Access the full list of the EDPB and WP29 Guidelines here, including consultation versions, now-current versions and redlines between versions.

This program provides timely updates, best practices, and emerging developments in today’s data protection, privacy, and security industry.

Listen to the latest episodes now!

Speakers:

Governments around the globe have turned their attention to the power of accumulated data, and to the use of competition law powers to enact legislative initiatives. From the EU’s Digital Markets Act and proposed Data Act, to the UK’s Data Protection and Digital Information Bill, laws addressing competition, privacy and wider data access issues are becoming increasingly intertwined. Privacy and competition regulators, alongside consumer protection agencies and associations, are working more closely together than ever before. The EU Court of Justice has been asked for clarity on how such regulators should interact going forward. In some countries, we are also seeing a testing of the use of competition mechanisms for bringing group actions on privacy issues. In this session, we will discuss the interactions between privacy, consumer protection and competition, and how these are likely to shape compliance tactics, litigation strategies and regulatory interactions going forward.

What you will learn:

  • Privacy compliance efforts necessitate a multifaceted strategy.
  • Data sharing” between authorities can put companies at risk of multi-front enforcement actions.
  • Best line of defense remains documentation and communication.

In alignment with the ongoing concerns from several European data protection authorities publishing guidelines on data scrapping (i.e., the Dutch DPA, the Italian DPA and the UK Information Commissioner’s Office), the Global Privacy Assembly (GPA)’s International Enforcement Cooperation Working Group (IEWG) recently published a Joint statement on data scraping and the protection of privacy (signed by the Canadian, British, Australian, Swiss, Norwegian, Moroccan, Mexican, and Jersey data protection authorities) to provide further input for businesses when considering data.

The statement emphasizes that:

Even publicly accessible data is subject to privacy laws across most jurisdictions – meaning that scraping activities must comply with data protection regulations requiring a (i) lawful basis for data collection and, (ii) transparency with individuals, including obtaining consent where necessary.

Collecting mass data can constitute a reportable data breach if it includes unauthorized access to personal data.

Relying on platform terms (e.g., Instagram) for data scraping does not automatically ensure compliance as (i) this contractually authorized use of scraped personal data is not automatically compliant with data protection and artificial intelligence (AI) laws, and (ii) it is difficult to determine whether scraped data is used solely for purposes allowed by the contract terms.

When training AI models, it is critical to adhere not only to privacy regulations but also to emerging AI laws as ensuring AI model transparency and data processing limitations is now increasingly expected by privacy regulators.

The sensitivity of this topic underscores the close relationship between data protection and the ever-data-hungry artificial intelligence industry.

First Publication on K&L Gates Cyber Law Watch blog, in collaboration with Anna Gaentzhirt

Launched in 2015, the EU’s Digital Single Market Strategy aimed to foster the digital harmonization between the EU member states and contribute to economic growth, boosting jobs, competition, investment and innovation in the EU.

The EU AI Act characterizes a fundamental element of this strategy. By adopting the first general-purpose regulation of artificial intelligence in the world, Brussels sent a global message to all stakeholders, in the EU and abroad, that they need to pay attention to the AI discussion happening in Europe.

The EU AI Act achieves a delicate balancing act between the specifics, including generative AI, systemic models and computing power threshold, and its general risk-based approach. To do so, the act includes a tiered implementation over a three-year period and a flexible possibility to revise some of the more factual elements that would be prone to rapid obsolescence, such as updating the threshold of the floating point operations per second — a measurement of the performance of a computer for general-purpose AI models presumed to have high impact capabilities. At the same time, the plurality of stakeholders involved in the interpretation of the act and its interplay with other adopted, currently in discussion or yet-to-come regulations will require careful monitoring by the impacted players in the AI ecosystems.

(more…)

Dans le cadre de notre nouveau cycle de conférences autour du numérique et des problématiques « cyber », nous avons le plaisir de vous convier à un petit déjeuner organisé dans nos locaux parisiens, à l’occasion duquel Claude-Etienne Armingaud, CIPP/E (Associé, Protection des données & Technologies) se penchera sur la préparation des entreprises dans le cadre de leur mise en conformité au regard du Règlement sur les Données (EU Data Act). Une belle occasion d’échanger, de s’inspirer et d’entrer en relation avec des professionnels du domaine !

Les places étant limitées, nous vous invitons à vous inscrire dès à présent via le lien suivant : https://ow.ly/183L50TAWbP.

We kindly invite you to the K&L Gates Legal & Compliance Breakfast on 8 October 2024 in Frankfurt.

Please join us for coffee, tea and croissants and take away impulses and new momentum for the work on your data strategy.

We will discuss how the Data Act and the AI Act impact a company’s data strategy. How does one reconcile them with each other and with other elements of the legal framework, like GDPR and antitrust laws?

Our key note speaker will be Claude-Étienne Armingaud, a partner at K&L Gates‘ Paris office. He coordinates our European technology and privacy practices and has been building pragmatic legal solutions on both sides of the Atlantic for many years.

We look forward to welcoming you at our Frankfurt office on level 28 of the „Opernturm“ tower.

Please register by clicking here.

Don’t miss the plenary session “AI, the future of law?” on Thursday, October 17 from 2 p.m. to 4 p.m. at the Palais du Grand Large in Saint-Malo. This event, organized by the ACE – Young Lawyers commission, will be introduced by its president Ludovic Blanc (Lawyer at the Paris Bar, President of ACE-JA national).

