GDPR – New Guidelines on Territorial Scope

November 26th, 2018 | Posted by Claude-Etienne Armingaud in Europe | Privacy - (0 Comments)

On 23 November 2018, the European Data Protection Board (“EDPB”) – the gathering of all European Union (EU) data protection authorities – adopted new draft guidelines on territorial scope of the General Data Protection Regulation (“GDPR” – external source). The EDPB was previously known as the Article 29 Working Party.

The long awaited guidelines (“Guidelines”, available here) provide a common interpretation on the scope of application of the GDPR. Its territorial scope, laid down in Article 3 GDPR, states that GDPR applies to:

The Guidelines provide clarification for both EU and non-EU based companies to assess whether all or parts of their activities would fall under the scope of the GDPR and to what extent they would be subject to the application of the GDPR.

Notably, the Guidelines clarified aspects which had been subject to controversy or misinterpretation in the six months since GDPR’s entry into force, such as:

  • A non-EU controller using an EU processor for activities outside of the EU not targeting EU residents does not have to comply with GDPR. An EU processor will be subject to the relevant GDPR provisions directly applicable to data processors;
  • The irrelevancy of the “targeting” criterion when considering applicability of the GDPR to monitoring activities; and
  • Citizenship, established residency or other type of legal status of the data subject is irrelevant to determine the application of the targeting criterion.

Moreover, the Guidelines also clarified the criteria of the appointment of an EU representative defined in Article 27 GDPR for non-EU controllers and processors.

The Guidelines will still be subject to a public consultation before being revised and ultimately adopted in a final version.

K&L Gates’ Data Protection team remains at your disposal to assist you in the completion of your contributions, which will need to be submitted before 18 January 2019.

Blockchain & Data Protection: Trustless Should Not Mean Distrusted!

November 8th, 2018 | Posted by Claude-Etienne Armingaud in Blockchain | Europe | France | IT | Privacy - (0 Comments)

Amidst the international tidal wave caused by the entry into force of the EU General Data Protection Regulation (“GDPR”) in May 2018, many half, or even false truths have been spread about hindrance on a global scale of innovative technologies. However, we must keep in mind that Europe has adopted a long-standing position of technology-neutral regulations and data protection is no exception.

Indeed, from a GDPR perspective, no technology would be prohibited or regulated by nature – only its application to a specific purpose may be regulated, inasmuch as it involves personal data -whether relating to the participants and miners or the payload data itself- and falls within its broad geographical scope (see our previous Alert for more details).
(more…)

Adequacy Agreements, Legislation and Compliance in a GDPR World

November 8th, 2018 | Posted by Claude-Etienne Armingaud in Data Transfer | Europe | France | Interview | Legislation | Privacy | Region - (0 Comments)

While Capitol Hill is inundated with proposed privacy legislations from the Data Breach Prevention and Compensation Act (DBPCA), the CLOUD Act and the ENCRYPT Act, organizations the world over are trying to understand how to get their own regulations deemed adequate enough to ensure the flow of business in the EU, now that GDPR is a reality.
(more…)

The New EU-Japan Personal Data Deal: EU and Japan to Each Recognize the Other’s Personal Data Protection System as Equivalent – What It Means For Businesses and Next Steps

August 24th, 2018 | Posted by Claude-Etienne Armingaud in Europe | Privacy - (0 Comments)

On 17 July 2018, the European Union (the “EU”) and Japan reached an agreement to recognize each other’s data protections systems as “equivalent”, and each commits to complete internal procedures by fall 2018 (the “Data Agreement”). Once adopted, this will allow businesses to transfer personal data from the European Economic Area 1)The EEA brings together the EU Member States and the three EFTA (European Free Trade Association) States (Norway, Liechtenstein and Iceland) into a … Continue reading(the “EEA”) to Japan and vice versa without being required to provide further additional safeguards for each transfer.

The Data Agreement concludes the two-year-long dialogue regarding mutual recognition of personal data protection regimes between the two parties, and it was issued along with the EU-Japan Economic Partnership Agreement, a long-awaited EU-Japan free trade deal. Prior to the final Data Agreement, in December 2017, the governments issued a joint statement to resolve issues essentially within the existing personal data protection framework to enable free data transfer between the two parties.
(more…)

References

References
1 The EEA brings together the EU Member States and the three EFTA (European Free Trade Association) States (Norway, Liechtenstein and Iceland) into a single market that seeks to guarantee the free movement of goods, people, services and capital.

, , , ,

GDPR – What to Expect in France

July 18th, 2018 | Posted by Claude-Etienne Armingaud in France | Privacy - (0 Comments)

On 2 July 2018, the French Data Protection Authority (“Commission Nationale de l’Informatique et des Libertés” or “CNIL”) published its yearly thematic guidance for the priority axes of its control activities, notably further to the entry into force of the recent General Data Protection Regulation (“GDPR”).

As for the previous periods, the CNIL is expecting to launch 300 dawn-raids, either on premises or online, in order to control compliance of companies subject to French and European data protection regulations, notably on newly introduced aspects relating to the implementation of GDPR (right to portability, data protection impact assessments…).

