Portugal began 2016 in a complex political and economic climate: a new Government, a new President and an economy still coming out of a deep crisis. The telecommunications sector is also going through a period of transition and 2015 was a year of intense legislative discussions. We now highlight the main prospects for 2016.


Lisbon is fast emerging as a capital of incentives for innovation. Innumerable incubators and accelerators, consultants and independent entrepreneurs have set up in the city to foster start-ups. The Web Summit, one of the world's most influential events for entrepreneurship, technology and innovation, has chosen Lisbon as the host for its 2016, 2017 and 2018 events. This is expected to bring Portugal greater visibility and more business.


The reform of the Advertising Code is being debated. Among the most significant amendments proposed is a requirement that advertising done by telecommunications operators should be subject to prior approval by ANACOM (the National Communications Authority). This proposal was suggested after the Directorate-General of the consumer announced that companies in the telecommunications sector attract the most complaints from consumers. The Association of Telecommunications Operators has challenged the proposal on the grounds that it amounts to prior censorship. Consensus has not yet been reached on the final text.


Another significant legislative change that took place in 2015 was the approval of amendments to the Private Copy Law, which regulates the collection of fair compensation on devices useful storage of copies of works protected by copyright. The law has updated the list of products subject to the tax and it includes, among others, devices for storing digital copies including MP3 and USB devices, memory cards and internal or external storage drives. The responsibility for paying the fair compensation falls on manufacturers and importers, and this inevitably reflects an increase in the price of this range of products. The approval of these amendments was subject to a great deal of discussion and manufacturers and importers of digital equipment have publicly made it clear that they are unhappy with the final version of the text. 2016 will reveal how the rules are to be applied in practice and questions relating to the applicability of the law will come before the courts.


In its judgment in the Schrems case (C- 362/14), the Court of Justice of the European Union held that the European Commission's decision that the transfer of data to the United States under the Safe Harbour principles guarantees an adequate level of protection for personal data was invalid. Following this decision, anyone responsible for processing personal data established in Portugal, and who wishes to transfer personal data to the USA, cannot rely on the fact that the importer has signed up to Safe Harbour. Portuguese Data Protection Authority (CNPD) has begun to give notice to companies that declare international transfers of personal data under Safe Harbour to update the notifications/ request for authorisations to process personal data on this basis. As from now, international data transfers must be made in compliance with the European Commission's standard contractual clauses.


This is, without doubt, the hottest TMT issue for 2016. After a long period of discussion, in December 2015, political agreement was reached to approve the new Personal Data Protection Regulation. Its aim is to reform the rules applicable to protection of personal data in the European Union and its publication is expected in the first part of 2016. The changes introduced by the Regulation will require companies to revise their personal data protection procedures over the next two years, which is the period the Regulation will take to come into force.

Among the many innovations, we would highlight the following:

a) International scope of the Regulation

The regulation is applicable to all companies that offer goods or services to residents of the European Union, even if the company is not based there. This change implies a considerable increase in the number of companies that will be subject to the new rules.

b) Data Protection Officer

Companies whose main activities include operations that require regular and systematic handling of personal data or companies that process sensitive data on a large scale must appoint a data protection officer. This person will be responsible for all issues relating to data protection, and for providing information and guidance to the person responsible for data processing about his or her obligations. The data protection officer will also be responsible for monitoring compliance with rules set out in the Regulation.

c) Hacking

The Regulation also imposes a general obligation on companies to notify data protection authorities (in Portugal, the CNPD) within 72 of the discovery of any data breach, in cases in which the breaches imply any risk to the rights and freedoms of the data subjects.

d) Privacy by Design

Companies must take data protection and privacy into account throughout their structures by preparing privacy impact studies when the data processing procedure to be carried out may involve a high risk to the rights of the data subjects.

e) Sanctions

The maximum fine for an infringement of the Regulation is EUR 20 million or 4% of the total turnover of the infringing company. This represents a significant risk for both companies that handle data processing on a large scale and companies that are not used to dealing with this matter.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.