Once again included in the Best Lawyers in France ranking for Privacy and Data Security Law

Source: Best Lawyers

In this webinar, our lawyers discuss generative artificial intelligence (AI). Fast paced growth in generative AI is changing the way we work and live. With such changes come complex issues and uncertainty. We will address the legal, policy and ethical risks, mitigation, and best practices to consider as you develop generative AI products and services, or use generative AI in the operation of your business.

With Annette Becker, Guillermo Christensen, Whitney McCollum, Jilie Rizzo, and Mark Wittow

If you were not able to join last Tuesday, you can watch the replay below:

Source: K&L Gates Hub

Access the full text of the EU AI Act here.

Speakers:

  • Zelda Olentia, Senior Product Manager, RadarFirst
  • Claude-Étienne Armingaud, CIPP/E, Partner, Data Protection Privacy and Security Practice Group Coordinator, K&L Gates LLP

Air Date: Wednesday 14 June at 1 pm ET / 10 am PT. Replay on demand available here!

Description

Gartner predicts that by the end of 2024, 75% of the world’s population will have its personal data covered under modern privacy regulations. This exponential increase from only 10% global coverage in 2020 raises the stakes for global organizations. The challenge will be to ensure compliance, while safeguarding trust for an unprecedented volume of regulated data.

Join the upcoming live Q&A to learn what’s driving this expansion and how to prepare. You’ll hear from Zelda Olentia, Senior Product Manager at RadarFirst, and special guest, Claude-Etienne Armingaud who is a partner at K&L Gates LLP and a coordinator for the Firm’s Data Protection, Privacy, and Security practice group.

In this session we will cover:

  What is driving the expansion of privacy regulation?

  Where are we on this path towards 65% global coverage?

  How do you scale privacy operations for international privacy laws quickly and effectively before year-end 2024?

Register Now >>

Version 2.1 dated 24 May 2023 – Go to the official PDF version.

Executive Summary

The European Data Protection Board (EDPB) has adopted these guidelines to harmonise the methodology supervisory authorities use when calculating of the amount of the fine. These Guidelines complement the previously adopted Guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679 (WP253), which focus on the circumstances in which to impose a fine.

The calculation of the amount of the fine is at the discretion of the supervisory authority, subject to the rules provided for in the GDPR. In that context, the GDPR requires that the amount of the fine shall in each individual case be effective, proportionate and dissuasive (Article 83(1) GDPR). Moreover, when setting the amount of the fine, supervisory authorities shall give due regard to a list of circumstances that refer to features of the infringement (its seriousness) or of the character of the perpetrator (Article 83(2) GDPR). Lastly, the amount of the fine shall not exceed the maximum amounts provided for in Articles 83(4) (5) and (6) GDPR. The quantification of the amount of the fine is therefore based on a specific evaluation carried out in each case, within the parameters provided for by the GDPR.

Taking the abovementioned into account, the EDPB has devised the following methodology, consisting of five steps, for calculating administrative fines for infringements of the GDPR.

Firstly, the processing operations in the case must be identified and the application of Article 83(3) GDPR needs to be evaluated (Chapter 3). Second, the starting point for further calculation of the amount  of  the fine needs to be identified (Chapter 4). This is done by evaluating the classification of the infringement in the GDPR, evaluating the seriousness of the infringement in light of the circumstances of the case, and evaluating the turnover of the undertaking. The third step is the evaluation of aggravating and mitigating circumstances related to past or present behaviour of the controller/processor and increasing or decreasing the fine accordingly (Chapter 5). The fourth step is identifying the relevant legal maximums for the different infringements. Increases applied in previous or next steps cannot exceed this maximum amount (Chapter 6). Lastly, it needs to be analysed whether the calculated final amount meets the requirements of effectiveness, dissuasiveness and proportionality. The fine can still be adjusted accordingly (Chapter 7), however without exceeding the relevant legal maximum.

Throughout all abovementioned steps, it must be borne in mind that the calculation of a fine is no mere mathematical exercise. Rather, the circumstances of the specific case are the determining factors leading to the final amount, which can – in all cases – be any amount up to and including the legal maximum.

These Guidelines and its methodology will remain under constant review of the EDPB.

(more…)

Access the full list of the EDPB and WP29 Guidelines here, including consultation versions, now-current versions and redlines between versions.

Closing in on the fifth anniversary of the entry into force of the EU General Data Protection Regulation (GDPR), the Irish Data Protection Commission (DPC) announced on 22 May 2023 that it had fined Meta for EUR 1,2b (USD 1.3b), the highest GDPR fine levied since 2018.

