Author Archives: Claude-Etienne Armingaud

Survey on the Economics on Personal Data on Mobile Apps Launched by France’s Privacy Watchdog

January 27th, 2023 | Posted by Claude-Etienne Armingaud in France | Privacy - (0 Comments)

This survey follows the CNIL’s announcement on 24 November 2022 that it aims at “better understanding the economic challenges associated with the collection and processing of personal data in mobile applications” as part of its 2022-2024 strategic plan.

The CNIL considered data collection via mobile applications greatly lacks transparency as opposed to cookies collection on websites.

The expected inputs are to be used for the purpose of drafting recommendations to be submitted to public consultation during the second semester of this year.

Concurrently to its ever-active enforcement of website cookie framework, the CNIL also recently started going after mobile applications for their use of personal data, often leverage as a primary source of revenue for free-to-play mobile games. The most recent example being the French mobile game publisher Voodoo SAS, with a fine of EUR3 million for breach of user consent for targeted ads on 29 December 2022. Indeed, the CNIL considered that even when users did not consent to the tracking for advertising purposes, Voodoo still accessed the IDFV (Apple’s “IDentifier For Vendors” (“IDFV”) – an identifier assigned to app operators, which facilitates targeted advertising) and processed browsing information for advertising purposes, constituting a violation of French privacy law and the GDPR.

The CNIL now calls for economic contributions from experts, interest groups, regulatory entities and experienced private individuals in the field. The call for contributions closes on 10 February 2023. Contributions can be submitted by completing a questionnaire and/or a written statement at the following email address: ecodesapplis@cnil.fr.

All contributions will be covered by professional secrecy and will be published in the form of a synthetic and aggregated report.

First publication on Cyber Law Watch with Camille Scarparo.

EU Digital Services Act: Fundamental Changes for Online Intermediaries?

November 5th, 2022 | Posted by Claude-Etienne Armingaud in Competition | eCommerce | Europe | internet | Legislation - (0 Comments)

On 27 October 2022, the Digital Services Act (DSA) was published in the EU Official Journal as Regulation (EU) 2022/2065, with the aim to fully harmonize the rules on the safety of online services and the dissemination of illegal content online. The Digital Services Act will require online intermediaries to amend their terms of service, to better handle complaints, and to increase their transparency, especially with respect to advertising.

(more…)

, , , , , ,

🇫🇷 Flottes connectees, reglementation et experiences reussies

October 27th, 2022 | Posted by Claude-Etienne Armingaud in Conference | Connected Cars | France | Privacy - (0 Comments)

Très heureux d’avoir accueilli ce matin en nos locaux GEOTAB pour la conférence « Flottes connectées, réglementation et expériences réussies », modérée par François Denis, Directeur Général France GEOTAB.

Claude-Etienne Armingaud, CIPP/E, associé Protection des données, nous a exposé les enjeux du droit des données à caractère personnel en lien avec les véhicules connectés.

Pascal Six, Business Development Manager, a retracé la manière dont GEOTAB a développé et continue d’adapter son offre, dans le respect des lois applicables en matière de protection des données à caractère personnel.

Pour terminer, Bertrand MATHIEU Directeur des Opérations VAC / Hardouin Loc, nous a fait part de son expérience client réussie avec GEOTAB.

Merci aux intervenants et participants !

UK Data Protection: Beware of the Consequences of Unsolicited Marketing Emails

October 12th, 2022 | Posted by Claude-Etienne Armingaud in English | Europe | Marketing | Privacy - (0 Comments)

Sending unsolicited marketing emails could prove costly to UK organisations, as bike and car accessory retailer Halfords have recently discovered.

Last month, Halfords were handed a fine of £30,000 by the Information Commissioner’s Office (ICO) for sending around half a million unsolicited marketing email messages to customers who had not previously opted-in to marketing (see here).

The fine was issued under the Privacy and Electronic Communications Regulations (PECR), which gives people specific privacy rights in relation to electronic communications and restricts how unsolicited direct marketing is carried out.

An investigation carried out by the ICO found that the retailer broke the laws governing electronic communications by sending out emails relating to a government voucher scheme that gave people £50 off the cost of repairing a bike at any participating store or mechanic in England. The email not only pointed customers to the government website, it also invited them to book a bike assessment and to redeem their voucher at their chosen Halfords store. The ICO concluded that the insinuation of Halfords having a direct connection with the government scheme encouraged its customers to redeem the voucher in its stores and that Halfords was therefore advertising its own services.

