Author Archives: Claude-Etienne Armingaud

Guidelines on transparency under Regulation 2016/679

April 11th, 2018 | Posted by Claude-Etienne Armingaud in Europe | Guidelines | Privacy - (0 Comments)

WP260 rev.01 – Adopted on 29 November 2017 – As last Revised and Adopted on 11 April 2018

Introduction

  1. These guidelines provide practical guidance and interpretative assistance from the Article 29 Working Party (WP29) on the new obligation of transparency concerning the processing of personal data under the General Data Protection Regulation (the “GDPR”). Transparency is an overarching obligation under the GDPR applying to three central areas: (1) the provision of information to data subjects related to fair processing; (2) how data controllers communicate with data subjects in relation to their rights under the GDPR; and (3) how data controllers facilitate the exercise by data subjects of their rights. Insofar as compliance with transparency is required in relation to data processing under Directive (EU) 2016/680, these guidelines also apply to the interpretation of that principle. These guidelines are, like all WP29 guidelines, intended to be generally applicable and relevant to controllers irrespective of the sectoral, industry or regulatory specifications particular to any given data controller. As such, these guidelines cannot address the nuances and many variables which may arise in the context of the transparency obligations of a specific sector, industry or regulated area. However, these guidelines are intended to enable controllers to understand, at a high level, WP29’s interpretation of what the transparency obligations entail in practice and to indicate the approach which WP29 considers controllers should take to being transparent while embedding fairness and accountability into their transparency measures.
  2. Transparency is a long established feature of the law of the EU. It is about engendering trust in the processes which affect the citizen by enabling them to understand, and if necessary, challenge those processes. It is also an expression of the principle of fairness in relation to the processing of personal data expressed in Article 8 of the Charter of Fundamental Rights of the European Union. Under the GDPR (Article 5(1)(a)), in addition to the requirements that data must be processed lawfully and fairly, transparency is now included as a fundamental aspect of these principles. Transparency is intrinsically linked to fairness and the new principle of accountability under the GDPR. It also follows from Article 5.2 that the controller must always be able to demonstrate that personal data are processed in a transparent manner in relation to the data subject. Connected to this, the accountability principle requires transparency of processing operations in order that data controllers are able to demonstrate compliance with their obligations under the GDPR.
  3. In accordance with Recital 171 of the GDPR, where processing is already under way prior to 25 May 2018, a data controller should ensure that it is compliant with its transparency obligations as of 25 May 2018 (along with all other obligations under the GDPR). This means that prior to 25 May 2018, data controllers should revisit all information provided to data subjects on processing of their personal data (for example in privacy statements/ notices etc.) to ensure that they adhere to the requirements in relation to transparency which are discussed in these guidelines. Where changes or additions are made to such information, controllers should make it clear to data subjects that these changes have been effected in order to comply with the GDPR. WP29 recommends that such changes or additions be actively brought to the attention of data subjects but at a minimum controllers should make this information publicly available (e.g. on their website). However, if the changes or additions are material or substantive, then in line with paragraphs 29 to 32 below, such changes should be actively brought to the attention of the data subject.
  4. Transparency, when adhered to by data controllers, empowers data subjects to hold data controllers and processors accountable and to exercise control over their personal data by, for example, providing or withdrawing informed consent and actioning their data subject rights. The concept of transparency in the GDPR is user-centric rather than legalistic and is realised by way of specific practical requirements on data controllers and processors in a number of articles. The practical (information) requirements are outlined in Articles 12-14 of the GDPR. However, the quality, accessibility and comprehensibility of the information is as important as the actual content of the transparency information, which must be provided to data subjects.
  5. The transparency requirements in the GDPR apply irrespective of the legal basis for processing and throughout the life cycle of processing. This is clear from Article 12 which provides that transparency applies at the following stages of the data processing cycle:

Go to the full Guidelines.

K&L Gates LLP’s E. Drouard has substantial experience in advising clients on data protection while Claude-Etienne Armingaud specialises in cross-border transactions and outsourcing contracts in the fields of fintech, IoT and big data.

Notable transactional work included Armingaud’s advice to Bridgestone on its €12m share deal with Eliocity/Xee, which also entailed assistance with IT, IP and data protection due diligence. On the data protection front, the practice’s caseload includes advice to Carglass on the implementation of its GDPR compliance programme, and assisting BNP Paribas with its personal data privacy policy. The department’s client roster also includes JCDecaux, Microsoft, SNCF and SloClap.

