🇫🇷 OneTrust TrustWeek Paris: Charting GDPR – Navigating the EU and global data laws

October 17th, 2023 | Posted by Claude-Etienne Armingaud in Conference | Data Transfer | Europe | Privacy | World - (0 Comments)

Post-Brexit EU businesses have needed to rethink how they approach showing compliance with a host of regulations, managing international data transfers and building trust with data subjects. Having to comply with the GDPR, prepare for other data protection bills, all while continuing to comply with the EU-GDPR as well as a host of global regulations means businesses might look to certification as a common system for adequacy as a one-stop shop, when addressing the overlaps and more crucially closing the gaps on their privacy compliance programs.

Featured speakers:

  • Noshin Khan, Senior Compliance Counsel, Ethics Center of Excellence, OneTrust 
  • Claude-Étienne Armingaud, Partner, K&L Gates

Register here.

, , ,

UK Government Approves Adequacy of UK-US Data Bridge

October 4th, 2023 | Posted by Claude-Etienne Armingaud in Data Transfer | Europe | Privacy | World - (0 Comments)

The UK Government has laid adequacy regulations before Parliament that, once in force from 12 October 2023, will permit use of the UK – US “Data Bridge” as a safeguard for personal data transfers from the UK to the US under Article 44 UK GDPR.

The UK – US “Data Bridge,” AKA the UK Extension to the EU – US Data Privacy Framework (Framework), allows UK organisations to transfer personal data to organisations located in the United States that have self-certified their compliance with certain data protection principles and appear on the Data Privacy Framework List. This scheme, administered by the US Department of Commerce, provides a redress mechanism for data subjects in the European Union to enforce their rights under the EU General Data Protection Regulation, in relation to a participating US organisation’s compliance with the Framework, and to US national security agencies’ access to personal data. This new redress mechanism attempts to prevent a challenge to the Framework similar to the Schrems II case, which invalidated the Framework’s predecessor EU – US Privacy Shield. Despite this, the Framework has already been the subject of a short-lived case at the Court of Justice of the EU, and there may be more legal challenges.

Alongside the adequacy regulations, the UK government published an analysis of the US laws relating to US national security agencies’ access to the personal data of European data subjects. This analysis effectively completes the international data transfer risk assessment (TRA), which UK organisations have been required to carry out before transferring personal data to the US. It is likely that UK organisations relying on the other Article 44 UK GDPR safeguards, such as the International Data Transfer Agreement, may also rely on this analysis in place of completing a TRA.

First publication: K&L Gate Cyber Law Watch Blog in collaboration with Noirin McFadden

🇺🇸 Generative AI Legal, Policy and Ethical Considerations

June 27th, 2023 | Posted by Claude-Etienne Armingaud in Artificial Intelligence | Conference | Europe | IT | Privacy | World - (0 Comments)

In this webinar, our lawyers discuss generative artificial intelligence (AI). Fast paced growth in generative AI is changing the way we work and live. With such changes come complex issues and uncertainty. We will address the legal, policy and ethical risks, mitigation, and best practices to consider as you develop generative AI products and services, or use generative AI in the operation of your business.

With Annette Becker, Guillermo Christensen, Whitney McCollum, Jilie Rizzo, and Mark Wittow

If you were not able to join last Tuesday, you can watch the replay below:

Source: K&L Gates Hub

European Parliament Adopts Negotiating Mandate on European Union’s Artificial Intelligence Act; Trilogues Begin

June 26th, 2023 | Posted by Claude-Etienne Armingaud in Artificial Intelligence | Ethics | Europe | IT | Legislation | Non classé - (0 Comments)

On 14 June 2023, the European Parliament (Parliament) plenary voted on its position on the Artificial Intelligence Act (AI Act), which was adopted by a large majority, with 499 votes in favor, 28 against, and 93 abstentions. The newly adopted text (Parliament position) will serve as the Parliament’s negotiating position during the forthcoming interinstitutional negotiations (trilogues) with the Council of the European Union (Council) and the European Commission (Commission).

The members of Parliament (MEPs) proposed several changes to the Commission’s proposal, published on 21 April 2021, including expanding the list of high-risk uses and prohibited AI practices. Specific transparency and safety provisions were also added on foundation models and generative AI systems. MEPs also introduced a definition of AI that is aligned with the definition provided by the Organisation for Economic Co-operation and Development. In addition, the text reinforces natural persons’ (or their groups’) right to file a complaint about AI systems and receive explanations of decisions based on high-risk AI systems that significantly impact their fundamental rights.

