UK: Government Publishes New Proposed Data Protection Law

July 27th, 2022 | Posted by Claude-Etienne Armingaud in English | Europe | Legislation | Privacy - (0 Comments)

The UK Government has finally published its highly anticipated Data Protection and Digital Information Bill (the Bill), marking the first significant post-Brexit change to the UK’s data protection regime. Following Brexit, the UK continued following the EU General Data Protection Regulation, incorporated into UK law as the UK GDPR, and the UK implementation of the EU ePrivacy Directive, the Privacy and Electronic Communications Regulations 2003 (PECR), also remained in force.

The Bill is only at the start of the legislative process, and it remains to be seen how it will develop if it is amended during its passage through Parliament, but early indications are that it represents more of an evolution than a revolution in the UK regime. That will come as a relief to businesses that transfer personal data from the EU to the UK, because it reduces the risk that the EU might rescind the UK’s adequacy status.

For a start, the Bill actually preserves the UK GDPR, its enabling legislation the Data Protection Act 2018, and the PECR, because it is drafted as an amending act rather than a completely new legislative instrument. This does not contribute to user-friendliness, as interpreting UK data protection requirements will require a great deal of cross-referencing across texts.

The more eye-catching proposed changes in the Bill include:

  • The inclusion of a list of “legitimate interests” that will automatically qualify as being covered by the lawful basis in UK GDPR Article 6(e).
  • Some limitations on data subject access requests, such as the possibility of refusing “vexatious or excessive” requests.
  • More exemptions from the requirement to obtain consent to cookies.
  • Much higher fees for breach of PECR.

The Bill will now progress through various Parliamentary stages over the coming months in order to become law.

First Publication: K&L Gates Cyber Law Watch in collaboration with Noirin McFadden & Keisha Phippen

France: New Requirements Concerning the Sale of Digital Goods

July 21st, 2022 | Posted by Claude-Etienne Armingaud in eCommerce | France | internet | IT | Legislation - (0 Comments)

On 29 June 2022,  Decree n° 2022-946 (the “Decree”) supplemented the regulatory framework resulting from the Ordinance n° 2021-1247 of 29 September 2021 on the legal warranty of conformity for goods, digital content and digital services (the “Ordinance”). Stakeholders have under 1 October 2022 to implement the following measures, aiming at protecting consumers of digital goods.

1. General information about the Ordinance

Implementing two 2019 European directives on certain aspects of contracts for the supply of digital content and digital services and contracts for the sale of goods (respectively Directives (EU) 2019/770 and 2019/771 dated 20 May 2019), the Ordinance aimed to foster the safety of consumers when purchasing both physical and digital goods and, to a lesser extent, to reduce the environmental impact of digital goods.

This Ordinance amended the French Consumer Code in depth, notably by expanding the legal warranty of conformity, which now covers digital products and services but is also applicable to both B2C as well as B2B contracts, when the latter are executed between professionals and non-professionals (i.e. legal entities acting outside of their direct professional activities).

(more…)

GDPR: The Importance of Managing DSARs

June 22nd, 2022 | Posted by Claude-Etienne Armingaud in France | Privacy - (0 Comments)

Individuals having difficulties in obtaining responses to their personal data subject access requests (DSAR) from French telephone operator Free Mobile filed several complaints before the Frenchdata protection authority (CNIL). These requests related to accessing their personal data and objecting to receiving direct marketing messages by electronic means. After its investigations, the CNIL imposed a fine of €300,000 against Free Mobile on 28 December 2021.

(more…)

France: Supervisory Authority Publishes Guidance on the Use of Website Analytics in Compliance With GDPR

June 22nd, 2022 | Posted by Claude-Etienne Armingaud in Data Transfer | Europe | Privacy | Social Networks - (0 Comments)

Following the 2020 Court of Justice of the European Union’s (CJEU) ruling invalidating the Privacy Shield (see our alert here), personal data transfers from the European Union to the United States required EU companies to implement additional safeguard mechanisms, as the CJEU considered that U.S. legislation did not provide sufficient guarantees against the risk of access by public authorities (including intelligence services) to the imported data.

(more…)

France: Influencers and Digital Advertising

June 9th, 2022 | Posted by Claude-Etienne Armingaud in France | Social Networks - (0 Comments)

Over the past decade, influence marketing has changed the way advertising is handled by companies. Influencers have entered the marketing world by leveraging massive followings on social media platforms, and brands have recognized the value of the new category of advertising professionals.

