The UK Government has finally published its highly anticipated Data Protection and Digital Information Bill (the Bill), marking the first significant post-Brexit change to the UK’s data protection regime. Following Brexit, the UK continued following the EU General Data Protection Regulation, incorporated into UK law as the UK GDPR, and the UK implementation of the EU ePrivacy Directive, the Privacy and Electronic Communications Regulations 2003 (PECR), also remained in force.

The Bill is only at the start of the legislative process, and it remains to be seen how it will develop if it is amended during its passage through Parliament, but early indications are that it represents more of an evolution than a revolution in the UK regime. That will come as a relief to businesses that transfer personal data from the EU to the UK, because it reduces the risk that the EU might rescind the UK’s adequacy status.

For a start, the Bill actually preserves the UK GDPR, its enabling legislation the Data Protection Act 2018, and the PECR, because it is drafted as an amending act rather than a completely new legislative instrument. This does not contribute to user-friendliness, as interpreting UK data protection requirements will require a great deal of cross-referencing across texts.

The more eye-catching proposed changes in the Bill include:

  • The inclusion of a list of “legitimate interests” that will automatically qualify as being covered by the lawful basis in UK GDPR Article 6(e).
  • Some limitations on data subject access requests, such as the possibility of refusing “vexatious or excessive” requests.
  • More exemptions from the requirement to obtain consent to cookies.
  • Much higher fees for breach of PECR.

The Bill will now progress through various Parliamentary stages over the coming months in order to become law.

First Publication: K&L Gates Cyber Law Watch in collaboration with Noirin McFadden & Keisha Phippen

On 29 June 2022,  Decree n° 2022-946 (the “Decree”) supplemented the regulatory framework resulting from the Ordinance n° 2021-1247 of 29 September 2021 on the legal warranty of conformity for goods, digital content and digital services (the “Ordinance”). Stakeholders have under 1 October 2022 to implement the following measures, aiming at protecting consumers of digital goods.

1. General information about the Ordinance

Implementing two 2019 European directives on certain aspects of contracts for the supply of digital content and digital services and contracts for the sale of goods (respectively Directives (EU) 2019/770 and 2019/771 dated 20 May 2019), the Ordinance aimed to foster the safety of consumers when purchasing both physical and digital goods and, to a lesser extent, to reduce the environmental impact of digital goods.

This Ordinance amended the French Consumer Code in depth, notably by expanding the legal warranty of conformity, which now covers digital products and services but is also applicable to both B2C as well as B2B contracts, when the latter are executed between professionals and non-professionals (i.e. legal entities acting outside of their direct professional activities).

(more…)

Quoted by Global Data Review:

Claude-Étienne Armingaud, a partner at K&L Gates in Paris, said the decision would have little impact in practice.

“The new sections adopted in July 2021 are implementing specific and targeted data retention requirements which should therefore comply with both the ECJ decisions and the Constitutional Council decision of today,” he said.

“So, if anything, it’s a tardy decision that was expected and confirmation that the Government did well to anticipate this.”

Read full article here.

FEDERAL DECREE-LAW NO. (45) OF 2021 ON PERSONAL DATA PROTECTION

Read the full text.

(more…)

Through its Act no.2020-1266 dated 19 October 2020 (the Act), the French legislator elected to regulate the commercial exploitation of the images of children aged 16 and under on online platforms (Kidfluencers).

Despite the potentially lucrative consequences of these emerging practices, Kidfluencers operated in a legal vacuum which could have resulted in parents exploiting their children, without the latter reaping any financial benefits or regaining any control of their images upon coming of age.

First and foremost, the Act extends the existing legal framework of child models, under Article L7124-1 of the French Labor Code (FLC). As such, Kidfluencers will require a written authorization from the French Administration prior to being engaged or broadcasted, inter alia:

  • By any entertainment provider, regardless of the medium or broadcast type;
  • In order to perform “modeling activities,” broadly defined under Article L7123-2 FLC as presenting oneself, directly or indirectly through the reproduction of one’s image, either through photographs or video, notably by presenting a product, service of commercial message;
  • By eSport competition organizers; and
  • By “Employer whose activities consist in creating audiovisual recording whose main subject is a child aged 16 or under, for the purpose of for-profit broadcasting on an online video sharing platform”.

The latter category was notably introduced to characterize the parents or legal guardians of the influencers as the “employer” of the Kidfluencer. As they may not be as aware of the legal undertakings as the other providers and organizers mentioned, the Administration will provide them with specific information relating to the Kidfluencers’ rights and the risks associated with exhibiting their image online.

Moreover, a portion of the revenue gained by Kidfluencers would be placed in escrow on a French public bank account until their majority.

