When the General Data Protection Regulation (“GDPR” – external source) came into force throughout the European Union nearly three years ago, one of its most eye-catching features was its extraterritorial jurisdiction provisions. These extend the reach of the GDPR to businesses located outside the European Union who offer goods or services to EU residents or who monitor the behavior of EU residents (See Art. 3(2)(a) and (b) GDPR).

Under the threat of becoming liable for a breach of the GDPR and potential fines of up to €20m or four percent of global turnover (whichever the higher), many businesses based in the United States and other locations outside the European Union have simply taken a stance of refusing to deal with EU residents, including taking measures such as geo-blocking websites to EU-based visitors. Other businesses, in the United States and elsewhere, have found themselves contemplating whether they might be subject to the GDPR and how to react merely because they have made a new EU-based business connection, acquired the contact details of a potential customer in the European Union, or even become aware that an employee at a customer organization had moved to the European Union.

A court in the United Kingdom has now considered the limits of extraterritorial jurisdiction of the GDPR, which may provide some reassurance to overseas businesses that limited contact with EU residents via a website may not necessarily lead to them being subject to the GDPR.

(more…)

The French Supervisory Authority has set 31 March 2021 as the end of the “reasonable period” to bring websites and mobile applications into compliance.

Following the adoption and publication of its updated guidelines along with practical recommendations on the use of cookies on 1 October 2020 (see our alert on the subject here), the French Supervisory Authority (CNIL) reaffirmed on 4 February 2021 the need for private and public players to comply with the new obligations regarding cookies and other tracers (together, CookiesSee the CNIL press release of 4 February 2021 (in French)).

To make its action plan on online advertising effective and in view targeting of the deficiencies witnessed in both the public and private sectors, the CNIL set a specific deadline for the implementation of its recommendation: 31 March 2021.

(more…)

This article names K&L Gates among Global Data Review’s inaugural GDR 100, a ranking of the world’s best data law firms. The GDR 100 is the only global ranking that captures the capabilities, track record, and market reputation of the leading firms in the field. The ranking is based on in-depth submissions submitted by hundreds of law firms around the world, and profiles K&L Gates lawyers including Melbourne partner Cameron Abbott and Paris partner Claude-Etienne Armingaud. Read the article here (subscription required). 

As of 1 January 2021, the Brexit transition period (Transition Period) ended, and the United Kingdom (UK) officially finalized its exit from the European Union (EU) and the 11th-hour commercial agreement (Agreement) should allow for a smoother transition on the data protection front as the General Data Protection Regulation (GDPR) stops being directly applicable to the UK. It also provided the UK with a six-month grace period to hope for an adequacy decision that would allow for the free transfer of personal data from the EU to the UK.

As the European Data Protection Board (EDPB) amended on 13 January 2021 its Brexit communications² further to the Agreement (Communications), it only addresses:

  • The issue of data transfers from the EU to the UK;
  • The end of the One-Stop-Shop (OSS) mechanism for the UK; and
  • The need for UK entities that would be subject to GDPR to appoint a representative further to Art. 27 GDPR.

However, aside from enacting the end of the OSS and commenting that “the EDPB has been liaising with the ICO [Information Commissioner’s Office, the UK’s Supervisory Authority] over the past months in order to enable a smooth shift to this new situation by ensuring that the EEA authorities follow a shared and efficient approach in handling the existing complaints and cross-border cases involving the ICO, whilst minimizing delays and possible inconveniences to affected complainants[,]” the EDPB did not comment on how such collaboration will effectively play out for companies whose lead Supervisory Authority was the ICO.

Read the full article on Radar First blog.

43rd EDPB Meeting

December 17th, 2020 | Posted by Claude-Etienne Armingaud in Europe | Privacy - (0 Comments)
  1. Adoption of the minutes and of the agenda, Information given by the Chair
    1. Minutes of the 42nd EDPB meeting
    2. Draft agenda of the 43rd EDPB meeting
  2. Consistency mechanism, Guidelines and EDPB
    1. Key Provision ESG
      1. Guidelines on restrictions under Article 23 GDPR
    2. Financial Matters ESG
      1. Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR (after public consultation)
    3. International Transfer ESG
      1. Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies (after public consultation)
  3. Current Focus of the EDPB Members
    1. Data Governance Act COM (2020) 767 proposal – presentation by European Commission
    2. Information about the European Commission request for a joint EDPS-EDPB opinion regarding the Data Governance Act
    3. EDPB Strategy
    4. Support Pool of Experts
    5. Request for information from the European Commission regarding Brexit state of play (end of transitional period as well as the impact on EU-UK data flows and further information on possible adequacy decisions)
    6. Information note on data transfers under the GDPR to the United Kingdom after the Brexit transition period
  4. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat
    1. Cooperation ESG
      1. [BREXIT] Involvement of the UK SA in cooperation and consistency mechanisms
      2. Review of the internal documents on local cases
      3. Handling cross border complaints against public bodies or authorities – request for mandate
      4. Guidelines on handling complaints: revision of the mandate – request for mandate
    2. Compliance, e-Government and Health ESG
      1. Guidelines on certification criteria assessment – request for mandate
    3. Financial Matters ESG
      1. Statement on the protection of personal data processed in relation with the prevention of money laundering and terrorist financing
    4. International Transfers ESG
      1. Art. 64 GDPR Opinion on the draft decision of the Dutch Supervisory Authority regarding the Controller Binding Corporate Rules of Equinix
    5. Compliance, e-Government and Health ESG
      1. Stakeholder event on processing of data for medical and scientific research purposes – request for mandate
    6. Technology ESG
      1. Guidelines on anonymisation / pseudonymisation – request for mandate
    7. EDPB Secretariat
      1. 2021 February plenary
      2. Survey future meetings post COVID
  5. Any other business

Through its Act no.2020-1266 dated 19 October 2020 (the Act), the French legislator elected to regulate the commercial exploitation of the images of children aged 16 and under on online platforms (Kidfluencers).

