Author Archives: Claude-Etienne Armingaud

Deployment of AI in the Workplace in France – The Importance of Consulting with the Work Forces

February 26th, 2025 | Posted by Claude-Etienne Armingaud in Artificial intelligence - (0 Comments)

In a significant ruling on 14 February 2025, the First Instance Court of Nanterre, France ordered a company to suspend the deployment of several artificial intelligence tools until proper consultation with its Works Council has been completed.

The company started implementing new AI applications while the mandatory Works Council consultation process was still ongoing. Despite the claim that these tools were merely in a “pilot phase,” the court found that their deployment to employees constituted actual implementation rather than simple experimentation.

The court’s decision emphasizes the importance of respecting employee representation rights in the digital transformation of workplaces, especially in France. This injunctive relief ruled that the premature implementation of the AI tools constituted a “manifestly unlawful disturbance” of the Works Council prerogatives.

This case sets an important precedent for companies implementing AI technologies in France, highlighting the necessity of proper employee consultation procedures before deploying new technological tools in the workplace, in addition to the recently adopted EU AI Act.

New EDPB Statement on Age Assurance: What You Need to Know

February 17th, 2025 | Posted by Claude-Etienne Armingaud in Non classé - (0 Comments)

On 11 February 2024, the European Data Protection Board (EDPB) adopted a new statement on age assurance. This statement, while not legally binding, will guide the enforcement of age-gating methods across the EU. Age assurance refers to the methods used to determine an individual’s age or age range with varying levels of confidence or certainty.

The EDPB’s statement addresses several online scenarios where age verification is crucial. These include situations where legal age requirements exist for purchasing products, using services that could pose risks to children, or engaging in legal activities. It also emphasizes the responsibility to protect children by ensuring that services are designed and provided in an age-appropriate manner.

Platforms publishing notably adult content and which may be mandated under local laws to implement age control methods will need to take this guidance into consideration.

Implementation Requirements

Perform and document a risk-based assessment explaining the necessity of age assurance for your service and identifying specific risks. The age verification system should collect only the minimum age-related data necessary, typically just determining if a user is above or below the relevant age threshold. The chosen method must not enable tracking, profiling, or identification beyond what’s necessary for age verification.

Technical Requirements

Implement privacy-enhancing technologies that favor user-held data and secure local processing. Ensure multiple verification methods are available to prevent discrimination against users without access to certain tools. Consider a “no-log” policy where age verification data is not retained after the process.

Required Documentation

Conduct a Data Protection Impact Assessment (DPIA) before implementing any age assurance system. Develop clear policies documenting your age assurance governance framework, including roles and responsibilities, data protection measures, and compliance monitoring procedures.

From chaos to control: Compliance with DORA, NIS2 and the EU AI Act

Streamline Compliance, Optimize Cybersecurity Risk, and Protect Your Business with a Unified Approach

It’s time to move beyond reactive risk management. This event series is dedicated to the cybersecurity and business continuity regulations DORA and NIS2 as well as the EU AI Act and how integrated risk management can help you stay compliant.

Join our expert-led sessions to discover how Integrated Risk Management (IRM) is no longer a luxury, but a necessity for navigating today’s complex business environment. You will find out how you can move from a siloed approach to a more holistic management of risks weighing on your business.

During the webinar, our team of experts will be focussing in more detail on:

What NIS2, DORA and the EU AI Act mean in terms of compliance for businesses across Europe
Why Integrated Risk Management is a must for organizations who want to confidently navigate these regulatory challenges.

During our deminar session, find out how to focus on what matters and manage what counts. See NAVEX One in action!

Our team of experts will showcase a practical use case demonstrating

How to transition from inefficient spreadsheets to a fully integrated IRM system
What it needs to become compliant with NIS2, DORA and the EU AI Act
How your programme will be able to achieve measurable ROI and cost savings for your business.

Speakers

Jan Strappers

Jan Stappers

Regulatory Solution Director

NAVEX

Image of Jason

Jason Gottschalk

Partner – Cyber Security Practice

BDO LLP (London)

Claude-Etienne Armingaud

Partner

K&L Gates (Paris)

Dr. Ulrike Elteste

Counsel

K&L Gates (Frankfurt)

More information & registration here

Chambers France: TMT – Data Protection 2025

February 10th, 2025 | Posted by Claude-Etienne Armingaud in Privacy | Rankings - (0 Comments)

Ranked as “Up & Coming”

Source: Chambers Europe

Client testimonials:

“Claude-Étienne Armingaud is a true joy to work with. He is always prepared, knowledgeable in his areas of expertise and brings such a friendly attitude to the relationship.”