Secondly, in situation when the broadcast would not be performed for profit, the Act introduces additional protective measures for Kidfluencers: instead of a prior authorization, a simple declaration of the activity will be required, when the published content exceeds certain thresholds in terms of (i) duration or individual items; or (ii) direct or indirect revenues. Such thresholds will be addressed in a supplemental decree to be adopted shortly.

Failing to obtain the authorization or to proceed with the notification would entitle the Administration to seize a court in order to take down the related content.

Finally, the Act also implements a collaborative framework for the online video sharing platforms, and enjoin them to publish dedicated policies to aiming at

  • Informing users of the applicable Kidfluencers’ regulatory framework;
  • Informing Kidfluencers directly of the consequences on their private life of the broadcasting of their image, of the legal and psychological consequences and of the means they have to protect their rights and dignity;
  • Encouraging users to report any content involving Kidfluencers that could affect their dignity, psychological or physical integrity;
  • Preventing the processing of personal data relating to minors for commercial purposes, such as targeted advertisement, further to the broadcasting a Kidfluencers video;
  • Detecting situations where the recording or broadcasting of Kidfluencers’ videos could impact their dignity, psychological or physical integrity; and
  • Helping Kidfluencers to easily exercise their right to be forgotten on the video-sharing platforms.

While a welcomed step to protect children online, sometimes from their own families, the Act will need to be completed with regard to the thresholds triggering its applicability. In addition, by mainly addressing online video sharing platforms, the Act could have benefited from a more homogenous framework for online platform allowing the sharing of both still and moving pictures. Indeed, while still images could be included in the modeling provision, it remains to be seen how extensively it will be enforced.

Amidst the current discussions surrounding the Digital Services Act at the European level, this France-specific framework creates yet another undertaking for online platforms to implement additional measures to support public policies. And by encouraging users to report any content involving Kidfluencers that could affect their dignity, psychological or physical integrity, the Act could generate extra-territorial consequences, forcing the platforms to deploy such reporting mechanism at a global scale.

K&L Gates IP/IT team in Paris remains available to assist you in assessing the changes triggered by this Act. Please get in touch if you would like to discuss the steps that your organization might want to consider to prepare now for this new Kidfluencer framework.

First publication: K&L Gates Fashion Law Watch

The California Consumer Privacy Act of 2018 (CCPA) stands to radically change the way organisations throughout the United States, and even the world, handle personal data. Coming into force on 1 January 2020, CCPA has motivated other U.S. states such as Washington and Texas to move toward having their own privacy laws. Increasingly, pressure is building in Washington, DC, to advance federal privacy legislation, both on the domestic and international scene. In addition to Japan obtaining a GDPR-adequacy recognition (followed soon by Korea and India), Brazil has adopted its General Data Protection Act (GDPA) which is heavily inspired by the EU GDPR and will come into force in August 2020. In this session, hear about the new laws and legislative initiatives, how they will change the way you do business internationally and how to get prepared.

Along with Delphine Charlot, CIPP/E, Senior Counsel, Privacy and Data Protection, Mastercard

On March 29, 2018, French President Emmanuel Macron announced his plan to turn France into a global leader in AI. This political leadership was subsequently translated into the Villani report on AI, highlighting autonomous vehicles (AVs) as a regulatory case study, and the Idrac report on AVs. Following these reports, the regulatory framework is currently being amended. This presentation will outline the key changes and how they will affect AV developments in France and in the EU.

More information on the Future of Transportation World Conference 2019 website.

AV Regulation Publication

A French Revolution, at last?

Despite optimistic statements in 2016 on both sides of the Atlantic (in between the European Commission’s communication on connected cars for Europe, and the Obama administration’s Detroit Auto Show announcement), it would seem that some of the hype surrounding connected and autonomous vehicles (“CAVs”) faltered. One reason may be the desensitization of the general public, as the initially promised 2020 deployment is dawning without a hint of general commercial availability in sight. On the other hand, the intricacies of the regulatory frameworks at stake also hinder the development of consumer-ready offers.

More often than not, France is perceived as an administrative maze, yet may become (unexpectedly to some) a leader in the race to regulating this incoming industry. However, far more than being limited to the automotive industry, regulating CAVs will serve as the blueprint for an artificial intelligence (“AI”) legal framework.

(more…)

While Capitol Hill is inundated with proposed privacy legislations from the Data Breach Prevention and Compensation Act (DBPCA), the CLOUD Act and the ENCRYPT Act, organizations the world over are trying to understand how to get their own regulations deemed adequate enough to ensure the flow of business in the EU, now that GDPR is a reality.
(more…)

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

(more…)