Author Archives: Claude-Etienne Armingaud

Legal 500 Rankings 2021 – Data Privacy and Data Protection – Band 2

April 15th, 2021 | Posted by Claude-Etienne Armingaud in Privacy | Rankings

With notable experience in the implementation of GDPR compliance and data protection, the team at K&L Gates LLP coordinates with the firm’s wider European practice to act for multinational clients in the luxury goods, entertainment, and telecoms sectors. Practice head Claude-Etienne Armingaud frequently acts for fintech clients in contentious multi-jurisdictional matters regarding IP and IT data protection. In March 2020, associate Clara Schmit joined from D’Alverny Demont Associés.

Practice head(s): Claude-Étienne Armingaud

Other key lawyers: Clara Schmit

Testimonials

‘Claude-Etienne Armingaud is the best at what he does, plain and simply. Fast, reliable, and efficient.’

‘A team which is very familiar with the evolution of the regulatory framework applicable to data, and which has often participated in the work of developing new guidelines with the CNIL.’

‘Claude-Etienne Armingaud is very familiar with the issues of data protection and privacy. He supports a large clientele in various fields of intervention.’


Sapin II – What Recommendations Should Be Followed From 2021 Onwards

April 12th, 2021 | Posted by Claude-Etienne Armingaud in France | Privacy

The French Law n°2016-1691 of 9 December 2016 relating to transparency, the fight against corruption, and the modernization of economic life, known as the “Sapin II” Act [1], introduced additional compliance requirements for legal entities to address corruption, in order for France to meet the highest European and international standards.

Sapin II has established a general principle of prevention and detection of corruption risks under the control of a national anticorruption structure, the French Anti-Corruption Agency (AFA), whose main mission is to help economic and public players in the process.

The AFA noted in its 2019 annual activity report [2] that anticorruption measures implemented by economic and public players were still incomplete.

On 12 January 2021, the AFA published new recommendations, which entered into force on 13 January 2021 (the Recommendations, available in French).

The AFA specifies the practical procedures for implementing an anticorruption system structured around three foundational principles, namely:

  • Governing body’s commitment;
  • Understanding the entity’s exposure to probity risks; and
  • Risk management.

References

[1] Sapin II entered into force on 10 December 2016 (JORF n°0287 of 10 December 2016).
[2] French Anti-Corruption Agency, Annual Activity Report 2019 (7 July 2020) (in French).

Since the Schrems II decision of the Court of Justice of the European Union (CJEU) last year (see our alert here), companies in the European Union found themselves between a rock and a hard place, as many still rely on U.S.-based online service providers in one capacity or another, and the CJEU, in addition to totally invalidating the Privacy Shield framework, mandated additional requirements over the Standard Contractual Clauses (SCCs), the most widely used lawful transfer mechanisms.

Following this CJEU decision, the Bavarian Data Protection Authority (Bayerisches Landesamt für Datenschutzaufsicht) has now effectively barred a European online magazine from using the popular U.S.-based newsletter delivery service, Mailchimp.

Companies using Mailchimp to route their newsletters must generally transfer personal data (e.g., the recipients’ email addresses) to Mailchimp’s servers in the United States. Previously certified under the late EU-U.S. Privacy Shield framework, Mailchimp had to pivot to offer its European customers an alternative transfer mechanism, i.e. the SCCs. While their general validity was left untouched by the Schrems II decision, the CJEU argued that it may be required for companies relying on the SCCs to assess whether additional safeguards should be implemented on top of the SCCs in order to effectively protect personal data.

As expressly mentioned in the Schrems II decision, transfers to cloud service providers in the United States would require such additional safeguards, due to the broad investigative powers of U.S. authorities, e.g., under Section 702 (50 U.S.C. § 1881a) of the Foreign Intelligence Surveillance Act (Cloud Services Act).

Until now, it had seemed that the EU supervisory authorities had granted companies an unofficial grace period to adjust to the amended legal situation, especially as new templates for SCCs taking into consideration the Schrems II decision are expected to be finalized in the coming weeks.