”Claude-Étienne Armingaud is a premier expert in his area. He works hard to stay ahead of the trends to offer quality advice, and it shows.”

”Claude-Étienne Armingaud’s multiculturalism is present in his broad understanding of various aspects of the law. He’s the French Swiss Army knife of lawyers.”

”Claude-Étienne Armingaud is an exceptional expert in the field of new technologies and digital law. His in-depth knowledge of IT issues places him among the key leaders in the sector in France.”

”Claude-Étienne Armingaud provides sophisticated yet very practical advice, which is exactly what clients require. He is definitively a market leader. He is also very approachable and down to earth.”

CJEU Upholds EDPB’s Authority to Order Broader Investigations in Cross-Border Cases

January 29th, 2025 | Posted by Claude-Etienne Armingaud in Case Law | Europe | Privacy - (0 Comments)

In a landmark judgment delivered on 29 January 2025, the General Court of the European Union has affirmed the European Data Protection Board‘s (EDPB) authority to require national supervisory authorities to broaden their investigations in cross-border data protection cases.

The case arose from the Irish Data Protection Commission‘s (DPC) challenge to three EDPB binding decisions concerning Meta’s data processing practices for Facebook, Instagram, and WhatsApp. The EDPB had instructed the DPC to conduct new investigations into Meta’s processing of special categories of personal data and issue new draft decisions.

The Court’s ruling emphasizes that the EDPB’s power to order broader investigations is subject to specific safeguards. Such orders can only be issued following a “relevant and reasoned objection” from another supervisory authority that demonstrates significant risks to data subjects’ rights. Additionally, these decisions require approval from a two-thirds majority of EDPB members.

Notably, the Court rejected the DPC’s argument that this authority undermines national supervisory authorities’ independence. Instead, it found that the EDPB’s role supports the consistent application of the GDPR across the EU while respecting national authorities’ operational autonomy in conducting investigations.

This decision reinforces the EDPB’s role as a central authority in ensuring comprehensive data protection investigations, particularly in cases involving major tech platforms. It clarifies that while the one-stop-shop mechanism aims for procedural efficiency, this cannot override the fundamental right to data protection.

The ruling sets a significant precedent for future cross-border enforcement actions, emphasizing that national supervisory authorities must be prepared to expand their investigations when legitimate concerns are raised by their counterparts in other EU member states.

Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models

December 17th, 2024 | Posted by Claude-Etienne Armingaud in Artificial Intelligence | Europe | Privacy - (0 Comments)

Go to official publication on EDPB website.

Adopted on 17 December 2024.

Executive summary

AI technologies create many opportunities and benefits across a wide range of sectors and social activities.

By protecting the fundamental right to data protection, GDPR supports these opportunities and promotes other EU fundamental rights, including the right to freedom of thought, expression and information, the right to education or the freedom to conduct a business. In this way, GDPR is a legal framework that encourages responsible innovation.

In this context, taking into account the data protection questions raised by these technologies, the Irish supervisory authority requested the EDPB to issue an opinion on matters of general application pursuant to Article 64(2) GDPR. The request relates to the processing of personal data in the context of the development and deployment phases of Artificial Intelligence (“AI”) models. In more details, the request asked: (1) when and how an AI model can be considered as ‘anonymous’; (2) how controllers can demonstrate the appropriateness of legitimate interest as a legal basis in the development and (3) deployment phases; and (4) what are the consequences of the unlawful processing of personal data in the development phase of an AI model on the subsequent processing or operation of the AI model.

With respect to the first question, the Opinion mentionsthat claims of an AI model’s anonymity should be assessed by competent SAs on a case-by-case basis, since the EDPB considers that AI models trained with personal data cannot, in all cases, be considered anonymous. For an AI model to be considered anonymous, both (1) the likelihood of direct (including probabilistic) extraction of personal data regarding individuals whose personal data were used to develop the model and (2) the likelihood of obtaining, intentionally or not, such personal data from queries, should be insignificant, taking into account ‘all the means reasonably likely to be used’ by the controller or another person.

