Claude-Etienne, Armingaud, Associé
K&L Gates

Stéphane Bonifassi, Associé fondateur
Bonifassi Avocats

Les options d’examen et d’analyse assistées par la technologie sont de plus en plus utilisées dans les enquêtes internes et externes, notamment par les multinationales. L’utilisation de l’analyse des données peut apporter efficacité, précision et réduction des coûts. Cependant, le croisement entre le droit et la technologie soulève des préoccupations uniques en matière de protection de la vie privée et d’autres questions juridiques lors des enquêtes internes et externes : cette session permettra de vous mettre à niveau. Les sujets de discussion incluront :

  • Étudier la manière dont l’analyse des données et la découverte électronique peuvent aider les enquêtes multinationales.
  • Comprendre vos obligations selon la loi Schrems II, le RGPD et d’autres législations.
  • Apprendre les meilleures pratiques pour se conformer à ces obligations lors des enquêtes internes ou externes, de la diligence raisonnable et de la dénonciation des dysfonctionnements.
  • Comparer et intégrer des lignes directrices de la CNIL et du Conseil européen de la protection des données, entre autres.
  • Déterminer l’impact de la proposition de cadre transatlantique pour la protection des données sur votre pratique quotidienne.

Plus d’information

Read the full text.


Global law firm K&L Gates has advised Envision Digital, one of the world’s largest managers of renewable energy, on its acquisition of the Nantes-based software publisher QOS Energy. 

Envision Digital, which operates the EnOSTM net zero platform, manages more than 400 GW of renewable energy globally. The Singapore-headquartered company has more than 1,000 employees and 12 international offices, spanning the United Kingdom, France, Germany, the Netherlands, Norway, Malaysia, China, Japan, and the United States.

Founded in Nantes in 2010, QOS Energy is a leading provider of energy management software. It has developed a web-based platform called “Qantum,” dedicated to monitoring and managing the performance of solar and wind energy production and storage facilities.

The Paris-based deal team advising Envision Digital was led by Raphaël Bloch (partner) with the assistance of Samuel Boccara (senior associate). Employment law advice was provided by Christine Artus (partner) and Natacha Meyer (associate), while Claude-Etienne Armingaud (partner) and Camille Scarparo (associate) advised on intellectual property and IT matters. Additional support was provided by Brussels-based partners Melanie Bruneau and Philip Torbøl and counsels Miguel Angel Caramello Alvarez and Antoine de Rohan Chabot, who advised on foreign investment-related issues, and Singapore-based client relationship lawyers Lai Foong Chan and Lucas Nicolet-Serra.

Virtual products, the metaverse, and non-fungible tokens (NFTs) have recently been expanding and receiving considerable attention from investors, the general public; as well as the art world – within the span of a year, NFT-backed virtual works of art have been reaching new height, from Beeple, Everydays: The First 5000 Days (March 2021 – US$ 69.3) to The Merge (December 2021 – US$ 91.8). Today, the most valuable living artist in history is a virtual work of art author (Pak, author of The Merge).

With the rise of this new market, numerous stakeholders have tried to expand the protection of these digital creations through trademark registration before the European Union Intellectual Property Office (EUIPO) or its national counterparts in the European Union. However, they also found that the current 11th Nice Classification lacked clarity and precision on that matter. Indeed, the “virtual goods” may represent an electronic version of an existing tangible goods, but the applicants were likely to face rejection from the trademark offices, as the classification as a “good” still requires a physical embodiment.

In June 2022, the EUIPO finally addressed this issue to provide clarity, by going on the record to consider virtual products (including NFTs, or more likely the underlying virtual works to which such NFTs would be appended) as digital content or images, hence belonging to Class 9 which encompasses instruments for science or research, audio-visual and information technology equipment, as well as security and safety equipment. This new approach is part of its 2023 draft Guidelines which aims at harmonising IP practices across the EUIPO, increasing predictability and ensuring compliance, consistency and coherence.

