Following the 2020 Court of Justice of the European Union’s (CJEU) ruling invalidating the Privacy Shield (see our alert here), personal data transfers from the European Union to the United States required EU companies to implement additional safeguard mechanisms, as the CJEU considered that U.S. legislation did not provide sufficient guarantees against the risk of access by public authorities (including intelligence services) to the imported data.
(more…)UK: Queen’s Speech Heralds GDPR Overhaul
June 7th, 2022 | Posted by in Brexit | Privacy - (0 Comments)In the Queen’s speech at the state opening of parliament on 10 May 2022, the UK government announced its intention to change the UK’s data protection regime in a new Data Reform Bill. This follows a consultation last Autumn on how the UK GDPR could be reformed following the UK’s exit from the European Union (EU).
The government claims that the new Bill would:
- Create a data protection framework focused on “privacy outcomes” that would reduce the burdens on businesses, and a “clearer regulatory environment” to encourage “responsible innovation”.
- Ensure that citizens’ data is “protected to a gold standard”, while enabling more efficient sharing of data between public bodies.
- Modernise the Information Commissioner’s Office and require it to be “more accountable to Parliament and the public”.
The Queen’s speech also announced plans to replace the Human Rights Act 1998, which incorporated the European Convention on Human Rights into UK law. According to the government a new “Bill of Rights” would “end the abuse of the human rights framework and restore some common sense to [the] justice system”. This would be achieved by “establishing the primacy of UK case law”, which means that UK courts would no longer be required to follow the case law of the European Court of Human Rights.
Taken together, both of these proposed new legislative measures could change the balance of protection of individuals’ rights in the UK, both generally and in the specific area of personal data regulation. Their development will be closely watched by data protection professionals, because any significant changes in the UK data protection regime could prompt the EU to review its post-Brexit UK adequacy decision, potentially leading to the end of decades of seamless transfers of personal data from the EU to the UK.
First publication on K&L Gates Cyber Law Watch in collaboration with Nóirín McFadden
Litigation Minute: Creating an Incident Response Plan
May 10th, 2022 | Posted by in Privacy | Violation de données - (0 Comments)WHAT YOU NEED TO KNOW IN A MINUTE OR LESS
Reported incidents of data breaches have reached record levels over the last two years1)Experian Data Breach Resolution. (2021). Eighth Annual Study: Is Your Company Ready for a Big Data Breach? Ponemon Institute.. Given this undeniable reality, a data security incident response plan is no longer a luxury; it is a vital tool in every company’s larger crisis management plan. A well-thought-out and thorough response plan can not only significantly reduce the confusion that often follows a data security incident, but can also reduce the pitfalls that often lead to regulatory scrutiny and putative class actions in the United States and the fairly recent “group actions” in the European Union.
In a minute or less, here are the essential components of a working incident response plan.
(more…)Legal 500 Rankings 2022 – Data Privacy and Data Protection – Tier 2 & Leading Individual – France
April 11th, 2022 | Posted by in France | Privacy | Rankings - (0 Comments)‘Specialist in new technologies’, K&L Gates LLP‘s team has an outstanding reputation for legal advice on innovative technologies and data-related concerns. Claude-Etienne Armingaud and Raphael Bloch are recognised as ‘exceptional lawyers who miss no details and who know their fields to perfection’. Claude-Etienne Armingaud has developed particular knowledge of multijurisdictional transactional matters dealing with IT outsourcing and data protection for blockchain and fintech, connected cars, and big data services.
Leading individuals: Claude-Etienne Armingaud – K&L Gates LLP
Practice head(s): Claude-Etienne Armingaud
Other key lawyers: Raphael Bloch
(more…)International Personal Data Transfers: An Eventful Week
March 25th, 2022 | Posted by in Brexit | Data Transfer | Europe | Privacy - (0 Comments)Transfer from the UK
On 21 March 2022, the United Kingdom finalized the adoption of its own version of the European Union’s (EU) Standard Contractual Clauses (SCC), a contractual mechanism aiming at securing personal data protected under a data protection framework to third countries not deemed to offer an “adequate” level of data protection.
