August may be perceived as the month where France shuts down for the summer. Yet, just before the summer ’23 holiday, the French Data Protection Authority (“CNIL”) published several call to action for the various players of the data ecosystems in general and in artificial intelligence (AI) in particular, following its 16 May 2023 announcement of an AI action plan:

  • Opening and re-use of publicly accessible data – The CNIL published a draft guidance on the such data usage, and all stakeholders are invited to weight in until 15 October 2023 before its finalization. While non-binding, this guidance is expected to lead the way on how the EU’s Supervisory Authority will apprehend and enforce the General Data Protection Regulation (“GDPR”) when personal data is scraped from online sources and subsequently used for subsequent purposes. This notably focuses on Art. 14 GDPR and the indirect collection of personal data and specific prior information requirements. Artificial Intelligence is explicitly mentioned by the CNIL in the draft, as such data, which feeds large-language models, “undeniably contributes to the development of the digital economy and is at the core of artificial intelligence.” Stakeholders are invited to submit their observations online through the dedicated portal.
  • Artificial Intelligence Sandbox – Following in the footsteps of its connected cameras, EdTech & eHealth initiatives, the CNIL is launching an AI sandbox call for projects, where stakeholders involved in AI in connection with public services may apply to receive dedicated assistance by the regulator to co-construct AI systems complying with data protection and privacy rules.
  • Creation of databases for Artificial Intelligence uses – Open to the broadest possible array of stakeholders (including individuals), this call for contributions notably addresses the specific issue relating to the use of publicly accessible data and aims at informing the CNIL of the various positions at play and how to balance GDPR’s requirements (information, legitimate interests, exercise of rights) with data subjects’ expectations. Stakeholders are invited to submit their observations online through the dedicated form (in French – our free translation in English is available below)- no deadline for submission has been set.
(more…)

K&L Gates ranked “Recommended” with Claude-Etienne Armingaud.

Source: Leaders League

(more…)

Once again included in the Best Lawyers in France ranking for Privacy and Data Security Law

Source: Best Lawyers

K&L Gates ranked “Recommended” with Claude-Etienne Armingaud.

Source: Leaders League

(more…)

Claude-Etienne Armingaud from K&L Gates ranked among the Best Lawyers France 2021 for Privacy and Data Security Law

Algo Avocats - Sandra Tubert
Altana - Pierre Lubet
Artemont - Farid Bouguettaya
August Debouzy - Florence Chaffiol
Baker McKenzie - Magalie Dansac Le Clerc
Bid & Bird - Merav Griguer, Ariane Mole
Bouchara & Avocat - Navessa Bouchara
Vercken & Gaullier - Florence Gaullier
Cohen & Gresser - Guillaume Seligmann
Cornet Vincent Ségurel - François Herpe
De Gaulle Fleurance & Associés - Georges Courtois, Jean-Marie Job
Delcade - Olivier Hayat
Delsol Avocat - Jeanne Bossi Malafosse
Derrienic Associés - Alexandre Fiévée, Fran_ois-Pierre Lani, Pierre-Yves Margnous
DLA Piper - Denis Lebeau-Marianna, Carol Umhoefer
Eversheds Sutherlands - Vincent Denoyelle
EY - Yaël Cohen-Hadria
Fréal Schiul Sainte Marie Willemant - Christinae Feral-Schulh, Bruno Grégoire Sainte Marie, Justine Sinibaldi
Franklin - Valérie Aumage
Gibson Dunn & Crutcher - Ahmed Baladi, Vera Lukic
Herald Avocats - Anne Cousin
Hogan Lovells - Etienne Drouard
K&L Gates - Claude-Etienne Armingaud
Latham & Watkins - Jean-Luc Juhan, Myria Saaarinen
Latournerie Wolfrom - Marie-Hélène Tonnelier
Lxing - Chloé Torres
Luzi Avocats - Olivia Luzi
McDermott Will & Emery - Romain Perray
Mulliez Avocats - Florence Mulliez
Next Avocat - Etienne Papin
Osborne Clarke - Claire Bouchenard, Béatrice Delmas-Linel
Racine - Hélène Cournarie
Reinhart Marville Torre - Laurent Marville
Squire Patton Boggs - Catherine Muyl
Taj - Hérvé Gabadou
White & Case - Clara Hasindork, Bertrand LIard

Source: Best Lawyers

K&L Gates ranked “Highly Recommended” with Claude-Etienne Armingaud.

