20

19FINTECH&DATA

HIGHLIGHTS

FINTECH

2019 for credit andpayments market – abrief overview

2019 marks another year of successfulgrowth for Lithuania‘s credit and paymentsmarket. A warm welcome to more than 30new market participants: the Bank ofLithuania (“BoL”) has issued 19 electronicmoney institution (EMI), 10 paymentinstitution (PI), 2 specialized bank and onebanking licences. Such a great attentionfrom investors once again proves that ourcountry’s FinTech sector is amongst themost progressive in Europe.Congratulations #Litechnia!

2019 was a busy year for the BoL – inaddition to the issuance of new licenses, theBoL was actively supervising the existingfinancial market participants. Based onpublicly available information provided onthe BoL’s website, FinTech companies wereimposed fines the total amount of whichexceeds € 1 200 000. The greatest fineswere imposed for non-compliance with AMLrequirements. Furthermore, several EMIsand PIs were sanctioned due to breach ofthe requirements applicable to thesafeguarding of customers’ funds.

DIGITAL NEWS

News 1/4In February, the Board of the BoL hasupdated its position on virtual assets andICO (“Position”). The updated version of thePosition was adopted considering themarket and regulatory evolvements fromthe initial Position published back in January2014. The BoL has substituted the term"virtual currency" with “virtual asset”,clarified how and when virtual assets maybe used for payments and made otherimportant updates. However, the keyprincipals of the initial Position remainedunaltered. Full text can be found here >>

News 2/4Considering the growing businesses’interest in raising capital in the way of STO,in October 2019 the Bank of Lithuania hasissued the Guidelines on Security TokenOffering (“Guidelines”). Although, as the BoLitself has emphasized, the Guidelines donot aim to create new regulatoryarrangements, they definitely bring clarityto applicable regulations and help entitiesavoiding confusion. Full text can be found here >>

News 3/4During 2019, BoL’s LBChain - a blockchain-based sandbox, which combines regulatoryand technological infrastructures - hasentered its final stage. By September 2019,several Fintech companies from differentEuropean countries had a chance to testtheir products with the help of project’sparticipants, including Deloitte. At the endof October, the BoL issued an open call forFinTech companies to participate in the finaltesting session, which will help to select themost suitable solution for the market.According to the BoL, BoL aims to create auniversal platform that will serve for both,testing of existing products as well asassisting in the creation of new ones. More information about LBChain canbe found here >>

News 4/4 The growing attention on the topic of thecentral bank digital currency (“CBDC”) hasalso prompted a group of Lithuanianauthors to discuss possible CBDCimplementation types and existinginitiatives within central banks. In thiscontext, in the beginning of 2020, ourcentral bank is planning to issue LBCoin –the world‘s first blockchain-based digitalcollector coin.  Full text can be found here >> More information about LBCoin can befound here >>

According to Basel AML Index 2019,Lithuania remains amongst the countrieswith the lowest risk of money launderingand terrorist financing (ML / TF). Basel AMLIndex is an independent index based onresearch released by Basel Institute onGovernance – a non-profit organizationrating countries based on the risk level ofML / TF. Full report can be found here >>

MONEYVAL – the Committee of Experts onthe Evaluation of Anti-Money LaunderingMeasures and the Financing of Terrorism –has acknowledged the Bank of Lithuania asa supervisor that proactively implementsanti-money laundering measures. Aftercompleting a comprehensive assessment ofthe situation in the country, Moneyvalrecognized the progress made by our localregulator. More information can be found here >>

MONEY LAUNDERING

PREVENTION NEWS

News 1/3

News 2/3

News 3/3In December, the Lithuanian Parliament hasdecided to supplement Lithuanian Law onthe Prevention of Money Laundering andTerrorist Financing (“AML Law”) bytransposing the provisions of the EU 5thAnti-Money Laundering Directive. To name but a few, the AML Law extendsthe scope of obliged entities, includingvirtual currency platforms and walletproviders, grants easier access toinformation on ultimate beneficialownership and introduces many moreimportant rules. Most of the requirements come into effectalready on 10 January 2020.   Full wording of the AML Law can befound here >>

