Following the 2020 Court of Justice of the European Union’s (CJEU) ruling invalidating the Privacy Shield (see our alert here), personal data transfers from the European Union to the United States required EU companies to implement additional safeguard mechanisms, as the CJEU considered that U.S. legislation did not provide sufficient guarantees against the risk of access by public authorities (including intelligence services) to the imported data.
(more…)Author Archives: Claude-Etienne Armingaud
UK: Queen’s Speech Heralds GDPR Overhaul
June 7th, 2022 | Posted by in Brexit | Privacy - (0 Comments) In the Queen’s speech at the state opening of parliament on 10 May 2022, the UK government announced its intention to change the UK’s data protection regime in a new Data Reform Bill. This follows a consultation last Autumn on how the UK GDPR could be reformed following the UK’s exit from the European Union (EU).
The government claims that the new Bill would:
- Create a data protection framework focused on “privacy outcomes” that would reduce the burdens on businesses, and a “clearer regulatory environment” to encourage “responsible innovation”.
- Ensure that citizens’ data is “protected to a gold standard”, while enabling more efficient sharing of data between public bodies.
- Modernise the Information Commissioner’s Office and require it to be “more accountable to Parliament and the public”.
The Queen’s speech also announced plans to replace the Human Rights Act 1998, which incorporated the European Convention on Human Rights into UK law. According to the government a new “Bill of Rights” would “end the abuse of the human rights framework and restore some common sense to [the] justice system”. This would be achieved by “establishing the primacy of UK case law”, which means that UK courts would no longer be required to follow the case law of the European Court of Human Rights.
Taken together, both of these proposed new legislative measures could change the balance of protection of individuals’ rights in the UK, both generally and in the specific area of personal data regulation. Their development will be closely watched by data protection professionals, because any significant changes in the UK data protection regime could prompt the EU to review its post-Brexit UK adequacy decision, potentially leading to the end of decades of seamless transfers of personal data from the EU to the UK.
First publication on K&L Gates Cyber Law Watch in collaboration with Nóirín McFadden
Guidelines 06/2022 on the practical implementation of amicable settlements
May 12th, 2022 | Posted by in Europe | Guidelines | Privacy - (0 Comments) EDPB Guidelines on Amicable Settlements: Key Points
The European Data Protection Board (EDPB) has released guidelines on how supervisory authorities (SAs) should handle amicable settlements under GDPR. Here are the key takeaways:
What is an Amicable Settlement?
- A process where data protection authorities facilitate resolution of complaints between data subjects and controllers
- Aims to achieve compliance with GDPR while satisfying both parties’ interests
- Most suitable for cases involving:
- Limited number of data subjects
- Non-systematic violations
- Incidental/accidental breaches
- Limited personal data
- Non-serious violations
Key Principles
- Not all EU countries allow amicable settlements (14 countries explicitly don’t permit them)
- Can be used in both local cases and cross-border processing scenarios
- Must respect principles of good administration and due process
- Should lead to swift resolution while maintaining high level of data protection
Cross-border Cases
In One-Stop-Shop (OSS) mechanism:
- Lead Supervisory Authority (LSA) must keep Concerned Supervisory Authorities (CSAs) informed
- Settlement requires formal decision under Article 60 GDPR
- CSAs must be consulted before finalizing settlement
- LSA remains “sole interlocutor” with the controller
Important Considerations
- Settlement doesn’t prevent further investigation if systemic issues are discovered
- Can be partial – some aspects of complaint may require formal investigation
- Must be documented and communicated properly to all parties
- Should include proof of compliance from controller and satisfaction from data subject
These guidelines represent a significant step toward harmonizing how data protection authorities handle complaints across the EU, while maintaining flexibility to account for national legal frameworks and specific case circumstances.
Litigation Minute: Creating an Incident Response Plan
May 10th, 2022 | Posted by in Privacy | Violation de données - (0 Comments) WHAT YOU NEED TO KNOW IN A MINUTE OR LESS
Reported incidents of data breaches have reached record levels over the last two years1)Experian Data Breach Resolution. (2021). Eighth Annual Study: Is Your Company Ready for a Big Data Breach? Ponemon Institute.. Given this undeniable reality, a data security incident response plan is no longer a luxury; it is a vital tool in every company’s larger crisis management plan. A well-thought-out and thorough response plan can not only significantly reduce the confusion that often follows a data security incident, but can also reduce the pitfalls that often lead to regulatory scrutiny and putative class actions in the United States and the fairly recent “group actions” in the European Union.
In a minute or less, here are the essential components of a working incident response plan.
(more…)References
| ↑1 | Experian Data Breach Resolution. (2021). Eighth Annual Study: Is Your Company Ready for a Big Data Breach? Ponemon Institute. |
|---|
Legal 500 Rankings 2022 – Data Privacy and Data Protection – Tier 2 & Leading Individual – France
April 11th, 2022 | Posted by in France | Privacy | Rankings - (0 Comments) ‘Specialist in new technologies’, K&L Gates LLP‘s team has an outstanding reputation for legal advice on innovative technologies and data-related concerns. Claude-Etienne Armingaud and Raphael Bloch are recognised as ‘exceptional lawyers who miss no details and who know their fields to perfection’. Claude-Etienne Armingaud has developed particular knowledge of multijurisdictional transactional matters dealing with IT outsourcing and data protection for blockchain and fintech, connected cars, and big data services.
