The UK Government has finally published its highly anticipated Data Protection and Digital Information Bill (the Bill), marking the first significant post-Brexit change to the UK’s data protection regime. Following Brexit, the UK continued following the EU General Data Protection Regulation, incorporated into UK law as the UK GDPR, and the UK implementation of the EU ePrivacy Directive, the Privacy and Electronic Communications Regulations 2003 (PECR), also remained in force.

The Bill is only at the start of the legislative process, and it remains to be seen how it will develop if it is amended during its passage through Parliament, but early indications are that it represents more of an evolution than a revolution in the UK regime. That will come as a relief to businesses that transfer personal data from the EU to the UK, because it reduces the risk that the EU might rescind the UK’s adequacy status.

For a start, the Bill actually preserves the UK GDPR, its enabling legislation the Data Protection Act 2018, and the PECR, because it is drafted as an amending act rather than a completely new legislative instrument. This does not contribute to user-friendliness, as interpreting UK data protection requirements will require a great deal of cross-referencing across texts.

The more eye-catching proposed changes in the Bill include:

  • The inclusion of a list of “legitimate interests” that will automatically qualify as being covered by the lawful basis in UK GDPR Article 6(e).
  • Some limitations on data subject access requests, such as the possibility of refusing “vexatious or excessive” requests.
  • More exemptions from the requirement to obtain consent to cookies.
  • Much higher fees for breach of PECR.

The Bill will now progress through various Parliamentary stages over the coming months in order to become law.

First Publication: K&L Gates Cyber Law Watch in collaboration with Noirin McFadden & Keisha Phippen

On 29 June 2022, Decree n° 2022-946 (the “Decree”) supplemented the regulatory framework resulting from the Ordinance n° 2021-1247 of 29 September 2021 on the legal warranty of conformity for goods, digital content and digital services (the “Ordinance”). Stakeholders have until 1 October 2022 to implement the following measures, which aim at protecting consumers of digital goods.

1. General information about the Ordinance

Implementing two 2019 European directives on certain aspects of contracts for the supply of digital content and digital services and contracts for the sale of goods (respectively Directives (EU) 2019/770 and 2019/771 dated 20 May 2019), the Ordinance aimed to foster the safety of consumers when purchasing both physical and digital goods and, to a lesser extent, to reduce the environmental impact of digital goods.

This Ordinance amended the French Consumer Code in depth, notably by expanding the legal warranty of conformity, which now covers digital products and services and is also applicable to B2C as well as B2B contracts, when the latter are executed between professionals and non-professionals (i.e. legal entities acting outside of their direct professional activities).

2. Decree specifications

The Decree supplements the regulatory provisions already in force concerning the legal warranty of conformity for digital content and digital services.

It enshrines the general obligation of pre-contractual information for the professional seller to disclose to the consumer and the non-professional the existence of the legal warranty of conformity and its implementation.

For that purpose, standard boxes containing these warranties are to be inserted within the general terms and conditions. Similar to physical goods, the purchaser of a digital good, content or service which would not be compliant with the warranty of conformity has a two-step remedy:

  • If the digital good can be brought into conformity, it will then need to (i) be repaired or replaced, (ii) free of charge, (iii) without causing major inconvenience for the purchaser and (iv) within a reasonable period of time (within 30 days).
  • If the previous conditions are not met, the purchaser can obtain a price reduction, or terminate the contract and obtain a refund.

Will those additions of standard boxes lead to a more informed consumer? With the inability to ensure that terms and conditions are read, and by loading the consumers with an even more substantial set of compliance information, the objective seems unlikely to be achieved.

Moreover, the Decree also clarifies the requirements for informing the purchaser with regard to software updates for digital goods and services, including the period of availability of such updates.

The producer of such digital goods or services will be required to communicate to the seller all information concerning the compatibility of the updates with the functionalities of the digital goods or services. In addition, if the purchaser provided a benefit instead of, or in addition to, a price (e.g. free access to an option of a mobile application), the professional seller will now be compelled to indicate in their general terms and conditions how the professional seller benefits from it (e.g. use of personal data). If personal data is used in this context, the professional seller is required to specify the methods of exploitation of the data processing for advertising or commercial purposes. Such a position seems counterintuitive given the trend among European Union data protection authorities to dismiss information lodged in terms and conditions and instead require a dedicated privacy policy.

Furthermore, the producer will be required to inform the seller (who will then need to convey such information to the purchaser) about the consequences of the updates necessary for the proper operation of the software supporting the digital good, both in a generally intelligible manner and free of charge.

Conclusion

In order to comply with this new Decree, companies now have three months left to update their B2C terms and conditions. While the initial intent of these regulatory changes was to protect consumers, we can nonetheless wonder whether these additional compliance requirements will effectively drive a meaningful positive impact for consumers or instead add yet another layer of complexity and contribute to information fatigue.

The K&L Gates Global Data Protection team, including each of our European offices, remains available to assist you.

First publication: K&L Gates Hub, in collaboration with Camille Scarparo & Louise Bégué

Quoted by Global Data Review:

Claude-Étienne Armingaud, a partner at K&L Gates in Paris, said the decision would have little impact in practice.

“The new sections adopted in July 2021 are implementing specific and targeted data retention requirements which should therefore comply with both the ECJ decisions and the Constitutional Council decision of today,” he said.

“So, if anything, it’s a tardy decision that was expected and confirmation that the Government did well to anticipate this.”

Read full article here.