Even though the use of influencers has become a mainstay of advertising, French legislation has yet to meet this evolution, resulting in an often opaque legal framework.

The broad spread-out provisions applicable to influencers also generate difficulties in understanding influencers legal status, in particular when they are underage. This notably raises the question whether influencers are employees of the brands they advertise for—and therefore subject to labor law—or if they should be considered independent contractors, with their relationship with brands subject to commercial legislation.

Such opaque legal framework raises questions about the applicable regime, as well as the legal status of influencers. Even though there is no specific regime for influencers, recent legislation was adopted in order to protect children influencers (see our alert here).

(more…)

, , , , , , , , , , , , , , , , , , , ,

Guidelines 06/2022 on the practical implementation of amicable settlements

May 12th, 2022 | Posted by Claude-Etienne Armingaud in Europe | Guidelines | Privacy - (0 Comments)

EDPB Guidelines on Amicable Settlements: Key Points

The European Data Protection Board (EDPB) has released guidelines on how supervisory authorities (SAs) should handle amicable settlements under GDPR. Here are the key takeaways:

What is an Amicable Settlement?

  • A process where data protection authorities facilitate resolution of complaints between data subjects and controllers
  • Aims to achieve compliance with GDPR while satisfying both parties’ interests
  • Most suitable for cases involving:
    • Limited number of data subjects
    • Non-systematic violations
    • Incidental/accidental breaches
    • Limited personal data
    • Non-serious violations

Key Principles

  • Not all EU countries allow amicable settlements (14 countries explicitly don’t permit them)
  • Can be used in both local cases and cross-border processing scenarios
  • Must respect principles of good administration and due process
  • Should lead to swift resolution while maintaining high level of data protection

Cross-border Cases

In One-Stop-Shop (OSS) mechanism:

Important Considerations

  • Settlement doesn’t prevent further investigation if systemic issues are discovered
  • Can be partial – some aspects of complaint may require formal investigation
  • Must be documented and communicated properly to all parties
  • Should include proof of compliance from controller and satisfaction from data subject

These guidelines represent a significant step toward harmonizing how data protection authorities handle complaints across the EU, while maintaining flexibility to account for national legal frameworks and specific case circumstances.

Go to the full guidelines.

Legal 500 Rankings 2022 Data Privacy and Data Protection Tier 2 & Leading Individual France

April 11th, 2022 | Posted by Claude-Etienne Armingaud in France | Privacy | Rankings - (0 Comments)

‘Specialist in new technologies’, K&L Gates LLP‘s team has an outstanding reputation for legal advice on innovative technologies and data-related concerns. Claude-Etienne Armingaud and Raphael Bloch are recognised as ‘exceptional lawyers who miss no details and who know their fields to perfection’. Claude-Etienne Armingaud has developed particular knowledge of multijurisdictional transactional matters dealing with IT outsourcing and data protection for blockchain and fintech, connected cars, and big data services.

Leading individuals: Claude-Etienne Armingaud – K&L Gates LLP

Practice head(s): Claude-Etienne Armingaud

Other key lawyers: Raphael Bloch

(more…)

,

International Personal Data Transfers: An Eventful Week

March 25th, 2022 | Posted by Claude-Etienne Armingaud in Brexit | Data Transfer | Europe | Privacy - (0 Comments)

Transfer from the UK

On 21 March 2022, the United Kingdom finalized the adoption of its own version of the European Union’s (EU) Standard Contractual Clauses (SCC), a contractual mechanism aiming at securing personal data protected under a data protection framework to third countries not deemed to offer an “adequate” level of data protection.

On 16 July 2020, while the United Kingdom was still an EU Member State, the European Court of Justice (CJEU), through its Schrems II decision, added new requirements to the SCC (see our Alert here), relating to safeguards against access to personal data protected under EU’s General Data Protection Regulation (GDPR) by intelligence agencies. As a consequence, the European Union adopted new versions of the SCC in June 2021 (see our Alert here), but the United Kingdom having finalized Brexit in the meantime, did not adopt the new SCCs, instead operating the previous versions of the SCC, and an updated document for transfers initiated under the UK GDPR was needed.

