K&L Gates ranked “Recommended” with Claude-Etienne Armingaud.
Source: Leaders League
(more…)Once again included in the Best Lawyers in France ranking for Privacy and Data Security Law
Source: Best Lawyers
Closing in on the fifth anniversary of the entry into force of the EU General Data Protection Regulation (GDPR), the Irish Data Protection Commission (DPC) announced on 22 May 2023 that it had fined Meta for EUR 1,2b (USD 1.3b), the highest GDPR fine levied since 2018.
Further to the DPC decision (Decision), and in addition to the record fine, Meta will need to:
The core of the grievances relates to a decade-long (and going) crusade initiated by datactivist Maximilien Schrems and its data protection association, None of Your Business (noyb). The crusade started in 2013, with a first step resulting in a resounding cancelation of the Safe Harbor framework, which allowed personal data to be freely transferred from the European Union to the United States, in the 2015 Schrems I case (see our Alert). It was subsequently followed by a same action against Safe Habor’s successor, the Privacy Shield Framework, leading to the same result in the Schrems II case (see our Alerts here, here and here).
(more…)Backed by a global network spanning five continents, the data protection, privacy and security group at K&L Gates LLP assists financial institutions and multinationals in mining, biotech (Anika Therapeutics), energy (Envision), home appliances (SharkNinja), pharmaceuticals (Ipsen), manufacturing (K&N Engineering), luxury goods and tech, on wide array of matters across the practice area. Headed by Claude-Etienne Armingaud, an expert in multi-jurisdictional transactional matters, dealing with IT outsourcing and data protection, the group also assists clients with GDPR compliance, data sharing agreements and data protection elements of M&A transactions.
Version 2.0 dated 14 February 2023
Go to the official PDF version.
The GDPR does not provide for a legal definition of the notion “transfer of personal data to a third country or to an international organisation”. Therefore, the EDPB provides these guidelines to clarify the scenarios to which it considers that the requirements of Chapter V should be applied and, to that end, it has identified three cumulative criteria to qualify a processing operation as a transfer:
If the three criteria as identified by the EDPB are met, there is a transfer and Chapter V of the GDPR is applicable. This means that the transfer can only take place under certain conditions, such as in the context of an adequacy decision from the European Commission (Article 45) or by providing appropriate safeguards (Article 46). The provisions of Chapter V aim at ensuring the continued protection of personal data after they have been transferred to a third country or to an international organisation.
Conversely, if the three criteria are not met, there is no transfer and Chapter V of the GDPR does not apply. In this context, it is however important to recall that the controller must nevertheless comply with the other provisions of the GDPR and remains fully accountable for its processing activities, regardless of where they take place. Indeed, although a certain data transmission may not qualify as a transfer according to Chapter V, such processing can still be associated with increased risks since it takes place outside the EU, for example due to conflicting national laws or disproportionate government access in the third country. These risks need to be considered when taking measures under, inter alia, Article 5 (“Principles relating to processing of personal data”), Article 24 (“Responsibility of the controller”) and Article 32 (“Security of processing”) – in order for such processing operation to be lawful under the GDPR.
These guidelines include various examples of data flows to third countries, which are also illustrated in an Annex in order to provide further practical guidance.
(more…)In this first episode, we discuss the challenges faced by data controllers in their compliance with Article 5 GDPR following the EU Court of Justice’s Digi Case C-77/21. In particular, we focus our discussion on the purpose and data storage limitations, and how your legal team should be the 3PO protocol droid within your organization for the implementation of GDPR best practices.
May the enforcement be with you!
First publication: K&L Gates Hub with Eleonora Curreri
GDPR fines have been increasing over the last 18 months, and it is proving to be a complex environment for the regulators and the regulated. But GDPR has not led to seismic changes (the possibility of entirely new operating models, for example), but has had a major effect on the ways organizations collect and use data. This panel will discuss the last few years and look ahead to gauge what we have learned and how things will and should change.
Speakers Include:
Jacob Høedt Larsen, Head of Communications, Wired Relations
Andreea Lisievici, Head of Data Protection Compliance, Volvo Car Corporation
Claude-Etienne Armingaud, CIPP/E, Partner & Practice Group Coordinator – Technology, Sourcing and Privacy, K&L Gates
The French Law n°2016-1691 of 9 December 2016 relating to transparency, the fight against corruption, and the modernization of economic life, known as the “Sapin II” Act 1)Sapin II entered into force on 10 December 2016 (JORF n°0287 of Dec. 10, 2016) introduced to legal entities additional compliance requirements to address corruption in order for France to meet the highest European and international standards.
Sapin II has established a general principle of prevention and detection of corruption risks under the control of a national anticorruption structure, the French Anti-Corruption Agency (AFA), whose main mission is to help economic and public players in the process.
The AFA noted in its 2019 annual activity report 2)French Anti-Corruption Agencyn Annual Activity Report 2019 (7 July 2020) (in French).that anticorruption measures implemented by economic and public players were still incomplete.
On 12 January 2021, the AFA published new recommendations entered into force on 13 January 2021 (Recommendations, here in French).
The AFA specifies the practical procedures for implementing an anticorruption system structured around three foundational principles, namely:
References
↑1 | Sapin II entered into force on 10 December 2016 (JORF n°0287 of Dec. 10, 2016) |
---|---|
↑2 | French Anti-Corruption Agencyn Annual Activity Report 2019 (7 July 2020) (in French). |
On the morning of 16 July 2020, in a significant decision of the Court of Justice of the European Union (CJEU), the Privacy Shield was held to be invalid.
