value chain, risk identification and the possible renewal of the procurement processes call for multidisciplinary skills and close cooperation with the company’s business partners. It is a good idea to ensure the necessary skills and sufficient resources for the sustainability work already from the get-go so that unexpected surprises can be avoided during implementation. 2. Pay attention to contract management Another key aspect of implementing due diligence processes is contracts with the company’s subcontractors and other business partners. Companies should ensure that the actions required by due diligence are also incorporated in their contracts. They should also assess whether their business partners can be reasonably expected to adhere to the provisions related to due diligence and aim to ensure compliance with such provisions. However, contractual provisions must not result in the other contracting party bearing responsibility for due diligence compliance or noncompliance. The implementation of due diligence processes may result in a need to renew the company’s contracts to such a degree that a comprehensive review and update of the contract management system is in order. Companies should ensure that they have efficient and up-to-date contract management systems and processes that support the management, oversight and potential updating of contracts. 3. Include business partners whenever possible The new guidelines adopted by the Commission this June provide a framework for cooperation between competitors as well as cooperation in trade associations in sustainability projects and make it possible for various stakeholders to work together. The reform allows cooperation that promotes sustainability and ensures compliance with legally binding international treaties’ obligations or prohibitions. Companies should take advantage of this opportunity and engage in cooperation whenever permitted. Cooperation could mean sharing information and best practices or leveraging competition law flexibility as part of implementing due diligence processes. 4. Ensure that policies lead to actions While the due diligence duty is in many respects connected to contracts, risk management and internal operating models and policies, its implementation also requires actions on the practical level. It is not enough to promote matters on paper; companies must make concrete changes as well as document these changes carefully and transparently. The due diligence duty means that sustainability must permeate the company’s operations as a whole and be integral parts of its strategy.

    Published: 14.12.2023
  2. Post

    Russian countersanctions restricting exit from the country: Is there room for investment treaty claims?

