A Practice Note highlighting issues to consider when counseling a prospective buyer of an AI company. This Note discusses the primary due diligence issues relating to AI and machine learning (ML) and strategies to mitigate or allocate risks in the context of an M&A transaction. This Note is also helpful for AI company targets that seek to anticipate potential issues. In this Note, the term AI company refers to a company involved in the research, development, or monetization of a product or service that is primarily powered by an ML algorithm or model that creates functionality or utility through the use of AI.

Read the full article on Practical Law, written in collaboration with by Annette Becker, Alex V. Imas, Jake Bernstein, Mark H. Wittow, Melanie Bruneau, Marion Baumann, Kenneth S. Knox, Julie F. Rizzo, Cameron Abbott, Thomas Nietsch, and Nicole H. Buckley.

Quoted in Agenda article “New EU AI Rules Will Have Global Impact“:

The scope of the EU AI Act will apply to all companies whose AI systems are used or affect EU-based individuals, according to Claude-Etienne Armingaud, a partner in K&L Gates’ Paris office and a member of the law firm’s technology transactions and sourcing practice group.

Due to its breadth, global companies developing AI systems, most of which are headquartered either in the U.S. or in China, will face two options: “Get in line with the EU AI Act or abstain from the EU market,” Armingaud said.

Some companies threatened to exit the European market after the EU’s General Data Protection Regulation, or GDPR, became effective in 2018, but many didn’t actually follow through, according to Armingaud.

“So, without a doubt, all companies dabbling in AI will need to comply if they truly want to remain global,” he said.

Agenda – New EU AI Rules Will Have Global Impact

Quoted by Global Data Review:

Claude-Étienne Armingaud, a partner at K&L Gates in Paris, said the decision would have little impact in practice.

“The new sections adopted in July 2021 are implementing specific and targeted data retention requirements which should therefore comply with both the ECJ decisions and the Constitutional Council decision of today,” he said.

“So, if anything, it’s a tardy decision that was expected and confirmation that the Government did well to anticipate this.”

Read full article here.

On 4 July 2019, the French Data Protection (CNIL) published its Guidelines on Cookies and Other Tracking Technologies (the Guidelines, available in French here). The Guidelines further detailed the nature of the interplay between the General Data Protection Regulation (GDPR) which reinforced expectations towards obtaining consent to data processing operations when such consent is required), and the ePrivacy Directive which more specifically addresses the privacy requirements on cookies and other tracking technologies. Indeed, while the ePrivacy Directive was expected to be updated through an ePrivacy Regulation (latest draft proposal available here), on or before GDPR entered into force, it remains under discussion at the European level to this day, and subject to intense lobbying by all stakeholders.

Further to the publication of the Guidelines, several French professional associations in the online marketing, distance selling and online media activities initiated legal action against the CNIL, before the French Administrative Supreme Court (the Conseil d’État), on the grounds that the CNIL acted above and beyond its authority in adopting the Guidelines, notably by (i) generally prohibiting “cookie walls”, (ii) recognizing a right of data subjects to refuse cookies, (iii) requiring the identification of the data controller for the cookies, (iv) mandating an exhaustive and up-to-date information of the data subjects on the cookies, regardless of their involvement in data processing operations, (v) requiring that the users’ agreement must be expressed by a separate action for each of the distinct purposes brought to their knowledge with a view to the storage of information or access to information already stored in their terminal equipment, and (vi) imposing maximum data retention periods for cookies.


Following its press release on the development of a new third country transfer module, the EU Data Protection Code of Conduct for Cloud Service Providers is proud to welcome internationally renowned law firm K&L Gates LLP as Supporter.

