As of 1 January 2021, the Brexit transition period (Transition Period) ended, and the United Kingdom (UK) officially finalized its exit from the European Union (EU) and the 11th-hour commercial agreement (Agreement) should allow for a smoother transition on the data protection front as the General Data Protection Regulation (GDPR) stops being directly applicable to the UK. It also provided the UK with a six-month grace period to hope for an adequacy decision that would allow for the free transfer of personal data from the EU to the UK.

As the European Data Protection Board (EDPB) amended on 13 January 2021 its Brexit communications² further to the Agreement (Communications), it only addresses:

  • The issue of data transfers from the EU to the UK;
  • The end of the One-Stop-Shop (OSS) mechanism for the UK; and
  • The need for UK entities that would be subject to GDPR to appoint a representative further to Art. 27 GDPR.

However, aside from enacting the end of the OSS and commenting that “the EDPB has been liaising with the ICO [Information Commissioner’s Office, the UK’s Supervisory Authority] over the past months in order to enable a smooth shift to this new situation by ensuring that the EEA authorities follow a shared and efficient approach in handling the existing complaints and cross-border cases involving the ICO, whilst minimizing delays and possible inconveniences to affected complainants[,]” the EDPB did not comment on how such collaboration will effectively play out for companies whose lead Supervisory Authority was the ICO.

Read the full article on Radar First blog.

43rd EDPB Meeting

December 17th, 2020 | Posted by Claude-Etienne Armingaud in Europe | Privacy - (0 Comments)
  1. Adoption of the minutes and of the agenda, Information given by the Chair
    1. Minutes of the 42nd EDPB meeting
    2. Draft agenda of the 43rd EDPB meeting
  2. Consistency mechanism, Guidelines and EDPB
    1. Key Provision ESG
      1. Guidelines on restrictions under Article 23 GDPR
    2. Financial Matters ESG
      1. Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR (after public consultation)
    3. International Transfer ESG
      1. Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies (after public consultation)
  3. Current Focus of the EDPB Members
    1. Data Governance Act COM (2020) 767 proposal – presentation by European Commission
    2. Information about the European Commission request for a joint EDPS-EDPB opinion regarding the Data Governance Act
    3. EDPB Strategy
    4. Support Pool of Experts
    5. Request for information from the European Commission regarding Brexit state of play (end of transitional period as well as the impact on EU-UK data flows and further information on possible adequacy decisions)
    6. Information note on data transfers under the GDPR to the United Kingdom after the Brexit transition period
  4. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat
    1. Cooperation ESG
      1. [BREXIT] Involvement of the UK SA in cooperation and consistency mechanisms
      2. Review of the internal documents on local cases
      3. Handling cross border complaints against public bodies or authorities – request for mandate
      4. Guidelines on handling complaints: revision of the mandate – request for mandate
    2. Compliance, e-Government and Health ESG
      1. Guidelines on certification criteria assessment – request for mandate
    3. Financial Matters ESG
      1. Statement on the protection of personal data processed in relation with the prevention of money laundering and terrorist financing
    4. International Transfers ESG
      1. Art. 64 GDPR Opinion on the draft decision of the Dutch Supervisory Authority regarding the Controller Binding Corporate Rules of Equinix
    5. Compliance, e-Government and Health ESG
      1. Stakeholder event on processing of data for medical and scientific research purposes – request for mandate
    6. Technology ESG
      1. Guidelines on anonymisation / pseudonymisation – request for mandate
    7. EDPB Secretariat
      1. 2021 February plenary
      2. Survey future meetings post COVID
  5. Any other business

Through its Act no.2020-1266 dated 19 October 2020 (the Act), the French legislator elected to regulate the commercial exploitation of the images of children aged 16 and under on online platforms (Kidfluencers).

Despite the potentially lucrative consequences of these emerging practices, Kidfluencers operated in a legal vacuum which could have resulted in parents exploiting their children, without the latter reaping any financial benefits or regaining any control of their images upon coming of age.