    Russia introduced its first countersanctions in early 2022 to respond to the threatening exodus of Western businesses. Among other things, Russia published a draft law on the nationalisation of foreign companies. The nationalisation law would have enabled the Russian government to nationalise the operations of nearly all foreign companies associated with unfriendly states looking to cease their operations and leave Russia, unless such foreign investors sell their shares in a way that preserves the related business activity and jobs. The nationalisation law was not ultimately enacted, but Russian countersanctions have grown stricter over time. In April 2023, Russia introduced legislation establishing a basis for placing certain Russian assets controlled by foreign investors associated with unfriendly states under ‘temporary’ government administration. Shortly thereafter, Russia brought the local subsidiaries of two energy companies – Uniper and Fortum – under state control. Later in July, Russia similarly took control of the Russian subsidiaries of food-products company Danone and brewing company Carlsberg. At the same time, Russia has also imposed very strict rules for exiting the country. These exit restrictions have caused significant harm to many foreign businesses seeking to exit Russia. Indeed, while we have seen many Western companies follow through with their decision to exit Russia during the past two years and have had the privilege to advise several companies – such as Valio , Fazer , Huhtamäki , and Ramirent and Cramo – in doing so, most if not all exits have been affected by the exit restrictions. Therefore, even after a successful exit from the country, it continues to be paramount for foreign investors to evaluate whether they suffered damages because of the Russian countersanctions and to assess the remedies they may have available against Russia for interfering with their investments. As we blogged already in March 2022, one form of legal protection may stem from international investment treaties. This blog post gives its readers an overview of the Russian countersanctions restricting divestment of Russian assets and the key features of the bilateral investment treaty between Finland and Russia (Finland-Russia BIT). Countersanctions restricting exits from Russia In 2022, Russia introduced countersanctions making a variety of transactions between Russian entities and companies from or associated with unfriendly states subject to a prior approval of the Government Commission on Monitoring Foreign Investments in Russia (GovCom). Currently, all unfriendly foreign investors must obtain the GovCom’s permission for the direct or indirect transfer of shares in Russian entities. From late 2022 onwards, the Russian countersanctions regime has required unfriendly foreign investors to sell their shares for less than the market value and to either defer the payment of the sale price or to make a ‘voluntary contribution’ to the Russian state budget. In March 2023, the option of deferring payment of the sale price was abolished, and all sales under the regime will now incur a contribution to the Russian state budget. To summarise, the conditions for obtaining a permit from the GovCom under the regime currently in place are the following: 1. The investor must submit an audited asset valuation report prepared by a GovCom certified appraiser. 2. The sale price cannot exceed 50% of the appraised market value. 3. The investor must make a ‘voluntary contribution’ to the Russian state budget of 15% of the appraised market value of the assets. 4. As a part of the permit process, the GovCom sets KPIs for the investor and/or the Russian target company to ensure the continuation of the overall business activities, employment as well as fulfilment of contractual and other obligations of the target company following the contemplated sale. 5. When selling a public company, up to 20% of the shares must be placed at auction. It is also noteworthy that the GovCom is not subject to any statutory processing time for the applications for exit permits. In practice, the processing times vary considerably and are also getting longer and longer. Protection for foreign investments under investment treaties Russia has entered into bilateral investment treaties (BITs) with over 60 states, including Finland, many of which it has now designated as ‘unfriendly’. The Finland-Russia BIT, like other Russian BITs, contains several standards of protection for foreign investors and their investments, such as: Fair and equitable treatment (FET): Russia must not take arbitrary, unfair or discriminatory measures against investors or their investments that would violate the investors’ legitimate expectations and opportunities to benefit from their investment. Prohibition of unlawful and uncompensated expropriation: Russia must not adopt compulsory measures of nationalisation, requisition, or other measures to expropriate investments, unless certain conditions are met, such as non-discrimination and payment of adequate compensation. Most favoured nation (MFN) treatment: Russia must not treat foreign investors or their investments less favourably than it treats investors and investments from other states. This also means that investors may benefit from more favourable provisions of other investment treaties entered into by Russia. Free transfer of investments and returns: Russia must guarantee the right of foreign investors to freely transfer payments related to their investments out of Russia, without undue delay or restriction, and in a freely convertible currency. All of these protections are relevant in the context of Russia’s exit restrictions, which may adversely affect the value, profitability and viability of foreign investments in Russia. For example: Russia may breach its FET obligation by restricting the ability of foreign shareholders to sell their shares in Russian companies, and thereby significantly reducing the value of these shares. Depending on the formulation of the expropriation standard in the applicable treaty, this could also potentially constitute unlawful and uncompensated expropriation by Russia. Russia may infringe its non-discrimination and FET obligations by imposing exit restrictions on investors or their investments in Russia based on investors’ ‘unfriendly’ nationality. Russia may violate its free transfer obligation by restricting the free transfers of funds outside of Russia by individuals and companies from ‘unfriendly’ states, especially if the restriction is prolonged or becomes permanent. It is important to note that the specific language of different treaty standards varies from one BIT to another. Accordingly, the scope of protection offered by one treaty under the different treaty standards may be limited in comparison to the protection offered by another treaty. Though such limitations may potentially be overcome through use of MFN provisions in the relevant treaties, it is important for Finnish investors to also recognise that their investments in Russia may enjoy direct treaty protection under a BIT between a third state and Russia, if their investment into Russia has been structured through a subsidiary located in such a third state. In the field of energy, a foreign investment in Russia may also be protected under the provisions of the multilateral Energy Charter Treaty (ECT). Arbitration as a mechanism for resolving disputes Investment treaties contain legal mechanisms that allow foreign investors to seek compensation for damages caused by the host state’s actions. Investment treaties typically lay down that disputes between investors and the host state relating to the investment or the protection offered by the investment treaty may be settled by arbitration. Through arbitral proceedings, an investor may be awarded compensation for any losses it may have incurred because of Russia’s actions violating the provisions of the investment treaty. Bringing an investment treaty claim against the Russian Federation is not without its challenges. The Russian Federation has a track record of disregarding international law and failing to comply with the awards issued by international tribunals. As such, successful investors would likely need to seek enforcement of the award through national courts to recover any compensation awarded. The feasibility of recovering any compensation from the Russian Federation through Russian courts is currently highly unlikely. Rather, enforcement would likely need to be sought in other countries where assets belonging to the Russian Federation are located. This is possible under the provisions of the New York Convention on the Recognition and Enforcement of Foreign Arbitral Awards (the New York Convention), which allows investors to seek enforcement of arbitral awards in any contracting state where Russia has assets. Investors may, however, expect Russia to challenge the enforcement also before the national courts of such enforcement states. Additionally, if enforcement is sought against Russian assets that have been frozen under the applicable sanctions regime, attention would also have to be paid to the particulars of that regime. Enforcement against frozen assets is in many instances possible only by way of obtaining an authorisation to release the assets from the relevant authorities. What is next for foreign investors in Russia? Despite the challenges associated with holding Russia accountable for the potential violations of the protections it has guaranteed to foreign investors under international law, many investors are still considering investment treaty claims against the Russian Federation. It has been publicly reported that at least two Nordic companies have served Russia with notices of dispute concerning potential investment treaty claims. If you are a foreign investor whose investments in Russia have been impacted by the Russian Federation’s countersanctions, we recommend evaluating the potential financial harm you have suffered and the possibilities of raising an investment treaty claim.

