When the General Data Protection Regulation (GDPR) came into force throughout the European Union nearly three years ago, one of its most eye-catching features was its extraterritorial jurisdiction provisions. These extend the reach of the GDPR to businesses located outside the European Union who offer goods or services to EU residents or who monitor the behavior of EU residents (see Art. 3(2)(a) and (b) GDPR).

Under the threat of becoming liable for a breach of the GDPR and potential fines of up to €20m or four percent of global turnover (whichever is higher), many businesses based in the United States and other locations outside the European Union have simply taken a stance of refusing to deal with EU residents, including taking measures such as geo-blocking websites to EU-based visitors. Other businesses, in the United States and elsewhere, have found themselves contemplating whether they might be subject to the GDPR and how to react merely because they have made a new EU-based business connection, acquired the contact details of a potential customer in the European Union, or even become aware that an employee at a customer organization had moved to the European Union.

A court in the United Kingdom has now considered the limits of extraterritorial jurisdiction of the GDPR, which may provide some reassurance to overseas businesses that limited contact with EU residents via a website may not necessarily lead to them being subject to the GDPR.


The French Supervisory Authority has set 31 March 2021 as the end of the “reasonable period” to bring websites and mobile applications into compliance.

Following the adoption and publication of its updated guidelines along with practical recommendations on the use of cookies on 1 October 2020 (see our alert on the subject here), the French Supervisory Authority (CNIL) reaffirmed on 4 February 2021 the need for private and public players to comply with the new obligations regarding cookies and other tracers (together, Cookies). See the CNIL press release of 4 February 2021 (in French).

To make its action plan on online advertising effective, and with a view to targeting the deficiencies witnessed in both the public and private sectors, the CNIL set a specific deadline for the implementation of its recommendation: 31 March 2021.


This article names K&L Gates among Global Data Review’s inaugural GDR 100, a ranking of the world’s best data law firms. The GDR 100 is the only global ranking that captures the capabilities, track record, and market reputation of the leading firms in the field. The ranking is based on in-depth submissions from hundreds of law firms around the world, and profiles K&L Gates lawyers including Melbourne partner Cameron Abbott and Paris partner Claude-Etienne Armingaud. Read the article here (subscription required).

The European Union (EU) and the United Kingdom (UK) finally came to an agreement on 24 December 2020 (EU-UK Trade and Cooperation Agreement, the Agreement), less than ten days after the European Data Protection Board (EDPB) published a statement on the consequences a no-deal situation would have on the flows of personal data between the EU and the UK (for previous coverage of General Data Protection Regulation (GDPR) and Brexit, please see our alert here). This statement has since been updated on 13 January 2021.


As of 1 January 2021, the Brexit transition period (Transition Period) ended and the United Kingdom (UK) officially finalized its exit from the European Union (EU). The 11th-hour commercial agreement (Agreement) should allow for a smoother transition on the data protection front as the General Data Protection Regulation (GDPR) stops being directly applicable to the UK. It also provided the UK with a six-month grace period to hope for an adequacy decision that would allow for the free transfer of personal data from the EU to the UK.

As amended by the European Data Protection Board (EDPB) on 13 January 2021 further to the Agreement, its Brexit communications (Communications) only address:

  • The issue of data transfers from the EU to the UK;
  • The end of the One-Stop-Shop (OSS) mechanism for the UK; and
  • The need for UK entities that would be subject to GDPR to appoint a representative further to Art. 27 GDPR.

However, aside from enacting the end of the OSS and commenting that “the EDPB has been liaising with the ICO [Information Commissioner’s Office, the UK’s Supervisory Authority] over the past months in order to enable a smooth shift to this new situation by ensuring that the EEA authorities follow a shared and efficient approach in handling the existing complaints and cross-border cases involving the ICO, whilst minimizing delays and possible inconveniences to affected complainants[,]” the EDPB did not comment on how such collaboration will effectively play out for companies whose lead Supervisory Authority was the ICO.

Read the full article on Radar First blog.

