Best Lawyers France 2021 – Privacy and Data Security Law

November 2nd, 2021 | Posted by Claude-Etienne Armingaud in France | Privacy | Rankings - (0 Comments)

Claude-Etienne Armingaud from K&L Gates ranked among the Best Lawyers France 2021 for Privacy and Data Security Law

Algo Avocats - Sandra Tubert Altana - Pierre Lubet Artemont - Farid Bouguettaya August Debouzy - Florence Chaffiol Baker McKenzie - Magalie Dansac Le Clerc Bid & Bird - Merav Griguer, Ariane Mole Bouchara & Avocat - Navessa Bouchara Vercken & Gaullier - Florence Gaullier Cohen & Gresser - Guillaume Seligmann Cornet Vincent Ségurel - François Herpe De Gaulle Fleurance & Associés - Georges Courtois, Jean-Marie Job Delcade - Olivier Hayat Delsol Avocat - Jeanne Bossi Malafosse Derrienic Associés - Alexandre Fiévée, Fran_ois-Pierre Lani, Pierre-Yves Margnous DLA Piper - Denis Lebeau-Marianna, Carol Umhoefer Eversheds Sutherlands - Vincent Denoyelle EY - Yaël Cohen-Hadria Fréal Schiul Sainte Marie Willemant - Christinae Feral-Schulh, Bruno Grégoire Sainte Marie, Justine Sinibaldi Franklin - Valérie Aumage Gibson Dunn & Crutcher - Ahmed Baladi, Vera Lukic Herald Avocats - Anne Cousin Hogan Lovells - Etienne Drouard K&L Gates - Claude-Etienne Armingaud Latham & Watkins - Jean-Luc Juhan, Myria Saaarinen Latournerie Wolfrom - Marie-Hélène Tonnelier Lxing - Chloé Torres Luzi Avocats - Olivia Luzi McDermott Will & Emery - Romain Perray Mulliez Avocats - Florence Mulliez Next Avocat - Etienne Papin Osborne Clarke - Claire Bouchenard, Béatrice Delmas-Linel Racine - Hélène Cournarie Reinhart Marville Torre - Laurent Marville Squire Patton Boggs - Catherine Muyl Taj - Hérvé Gabadou White & Case - Clara Hasindork, Bertrand LIard

Source: Best Lawyers

, , , ,

Leaders League Ranking 2021 – Health, pharma & biotechnology – E-Health – France

October 7th, 2021 | Posted by Claude-Etienne Armingaud in Rankings - (0 Comments)

K&L Gates ranked “Recommended” with Claude-Etienne Armingaud in e-health and connected heath.

Source: Leaders League

🇺🇸 GDPR developments under focus on day one of PrivSec Global

September 22nd, 2021 | Posted by Claude-Etienne Armingaud in Conference | Data Transfer | Europe | Privacy | World - (0 Comments)

On a first day packed with fascinating insight at PrivSec Global, experts explored lessons that enterprise organisations have learned from the first three years of the GDPR.

(more…)

GDPR – Brexit UK Consults On New Data Protection Regime

September 15th, 2021 | Posted by Claude-Etienne Armingaud in Brexit | Privacy - (0 Comments)

The UK government has unveiled its much-trailed plans to reform its data protection laws, outlined in a consultation document which is open for public comment until 19 November 2021.

Since Brexit was finalised at the start of 2021, the United Kingdom has retained much of the EU General Data Protection Regulation. The government’s plans, if implemented, would see the UK move away from the EU’s approach in several key ways, which may lead to trouble for the continuation of the adequacy decision granted by the EU in June. If terminated, the adequacy decision, currently permitting free flows of personal data between the EU and the UK, could cause increased costs and bureaucracy for businesses on both sides of the Channel to continue their data transfers. 