The action of the Bavarian Data Protection Authority shows that this restraint might have come to an end. In a recent press release concerning this investigation, the authority commented that the case was exemplary of its enforcement of the requirements of the Schrems II decision, which it had already been pursuing with a high degree of intensity even without publicly perceived investigations or sanctions.

The Bavarian Data Protection Authority based its action expressly on the fact that the European company had not assessed whether additional safeguards for transferring personal data to Mailchimp were required, in particular as Mailchimp may be subject to the Cloud Services Act. While no fine was imposed in this case and the Bavarian Data Protection Authority did not issue a formal decision, the authority still informed the company that its use of Mailchimp was (in the authority’s view) not in line with General Data Protection Regulation (GDPR) requirements. The company also promised to cease using Mailchimp in the future.

However, it should be noted that the official reasons for not imposing a fine were, on the one hand, the low sensitivity of the data transferred (email addresses only) and, on the other hand, the limited scope of the transmission (only two newsletters were sent). The fact that the details of the case were leaked and officially commented on by the supervisory authority could be considered a warning to other EU companies transferring data to U.S. cloud service providers, which should probably expect less leniency from the supervisory authorities from now on.

The current case was rather clear, as the European company in question had apparently taken no steps at all to establish and document whether additional safeguards were required and was therefore already (because of this omission) in breach of its statutory obligations under the GDPR. Future cases will probably not be as easy to decide, in particular when an EU company has documented such an assessment or even implemented additional safeguards; supervisory authorities and ultimately courts will then have to assess what is really required to ensure adequate security of personal data in countries outside the European Union.

Following the decision of the Bavarian Data Protection Authority, EU companies using U.S. online service providers, especially cloud services, are therefore encouraged to check the legal basis of their data transfers to the United States and, if necessary, adapt them to the new legal situation in order to avoid potentially high fines.

K&L Gates’ global data protection team (including in each of our European offices) remains available to assist you in achieving the compliance of your data transfers at global levels.

First Publication: K&L Gates with Thomas Nietsch & Martin Fokken

K&L Gates ranked “Highly Recommended” with Claude-Etienne Armingaud.

Source: Leaders League

K&L Gates ranked “Highly Recommended – Band 1” with Claude-Etienne Armingaud.

Source: Leaders League

K&L Gates ranked “Recommended” with Claude-Etienne Armingaud.

Source: Leaders League

K&L Gates ranked “Highly Recommended” with Claude-Etienne Armingaud.

Source: Leaders League


K&L Gates ranked “Recommended” with Claude-Etienne Armingaud.

Source: Leaders League

The French Supervisory Authority (CNIL) wrapped up 2020 with a EUR 20,000 fine against NESTOR, a French food preparation and delivery company catering to office employees (see full Decision SAN-2020-018 in French).

The CNIL highlighted various breaches of the General Data Protection Regulation (GDPR) and the ePrivacy Directive regarding the company’s processing of prospects’ and clients’ personal data, most notably:

While the fine is rather limited in view of the maximum potential amount of EUR 20 million or four percent of turnover (whichever is greater), this decision presents an opportunity to examine web scraping and direct marketing practices, which are rapidly developing.


When the General Data Protection Regulation (“GDPR”) came into force throughout the European Union nearly three years ago, one of its most eye-catching features was its extraterritorial jurisdiction provisions. These extend the reach of the GDPR to businesses located outside the European Union that offer goods or services to EU residents or that monitor the behavior of EU residents (see Art. 3(2)(a) and (b) GDPR).

Under the threat of becoming liable for a breach of the GDPR and potential fines of up to €20m or four percent of global turnover (whichever is higher), many businesses based in the United States and other locations outside the European Union have simply taken a stance of refusing to deal with EU residents, including taking measures such as geo-blocking websites for EU-based visitors. Other businesses, in the United States and elsewhere, have found themselves contemplating whether they might be subject to the GDPR and how to react merely because they have made a new EU-based business connection, acquired the contact details of a potential customer in the European Union, or even become aware that an employee at a customer organization had moved to the European Union.

A court in the United Kingdom has now considered the limits of the extraterritorial jurisdiction of the GDPR, which may provide some reassurance to overseas businesses that limited contact with EU residents via a website does not necessarily make them subject to the GDPR.