On 16 July 2020, while the United Kingdom was still an EU Member State, the European Court of Justice (CJEU), through its Schrems II decision, added new requirements to the SCC (see our Alert here), relating to safeguards against access to personal data protected under EU’s General Data Protection Regulation (GDPR) by intelligence agencies. As a consequence, the European Union adopted new versions of the SCC in June 2021 (see our Alert here), but the United Kingdom having finalized Brexit in the meantime, did not adopt the new SCCs, instead operating the previous versions of the SCC, and an updated document for transfers initiated under the UK GDPR was needed.
The UK’s draft International Data Transfer Agreement (IDTA) and Addendum were laid before Parliament on 22 February 2022 and finally adopted on 21 March 2022 without changes. The IDTA is an equivalent contract to the SCC, but uses a tabular approach in place of the modules used by the SCC. The alternative instrument that was introduced, the Addendum, provides UK data exporters with a semi-seamless mechanism where they can leverage their existing SCC for transfers initiated under the EU GDPR. The Addendum consists of a form effectively selecting the relevant options of the SCC and amending EU terminology and legal references to UK-specific ones. It is likely to be more widely used than the IDTA, particularly as data exporters with operations in both the UK and the EU will look to reduce the number of contracts they need to enter into. Overall, the IDTA and the Addendum represent a narrowing in the divergence that had appeared recently in the differing safeguards required by the UK and the EU for data exporters engaged in personal data transfers from their respective jurisdictions.
As a reminder:
- Transfers between the EU and the UK do not need any specific measures as per the adequacy decision currently in place (see our Alert here)
- all data transfer agreements under the EU GDPR based on the previous versions of the SCC will need to be migrated to the new SCC on or before 27 December 2022; and
- all data transfer agreements under the UK GDPR executed on or before 21 September 2022 on the basis of any Transitional Standard Clauses (based on the previous versions of the SCC) will need to be migrated to an IDTA or Addendum on or before 21 March 2024.
Transfer from the EU to the US: En Route for Schrems III?
On 25 March 2022, European Commission President Ursula von der Leyen and United States President Joe Biden announced an “agreement in principle” on a new EU-US data sharing system, expected to replace the Privacy Shield framework invalidated under the CJEU’s Schrems II decision in 2020 (see our Alert here).
As no draft of that “agreement” has been circulated, the existing grievances against U.S. intelligence agencies’ access to personal data protected under GDPR remain and concerns relating to ‘effective legal remedies’ available to individuals protected under GDPR (Data Subjects) will need to be addressed. Data activist Maximilian Schrems and his organization, noyb, already announced that they would closely monitor the development of this new framework and challenge any decision which would not abide by the CJEU’s 2020 Schrems II decision.
While such a political statement is encouraging for the future of international data transfers, this announcement should not be construed as relieving companies subject to GDPR’s territorial scope (see our Alert here) from implementing adequate data transfer mechanisms until more concrete elements are adopted.
Such transfer mechanisms notably include:
- A transfer impact assessment (TIA), analyzing the regulatory framework applicable to the destination country and any supplemental technical and organizational measures to be implemented to safeguard the transferred personal data from undue access;
- Implementation of a transfer mechanism, such as the SCC (see above) or adhesion to Binding Corporate Rules, or to a Code of Conduct (see our Alert here).
K&L Gates’ global data protection team (including in each of our European offices) remains available to assist you in achieving the compliance of your data transfers at a global level.
First publication: K&L Gates Hub in collaboration with Noirin McFadden, Thomas Nietsch and Keisha Phippen
French authority falls in line with ECJ position on general retention of metadata
March 16th, 2022 | Posted by in France | Legislation | Press | Privacy - (0 Comments)Claude-Étienne Armingaud, a partner at K&L Gates in Paris, said the decision would have little impact in practice.
“The new sections adopted in July 2021 are implementing specific and targeted data retention requirements which should therefore comply with both the ECJ decisions and the Constitutional Council decision of today,” he said.