(more…)

, , , , ,

Leaders League Ranking 2018 – Technologies, internet & telecommunications – Data protection law – France

July 1st, 2018 | Posted by Claude-Etienne Armingaud in Communication | France | Privacy | Rankings - (0 Comments)

K&L Gates ranked “Excellent” with E. Drouard & Claude-Etienne Armingaud.

Source: Leaders League

Leaders League Ranking 2018 – Technologies, internet & telecommunications – Internet – France

July 1st, 2018 | Posted by Claude-Etienne Armingaud in Communication | France | IT | Rankings - (0 Comments)

K&L Gates ranked “Highly Recommended – Band 1” with E. Drouard & Claude-Etienne Armingaud.

Source: Leaders League

Leaders League Ranking 2018 – Technologies, internet & telecommunications – IT law – France

July 1st, 2018 | Posted by Claude-Etienne Armingaud in Communication | France | IT | Rankings | Software | Trusted Services and eSignature - (0 Comments)

K&L Gates ranked “Recommended – Band 2” with E. Drouard & Claude-Etienne Armingaud.

Source: Leaders League

General Data Protection Regulation – GDPR [Full Text]

May 25th, 2018 | Posted by Claude-Etienne Armingaud in Europe | Legislation | Privacy - (0 Comments)

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

(more…)

, , , ,

Guidelines on transparency under Regulation 2016/679

April 11th, 2018 | Posted by Claude-Etienne Armingaud in Europe | Guidelines | Privacy - (0 Comments)

WP260 rev.01 – Adopted on 29 November 2017 – As last Revised and Adopted on 11 April 2018

Introduction

  1. These guidelines provide practical guidance and interpretative assistance from the Article 29 Working Party (WP29) on the new obligation of transparency concerning the processing of personal data under the General Data Protection Regulation (the “GDPR”). Transparency is an overarching obligation under the GDPR applying to three central areas: (1) the provision of information to data subjects related to fair processing; (2) how data controllers communicate with data subjects in relation to their rights under the GDPR; and (3) how data controllers facilitate the exercise by data subjects of their rights. Insofar as compliance with transparency is required in relation to data processing under Directive (EU) 2016/680, these guidelines also apply to the interpretation of that principle. These guidelines are, like all WP29 guidelines, intended to be generally applicable and relevant to controllers irrespective of the sectoral, industry or regulatory specifications particular to any given data controller. As such, these guidelines cannot address the nuances and many variables which may arise in the context of the transparency obligations of a specific sector, industry or regulated area. However, these guidelines are intended to enable controllers to understand, at a high level, WP29’s interpretation of what the transparency obligations entail in practice and to indicate the approach which WP29 considers controllers should take to being transparent while embedding fairness and accountability into their transparency measures.
  2. Transparency is a long established feature of the law of the EU. It is about engendering trust in the processes which affect the citizen by enabling them to understand, and if necessary, challenge those processes. It is also an expression of the principle of fairness in relation to the processing of personal data expressed in Article 8 of the Charter of Fundamental Rights of the European Union. Under the GDPR (Article 5(1)(a)), in addition to the requirements that data must be processed lawfully and fairly, transparency is now included as a fundamental aspect of these principles. Transparency is intrinsically linked to fairness and the new principle of accountability under the GDPR. It also follows from Article 5.2 that the controller must always be able to demonstrate that personal data are processed in a transparent manner in relation to the data subject. Connected to this, the accountability principle requires transparency of processing operations in order that data controllers are able to demonstrate compliance with their obligations under the GDPR.
  3. In accordance with Recital 171 of the GDPR, where processing is already under way prior to 25 May 2018, a data controller should ensure that it is compliant with its transparency obligations as of 25 May 2018 (along with all other obligations under the GDPR). This means that prior to 25 May 2018, data controllers should revisit all information provided to data subjects on processing of their personal data (for example in privacy statements/ notices etc.) to ensure that they adhere to the requirements in relation to transparency which are discussed in these guidelines. Where changes or additions are made to such information, controllers should make it clear to data subjects that these changes have been effected in order to comply with the GDPR. WP29 recommends that such changes or additions be actively brought to the attention of data subjects but at a minimum controllers should make this information publicly available (e.g. on their website). However, if the changes or additions are material or substantive, then in line with paragraphs 29 to 32 below, such changes should be actively brought to the attention of the data subject.
  4. Transparency, when adhered to by data controllers, empowers data subjects to hold data controllers and processors accountable and to exercise control over their personal data by, for example, providing or withdrawing informed consent and actioning their data subject rights. The concept of transparency in the GDPR is user-centric rather than legalistic and is realised by way of specific practical requirements on data controllers and processors in a number of articles. The practical (information) requirements are outlined in Articles 12-14 of the GDPR. However, the quality, accessibility and comprehensibility of the information is as important as the actual content of the transparency information, which must be provided to data subjects.
  5. The transparency requirements in the GDPR apply irrespective of the legal basis for processing and throughout the life cycle of processing. This is clear from Article 12 which provides that transparency applies at the following stages of the data processing cycle:

Go to the full Guidelines.