Access the full list of the EDPB and WP29 Guidelines here, including consultation versions, now-current versions and redlines between versions.
List of the EDPB Guidelines
May 30th, 2023 | Posted in Guidelines | Uncategorized | Privacy
Gateway to Privacy – Our K&L Gates Data Protection Podcast
February 22nd, 2023 | Posted in Europe | Podcast | Privacy | World
This program provides timely updates, best practices, and emerging developments in today’s data protection, privacy, and security industry.
Guidelines 02/2024 on Article 48 GDPR
December 2nd, 2024 | Posted in Data Transfer | Europe | Guidelines | Privacy
Adopted on 02 December 2024 – For public consultation
EXECUTIVE SUMMARY
Article 48 GDPR provides that: “Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter”.
The purpose of these guidelines is to clarify the rationale and objective of this article, including its interaction with the other provisions of Chapter V of the GDPR, and to provide practical recommendations for controllers and processors in the EU that may receive requests from third country authorities to disclose or transfer personal data.
The main objective of the provision is to clarify that judgments or decisions from third country authorities cannot automatically and directly be recognised or enforced in an EU Member State, thus underlining the legal sovereignty vis-a-vis third country law. As a general rule, recognition and enforceability of foreign judgements and decisions is ensured by applicable international agreements.
Regardless of whether an applicable international agreement exists, if a controller or processor in the EU receives and answers a request from a third country authority for personal data, such data flow is a transfer under the GDPR and must comply with Article 6 and the provisions of Chapter V.
An international agreement may provide for both a legal basis (under Article 6(1)(c) or 6(1)(e)) and a ground for transfer (under Article 46(2)(a)).
In the absence of an international agreement, or if the agreement does not provide for a legal basis under Article 6(1)(c) or 6(1)(e), other legal bases could be considered. Similarly, if there is no international agreement or the agreement does not provide for appropriate safeguards under Article 46(2)(a), other grounds for transfer could apply, including the derogations in Article 49.
C3PO: Competition and Consumer Convergence toward Privacy Operations
November 20th, 2024 | Posted in Competition | Conference | Europe | France | Privacy
Speakers:
- Claude-Étienne Armingaud, CIPP/E, Partner, Data Protection Privacy and Security Practice Group Coordinator, K&L Gates
- Shereen Kenyon, Senior Manager Data Privacy and Data Protection Officer, SharkNinja
- Elodie Vandenhende, Deputy Head of the Digital Economy Unit, French Competition Authority
- Jörn Wittmann, Group Privacy Ambassador, Volkswagen AG
Governments around the globe have turned their attention to the power of accumulated data, and to the use of competition law powers to enact legislative initiatives. From the EU’s Digital Markets Act and proposed Data Act, to the UK’s Data Protection and Digital Information Bill, laws addressing competition, privacy and wider data access issues are becoming increasingly intertwined. Privacy and competition regulators, alongside consumer protection agencies and associations, are working more closely together than ever before. The EU Court of Justice has been asked for clarity on how such regulators should interact going forward. In some countries, we are also seeing a testing of the use of competition mechanisms for bringing group actions on privacy issues. In this session, we will discuss the interactions between privacy, consumer protection and competition, and how these are likely to shape compliance tactics, litigation strategies and regulatory interactions going forward.
What you will learn:
Navigating the Intersection of Data Scraping and Artificial Intelligence–A Global Data Protection Authorities’ Take
November 18th, 2024 | Posted in Artificial Intelligence | Privacy | World
In alignment with the ongoing concerns from several European data protection authorities publishing guidelines on data scraping (i.e., the Dutch DPA, the Italian DPA and the UK Information Commissioner’s Office), the Global Privacy Assembly (GPA)’s International Enforcement Cooperation Working Group (IEWG) recently published a Joint statement on data scraping and the protection of privacy (signed by the Canadian, British, Australian, Swiss, Norwegian, Moroccan, Mexican, and Jersey data protection authorities) to provide further input for businesses when considering data.
The statement emphasizes that:
- Even publicly accessible data is subject to privacy laws across most jurisdictions – meaning that scraping activities must comply with data protection regulations requiring (i) a lawful basis for data collection and (ii) transparency with individuals, including obtaining consent where necessary.