Source: Leaders League

(more…)

Brexit: Deal Or No-Deal? Data is the Question
With the Brexit deadline looming ahead on 31 October 2019, the situation seemingly reaches new levels of uncertainty every day. Last week, the U.K. Supreme Court’s eleven judges unanimously ruled that Prime Minister Boris Johnson’s decision on 9 September 2019, to prorogue Parliament was “unlawful and void.” Parliament will therefore carry on its Brexit discussions…with now only thirty days left to finalise a deal. Although Parliament, while still in session, passed a law to extend the Brexit deadline, such an extension would still require approval by the EU.

So how should companies prepare, on either side of the Channel (and beyond), in the coming months for the more-likely-by-the-day-scenario of No-Deal?

(more…)

K&L Gates ranked “Excellent” with E. Drouard & Claude-Etienne Armingaud.

Source: Leaders League

On January 21, 2019, the French Data Protection Authority (Commission Nationale de l’Information et des Libertés, or “CNIL”) published its first sanction rendered under the General Data Protection Regulation (“GDPR”).

Barely eight months after GDPR entered into force, and the subsequent group actions that were introduced in France, the CNIL followed in their footsteps its other European counterparts. However, while Portugal in July drew first against a hospital with a EUR 400,000 fines, the Austrian and German follow-ups, respectively for EUR 4,800 and 20,000 underwhelmed in contrast with the EUR 20 million, or 4% of the global turnover of a company (which ever the greatest) maximum fines allowed under GDPR.

Today’s CNIL decision nevertheless set the possible path for upcoming application of GDPR, by striking a EUR 50 million fine against Google LLC.

This sanction followed the group complaints formed by Maximilian Schrems’s association “None Of Your Business” (“NOYB” – already behind the cancellation of the Safe Harbor in 2015 and currently litigating against the Standard Contractual Clauses in Ireland) and La Quadrature du Net (“LQDN”), which received a mandate from 10,000 individuals to refer the matter to the CNIL.

The CNIL grounded its decision on the lack of transparency and inadequate information of the individuals in order to deem the consent regarding the ads personalization invalid.

On the one hand, the CNIL highlighted that the information of the data subjects was diluted in a myriad of documents while applying to a plurality of services at once (e.g. Google search, You Tube, Google Home, Google Maps, Playstore…). This did not allow the user to gain a “just perception of the nature and the volume of data collected.”

On the other hand, the consent-gathering mechanism was deemed inadequate to obtain the “specific” and “unambiguousconsent required for such data processing operations. The CNIL notably criticized the blanket acceptance of “the processing of [users’] information as described above and further explained in the Privacy Policy”, which, according to the Regulator, does not allow the users to opt-it to the each particular processing operation at stake without additional steps for the users to reach the required information.

This decision, in addition to be the first rendered by the CNIL under GDPR, will also in all likelihood be the last under the current Secretary General, Isabelle Falque-Pierrotin, who will be replaced on February 1st, after heading the CNIL since 2011.

On 2 July 2018, the French Data Protection Authority (“Commission Nationale de l’Informatique et des Libertés” or “CNIL”) published its yearly thematic guidance for the priority axes of its control activities, notably further to the entry into force of the recent General Data Protection Regulation (“GDPR”).

As for the previous periods, the CNIL is expecting to launch 300 dawn-raids, either on premises or online, in order to control compliance of companies subject to French and European data protection regulations, notably on newly introduced aspects relating to the implementation of GDPR (right to portability, data protection impact assessments…).

(more…)