43rd EDPB Meeting

December 17th, 2020 | Posted by Claude-Etienne Armingaud in Europe | Privacy
  1. Adoption of the minutes and of the agenda, Information given by the Chair
    1. Minutes of the 42nd EDPB meeting
    2. Draft agenda of the 43rd EDPB meeting
  2. Consistency mechanism, Guidelines and EDPB
    1. Key Provision ESG
      1. Guidelines on restrictions under Article 23 GDPR
    2. Financial Matters ESG
      1. Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR (after public consultation)
    3. International Transfer ESG
      1. Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies (after public consultation)
  3. Current Focus of the EDPB Members
    1. Data Governance Act COM (2020) 767 proposal – presentation by European Commission
    2. Information about the European Commission request for a joint EDPS-EDPB opinion regarding the Data Governance Act
    3. EDPB Strategy
    4. Support Pool of Experts
    5. Request for information from the European Commission regarding Brexit state of play (end of transitional period as well as the impact on EU-UK data flows and further information on possible adequacy decisions)
    6. Information note on data transfers under the GDPR to the United Kingdom after the Brexit transition period
  4. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat
    1. Cooperation ESG
      1. [BREXIT] Involvement of the UK SA in cooperation and consistency mechanisms
      2. Review of the internal documents on local cases
      3. Handling cross border complaints against public bodies or authorities – request for mandate
      4. Guidelines on handling complaints: revision of the mandate – request for mandate
    2. Compliance, e-Government and Health ESG
      1. Guidelines on certification criteria assessment – request for mandate
    3. Financial Matters ESG
      1. Statement on the protection of personal data processed in relation with the prevention of money laundering and terrorist financing
    4. International Transfers ESG
      1. Art. 64 GDPR Opinion on the draft decision of the Dutch Supervisory Authority regarding the Controller Binding Corporate Rules of Equinix
    5. Compliance, e-Government and Health ESG
      1. Stakeholder event on processing of data for medical and scientific research purposes – request for mandate
    6. Technology ESG
      1. Guidelines on anonymisation / pseudonymisation – request for mandate
    7. EDPB Secretariat
      1. 2021 February plenary
      2. Survey future meetings post COVID
  5. Any other business

42nd EDPB Meeting

November 19th, 2020 | Posted by Claude-Etienne Armingaud in Europe | Privacy
  1. Adoption of the minutes and of the agenda, Information given by the Chair
    1. Minutes of the 41st EDPB meeting
    2. Draft agenda of the 42nd EDPB meeting
    3. Publication of minutes of 40th Plenary meeting
    4. Request to extend the deadline for public consultation re recommendation 01/2020 on sup. measures
  2. Current Focus of the EDPB Members
    1. Presentation by the European Commission of the new (updated) two sets of SCCs
  3. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat
    1. Technology ESG
      1. Statement on eprivacy regulation
      2. Letter to News Media Europe and others regarding cookie walls
    2. International Transfer ESG
      1. Template for BCR approval decision by a supervisory authority
  4. Any other business

41st EDPB Meeting

  1. Adoption of the minutes and of the agenda, Information given by the Chair
    1. Minutes of the 40th EDPB meeting
    2. Draft agenda of the 41st EDPB meeting
  2. Current Focus of the EDPB Members
    1. Art. 65 ongoing procedure
    2. Draft Art. 65 Decision
  3. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat
    1. Recommendation on measures that supplement transfer instruments to ensure compliance with the EU level of protection of personal data
    2. Update of the European Essential Guarantees recommendations

With the Brexit transition period ending on 31 December 2020, and no deal in sight, the future of cross-border data transfers between the European Economic Area (the EEA) and the United Kingdom remains unclear. On 1 January 2021, the United Kingdom will be considered as a “third country” and, unless a Brexit deal is proposed dealing with data protection and how data transfers between the EEA and the United Kingdom are to be treated, it could be significantly more difficult for European Union (EU)-based entities to transfer personal data to the United Kingdom.


40th EDPB Meeting

October 20th, 2020 | Posted by Claude-Etienne Armingaud in Privacy
  1. Adoption of the minutes and of the agenda, Information given by the Chair
    1.1. Minutes of the 39th EDPB meeting
    1.2. Draft agenda of the 40th EDPB meeting
  2. Current Focus of the EDPB Members
    2.1. Recommendation on measures that supplement transfer instruments to ensure compliance with the EU level of protection of personal data – state of play
    2.2. Review of the Adequacy Decision of Japan
  3. Consistency mechanism and Guidelines
    3.1. Guidelines 04/2019 on Article 25 Data Protection by Design and by Default (after public consultation)
  4. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat
    4.1. Cooperation ESG
      Brexit-related matters
    4.2. Enforcement ESG
      Coordinated Enforcement Framework
    4.3. Technology ESG
      Response letter to Mr A. Dix on the copyright directive
    4.4. Financial Matters ESG
      Statement and possible letter regarding data protection and current framework on anti-money laundering and countering terrorist financing – request for mandate
    4.5. Secretariat
      Implementation of SEC DPO rules
      Consistency procedure for Art. 46.3(b) GDPR administrative arrangements
  5. Any other business