Author Archives: Claude-Etienne Armingaud

International Personal Data Transfers: An Eventful Week

March 25th, 2022 | Posted by Claude-Etienne Armingaud in Brexit | Data Transfer | Europe | Privacy - (0 Comments)

Transfer from the UK

On 21 March 2022, the United Kingdom finalized the adoption of its own version of the European Union’s (EU) Standard Contractual Clauses (SCC), a contractual mechanism aiming at securing personal data protected under a data protection framework to third countries not deemed to offer an “adequate” level of data protection.

On 16 July 2020, while the United Kingdom was still an EU Member State, the European Court of Justice (CJEU), through its Schrems II decision, added new requirements to the SCC (see our Alert here), relating to safeguards against access to personal data protected under EU’s General Data Protection Regulation (GDPR) by intelligence agencies. As a consequence, the European Union adopted new versions of the SCC in June 2021 (see our Alert here), but the United Kingdom having finalized Brexit in the meantime, did not adopt the new SCCs, instead operating the previous versions of the SCC, and an updated document for transfers initiated under the UK GDPR was needed.

The UK’s draft International Data Transfer Agreement (IDTA) and Addendum  were laid before Parliament on 22 February 2022 and finally adopted on 21 March 2022 without changes. The IDTA is an equivalent contract to the SCC, but uses a tabular approach in place of the modules used by the SCC. The alternative instrument that was introduced, the Addendum, provides UK data exporters with a semi-seamless mechanism where they can leverage their existing SCC for transfers initiated under the EU GDPR. The Addendum consists of a form effectively selecting the relevant options of the SCC and amending EU terminology and legal references to UK-specific ones. It is likely to be more widely used than the IDTA, particularly as data exporters with operations in both the UK and the EU will look to reduce the number of contracts they need to enter into. Overall, the IDTA and the Addendum represent a narrowing in the divergence that had appeared recently in the differing safeguards required by the UK and the EU for data exporters engaged in personal data transfers from their respective jurisdictions.

As a reminder:

  • Transfers between the EU and the UK do not need any specific measures as per the adequacy decision currently in place (see our Alert here)
  • all data transfer agreements under the EU GDPR based on the previous versions of the SCC will need to be migrated to the new SCC on or before 27 December 2022; and
  • all data transfer agreements under the UK GDPR executed on or before 21 September 2022 on the basis of any Transitional Standard Clauses (based on the previous versions of the SCC) will need to be migrated to an IDTA or Addendum on or before 21 March 2024.

Transfer from the EU to the US: En Route for Schrems III?

On 25 March 2022, European Commission President Ursula von der Leyen and United States President Joe Biden announced  an “agreement in principle” on a new EU-US data sharing system, expected to replace the Privacy Shield framework invalidated under the CJEU’s Schrems II decision in 2020 (see our Alert here).

As no draft of that “agreement” has been circulated, the existing grievances against U.S. intelligence agencies’ access to personal data protected under GDPR remain and concerns relating to ‘effective legal remedies’ available to individuals protected under GDPR (Data Subjects) will need to be addressed. Data activist Maximilian Schrems and his organization, noyb, already announced that they would closely monitor the development of this new framework and challenge any decision which would not abide by the CJEU’s 2020 Schrems II decision.

While such a political statement is encouraging for the future of international data transfers, this announcement should not be construed as relieving companies subject to GDPR’s territorial scope (see our Alert here) from implementing adequate data transfer mechanisms until more concrete elements are adopted.

Such transfer mechanisms notably include:

K&L Gates’ global data protection team (including in each of our European offices) remains available to assist you in achieving the compliance of your data transfers at a global level.

First publication: K&L Gates Hub in collaboration with Noirin McFadden, Thomas Nietsch and Keisha Phippen

Online Advertising — Where Are We Headed?

March 18th, 2022 | Posted by Claude-Etienne Armingaud in Conference | cookies | Europe | France | Privacy - (0 Comments)

Event: IAPP Data Protection Intensive: France

Date: 18 March 2022

Time: 8:00 AM ET

Location: Le Méridien Etoile, 81 Boulevard Gouvion Saint-Cyr 75848 Cedex 17, 75017 Paris

The dynamics in online advertising have always been head spinning — but the latest developments promise to go beyond. The slow death of third-party cookies is shaking up the industry and raises new questions privacy professionals have to grapple with. With the upcoming e-Privacy Regulation, a new law is taking shape. And to add even more complexity, French lawmakers are eager to push through a new privacy law for online marketing based on the old e-Privacy Directive. Hear from industry experts what to expect and how to navigate the uncertainties. This panel will also address cutting edge questions like cookie walls, nudging, or dark patterns.

