French IP Law Update – The Delicate Balance between Employers and Inventors: A French Revolution?

January 20th, 2022 | Posted by Claude-Etienne Armingaud in France | Intellectual Property | Patent - (0 Comments)

Counsel from jurisdictions where payments to employee-inventors only arise from contracts or employee incentive programs are sometimes surprised when they first become involved with jurisdictions that have statutory payment schemes for employee-inventors. Intellectual property (IP) management policies not written and designed with these jurisdictions in mind can lead to issues that may come to light only when a problem arises or in diligence. Even if a company has a process in place for making inventor payments, they also, in some circumstances, need to provide locally required notice and information to the inventor. Attorneys outside these jurisdictions need to be aware of these rules when conducting IP diligence, and when they are involved in managing patent prosecution dockets where the priority case originates in jurisdictions that have these requirements. One example of such a notice requirement is in France. 

(more…)

United Arab Emirates – Federal Decree-Law No.(45) of 2021 on Personal Data Protection

January 2nd, 2022 | Posted by Claude-Etienne Armingaud in Legislation | World - (0 Comments)

FEDERAL DECREE-LAW NO. (45) OF 2021 ON PERSONAL DATA PROTECTION

Read the full text.

(more…)

Guidelines 01/2021 on Examples regarding Personal Data Breach Notification

December 14th, 2021 | Posted by Claude-Etienne Armingaud in Data Breach | Europe | Guidelines - (0 Comments)

Adopted on 14 December 2021 – Version 2.0

Version history

Version 1.014 January 2021Adoption of the Guidelines for public consultation
Version 2.014 December 2021Adoption of the Guidelines after public consultation

1. INTRODUCTION

  1. The GDPR introduces, in certain cases, the requirement for a personal data breach to be notified to the competent national supervisory authority (hereinafter “SA”) and to communicate the breach to the individuals whose personal data have been affected by the breach (Articles 33 and 34).
  2. The Article 29 Working Party already produced a general guidance on data breach notification in October 2017, analysing the relevant Sections of the GDPR (Guidelines on Personal data breach notification under Regulation 2016/679, WP 250) (hereinafter “Guidelines WP250”). However, due to its nature and timing, this guideline did not address all practical issues in sufficient detail. Therefore, the need has arisen for a practice-oriented, case-based guidance, that utilizes the experiences gained by SAs since the GDPR is applicable.
  3. This document is intended to complement the Guidelines WP 250 and it reflects the common experiences of the SAs of the EEA since the GDPR became applicable. Its aim is to help data controllers in deciding how to handle data breaches and what factors to consider during risk assessment.
  4. As part of any attempt to address a breach the controller and processor should first be able to recognize one. The GDPR defines a “personal data breach” in Article 4(12) as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
  5. In its Opinion 03/2014 on breach notification and in its Guidelines WP 250, WP29 explained that breaches can be categorised according to the following three well-known information security principles:
  • Confidentiality breach” – where there is an unauthorised or accidental disclosure of, or access to, personal data;
  • Integrity breach” – where there is an unauthorised or accidental alteration of personal data; and
  • Availability breach” – where there is an accidental or unauthorised loss of access to, or destruction of, personal data.
  1. A breach can potentially have a range of significant adverse effects on individuals, which can result in physical, material, or non-material damage. The GDPR explains that this can include loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy. It can also include any other significant economic or social disadvantage to those individuals. One of the most important obligation of the data controller is to evaluate these risks to the rights and freedoms of data subjects and to implement appropriate technical and organizational measures to address them.
  2. Accordingly, the GDPR requires the controller to:
  1. Data breaches are problems in and of themselves, but they may be also symptoms of a vulnerable, possibly outdated data security regime, they may also indicate system weaknesses to be addressed. As a general truth, it is always better to prevent data breaches by preparing in advance, since several consequences of them are by nature irreversible. Before a controller can fully assess the risk arising from a breach caused by some form of attack, the root cause of the issue should be identified, in order to identify whether any vulnerabilities that gave rise to the incident are still present, and are still therefore exploitable. In many cases the controller is able to identify that the incident is likely to result in a risk, and is therefore to be notified. In other cases the notification does not need to be postponed until the risk and impact surrounding the breach has been fully assessed, since the full risk assessment can happen in parallel to notification, and the information thus gained may be provided to the SA in phases without undue further delay.
  2. The breach should be notified when the controller is of the opinion that it is likely to result in a risk to the rights and freedoms of the data subject. Controllers should make this assessment at the time they become aware of the breach. The controller should not wait for a detailed forensic examination and (early) mitigation steps before assessing whether or not the data breach is likely to result in a risk and thus should be notified.
  3. If a controller self-assesses the risk to be unlikely, but it turns out that the risk materializes, the competent SA can use its corrective powers and may resolve to sanctions
  4. Every controller and processor should have plans, procedures in place for handling eventual data breaches. Organisations should have clear reporting lines and persons responsible for certain aspects of the recovery process.
  5. Training and awareness on data protection issues for the staff of the controller and processor focusing on personal data breach management (identification of a personal data breach incident and further actions to be taken, etc.) is also essential for the controllers and processors. This training should be regularly repeated, depending on the type of the processing activity and size of the controller, addressing latest trends and alerts coming from cyberattacks or other security incidents.
  6. The principle of accountability and the concept of data protection by design could incorporate analysis that feeds into a data controller’s and data processor’s own “Handbook on Handling Personal Data Breach” that aims to establish facts for each facet of the processing at each major stage of the operation. Such a handbook prepared in advance would provide a much quicker source of information to allow data controllers and data processors to mitigate the risks and meet the obligations without undue delay. This would ensure that if a personal data breach was to occur, people in the organisation would know what to do, and the incident would more than likely be handled quicker than if there were no mitigations or plan in place.
  7. Though the cases presented below are fictitious, they are based on typical cases from the SA’s collective experience with data breach notifications. The analyses offered relate explicitly to the cases under scrutiny, but with the goal to provide assistance for data controllers in assessing their own data breaches. Any modification in the circumstances of the cases described below may result in different or more significant levels of risk, thus requiring different or additional measures. These guidelines structure the cases according to certain categories of breaches (e.g. ransomware attacks). Certain mitigating measures are called for in each case when dealing with a certain category of breaches. These measures are not necessarily repeated in each case analysis belonging to the same category of breaches. For the cases belonging to the same category only the differences are laid out. Therefore, the reader should read all cases relevant to relevant category of a breach to identify and distinguish all the correct measures to be taken.
  8. The internal documentation of a breach is an obligation independent of the risks pertaining to the breach, and must be performed in each and every case. The cases presented below try to shed some light on whether or not to notify the breach to the SA and communicate it to the data subjects affected.