Definition

The Parliament position provides that AI, or an AI System, should refer to “a machine-based system that is designed to operate with varying levels of autonomy and that can, for explicit or implicit objectives, generate outputs such as predictions, recommendations, or decisions, that influence physical or virtual environments.” This amends the Commission’s proposal, where an AI System was solely limited to software acting for human-defined objectives and now encompasses the metaverses through the explicit inclusion of “virtual environments.”

Agreement on the final version of the definition of AI is expected to be found at the technical level during trilogue negotiations, as it does appear to be a noncontentious item.

Another notable inclusion relates to foundation models (Foundation Models) that were not yet in the public eye when the Commission’s proposal was published and were defined as a subset of AI System “trained on broad data at scale, is designed for generality of output, and can be adapted to a wide range of distinctive tasks.

(more…)

🇺🇸 Safeguarding the World’s Trust – The Privacy Collective

June 14th, 2023 | Posted by Claude-Etienne Armingaud in Conference | Europe | Privacy | World - (0 Comments)

Speakers:

  • Zelda Olentia, Senior Product Manager, RadarFirst
  • Claude-Étienne Armingaud, CIPP/E, Partner, Data Protection Privacy and Security Practice Group Coordinator, K&L Gates LLP

Air Date: Wednesday 14 June at 1 pm ET / 10 am PT. Replay on demand available here!

Description

Gartner predicts that by the end of 2024, 75% of the world’s population will have its personal data covered under modern privacy regulations. This exponential increase from only 10% global coverage in 2020 raises the stakes for global organizations. The challenge will be to ensure compliance, while safeguarding trust for an unprecedented volume of regulated data.

Join the upcoming live Q&A to learn what’s driving this expansion and how to prepare. You’ll hear from Zelda Olentia, Senior Product Manager at RadarFirst, and special guest, Claude-Etienne Armingaud who is a partner at K&L Gates LLP and a coordinator for the Firm’s Data Protection, Privacy, and Security practice group.

In this session we will cover:

  What is driving the expansion of privacy regulation?

  Where are we on this path towards 65% global coverage?

  How do you scale privacy operations for international privacy laws quickly and effectively before year-end 2024?

Register Now >>

Irish Supervisory Authority “Poking” at Meta’s GDPR Practices

May 26th, 2023 | Posted by Claude-Etienne Armingaud in Case Law | Data Transfer | Europe | Privacy - (0 Comments)

Closing in on the fifth anniversary of the entry into force of the EU General Data Protection Regulation (GDPR), the Irish Data Protection Commission (DPC) announced on 22 May 2023 that it had fined Meta for EUR 1,2b (USD 1.3b), the highest GDPR fine levied since 2018.

Further to the DPC decision (Decision), and in addition to the record fine, Meta will need to:

  • suspend any future transfers of personal data to the United States within five months from the date of notification of the decision to Meta Ireland;
  • ensure the compliance of its data processing operations by ceasing the unlawful processing, including storage, in the United States of personal data of its users in the European Economic Area, transferred without sufficient safeguards, within six months from the date of notification of the DPC’s decision to Meta Ireland.

The core of the grievances relates to a decade-long (and going) crusade initiated by datactivist Maximilien Schrems and its data protection association, None of Your Business (noyb). The crusade started in 2013, with a first step resulting in a resounding cancelation of the Safe Harbor framework, which allowed personal data to be freely transferred from the European Union to the United States, in the 2015 Schrems I case (see our Alert). It was subsequently followed by a same action against Safe Habor’s successor, the Privacy Shield Framework, leading to the same result in the Schrems II case (see our Alerts here, here and here).

(more…)

, , , ,

🇺🇸 Gateway to Privacy: May the Enforcement Be With You – Reflections on Five Years of GDPR

May 4th, 2023 | Posted by Claude-Etienne Armingaud in Conference | Europe | Podcast | Privacy - (0 Comments)

In this episode, Claude-Etienne Armingaud, Eleonora Curreri, and Camille Scarparo celebrate the fifth anniversary of GDPR accompanied with lawyers from our European offices; Thomas Nietsch and Andreas Müller (Berlin), Nóirín McFadden (London), and Gianmarco Marani (Milan). They reflect on how embedded GDPR has become in the cultural scene and with private enforcement. They also touch on the future for UK GDPR and the Data Protection and Digital Information (No.2) Bill.