FEDERAL DECREE-LAW NO. (45) OF 2021 ON PERSONAL DATA PROTECTION

We, Khalifa bin Zayed Al Nahyan, President of the United Arab Emirates,

  • After perusal of the Constitution;
  • Federal Law No. (1) of 1972 on the Mandates of Ministries and Authorities of Ministers, as amended;
  • Federal Decree-Law No. (3) of 2003 Organizing the Telecommunications Sector, as amended;
  • Federal Law No. (6) of 2010 concerning Credit Information, as amended;
  • Federal Law No. (14) of 2016 concerning Violations and Administrative Sanctions in the Federal Government;
  • Federal Law No. (2) of 2019 concerning the Use of the Information and Communication Technology in the Area of Health;
  • Federal Decree-Law No. (14) of 2018 concerning the Central Bank and the Organization of Financial Institutions and Activities, as amended;
  • Federal Decree-Law No. (44) of 2021 concerning the Establishment of UAE Data Office;
  • Based on what has been presented by the Minister of Cabinet Affairs, and the approval of the Cabinet,

Promulgate the following Federal Decree-Law:

ARTICLE (1) – DEFINITIONS

In application of the provisions of this Decree-Law, the following words and expressions shall have the meanings ascribed to each of them, unless the context otherwise requires:

  • State: The United Arab Emirates.
  • Office: The UAE Data Office established under the referenced Federal Decree-Law No. (44) of 2021.
  • Data: An organized or unorganized set of information, facts, concepts, instructions, observations or measurements in the form of numbers, letters, words, symbols, pictures, videos, signals, audio, maps or otherwise, which is interpreted, exchanged or processed by individuals or computers. Data includes information wherever used herein.
  • Personal Data: Any data relating to an identified natural person, or a natural person who can be identified, directly or indirectly, through the linking of data, by reference to an identifier such as his name, voice, picture, identification number, electronic identifier, geographical location, or one or more physical, physiological, cultural or social characteristics. Personal Data includes Sensitive Personal Data and Biometric Data.
  • Sensitive Personal Data: Any information that directly or indirectly reveals a person’s race, ethnicity, political or philosophical views, religious beliefs, criminal record, biometric data, or any data related to such person’s health such as his physical, psychological, mental, corporal, genetic or sexual state, including any information related to such person’s provision with healthcare services that reveal his health condition.
  • Biometric Data: Any Personal Data resulting from specific technical Processing relating to the physical, physiological or behavioral characteristics of the Data Subject, which allow the identification or confirm the unique identification of the Data Subject, such as facial image or dactyloscopic data.
  • Data Subject: The natural person to whom Personal Data relates.
  • Establishment: Any company or individual proprietorship incorporated inside or outside the State, including companies partially or wholly owned by the Federal or Local Government or in which the Federal or Local Government owns shares.
  • Controller: The Establishment or the natural person who is in the possession of the Personal Data and who, by virtue of its activity, alone or jointly with others determines the means, methods, standards and purposes of the Processing of such Personal Data.
  • Processor: An Establishment or a natural person who processes the Personal Data on behalf of the Controller and under his supervision and instructions.
  • Data Protection Officer: A natural or legal person appointed by the Controller or the Processor in order to verify that the entity he belongs to complies with the Personal Data protection controls, requirements, procedures and rules provided for herein, and to ensure the integrity of its systems and procedures to achieve the compliance with the provisions hereof.
  • Processing: An operation or set of operations which is performed on Personal Data using any electronic means including the Processing or other means, such as collection, storage, recording, structuring, adaptation or alteration, handling, retrieval, exchange, sharing, use, characterization, disclosure by transmission, dissemination, distribution or otherwise making available, alignment, combination, restriction, erasure, destruction or creation of a model of Personal Data.
  • Automated Processing: A Processing operation which is performed using an electronic system or programme operating in an automated manner, either in a complete autonomous way without any human intervention or partially under a limited human supervision and intervention.
  • Personal Data Protection: A set of technical organizational measures, procedures and processes determined in accordance with the provisions of this Decree-Law, which would preserve the privacy, confidentiality, integrity, integration and availability of Personal Data.
  • Pseudonymization: The Processing of Personal Data in such a manner that such data cannot be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and safely and is subject to technical and organizational measures and procedures determined in accordance with the provisions of this Decree-Law, in order to ensure that the Personal Data is not attributed to an identified or identifiable natural person.
  • Anonymization: The Processing performed on Personal Data in such a manner that conceals the Data Subject, does not permit the attribution of such data to him and prevents his identification by any means.
  • Data Breach: A breach of security and Personal Data through unauthorized or unlawful access thereto, such as replication, transmission, distribution, exchange, transfer, circulation or Processing in such a manner leading to the disclosure or divulgence to third parties, or otherwise the destruction or modification of such data while being stored, transferred and processed.
  • Profiling: A form of Automated Processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to the Data Subject, in particular to analyze or predict aspects concerning his financial condition or performance, health, personal preferences, interests, behavior, location, movements or reliability.
  • Cross-border Processing: The dissemination, use, publication, transmission, receipt, retrieval, use, sharing or Processing of Personal Data outside the geographical scope of the State.
  • Consent: The consent by which the Data Subject authorizes third parties to process Personal Data relating to him, provided that such consent is a clear, specific and unambiguous indication of the Data Subject’s agreement, by a statement or clear affirmative action, to the Processing of the Personal Data relating to him.