Source: Legal 500

The French Autorité des Marchés Financiers has recently published a synthesis of the contributions it received in response to its public consultation on Initial Coin Offerings (ICOs) to obtain stakeholder views on how these new types of blockchain offerings might be regulated.

The consultation included a presentation of ICOs, a warning on the risks they present, a legal analysis of ICOs with respect to the rules overseen by the AMF and the regulatory options proposed by the AMF. Respondents were invited to give their views on all of these points.

The English version of the synthesis can be found here, the French version here and our previous coverage of the consultation can be found here.

First published on K&L Gates Fintech Law Blog.

Mode information on K&L Gates website

On 26 October 2017, France’s Financial Markets Authority, the “Autorité des Marchés Financiers” (“AMF”), published a discussion paper focusing on initial coin offerings (“ICOs”) that highlights the (many) dangers that arise from these unregulated transactions and discusses the regulation options that it currently foresees.
(more…)

The French Connected Cars “Compliance Package” in EU Pole Position

October 19th, 2017 | Posted by Claude-Etienne Armingaud in Connected Cars | France | Privacy - (0 Comments)

On 17 October 2017, after about 18 months of waiting, a consultation involving more than 20 players, and two intermediate versions, the French Data Protection Authority (“Commission Nationale de l’Informatique et des Libertés” or “CNIL”) has released the final version of its “compliance package” on Connected Cars (“Compliance Package”).

(more…)

In June 2017, the Article 29 Working Party – the gathering the all Member States’ Data Protection Authorities (DPAs) – announced that the five last guidelines to be adopted as companion pieces to the General Data Protection Regulation (“GDPR”) would be published in December 2017. Further to this announcement, the French DPA, the CNIL, is now seeking the contributions of the relevant stakeholders impacted by two out of five topics, whether they be sole or joint “data controllers”, “data processors” or “data subjects”.

(more…)

Further to the adoption of Act no.2016-1691, dated 9 December 2016, on Transparency, Anti-Corruption and Modernization of Economic Life (“Sapin II” – see our compliance coverage here) and the public consultation whose results were made public on 30 August 2017 (see our coverage here), the French Ministry of Finance published a draft document aiming at adapting the French legal framework to the use of blockchain technology.

The proposed draft (which may be accessed here in French) address the possibility, for company, to register in a “shared electronic registry”:

  • Negotiable debt securities;
  • Units or shares of undertakings for collective investment;
  • Capital securities issued by corporations and debt securities other than negotiable debt securities, provided that they are not traded on a trading platform

The conditions under which such registration would possible expressly exclude any item admitted to the operations of a central depository or delivered in a system for the payment and delivery of financial instruments. In addition, the bylaws of the issuer must expressly provide for the possibility to use such shared electronic registries.

In any case, the French regulatory framework would subject to French law whenever the issuer is headquartered in France or the issuance itself is already governed by French law.

Additional technical measures will subsequently be devised by a supplementing Decree, in order to provide the required safeguards.

While assessing the relevancy of a blockchain framework for corporate titles remains difficult in the absence of such technical details, all players are welcome to provide the Ministry with observations on the proposed framework until 9 October 2017.

First published on the K&L Gates Fintech Law Blog with Emilie Oberlis.

The French Act no.2016-1691 dated 9 December 2016 on Transparency, Anti-Corruption and Modernization of Economic Life (Or “Sapin II” – see our compliance coverage here) empowered the Government to amend the regulatory framework to facilitate the transmission of certain financial securities through blockchain technology

1)Article 120 of Sapin II “The Government may by way of executive orders within the 12 months following this Act take the measures necessary to (…) … Continue reading

In order to prepare such executive order, the Ministry of Finance initiated last Spring a public consultation, whose results were made public on 30 August 2017.

The 43 contributions included the points of view of local associations, banks, management companies, fintech pure players, academics, law firms and consultants, and provided operational and technical aspects to be taken into consideration in order for the new regulatory framework not to hinder the adoption of blockchain technology, while balancing security and foreseeability for all the players involved.

(more…)

References

References
1 Article 120 of Sapin II “The Government may by way of executive orders within the 12 months following this Act take the measures necessary to (…) amend the regulatory framework applicable to securities in order to allow the representation and the transmission (via a shared electronic recording device) of securities that are not admitted to the operations of a central depositary or a system of payment and delivery of financial instruments.”

K&L Gates ranked “Recommended – Band 2” with E. Drouard & Claude-Etienne Armingaud.

Source: Leaders League