    Published: 12.12.2023
  3. Post

    Agreements define data sharing and re-use

    The Commission aims for a single market for data In its 2020 data strategy , the European Commission deemed that data is insufficiently available for re-use and that data sharing is hampered, in part, by companies’ fear of losing their competitive edge. According to the Commission , the strategy aims to make the EU a leader in a data-driven society by creating a single market for data that will allow data ‘to flow freely within the EU and across sectors for the benefit of businesses, researchers and public administrations.’ In February 2022, the Commission published its proposal for the new Data Act (DA). This Act aims to increase data availability and create a regulatory framework for sharing data between different actors in the EU, including rules on who can use and access what data and for which purposes. The Data Act is part of the Commission’s larger proposal package, the so-called Big Five , that also includes the Data Governance Act (DGA), the Digital Markets Act (DMA), the Digital Services Act (DSA) and the Artificial Intelligence Act (AIA). As for the Data Act, the legislative process is well underway, and its goals include rules on who can access and control what data, among other things. Data protection through agreements In this connection, it should be noted that data itself is not protected under any special IP rights. Instead, the protection is largely based on agreements between companies and, in some cases, on the protection of trade secrets. Data can also form a database that is protected. In practice, the underlying data set must always be identified so that the related rights and restrictions can be evaluated. Agreeing on how the data can be used is key when data is shared and re-used. The important thing is to understand the nature of the data and, consequently, what rights may be attached to it. It is equally important to know what the data will be used for, i.e. what rights the user needs to have. This allows for the data user to control the risks associated with third-party rights through agreements. For the party sharing the data, a formal agreement on data sharing provides an opportunity to protect data such as trade secrets, for example by restricting the use of the data to a specific purpose. Progressing protection procedures In Finland, the business and industry organisations recognised the need to develop the practices for data sharing agreements early on. The Technology Industries of Finland drafted the model terms for data sharing in 2019. In addition, the IT2022 terms , drafted in cooperation by IT supplier and client organisations, include new special terms and conditions for data use. Efficient use of data always requires that industry-specific characteristics are taken into account in data sharing agreements so that reaching commercial goals is supported. We have assisted clients in various fields in matters related to data use and data agreements. If you would like to discuss the protection of your company’s data or any of the other topics covered in this blog in more detail, please do not hesitate to contact the authors.

    Published: 7.12.2023
  4. Post

    Sustainability an increasing part of board duties

    The Finnish legislation on sustainability reporting will enter into force at the turn of the year, affecting the operations of large listed companies and other large public-interest entities. Companies must publish their first sustainability report under the new standards in the spring of 2025 as part of their annual report, and it is the board’s duty to ensure that the report is properly drafted and its correctness appropriately verified. Transparent sustainability reporting will pave the way towards the upcoming Corporate Sustainability Due Diligence Directive. The CSDDD would hold large companies liable for the negative impacts of their operations and value chains. Companies would have to identify, prevent, mitigate and correct the negative impacts of their operations on a practical level, and the board would, for its part, be responsible for the execution of due diligence measures. The EU’s regulatory projects raise the question whether the Union is being too ambitious. The governing idea seems to be that others will follow in Europe’s footsteps. It remains to be seen whether this will actually happen or whether Europe will end up going its separate way. Nevertheless, with the inevitable arrival of corporate sustainability reporting and due diligence, company boards have an excellent opportunity to put the report data into use and assess how the business operations could promote sustainability targets while also accounting for growth and profitability. Sustainability reports can be expected to become a key criterion in assessing a company’s attractiveness for investors. In the capital markets, the possibilities brought on by sustainable practices are as essential to a company’s equity story as the practices themselves. Right now, the key thing is to ensure that the channels for gathering data for the reports are in place, allowing the company to draft a report by the deadline. Even if a company is not yet subject to the new obligations, it is a good idea to prepare for transparent reporting – and perhaps draft a standardised sustainability report as a test run.