ARTICLE (2) – SCOPE OF APPLICATION OF THE DECREE-LAW

1.    The provisions of this Decree-Law apply to the Processing of Personal Data, either in whole or in part, through electronic automated means, or other than such means, by:

a.    a Data Subject who has domicile or place of business in the State.

b.    a Controller or Processor established in the State that conducts Personal Data Processing activities for Data Subjects who are in or outside the State.

c.    a Controller or Processor not established in the State that conducts Personal Data Processing activities for Data Subjects who are in the State.

2.    The provisions of this Decree-Law do not apply to:

a.    governmental Data.
b.    governmental authorities which control and process Personal Data.
c.    Personal Data which is in the possession of security and judicial authorities.
d.    Data Subject who processes Data relating to him for personal purposes.
e.    health Personal Data regulated under a special legislation governing their protection and Processing.
f.    banking and credit Personal Data and information regulated under a legislation governing their protection and Processing.
g.    companies and organizations incorporated in the free zones of the State and governed by special Personal Data protection legislation.

ARTICLE (3) – POWER OF THE OFFICE TO EXEMPT

Without prejudice to any other functions assigned to the Office under any other legislation, the Office shall have the power to exempt certain Establishments which do not process a large scale of Personal Data from any or all requirements and conditions of the provisions of Personal Data protection provided for herein, in accordance with the standards and controls specified by the Executive Regulations of this Decree-Law.

ARTICLE (4) – PROCESSING OF PERSONAL DATA WITHOUT CONSENT OF THE DATA SUBJECT

The Processing of Personal Data without consent of the Data Subject is prohibited. However, such prohibition is excluded and the Processing is lawful in the following situations:

1.    where the Processing is necessary for the reasons of public interest.
2.    where the Processing is related to Personal Data which is made publicly available by Data Subject.
3.    where the Processing is necessary to initiate or defend in any procedures relating to claim of rights and legal actions or is in relation to judicial or security procedures.
4.    where the Processing is necessary for the purposes of occupational or preventive medicine to assess the working capacity of an employee, medical diagnosis, the provision of health or social care or the treatment or the management of health or social care systems and services, in accordance with legislation in force in the State.
5.    where the Processing is necessary for the protection of public health, such as the protection from infectious diseases and pandemics, or for ensuring the safety and quality of healthcare, medicines, drugs and medical appliances, in accordance with legislation in force in the State.
6.    where the Processing is necessary for archiving purposes or for scientific, historical or statistical studies in accordance with legislation in force in the State.
7.    where the Processing is necessary for the protection of interests of the Data Subject.
8.    where the Processing is required for the Controller or Processor to perform its obligations and establish its rights prescribed by law in the area of recruitment or social security or the laws relating to social protection, to the extent permitted by such laws.
9.    where the Processing is necessary for the performance of a contract to which the Data Subject is a party or for taking any actions upon request of the Data Subject for the purpose of concluding, amending or terminating a contract.
10.    where the Processing is necessary for the compliance with obligations prescribed under other laws of the State to which the Controller is subject.
11.    any other situations specified by the Executive Regulations of this Decree-Law.

ARTICLE (5) – PERSONAL DATA PROTECTION CONTROLS

The Processing of Personal Data shall take place in accordance with the following rules:

1.    the Processing must be fair, transparent and lawful.
2.    the Personal Data must have been collected for a clear specific purpose, and shall not be processed at a later stage in such a manner that is contrary to such purpose. However, Data may be processed if the purpose thereof is similar or close to the purpose for which the Data was collected.
3.    the Personal Data shall be adequate and restricted to what is necessary for the purpose for which the Processing is performed.
4.    the Personal Data must be correct and accurate and subject to update, where relevant.
5.    measures or actions to ensure the erasure or rectification of incorrect Personal Data must be in place.
6.    the Personal Data must be safely stored and protected from any Breach or unlawful or unauthorized Processing by putting in place and implementing appropriate technical and organizational measures and actions in pursuance of laws and legislation in force in this regard.
7.    the Personal Data must not be stored after the end of the purpose of their Processing, and may be maintained in case the identity of the Data Subject is concealed using “Anonymization” function.
8.    any other controls specified by the Executive Regulations of this Decree-Law.

ARTICLE (6) – CONDITIONS FOR CONSENT TO DATA PROCESSING

1.    For the Consent of Data Subject to be valid, it is conditional that:

a.    the Controller is able to prove the Consent of the Data Subject if the Processing is based on the Consent of Data Subject to the Processing of Personal Data concerning him.
b.    the Consent must be clear, simple, unambiguous and accessible, whether in written or electronic form.
c.    the Consent must contain the right of Data Subject to withdraw his Consent, and withdrawal process must be easy.

2.    A Data Subject shall have the right at any time to withdraw his Consent to the Processing of Personal Data concerning him, and such withdrawal shall not affect the lawfulness and legitimacy of the Processing performed on the basis of any Consent given prior to such withdrawal.