Some of the changes to the UK GDPR proposed in the consultation document are:

  • Making the legitimate interests lawful basis easier to use, by publishing a limited, exhaustive list of legitimate interests that organisations can use without having to complete a balancing test.
  • Removal of the right to human review of decisions made on the basis of solely automated data processing.
  • Introducing a fee for responding to subject access requests and allowing organisations to refuse to comply with requests at a lower threshold than “manifestly unfounded”, as allowed in the current legislation.

The proposals also introduce potential changes to the UK’s Privacy and Electronic Communications Regulations, including:

  • Increasing the current maximum penalty of £500,000 for breaches of the direct marketing regulations to the higher of 4% of global turnover or £17.5 million, thereby matching the maximum penalty under UK GDPR.
  • Removing the requirement for websites to obtain consent before serving some analytics cookies.
  • Extending the “soft opt in” for direct marketing to organisations other than businesses, such as charities and political parties.

First publication: Cyber Law Watch with Noirin McFadden

, ,

GDPR – Irish Supervisory Authority Fines WhatsApp EUR 225m

September 9th, 2021 | Posted by Claude-Etienne Armingaud in Privacy - (0 Comments)

Further to investigations initiated by the Data Protection Commission (or DPC, the Irish supervisory authority) in 2018, Whatsapp Ireland Limited has received a EUR 225 million fine on 2 September 2021. The company infringed multiple GDPR provisions including in relation with the information provided to data subjects which breached the obligation to ensure transparency of processing (Articles 13 and 14 GDPR).

Following GDPR’s one-stop-shop mechanism and as WhatsApp operates cross-border flows of personal data, the DPC had initially been designated as lead supervisory authority (‘LSA’). Article 60 GDPR requires the LSA to submit a draft decision to its impacted counterparts across the European Union (the ‘Concerned Supervisory Authorities’). Such draft has been submitted in December 2020 and the Hungarian, Portuguese, Italian, French, Dutch, Polish, German (local and federal) Concerned Supervisory Authorities unanimously raised objections to the DPC in January 2021. The objections mostly addressed the lax approach by the DPC in the assessment of WhatsApp’s breach of GDPR as well as the amount of the initially contemplated fine in view of the dozens of millions of individuals affected by such breach across the European Union.

This resulted in a non-consensual situation, escalading to the dispute resolution process under Article 65 GDPR conducted by the European Data Protection Board (EDPB). The binding decision, adopted on 28 July 2021 and subsequently notified to the DPC, required the Irish supervisory authority to reassess and increase the fine, thus leading to the second-highest fine under GDPR since its entry into force in 2018.

First publication: Cyber Law Watch with Camille Scarparo & Léa Fertani

🇺🇸 PrivSec Global – Global Data Protection and Privacy Law Developments: What Lessons Have Enterprise Organisations Learned from the First Three Years of The GDPR

September 6th, 2021 | Posted by Claude-Etienne Armingaud in Conference | Data Breach | Data Transfer | Europe | Privacy - (0 Comments)

GDPR fines have been increasing over the last 18 months, and it is proving to be a complex environment for the regulators and the regulated. But GDPR has not led to seismic changes (the possibility of entirely new operating models, for example), but has had a major effect on the ways organizations collect and use data. This panel will discuss the last few years and look ahead to gauge what we have learned and how things will and should change.

Speakers Include:

Jacob Høedt Larsen, Head of Communications, Wired Relations

Andreea Lisievici, Head of Data Protection Compliance, Volvo Car Corporation

Claude-Etienne Armingaud, CIPP/E, Partner & Practice Group Coordinator – Technology, Sourcing and Privacy, K&L Gates

More information.

, , , , ,

GDPR – UK Unveils Plan to Diverge from GDPR

September 6th, 2021 | Posted by Claude-Etienne Armingaud in Brexit | Data Transfer | Privacy - (0 Comments)

The UK government has announced that it intends to consult on a new, post-Brexit data protection regime, potentially moving away from the UK General Data Protection Regulation that currently underpins the UK’s data protection legislation. The Digital Secretary, Oliver Dowden, said, “It means reforming our own data laws so that they’re based on common sense, not box-ticking.