    Published: 4.12.2023
  5. Post

    Whistleblowing and data protection – frequently asked questions

    The Whistleblower Act lays down some new requirements, for example with respect to the handling of reports, the protection of the reporting person and providing information about the reporting channel. In this blog, we will answer some typical data protection questions that have surfaced in organisations when establishing an internal reporting channel. In addition to fulfilling the requirements of the Whistleblower Act, it is also important that the reporting channel is implemented and the reports handled in accordance with the data protection legislation. The requirements of data protection regulation must be complied with already when implementing the channel so that the reports and the personal data included therein can be handled legally in the first place. A reporting channel that meets data protection obligations along with proper privacy documentation are key tools for an organisation to demonstrate compliance. What data protection matters should be kept in mind when establishing a reporting channel? When planning the implementation of the reporting channel and the report handling process, the organisation must define the grounds and purposes for processing personal data. The purposes of use and the grounds for processing will vary based on whether the channel is intended for reports concerning only infringements in the scope of the Whistleblower Act or whether it will also be used for reporting other suspected abusive practices, such as employment relationship matters or breaches of the organisation’s internal guidelines. The purposes and grounds for processing must be included, for example in the records of processing activities, data mapping documentation or other similar internal data protection documentation. All those subject to processing of personal data must be informed of the processing as required by law, and the  da subjects’ legal rights under data protection legislation must be ensured. These obligations must be fulfilled not only for the reporting person but also for the person concerned and anyone who participates in the investigation. When planning the internal processes concerning the rights of the data subjects, it should be noted that the Whistleblower Act restricts these rights in some respects, for example by restricting the right to request access to one’s own personal data. Organisations must also prepare a data protection impact assessment under data protection legislation before implementing a reporting channel. This assessment is a type of internal risk assessment in which the organisation must describe the processing of personal data within the context of the reporting channel, assess whether the processing is necessary and proportionate and, in particular, assess the risks caused by the processing and the necessary actions to mitigate these risks. If the organisation falls under the scope of the Act on Co-operation, the processing of personal data within the context of the reporting channel must be handled with the personnel in a dialogue procedure under the Act on Co-operation before the implementation of the channel can be decided on. This dialogue also provides a good opportunity to discus with the personnel on the data protection documentation of the reporting channel. Which data protection obligations apply to report handling? The report handling process and the storage of related data must be organised in such a way that the access is restricted by means of technical and organisational safeguards to only the parties entitled to handle the reports. In addition to the reports, this applies to all data related to investigations, such as any internal emails and interview notes. The data storage locations and the measures to restrict access must be included in the data protection and data security documentation. Pursuant to the Whistleblower Act, reports can, as a rule, only be handled by pre-designated persons who must be both impartial and independent. However, during the investigation it might become necessary to include other internal or external experts in the process. The Act makes this possible, as more handlers or external experts can be assigned to a report on a case-by-case basis. Under the Whistleblower Act, the persons responsible for the handling of the report have an obligation to keep confidential the identity and any information that can directly or indirectly reveal the identity of the reporting person and the person concerned. This confidential information cannot be disclosed without the express consent of the person it concerns, unless the recipient is a party expressly specified in the Act, such as a competent authority. The reporting person must receive prior notification that their identity will be revealed, unless providing this notification would compromise the investigation of the report or the related pre-trial investigation or trial. In practice, the sharing of data concerning reports must be restricted to a minimum, and the legal basis for data sharing must be ensured on a case-by-case basis. The report handling process and resources should be defined in a way that minimises the need to disclose reports and the related personal data to parties others than the pre-designated persons, the case-specific experts who participate in the investigation and the other recipients defined under the Whistleblower Act. Those in charge of handling the reports must have sufficient skills and the autonomy to investigate the matter independently. Insofar as possible, they should also have the authority to decide on the necessary follow-up. It is good practice to document the report handlers’ tasks and authority with respect to the investigation and follow-up in the handling process description. Can a report be disclosed to the management? The Whistleblower Act does not explicitly provide for the conditions under which reports can be disclosed to the management or board of directors, among others. As a general rule, the Act does not prevent disclosing anonymous information. The regular reporting on infringements should be done in an anonymous format. However, the requirements concerning confidentiality and report handling may limit the possibilities for disclosing information that may reveal the identity of the reporting person or the person concerned. Disclosing such information should be assessed on a case-by-case basis. The Whistleblower Act does not prevent designating a person who is part of the organisation’s management as one of the persons responsible for handling reports, provided that the person can act independently and impartially. It is also possible for the person responsible for handling reports to refer the matter concerning a suspected infringement to a stakeholder in the organisation who is in charge of deciding on follow-up actions. In individual cases, this can make it possible to disclose the report to senior management if it is the management’s responsibility to decide on such actions. For how long can reports be stored? Personal data included in the reports and investigation data can be retained only as long as necessary for the purposes of use defined by the organisation. The retention periods of reports are based on the type of suspected infringement and the possible follow-up, for example. As the situations are varied, it is often impossible to set a clearly defined retention period that would apply to all reports. A report under the Whistleblower Act must be deleted no later than five years after the report was received, unless its storage is necessary for the purposes of protecting legal rights or complying with legal obligations or for a trial. If the report concerns a suspected infringement unrelated to the Whistleblower Act, the retention period is determined on different grounds. The retention periods and their criteria for reports and other investigation data must be defined as accurately as possible and included in the data protection documentation. Furthermore, organisations should adopt a practice in which any unnecessary personal data which clearly bears no significance to the handling of the report is removed when the report is received. Another good practice is to assess the retention need regularly during and after the investigation so that any unnecessary data can be deleted. The procedure for deleting unnecessary data should be assigned internally, for example to the persons responsible for the handling of reports.   For more information, read our previous blogs on whistleblowing channels: It is advisable to start preparing a whistleblowing channel now The new Whistleblower Protection Act is approved – here’s how to prepare for investigating reports