French authority falls in line with ECJ position on general retention of metadata

March 16th, 2022 | Posted by Claude-Etienne Armingaud in France | Legislation | Press | Privacy - (0 Comments)

Quoted by Global Data Review:

Claude-Étienne Armingaud, a partner at K&L Gates in Paris, said the decision would have little impact in practice.

“The new sections adopted in July 2021 are implementing specific and targeted data retention requirements which should therefore comply with both the ECJ decisions and the Constitutional Council decision of today,” he said.

“So, if anything, it’s a tardy decision that was expected and confirmation that the Government did well to anticipate this.”

Read full article here.

Leaders League Rankings 2022 – Technologies, internet & telecommunications – Data protection law – Law firm – France

March 8th, 2022 | Posted by Claude-Etienne Armingaud in IT | Privacy | Rankings - (0 Comments)

K&L Gates ranked “Highly Recommended – Band 1” with Claude-Etienne Armingaud.

Source: Leaders League

(more…)

,

Leaders League Ranking 2022 – Intellectual property – Management of trademark, design and model portfolios – France

March 8th, 2022 | Posted by Claude-Etienne Armingaud in Intellectual Property | Rankings | Trademarks - (0 Comments)

K&L Gates ranked “Recommended” with Claude-Etienne Armingaud.

Source: Leaders League

(more…)

The French Competition Authority Self-Referral for An Opinion on The Cloud-Computing Sector

February 21st, 2022 | Posted by Claude-Etienne Armingaud in Competition | France - (0 Comments)

During his January 2022 hearing before France’s National Assembly, the newly appointed chairman of the French competition authority (AdlC), Benoit Coeuré, stated that the digital sector would be one of the principal subject matters of his chairmanship (see press release here in English). 

His intention is to focus on “the emergence of new essential infrastructures such as cloud-computing” and that, in consequence, “it would be important and justified for the AdlC to rapidly undertake in-depth work on the consequences of cloud-computing in all sectors in conjunction with the relevant sectoral authorities.”

Pursuant to Article L. 462-4 of the French Commercial Code, the AdlC has therefore decided to conduct a wide analysis of the matter in order to assess the competitive situation of the cloud-computing ecosystem.

A BOOMING SECTOR

This opinion comes at a time when the cloud-computing market is booming at both the European and French level, with an average annual growth expected to exceed 25% over the next few years, with strong value-creation challenges for the economy, and allowing for a 2030 market prediction 10 times larger than in 2020.

Over the last few years, cloud computing has become a complex ecosystem of technologies, products, and services, giving rise to a wealthy economy where several cloud-computing service providers compete for an ever-increasing share of the service market. This peaking sector allows for more efficient ways of working, which has ended up being especially valuable during the COVID-19 pandemic.

This “cloud boom” also serves as the backbone of a widespread digitalization of the economy, which is supported by the French government with its new national plan to support the French cloud industry.

THE NECESSITY FOR GLOBAL ANALYSIS 

The AdlC’s purpose to conduct a broad analysis of the cloud-computing sector is pushed by both a European and international dynamic.

In this regard, the AdlC intends to provide for a definition of the relevant markets in the sector. 

This commitment can be traced back to the European Commission’s (EU Commission) early analysis of the “IT outsourcing services” market encompassing the “public cloud computing services” as one of its sub-segments.1  Concurrently and from a transatlantic perspective, the U.S. Federal Trade Commission is also pushing forward with an antitrust scrutiny in the cloud-computing business. 

The AdlC intends to study the competitive dynamics of the sector and the presence of operators in the various segments of the value chain (including their contractual relations) in a context where multiple alliances and partnerships are concluded for the provision of cloud services. 

Should the AdlC identify potential improvements, proposals may be issued for the competitive functioning of the sector.
Taking into account the variety and complexity of the cloud-computing technologies involved, the AdlC announced that, for the first time, the investigation unit will comprise lawyers, economists, and data scientists notably from the newly created Digital Economy Department.