To conduct their assessment, SAs should review the documentation provided by the controller to demonstrate the anonymity of the model. In that regard, the Opinion provides a non-prescriptive and non-exhaustive list of methods that may be used by controllers in their demonstration of anonymity, and thus be considered by SAs when assessing a controller’s claim of anonymity. This covers, for instance, the approaches taken by controllers, during the development phase, to prevent or limit the collection of personal data used for training, to reduce their identifiability, to prevent their extraction or to provide assurance regarding state of the art resistance to attacks.

With respect to the second and third questions, the Opinion provides general considerations for SAs to take into account when assessing whether controllers can rely on legitimate interest as an appropriate legal basis for processing conducted in the context of the development and the deployment of AI models.

The Opinion recalls that there is no hierarchy between the legal bases provided by the GDPR, and that it is for controllers to identify the appropriate legal basis for their processing activities. The Opinion then recalls the three-step test that should be conducted when assessing the use of legitimate interest as a legal basis, i.e. (1) identifying the legitimate interest pursued by the controller or a third party; (2) analysing the necessity of the processing for the purposes of the legitimate interest(s) pursued (also referred to as “necessity test”); and (3) assessing that the legitimate interest(s) is (are) not overridden by the interests or fundamental rights and freedoms of the data subjects (also referred to as “balancing test”).

With respect to the first step, the Opinion recalls that an interest may be regarded as legitimate if the following three cumulative criteria are met: the interest (1) is lawful; (2) is clearly and precisely articulated; and (3) is real and present (i.e. not speculative). Such interest may cover, for instance, in the development of an AI model – developing the service of a conversational agent to assist users, or in its deployment – improving threat detection in an information system.

With respect to the second step, the Opinion recalls that the assessment of necessity entails considering: (1) whether the processing activity will allow for the pursuit of the legitimate interest; and (2) whether there is no less intrusive way of pursuing this interest. When assessing whether the condition of necessity is met, SAs should pay particular attention to the amount of personal data processed and whether it is proportionate to pursue the legitimate interest at stake, also in light of the data minimisation principle.

With respect to the third step, the Opinion recalls that the balancing test should be conducted taking into account the specific circumstances of each case. It then provides an overview of the elements that SAs may take into account when evaluating whether the interest of a controller or a third party is overridden by the interests, fundamental rights and freedoms of data subjects.

As part of the third step, the Opinion highlights specific risks to fundamental rights that may emerge either in the development or the deployment phases of AI models. It also clarifies that the processing of personal data that takes place during the development and deployment phases of AI models may impact data subjects in different ways, which may be positive or negative. To assess such impact, SAs may consider the nature of the data processed by the models, the context of the processing and the possible further consequences of the processing.

The Opinion additionally highlights the role of data subjects’ reasonable expectations in the balancing test. This can be important due to the complexity of the technologies used in AI models and the fact that it may be difficult for data subjects to understand the variety of their potential uses, as well as the different processing activities involved. In this regard, both the information provided to data subjects and the context of the processing may be among the elements to be considered to assess whether data subjects can reasonably expect their personal data to be processed. With regard to the context, this may include: whether or not the personal data was publicly available, the nature of the relationship between the data subject and the controller (and whether a link exists between the two), the nature of the service, the context in which the personal data was collected, the source from which the data was collected (i.e., the website or service where the personal data was collected and the privacy settings they offer), the potential further uses of the model, and whether data subjects are actually aware that their personal data is online at all.

The Opinion also recalls that, when the data subjects’ interests, rights and freedoms seem to override the legitimate interest(s) being pursued by the controller or a third party, the controller may consider introducing mitigating measures to limit the impact of the processing on these data subjects. Mitigating measures should not be confused with the measures that the controller is legally required to adopt anyway to ensure compliance with the GDPR. In addition, the measures should be tailored to the circumstances of the case and the characteristics of the AI model, including its intended use. In this respect, the Opinion provides a non-exhaustive list of examples of mitigating measures in relation to the development phase (also with regard to web scraping) and the deployment phase. Mitigating measures may be subject to rapid evolution and should be tailored to the circumstances of the case. Therefore, it remains for the SAs to assess the appropriateness of the mitigating measures implemented on a case-by-case basis.

With respect to the fourth question, the Opinion generally recalls that SAs enjoy discretionary powers to assess the possible infringement(s) and choose appropriate, necessary, and proportionate measures, taking into account the circumstances of each individual case. The Opinion then considers three scenarios.

