‘Specialist in new technologies’, K&L Gates LLP‘s team has an outstanding reputation for legal advice on innovative technologies and data-related concerns. Claude-Etienne Armingaud and Raphael Bloch are recognised as ‘exceptional lawyers who miss no details and who know their fields to perfection’. Claude-Etienne Armingaud has developed particular knowledge of multijurisdictional transactional matters dealing with IT outsourcing and data protection for blockchain and fintech, connected cars, and big data services.

Leading individuals: Claude-Etienne Armingaud – K&L Gates LLP

Practice head(s): Claude-Etienne Armingaud

Other key lawyers: Raphael Bloch

Testimonials

‘K&L Gates remains true to its values of promoting technology and social justice.’

‘On diversity, K&L Gates is one of the most visible among law firms, notably with its ‘Conversations About Race’ conference series. Claude-Etienne Armingaud’s presence on the Diversity Committee is also appreciated insofar as most Anglo-Saxon firms are satisfied with an American-American approach and not a global one.’

‘Specialist in new technologies, Claude-Etienne Armingaud has been with us since the very beginning. He was able to advise us on all the regulatory aspects of our activity.’

‘Claude-Etienne Armingaud and Raphael Bloch are both exceptional lawyers who miss no details and who know their fields to perfection. They know how to adapt to our needs and are absolutely always available. It goes without saying that we recommend them without hesitation whenever possible.’

‘The impressive knowledge of the field of personal data protection is undoubtedly the asset of the team of this law firm. Knowing all regulations and legislative updates regarding personal data allows for practical and in-depth advice. They are pragmatic and competent in any matter of personal data protection whatever the legal basis to be used: French legislation, European regulations, international texts. I highly recommend the K&L Gates for any digital society legal issue born.’

‘Claude-Etienne Armingaud has shown invaluable support which, by providing his expertise in the field of personal data, helps to save time and explores new avenues to trace any problem. Working with him has left me with the most positive impressions and he remains the first to contact if I encounter any difficulties regarding data protection policies and procedures.’

Key clients

  • Microsoft, Inc.
  • Coty, Inc.
  • Docaposte
  • Ergotron
  • Maytronics Limited
  • Sinch AB
  • Channel Advisor Corporation
  • AR24
  • Masraf Al Rayan QSC
  • Carnegie Mellon University (CMU)
  • Ravel Technologies
  • Cyber Civil Rights Initiative

Work highlights

  • Assisting Ergotron, a US company manufacturing desks, mobile carts and screen stands, with its GDPR compliance.
  • Assisted Carnegie Mellon University with the GDPR compliance of its documentation for the testing and deployment of AI-backed solutions.
  • Advised Sinch AB within the framework of its acquisition of SAP Digital Interconnect with a focus on IT and data protection laws.

Source: Legal500

Transfer from the UK

On 21 March 2022, the United Kingdom finalized the adoption of its own version of the European Union’s (EU) Standard Contractual Clauses (SCC), a contractual mechanism aiming at securing personal data protected under a data protection framework to third countries not deemed to offer an “adequate” level of data protection.

On 16 July 2020, while the United Kingdom was still an EU Member State, the European Court of Justice (CJEU), through its Schrems II decision, added new requirements to the SCC (see our Alert here), relating to safeguards against access to personal data protected under EU’s General Data Protection Regulation (GDPR) by intelligence agencies. As a consequence, the European Union adopted new versions of the SCC in June 2021 (see our Alert here), but the United Kingdom having finalized Brexit in the meantime, did not adopt the new SCCs, instead operating the previous versions of the SCC, and an updated document for transfers initiated under the UK GDPR was needed.

The UK’s draft International Data Transfer Agreement (IDTA) and Addendum  were laid before Parliament on 22 February 2022 and finally adopted on 21 March 2022 without changes. The IDTA is an equivalent contract to the SCC, but uses a tabular approach in place of the modules used by the SCC. The alternative instrument that was introduced, the Addendum, provides UK data exporters with a semi-seamless mechanism where they can leverage their existing SCC for transfers initiated under the EU GDPR. The Addendum consists of a form effectively selecting the relevant options of the SCC and amending EU terminology and legal references to UK-specific ones. It is likely to be more widely used than the IDTA, particularly as data exporters with operations in both the UK and the EU will look to reduce the number of contracts they need to enter into. Overall, the IDTA and the Addendum represent a narrowing in the divergence that had appeared recently in the differing safeguards required by the UK and the EU for data exporters engaged in personal data transfers from their respective jurisdictions.

As a reminder:

  • Transfers between the EU and the UK do not need any specific measures as per the adequacy decision currently in place (see our Alert here)
  • all data transfer agreements under the EU GDPR based on the previous versions of the SCC will need to be migrated to the new SCC on or before 27 December 2022; and
  • all data transfer agreements under the UK GDPR executed on or before 21 September 2022 on the basis of any Transitional Standard Clauses (based on the previous versions of the SCC) will need to be migrated to an IDTA or Addendum on or before 21 March 2024.