What is the Privacy Shield
The Privacy Shield was an agreement negotiated in 2016 between the United States Department of Commerce, the European Commission and the Swiss Administration to provide a mechanism for companies to transfer personal data from the European Union and Switzerland to the United States. The Privacy Shield was designed to enable companies to transfer personal data across the Atlantic in accordance with EU data protection law that pre-dated the GDPR.
(more…)The current COVID-19 pandemic continues to raise many issues on employee privacy and how employers may balance processing their employees’ data with ensuring safety in the workplace. The French Supervisory Authority (CNIL) has provided guidance on the methods that may be used by employers to collect and process health data from their employees (outside of medical care data) in order to detect possible symptoms related to COVID-19, as well as data relating to travel or events. In addition, more generally, the French Labor Ministry has published a “National protocol regarding the end of the lockdown for companies to ensure health and safety of the employees” (Protocol), in order to help employers manage the various tasks and issues related to the end of the lockdown and employees’ return to work. This document does not have legal force, but sets out the general recommendations and principles of prevention regarding the protection of employees’ health and safety in the context of the current health crisis.
Under the General Data Protection Regulation (GDPR) framework, the CNIL guidance available here in French) reiterates a number of core principles:
In the private sector, Articles L. 4121-1 and R. 4422-1 of the French Labor Code (FLC) provide for a safety obligation incumbent on employers, which must implement occupational risk prevention, information and training actions. The company and its legal representatives are criminally liable for the employee security obligation. Employers that fail to provide employees with safe and appropriate working conditions would face a court risk and could be held liable for not ensuring the employees’ safety and security on the workplace. Since 2015, the French Supreme Court has held that the employer’s obligation with regard to employees’ health and safety is an enhanced best efforts obligation (obligation de moyen renforcée). Therefore, the employer can avoid liability by proving that preventive measures have been implemented. French Supreme Court case law holds that the employer has complied with this legal obligation to take the necessary measures to ensure the safety and protect physical and mental health of employee when it is demonstrated that he has taken all measures to prevent, adapt and provide information on the risks, in accordance with Articles L. 4121-1 and L. 4121-2 of the FLC.
In the context of the current pandemic, the employer’s safety obligation is more topical than ever. In order to comply with this mission, employers have the right to process personal data, albeit only when strictly necessary to foster that purpose. In this respect, the CNIL encourages employers to regularly consult the information and recommendations published by the French Labor Ministry, in order to better understand their obligations in this period of health crisis.
According to the CNIL’s position, employers are entitled, in this context, to:
On the other hand, Article L.4122-1 FLC provides that each employee has a safety obligation which requires them to preserve not only their own health and safety, but also, the health and safety of other individuals with whom they may come into contact in the course of their professional activity, be it other workers or customers. However, in practice, employers might be in a delicate situation if they were to take disciplinary sanctions against these employees, and they might face labor court actions.
While French employees are usually only required to provide an illness certificate, which does not provide any specifics on the health status other than inability to work, the CNIL understands that the contagiousness of the COVID-19 pandemic mandates self-reporting be more specific to enable employers to take any measure required to ensure the safety in the workplace.
However, this reinforced duty to provide information does not extend to individuals working in isolated conditions, e.g. without contact with other individuals and/or working remotely. For such “isolated” workers, the classic rules of labor law apply and employers are not allowed to mandate such disclosure of personal data.
When organizing the return to work, employers are encouraged to facilitate dialogue with its employees and employee representative. Employers may require certain information, and may ask employees to inform the company’s management of, in particular, any travel to risk areas and risk factors related to their health or relatives. However, this organizational requirement must be compliant with the GDPR for the processing of employees’ personal data.
In any case, employers may only process elements related to (i) the date, (ii) the identity of the person, (iii) the contamination status reported by the employee, and (iv) the data related to the organizational measures to be put in place.
The CNIL emphasizes the particular sensitivity of health-related data, which is considered a “special category of personal data” under Article 9 GDPR, and thus requires processing under robust conditions of security and confidentiality, as well as limited access to authorized personnel. Consequently, employers wishing to take steps to ensure the health of their employees must rely on their occupational health service.
Processing operations pertaining to such special category of personal data is, by principle, prohibited under GDPR, unless they fall within one of the exceptions provided under GDPR, namely:
In the context of the pandemic, the CNIL highlights that (2) and (8) would be the only relevant bases to ensure the safety in the workplace.
In that regard, the coordination with health authorities, as potential recipients of the data, is authorized, to ensure the medical care of the exposed person. Nevertheless, the identity of the individual, effectively or presumably infected, must not, under any circumstances, be communicated to other employees.
Considering that GDPR and its French implementation only apply to automated processing (particularly computer processing) or to non-automated processing where a physical file is materialized, this means that the simple verification of temperatures prior to access to premises would not trigger application of GDPR insofar as no trace of this check is kept and if no other operation is carried out. On the other hand, any automated temperature verification, such as through use of thermal cameras, would be subject to GDPR. Given that other less intrusive methods to achieve a similar purpose exist, they may not pass muster for the data minimization tenet of GDPR.
Based on the CNIL and French Labor Ministry guidance, the following could be considered by employers in order to effectively and efficiently organize their employees’ return to work:
First publication: K&L Gates Hub in collaboration with Christine Artus, Sarah Chihi, Anne Ragu, Clara Schmit