Leading individuals: Claude-Etienne Armingaud – K&L Gates LLP
Practice head(s): Claude-Etienne Armingaud
Other key lawyers: Raphael Bloch
(more…)Legal 500 Rankings 2022 – Industry focus: IT, telecoms and the internet – Tier 3 – France
April 11th, 2022 | Posted by in internet | IT | Rankings - (0 Comments) K&L Gates LLP has strong expertise in innovative systems, combining strength in technology, data protection and IP. Notably undertaking innovative and complex work, the team has advised on encryption and security software for Enigma Software/Cyclonis and secure GPS services for ICaune. Developing a focus on connected transport matters, the firm advises some of the biggest names in this growing area. Claude-Etienne Armingaud is the head of the practice.
Practice head(s): Claude-Etienne Armingaud
(more…)International Personal Data Transfers: An Eventful Week
March 25th, 2022 | Posted by in Brexit | Data Transfer | Europe | Privacy - (0 Comments) Transfer from the UK
On 21 March 2022, the United Kingdom finalized the adoption of its own version of the European Union’s (EU) Standard Contractual Clauses (SCC), a contractual mechanism aiming at securing personal data protected under a data protection framework to third countries not deemed to offer an “adequate” level of data protection.
On 16 July 2020, while the United Kingdom was still an EU Member State, the European Court of Justice (CJEU), through its Schrems II decision, added new requirements to the SCC (see our Alert here), relating to safeguards against access to personal data protected under EU’s General Data Protection Regulation (GDPR) by intelligence agencies. As a consequence, the European Union adopted new versions of the SCC in June 2021 (see our Alert here), but the United Kingdom having finalized Brexit in the meantime, did not adopt the new SCCs, instead operating the previous versions of the SCC, and an updated document for transfers initiated under the UK GDPR was needed.
The UK’s draft International Data Transfer Agreement (IDTA) and Addendum were laid before Parliament on 22 February 2022 and finally adopted on 21 March 2022 without changes. The IDTA is an equivalent contract to the SCC, but uses a tabular approach in place of the modules used by the SCC. The alternative instrument that was introduced, the Addendum, provides UK data exporters with a semi-seamless mechanism where they can leverage their existing SCC for transfers initiated under the EU GDPR. The Addendum consists of a form effectively selecting the relevant options of the SCC and amending EU terminology and legal references to UK-specific ones. It is likely to be more widely used than the IDTA, particularly as data exporters with operations in both the UK and the EU will look to reduce the number of contracts they need to enter into. Overall, the IDTA and the Addendum represent a narrowing in the divergence that had appeared recently in the differing safeguards required by the UK and the EU for data exporters engaged in personal data transfers from their respective jurisdictions.
As a reminder:
- Transfers between the EU and the UK do not need any specific measures as per the adequacy decision currently in place (see our Alert here)
- all data transfer agreements under the EU GDPR based on the previous versions of the SCC will need to be migrated to the new SCC on or before 27 December 2022; and
- all data transfer agreements under the UK GDPR executed on or before 21 September 2022 on the basis of any Transitional Standard Clauses (based on the previous versions of the SCC) will need to be migrated to an IDTA or Addendum on or before 21 March 2024.
Transfer from the EU to the US: En Route for Schrems III?
On 25 March 2022, European Commission President Ursula von der Leyen and United States President Joe Biden announced an “agreement in principle” on a new EU-US data sharing system, expected to replace the Privacy Shield framework invalidated under the CJEU’s Schrems II decision in 2020 (see our Alert here).
As no draft of that “agreement” has been circulated, the existing grievances against U.S. intelligence agencies’ access to personal data protected under GDPR remain and concerns relating to ‘effective legal remedies’ available to individuals protected under GDPR (Data Subjects) will need to be addressed. Data activist Maximilian Schrems and his organization, noyb, already announced that they would closely monitor the development of this new framework and challenge any decision which would not abide by the CJEU’s 2020 Schrems II decision.
While such a political statement is encouraging for the future of international data transfers, this announcement should not be construed as relieving companies subject to GDPR’s territorial scope (see our Alert here) from implementing adequate data transfer mechanisms until more concrete elements are adopted.
Such transfer mechanisms notably include:
- A transfer impact assessment (TIA), analyzing the regulatory framework applicable to the destination country and any supplemental technical and organizational measures to be implemented to safeguard the transferred personal data from undue access;
- Implementation of a transfer mechanism, such as the SCC (see above) or adhesion to Binding Corporate Rules, or to a Code of Conduct (see our Alert here).
K&L Gates’ global data protection team (including in each of our European offices) remains available to assist you in achieving the compliance of your data transfers at a global level.
First publication: K&L Gates Hub in collaboration with Noirin McFadden, Thomas Nietsch and Keisha Phippen
French authority falls in line with ECJ position on general retention of metadata
March 16th, 2022 | Posted by in France | Legislation | Press | Privacy - (0 Comments) Quoted by Global Data Review:
Claude-Étienne Armingaud, a partner at K&L Gates in Paris, said the decision would have little impact in practice.
“The new sections adopted in July 2021 are implementing specific and targeted data retention requirements which should therefore comply with both the ECJ decisions and the Constitutional Council decision of today,” he said.
“So, if anything, it’s a tardy decision that was expected and confirmation that the Government did well to anticipate this.”
Read full article here.
Copyright © 2025 All rights reserved.
Designed by 