Transfer from the EU to the US: En Route for Schrems III?

On 25 March 2022, European Commission President Ursula von der Leyen and United States President Joe Biden announced  an “agreement in principle” on a new EU-US data sharing system, expected to replace the Privacy Shield framework invalidated under the CJEU’s Schrems II decision in 2020 (see our Alert here).

As no draft of that “agreement” has been circulated, the existing grievances against U.S. intelligence agencies’ access to personal data protected under GDPR remain and concerns relating to ‘effective legal remedies’ available to individuals protected under GDPR (Data Subjects) will need to be addressed. Data activist Maximilian Schrems and his organization, noyb, already announced that they would closely monitor the development of this new framework and challenge any decision which would not abide by the CJEU’s 2020 Schrems II decision.

While such a political statement is encouraging for the future of international data transfers, this announcement should not be construed as relieving companies subject to GDPR’s territorial scope (see our Alert here) from implementing adequate data transfer mechanisms until more concrete elements are adopted.

Such transfer mechanisms notably include:

  • A transfer impact assessment (TIA), analyzing the regulatory framework applicable to the destination country and any supplemental technical and organizational measures to be implemented to safeguard the transferred personal data from undue access;
  • Implementation of a transfer mechanism, such as the SCC (see above) or adhesion to Binding Corporate Rules, or to a Code of Conduct (see our Alert here).

K&L Gates’ global data protection team (including in each of our European offices) remains available to assist you in achieving the compliance of your data transfers at a global level.

First publication: K&L Gates Hub in collaboration with Noirin McFadden, Thomas Nietsch and Keisha Phippen

Quoted by Global Data Review:

Claude-Étienne Armingaud, a partner at K&L Gates in Paris, said the decision would have little impact in practice.

“The new sections adopted in July 2021 are implementing specific and targeted data retention requirements which should therefore comply with both the ECJ decisions and the Constitutional Council decision of today,” he said.

“So, if anything, it’s a tardy decision that was expected and confirmation that the Government did well to anticipate this.”

Read full article here.

K&L Gates ranked “Highly Recommended – Band 1” with Claude-Etienne Armingaud.

Source: Leaders League

(more…)

Join us on 19 January 2022 – 1.30pm GMT

Host – Paul Hampton, Senior Product Manager, Thales

Speakers :

  • Stewart Room, Partner, Global Head of Data Protection & Cyber Security, DWF
  • Claude-Étienne Armingaud, CIPP/E, Partner – Practice Group Coordinator | Data Protection, Privacy and Security, K&L Gates LLP
  • Ray Walshe, Director and EU Observatory for ICT Standards, Dublin City University

Most organisations have felt the impact of accelerating their cloud adoption strategies in the past two years. While beneficial to the enterprise in numerous areas, such as faster application development, combined with the ability to experiment and quickly leverage elasticity and resiliency, these benefits have also brought significant new security challenges.

Today, enterprises are grappling with security issues never before faced or addressed. The debate of shared responsibility between provider and customer, data sovereignty, the utopian cloud environment and the constant changing of threat models to name a few.

This session will draw on the recent findings of the 2021 Thales Cloud Security Report to discuss how European enterprises are handling the data security repercussions of an accelerated cloud deployment.

Areas for Discussion

• The widespread use of SaaS within the enterprise

• Cloud complexity with ‘lift & shift’, multicloud, and hybrid

• Encryption in the cloud is not as widespread as enterprises think

• How successful are enterprises in maintaining compliance and avoiding breaches in the cloud

• Who owns responsibility for the security of data in the cloud

More information and registration here

Following the conclusion of the adequacy talks in March 2021, the European Commission has adopted on 17 December 2021 an adequacy decision addressing the transfers of personal data to the Republic of Korea under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive.

Both texts prohibit the transfer of personal data to “third countries” unless (a) the destination country benefits from (i) an adequacy decision or (ii) appropriate safeguards, such as standard contractual clauses (see our alert here) or codes of conduct (see our alert here); or (b) one of the limited derogations under Article 49 GDPR applies.

With regards to the adequacy talks, the Republic of Korea agreed on the implementation of additional safeguards. Accordingly, the reform of Republic of Korea’s data protection framework (the Personal Information Protection Act) in August 2020, the several addition safeguards have been implemented including transparency provisions and enforcement power strengthening of the Personal Information Protection Commission (§70).

The Republic of Korea adequacy decision complements the Free Trade Agreement (FTA) of July 2011 and allows a seamless flow of personal data between the Republic of Korea and the European Union.