Our partner Claude-Etienne Armingaud, CIPP/E (Partner, Data Protection & Technologies), François GIRAULT (Lawyer at the Montpellier Bar, President of the CNB Prospective and Innovation Commission, Vice-President ACE Ouest Méditerranée, Vice-President Liberal Professions CPME 34), Philippe BARON (Lawyer at 2BMP Avocats, President of the CNB Digital Commission) and Christiane Féral-Schuhl (Lawyer at the Paris Bar in digital law, former President of the National Council of Bars, former President of the Paris Bar Association) will participate in this essential discussion on the impact of AI on the legal profession.

This meeting will be hosted by Anne-Cécile Sarfati, journalist and columnist, with a Live Show presented by Tiphaine MARY (Maître et Talons), Lawyer at the Paris Bar.

Do not hesitate to reserve your place by registering via the following link: https://lnkd.in/gJQ7qqfV.

After being individually shortlisted as “Leader of the Year: Legal” in 2023, the full European Data Protection, Privacy and Security team of K&L Gates is once again recognized for its expertise by being shortlisted as “Leading Law Firm” for the Piccaso Awards Europe 2024.

Congrats to the team and see you in London!

  1. My company is not established in the EU. Should I really worry about the EU Data Act applying to my company?
  2. What are the operational impacts of the EU Data Act on my products‘ interface?
  3. My products are already on the market, can I still provide them as I am today?
  4. What data is in the EU Data Act scope?
  5. Does the EU Data Act provide for a harmonized framework for blockchain-based smart contracts?
  6. Who can request the sharing of data?
  7. How should data be made available?
  8. Are there any limitations on how the data can be shared?
  9. Can I invoke intellectual property right to forego the data sharing?
  10. Should the data be made available to public entities as well?
  11. Will I need to update my contracts as well?
  12. Will the data be required to stay in the European Union?
  13. When will all this become an operational reality for me?
  14. What are the EU Data Act penalties?
(more…)

Recent legislative updates have emerged in France, focusing on the intricate balance between national regulation and European Union directives —especially relevant to the evolving sector of commercial influence. The French law no. 2024-356, passed on 22 April 2024 (“DADDUE Law”), has granted the government a nine-month window to modify previous statutes to align with European standards.

The DADDUE Law will harmonize French national law (notably Law no. 2023-451 on the Regulation of commercial influence of 09 June 2023, see our previous post on this topic) with various European texts, including the e-commerce directive and directives like the DSA and SMA.

Among the articles set for revision are:

  • Article 1 regarding the definition of influence;
  • Article 2 on influencers’ agents;
  • Article 4 on prohibited sectors of promotion;
  • Article 5 on advertising disclosure requirements;
  • Article 8 on the framework of contracts between influencers and agents; and
  • Article 9 on insurance mandates for non-European influencers.

This underscores an initiative to refine the French national law on commercial influence in response to feedback from the European Commission.

The DADDUE Law will also repeal five articles within the prior law (articles 10, 11, 12, 15, and 18) that intersect with the Digital Services Act (DSA), on the obligations for hosting providers to implement alert systems for reporting illegal content and to comply promptly with legal and administrative injunctions to remove such content.

Furthermore, a government report will be presented within the next three months to address the necessary adjustments to Law no. 2023-566 on setting a digital majority age and battling online hatred, again drawing on remarks from the European Commission.

The path paved by the Law of 22 April 2024 requires a meticulous approach to legislative adaptation, ensuring that national regulations resonate with broader, collective European goals. This development is pivotal for professionals within the digital influence sphere and platforms hosting user-generated content, who must stay abreast of the changing legal landscape to sustain compliance and foster responsible online interactions.

First publicationK&L Gates Fashion Law Watch Blog – in collaboration with Kenza Berrada

Digital intermediation service platforms within the sectors of chauffeur-driven transportation and goods delivery have new responsibilities since the enactment of Decree no. 2024-388 on 25 Avril 2024. Operating under the framework established by Article L. 7345-1 of the French Labor Code, this Decree has initiated a systematic collection and transmission protocol for data concerning platform workers’ activities to the French Employment Platforms Social Relations Authority (“ARPE”).

This new system aims to bolster the production of statistical reports, as instrumental means to inform and transform the dialogue with the representative organizations.

Along these lines, platforms hold an equally important responsibility to revise their privacy notices. Transparency is paramount—the notices must clearly articulate these new data processing operations to the individuals concerned, ensuring that workers are fully aware of how their personal data is captured, utilized, and shared.

The implementation of Decree no. 2024-388 also signals a proactive step towards enhancing social dialogue tools within the affected sectors. Empowering ARPE to collect and leverage the data within its statutory power creates an opening for more informed policy-making and a more significant discourse between platforms, workers, and representative organizations.

The inception of the Decree manifests a shift towards a more transparent and regulated digital labor market. It requires those in authority—data controllers and intermediation platforms alike—to engage in a comprehensive update of operational protocols and privacy frameworks, thereby securing data subject rights while contributing to a broader socio-economic analysis. Such task will necessitate a keen understanding of both legal obligations and the ethical standards underscoring the digital economy.

The crucial evolution underlying the enactment of the Decree will require Platforms acting as data controllers to update in alignment their records of processing activities (RoPA) and meticulously document the nature, purpose, scope of data processed and the operational procedures for transferring requisite data to the ARPE.

First publicationK&L Gates Cyber Law Watch Blog– in collaboration with Kenza Berrada