ARTICLE (7) – THE GENERAL OBLIGATIONS OF THE CONTROLLER

The Controller shall:

1.    subject to the nature, scope and purposes of the Processing and the risks to the privacy and confidentiality of Personal Data relating to the Data Subject, implement appropriate technical and organizational measures and actions to apply the standard criteria necessary for the protection and security of Personal Data, and ensure that such Data is not subject to Breach, corruption, modification or manipulation.
2.    implement the appropriate measures, either during the identification of Processing means or during the Processing itself, for the purposes of compliance with the provisions of this Decree-Law including the controls provided for in Article (5) hereof. Such measures include Pseudonymization.
3.    implement the appropriate technical and organizational measures in relation to the automatic setup, to ensure that the Processing of Personal Data is restricted to the specific purpose thereof. This obligation shall apply to the scale and kind of Personal Data collected, the type of the Processing taking place, the duration of storage of such Data, and the accessibility thereto.
4.    maintain a record of Personal Data processed, which shall contain the details of both the Controller and the Data Protection Officer, a description of categories of Personal Data, Data related to persons authorized to access Personal Data, the timeframe, restrictions and scopes of the Processing, the applicable erasure, modification or Processing mechanism, the purpose of the Processing, any Data related to the Cross-border transfer and Processing of such Data, and a description of technical and organizational actions relating to information security and Processing operations. The Controller shall provide such register to the Office, whenever requested to do so.
5.    appoint Processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that Processing will meet the Processing requirements, rules and controls provided for in this Decree-Law and its Executive Regulations and implementing resolutions.
6.    provide the Office, upon decision of the competent judicial authority, with any information requested by the Office in pursuance of its functions stated in this Decree-Law and its Executive Regulations.
7.    any other obligations specified by the Executive Regulations of this Decree-Law.

ARTICLE (8) – THE GENERAL OBLIGATIONS OF THE PROCESSOR

The Processor shall:

1.    perform and implement the Processing on instructions from the Controller, and pursuant to contracts and agreements between them, which identify in particular the scope, subject, purpose, nature and type of Personal Data, and the categories of Data Subjects.
2.    implement the appropriate technical and organizational measures and actions to protect the Personal Data at the design stage, either during the identification of Processing means or during the Processing itself, taking into regard the cost of implementation of such measures and actions and the nature, scope and purpose of the Processing.
3.    perform the Processing in line with its purpose and within the specified timeframe. If the Processing extends beyond the specified timeframe, the Processor must inform the Controller to allow it to extend such timeframe or to give appropriate instructions.
4.    erase data after the expiration of the Processing timeframe or surrender them to the Controller.
5.    not take any act which might result in the disclosure of Personal Data or the Processing findings unless in cases permitted by law.
6.    protect and secure the Processing and secure electronic means and devices used in the Processing and Personal Data contained therein.
7.    maintain a record of Personal Data processed on behalf of the Controller, which shall contain the details of the Controller, the Processor and the Data Protection Officer, a description of categories of Personal Data, Data related to persons authorized to access Personal Data, the timeframe, restrictions and scopes of the Processing, the applicable erasure, modification or Processing mechanism, the purpose of the Processing, any Data related to the Cross-border transfer and Processing of such Data and a description of technical and organizational actions relating to information security and Processing operations. The Processor shall provide such register to the Office, whenever requested to do so.
8.    provide all means to demonstrate its compliance with the provisions of this Decree-Law on demand by the Controller or the Office.
9.    process the Personal Data in accordance with the rules, conditions and controls specified by this Decree-Law and its Executive Regulations or under which instructions are issued by the Office.
10.    in the case of joint Processors, the Processing shall take place pursuant to a written contract or agreement clearly defining their respective obligations, responsibilities and roles in the Processing; failing which, they shall be deemed jointly liable for the obligations and responsibilities stated in this Decree-Law and its Executive Regulations.
11.    The Executive Regulations of this Decree-Law shall determine the procedures, controls, conditions and technical and standard criteria relating to such obligations.

ARTICLE (9) – NOTIFICATION OF PERSONAL DATA BREACH

1.    In addition to its obligations provided for herein, the Controller shall immediately after having become aware of it, notify the Office of any Personal Data Breach relating to a Data Subject which is likely to result in a risk to privacy, confidentiality, and security of his Data and the findings of the investigation within such period and in accordance with such procedures and conditions specified by the Executive Regulations of this Decree-Law, provided notification is accompanied by the following statement and documents:

a.    a description of the nature, form, reasons, approximate number and records of the Breach.
b.    the Details of its Data Protection Officer.
c.    the potential and expected effects of the Breach.
d.    a description of actions and measures taken by it and those proposed to be taken to rectify such Breach and minimize its negative effects.
e.    documentation of the Breach and the corrective actions taken by it.
f.    any other requirements requested by the Office.

2.    In any event, the Controller shall inform the Data Subject where such Breach is likely to result in a risk to the privacy, confidentiality and security of Personal Data concerning him within such period and in accordance with such procedures and conditions specified by the Executive Regulations of this Decree-Law, and shall inform him of the actions taken by it.
3.    The Processor shall, immediately after having become aware of it, notify the Controller of any Personal Data Breach relating to a Data Subject, and the Controller shall in turn notify the Office pursuant to subclause (1) above.
4.    The Office shall, following the receipt of the notification from the Controller, ascertain the reasons for the Breach to ensure the integrity of the security actions taken, and impose the administrative sanctions referred to in Article (26) hereof if it is proved that a contravention of the provisions of this Decree-Law and its implementing resolutions has been committed by the Controller or the Processor.

ARTICLE (10) – DESIGNATION OF DATA PROTECTION OFFICER

1.    The Controller and the Processor shall appoint a Data Protection Officer that has the adequate skills and knowledge to protect the Personal Data, in any of the following events:

a.    where the Processing is likely to result in a high risk to the privacy and confidentiality of Personal Data relating to the Data Subject as a result of adoption of new technologies or due to the amount of Data.
b.    where the Processing involves a systematic and overall assessment of Sensitive Personal Data including Profiling and Automated Processing.
c.    where the Processing involves a large scale of Sensitive Personal Data.

