In the context of legal frameworks like eIDAS, a common misconception is that only Qualified Electronic Signatures (QES) are adequate and that Advanced (AdES) and Simple Electronic Signatures (SES) can be dismissed. Article 25(1) of eIDAS clarifies that SES and AdES are legally valid and admissible, depending on the transaction’s context. Legal professionals often insist on QES, which leads to unnecessary burdens, because QES requires hardware and stricter identity verification that may not be essential for all transactions. The flexibility in eIDAS allows organisations to adopt AdES or SES in many scenarios, thus balancing cost, efficiency, and legal compliance.
For GDPR, a common misunderstanding involves the belief that pseudonymisation or encryption fully exempts organisations from compliance. While these measures enhance data security, pseudonymised data is still subject to GDPR, as it can be re-identified with additional information. Article 4(5) and Recital 26 confirm that even with these techniques, the data is not anonymised, and organisations must still comply with GDPR requirements, such as honouring data subject rights. Lawyers advising on GDPR compliance should therefore emphasise that technical measures like encryption and pseudonymisation lower risks but do not eliminate the need for broader regulatory adherence.
In the case of MiCA, some legal practitioners mistakenly believe that it applies to all crypto assets, overlooking that MiCA is designed to regulate crypto assets not covered by existing laws like MiFID II. MiCA specifically excludes assets deemed financial instruments under MiFID II, which means a case-by-case assessment is required to determine the proper regulatory framework. Misapplying MiCA can result in unnecessary compliance efforts, or worse, failure to adhere to the appropriate regulations, leading to legal and financial consequences for organisations handling crypto assets.
Read more: Lexology