Author Archives: Claude-Etienne Armingaud

Join us on 19 January 2022 – 1.30pm GMT

Host – Paul Hampton, Senior Product Manager, Thales

Speakers :

  • Stewart Room, Partner, Global Head of Data Protection & Cyber Security, DWF
  • Claude-Étienne Armingaud, CIPP/E, Partner – Practice Group Coordinator | Data Protection, Privacy and Security, K&L Gates LLP
  • Ray Walshe, Director and EU Observatory for ICT Standards, Dublin City University

Most organisations have felt the impact of accelerating their cloud adoption strategies in the past two years. While beneficial to the enterprise in numerous areas, such as faster application development, combined with the ability to experiment and quickly leverage elasticity and resiliency, these benefits have also brought significant new security challenges.

Today, enterprises are grappling with security issues never before faced or addressed. The debate of shared responsibility between provider and customer, data sovereignty, the utopian cloud environment and the constant changing of threat models to name a few.

This session will draw on the recent findings of the 2021 Thales Cloud Security Report to discuss how European enterprises are handling the data security repercussions of an accelerated cloud deployment.

Areas for Discussion

• The widespread use of SaaS within the enterprise

• Cloud complexity with ‘lift & shift’, multicloud, and hybrid

• Encryption in the cloud is not as widespread as enterprises think

• How successful are enterprises in maintaining compliance and avoiding breaches in the cloud

• Who owns responsibility for the security of data in the cloud

More information and registration here

EU-Republic of Korea Adequacy Decisions Finalized

December 29th, 2021 | Posted by Claude-Etienne Armingaud in Data Transfer | Privacy - (0 Comments)

Following the conclusion of the adequacy talks in March 2021, the European Commission has adopted on 17 December 2021 an adequacy decision addressing the transfers of personal data to the Republic of Korea under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive.

Both texts prohibit the transfer of personal data to “third countries” unless (a) the destination country benefits from (i) an adequacy decision or (ii) appropriate safeguards, such as standard contractual clauses (see our alert here) or codes of conduct (see our alert here); or (b) one of the limited derogations under Article 49 GDPR applies.

With regards to the adequacy talks, the Republic of Korea agreed on the implementation of additional safeguards. Accordingly, the reform of Republic of Korea’s data protection framework (the Personal Information Protection Act) in August 2020, the several addition safeguards have been implemented including transparency provisions and enforcement power strengthening of the Personal Information Protection Commission (§70).

The Republic of Korea adequacy decision complements the Free Trade Agreement (FTA) of July 2011 and allows a seamless flow of personal data between the Republic of Korea and the European Union.

Unlike the UK adequacy decision which contains a sunset clause (see our alert here), the Republic of Korea adequacy decision is not limited in time. However, pursuant to Article 45.3 GDPR, the European Commission carry out a first review of the decision after three years to evaluate any evolution in the Republic of Korea data protection framework, that would lead to divergence with the EU regulations (§220). 

The Republic of Korea now belongs to the increasing group of third countries benefiting from an adequacy decision (including, since GDPR’s entry into force, Japan and the UK).

The firm’s global data protection team (including in each of our European offices) remains available to assist you in achieving the compliance of your data transfers at global levels.

First publication: K&L Gates Hub in collaboration with Andrew L. Chung, Camille Scarparo and Eric Yoon

The Sumal Case or The Liability of Subsidiaries

December 29th, 2021 | Posted by Claude-Etienne Armingaud in Competition | Privacy - (0 Comments)

On 6 October 2021, the Court of Justice of the European Union (CJEU or the Court) issued a judgment in case C-882/19 following a request for a preliminary ruling by the Court of Appeal of Barcelona (the Referring Court). 

The CJEU´s ruling could prove to have a real practical impact for victims of competition law breaches since it may open the door to suing a domestic subsidiary of a cartel member. The Court ruled that the victim of an anticompetitive practice had to be able to claim compensation from the subsidiary established in its member state for the damage caused by the conduct of the parent company (which had been sanctioned by the Commission), provided that: 

  • The subsidiary and the parent company together characterize a single economic unit; and
  • There was a concrete link between the economic activity of that subsidiary and the subject matter of the competition law infringement for which the parent company has been held liable.