“So, if anything, it’s a tardy decision that was expected and confirmation that the Government did well to anticipate this.”
Read full article here.
Leaders League Rankings 2022 – Technologies, internet & telecommunications – Data protection law – Law firm – France
March 8th, 2022 | Posted by in IT | Privacy | Rankings - (0 Comments)K&L Gates ranked “Highly Recommended – Band 1” with Claude-Etienne Armingaud.
Source: Leaders League
(more…)🇺🇸 Conference Data Protection World Forum – Roundtable: Cloudy horizons with the threat of breaches
January 4th, 2022 | Posted by in Conference | Data Breach | Privacy - (0 Comments)Join us on 19 January 2022 – 1.30pm GMT
Host – Paul Hampton, Senior Product Manager, Thales
Speakers :
- Stewart Room, Partner, Global Head of Data Protection & Cyber Security, DWF
- Claude-Étienne Armingaud, CIPP/E, Partner – Practice Group Coordinator | Data Protection, Privacy and Security, K&L Gates LLP
- Ray Walshe, Director and EU Observatory for ICT Standards, Dublin City University
Most organisations have felt the impact of accelerating their cloud adoption strategies in the past two years. While beneficial to the enterprise in numerous areas, such as faster application development, combined with the ability to experiment and quickly leverage elasticity and resiliency, these benefits have also brought significant new security challenges.
Today, enterprises are grappling with security issues never before faced or addressed. The debate of shared responsibility between provider and customer, data sovereignty, the utopian cloud environment and the constant changing of threat models to name a few.
This session will draw on the recent findings of the 2021 Thales Cloud Security Report to discuss how European enterprises are handling the data security repercussions of an accelerated cloud deployment.
Areas for Discussion
• The widespread use of SaaS within the enterprise
• Cloud complexity with ‘lift & shift’, multicloud, and hybrid
• Encryption in the cloud is not as widespread as enterprises think
• How successful are enterprises in maintaining compliance and avoiding breaches in the cloud
• Who owns responsibility for the security of data in the cloud
More information and registration here
EU-Republic of Korea Adequacy Decisions Finalized
December 29th, 2021 | Posted by in Data Transfer | Privacy - (0 Comments)Following the conclusion of the adequacy talks in March 2021, the European Commission has adopted on 17 December 2021 an adequacy decision addressing the transfers of personal data to the Republic of Korea under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive.
Both texts prohibit the transfer of personal data to “third countries” unless (a) the destination country benefits from (i) an adequacy decision or (ii) appropriate safeguards, such as standard contractual clauses (see our alert here) or codes of conduct (see our alert here); or (b) one of the limited derogations under Article 49 GDPR applies.
With regards to the adequacy talks, the Republic of Korea agreed on the implementation of additional safeguards. Accordingly, the reform of Republic of Korea’s data protection framework (the Personal Information Protection Act) in August 2020, the several addition safeguards have been implemented including transparency provisions and enforcement power strengthening of the Personal Information Protection Commission (§70).
The Republic of Korea adequacy decision complements the Free Trade Agreement (FTA) of July 2011 and allows a seamless flow of personal data between the Republic of Korea and the European Union.
Unlike the UK adequacy decision which contains a sunset clause (see our alert here), the Republic of Korea adequacy decision is not limited in time. However, pursuant to Article 45.3 GDPR, the European Commission carry out a first review of the decision after three years to evaluate any evolution in the Republic of Korea data protection framework, that would lead to divergence with the EU regulations (§220).
The Republic of Korea now belongs to the increasing group of third countries benefiting from an adequacy decision (including, since GDPR’s entry into force, Japan and the UK).
The firm’s global data protection team (including in each of our European offices) remains available to assist you in achieving the compliance of your data transfers at global levels.
First publication: K&L Gates Hub in collaboration with Andrew L. Chung, Camille Scarparo and Eric Yoon
Copyright © 2024 All rights reserved.
Designed by 