2019 for EMIs and PIs started withrequirements on additional reports andinformation to be submitted to the BoL.Based on the BoL’s Resolution dated 20December 2018, starting from the firstquarter of 2019 EMIs and PIs are obliged tosubmit reports on services, receivedcomplaints, performance indicators andsafeguarding of received funds and others. More information can be found here >>

In 2019, the BoL was actively aiming toincrease the protection of customer fundsheld by EMIs and PIs. In June 2019, theBank of Lithuania published a publicconsultation “Increasing the Protection ofCustomer Funds Held by Payment andElectronic Money Institutions”, the results ofwhich were published in December. Theconsultation was conducted due to EMI/PIsector’s need to ensure proper protectionof customer funds, especially where thosefunds are held with credit institutions whichbecome insolvent. The BoL will continueraising the question on safeguarding EMI/PIcustomer funds at EU-level discussions.  More information can be found here >>

News 1/4

News 2/4

OTHER REGULATORY

UPDATES

14 September 2019 marks the final date ofPSD2 Directive transposition to Lithuanianlaw. By this time, payment service providerswere meant to have implemented dedicatedAPIs for third-party providers. It remains tobe seen how this requirement isimplemented in practice.

November was an important month forpayment services providers, creditinstitutions and investment firms asEuropean Banking Authority (“EBA”) haspublished guidelines on information andcommunication technology (ICT) andsecurity risk management addressed tofinancial institutions (“EBA Guidelines”). TheGuidelines set out expectations on ICT riskmanagement and mitigation. The EBAGuidelines will enter into force on 30 June2020. Once into force, the EBA Guidelines willreplace the Guidelines on securitymeasures for operational and security risks(EBA GL/2017/17), which will then berepealed. Therefore, the existing marketplayers should start preparing and thenewcomers should already consider theEBA Guidelines when applying for thelicense.  Full wording of the EBA Guidelines canbe found here >>

News 3/4

News 4/4

DATA

Data news: highlightsof 2019

2019 was a busy year for the State DataProtection Inspectorate (“Inspectorate”).During this year, the Inspectorate hasconducted 86 inspections of datacontrollers. Some of the inspections, i. e.inspections conducted on hotels as well ascompanies providing lease services, weresummarized and  published by theInspectorate publicly. Interestingly, 35 out of86 inspections conducted, resulted in nobreach. The remaining inspections resultedin one fine, 47 orders and 1recommendation imposed by theInspectorate on the data controllers.  During the year 2019, the Inspectoratereceived 97 notifications on the databreaches. The majority of the breachesrelated to data confidentiality. TheInspectorate also received 626 claims,which the Inspectorate examined and,where necessary, imposed sanctions,including fines and orders. Based on publicly available information onthe website of the Inspectorate, theInspectorate has imposed a total of 4 fines,which amount to EUR 67 400.

In March 2019, the Inspectorate hasapproved the list of data processingoperations subject to the requirement toperform data protection impact assessment(DPIA). The latter includes processingoperations where the data of under-aged isprocessed, where personal code isprocessed, processing operations wherepersonal data of employees is processed formonitoring or control purposes and manyothers. Before commencing any processingoperations, organizations should checkwhether such operations are subject to DPIA. A full list of processing operationsrequiring DPIA can be found here >>

On 14 November 2019, the LithuanianParliament has adopted an amendment tothe Law on Electronic Communications (“E-communications Law”). Based on theamendment, as of January 17 2020, theInspectorate will be able to appoint fines ofup to EUR 60,000 for unlawful dataprocessing for direct marketingpurposes. The amendment to E-communicationsLaw can be found here >>

REGULATORY

UPDATESNews 1/4

News 2/4

In December 2019, the Inspectorate haspublished the Guidelines on the securitymeasures and risk assessment of thepersonal data processed (“Guidelines”). TheGuidelines do not have obligatory power,however, they may serve as a useful tool fordata controllers and processors whenpreparing internal privacy documents and(or) commencing data processingactivities. Full text of the Guidelines can be found here >>