2.    The Data Protection Officer may be an employee of the Controller or the Processor, or authorized by them, whether from inside or outside the State.
3.    The Controller or the Processor shall designate the contact details of the Data Protection Officer and inform the Office accordingly.
4.    The Executive Regulations of this Decree-Law shall specify the kinds of technologies and the standards of determination of the amount of Data required under this Article.

ARTICLE (11) – ROLES OF DATA PROTECTION OFFICER

1.    The Data Protection Officer shall monitor compliance of the Controller or Processor with the provisions of this Decree-Law and its Executive Regulations and implementing resolutions as well as the instructions issued by the Office. The Data Protection Officer shall in particular have the following tasks and duties:

a.    monitor the adequacy and quality of procedures applicable within the Controller or Processor.
b.    receive the requests and complaints relating to Personal Data in accordance with the provisions of this Decree-Law and its executive regulations.
c.    provide technical advice in relation to the periodic assessment and verification procedures regarding the Personal Data protection systems and intrusion prevention systems within the Controller and Processor, document the results of such assessment, and make relevant recommendations including the risk assessment procedures.
d.    act as the contact point between the Controller or Processor, as the case may be, and the Office in respect of the Controller or Processor’s application of the provisions of Personal Data Processing provided for herein.
e.    Any other tasks or authorities determined under the Executive Regulations of this Decree-Law.

2.    The Data Protection Officer shall keep confidential information and Data received in the performance of his tasks and authorities under the provisions of this Decree-Law and its executive regulations and in accordance with the legislation in force in the State.

ARTICLE (12) – OBLIGATIONS OF CONTROLLER AND PROCESSOR TO THE DATA PROTECTION OFFICER

1.    The Controller and Processor shall provide all means to ensure that the Data Protection Officer carries out his roles and tasks provided for in Article (11) hereof as intended. The Controller and Processor shall in particular:

a.    ensure that the Data Protection Officer is involved, properly and in a timely manner, in all issues which relate to the protection of Personal Data.
b.    ensure that the Data Protection Officer is provided with all necessary resources and support to carry out his tasks.
c.    the Data Protection Officer shall not be dismissed or penalized for performing his tasks in accordance with the provisions of this Decree-Law.
d.    ensure that the Data Protection Officer is not entrusted with any tasks that result in a conflict of interests with his tasks specified hereunder.

2.    A Data Subject shall have the right to directly communicate with the Data Protection Officer in relation to Personal Data concerning him and to the Processing of such Data in order to be able to exercise his rights pursuant to the provisions of this Decree-Law.

ARTICLE (13) – RIGHT OF ACCESS TO INFORMATION

1.    A Data Subject shall have the right, upon request submitted to the Controller and at no charge, to obtain the following information:

a.    the categories of Personal Data processed.
b.    the purposes of the Processing.
c.    automated decision-making, including Profiling.
d.    target sectors or enterprises with whom Personal Data concerning him are shared inside and outside the State.
e.    controls and standards relating to the duration of storage and archiving of Personal Data concerning him.
f.    the procedures for rectification, erasure or restriction of the Processing of, and objection to the Processing of, Personal Data concerning him.
g.    safeguards in the case of Cross-border Processing pursuant to Articles (22) and (23) hereof.
h.    actions to be taken in the case of Breach of Personal Data concerning him, in particular where the Breach presents a direct and serious threat to the privacy and confidentiality of Personal Data relating to him.
i.    how to lodge a complaint with the Office.

2.    In any event, the Controller shall, prior to the Processing, provide the Data Subject with the information referred to in para. (b), (d) and (g) of subclause (1) above.
3.    The Controller shall have the right to reject the request of the Data Subject to obtain information referred to in subclause (1) above, if he finds that:

a.    the request is not related to information referred to in subclause (1) above or is excessively repeated.
b.    the request is in contravention of the judicial procedures or investigations carried out by the competent entities.
c.    the request has a negative impact on the Controller’s endeavors to protect information security.
d.    the request relates to the privacy and confidentiality of Personal Data concerning a third party.

ARTICLE (14) – RIGHT TO REQUEST PERSONAL DATA PORTABILITY

1.    A Data Subject shall have the right to receive his Personal Data, which he has provided to a Controller, in a structured and machine-readable format where Processing is based on the Consent of Data Subject, or is necessary for the performance of a contractual obligation, or performed by automated means.
2.    A Data Subject shall have the right to transfer Personal Data concerning him to another Controller, wherever technically possible.

ARTICLE (15) – RIGHT TO RECTIFICATION OR ERASURE OF PERSONAL DATA

1.    A Data Subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate Personal Data concerning him or the completion of such Data.
2.    Without prejudice to legislation in force in the State and for reasons of public interest, a Data Subject shall have the right to require the Controller to erase the Personal Data concerning him in any of the following cases:

a.    where the Personal Data concerning him are no longer necessary for the purposes for which they were collected or processed.
b.    If the Data Subject withdraws his Consent on which the Processing is based.
c.    If the Data Subject objects to the Processing, or there are no legitimate grounds to continue the Processing by the Controller.
d.    The Personal Data concerning him is processed in violation of the provisions of this Decree-Law and the legislation in force, and the erasure is needed for compliance with legislation and approved standards applicable in this regard.

3.    Notwithstanding subclause (2) above, a Data Subject shall not have the right to request the Controller to erase Personal Data concerning him in the following cases:

a.    If the request relates to the erasure of Personal Data relating to public health with private institutions.
b.    If the request affects investigations, or the claim or defense of rights and legal actions, in respect of the Controller.
c.    If the request is in conflict with other legislation to which the Controller is subject.
d.    Any other cases specified by the Executive Regulations of this Decree-Law.