Despite the potentially lucrative consequences of these emerging practices, Kidfluencers operated in a legal vacuum which could have resulted in parents exploiting their children, without the latter reaping any financial benefits or regaining any control of their images upon coming of age.

First and foremost, the Act extends the existing legal framework of child models, under Article L7124-1 of the French Labor Code (FLC). As such, Kidfluencers will require a written authorization from the French Administration prior to being engaged or broadcasted, inter alia:

  • By any entertainment provider, regardless of the medium or broadcast type;
  • In order to perform “modeling activities,” broadly defined under Article L7123-2 FLC as presenting oneself, directly or indirectly through the reproduction of one’s image, either through photographs or video, notably by presenting a product, service of commercial message;
  • By eSport competition organizers; and
  • By “Employer whose activities consist in creating audiovisual recording whose main subject is a child aged 16 or under, for the purpose of for-profit broadcasting on an online video sharing platform”.

The latter category was notably introduced to characterize the parents or legal guardians of the influencers as the “employer” of the Kidfluencer. As they may not be as aware of the legal undertakings as the other providers and organizers mentioned, the Administration will provide them with specific information relating to the Kidfluencers’ rights and the risks associated with exhibiting their image online.

Moreover, a portion of the revenue gained by Kidfluencers would be placed in escrow on a French public bank account until their majority.

Secondly, in situation when the broadcast would not be performed for profit, the Act introduces additional protective measures for Kidfluencers: instead of a prior authorization, a simple declaration of the activity will be required, when the published content exceeds certain thresholds in terms of (i) duration or individual items; or (ii) direct or indirect revenues. Such thresholds will be addressed in a supplemental decree to be adopted shortly.

Failing to obtain the authorization or to proceed with the notification would entitle the Administration to seize a court in order to take down the related content.

Finally, the Act also implements a collaborative framework for the online video sharing platforms, and enjoin them to publish dedicated policies to aiming at

  • Informing users of the applicable Kidfluencers’ regulatory framework;
  • Informing Kidfluencers directly of the consequences on their private life of the broadcasting of their image, of the legal and psychological consequences and of the means they have to protect their rights and dignity;
  • Encouraging users to report any content involving Kidfluencers that could affect their dignity, psychological or physical integrity;
  • Preventing the processing of personal data relating to minors for commercial purposes, such as targeted advertisement, further to the broadcasting a Kidfluencers video;
  • Detecting situations where the recording or broadcasting of Kidfluencers’ videos could impact their dignity, psychological or physical integrity; and
  • Helping Kidfluencers to easily exercise their right to be forgotten on the video-sharing platforms.

While a welcomed step to protect children online, sometimes from their own families, the Act will need to be completed with regard to the thresholds triggering its applicability. In addition, by mainly addressing online video sharing platforms, the Act could have benefited from a more homogenous framework for online platform allowing the sharing of both still and moving pictures. Indeed, while still images could be included in the modeling provision, it remains to be seen how extensively it will be enforced.

Amidst the current discussions surrounding the Digital Services Act at the European level, this France-specific framework creates yet another undertaking for online platforms to implement additional measures to support public policies. And by encouraging users to report any content involving Kidfluencers that could affect their dignity, psychological or physical integrity, the Act could generate extra-territorial consequences, forcing the platforms to deploy such reporting mechanism at a global scale.

K&L Gates IP/IT team in Paris remains available to assist you in assessing the changes triggered by this Act. Please get in touch if you would like to discuss the steps that your organization might want to consider to prepare now for this new Kidfluencer framework.

First publication: K&L Gates Fashion Law Watch

42nd EDPB Meeting

November 19th, 2020 | Posted by Claude-Etienne Armingaud in Europe | Privacy - (0 Comments)
  1. Adoption of the minutes and of the agenda, Information given by the Chair
    1. Minutes of the 41st EDPB meeting
    2. Draft agenda of the 42nd EDPB meeting
    3. Publication of minutes of 40th Plenary meeting
    4. Request to extend the deadline for public consultation re recommendation 01/2020 on sup. measures
  2. Current Focus of the EDPB Members
    1. Presentation by the European Commission of the new (updated) two sets of SCCs
  3. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat
    1. Technology ESG
      1. Statement on eprivacy regulation
      2. Letter to News Media Europe and others regarding cookie walls
    2. International Transfer ESG
      1. Template for BCR approval decision by a supervisory authority
  4. Any other business
  1. Adoption of the minutes and of the agenda, Information given by the Chair
    1. Minutes of the 40th EDPB meeting
    2. Draft agenda of the 41st EDPB meeting
  2. Current Focus of the EDPB Members
    1. Art. 65 ongoing procedure
    2. Draft Art. 65 Decision
  3. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat
    1. Recommendation on measures that supplement transfer instruments to ensure compliance with the EU level of protection of personal data
    2. Update of the European Essential Guarantees recommendations

With the Brexit transition period ending on 31 December 2020, and no deal in sight, the future of cross-border data transfers between the European Economic Area (the EEA) and the United Kingdom remains unclear. On 1 January 2021, the United Kingdom will be considered as a “third country” and, unless a Brexit deal is proposed dealing with data protection and how data transfers between the EEA and the United Kingdom are to be treated, it could be significantly more difficult for European Union (EU)-based entities to transfer personal data to the United Kingdom.

(more…)

K&L Gates ranked “Highly Recommended” with Claude-Etienne Armingaud.

Source: Leaders League

(more…)