Under scenario 1, personal data is retained in the AI model (meaning that the model cannot be considered anonymous, as detailed in the first question) and is subsequently processed by the same controller (for instance in the context of the deployment of the model). The Opinion states that whether the development and deployment phases involve separate purposes (thus constituting separate processing activities) and the extent to which the lack of legal basis for the initial processing activity impacts the lawfulness of the subsequent processing, should be assessed on a case-by-case basis, depending on the context of the case.

Under scenario 2, personal data is retained in the model and is processed by another controller in the context of the deployment of the model. In this regard, the Opinion states that SAs should take into account whether the controller deploying the model conducted an appropriate assessment, as part of its accountability obligations to demonstrate compliance with Article 5(1)(a) and Article 6 GDPR, to ascertain that the AI model was not developed by unlawfully processing personal data. This assessment should take into account, for instance, the source of the personal data and whether the processing in the development phase was subject to the finding of an infringement, particularly if it was determined by a SA or a court, and should be less or more detailed depending on the risks raised by the processing in the deployment phase.

Under scenario 3, a controller unlawfully processes personal data to develop the AI model, then ensures that it is anonymised, before the same or another controller initiates another processing of personal data in the context of the deployment. In this regard, the Opinion states that if it can be demonstrated that the subsequent operation of the AI model does not entail the processing of personal data, the EDPB considers that the GDPR would not apply. Hence, the unlawfulness of the initial processing should not impact the subsequent operation of the model. Further, the EDPB considers that, when controllers subsequently process personal data collected during the deployment phase, after the model has been anonymised, the GDPR would apply in relation to these processing operations. In these cases, the Opinion considers that, as regards the GDPR, the lawfulness of the processing carried out in the deployment phase should not be impacted by the unlawfulness of the initial processing.

The European Data Protection Board Having regard to Article 63 and Article 64(2) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”), Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018, Having regard to Article 10 and Article 22 of its Rules of Procedure, Whereas:

(1) The main role of the European Data Protection Board (hereafter the “Board” or the “EDPB”) is to ensure the consistent application of the GDPR throughout the European Economic Area (“EEA”). Article 64(2) GDPR provides that any supervisory authority (“SA”), the Chair of the Board or the Commission may request that any matter of general application or producing effects in more than one EEA Member State be examined by the Board with a view to obtaining an opinion. The aim of this opinion is to examine a matter of general application or which produces effects in more than one EEA Member State.

(2) The opinion of the Board shall be adopted pursuant to Article 64(3) GDPR in conjunction with Article 10(2) of the EDPB Rules of Procedure within eight weeks from when the Chair and the competent supervisory authority have decided that the file is complete. Upon decision of the Chair, this period may be extended by a further six weeks taking into account the complexity of the subject matter.

(more…)

Guidelines 02/2024 on Article 48 GDPR

December 2nd, 2024 | Posted by Claude-Etienne Armingaud in Data Transfer | Europe | Guidelines | Privacy - (0 Comments)

Adopted on 02 December 2024 – For public consultation

EXECUTIVE SUMMARY

Article 48 GDPR provides that: “Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter”.

The purpose of these guidelines is to clarify the rationale and objective of this article, including its interaction with the other provisions of Chapter V of the GDPR, and to provide practical recommendations for controllers and processors in the EU that may receive requests from third country authorities to disclose or transfer personal data.

The main objective of the provision is to clarify that judgments or decisions from third country authorities cannot automatically and directly be recognised or enforced in an EU Member State, thus underlining the legal sovereignty vis-a-vis third country law. As a general rule, recognition and enforceability of foreign judgements and decisions is ensured by applicable international agreements.

Regardless of whether an applicable international agreement exists, if a controller or processor in the EU receives and answers a request from a third country authority for personal data, such data flow is a transfer under the GDPR and must comply with Article 6 and the provisions of Chapter V.

An international agreement may provide for both a legal basis (under Article 6(1)(c) or 6(1)(e)) and a ground for transfer (under Article 46(2)(a)).

In the absence of an international agreement, or if the agreement does not provide for a legal basis under Article 6(1)(c) or 6(1)(e), other legal bases could be considered. Similarly, if there is no international agreement or the agreement does not provide for appropriate safeguards under Article 46(2)(a), other grounds for transfer could apply, including the derogations in Article 49.

Go to the full Guidelines.