ARTICLE (16) – RIGHT TO RESTRICTION OF PROCESSING

1.    A Data Subject shall have the right to require the Controller to restrict and stop the Processing in any of the following cases:

a.    where the Data Subject contests the accuracy of Personal Data concerning him, in which case the Processing is restricted for a limited period enabling the Controller to verify the accuracy of the Personal Data.
b.    where the Data Subject objects to the Processing of Personal Data relating to him contrary to the agreed purposes.
c.    where the Processing is performed in contravention of the provisions of this Decree-Law and the legislation in force.

2.    A Data Subject shall have the right to require the Controller to continue keeping the Personal Data relating to him after the expiry of the purpose of Processing, where the Personal Data is necessary to pursue or defend in procedures relating to the claim of rights and legal actions.
3.    Notwithstanding subclause (1) above, the Controller shall have the right to process the Personal Data relating to the Data Subject without his consent in any of the following cases:

a.    where the Processing is restricted to the storage of Personal Data.
b.    where the Processing is necessary to initiate or defend in any procedures relating to the claim of rights or judicial actions or is related to judicial procedures.
c.    where the Processing is necessary for the protection of third party rights pursuant to legislation in force.
d.    where the Processing is necessary for the reasons of protection of public interest.

4.    In any event, the Data Subject must be informed by the Controller when the restriction referred to in this Article is lifted.

ARTICLE (17) – RIGHT TO STOP PROCESSING

A Data Subject shall have the right to object to the Processing of Personal Data relating to him and stop the Processing in any of the following events:
1.    where Personal Data is Processed for direct marketing purposes, including Profiling to the extent that it is related to such direct marketing.
2.    where the Personal Data is processed for statistical survey purposes, unless the Processing is necessary for the reasons of public interest.
3.    where the Personal Data is processed in contravention of the provisions of Article (5) hereof.

ARTICLE (18) – RIGHT OF PROCESSING AND AUTOMATED PROCESSING

1.    A Data Subject shall have the right to object to automated decision-making that has legal implications for, or seriously affects, the Data Subject, including Profiling.
2.    Notwithstanding subclause (1) above, a Data Subject shall not have the right to object to automated decision-making in the following cases:

a.    The Automated Processing is performed under the terms of contract between the Data Subject and Controller.
b.    The Automated Processing is necessary under other legislation in force in the State.
c.    If the Data Subject has given his Consent to the Automated Processing pursuant to the conditions stated in Article (6) hereof.

3.    The Controller shall implement appropriate measures and actions to protect the privacy and confidentiality of the Personal Data relating to the Data Subject in cases referred to in subclause (2) above, and to avoid any harm to, or prejudice of rights of the Data Subject.
4.    The Controller shall involve the human element in the review of Automated Processing decisions upon request of the Data Subject.

ARTICLE (19) – MEANS OF COMMUNICATION WITH CONTROLLERS

The Controller shall provide clear and appropriate means and mechanisms that enable the Data Subject to communicate with him and request the exercise of any of his rights provided for herein.

ARTICLE (20) – PERSONAL DATA INFORMATION SECURITY

1.    The Controller and the Processor shall put in place, and implement appropriate technical and organizational measures and actions to ensure a high information security level that is appropriate to the risks associated with the Processing in accordance with the best international standards and practices. This may include:

a.    encryption of Personal Data and implementation of Data Pseudonymization.
b.    implementation of measures and actions that guarantee the continued confidentiality, integrity, safety and flexibility of Processing systems and services.
c.    Implementation of measures and actions that guarantee the retrieval of, and access to the Personal Data in due time in case of any actual or technical failure.
d.    Implementation of actions that guarantee the smooth testing, assessment and evaluation of the effectiveness of technical and organizational measures in such a manner that ensures the security of Processing.

2.    In assessing the level of information security referred to in subclause (1) above, due regard shall be given to:

a.    risks associated with the Processing including corruption, loss, accidental or unlawful modification or unauthorized disclosure of, or access to the Personal Data transferred, stored or processed.
b.    the cost, nature, scope and purpose of the Processing, and the disparity in potential risks to the privacy and confidentiality of Personal Data relating to the Data Subject.

ARTICLE (21) – PERSONAL DATA PROTECTION IMPACT ASSESSMENT

1.    Subject to the nature, scope and purpose of the Processing, the Controller shall, prior to the Processing, carry out an assessment of the impact of the envisaged Processing operations on the protection of Personal Data, when using any modern technologies that are likely to result in a high risk to the privacy and confidentiality of Personal Data of the Data Subject.
2.    Impact assessment provided for in subclause (1) above is necessary in the following cases:

a.    where the Processing involves a systematic and extensive evaluation of personal aspects relating to the Data Subject which is based on Automated Processing, including Profiling, or has legal effects or might significantly affect the Data Subject.
b.    where the Processing involves a large scale of Sensitive Personal Data.

3.    The assessment referred to in subclause (1) above shall at least include:

a.    a clear and systematic description of the envisaged Processing operations, their impact on the protection of Personal Data, and the purpose of the Processing of such Data.
b.    assessment of the necessity and proportionality of the Processing operations in relation to the purpose thereof.
c.    assessment of the potential risks to the privacy and confidentiality of Personal Data relating to the Data Subject.
d.    actions and measures envisaged to reduce the potential risks to the protection of the Personal Data.