Unlike the UK adequacy decision which contains a sunset clause (see our alert here), the Republic of Korea adequacy decision is not limited in time. However, pursuant to Article 45.3 GDPR, the European Commission carry out a first review of the decision after three years to evaluate any evolution in the Republic of Korea data protection framework, that would lead to divergence with the EU regulations (§220). 

The Republic of Korea now belongs to the increasing group of third countries benefiting from an adequacy decision (including, since GDPR’s entry into force, Japan and the UK).

The firm’s global data protection team (including in each of our European offices) remains available to assist you in achieving the compliance of your data transfers at global levels.

First publication: K&L Gates Hub in collaboration with Andrew L. Chung, Camille Scarparo and Eric Yoon

On 6 October 2021, the Court of Justice of the European Union (CJEU or the Court) issued a judgment in case C-882/19 following a request for a preliminary ruling by the Court of Appeal of Barcelona (the Referring Court). 

The CJEU´s ruling could prove to have a real practical impact for victims of competition law breaches since it may open the door to suing a domestic subsidiary of a cartel member. The Court ruled that the victim of an anticompetitive practice had to be able to claim compensation from the subsidiary established in its member state for the damage caused by the conduct of the parent company (which had been sanctioned by the Commission), provided that: 

  • The subsidiary and the parent company together characterize a single economic unit; and
  • There was a concrete link between the economic activity of that subsidiary and the subject matter of the competition law infringement for which the parent company has been held liable.

The EU Commission had imposed a record fine of €2.93 billion on the leading European truck manufacturers for a 14-years’ duration cartel involving agreements on the sale prices of trucks (decision adopted on 19 July 2016). One of the cartel members was the parent company of the defendant in the case at hand.

(more…)

The UK government has unveiled its much-trailed plans to reform its data protection laws, outlined in a consultation document which is open for public comment until 19 November 2021.

Since Brexit was finalised at the start of 2021, the United Kingdom has retained much of the EU General Data Protection Regulation. The government’s plans, if implemented, would see the UK move away from the EU’s approach in several key ways, which may lead to trouble for the continuation of the adequacy decision granted by the EU in June. If terminated, the adequacy decision, currently permitting free flows of personal data between the EU and the UK, could cause increased costs and bureaucracy for businesses on both sides of the Channel to continue their data transfers. 

Some of the changes to the UK GDPR proposed in the consultation document are:

  • Making the legitimate interests lawful basis easier to use, by publishing a limited, exhaustive list of legitimate interests that organisations can use without having to complete a balancing test.
  • Removal of the right to human review of decisions made on the basis of solely automated data processing.
  • Introducing a fee for responding to subject access requests and allowing organisations to refuse to comply with requests at a lower threshold than “manifestly unfounded”, as allowed in the current legislation.

The proposals also introduce potential changes to the UK’s Privacy and Electronic Communications Regulations, including:

  • Increasing the current maximum penalty of £500,000 for breaches of the direct marketing regulations to the higher of 4% of global turnover or £17.5 million, thereby matching the maximum penalty under UK GDPR.
  • Removing the requirement for websites to obtain consent before serving some analytics cookies.
  • Extending the “soft opt in” for direct marketing to organisations other than businesses, such as charities and political parties.

First publication: Cyber Law Watch with Noirin McFadden

Further to investigations initiated by the Data Protection Commission (or DPC, the Irish supervisory authority) in 2018, Whatsapp Ireland Limited has received a EUR 225 million fine on 2 September 2021. The company infringed multiple GDPR provisions including in relation with the information provided to data subjects which breached the obligation to ensure transparency of processing (Articles 13 and 14 GDPR).

Following GDPR’s one-stop-shop mechanism and as WhatsApp operates cross-border flows of personal data, the DPC had initially been designated as lead supervisory authority (‘LSA’). Article 60 GDPR requires the LSA to submit a draft decision to its impacted counterparts across the European Union (the ‘Concerned Supervisory Authorities’). Such draft has been submitted in December 2020 and the Hungarian, Portuguese, Italian, French, Dutch, Polish, German (local and federal) Concerned Supervisory Authorities unanimously raised objections to the DPC in January 2021. The objections mostly addressed the lax approach by the DPC in the assessment of WhatsApp’s breach of GDPR as well as the amount of the initially contemplated fine in view of the dozens of millions of individuals affected by such breach across the European Union.

This resulted in a non-consensual situation, escalading to the dispute resolution process under Article 65 GDPR conducted by the European Data Protection Board (EDPB). The binding decision, adopted on 28 July 2021 and subsequently notified to the DPC, required the Irish supervisory authority to reassess and increase the fine, thus leading to the second-highest fine under GDPR since its entry into force in 2018.

First publication: Cyber Law Watch with Camille Scarparo & Léa Fertani