Go to the full Guidelines.

Best Lawyers France 2021 – Privacy and Data Security Law

November 2nd, 2021 | Posted by Claude-Etienne Armingaud in France | Privacy | Rankings - (0 Comments)

Claude-Etienne Armingaud from K&L Gates ranked among the Best Lawyers France 2021 for Privacy and Data Security Law

Algo Avocats - Sandra Tubert Altana - Pierre Lubet Artemont - Farid Bouguettaya August Debouzy - Florence Chaffiol Baker McKenzie - Magalie Dansac Le Clerc Bid & Bird - Merav Griguer, Ariane Mole Bouchara & Avocat - Navessa Bouchara Vercken & Gaullier - Florence Gaullier Cohen & Gresser - Guillaume Seligmann Cornet Vincent Ségurel - François Herpe De Gaulle Fleurance & Associés - Georges Courtois, Jean-Marie Job Delcade - Olivier Hayat Delsol Avocat - Jeanne Bossi Malafosse Derrienic Associés - Alexandre Fiévée, Fran_ois-Pierre Lani, Pierre-Yves Margnous DLA Piper - Denis Lebeau-Marianna, Carol Umhoefer Eversheds Sutherlands - Vincent Denoyelle EY - Yaël Cohen-Hadria Fréal Schiul Sainte Marie Willemant - Christinae Feral-Schulh, Bruno Grégoire Sainte Marie, Justine Sinibaldi Franklin - Valérie Aumage Gibson Dunn & Crutcher - Ahmed Baladi, Vera Lukic Herald Avocats - Anne Cousin Hogan Lovells - Etienne Drouard K&L Gates - Claude-Etienne Armingaud Latham & Watkins - Jean-Luc Juhan, Myria Saaarinen Latournerie Wolfrom - Marie-Hélène Tonnelier Lxing - Chloé Torres Luzi Avocats - Olivia Luzi McDermott Will & Emery - Romain Perray Mulliez Avocats - Florence Mulliez Next Avocat - Etienne Papin Osborne Clarke - Claire Bouchenard, Béatrice Delmas-Linel Racine - Hélène Cournarie Reinhart Marville Torre - Laurent Marville Squire Patton Boggs - Catherine Muyl Taj - Hérvé Gabadou White & Case - Clara Hasindork, Bertrand LIard