4.    The Controller may carry out a single assessment for a set of Processing operations that are similar in nature and risks.
5.    The Controller shall coordinate with the Data Protection Officer when carrying out the Personal Data protection impact assessment.
6.    The Office shall prepare a list of the types of Processing operations that are not subject to a Personal Data protection impact assessment and make it publicly available on its website.
7.    The Controller shall review the assessment outcomes on a periodic basis to ensure that the Processing is performed in line with the assessment, in case the level of risk associated with the Processing operations varies.

ARTICLE (22) – CROSS-BORDER TRANSFER AND SHARING OF PERSONAL DATA FOR PROCESSING PURPOSES IN CASE THERE IS AN ADEQUATE LEVEL OF PROTECTION

A transfer of Personal Data outside the State may take place in the following cases approved by the Office:

1.    The state or territory to which Personal Data is transferred has Personal Data protection legislation in place, including the main provisions, measures, controls, requirements and rules in relation to the protection of confidentiality and privacy of the Personal Data relating to the Data Subject and his ability to exercise his rights, and provisions relating to the imposition of appropriate measures against the Controller or the Processor through a regulatory or judicial entity.
2.    The State’s accession to bilateral or multilateral agreements in respect of Personal Data protection with states to which Personal Data is transferred.

ARTICLE (23) – CROSS-BORDER TRANSFER AND SHARING OF PERSONAL DATA FOR PROCESSING PURPOSES IN THE ABSENCE OF AN ADEQUATE LEVEL OF PROTECTION

1.    Notwithstanding Article (22) hereof, a transfer of Personal Data outside the State may take place in the following cases:

a.    in states where no data protection law exists, Establishments operating in the State and in such states may transfer data under a contract or agreement binding the Establishment in such states to the provisions, measures, controls and conditions stated herein and containing provisions relating to the imposition of appropriate measures against the Controller or the Processor through a supervisory or judicial entity in such state which is specified in the contract.
b.    the express consent of the Data Subject to the Processing of Personal Data relating to him outside the State in such a manner that does not conflict with the public and security interest of the State.
c.    the transfer is necessary for performing obligations and establishing rights before judicial entities or exercising or defending them.
d.    the transfer is necessary for the entry into, or the performance of a contract between the Controller and the Data Subject, or between the Controller and a third party for the interests of the Data Subject.
e.    the transfer is necessary for the performance of an act relating to international judicial cooperation.
f.    the transfer is necessary for the protection of public interest.

2.    The Executive Regulations of this Decree-Law shall specify the controls and requirements regarding cases referred to in subclause (1) above, which must be met in case of transfer of the Personal Data outside the State.

ARTICLE (24) – COMPLAINT LODGING

1.    A Data Subject may lodge a complaint with the Office, in accordance with the rules and procedures determined by the Office in this regard, if he has reason to believe that a contravention of the provisions of this Decree-Law has been committed, or that the Controller or Processor is Processing Personal Data relating to him in contravention of its provisions.
2.    The Office shall receive complaints lodged by the Data Subject pursuant to subclause (1) above, and shall verify the same in coordination with the Controller and Processor.
3.    The Office may impose the administrative sanctions set forth in Article (26) hereof in case any contravention by the Controller or the Processor of the provisions of this Decree-Law or the violation of its implementing resolutions is established.

ARTICLE (25) – GRIEVANCE AGAINST DECISIONS OF THE OFFICE

Any concerned party may file a grievance in writing with the Director General of the Office against any decision, administrative sanction or action taken against him by the Office within (30) thirty days of the date of his notification of such decision, administrative sanction or action. Such grievance shall be determined within (30) thirty days after being filed.
No appeal may be brought against any decision made by the Office pursuant to this Decree-Law unless a grievance is filed against it. The Executive Regulations of this Decree-Law shall specify the procedures for filing and deciding on grievances.

ARTICLE (26) – ADMINISTRATIVE VIOLATIONS AND SANCTIONS

A decision, specifying the acts that constitute contravention of this Decree-Law and its executive regulations, and the administrative sanctions to be imposed, shall be issued by the Cabinet upon proposal of the Director General of the Office.

ARTICLE (27) – DELEGATION

The Cabinet may, upon proposal of the Director General of the Office, confer certain mandates of the Office stated in this Decree-Law on any competent local government authorities within their domestic jurisdiction.

ARTICLE (28) – EXECUTIVE REGULATIONS

The Executive Regulations of this Decree-Law shall be issued by the Cabinet, upon proposal of the Director General of the Office, within (6) six months following the date of issuance of this Decree-Law.

ARTICLE (29) – ADJUSTMENT OF POSITIONS

The Controller and the Processor shall adjust their respective positions in accordance with the provisions of this Decree-Law within a period not exceeding (6) six months after the date of issuance of its Executive Regulations. Such period may be extended by the Cabinet for additional similar periods.

ARTICLE (30) – REPEALS

Any provision contrary to, or in conflict with the provisions of this Decree-Law shall be repealed.

ARTICLE (31) – PUBLICATION AND ENTRY INTO FORCE OF THE DECREE-LAW

This Decree-Law shall be published in the Official Gazette and shall come into effect on January 2, 2022.


Khalifa bin Zayed Al Nahyan
President of the United Arab Emirates
Issued by us at the Presidential Palace in Abu Dhabi
Date: 13 Safar 1443 Hijri / 20 September 2021

Through its Act no.2020-1266 dated 19 October 2020 (the Act), the French legislator elected to regulate the commercial exploitation of the images of children aged 16 and under on online platforms (Kidfluencers).