- Collecting mass data can constitute a reportable data breach if it includes unauthorized access to personal data.
- Relying on platform terms (e.g., Instagram) for data scraping does not automatically ensure compliance as (i) this contractually authorized use of scraped personal data is not automatically compliant with data protection and artificial intelligence (AI) laws, and (ii) it is difficult to determine whether scraped data is used solely for purposes allowed by the contract terms.
- When training AI models, it is critical to adhere not only to privacy regulations but also to emerging AI laws, as ensuring AI model transparency and data processing limitations is now increasingly expected by privacy regulators.
The sensitivity of this topic underscores the close relationship between data protection and the ever-data-hungry artificial intelligence industry.
First Publication on K&L Gates Cyber Law Watch blog, in collaboration with Anna Gaentzhirt
Top 10 operational impacts of the EU AI Act – Regulatory implementation and application alongside EU digital strategy
October 29th, 2024 | Posted in Europe | Artificial Intelligence | Legislation
Launched in 2015, the EU’s Digital Single Market Strategy aimed to foster digital harmonization between the EU member states and contribute to economic growth, boosting jobs, competition, investment and innovation in the EU.
The EU AI Act is a fundamental element of this strategy. By adopting the first general-purpose regulation of artificial intelligence in the world, Brussels sent a global message to all stakeholders, in the EU and abroad, that they need to pay attention to the AI discussion happening in Europe.
The EU AI Act achieves a delicate balancing act between the specifics, including generative AI, systemic models and computing power threshold, and its general risk-based approach. To do so, the act includes a tiered implementation over a three-year period and a flexible possibility to revise some of the more factual elements that would be prone to rapid obsolescence, such as updating the threshold of the floating point operations per second — a measurement of the performance of a computer for general-purpose AI models presumed to have high impact capabilities. At the same time, the plurality of stakeholders involved in the interpretation of the act and its interplay with other adopted, currently in discussion or yet-to-come regulations will require careful monitoring by the impacted players in the AI ecosystems.
Cyber Securi-Tea or Coffee – The Data Act or the multiverse of data
October 15th, 2024 | Posted in Conference | Europe | IT
As part of our new conference series on digital and “cyber” issues, we are pleased to invite you to a breakfast held at our Paris offices, during which Claude-Etienne Armingaud, CIPP/E (Partner, Data Protection & Technologies) will look at how companies can prepare for compliance with the EU Data Act. A great opportunity to exchange ideas, find inspiration and connect with professionals in the field!
As places are limited, we invite you to register now via the following link: https://ow.ly/183L50TAWbP.
Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR
October 8th, 2024 | Posted in Europe | Guidelines | Privacy
Version 1.0 – Adopted on 8 October 2024
These guidelines analyse the criteria set down in Article 6(1)(f) GDPR that controllers must meet to lawfully engage in the processing of personal data that is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party”.
Article 6(1)(f) GDPR is one of the six legal bases for the lawful processing of personal data envisaged by the GDPR. Article 6(1)(f) GDPR should neither be treated as a “last resort” for rare or unexpected situations where other legal bases are deemed not to apply nor should it be automatically chosen or its use unduly extended on the basis of a perception that Article 6(1)(f) GDPR is less constraining than other legal bases.
For processing to be based on Article 6(1)(f) GDPR, three cumulative conditions must be fulfilled:
- First, the pursuit of a legitimate interest by the controller or by a third party;
- Second, the need to process personal data for the purposes of the legitimate interest(s) pursued; and
- Third, the interests or fundamental freedoms and rights of the concerned data subjects do not take precedence over the legitimate interest(s) of the controller or of a third party.
In order to determine whether a given processing of personal data may be based on Article 6(1)(f) GDPR, controllers should carefully assess and document whether these three cumulative conditions are met. This assessment should be done before carrying out the relevant processing operations.
With regard to the condition relating to the pursuit of a legitimate interest, not all interests of the controller or a third party may be deemed legitimate; only those interests that are lawful, precisely articulated and present may be validly invoked to rely on Article 6(1)(f) GDPR as a legal basis. It is also the responsibility of the controller to inform the data subject of the legitimate interests pursued where that processing is based on Article 6(1)(f) GDPR.