    Published: 29.11.2023
  6. Post

    Permitting hydrogen projects in a changing operating environment: storage and transport of hydrogen

    The legislation in force does not comprehensibly account for the special characteristics of hydrogen projects, and new legislative initiatives or authority guidelines have not yet been issued. In this second part of our two-part blog on green hydrogen, we will take a closer look at the permitting aspects concerning hydrogen storage and transport. The first part discussed the permitting of hydrogen production plants . The permit procedure for hydrogen transport and storage calls for diligence If hydrogen transport pipelines and hydrogen storage installations exceed the limits laid down in the list of projects included in the Act on the Environmental Impact Assessment Procedure as Annex 1, they require an environmental impact assessment (EIA) procedure. Projects requiring an EIA procedure include, in accordance with paragraph 8 a of the list of projects, pipelines intended for the transport of chemicals or gas with a diameter of more than DN 800 millimetres and a length of more than 40 kilometres and, in accordance with paragraph 8 c, installations for storage of chemical products with a total capacity of at least 50,000 cubic metres. Other projects with impacts comparable to those of the listed projects may also require an EIA procedure. The Environmental Protection Act does not include the construction of transport pipelines and storage installations intended for chemicals in its list of activities subject to an environmental permit, which means that hydrogen transport and storage infrastructure projects do not automatically require a permit. However, a specific project related to the transport and storage of hydrogen may need one because of its impacts. In addition, the storage and treatment of liquid hydrogen may require an environmental permit based on table 2, paragraph 5 d of the list of activities subject to a permit. The Act on Transport of Dangerous Goods, on the other hand, may be applicable to the transport of hydrogen by road or by vessel. That would mean, among other things, certain qualification requirements for the personnel participating in the transport. As for the storage of hydrogen at a production facility, it may require a permit for the large-scale industrial handling and storage of a dangerous chemical as provided by section 23 of the Chemicals Safety Act if the quantity stored exceeds a certain limit. In accordance with section 37 of the Chemicals Safety Act, the construction of a transport pipeline for a dangerous chemical outside a production facility requires a construction permit issued by the Finnish Safety and Chemicals Agency (Tukes). According to the legislative materials of the Act , the provisions of the act would, at the time of adoption of the proposal, apply mainly to the transport of natural gas. However, the wording of section 37 refers to any dangerous chemicals, which means that the construction of a hydrogen transport pipeline also falls within its scope. According to the Tukes guide Safety requirements for chemical piping (available only in Finnish), Tukes will provide further information on the application of legislation concerning hydrogen transport pipelines. If transport infrastructure related to hydrogen production is constructed at sea, the construction project is likely to require a water resources management project permit referred to in the Water Act. Hydrogen infrastructure and the related regulation are developing rapidly Finland does not have a hydrogen transmission network yet, but this is about to change as Gasgrid established a company, Gasgrid Vetyverkot Oy , to develop the national hydrogen infrastructure in March. The state-owned company has been mandated to ‘promote development of the national hydrogen infrastructure, international infrastructure cooperation and the hydrogen market in the Baltic Sea Region as soon as possible’. Finland’s first hydrogen transmission infrastructure demonstration project from Joutseno to Imatra has proceeded to basic design stage. Legislation on hydrogen infrastructure is currently being prepared in the EU, too. The European Commission’s Gas Package consists of a proposal for a directive and for a regulation on the internal markets for renewable and natural gases and for hydrogen that create a framework for the development of hydrogen transmission infrastructure. The European Parliament and the Council are currently negotiating the Gas Package. The proposals aim at simplifying the entry into the energy system of renewable and low-carbon gases and at enabling the shift away from natural gas. Renewable and low-carbon gases play an important part in achieving the goal of EU’s climate neutrality by 2050. As is the case with electricity and natural gas networks, it is likely that the broad outline of the legislation concerning hydrogen network legislation will be determined on the EU level. National legislation will likely focus on the finer details of the permit procedures related to the construction of transmission networks and the engagement in network activities. In Finland, the provisions concerning hydrogen could be issued either by adopting a separate hydrogen market act or by introducing new hydrogen-related provisions into the Natural Gas Market Act. It is to be hoped that the Government will start preparing national legislation as soon as possible after the adoption of the Gas Package.

    Published: 20.11.2023
  7. Post

    Collective legal remedies now apply to data protection – are you prepared?