Despite the potentially lucrative consequences of these emerging practices, Kidfluencers operated in a legal vacuum which could have resulted in parents exploiting their children, without the latter reaping any financial benefits or regaining any control of their images upon coming of age.

First and foremost, the Act extends the existing legal framework for child models, under Article L7124-1 of the French Labor Code (FLC). As such, Kidfluencers will require a written authorization from the French Administration prior to being engaged or broadcast, inter alia:

  • By any entertainment provider, regardless of the medium or broadcast type;
  • In order to perform “modeling activities,” broadly defined under Article L7123-2 FLC as presenting oneself, directly or indirectly through the reproduction of one’s image, either through photographs or video, notably by presenting a product, service or commercial message;
  • By eSport competition organizers; and
  • By “Employer whose activities consist in creating audiovisual recording whose main subject is a child aged 16 or under, for the purpose of for-profit broadcasting on an online video sharing platform”.

The latter category was notably introduced to characterize the parents or legal guardians of the influencers as the “employer” of the Kidfluencer. As they may not be as aware of the legal undertakings as the other providers and organizers mentioned, the Administration will provide them with specific information relating to the Kidfluencers’ rights and the risks associated with exhibiting their image online.

Moreover, a portion of the revenue earned by Kidfluencers will be placed in escrow in a French public bank account until they reach majority.

Secondly, in situations where the broadcast is not performed for profit, the Act introduces additional protective measures for Kidfluencers: instead of a prior authorization, a simple declaration of the activity will be required when the published content exceeds certain thresholds in terms of (i) duration or number of items; or (ii) direct or indirect revenues. Such thresholds will be addressed in a supplemental decree to be adopted shortly.

Failing to obtain the authorization or to file the declaration would entitle the Administration to apply to a court for a take-down of the related content.

Finally, the Act also implements a collaborative framework for online video sharing platforms, and enjoins them to publish dedicated policies aimed at:

  • Informing users of the applicable Kidfluencers’ regulatory framework;
  • Informing Kidfluencers directly of the consequences on their private life of the broadcasting of their image, of the legal and psychological consequences and of the means they have to protect their rights and dignity;
  • Encouraging users to report any content involving Kidfluencers that could affect their dignity, psychological or physical integrity;
  • Preventing the processing of personal data relating to minors for commercial purposes, such as targeted advertising, further to the broadcasting of a Kidfluencer’s video;
  • Detecting situations where the recording or broadcasting of Kidfluencers’ videos could impact their dignity, psychological or physical integrity; and
  • Helping Kidfluencers to easily exercise their right to be forgotten on the video-sharing platforms.

While a welcome step to protect children online, sometimes from their own families, the Act will need to be completed with regard to the thresholds triggering its applicability. In addition, by mainly addressing online video sharing platforms, the Act could have benefited from a more homogeneous framework for online platforms allowing the sharing of both still and moving pictures. Indeed, while still images could be covered by the modeling provision, it remains to be seen how extensively it will be enforced.

Amidst the current discussions surrounding the Digital Services Act at the European level, this France-specific framework creates yet another undertaking for online platforms to implement additional measures to support public policies. And by encouraging users to report any content involving Kidfluencers that could affect their dignity, psychological or physical integrity, the Act could generate extra-territorial consequences, forcing the platforms to deploy such reporting mechanism at a global scale.

K&L Gates IP/IT team in Paris remains available to assist you in assessing the changes triggered by this Act. Please get in touch if you would like to discuss the steps that your organization might want to consider to prepare now for this new Kidfluencer framework.

First publication: K&L Gates Fashion Law Watch

A French Revolution, at last?

Despite optimistic statements in 2016 on both sides of the Atlantic (between the European Commission’s communication on connected cars for Europe and the Obama administration’s Detroit Auto Show announcement), it would seem that some of the hype surrounding connected and autonomous vehicles (“CAVs”) has faltered. One reason may be the desensitization of the general public, as the initially promised 2020 deployment is dawning without a hint of general commercial availability in sight. On the other hand, the intricacies of the regulatory frameworks at stake also hinder the development of consumer-ready offers.

More often than not, France is perceived as an administrative maze, yet it may become (unexpectedly to some) a leader in the race to regulate this incoming industry. However, far from being limited to the automotive industry, regulating CAVs will serve as the blueprint for an artificial intelligence (“AI”) legal framework.


While Capitol Hill is inundated with proposed privacy legislation, from the Data Breach Prevention and Compensation Act (DBPCA) to the CLOUD Act and the ENCRYPT Act, organizations the world over are trying to understand how to get their own regimes deemed adequate enough to ensure the flow of business with the EU, now that the GDPR is a reality.

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)


The French Autorité des Marchés Financiers has recently published a synthesis of the contributions it received in response to its public consultation on Initial Coin Offerings (ICOs) to obtain stakeholder views on how these new types of blockchain offerings might be regulated.

The consultation included a presentation of ICOs, a warning on the risks they present, a legal analysis of ICOs with respect to the rules overseen by the AMF and the regulatory options proposed by the AMF. Respondents were invited to give their views on all of these points.

The English version of the synthesis can be found here, the French version here and our previous coverage of the consultation can be found here.

First published on K&L Gates Fintech Law Blog.

On 26 October 2017, France’s Financial Markets Authority, the “Autorité des Marchés Financiers” (“AMF”), published a discussion paper focusing on initial coin offerings (“ICOs”) that highlights the (many) dangers that arise from these unregulated transactions and discusses the regulation options that it currently foresees.