THE NEXT STEPS

A broad public consultation will be taking place in the next few months to gather comments and suggestions from the stakeholders. Comments are to be sent to the AdlC through the following email address: avis.cloud@autoritedelaconcurrence.fr

The final opinion is expected to be issued by the beginning of 2023.

The firm’s global competition and data protection team (including the competition team and data protection team in each of our European offices) remains available to assist you in achieving the compliance of your data and antitrust matters at global levels.

First publication: K&L Gates Hub with Camille Scarparo

GDPR, Cookies and the Ever-Filling Jar of European Data Protection

January 27th, 2022 | Posted by Claude-Etienne Armingaud in cookies | Europe | Privacy - (0 Comments)

European regulators unofficially announced the major theme of this new year, through the release of several decisions pertaining to cookies and other tracking technologies in the first 10 days of 2022.

As the General Data Protection Regulation (GDPR) is approaching the fourth anniversary of its entry into force, the ePrivacy Regulation—a companion piece to address online communication and that was supposed to be adopted at the same time—remains in the limbo of the European legislative process.

In the meantime, the effects of the Schrems II decision of 16 July 2020 (see our alert here), which canceled the Privacy Shield and placed stricter requirements on the use of standard contractual clauses, continues to ripple through data protection compliance efforts of companies worldwide.

(more…)

French IP Law Update – The Delicate Balance between Employers and Inventors: A French Revolution?

January 20th, 2022 | Posted by Claude-Etienne Armingaud in France | Intellectual Property | Patent - (0 Comments)

Counsel from jurisdictions where payments to employee-inventors only arise from contracts or employee incentive programs are sometimes surprised when they first become involved with jurisdictions that have statutory payment schemes for employee-inventors. Intellectual property (IP) management policies not written and designed with these jurisdictions in mind can lead to issues that may come to light only when a problem arises or in diligence. Even if a company has a process in place for making inventor payments, they also, in some circumstances, need to provide locally required notice and information to the inventor. Attorneys outside these jurisdictions need to be aware of these rules when conducting IP diligence, and when they are involved in managing patent prosecution dockets where the priority case originates in jurisdictions that have these requirements. One example of such a notice requirement is in France. 

(more…)

🇺🇸 Conference Data Protection World Forum – Roundtable: Cloudy horizons with the threat of breaches

January 4th, 2022 | Posted by Claude-Etienne Armingaud in Conference | Data Breach | Privacy - (0 Comments)

Join us on 19 January 2022 – 1.30pm GMT

Host – Paul Hampton, Senior Product Manager, Thales

Speakers :

  • Stewart Room, Partner, Global Head of Data Protection & Cyber Security, DWF
  • Claude-Étienne Armingaud, CIPP/E, Partner – Practice Group Coordinator | Data Protection, Privacy and Security, K&L Gates LLP
  • Ray Walshe, Director and EU Observatory for ICT Standards, Dublin City University

Most organisations have felt the impact of accelerating their cloud adoption strategies in the past two years. While beneficial to the enterprise in numerous areas, such as faster application development, combined with the ability to experiment and quickly leverage elasticity and resiliency, these benefits have also brought significant new security challenges.

Today, enterprises are grappling with security issues never before faced or addressed. The debate of shared responsibility between provider and customer, data sovereignty, the utopian cloud environment and the constant changing of threat models to name a few.

This session will draw on the recent findings of the 2021 Thales Cloud Security Report to discuss how European enterprises are handling the data security repercussions of an accelerated cloud deployment.

Areas for Discussion

• The widespread use of SaaS within the enterprise

• Cloud complexity with ‘lift & shift’, multicloud, and hybrid

• Encryption in the cloud is not as widespread as enterprises think

• How successful are enterprises in maintaining compliance and avoiding breaches in the cloud

• Who owns responsibility for the security of data in the cloud

More information and registration here

United Arab Emirates – Federal Decree-Law No.(45) of 2021 on Personal Data Protection

January 2nd, 2022 | Posted by Claude-Etienne Armingaud in Legislation | World - (0 Comments)

FEDERAL DECREE-LAW NO. (45) OF 2021 ON PERSONAL DATA PROTECTION

Read the full text.

(more…)