Well, that’s a wrap on #DPI23 France!
IAPP DPI: France 2023March 16th, 2023 | Posted by in Conference | France | Privacy - (0 Comments)
Leaders League Ranking 2023 – Technologies, internet & telecommunications – IT, software & digital projects – FranceMarch 3rd, 2023 | Posted by in France | IT | Rankings | Software - (0 Comments)
K&L Gates ranked “Highly Recommended, Band 2/2” with Claude-Etienne Armingaud.
Source: Leaders League(more…)
Leaders League Rankings 2023 – Technologies, internet & telecommunications – Data protection law – Law firm – FranceMarch 3rd, 2023 | Posted by in France | Privacy | Rankings - (0 Comments)
K&L Gates ranked “Highly Recommended – Band 1” with Claude-Etienne Armingaud.
Source: Leaders League(more…)
Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPRFebruary 25th, 2023 | Posted by in Data Transfer | Europe | Privacy - (0 Comments)
The GDPR does not provide for a legal definition of the notion “transfer of personal data to a third country or to an international organisation”. Therefore, the EDPB provides these guidelines to clarify the scenarios to which it considers that the requirements of Chapter V should be applied and, to that end, it has identified three cumulative criteria to qualify a processing operation as a transfer:
- A controller or a processor (“exporter”) is subject to the GDPR for the given processing.
- The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).
- The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Article 3, or is an international organisation.
If the three criteria as identified by the EDPB are met, there is a transfer and Chapter V of the GDPR is applicable. This means that the transfer can only take place under certain conditions, such as in the context of an adequacy decision from the European Commission (Article 45) or by providing appropriate safeguards (Article 46). The provisions of Chapter V aim at ensuring the continued protection of personal data after they have been transferred to a third country or to an international organisation.
Conversely, if the three criteria are not met, there is no transfer and Chapter V of the GDPR does not apply. In this context, it is however important to recall that the controller must nevertheless comply with the other provisions of the GDPR and remains fully accountable for its processing activities, regardless of where they take place. Indeed, although a certain data transmission may not qualify as a transfer according to Chapter V, such processing can still be associated with increased risks since it takes place outside the EU, for example due to conflicting national laws or disproportionate government access in the third country. These risks need to be considered when taking measures under, inter alia, Article 5 (“Principles relating to processing of personal data”), Article 24 (“Responsibility of the controller”) and Article 32 (“Security of processing”) – in order for such processing operation to be lawful under the GDPR.
These guidelines include various examples of data flows to third countries, which are also illustrated in an Annex in order to provide further practical guidance.(more…)
Gateway to Privacy: This Is the Way – GDPR Article 5 ComplianceFebruary 25th, 2023 | Posted by in Case Law | Communication | Europe | Podcast | Privacy - (0 Comments)
In this first episode, we discuss the challenges faced by data controllers in their compliance with Article 5 GDPR following the EU Court of Justice’s Digi Case C-77/21. In particular, we focus our discussion on the purpose and data storage limitations, and how your legal team should be the 3PO protocol droid within your organization for the implementation of GDPR best practices.
May the enforcement be with you!
First publication: K&L Gates Hub with Eleonora Curreri
Survey on the Economics on Personal Data on Mobile Apps Launched by France’s Privacy WatchdogJanuary 27th, 2023 | Posted by in France | Privacy - (0 Comments)
This survey follows the CNIL’s announcement on 24 November 2022 that it aims at “better understanding the economic challenges associated with the collection and processing of personal data in mobile applications” as part of its 2022-2024 strategic plan.
The CNIL considered data collection via mobile applications greatly lacks transparency as opposed to cookies collection on websites.
The expected inputs are to be used for the purpose of drafting recommendations to be submitted to public consultation during the second semester of this year.
Concurrently to its ever-active enforcement of website cookie framework, the CNIL also recently started going after mobile applications for their use of personal data, often leverage as a primary source of revenue for free-to-play mobile games. The most recent example being the French mobile game publisher Voodoo SAS, with a fine of EUR3 million for breach of user consent for targeted ads on 29 December 2022. Indeed, the CNIL considered that even when users did not consent to the tracking for advertising purposes, Voodoo still accessed the IDFV (Apple’s “IDentifier For Vendors” (“IDFV”) – an identifier assigned to app operators, which facilitates targeted advertising) and processed browsing information for advertising purposes, constituting a violation of French privacy law and the GDPR.
The CNIL now calls for economic contributions from experts, interest groups, regulatory entities and experienced private individuals in the field. The call for contributions closes on 10 February 2023. Contributions can be submitted by completing a questionnaire and/or a written statement at the following email address: firstname.lastname@example.org.
All contributions will be covered by professional secrecy and will be published in the form of a synthetic and aggregated report.
First publication on Cyber Law Watch with Camille Scarparo.
EU Digital Services Act: Fundamental Changes for Online Intermediaries?November 5th, 2022 | Posted by in Competition | eCommerce | Europe | internet | Legislation - (0 Comments)
On 27 October 2022, the Digital Services Act (DSA) was published in the EU Official Journal as Regulation (EU) 2022/2065, with the aim to fully harmonize the rules on the safety of online services and the dissemination of illegal content online. The Digital Services Act will require online intermediaries to amend their terms of service, to better handle complaints, and to increase their transparency, especially with respect to advertising.(more…)
UK Data Protection: Beware of the Consequences of Unsolicited Marketing EmailsOctober 12th, 2022 | Posted by in English | Europe | Marketing | Privacy - (0 Comments)
Sending unsolicited marketing emails could prove costly to UK organisations, as bike and car accessory retailer Halfords have recently discovered.
Last month, Halfords were handed a fine of £30,000 by the Information Commissioner’s Office (ICO) for sending around half a million unsolicited marketing email messages to customers who had not previously opted-in to marketing (see here).
The fine was issued under the Privacy and Electronic Communications Regulations (PECR), which gives people specific privacy rights in relation to electronic communications and restricts how unsolicited direct marketing is carried out.
An investigation carried out by the ICO found that the retailer broke the laws governing electronic communications by sending out emails relating to a government voucher scheme that gave people £50 off the cost of repairing a bike at any participating store or mechanic in England. The email not only pointed customers to the government website, it also invited them to book a bike assessment and to redeem their voucher at their chosen Halfords store. The ICO concluded that the insinuation of Halfords having a direct connection with the government scheme encouraged its customers to redeem the voucher in its stores and that Halfords was therefore advertising its own services.
PECR prevents organisations from sending emails or messages to people unless they have consented to it or they are an existing customer who has bought similar products or services in the past (known as the “soft opt-in” rule).
Halfords argued that the email constituted a service message and should not be categorised as direct marketing, but the ICO maintained that the email did constitute direct marketing because it satisfied the definition of such under Paragraph 35 of the ICO’s Direct Marketing Guidance (see here). In addition, the ICO concluded that the soft opt-in rule could not apply because the targeted customers had already opted out.
Andy Curry, Head of Investigations at the ICO said: “This [decision] sends a message to similar organisations to review their electronic marketing operations, and that we will take necessary action if they break the law.”
First publication: K&L Gates Cyber Law Watch in collaboration with Keisha Phippen