Cybersecurity Directive and Code - A step forward for security in the information society.

By Tania Otero

Compensation for Termination of Distribution Agreements and Legal Consequences.

By Florencia Arrébola

Cybersecurity Directive and Code - A step forward for security in the information society.

Tania Otero

The information society in which we presently live must face up certain problems that affect security of network and information systems and the need of international cooperation to improve security, confidentiality and information exchange.

When dealing with new challenges, both nationally and internationally, public authorities have lacked homogenous legal means. For this reason, both national and international agencies have decided to act jointly and response the current problems on cybersecurity by approving certain regulations.

1. Directive 2016/1148 of 06.07.16 of the European Parliament and Council

Last 6th July 2016, the European Parliament and the Council approved Directive 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (hereinafter referred to as the Directive).

Among the risk management measures proposed, there are those designed to determine all risks of incidents, prevent, detect and manage incidents and mitigate their repercussions. Security of network and information systems includes security of data preserved, transferred and processed, as set out in the Recitals of the Directive.

(…) both national and international agencies have decided to act jointly and response the current problems on cybersecurity (…)

The Directive became effective last 8th August to improve the functioning of the internal market by approving the following decisions:

₋ Establishing obligations for all Member States to adopt a national strategy of security of network and information systems.

₋ Building a Cooperation Group to support and facilitate the strategic cooperation and information exchange between Member States and develop confidence and security among them.

₋ Creating a response team network to incidents of computer security to contribute to the development of confidence and security between Member States and promote an efficient operating cooperation.

₋ Establishing requirements regarding security and notice for operators of essential services and digital service providers.

₋ Establishing obligations for the Member States to designate competent national authorities, single points of contact and CSIRT with tasks relating to security of network and information systems.

Furthermore, the Directive establishes the security and notification requirements applicable to operators of essential services and providers of digital services. Member States shall identify the operators of essential services and the providers of digital services established in their territory. Essential services shall mean such entities providing an essential service for the maintenance of critical economic and societal activities; the provision of the service is dependent on the network and information systems; and those on which an incident would have a significant disruptive effect.

Member States may transpose the Directive until 9th May 2018.

2. Agreement of the European Commission dated 05.07.16 to increase cooperation regarding cybersecurity

Additionally to the European action referred to above, the Commission signed on 5th July 2016 with the industry an agreement on cybersecurity implementing a new public-private association on the issue. A 450 million Euros investment is expected from the European Union in this association. Pursuant to declarations of the Commission, the purpose of the association will be to increase the cooperation in the early stages of the research and innovation process and build solutions of cybersecurity for several sectors, such as energy, health, transport and finance.

Finally, the Commission proposes to study the possible framework of European certification for security products of ICT.

3. Code of Law of Cybersecurity prepared by the Spanish National Institute of Cybersecurity (INCIBE)

On a national level, Spain has been forced to adapt its legislation to the current technological reality. In this regard, in July 2015 the reform of the Criminal Code became effective and among several modifications, the following were introduced with respect to computer crimes:

• Article 197 bis on non-authorized access to computer systems was incorporated.

• Article 197 ter was incorporated, which punishes the production, acquisition, import or delivery to third parties of access or software developed or adapted basically to commit any crimes in sections 1 and 2 of article 197 or article 197 bis.

The last legislative development on this issue took place on 12th August with the publication by the Spanish National Institute of Cybersecurity of a collection of all the Spanish rules on cybersecurity (hereinafter referred to as the Code). The Code has been published in the Official State Gazette BOE together with a brief author’s note, Mr. Francisco Pérez Bes, General Secretary of the Spanish National Institute of Cybersecurity.
As stated by Mr. Francisco Pérez Bes the purpose of the document is to establish the general guidelines of use of the cyberspace by promoting an integrating view that ensures security and progress in Spain.

The purpose on a national level is to attain security of cyberspace by developing and applying a national policy, maintaining the legal system on cybersecurity updated.

This initiative has revealed the need to compile all Spanish regulations on the issue to be able to bring together all legislation and additionally analyse the critical points.

The Code includes all Spanish regulations on cybersecurity, which is divided into the following sections:

• Spanish Constitution
  • Regulations on national security
  • Critical infrastructures
  • Regulations on security
  • Response team to security incidents
  • Telecommunications and users
  • Cyber delinquency
  • Data protection
  • Relations with the administration

Such national regulations will be modified in the near future in order to be adapted to the new European requirements imposed through the Directive.

Finally, under the Directive both operators of essential services and operators of digital services shall: (i) adopt measures ensuring a level of security of network and information systems appropriate with respect to the risk posed, (ii) adopt appropriate measures to prevent and minimise the effects of incidents affecting security of the network and information systems used for the provision of the services with a view to ensuring their continuity and (iii) notify without undue delay the competent authority or the CSIRT of incidents having a significant impact on the continuity of the services they provide. Notifications shall include information enabling the competent authority or the CSIRT to determine any cross-border impact of the incident. Notification shall not make the notifying party subject to increased liability.