PECR prevents organisations from sending emails or messages to people unless they have consented to it or they are an existing customer who has bought similar products or services in the past (known as the “soft opt-in” rule).

Halfords argued that the email constituted a service message and should not be categorised as direct marketing, but the ICO maintained that the email did constitute direct marketing because it satisfied the definition of such under Paragraph 35 of the ICO’s Direct Marketing Guidance (see here).  In addition, the ICO concluded that the soft opt-in rule could not apply because the targeted customers had already opted out. 

Andy Curry, Head of Investigations at the ICO said: “This [decision] sends a message to similar organisations to review their electronic marketing operations, and that we will take necessary action if they break the law.”

First publication: K&L Gates Cyber Law Watch in collaboration with Keisha Phippen

🇺🇸 AntiCor France, Surmontez les defis du RGPD et des lois sur la protection de la vie privee dans le contexte de l’anti-corruption

October 10th, 2022 | Posted by Claude-Etienne Armingaud in Conference | Data Transfer | Europe | France | Privacy - (0 Comments)

Claude-Etienne, Armingaud, Associé
K&L Gates

Stéphane Bonifassi, Associé fondateur
Bonifassi Avocats

Les options d’examen et d’analyse assistées par la technologie sont de plus en plus utilisées dans les enquêtes internes et externes, notamment par les multinationales. L’utilisation de l’analyse des données peut apporter efficacité, précision et réduction des coûts. Cependant, le croisement entre le droit et la technologie soulève des préoccupations uniques en matière de protection de la vie privée et d’autres questions juridiques lors des enquêtes internes et externes : cette session permettra de vous mettre à niveau. Les sujets de discussion incluront :

  • Étudier la manière dont l’analyse des données et la découverte électronique peuvent aider les enquêtes multinationales.
  • Comprendre vos obligations selon la loi Schrems II, le RGPD et d’autres législations.
  • Apprendre les meilleures pratiques pour se conformer à ces obligations lors des enquêtes internes ou externes, de la diligence raisonnable et de la dénonciation des dysfonctionnements.
  • Comparer et intégrer des lignes directrices de la CNIL et du Conseil européen de la protection des données, entre autres.
  • Déterminer l’impact de la proposition de cadre transatlantique pour la protection des données sur votre pratique quotidienne.

Plus d’information

Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) (Text with EEA relevance) [Full Text]

September 14th, 2022 | Posted by Claude-Etienne Armingaud in Competition | English | Europe | internet | IT | Legislation | Marketing | Privacy | Social Networks - (0 Comments)

Read the full text.

(more…)

, , , ,

K&L GATES ADVISES ENVISION DIGITAL ON ACQUISITION OF QOS ENERGY

September 2nd, 2022 | Posted by Claude-Etienne Armingaud in Communication | Deal - (0 Comments)

Global law firm K&L Gates has advised Envision Digital, one of the world’s largest managers of renewable energy, on its acquisition of the Nantes-based software publisher QOS Energy. 

Envision Digital, which operates the EnOSTM net zero platform, manages more than 400 GW of renewable energy globally. The Singapore-headquartered company has more than 1,000 employees and 12 international offices, spanning the United Kingdom, France, Germany, the Netherlands, Norway, Malaysia, China, Japan, and the United States.

Founded in Nantes in 2010, QOS Energy is a leading provider of energy management software. It has developed a web-based platform called “Qantum,” dedicated to monitoring and managing the performance of solar and wind energy production and storage facilities.

The Paris-based deal team advising Envision Digital was led by Raphaël Bloch (partner) with the assistance of Samuel Boccara (senior associate). Employment law advice was provided by Christine Artus (partner) and Natacha Meyer (associate), while Claude-Etienne Armingaud (partner) and Camille Scarparo (associate) advised on intellectual property and IT matters. Additional support was provided by Brussels-based partners Melanie Bruneau and Philip Torbøl and counsels Miguel Angel Caramello Alvarez and Antoine de Rohan Chabot, who advised on foreign investment-related issues, and Singapore-based client relationship lawyers Lai Foong Chan and Lucas Nicolet-Serra.

The New Digital Frontiers: How IP is adapting to virtual worlds, from NFTs to virtual products

August 24th, 2022 | Posted by Claude-Etienne Armingaud in Blockchain | Intellectual Property | Trademarks - (0 Comments)

Virtual products, the metaverse, and non-fungible tokens (NFTs) have recently been expanding and receiving considerable attention from investors, the general public; as well as the art world – within the span of a year, NFT-backed virtual works of art have been reaching new height, from Beeple, Everydays: The First 5000 Days (March 2021 – US$ 69.3) to The Merge (December 2021 – US$ 91.8). Today, the most valuable living artist in history is a virtual work of art author (Pak, author of The Merge).

