Once again, global law firm K&L Gates LLP has been ranked among the world’s 100 leading data law firms by Global Data Review’s GDR 100. The annual list examines law firms’ privacy and data protection capabilities, use of IP and confidentiality laws to protect proprietary data, and the firm’s work on all other personal and non-personal data laws at a global level. 

Nearly two dozen K&L Gates lawyers were recognized in the 2024 GDR 100, including Paris partner Claude-Étienne Armingaud. Other partners leading the practice and identified in the profile include Melbourne partner Cameron Abbott, Seattle partners Shannan FrisbieWhitney McCollumDavid Bateman, and Carley Andrews, Washington, D.C., partner Bruce Heiman, Chicago partner Limo Cherian, London partner Sarah Turpin, and Research Triangle Park partners Gina Bertolini and Leah Richardson.

Clients provided positive feedback of their experience working with K&L Gates’ lawyers stating the team has “deep knowledge of privacy laws and regulations, but they also understand the business impact of their advice. This sets them apart from other firms in the market.”

K&L Gates’ Data Protection, Privacy, and Security practice boasts more than 60 lawyers and professionals with experience in various technologies and methodologies. From assessing risk to incident response, breach, and crisis counseling globally, the team is qualified to handle most data privacy and security compliance issues. The practice also assists with cross-border mergers and acquisitions and specialized services focused on emerging areas such as biometric data compliance and defense.

The full K&L Gates profile can be read at Global Data Review (subscription required).

The ‘young and innovative team’ at K&L Gates LLP has a strong reputation in the market for its ability to handle data protection liability issues in M&A transactions and global data protection compliance mandates. Areas of activity for the practice include machine learning, autonomous driving and blockchain-based services. Claude-Étienne Armingaud heads up the team and is described as a ‘fount of knowledge on the subject of privacy and data protection‘. He is frequently sought out by clients from the software industry for assistance with cross-border technology transactions.

Leading individuals: Claude-Etienne Armingaud – K&L Gates LLP

Practice head(s): Claude-Etienne Armingaud

Other Key Lawyer(s): Camille Scarparo

(more…)

Entering Chambers Europe/France TMT: Data Protection ranking as an Up & Coming lawyer.

Client testimonials:

Claude-Étienne has a vision that goes beyond IT into other areas, so he gives multidisciplinary and strategic insights. He is also pleasant to work with and efficient.

He works really efficiently for us; he is really dedicated and clearly passionate about it too.

Source: Chambers Europe

K&L Gates ranked “Recommended” with Claude-Etienne Armingaud.

Source: Leaders League

(more…)

Once again included in the Best Lawyers in France ranking for Privacy and Data Security Law

Source: Best Lawyers

Closing in on the fifth anniversary of the entry into force of the EU General Data Protection Regulation (GDPR), the Irish Data Protection Commission (DPC) announced on 22 May 2023 that it had fined Meta for EUR 1,2b (USD 1.3b), the highest GDPR fine levied since 2018.

Further to the DPC decision (Decision), and in addition to the record fine, Meta will need to:

  • suspend any future transfers of personal data to the United States within five months from the date of notification of the decision to Meta Ireland;
  • ensure the compliance of its data processing operations by ceasing the unlawful processing, including storage, in the United States of personal data of its users in the European Economic Area, transferred without sufficient safeguards, within six months from the date of notification of the DPC’s decision to Meta Ireland.

The core of the grievances relates to a decade-long (and going) crusade initiated by datactivist Maximilien Schrems and its data protection association, None of Your Business (noyb). The crusade started in 2013, with a first step resulting in a resounding cancelation of the Safe Harbor framework, which allowed personal data to be freely transferred from the European Union to the United States, in the 2015 Schrems I case (see our Alert). It was subsequently followed by a same action against Safe Habor’s successor, the Privacy Shield Framework, leading to the same result in the Schrems II case (see our Alerts here, here and here).

(more…)

Backed by a global network spanning five continents, the data protection, privacy and security group at K&L Gates LLP assists financial institutions and multinationals in mining, biotech (Anika Therapeutics), energy (Envision), home appliances (SharkNinja), pharmaceuticals (Ipsen), manufacturing (K&N Engineering), luxury goods and tech, on wide array of matters across the practice area. Headed by Claude-Etienne Armingaud, an expert in multi-jurisdictional transactional matters, dealing with IT outsourcing and data protection, the group also assists clients with GDPR compliance, data sharing agreements and data protection elements of M&A transactions.

Leading individuals: Claude-Etienne Armingaud – K&L Gates LLP

Practice head(s): Claude-Etienne Armingaud

(more…)

Version 2.0 dated 14 February 2023
Go to the official PDF version.

Executive Summary

The GDPR does not provide for a legal definition of the notion “transfer of personal data to a third country or to an international organisation”. Therefore, the EDPB provides these guidelines to clarify the scenarios to which it considers that the requirements of Chapter V should be applied and, to that end, it has identified three cumulative criteria to qualify a processing operation as a transfer:

  1. A controller or a processor (“exporter”) is subject to the GDPR for the given processing.
  2. The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).
  3. The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Article 3, or is an international organisation.

If the three criteria as identified by the EDPB are met, there is a transfer and Chapter V of the GDPR is applicable. This means that the transfer can only take place under certain conditions, such as in the context of an adequacy decision from the European Commission (Article 45) or by providing appropriate safeguards (Article 46). The provisions of Chapter V aim at ensuring the continued protection of personal data after they have been transferred to a third country or to an international organisation.

Conversely, if the three criteria are not met, there is no transfer and Chapter V of the GDPR does not apply. In this context, it is however important to recall that the controller must nevertheless comply with the other provisions of the GDPR and remains fully accountable for its processing activities, regardless of where they take place. Indeed, although a certain data transmission may not qualify as a transfer according to Chapter V, such processing can still be associated with increased risks since it takes place outside the EU, for example due to conflicting national laws or disproportionate government access in the third country. These risks need to be considered when taking measures under, inter alia, Article 5 (“Principles relating to processing of personal data”), Article 24 (“Responsibility of the controller”) and Article 32 (“Security of processing”) – in order for such processing operation to be lawful under the GDPR.

These guidelines include various examples of data flows to third countries, which are also illustrated in an Annex in order to provide further practical guidance.

(more…)

In this first episode, we discuss the challenges faced by data controllers in their compliance with Article 5 GDPR following the EU Court of Justice’s Digi Case C-77/21. In particular, we focus our discussion on the purpose and data storage limitations, and how your legal team should be the 3PO protocol droid within your organization for the implementation of GDPR best practices.

May the enforcement be with you!

First publication: K&L Gates Hub with Eleonora Curreri

GDPR fines have been increasing over the last 18 months, and it is proving to be a complex environment for the regulators and the regulated. But GDPR has not led to seismic changes (the possibility of entirely new operating models, for example), but has had a major effect on the ways organizations collect and use data. This panel will discuss the last few years and look ahead to gauge what we have learned and how things will and should change.

Speakers Include:

Jacob Høedt Larsen, Head of Communications, Wired Relations

Andreea Lisievici, Head of Data Protection Compliance, Volvo Car Corporation

Claude-Etienne Armingaud, CIPP/E, Partner & Practice Group Coordinator – Technology, Sourcing and Privacy, K&L Gates

More information.