C3PO: Competition and Consumer Convergence toward Privacy Operations

Speakers:

Claude-Étienne Armingaud, CIPP/E, Partner, Data Protection Privacy and Security Practice Group Coordinator, K&L Gates
Shereen Kenyon, Senior Manager Data Privacy and Data Protection Officer, SharkNinja
Elodie Vandenhende, Deputy Head of the Digital Economy Unit, French Competition Authority
Jörn Wittmann, Group Privacy Ambassador, Volkswagen AG

Governments around the globe have turned their attention to the power of accumulated data, and to the use of competition law powers to enact legislative initiatives. From the EU’s Digital Markets Act and proposed Data Act, to the UK’s Data Protection and Digital Information Bill, laws addressing competition, privacy and wider data access issues are becoming increasingly intertwined. Privacy and competition regulators, alongside consumer protection agencies and associations, are working more closely together than ever before. The EU Court of Justice has been asked for clarity on how such regulators should interact going forward. In some countries, we are also seeing a testing of the use of competition mechanisms for bringing group actions on privacy issues. In this session, we will discuss the interactions between privacy, consumer protection and competition, and how these are likely to shape compliance tactics, litigation strategies and regulatory interactions going forward.

What you will learn:

Privacy compliance efforts necessitate a multifaceted strategy.
“Data sharing” between authorities can put companies at risk of multi-front enforcement actions.
Best line of defense remains documentation and communication.

Navigating the Intersection of Data Scraping and Artificial Intelligence–A Global Data Protection Authorities’ Take

November 18th, 2024 | Posted by Claude-Etienne Armingaud in Artificial Intelligence | Privacy | World - (0 Comments)

In alignment with the ongoing concerns from several European data protection authorities publishing guidelines on data scrapping (i.e., the Dutch DPA, the Italian DPA and the UK Information Commissioner’s Office), the Global Privacy Assembly (GPA)’s International Enforcement Cooperation Working Group (IEWG) recently published a Joint statement on data scraping and the protection of privacy (signed by the Canadian, British, Australian, Swiss, Norwegian, Moroccan, Mexican, and Jersey data protection authorities) to provide further input for businesses when considering data.

The statement emphasizes that:

Even publicly accessible data is subject to privacy laws across most jurisdictions – meaning that scraping activities must comply with data protection regulations requiring a (i) lawful basis for data collection and, (ii) transparency with individuals, including obtaining consent where necessary.

Collecting mass data can constitute a reportable data breach if it includes unauthorized access to personal data.

Relying on platform terms (e.g., Instagram) for data scraping does not automatically ensure compliance as (i) this contractually authorized use of scraped personal data is not automatically compliant with data protection and artificial intelligence (AI) laws, and (ii) it is difficult to determine whether scraped data is used solely for purposes allowed by the contract terms.

When training AI models, it is critical to adhere not only to privacy regulations but also to emerging AI laws as ensuring AI model transparency and data processing limitations is now increasingly expected by privacy regulators.

The sensitivity of this topic underscores the close relationship between data protection and the ever-data-hungry artificial intelligence industry.

First Publication on K&L Gates Cyber Law Watch blog, in collaboration with Anna Gaentzhirt

Top 10 operational impacts of the EU AI Act – Regulatory implementation and application alongside EU digital strategy

October 29th, 2024 | Posted by Claude-Etienne Armingaud in Artificial intelligence | Europe | Legislation - (0 Comments)

Launched in 2015, the EU’s Digital Single Market Strategy aimed to foster the digital harmonization between the EU member states and contribute to economic growth, boosting jobs, competition, investment and innovation in the EU.

The EU AI Act characterizes a fundamental element of this strategy. By adopting the first general-purpose regulation of artificial intelligence in the world, Brussels sent a global message to all stakeholders, in the EU and abroad, that they need to pay attention to the AI discussion happening in Europe.

The EU AI Act achieves a delicate balancing act between the specifics, including generative AI, systemic models and computing power threshold, and its general risk-based approach. To do so, the act includes a tiered implementation over a three-year period and a flexible possibility to revise some of the more factual elements that would be prone to rapid obsolescence, such as updating the threshold of the floating point operations per second — a measurement of the performance of a computer for general-purpose AI models presumed to have high impact capabilities. At the same time, the plurality of stakeholders involved in the interpretation of the act and its interplay with other adopted, currently in discussion or yet-to-come regulations will require careful monitoring by the impacted players in the AI ecosystems.