With the rise of this new market, numerous stakeholders have tried to expand the protection of these digital creations through trademark registration before the European Union Intellectual Property Office (EUIPO) or its national counterparts in the European Union. However, they also found that the current 11th Nice Classification lacked clarity and precision on that matter. Indeed, the “virtual goods” may represent an electronic version of an existing tangible goods, but the applicants were likely to face rejection from the trademark offices, as the classification as a “good” still requires a physical embodiment.

In June 2022, the EUIPO finally addressed this issue to provide clarity, by going on the record to consider virtual products (including NFTs, or more likely the underlying virtual works to which such NFTs would be appended) as digital content or images, hence belonging to Class 9 which encompasses instruments for science or research, audio-visual and information technology equipment, as well as security and safety equipment. This new approach is part of its 2023 draft Guidelines which aims at harmonising IP practices across the EUIPO, increasing predictability and ensuring compliance, consistency and coherence.

Consequently, virtual goods and NFTs will be added to the upcoming 12th edition of the Nice Classification. However, the EUIPO rightfully considers NFTs to be certificates, distinct from the virtual element they authenticate. A specific wording has been established in the draft directive, namely “downloadable digital files authenticated by non-fungible token”, the term “non-fungible token” being deemed, in and of itself, not acceptable by EUIPO without a proper link to the underlying asset.

The EUIPO is not going to further modify this Class to address all possible situation, but advises applicants to specify which content the virtual products are referring to, e.g.“downloadable virtual products, namely virtual pieces of furniture.

Concerning virtual services and NFTs, the actual principles are maintained and applicants need to refer to pre-established definitions.

This decision from EUIPO allows for the facilitation of virtual products and NFTs trademarks. Internal and external stakeholders have until 3 October 2022 to escalate observations on draft directives to the EUIPO.

First publication on the K&L Gates IP Blog in collaboration with Louise Bégué

Italy: Supervisory Authority Weighs in on Website Analytics

July 29th, 2022 | Posted by Claude-Etienne Armingaud in cookies | English | Europe | internet | Privacy | Social Networks - (0 Comments)

Following the positions expressed by the Austrian, German and French Supervisory Authorities (see our previous Alert), the Italian Supervisory Authority (Garante per la Protezione dei Dati Personali, Garante-) published on 9 June 2022 a specific measure, according to which website analytics solutions used to measure online audience (Analytics Service Solutions) infringe on the EU General Data Protection Regulation no. 2016/679 (GDPRexternal source) when such use implies a transfer of personal data to a third country without an adequate level of personal data protection, such as the United States. Generally speaking, the Garante, aligned its position on the matter with its counterparts.

(more…)

UK: Government Publishes New Proposed Data Protection Law

July 27th, 2022 | Posted by Claude-Etienne Armingaud in English | Europe | Legislation | Privacy - (0 Comments)

The UK Government has finally published its highly anticipated Data Protection and Digital Information Bill (the Bill), marking the first significant post-Brexit change to the UK’s data protection regime. Following Brexit, the UK continued following the EU General Data Protection Regulation, incorporated into UK law as the UK GDPR, and the UK implementation of the EU ePrivacy Directive, the Privacy and Electronic Communications Regulations 2003 (PECR), also remained in force.

The Bill is only at the start of the legislative process, and it remains to be seen how it will develop if it is amended during its passage through Parliament, but early indications are that it represents more of an evolution than a revolution in the UK regime. That will come as a relief to businesses that transfer personal data from the EU to the UK, because it reduces the risk that the EU might rescind the UK’s adequacy status.

For a start, the Bill actually preserves the UK GDPR, its enabling legislation the Data Protection Act 2018, and the PECR, because it is drafted as an amending act rather than a completely new legislative instrument. This does not contribute to user-friendliness, as interpreting UK data protection requirements will require a great deal of cross-referencing across texts.

The more eye-catching proposed changes in the Bill include:

  • The inclusion of a list of “legitimate interests” that will automatically qualify as being covered by the lawful basis in UK GDPR Article 6(e).
  • Some limitations on data subject access requests, such as the possibility of refusing “vexatious or excessive” requests.
  • More exemptions from the requirement to obtain consent to cookies.
  • Much higher fees for breach of PECR.

The Bill will now progress through various Parliamentary stages over the coming months in order to become law.

First Publication: K&L Gates Cyber Law Watch in collaboration with Noirin McFadden & Keisha Phippen