Compensation for Termination of Distribution Agreements and Legal Consequences

Florencia Arrébola

Distribution agreements are atypical agreements to the extent they have no specific regulation and are thus governed by the general rules of the Civil Code and the relevant case law progressively created. Since they are not specifically regulated, their termination is an extremely contentious issue in our courts. In some cases, but not generally, Act 12/1992 regulating the agency agreements are analogically applied to distribution agreements.

In the event of any breach by any of the parties to the agreement, the other shall be entitled to terminate for breach of contract and require the relevant damages under article 1124 of the civil code. Such breach shall operate when certain conditions that have been established by case law, are met. Notwithstanding this, there is not a unitary criterion or determined conditions to qualify the reasons for termination and withdrawal as fair or unfair. However, when withdrawal is justified, the other party shall not be entitled to compensation for damages or even in the case of lack of prior notice, if any.

(…) there is not a unitary criterion or determined conditions to qualify the reasons for termination and withdrawal as fair or unfair

One of the most litigious matters of this kind of contracts is the distributor’s compensation upon termination of the agreement, particularly in indefinite term agreements, since contracts cannot be assigned a perpetual nature, thus the parties being entitled to withdraw.

Given that nothing is regulated in the Civil Code, we must have resort to the criteria applied by courts, which could summarize the following withdrawal reasons that shall be considered as justified:

(i) Withdrawal with prior notice, in the cases of indefinite distribution agreements. There is not a defined term to determine a sufficient prior notice term; however, the terms established by article 16.3.a of the Unfair Competition Act (LCD) and article 25 of the Agency Agreement Act (LCA) must be taken into account as a guiding criterion only, in all cases evaluating the nature, execution and other particularities of the distribution agreement in question. Courts understand that in these cases, withdrawal must not be mandatorily justified on any other reason.

(ii) Withdrawal in the event of breach by the distributor.

(iii) Withdrawal in the event of the company being dismantled due to the death of the founding partner and/or the sole director, a justified reason in the nature of some contracts, based on the person (intuitu personae) or the reliance on a certain person.

(iv) Such unilateral modification of the agreement implying a variation of the material elements, provided that they have not been accepted by the other party. This circumstance may be justified in contracts of indefinite term, provided that such contractual variations are not reasonable or justified considering the commercial logic.

Damages resulting from early termination of distribution agreements must be differentiated: (i) on the one hand, damages caused by non-compliance of the prior notice terms, for which it must be proven that such non-compliance caused damages that could have been avoided or mitigated if the prior notice term had been longer, (ii) and on the other hand, damages caused by contractual termination must be considered, i.e., such non-amortized expenses incurred following the supplier’s instructions or to carry out the activity subject matter of the distribution agreement.

The Supreme Court, in its recent Judgment 3627/2016 of 19th July 2016, has clarified the circumstances considered when determining the origin of the compensation for the damages caused due to unilateral termination of contract, taking into account the nature of the damages caused.

Firstly, compensation for contractual damages due to withdrawal of the distribution agreement which result from breach of the reasonable and non-abusive prior notice term exercised by the principal, is governed by, and in the absence of an express agreement, the general regulations provided in the Civil Code (CC), articles 1101 and 1106 CC. This confirms that there is not an automatic application of the compensation regulations provided in the LCA, since the loss suffered by the distribution must be effectively valued, i.e., the loss of profit undergone by the distributor, which corresponds to the profit of the principal, to the extent it implies an increase in its net worth correlative to a deprivation of the distributor. This circumstance is even more evident when we are dealing with long-term trading relations due to the extension of the principal’s clientele and the business consolidation.

The Supreme Court (TS) in its Judgment 3627/2016, did not automatically applied article 28 LCA relating to compensation for clients, but it integrated such compensation within the loss of profit framework as a guiding criteria to calculate the compensation due to insufficient prior notice, since both the compensation for clients and the insufficient prior notice have the same compensatory nature.

The TS applied this solution to the extent contractual damages closely resembles the compensatory function of the right to compensation for clients, since an insufficient prior notice term may imply, not only that the distributor cannot adapt its resources to the new situation and orderly liquidate the pending relations, but also that the principal cannot benefit from a client portfolio created and/or improved by the distributor, which in turn unexpectedly and unjustifiably loses such client portfolio.

Secondly, compensation based on salary and social security expenses (structural costs) incurred by the distributor under the distribution agreement, must be also taken into account when such expenses could have been avoided if the prior notice of the withdrawal of contract had been made sufficiently in advance. Therefore, we will be also based on articles 1101 and 1106 CC for determining the compensation for structural costs.

As regards the prior notice term considered as reasonable, article 25 LCA or article 16.3 LCD cannot be automatically applied, which have a guiding nature only, to the extent that the particular contract must be considered.

In conclusion, when dealing with distribution agreements, a generic rule cannot be automatically applied to determine the corresponding compensation in cases of termination, but the specific circumstances of each case must be valued and the criteria established by case law must be applied.