A public consultation on the new legislation will follow, but it is clear that the United Kingdom must be careful about any changes it makes to its data regime in order to avoid disrupting the EU-UK adequacy decision with EU GDPR awarded just two months ago. The adequacy decision allows personal data from the European Union to flow freely to the United Kingdom (and vice versa), without businesses needing to put any additional paperwork in place. In granting the adequacy decision, the European Union placed particular emphasis on the fact that the United Kingdom was continuing to base its data protection laws on the same EU GDPR rules that had applied when it was a member of the European Union. A European Commission spokesperson commented that the EU will be closely monitoring any developments in UK data laws and noted that: “In case of problematic developments that negatively affect the level of protection found adequate, the adequacy decision can be suspended, terminated or amended, at any time by the Commission.

It will be interesting to see how far the United Kingdom diverges, particularly as the current trend is that other countries seem to be keen to state that their data protection laws closely follow the EU GDPR.

The UK government also announced that its preferred candidate to be the next Information Commissioner, head of the UK data protection regulator, will be John Edwards, currently in charge of New Zealand’s data regulator, a country that also maintains an EU adequacy decision.

First publication: K&L Gates Cyber Law Watch Blog with Noirin McFadden

GDPR – France Fines Monsanto EUR 400,000 in relation with lobbying practices

July 30th, 2021 | Posted by Claude-Etienne Armingaud in Competition | France | Privacy - (0 Comments)

The French data protection Supervisory Authority (The CNIL) has issued a fine totaling EUR 400,000 against Monsanto for failing to inform individuals whose personal data was collected and processed  for lobbying purposes.

Further to the revelation by several media outlets, in May 2019, that Monsanto kept records on more than 200 political and civil society figures (e.g. journalists, environmental activists, scientists or farmers) likely to influence the debate or public opinion on the renewal of the authorization of glyphosate in Europe, the CNIL received seven complaints from individuals whose personal data was included in those records. The personal data included in those records included professional details (e.g. company name, position, business address, business phone number, mobile phone number, business email address and Twitter account), along with a score of 1 to 5, aiming at evaluating  their influence, credibility and support for Monsanto on various topics such as pesticides or genetically modified organisms.

(more…)

EU-UK Adequacy Decisions Finalized

June 30th, 2021 | Posted by Claude-Etienne Armingaud in Brexit | Data Transfer | Privacy - (0 Comments)

On 28 June 2021, within 48 hours of the expiration of the post-Brexit grace period under the UK-EU Trade and Cooperation Agreement, the European Commission has adopted two adequacy decisions addressing the transfers of personal data to the United Kingdom under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive, respectively (together, the UK Adequacy Decisions).

Both texts prohibit the transfer of personal data to “third countries” unless (a) the destination country benefits from (i) an adequacy decision or (ii) appropriate safeguards, such as standard contractual clauses (see our alert here) or codes of conduct (see our alert here); or (b) one of the limited derogations under Article 49 GDPR applies.

The UK Adequacy Decisions will allow a seamless flow of personal data between the United Kingdom and the European Union, concluding a six-month race against time (see our alert here).