    The GDPR does, as such, provide for the data subjects’ right to compensation for material and non-material damage caused by an infringement of the Regulation. However, in Finnish case law, the compensations have been rather modest. As an example, the Personal Injury Advisory Board recommends a compensation of only EUR 200–5,000 for damages related to a data protection or personal privacy violation. This, coupled with the toll taken by trials, has often resulted in private persons having a very limited interest to claim damages in data protection matters. The legal state of injured parties improved in June 2023 with the entry into force of the new Act on Representative Actions for Injunctive Measures and the Act Amending the Act on Class Actions. These two acts make it possible to bring class actions and representative actions in data protection matters, among others. It remains to be seen whether this legislative reform, aiming to strengthen collective legal protection, has major practical effect; to date, only one consumer organisation has taken advantage of the new possibility to register as a consumer organisation and represent consumers in class action and representative action processes. From a fully authority-driven class action process towards organisations’ right to bring actions The legislative amendments follow the national implementation of the EU’s Representative Actions Directive. Before these amendments entered into force, the Consumer Ombudsman had the right to bring class actions in certain matters under its jurisdiction, but this option was never used. An authority-driven class action process has proved challenging due to the authorities’ limited resources, among other reasons. The amendments aim to fix the situation by making bringing class actions possible also for consumer organisations that may be more motivated as well as better equipped to raise funding for pursuing actions, for example. The amendments make it possible to bring so-called representative actions and class actions in data protection matters. A representative action can seek to prohibit a trader from continuing a certain practice, while a class action can claim compensation for damage suffered by the consumers. A consumer organisation or an authority set out in law can bring an action on behalf of consumers. However, a consumer organisation may only bring actions if the Ministry of Justice has designated it as a ‘qualified entity’. Organisations can apply for this designation in accordance with the Act on the Designation of Organisations Promoting the Collective Interests of Consumers as Qualified Entities. The new possibility to bring actions has not yet gained much popularity, which is reflected by the fact that, at the time of writing, the Ministry of Justice has received only one designation application from a consumer organisation. It is interesting to note that while the Data Protection Ombudsman is a qualified entity for representative actions for injunctive measures, only a consumer organisation can bring a class action for a redress measure in a data protection matter. The appropriateness of this solution remains unclear, as even before entry into force of the amendments, the Data Protection Ombudsman had the power to prohibit a data controller from acting illegally or from handling personal data in a certain way, reinforced also with a conditional fine. In any case, the consumer organisations’ new possibility to promote the interests of consumers in data protection matters in the form of class and representative actions means a new collective legal remedy, the practical significance of which remains to be seen. Two-forum model and looming legal costs limit bringing class actions In Finland, the amendments widened the scope of application of class actions from what it used to be in the era preceding the Representative Actions Directive. Now, in addition to matters concerning consumer transactions, class and representative actions can be brought also in matters concerning data protection, financial services, passenger rights and telecommunications. Class actions will continue to be heard in the Helsinki District Court, but representative actions for injunctive measures will be handled by the Market Court. This model of two separate processes for injunctive measures and redress measures can prove problematic especially for smaller consumer organisations, as they may need to institute matters in different forums. The legislative decision to have two forums is interesting particularly against the backdrop of the 2013 Market Court reform, in which the injunctive and redress claims under the Unfair Business Practices Act were instead centralised to the Market Court. The goal of this centralisation was to repair the then-current arrangement in which the injunctive matters under the Unfair Business Practices Act were heard by the Market Court, whereas the compensation matters under the same Act were heard by general courts. This arrangement was deemed impractical, and it was abolished in the Market Court reform. It will be interesting to see whether the two-forum model in class actions will be long-lived. The amendments at hand bring complexity to the terminology concerning different actions: in Finnish legislation, the representative actions referred to in the Representative Actions Directive are divided into edustajakanteet (representative actions) that cover injunctive measures and ryhmäkanteet (class actions) that cover redress measures. Together, these two form the collective remedies required under the Representative Actions Directive. The terminological confusion is reflected in the Swedish-language versions of the Act on Class Actions and Act on Representative Actions for Injunctive Measures, in which both types of action are referred to with the same umbrella term of grupptalan . The procedural rules governing legal costs remain unchanged, and the general rule for collective actions is that the losing party bears the legal costs of both parties. This practice that potentially burdens the consumer organisation with the legal costs of both parties is likely to further raise the bar for bringing class and representative actions. Class and representative actions can be financed with third-party funding, but the law lays down relatively strict conditions for such funding in order to prevent abusive litigation. In any case, the incentives for bringing actions in Finland remain rather moderate compared to, for example, the United States, where each party often bears its own legal costs in class action lawsuits. The future remains open It is, without question, important that the rights of private persons suffering from infringements are realised efficiently also in data protection matters. At the same time, we must be careful as to avoid overreactions. In the United States, for example, class actions are very common, and while they may contribute to companies taking regulatory matters seriously, it can also be claimed that the Finnish authority-driven tradition results in decisions that are more appropriate for the overall situation. The future will show how the European class and representative action landscape will develop as a result of the amendments. It will be interesting to see whether the number of actions will truly increase or whether the possibility of being faced with a class action will remain merely a theoretical risk as it has been until now.