First and foremost, the Act extends the existing legal framework of child models, under Article L7124-1 of the French Labor Code (FLC). As such, Kidfluencers will require a written authorization from the French Administration prior to being engaged or broadcasted, inter alia:

  • By any entertainment provider, regardless of the medium or broadcast type;
  • In order to perform “modeling activities,” broadly defined under Article L7123-2 FLC as presenting oneself, directly or indirectly through the reproduction of one’s image, either through photographs or video, notably by presenting a product, service of commercial message;
  • By eSport competition organizers; and
  • By “Employer whose activities consist in creating audiovisual recording whose main subject is a child aged 16 or under, for the purpose of for-profit broadcasting on an online video sharing platform”.

The latter category was notably introduced to characterize the parents or legal guardians of the influencers as the “employer” of the Kidfluencer. As they may not be as aware of the legal undertakings as the other providers and organizers mentioned, the Administration will provide them with specific information relating to the Kidfluencers’ rights and the risks associated with exhibiting their image online.

Moreover, a portion of the revenue gained by Kidfluencers would be placed in escrow on a French public bank account until their majority.

Secondly, in situation when the broadcast would not be performed for profit, the Act introduces additional protective measures for Kidfluencers: instead of a prior authorization, a simple declaration of the activity will be required, when the published content exceeds certain thresholds in terms of (i) duration or individual items; or (ii) direct or indirect revenues. Such thresholds will be addressed in a supplemental decree to be adopted shortly.

Failing to obtain the authorization or to proceed with the notification would entitle the Administration to seize a court in order to take down the related content.

Finally, the Act also implements a collaborative framework for the online video sharing platforms, and enjoin them to publish dedicated policies to aiming at

  • Informing users of the applicable Kidfluencers’ regulatory framework;
  • Informing Kidfluencers directly of the consequences on their private life of the broadcasting of their image, of the legal and psychological consequences and of the means they have to protect their rights and dignity;
  • Encouraging users to report any content involving Kidfluencers that could affect their dignity, psychological or physical integrity;
  • Preventing the processing of personal data relating to minors for commercial purposes, such as targeted advertisement, further to the broadcasting a Kidfluencers video;
  • Detecting situations where the recording or broadcasting of Kidfluencers’ videos could impact their dignity, psychological or physical integrity; and
  • Helping Kidfluencers to easily exercise their right to be forgotten on the video-sharing platforms.

While a welcomed step to protect children online, sometimes from their own families, the Act will need to be completed with regard to the thresholds triggering its applicability. In addition, by mainly addressing online video sharing platforms, the Act could have benefited from a more homogenous framework for online platform allowing the sharing of both still and moving pictures. Indeed, while still images could be included in the modeling provision, it remains to be seen how extensively it will be enforced.

Amidst the current discussions surrounding the Digital Services Act at the European level, this France-specific framework creates yet another undertaking for online platforms to implement additional measures to support public policies. And by encouraging users to report any content involving Kidfluencers that could affect their dignity, psychological or physical integrity, the Act could generate extra-territorial consequences, forcing the platforms to deploy such reporting mechanism at a global scale.

K&L Gates IP/IT team in Paris remains available to assist you in assessing the changes triggered by this Act. Please get in touch if you would like to discuss the steps that your organization might want to consider to prepare now for this new Kidfluencer framework.