The EU Commission had imposed a record fine of €2.93 billion on the leading European truck manufacturers for a 14-years’ duration cartel involving agreements on the sale prices of trucks (decision adopted on 19 July 2016). One of the cartel members was the parent company of the defendant in the case at hand.

(more…)

France is widely known for its author-centric intellectual property right (IPR) framework: except for a limited number of very specific situations, all IPR must be expressly assigned and there is no “work for hire” doctrine.

This situation is changing, further to Decree n°2021-1658 dated 15 December 2021, replicating the regime applicable to inventions and software created by employees or public servants to those made by natural persons accommodated by private or public law entities carrying out research.

This decree amended the French Intellectual Property Code (FIPC), by creating two new articles: L.113-9-1 (with regard to software IPR) and L.611-7-1 (with regard to patent IPR) FIPC.

(more…)

OneTrust Certified Privacy Professional

December 27th, 2021 | Posted by Claude-Etienne Armingaud in Privacy - (0 Comments)

Best Lawyers France 2021 – Privacy and Data Security Law

November 2nd, 2021 | Posted by Claude-Etienne Armingaud in Non classé - (0 Comments)

Claude-Etienne Armingaud from K&L Gates ranked among the Best Lawyers France 2021 for Privacy and Data Security Law

Algo Avocats - Sandra Tubert
Altana - Pierre Lubet
Artemont - Farid Bouguettaya
August Debouzy - Florence Chaffiol
Baker McKenzie - Magalie Dansac Le Clerc
Bid & Bird - Merav Griguer, Ariane Mole
Bouchara & Avocat - Navessa Bouchara
Vercken & Gaullier - Florence Gaullier
Cohen & Gresser - Guillaume Seligmann
Cornet Vincent Ségurel - François Herpe
De Gaulle Fleurance & Associés - Georges Courtois, Jean-Marie Job
Delcade - Olivier Hayat
Delsol Avocat - Jeanne Bossi Malafosse
Derrienic Associés - Alexandre Fiévée, Fran_ois-Pierre Lani, Pierre-Yves Margnous
DLA Piper - Denis Lebeau-Marianna, Carol Umhoefer
Eversheds Sutherlands - Vincent Denoyelle
EY - Yaël Cohen-Hadria
Fréal Schiul Sainte Marie Willemant - Christinae Feral-Schulh, Bruno Grégoire Sainte Marie, Justine Sinibaldi
Franklin - Valérie Aumage
Gibson Dunn & Crutcher - Ahmed Baladi, Vera Lukic
Herald Avocats - Anne Cousin
Hogan Lovells - Etienne Drouard
K&L Gates - Claude-Etienne Armingaud
Latham & Watkins - Jean-Luc Juhan, Myria Saaarinen
Latournerie Wolfrom - Marie-Hélène Tonnelier
Lxing - Chloé Torres
Luzi Avocats - Olivia Luzi
McDermott Will & Emery - Romain Perray
Mulliez Avocats - Florence Mulliez
Next Avocat - Etienne Papin
Osborne Clarke - Claire Bouchenard, Béatrice Delmas-Linel
Racine - Hélène Cournarie
Reinhart Marville Torre - Laurent Marville
Squire Patton Boggs - Catherine Muyl
Taj - Hérvé Gabadou
White & Case - Clara Hasindork, Bertrand LIard

Source: Best Lawyers

K&L Gates ranked “Recommended” with Claude-Etienne Armingaud in e-health and connected heath.

Source: Leaders League

GDPR – Brexit UK Consults On New Data Protection Regime

September 15th, 2021 | Posted by Claude-Etienne Armingaud in Brexit | Privacy - (0 Comments)

The UK government has unveiled its much-trailed plans to reform its data protection laws, outlined in a consultation document which is open for public comment until 19 November 2021.

Since Brexit was finalised at the start of 2021, the United Kingdom has retained much of the EU General Data Protection Regulation. The government’s plans, if implemented, would see the UK move away from the EU’s approach in several key ways, which may lead to trouble for the continuation of the adequacy decision granted by the EU in June. If terminated, the adequacy decision, currently permitting free flows of personal data between the EU and the UK, could cause increased costs and bureaucracy for businesses on both sides of the Channel to continue their data transfers. 