    Published: 14.11.2023
  8. Post

    Prepare for the new wave of digital regulation

    Many companies are still trying to figure out what AI means exactly. Legislators have had the same problem: the definition of AI and, consequently, the AI Act’s scope of application have raised a great deal of debate. Under the broadest interpretation, many common present-day software solutions could be labelled `artificial intelligence’. At the moment, however, it seems that the definition included in the Act will be somewhat narrower than the wording in the first draft. Even though the AI Act is not yet in force, every company that produces and uses technology should already find out the extent to which the new regulation could apply to it since the proposal includes obligations to both producers and users of AI solutions. The AI Act introduces new regulatory techniques The AI Act introduces regulatory techniques that are somewhat new to the general IT industry.  The exact obligations imposed by the Act depend on the risk rating the Act gives to a particular AI solution, and the specific content of the obligations is also determined by standards separate from legislation in the same way as, for example, in product safety legislation. Even though the Act does include a set of obligations, many of them are relatively generally formulated in the Act itself. The idea is that the obligations will be specified in more detail in technical standards, and compliance with these standards creates the presumption of compliance with legislation. Even though it is only a presumption, we have long since learned from product safety legislation that in practice the standards form an integral part of the regulatory framework. The supervision of AI solutions raises questions The supervisory solutions related to the Act have also raised a lot of discussion. Since many AI solutions are, in practice, based on the processing of personal data, many issues related to AI, such as the use of customer data to improve the service itself and the transfer of data to third-country cloud services, are already familiar from data protection legislation. To avoid the problem of having several supervisory authorities, some have suggested that data protection authorities would be the natural choice for supervising AI as well. This solution is not, however, without problems. Under the AI Act, high risk systems subject to the most severe restrictions would also include systems where the related risks do not necessarily concern the processing of personal data. For example, the suggested high risk rating of road transport and electricity supply systems is likely based on concerns other than those related to personal data, even though some personal data is processed in these systems. In addition, it should be taken into account that the regulatory techniques based on product safety and technical standards would be more or less new to data protection authorities. We will keep monitoring the development of the AI Act and its supervision arrangements with great interest. Perhaps some conclusions may be drawn from the fact that the suggested national supervisory authority for the EU Data Governance Act is the Finnish Transport and Communications Agency. We are also interested in seeing how the contractual practices around AI will develop. For example, Microsoft has already released an update to its terms and conditions, defining liabilities related to AI-generated content. Now is the time to establish contractual and market practices, and many want to take part in steering the development. The EU is revamping digital regulation AI is not the only digital regulation project by the EU that provokes discussion among businesses, far from it. There are several ongoing regulatory projects, and the upcoming EU Data Act, for example, is a key aspect in the regulation agenda of many companies. Among other things, the Act will require device manufacturers to increase the transparency and shareability of the data collected by their devices. We are here to support our clients through the change of digital regulation in terms of both AI and other solutions. If you wish to discuss AI, its regulation or other themes of this blog in more detail, please do not hesitate to contact the authors.

    Published: 8.11.2023
  9. Post

    New recommendation by the FIN-FSA: principles applied in communication with analysts should be addressed in the issuers’ disclosure policy