News 3/4

News 4/4Through the year 2019, the EuropeanData Protection Board (EDPB) hasadopted a number of documents that areof significant importance to the consistentapplication of data protection rulesthroughout the European Union,including Lithuania. The EDPB has, among others, adoptedthe following: o   Guidelines on codes of conduct. Thelatter provide guidance in relation to theapplication of Articles 40 and 41 of GDPR,i.e. submission, approval, and publicationof codes of conduct;

o   Guidelines on Video Surveillance. Thelatter clarify how the GDPR applies to theprocessing of personal data when usingvideo devices and aim to ensure theconsistent application of the GDPR in thisregard; o   Guidelines on Territorial Scope. Thelatter may help when assessing whether aparticular processing by a controller or aprocessor falls into the scope of applicationof GDPR; o   Guidelines on Data Protection by Design& Default. The latter will help to effectivelyimplement the data protection principlesand data subjects’ rights and freedoms bydesign and by default; o   Report on the third Annual PrivacyShield Review. The report confirms that theU.S. continues to ensure an adequate levelof protection for personal data transferredunder the Privacy Shield from the EU toparticipating companies in the U.S. o   Guidelines on the criteria of the Right tobe forgotten in the search engines casesunder the GDPR. The latter provides forinterpretation of Article 17 of GDPR, whichgoverns the data subjects’ rights to erasure.These guidelines will be complemented byanother set of guidelines on the criteria forhandling complaints about refusals ofdelisting. More information about the activitiesof the EDPB can be found here >>

On July 29 2019, the Court of Justice of theEuropean Union (“CJEU”) released itsjudgment in case C-40/17, Fashion IDGmbH & Co. KG vs. VerbraucherzentraleNRW eV. Fashion ID is an online clothingretailer that embedded the Facebook ‘Like’button on its website. The mentionedbutton enabled Fashion ID to share thedata of website visitors with Facebookwithout notifying the website visitors onsuch disclosure. Fashion ID was alleged tobe in breach of providing an appropriatenotice to the data subjects. According tothe CJEU, Facebook LIKE button makes thewebsite operator and Facebook joint datacontrollers. Furthermore, the CJEU concluded thatFashion ID, as a website operator, mustobtain data subjects’ consent beforecollecting and disclosing personal data ofits website visitors to Facebook. The CJEUalso held that website operator mustinform the website visitors of the datadisclosure to Facebook at the time of thecollection of the data. More information can be found here >>

SIGNIFICANT

CASE LAWCase 1/4

On 26 September 2019, the CJEU releasedits long awaited judgments in cases C-507/17, Google v. CNIL and C-136/17, G.C.and Others v. CNIL regarding the territorialscope of the “right to be forgotten”. TheFrench data protection authority (“CNIL”)claimed that, in responding to the requestto be forgotten, Google must remove thelinks from the results on all of its searchengine’s domain name extensions— i.e.Google must conduct a worldwide removal.In a major victory for Google, the CJEUruled that the “right to be forgotten” onlinedoes not extend beyond the borders of theEuropean Union. What is also important,the CJEU emphasized that the “right to beforgotten” is not absolute – a balancebetween this right and other fundamentalrights must be found.

More information can be found here >>

Case 2/4

Case 3/4In October, the CJEU released anotherimportant judgement. This time with regardto consent for the use of cookies. The CJEUheld that consent to process user data inthe EU is only valid when it is explicit, i.e.website users have to give the consentactively and specifically by e.g. ticking a box.A German website Planet49 sought consentfor the use of cookies through a pre-tickedbox.

The CJEU held that the consent to dropcookies must meet the GDPR standards; i.e. must be “freely given” and “informed.”According to the CJEU, a pre-ticked boxdoes not constitute a freely given andinformative consent. More information can be found here >>

Case 4/4

On 19 December 2019, the AdvocateGeneral Henrik Saugmandsgaard Øe (AG)published his opinion on the case broughtby the privacy rights activist Max Schrems(C-311/18, Data Protection Commissionerv. Facebook Ireland Limited, MaximillianSchrems) (Schrems II). The case concernsthe validity of the standard contractualclauses (SCCs). In Avocate General’sOpinion, the SCCs are valid in the light ofthe EU data protection legislation. Eventhough the Advocate General’s opinion isnot binding and is still to be confirmed bythe CJEU, for now, SCCs, as a data transfermechanism, remains valid. This is a hugerelief for organizations, as SCCs is the mostcommonly used mechanism ininternational data transfers. More information can be found here >>

CONTACT US

Monika Žlabienė

Managing Associate |Technology & Data Service LineLeader

mzlabiene@deloittece.com

+370 6 086 6668

Deloitte Legal