Brussels, 06. October 2020 – Pending the approval of its Code of Conduct under Europe’s General Data Protection Regulation (GDPR), the EU Cloud Code of Conduct (EU Cloud CoC) initiated the development of an on-top module to tackle the recent decision from the Court of Justice of the European Union (CJEU) “Schrems II”. Post-Schrems II, such an additional module is considered extremely helpful by the industry. GDPR explicitly refers to codes of conduct as an appropriate safeguard in its Article 46.2.(e). Provided that approved codes of conduct require independent oversight by an accredited monitoring body, codes of conduct may be the missing link how to create “supplementary measures” as called-for by the CJEU.

“Addressing Schrems II surely will be demanding. Therefore, the General Assembly highly welcomes the addition of this well-known international law firm. This adds to our large pool of subject matter experts and experience that will be necessary in developing an additional module for third party data transfers.”, said Jonathan Sage, Government and Regulatory Affairs Executive at IBM and Chairman of the EU Cloud CoC General Assembly.

The EU Cloud CoC, in its core version, addresses requirements pursuant to Article 28 GDPR for processors. Consequently, the Code focuses on establishing best practices to address relevant legal requirements. Drafting a third country transfer mechanism will require close negotiations with different stakeholders, as such a mechanism easily corelates with non-GDPR related aspects, such as political and societal.

“Our clients are in dire need of stable, yet flexible solutions. The Schrems II ruling created massive turbulence not just for service providers but also, and especially, for customers, who are lacking any foreseeability on the compliance of internationally provided services. We are willing to contribute to this upcoming future standard with our distinct expertise in finding practical solutions for all of our clients, and thus inherently balancing interests of providers and customers alike, through such self-regulation mechanism for the whole ecosystem. Our involvement in the EU Cloud CoC will be led by Dr. Thomas Nietsch from our Berlin Office.” said Claude-Etienne Armingaud, CIPP/E and Practice Group Coordinator for Data Protection, Privacy, and Security at K&L Gates LLP.

Considering the press conference announcing this development, one may note that European Supervisory Authorities and also the European Commission are welcoming initiatives like the one as of the EU Cloud CoC. The EU Cloud CoC General Assembly is looking forward to a cooperative dialogue with relevant stakeholders, inviting interested parties to join, to make sure that the upcoming module is meeting legal requirements, but also data subjects and industry needs, as this will be key for broad market adoption and effectiveness.


The EU Cloud Code of Conduct is a sector-specific Code pursuant to GDPR Article 40, currently pending the endorsement and official approval by supervisory authorities. Among the key benefits of the Code is its applicability to the full spectrum of cloud services, as all services types (SaaS, PaaS, IaaS) can be declared adherent against the Code.

The Code’s General Assembly members are eligible to declare their services adherent and make them subject to the robust monitoring and assessment of the Code’s Monitoring Body, thereby underpinning GDPR compliance. The General Assembly has recently announced the next evolution of its Code by drafting a dedicated module for third country transfers. Find out more about the Code , the Third Country Transfer Initiative and learn how easy it is to join the General Assembly of the EU Cloud Code of Conduct.

First publication : EU CoC Cloud

Brexit: Deal Or No-Deal? Data is the Question
With the Brexit deadline looming ahead on 31 October 2019, the situation seemingly reaches new levels of uncertainty every day. Last week, the U.K. Supreme Court’s eleven judges unanimously ruled that Prime Minister Boris Johnson’s decision on 9 September 2019, to prorogue Parliament was “unlawful and void.” Parliament will therefore carry on its Brexit discussions…with now only thirty days left to finalise a deal. Although Parliament, while still in session, passed a law to extend the Brexit deadline, such an extension would still require approval by the EU.

So how should companies prepare, on either side of the Channel (and beyond), in the coming months for the more-likely-by-the-day-scenario of No-Deal?


New China Article:

However, the convention has been signed by 75 contracting countries only, said Claude-Etienne Armingaud, Paris partner at K&L Gates. One of the most notable absentees is the United States, he added.
Read full article here.

New China Article:

However, the convention has been signed by 75 contracting countries only, said Claude-Etienne Armingaud, Paris partner at K&L Gates. One of the most notable absentees is the United States, he added.
Read full article here.