    Lately, issuers’ communication with analysts has been discussed in the media and among market participants, which makes the FIN-FSA’s recommendations for practices very welcome. A similar discussion was previously had in Sweden where the focus was on the aspect that analysts should not be better informed than the rest of the market and that issuers should not endeavour to guide the content of the analysts’ reports. In Finland, the discussion has mainly focused on the equal disclosure of information to the market. Non-public material information should not be disclosed to analysts In the Market newsletter, the FIN-FSA points out that an issuer cannot disclose inside information to analysts, i.e. information that has not been made public and is likely to materially affect the value of the issuer’s security. The FIN-FSA deems that this also applies in situations where the issuer communicates its own unpublished conclusions or comments on the views or assessments presented by analysts. It is essential that issuers do not provide analysts with information that has not yet been made available to the public. Pursuant to the Finnish Securities Markets Act, in their communications, issuers must comply with the requirement of equal treatment, according to which issuers are liable to keep sufficient information on factors that may have a material effect on the value of the issuer’s security equally available to the investors. This being the case, an issuer should not disclose material information in meetings with analysts that it has not made public, as that would not make the material information equally available to all investors. Most of the analysts’ reports are not freely available, so any information disclosed to analysts will only benefit the investors who have access to said information. Disclosing material information to analysts is also likely to muddle communication with investors as the premise of the regulation is that an issuer will always first disclose any information that materially affects the value of the security by a stock exchange release. If material information finds its way to the market in some other manner than a stock exchange release, it may remain unclear whether the issuer deems the information material. Investors also cannot be presumed to follow other sources than stock exchange releases in the same way in order to receive material information. Addressing communication with analysts in the disclosure policy In the Market newsletter, the FIN-FSA deems that issuers should add to their disclosure policies the principles according to which they communicate with analysts. The FIN-FSA had not previously taken a position on the matter, so this is a new practice recommended by the FIN-FSA. In the Market newsletter, the FIN-FSA recommends that: the issuer provides investors with the materials used in investor and analyst meetings and in publications of financial results on the issuer’s website, as up-to-date as possible; the issuer arranges the analyst meetings and the briefings related to publications of financial results via the internet, if possible, in a format that is open to all interested participants; the issuer does not comment on its valuation or the performance of its financial instrument when communicating with analysts; the issuer does not comment on the analyst’s forecast or the level of result in the consensus forecast; the issuer takes a reserved approach to commenting on analyses or reports by analysts and only comments on the correctness of information already published, if the issuer comments on analyses or reports at all. In addition to the practices recommended by the FIN-FSA above, the issuer should assess the need to add the following factors to the disclosure policy: who of the company’s representatives see to the communication with analysts and participate in analyst meetings; when analyst meetings are arranged and whether the start of a silent period and/or the preparations for the next publication of financial results poses any restrictions on arranging analyst meetings; where the information on the analyst meetings and their dates is announced (in the investor calendar on the website or somewhere else); whether information on the analysts following the company and their estimates should be provided on the company website; what are the objectives of the analyst meetings and other investor relations communication; a note that the analysts’ opinions, estimates and forecasts are their own and do not represent or reflect the opinions, estimates and forecasts of the issuer or its management; a principle specifying that the company does not favour any specific analyst or analysts; a principle specifying whether the analyst meetings are recorded and whether the recordings are made available on the company website or not. Practices followed in the communication to analysts should be assessed Due to this new recommendation by the FIN-FSA, issuers should assess whether all of the best practices for analyst communications have been sufficiently taken into account in their disclosure policy. It is essential to assess whether the issuer has any practices that directly or indirectly create a risk of unintentionally communicating unpublished material information to analysts. This assessment should also consider the dates of analyst meetings and to the level of detail of the company’s unpublished financial information at the time the analyst meetings are arranged. In accordance with the established practice in the market, issuers have either a 30-day or 21-day silent period before publication of financial results. During this time, issuers do not usually arrange analyst meetings or communicate with analysts. It is also advisable for issuers to assess whether the practices related to analyst meetings are currently sufficiently transparent and whether increased transparency could dispel any doubts about the company disclosing material information to analysts.

    Published: 31.10.2023
  10. Post

    Consumer Protection Act has been reformed – what should online stores know about it?

    Payment methods must be presented in a certain order The Consumer Protection Act will in future require that the payment methods available are presented in a certain order in distance selling: The payment methods that do not include the possibility to apply for, or use, credit or other deferred payment methods must be presented first. The payment methods that may include the possibility to apply for, or use of, credit or other deferred payment methods must be presented next. The payment methods that involve the application for, or use of, credit or other deferred payment methods may only be presented last in the list. However, this does not mean that online stores would have to offer all these payment methods, but the provision applies to the payment methods that they do offer to consumers from time to time. If a credit is the only payment method offered, it may in certain situations be deemed as an unreasonable contract term. Furthermore, it will no longer be allowed to offer any payment method as a default in distance selling, but instead the consumers must actively select the payment method themselves, separately for each contract. New obligation to authenticate consumers’ identity in distance selling In future, the Consumer Protection Act will also require that the consumer’s identity is, as a rule, authenticated in distance selling if the consumer selects a payment method that defers the payment. According to the Consumer Protection Act, the consumer’s identity must be authenticated using an identification method that meets the requirements of the electronic identification system referred to in Section 8 of the Act on Strong Electronic Identification and Electronic Trust Services or the strong identification requirements referred to in Section 8, Paragraph 24 and Section 85 c, Subsection 4 of the Payment Services Act. However, this new obligation to authenticate identity does not apply in the following situations: Chapter 7 (Consumer credits) or Chapter 7 a (Consumer credits related to residential immovable property) of the Consumer Protection Act or the Payment Services Act is applied to the payment method selected by the consumer. The consumer pays, in accordance with the contract, the purchase price when the goods are delivered. The service under the contract will be carried out in some other way than through a means of distance communication and the service provider offers the deferred payment itself. The question is of buying a commodity through telemarketing. Practical impact of the reforms remains to be seen The reforms of the Consumer Protection Act mentioned above are national legislation and not based on any EU Directives, for example. This raises the question of whether this kind of national legislation may hinder, for instance, the freedom to provide services within the EU.

    Published: 30.10.2023