May the enforcement be with you!

First publication: K&L Gates Hub with Eleonora Curreri, Gianmarco Marani, Andreas Müller, Noirin M. McFadden, Dr. Thomas Nietsch, Camille Scarparo

, ,

Gateway to Privacy: Let Go of Everything You Fear to Lose – Training as the First Step to GDPR Compliance

April 11th, 2023 | Posted by Claude-Etienne Armingaud in Data Breach | Europe | Non classé | Podcast | Privacy - (0 Comments)

In this episode, Claude Etienne Armingaud, Eleonora Curreri, and Camille Scarparo introduce a case regarding a U.S. company’s data privacy breach, the consequences a company may face for being non-compliant with GDPR for companies established outside of the EU, and which steps companies can take to prevent these situations.

First publication: K&L Gates Hub with Eleonora Curreri & Camille Scarparo

🇺🇸 IAPP DPI France – Codes of Conduct — GDPR’s Prodigal Son Finally Arriving?

March 14th, 2023 | Posted by Claude-Etienne Armingaud in Conference | Data Transfer | Europe | France | Privacy | World - (0 Comments)

Claude-Étienne Armingaud, CIPP/E, Partner, Data Protection Privacy and Security Practice Group Coordinator, K&L Gates

Gabriela MercuriManaging Director, SCOPE Europe

Jörn WittmannDirector Privacy Legislative Strategy and Public Policy, Volkswagen AG

Codes of conduct overseen by accredited monitoring bodies are one of the breakthrough innovations introduced by EU General Data Protection Regulation. As part of its accountability framework, GDPR not only shifted the onus of demonstrative compliance, but also created the possibility for stakeholders to engage in co-regulatory practices. The goal was to allow the industry to support regulatory implementation by developing workable guidance to concretize the GDPR’s provisions. More flexible than other previously adopted compliance tools, CoCs generated high expectations, particularly in the wake of Schrems II, as a possible solution to address international data transfers and enable legal foreseeability. CoCs have not yet reached their full potential, with only a handful of national CoCs deployed and even less at the pan-European level. However, as the cloud ecosystem leads the way, this panel will explore the background of this sectoral success while highlighting CoC’s benefits, as well as their limitations.

What you will learn:

• How to understand the relevancy of CoCs in a post-GDPR, post-Schrems II era.

• What CoCs can bring to an ecosystem, as well as what they should not be pursued for.

• The future of international data transfers amid emerging data protection systems at global levels.

More information.

Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR

February 25th, 2023 | Posted by Claude-Etienne Armingaud in Data Transfer | Europe | Privacy - (0 Comments)

Version 2.0 dated 14 February 2023
Go to the official PDF version.

Executive Summary

The GDPR does not provide for a legal definition of the notion “transfer of personal data to a third country or to an international organisation”. Therefore, the EDPB provides these guidelines to clarify the scenarios to which it considers that the requirements of Chapter V should be applied and, to that end, it has identified three cumulative criteria to qualify a processing operation as a transfer:

  1. A controller or a processor (“exporter”) is subject to the GDPR for the given processing.
  2. The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).
  3. The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Article 3, or is an international organisation.

If the three criteria as identified by the EDPB are met, there is a transfer and Chapter V of the GDPR is applicable. This means that the transfer can only take place under certain conditions, such as in the context of an adequacy decision from the European Commission (Article 45) or by providing appropriate safeguards (Article 46). The provisions of Chapter V aim at ensuring the continued protection of personal data after they have been transferred to a third country or to an international organisation.

Conversely, if the three criteria are not met, there is no transfer and Chapter V of the GDPR does not apply. In this context, it is however important to recall that the controller must nevertheless comply with the other provisions of the GDPR and remains fully accountable for its processing activities, regardless of where they take place. Indeed, although a certain data transmission may not qualify as a transfer according to Chapter V, such processing can still be associated with increased risks since it takes place outside the EU, for example due to conflicting national laws or disproportionate government access in the third country. These risks need to be considered when taking measures under, inter alia, Article 5 (“Principles relating to processing of personal data”), Article 24 (“Responsibility of the controller”) and Article 32 (“Security of processing”) – in order for such processing operation to be lawful under the GDPR.

These guidelines include various examples of data flows to third countries, which are also illustrated in an Annex in order to provide further practical guidance.

(more…)

, , , ,