Some of the changes to the UK GDPR proposed in the consultation document are:

  • Making the legitimate interests lawful basis easier to use, by publishing a limited, exhaustive list of legitimate interests that organisations can use without having to complete a balancing test.
  • Removal of the right to human review of decisions made on the basis of solely automated data processing.
  • Introducing a fee for responding to subject access requests and allowing organisations to refuse to comply with requests at a lower threshold than “manifestly unfounded”, as allowed in the current legislation.

The proposals also introduce potential changes to the UK’s Privacy and Electronic Communications Regulations, including:

  • Increasing the current maximum penalty of £500,000 for breaches of the direct marketing regulations to the higher of 4% of global turnover or £17.5 million, thereby matching the maximum penalty under UK GDPR.
  • Removing the requirement for websites to obtain consent before serving some analytics cookies.
  • Extending the “soft opt in” for direct marketing to organisations other than businesses, such as charities and political parties.

First publication: Cyber Law Watch with Noirin McFadden

GDPR – Irish Supervisory Authority Fines WhatsApp EUR 225m

September 9th, 2021 | Posted by Claude-Etienne Armingaud in Privacy - (0 Comments)

Further to investigations initiated by the Data Protection Commission (or DPC, the Irish supervisory authority) in 2018, Whatsapp Ireland Limited has received a EUR 225 million fine on 2 September 2021. The company infringed multiple GDPR provisions including in relation with the information provided to data subjects which breached the obligation to ensure transparency of processing (Articles 13 and 14 GDPR).

Following GDPR’s one-stop-shop mechanism and as WhatsApp operates cross-border flows of personal data, the DPC had initially been designated as lead supervisory authority (‘LSA’). Article 60 GDPR requires the LSA to submit a draft decision to its impacted counterparts across the European Union (the ‘Concerned Supervisory Authorities’). Such draft has been submitted in December 2020 and the Hungarian, Portuguese, Italian, French, Dutch, Polish, German (local and federal) Concerned Supervisory Authorities unanimously raised objections to the DPC in January 2021. The objections mostly addressed the lax approach by the DPC in the assessment of WhatsApp’s breach of GDPR as well as the amount of the initially contemplated fine in view of the dozens of millions of individuals affected by such breach across the European Union.

This resulted in a non-consensual situation, escalading to the dispute resolution process under Article 65 GDPR conducted by the European Data Protection Board (EDPB). The binding decision, adopted on 28 July 2021 and subsequently notified to the DPC, required the Irish supervisory authority to reassess and increase the fine, thus leading to the second-highest fine under GDPR since its entry into force in 2018.

First publication: Cyber Law Watch with Camille Scarparo & Léa Fertani

GDPR – UK Unveils Plan to Diverge from GDPR

September 6th, 2021 | Posted by Claude-Etienne Armingaud in Brexit | Data Transfer | Privacy - (0 Comments)

The UK government has announced that it intends to consult on a new, post-Brexit data protection regime, potentially moving away from the UK General Data Protection Regulation that currently underpins the UK’s data protection legislation. The Digital Secretary, Oliver Dowden, said, “It means reforming our own data laws so that they’re based on common sense, not box-ticking.

A public consultation on the new legislation will follow, but it is clear that the United Kingdom must be careful about any changes it makes to its data regime in order to avoid disrupting the EU-UK adequacy decision with EU GDPR awarded just two months ago. The adequacy decision allows personal data from the European Union to flow freely to the United Kingdom (and vice versa), without businesses needing to put any additional paperwork in place. In granting the adequacy decision, the European Union placed particular emphasis on the fact that the United Kingdom was continuing to base its data protection laws on the same EU GDPR rules that had applied when it was a member of the European Union. A European Commission spokesperson commented that the EU will be closely monitoring any developments in UK data laws and noted that: “In case of problematic developments that negatively affect the level of protection found adequate, the adequacy decision can be suspended, terminated or amended, at any time by the Commission.

It will be interesting to see how far the United Kingdom diverges, particularly as the current trend is that other countries seem to be keen to state that their data protection laws closely follow the EU GDPR.

The UK government also announced that its preferred candidate to be the next Information Commissioner, head of the UK data protection regulator, will be John Edwards, currently in charge of New Zealand’s data regulator, a country that also maintains an EU adequacy decision.

First publication: K&L Gates Cyber Law Watch Blog with Noirin McFadden