First publication: K&L Gates Fashion Law Watch

42nd EDPB Meeting

November 19th, 2020 | Posted by Claude-Etienne Armingaud in Europe | Privacy - (0 Comments)
  1. Adoption of the minutes and of the agenda, Information given by the Chair
    1. Minutes of the 41st EDPB meeting
    2. Draft agenda of the 42nd EDPB meeting
    3. Publication of minutes of 40th Plenary meeting
    4. Request to extend the deadline for public consultation re recommendation 01/2020 on sup. measures
  2. Current Focus of the EDPB Members
    1. Presentation by the European Commission of the new (updated) two sets of SCCs
  3. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat
    1. Technology ESG
      1. Statement on eprivacy regulation
      2. Letter to News Media Europe and others regarding cookie walls
    2. International Transfer ESG
      1. Template for BCR approval decision by a supervisory authority
  4. Any other business
  1. Adoption of the minutes and of the agenda, Information given by the Chair
    1. Minutes of the 40th EDPB meeting
    2. Draft agenda of the 41st EDPB meeting
  2. Current Focus of the EDPB Members
    1. Art. 65 ongoing procedure
    2. Draft Art. 65 Decision
  3. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat
    1. Recommendation on measures that supplement transfer instruments to ensure compliance with the EU level of protection of personal data
    2. Update of the European Essential Guarantees recommendations

With the Brexit transition period ending on 31 December 2020, and no deal in sight, the future of cross-border data transfers between the European Economic Area (the EEA) and the United Kingdom remains unclear. On 1 January 2021, the United Kingdom will be considered as a “third country” and, unless a Brexit deal is proposed dealing with data protection and how data transfers between the EEA and the United Kingdom are to be treated, it could be significantly more difficult for European Union (EU)-based entities to transfer personal data to the United Kingdom.

(more…)

40th EDPB Meeting

October 20th, 2020 | Posted by Claude-Etienne Armingaud in Privacy - (0 Comments)
  1. Adoption of the minutes and of the agenda, Information given by the Chair
    1.1. Minutes of the 39 th EDPB meeting
    1.2. Draft agenda of the 40th EDPB meeting
  2. Current Focus of the EDPB Members
    2.1. Recommendation on measures that supplement transfer instruments to ensure compliance with the EU level of protection of personal data – state of play
    2.2. Review of the Adequacy Decision of Japan
  3. Consistency mechanism and Guidelines
    3.1. Guidelines 04/2019 on Article 25 Data Protection by Design and by Default (after public consultation)
  4. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat
    4.1. Cooperation ESG Brexit-related matters
    4.2. Enforcement ESG
    Coordinated Enforcement Framework
    4.3. Technology ESG
    Response letter to Mr A. Dix on the copyright directive1
    4.4. Financial Matters ESG
    Statement and possible letter regarding data protection and current framework on anti-money laundering and countering terrorist financing – request for mandate
    4.5. Secretariat
    Implementation of SEC DPO rules
    Consistency procedure for Art. 46.3(b) GDPR administrative
    arrangements
  5. Any other business

We are currently experiencing an interesting time in our economy around the future of work. In describing the future of work, there are four main aspects that come into play: (i) People will be able to work remotely and with flexible schedules; (ii) New industries and jobs will be created complementary to technology; (iii) There will be more entrepreneurship and self-employment; and (iv) Due to technology advancements, there will be fewer jobs that require humans.

Against this backdrop, the COVID-19 outbreak pointed out that these new working norms are going to become the future. In fact, more and more companies wonder whether people can work effectively and achieve a level of work-life balance in light of these new working conditions. At the same time, there is considerable research showing that diversity can be the answer to these considerations, leading to a significant performance advantage.

As law firms around the world have been forced into an unplanned experiment with remote and flexible working, the webinar will aim to explore what the new COVID-19 reality means for the workforce and how can they embrace the pandemic’s opportunities for learning and thriving in the workplace.

K&L Gates ranked “Highly Recommended” with Claude-Etienne Armingaud.

Source: Leaders League

(more…)

Following the French Administrative Supreme Court (Conseil d’État) dated 19 June 2020 (see our Alert here), the French Supervisory (CNIL) published on 01 October 2020 its updated guidelines (the Guidelines), replacing its former guidelines published on 04 July 2019 (July Guidelines), along with practical recommendations (the Recommendation) on cookies and other tracking technologies (together, Cookies).

(more…)