Source: Best Lawyers

, , , ,

🇺🇸 GDPR developments under focus on day one of PrivSec Global

September 22nd, 2021 | Posted by Claude-Etienne Armingaud in Conference | Data Transfer | Europe | Privacy | World - (0 Comments)

On a first day packed with fascinating insight at PrivSec Global, experts explored lessons that enterprise organisations have learned from the first three years of the GDPR.

(more…)

🇺🇸 PrivSec Global – Global Data Protection and Privacy Law Developments: What Lessons Have Enterprise Organisations Learned from the First Three Years of The GDPR

September 6th, 2021 | Posted by Claude-Etienne Armingaud in Conference | Data Breach | Data Transfer | Europe | Privacy - (0 Comments)

GDPR fines have been increasing over the last 18 months, and it is proving to be a complex environment for the regulators and the regulated. But GDPR has not led to seismic changes (the possibility of entirely new operating models, for example), but has had a major effect on the ways organizations collect and use data. This panel will discuss the last few years and look ahead to gauge what we have learned and how things will and should change.

Speakers Include:

Jacob Høedt Larsen, Head of Communications, Wired Relations

Andreea Lisievici, Head of Data Protection Compliance, Volvo Car Corporation

Claude-Etienne Armingaud, CIPP/E, Partner & Practice Group Coordinator – Technology, Sourcing and Privacy, K&L Gates

More information.

, , , , ,

GDPR – France Fines Monsanto EUR 400,000 in relation with lobbying practices

July 30th, 2021 | Posted by Claude-Etienne Armingaud in Competition | France | Privacy - (0 Comments)

The French data protection Supervisory Authority (The CNIL) has issued a fine totaling EUR 400,000 against Monsanto for failing to inform individuals whose personal data was collected and processed  for lobbying purposes.

Further to the revelation by several media outlets, in May 2019, that Monsanto kept records on more than 200 political and civil society figures (e.g. journalists, environmental activists, scientists or farmers) likely to influence the debate or public opinion on the renewal of the authorization of glyphosate in Europe, the CNIL received seven complaints from individuals whose personal data was included in those records. The personal data included in those records included professional details (e.g. company name, position, business address, business phone number, mobile phone number, business email address and Twitter account), along with a score of 1 to 5, aiming at evaluating  their influence, credibility and support for Monsanto on various topics such as pesticides or genetically modified organisms.

(more…)

A New Framework for Transfers of Personal Data EU and Korea Conclude Adequacy Decision Talks

June 25th, 2021 | Posted by Claude-Etienne Armingaud in Data Transfer | Europe | Privacy | World - (0 Comments)

BACKGROUND

On 30 March 2021, the European Commission, in a joint statement with the Personal Information Protection Commission, the data protection authority of the Republic of Korea (Korea), declared that Korea ensured a level of protection for personal data that is similar to the level provided in the European Union (the EU) and, as such, is a jurisdiction deemed “adequate.” Further to this joint declaration, the European Commission completed its internal procedures and formally adopted the substance of this joint statement in a draft adequacy decision published on 14 June 2021. Once finalized, businesses will be allowed to transfer personal data freely from the EU and European Economic Area (EEA) to Korea without being required to provide further safeguards as required for “third country transfers” under the EU General Data Protection Regulation 2016/679 (GDPR). Once so adopted, the adequacy decision would cover transfers of personal data to commercial operators located in Korea, as well as Korean public authorities. However, the transfer of personal credit information that is subject to jurisdiction of Korea’s Financial Services Commission will be excluded from the coverage of the adequacy decision.  

The adequacy decision only relates to the transfer of personal data from the EU/EEA to a recipient in Korea, but it does not cover the general applicability of GDPR. In this context, any company (even outside the EU/EEA) that directly collects personal data from EU residents in connection with offering goods or services or monitoring of behavior of EU residents will still need to comply with the obligations set out in the GDPR for its collection of personal data. Also, significantly, the adequacy decision only covers data flow in one direction, from the EU to Korea, but not in the opposite direction, i.e., from Korea to the EEA. As noted below, barring any further statutory amendments, Korean privacy laws still require data handlers to obtain the consent of data subjects (as opposed to an opt-out) prior to transferring their personal data outside of Korea.