Key Points to Note:
  1. Despite the severe concerns raised by the European Data Protection Board in its Opinion 14/2021, due to the United Kingdom’s national security, intelligence, and surveillance regime, the European Commission deemed that the United Kingdom provided for “strong safeguards” in relation to access to personal data by public authorities for national security reasons. 
  2. The European Commission will closely monitor any evolution in the UK data protection framework that would lead to divergence with the EU regulations. This is particularly relevant because the United Kingdom announced it could revise its privacy framework for a more liberal approach in the coming months (see the Final Report from the Task Force on Innovation, Growth and Regulatory Reform), foreshadowing the UK government’s National Data Strategy, currently under consideration. As such, the European Commission may intervene at any given point to repeal the UK Adequacy Decisions.
  3. The UK Adequacy Decisions are subject to a sunset clause, i.e., unless expressly renewed, based on a new assessment of the UK regulatory framework, the UK Adequacy Decisions will expire in four years. This is markedly a different process from prior adequacy decisions, which typically renew by default without any need to go through a new review and adoption process. The addition of the sunset clause seems to suggest that the United Kingdom’s cards have been marked, and if the relationship between the United Kingdom and the European Union deteriorates in the next few years, this could mean the end of EU-UK adequacy at that time.
  4. For the time being, any personal data transfers relating to UK immigration control are excluded from the scope of the UK Adequacy Decisions, pending remediation under UK law.
  5. While the United Kingdom now belongs to the increasing group of third countries benefiting from an adequacy decision (including Japan and the Republic of Korea), it does not relieve companies subject to the UK data protection framework from the requirement to appoint an EU representative under Article 27 GDPR or, similarly, for EU companies subject to the UK GDPR to appoint a representative in the United Kingdom.

The firm’s global data protection team (including in each of our European offices) remains available to assist you in achieving the compliance of your data transfers at global levels.

First publication: K&L Gates Hub in collaboration with Sunny J. KumarNoirin M. McFaddenKeisha Phippen

A New Framework for Transfers of Personal Data EU and Korea Conclude Adequacy Decision Talks

June 25th, 2021 | Posted by Claude-Etienne Armingaud in Data Transfer | Europe | Privacy | World - (0 Comments)

BACKGROUND

On 30 March 2021, the European Commission, in a joint statement with the Personal Information Protection Commission, the data protection authority of the Republic of Korea (Korea), declared that Korea ensured a level of protection for personal data that is similar to the level provided in the European Union (the EU) and, as such, is a jurisdiction deemed “adequate.” Further to this joint declaration, the European Commission completed its internal procedures and formally adopted the substance of this joint statement in a draft adequacy decision published on 14 June 2021. Once finalized, businesses will be allowed to transfer personal data freely from the EU and European Economic Area (EEA) to Korea without being required to provide further safeguards as required for “third country transfers” under the EU General Data Protection Regulation 2016/679 (GDPR). Once so adopted, the adequacy decision would cover transfers of personal data to commercial operators located in Korea, as well as Korean public authorities. However, the transfer of personal credit information that is subject to jurisdiction of Korea’s Financial Services Commission will be excluded from the coverage of the adequacy decision.  

The adequacy decision only relates to the transfer of personal data from the EU/EEA to a recipient in Korea, but it does not cover the general applicability of GDPR. In this context, any company (even outside the EU/EEA) that directly collects personal data from EU residents in connection with offering goods or services or monitoring of behavior of EU residents will still need to comply with the obligations set out in the GDPR for its collection of personal data. Also, significantly, the adequacy decision only covers data flow in one direction, from the EU to Korea, but not in the opposite direction, i.e., from Korea to the EEA. As noted below, barring any further statutory amendments, Korean privacy laws still require data handlers to obtain the consent of data subjects (as opposed to an opt-out) prior to transferring their personal data outside of Korea.

The conclusion of adequacy talks between Korea and the European Commission is a major step in their ongoing four-year dialogue regarding mutual recognition of personal data protection regimes. Korea has been preparing for this adequacy decision since 2015, when the Korean government established a joint public-private sector task force, which was charged with conducting data regulation-related feasibility studies, self-assessments, and comparative analyses in preparation for the first round of adequacy negotiations with the EU in 2017. After two extensive rounds of adequacy negotiations between the representatives of the European Commission and Korea ended without an adequacy finding, Korea decided to make significant amendments to its data protection laws. Such amendments were enacted by the National Assembly, Korea’s national legislature, in January 2020 and became effective in August 2020, thus paving the way for the March 2021 joint statement.

(more…)

, , , , ,