On 23 November 2018, the European Data Protection Board (“EDPB”) – the gathering of all European Union (EU) data protection authorities – adopted new draft guidelines on territorial scope of the General Data Protection Regulation (“GDPR” – external source). The EDPB was previously known as the Article 29 Working Party.

The long awaited guidelines (“Guidelines”, available here) provide a common interpretation on the scope of application of the GDPR. Its territorial scope, laid down in Article 3 GDPR, states that GDPR applies to:

The Guidelines provide clarification for both EU and non-EU based companies to assess whether all or parts of their activities would fall under the scope of the GDPR and to what extent they would be subject to the application of the GDPR.

Notably, the Guidelines clarified aspects which had been subject to controversy or misinterpretation in the six months since GDPR’s entry into force, such as:

  • A non-EU controller using an EU processor for activities outside of the EU not targeting EU residents does not have to comply with GDPR. An EU processor will be subject to the relevant GDPR provisions directly applicable to data processors;
  • The irrelevancy of the “targeting” criterion when considering applicability of the GDPR to monitoring activities; and
  • Citizenship, established residency or other type of legal status of the data subject is irrelevant to determine the application of the targeting criterion.

Moreover, the Guidelines also clarified the criteria of the appointment of an EU representative defined in Article 27 GDPR for non-EU controllers and processors.

The Guidelines will still be subject to a public consultation before being revised and ultimately adopted in a final version.

K&L Gates’ Data Protection team remains at your disposal to assist you in the completion of your contributions, which will need to be submitted before 18 January 2019.

(more…)

Amidst the international tidal wave caused by the entry into force of the EU General Data Protection Regulation (“GDPR”) in May 2018, many half, or even false truths have been spread about hindrance on a global scale of innovative technologies. However, we must keep in mind that Europe has adopted a long-standing position of technology-neutral regulations and data protection is no exception.

Indeed, from a GDPR perspective, no technology would be prohibited or regulated by nature – only its application to a specific purpose may be regulated, inasmuch as it involves personal data -whether relating to the participants and miners or the payload data itself- and falls within its broad geographical scope (see our previous Alert for more details).
(more…)

While Capitol Hill is inundated with proposed privacy legislations from the Data Breach Prevention and Compensation Act (DBPCA), the CLOUD Act and the ENCRYPT Act, organizations the world over are trying to understand how to get their own regulations deemed adequate enough to ensure the flow of business in the EU, now that GDPR is a reality.
(more…)

On 17 July 2018, the European Union (the “EU”) and Japan reached an agreement to recognize each other’s data protections systems as “equivalent”, and each commits to complete internal procedures by fall 2018 (the “Data Agreement”). Once adopted, this will allow businesses to transfer personal data from the European Economic Area 1)The EEA brings together the EU Member States and the three EFTA (European Free Trade Association) States (Norway, Liechtenstein and Iceland) into a … Continue reading(the “EEA”) to Japan and vice versa without being required to provide further additional safeguards for each transfer.

The Data Agreement concludes the two-year-long dialogue regarding mutual recognition of personal data protection regimes between the two parties, and it was issued along with the EU-Japan Economic Partnership Agreement, a long-awaited EU-Japan free trade deal. Prior to the final Data Agreement, in December 2017, the governments issued a joint statement to resolve issues essentially within the existing personal data protection framework to enable free data transfer between the two parties.
(more…)

References

References
1 The EEA brings together the EU Member States and the three EFTA (European Free Trade Association) States (Norway, Liechtenstein and Iceland) into a single market that seeks to guarantee the free movement of goods, people, services and capital.

On 2 July 2018, the French Data Protection Authority (“Commission Nationale de l’Informatique et des Libertés” or “CNIL”) published its yearly thematic guidance for the priority axes of its control activities, notably further to the entry into force of the recent General Data Protection Regulation (“GDPR”).

As for the previous periods, the CNIL is expecting to launch 300 dawn-raids, either on premises or online, in order to control compliance of companies subject to French and European data protection regulations, notably on newly introduced aspects relating to the implementation of GDPR (right to portability, data protection impact assessments…).

(more…)

K&L Gates ranked “Excellent” with E. Drouard & Claude-Etienne Armingaud.

Source: Leaders League

K&L Gates ranked “Highly Recommended – Band 1” with E. Drouard & Claude-Etienne Armingaud.

Source: Leaders League

K&L Gates ranked “Recommended – Band 2” with E. Drouard & Claude-Etienne Armingaud.

Source: Leaders League

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

(more…)