The conclusion of adequacy talks between Korea and the European Commission is a major step in their ongoing four-year dialogue regarding mutual recognition of personal data protection regimes. Korea has been preparing for this adequacy decision since 2015, when the Korean government established a joint public-private sector task force, which was charged with conducting data regulation-related feasibility studies, self-assessments, and comparative analyses in preparation for the first round of adequacy negotiations with the EU in 2017. After two extensive rounds of adequacy negotiations between the representatives of the European Commission and Korea ended without an adequacy finding, Korea decided to make significant amendments to its data protection laws. Such amendments were enacted by the National Assembly, Korea’s national legislature, in January 2020 and became effective in August 2020, thus paving the way for the March 2021 joint statement.

(more…)

, , , , ,

GDPR – Data Transfers 2.0: Navigating Through Post-Schrems II Waters

June 11th, 2021 | Posted by Claude-Etienne Armingaud in Data Transfer | Europe | Privacy | World - (0 Comments)

Depending on whether you are an optimist or a pessimist, it will have taken the European Commission either three years and two weeks (since the entry into force of the General Data Protection Regulation (GDPR) or eleven months (since the Schrems II decision — see our Alert here) to publish its finalized revision of the most flexible tool to allow for the transfer of personal data to partners located in countries not otherwise providing an adequate level of data protection (Adequate Countries): the Standard Contractual Clauses (SCCs).

While Schrems II made headlines with its cancellation of the Privacy Shield framework, this mechanism only affected 5,000 companies in the United States. SCCs, on the other hand, remain the most widely used instrument to ensure an end-to-end sufficient level protection of personal data covered by European data protection. With their original version dating back 2001, an update was severely needed to align them with GDPR’s extensive reach and requirements.

IN A NUTSHELL:

  • The new SCCs were published on 4 June 2021:
    • Starting on 27 June 2021, companies will need to transition to the new SCCs;
    • On 27 December 2022, companies must have finalized their transition to the new SCCs.
  • Affected companies include:
  • Key new elements include:
    • Data exporting entities will need to assess the importing countries’ regulatory framework;
    • Where such framework cannot safeguard the transferred data subject to GDPR, additional measures must be implemented contractually, organizationally and/or technically;
    • Each and every step of the assessment, and the relevancy of the remediation measures, must be thoroughly documented; and
    • In the case of a controller/processor/sub-processor relationship, the new SCCs consolidate the requirements into a single agreement addressing the data processing requirements under Article 28 GDPR and the data transfer agreement.
  • While the new SCCs provide for a general framework, many issues are left to:
(more…)

, , , , ,

Sapin II – What Recommendations Should Be Followed From 2021 Onwards

April 12th, 2021 | Posted by Claude-Etienne Armingaud in France | Privacy - (0 Comments)

The French Law n°2016-1691 of 9 December 2016 relating to transparency, the fight against corruption, and the modernization of economic life, known as the “Sapin II” Act 1)Sapin II entered into force on 10 December 2016 (JORF n°0287 of Dec. 10, 2016) introduced to legal entities additional compliance requirements to address corruption in order for France to meet the highest European and international standards.

Sapin II has established a general principle of prevention and detection of corruption risks under the control of a national anticorruption structure, the French Anti-Corruption Agency (AFA),  whose main mission is to help economic and public players in the process.

The AFA noted in its 2019 annual activity report 2)French Anti-Corruption Agencyn Annual Activity Report 2019 (7 July 2020) (in French).that anticorruption measures implemented by economic and public players were still incomplete.

On 12 January 2021, the AFA published new recommendations entered into force on 13 January 2021 (Recommendations, here in French).

The AFA specifies the practical procedures for implementing an anticorruption system structured around three foundational principles, namely:

  • Governing body’s commitment;
  • Understanding the entity’s exposure to probity risks; and
  • Risk management.
(more…)

References

References
1 Sapin II entered into force on 10 December 2016 (JORF n°0287 of Dec. 10, 2016)
2 French Anti-Corruption Agencyn Annual Activity Report 2019 (7 July 2020) (in French).

, , ,