With regard to the condition that the processing of personal data be necessary for the purposes of the legitimate interests pursued, it should be ascertained whether the legitimate interests pursued cannot reasonably be achieved just as effectively by other means less restrictive of the fundamental rights and freedoms of data subjects, also taking into account the principles enshrined in Article 5(1) GDPR. If such other means exist, the processing may not be based on Article 6(1)(f) GDPR.
With regard to the condition that the interests or fundamental rights and freedoms of the person concerned by the data processing do not take precedence over the legitimate interests of the controller or of a third party, that condition entails a balancing of the opposing rights and interests at issue which depends in principle on the specific circumstances of the relevant processing. The processing may take place only if the outcome of this balancing exercise is that the legitimate interests being pursued are not overridden by the data subjects’ interests, rights and freedoms.
A proper Article 6(1)(f) GDPR assessment is not a straightforward exercise. Rather, the assessment — and in particular the balancing of opposing interests and rights — requires full consideration of a number of factors, such as the nature and source of the relevant legitimate interest(s), the impact of the processing on the data subject and their reasonable expectations about the processing, and the existence of additional safeguards which could limit undue impact on the data subject. The present guidelines provide guidance on how such an assessment should be carried out in practice, including in a number of specific contexts (e.g., fraud prevention, direct marketing, information security, etc.) where this legal basis may be considered.
The guidelines also explain the relationship that exists between Article 6(1)(f) GDPR and a number of data subject rights under the GDPR.
Lost in transition? – Data Strategy & Opportunities in the New EU Legal Frameworks
October 8th, 2024 | Posted in Conference | Europe | Artificial Intelligence | IT | Legislation | Privacy
We kindly invite you to the K&L Gates Legal & Compliance Breakfast on 8 October 2024 in Frankfurt.
Please join us for coffee, tea and croissants and take away impulses and new momentum for the work on your data strategy.
We will discuss how the Data Act and the AI Act impact a company’s data strategy. How does one reconcile them with each other and with other elements of the legal framework, like GDPR and antitrust laws?
Our keynote speaker will be Claude-Étienne Armingaud, a partner at K&L Gates’ Paris office. He coordinates our European technology and privacy practices and has been building pragmatic legal solutions on both sides of the Atlantic for many years.
We look forward to welcoming you at our Frankfurt office on level 28 of the “Opernturm” tower.
Please register by clicking here.
AI – The Future of Law Firms?
October 4th, 2024 | Posted in Conference | Artificial Intelligence
Don’t miss the plenary session “AI, the future of law?” on Thursday, October 17 from 2 p.m. to 4 p.m. at the Palais du Grand Large in Saint-Malo. This event, organized by the ACE – Young Lawyers commission, will be introduced by its president Ludovic Blanc (Lawyer at the Paris Bar, President of ACE-JA national).
Our partner Claude-Etienne Armingaud, CIPP/E (Partner, Data Protection & Technologies), François GIRAULT (Lawyer at the Montpellier Bar, President of the CNB Prospective and Innovation Commission, Vice-President ACE Ouest Méditerranée, Vice-President Liberal Professions CPME 34), Philippe BARON (Lawyer at 2BMP Avocats, President of the CNB Digital Commission) and Christiane Féral-Schuhl (Lawyer at the Paris Bar in digital law, former President of the National Council of Bars, former President of the Paris Bar Association) will participate in this essential discussion on the impact of AI on the legal profession.
This meeting will be hosted by Anne-Cécile Sarfati, journalist and columnist, with a Live Show presented by Tiphaine MARY (Maître et Talons), Lawyer at the Paris Bar.
Do not hesitate to reserve your place by registering via the following link: https://lnkd.in/gJQ7qqfV.
K&L Gates Short Listed for Leading Law Firm at PICCASO Privacy Awards
August 30th, 2024 | Posted in Europe | Privacy | Rankings
After being individually shortlisted as “Leader of the Year: Legal” in 2023, the full European Data Protection, Privacy and Security team of K&L Gates is once again recognized for its expertise by being shortlisted as “Leading Law Firm” for the Piccaso Awards Europe 2024.
Congrats to the team and see you in London!