Further to the DPC decision (Decision), and in addition to the record fine, Meta will need to:

  • suspend any future transfers of personal data to the United States within five months from the date of notification of the decision to Meta Ireland;
  • ensure the compliance of its data processing operations by ceasing the unlawful processing, including storage, in the United States of personal data of its users in the European Economic Area, transferred without sufficient safeguards, within six months from the date of notification of the DPC’s decision to Meta Ireland.

The core of the grievances relates to a decade-long (and going) crusade initiated by datactivist Maximilien Schrems and its data protection association, None of Your Business (noyb). The crusade started in 2013, with a first step resulting in a resounding cancelation of the Safe Harbor framework, which allowed personal data to be freely transferred from the European Union to the United States, in the 2015 Schrems I case (see our Alert). It was subsequently followed by a same action against Safe Habor’s successor, the Privacy Shield Framework, leading to the same result in the Schrems II case (see our Alerts here, here and here).

(more…)

Version 2.1 – Adopted on 24 May 2023

Version history

Version 1.013 April 2021Adoption of the Guidelines for public consultation
Version 2.024 May 2023Adoption of the Guidelines after public consultation
Version 2.115 July 2024Editorial corrections

Executive summary

Article 65(1)(a) GDPR is a dispute resolution mechanism meant to ensure the correct and consistent application of the GDPR in cases involving cross-border processing of personal data. It aims to resolve conflicting views among the LSA(s) and CSA(s) on the merits of the case, in particular whether there is an infringement of the GDPR or not, in order to ensure the correct and consistent application of the GDPR in individual cases. These Guidelines clarify the application of the dispute resolution procedure under Article 65(1)(a) GDPR.

Article 65(1)(a) GDPR requires the EDPB issues a binding decision whenever a Lead Supervisory Authority (LSA) issues a draft decision and receives objections from Concerned Supervisory Authorities (CSAs) that either it does not follow or it deems to be not relevant and reasoned.

These Guidelines clarify the applicable legal framework and main stages of the procedure, in accordance with the relevant provisions of the Charter of Fundamental Rights of the European Union, the GDPR and EDPB Rules of Procedure. The Guidelines also clarify the competence of the EDPB when adopting a legally binding decision on the basis of Article 65(1)(a) GDPR. In accordance with Article 65(1)(a) GDPR, the EDPB binding decision shall concern all the matters which are the subject of the relevant and reasoned objection. Consequently, the EDPB will first assess whether the objection(s) raised meet the “relevant and reasoned” standard set in Article 4(24) GDPR. Only for the objections meeting this threshold, the EDPB will take a position on the merits of the substantial issues raised. The Guidelines analyse examples of objections signalling disagreements between the LSA and CSA(s) on specific matters and clarify the EDPB’s competence in each case.

The Guidelines also clarify the applicable procedural safeguards and remedies, in accordance with the relevant provisions of the Charter of Fundamental Rights of the European Union, the GDPR and EDPB Rules of Procedure. In particular, these Guidelines address the right to be heard, the right of access to the file, the duty for the EDPB to provide reasoning for its decisions, as well as a description of the available judicial remedies.

These Guidelines do not concern dispute resolution by the EDPB in cases where: (1) there are conflicting views on which of the supervisory authorities concerned is competent for the main establishment (Article 65(1)(b) GDPR); or (2) a competent supervisory authority does not request the opinion of the Board in the cases referred to in Article 64(1), or does not follow the opinion of the Board issued under Article 64 (Article 65(1)(c) GDPR).

Go to the full Guidelines.

In this episode, Claude-Etienne Armingaud, Eleonora Curreri, and Camille Scarparo celebrate the fifth anniversary of GDPR accompanied with lawyers from our European offices; Thomas Nietsch and Andreas Müller (Berlin), Nóirín McFadden (London), and Gianmarco Marani (Milan). They reflect on how embedded GDPR has become in the cultural scene and with private enforcement. They also touch on the future for UK GDPR and the Data Protection and Digital Information (No.2) Bill.

May the enforcement be with you!

First publication: K&L Gates Hub with Eleonora Curreri, Gianmarco Marani, Andreas Müller, Noirin M. McFadden, Dr. Thomas Nietsch, Camille Scarparo

K&L Gates LLP has carved out a niche for work involving medical technology and IT in the healthcare sector. The firm assists with joint ventures and acquisitions in this space, as well as providing advice on GDPR and further data compliance matters.

Source: Legal 500

The team at K&L Gates LLP has strong capabilities advising clients active in the areas of luxury goods, the metaverse and energy, on innovative technologies such as VR and augmented reality, in matters which are often cross-border in nature. It is also well-equipped to advise on e-commerce launches, GDPR due diligence reviews, and acquisition matters. The team, led by Claude-Etienne Armingaud, often works in collaboration with other global offices.

Practice head(s): Claude-Etienne Armingaud

(more…)