The UK’s draft International Data Transfer Agreement (IDTA) and Addendum  were laid before Parliament on 22 February 2022 and finally adopted on 21 March 2022 without changes. The IDTA is an equivalent contract to the SCC, but uses a tabular approach in place of the modules used by the SCC. The alternative instrument that was introduced, the Addendum, provides UK data exporters with a semi-seamless mechanism where they can leverage their existing SCC for transfers initiated under the EU GDPR. The Addendum consists of a form effectively selecting the relevant options of the SCC and amending EU terminology and legal references to UK-specific ones. It is likely to be more widely used than the IDTA, particularly as data exporters with operations in both the UK and the EU will look to reduce the number of contracts they need to enter into. Overall, the IDTA and the Addendum represent a narrowing in the divergence that had appeared recently in the differing safeguards required by the UK and the EU for data exporters engaged in personal data transfers from their respective jurisdictions.

As a reminder:

  • Transfers between the EU and the UK do not need any specific measures as per the adequacy decision currently in place (see our Alert here)
  • all data transfer agreements under the EU GDPR based on the previous versions of the SCC will need to be migrated to the new SCC on or before 27 December 2022; and
  • all data transfer agreements under the UK GDPR executed on or before 21 September 2022 on the basis of any Transitional Standard Clauses (based on the previous versions of the SCC) will need to be migrated to an IDTA or Addendum on or before 21 March 2024.

Transfer from the EU to the US: En Route for Schrems III?

On 25 March 2022, European Commission President Ursula von der Leyen and United States President Joe Biden announced  an “agreement in principle” on a new EU-US data sharing system, expected to replace the Privacy Shield framework invalidated under the CJEU’s Schrems II decision in 2020 (see our Alert here).

As no draft of that “agreement” has been circulated, the existing grievances against U.S. intelligence agencies’ access to personal data protected under GDPR remain and concerns relating to ‘effective legal remedies’ available to individuals protected under GDPR (Data Subjects) will need to be addressed. Data activist Maximilian Schrems and his organization, noyb, already announced that they would closely monitor the development of this new framework and challenge any decision which would not abide by the CJEU’s 2020 Schrems II decision.

While such a political statement is encouraging for the future of international data transfers, this announcement should not be construed as relieving companies subject to GDPR’s territorial scope (see our Alert here) from implementing adequate data transfer mechanisms until more concrete elements are adopted.

Such transfer mechanisms notably include:

K&L Gates’ global data protection team (including in each of our European offices) remains available to assist you in achieving the compliance of your data transfers at a global level.

First publication: K&L Gates Hub in collaboration with Noirin McFadden, Thomas Nietsch and Keisha Phippen

Online Advertising Where Are We Headed?

March 18th, 2022 | Posted by Claude-Etienne Armingaud in Conference | cookies | Europe | France | Privacy - (0 Comments)

Event: IAPP Data Protection Intensive: France

Date: 18 March 2022

Time: 8:00 AM ET

Location: Le Méridien Etoile, 81 Boulevard Gouvion Saint-Cyr 75848 Cedex 17, 75017 Paris

The dynamics in online advertising have always been head spinning — but the latest developments promise to go beyond. The slow death of third-party cookies is shaking up the industry and raises new questions privacy professionals have to grapple with. With the upcoming e-Privacy Regulation, a new law is taking shape. And to add even more complexity, French lawmakers are eager to push through a new privacy law for online marketing based on the old e-Privacy Directive. Hear from industry experts what to expect and how to navigate the uncertainties. This panel will also address cutting edge questions like cookie walls, nudging, or dark patterns.

French authority falls in line with ECJ position on general retention of metadata

March 16th, 2022 | Posted by Claude-Etienne Armingaud in France | Legislation | Press | Privacy - (0 Comments)

Quoted by Global Data Review:

Claude-Étienne Armingaud, a partner at K&L Gates in Paris, said the decision would have little impact in practice.

“The new sections adopted in July 2021 are implementing specific and targeted data retention requirements which should therefore comply with both the ECJ decisions and the Constitutional Council decision of today,” he said.

“So, if anything, it’s a tardy decision that was expected and confirmation that the Government did well to anticipate this.”

Read full article here.

We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits, as well as some analytics by Google and social buttons. By clicking “Accept”, you consent to the use of ALL the cookies. You may also customize the selection
Cookie settingsACCEPT REJECT