Consequently, virtual goods and NFTs will be added to the upcoming 12th edition of the Nice Classification. However, the EUIPO rightfully considers NFTs to be certificates, distinct from the virtual element they authenticate. A specific wording has been established in the draft directive, namely “downloadable digital files authenticated by non-fungible token”, the term “non-fungible token” being deemed, in and of itself, not acceptable by EUIPO without a proper link to the underlying asset.

The EUIPO is not going to further modify this Class to address all possible situation, but advises applicants to specify which content the virtual products are referring to, e.g.“downloadable virtual products, namely virtual pieces of furniture.

Concerning virtual services and NFTs, the actual principles are maintained and applicants need to refer to pre-established definitions.

This decision from EUIPO allows for the facilitation of virtual products and NFTs trademarks. Internal and external stakeholders have until 3 October 2022 to escalate observations on draft directives to the EUIPO.

First publication on the K&L Gates IP Blog in collaboration with Louise Bégué

Following the positions expressed by the Austrian, German and French Supervisory Authorities (see our previous Alert), the Italian Supervisory Authority (Garante per la Protezione dei Dati Personali, Garante-) published on 9 June 2022 a specific measure, according to which website analytics solutions used to measure online audience (Analytics Service Solutions) infringe on the EU General Data Protection Regulation no. 2016/679 (GDPRexternal source) when such use implies a transfer of personal data to a third country without an adequate level of personal data protection, such as the United States. Generally speaking, the Garante, aligned its position on the matter with its counterparts.


The UK Government has finally published its highly anticipated Data Protection and Digital Information Bill (the Bill), marking the first significant post-Brexit change to the UK’s data protection regime. Following Brexit, the UK continued following the EU General Data Protection Regulation, incorporated into UK law as the UK GDPR, and the UK implementation of the EU ePrivacy Directive, the Privacy and Electronic Communications Regulations 2003 (PECR), also remained in force.

The Bill is only at the start of the legislative process, and it remains to be seen how it will develop if it is amended during its passage through Parliament, but early indications are that it represents more of an evolution than a revolution in the UK regime. That will come as a relief to businesses that transfer personal data from the EU to the UK, because it reduces the risk that the EU might rescind the UK’s adequacy status.

For a start, the Bill actually preserves the UK GDPR, its enabling legislation the Data Protection Act 2018, and the PECR, because it is drafted as an amending act rather than a completely new legislative instrument. This does not contribute to user-friendliness, as interpreting UK data protection requirements will require a great deal of cross-referencing across texts.

The more eye-catching proposed changes in the Bill include:

  • The inclusion of a list of “legitimate interests” that will automatically qualify as being covered by the lawful basis in UK GDPR Article 6(e).
  • Some limitations on data subject access requests, such as the possibility of refusing “vexatious or excessive” requests.
  • More exemptions from the requirement to obtain consent to cookies.
  • Much higher fees for breach of PECR.

The Bill will now progress through various Parliamentary stages over the coming months in order to become law.

First Publication: K&L Gates Cyber Law Watch in collaboration with Noirin McFadden & Keisha Phippen

On 29 June 2022,  Decree n° 2022-946 (the “Decree”) supplemented the regulatory framework resulting from the Ordinance n° 2021-1247 of 29 September 2021 on the legal warranty of conformity for goods, digital content and digital services (the “Ordinance”). Stakeholders have under 1 October 2022 to implement the following measures, aiming at protecting consumers of digital goods.

1. General information about the Ordinance

Implementing two 2019 European directives on certain aspects of contracts for the supply of digital content and digital services and contracts for the sale of goods (respectively Directives (EU) 2019/770 and 2019/771 dated 20 May 2019), the Ordinance aimed to foster the safety of consumers when purchasing both physical and digital goods and, to a lesser extent, to reduce the environmental impact of digital goods.

This Ordinance amended the French Consumer Code in depth, notably by expanding the legal warranty of conformity, which now covers digital products and services but is also applicable to both B2C as well as B2B contracts, when the latter are executed between professionals and non-professionals (i.e. legal entities acting outside of their direct professional activities).


FW: Could you provide an overview of trends in global data flows? To what extent is the business world now unavoidably reliant on the ability to share information instantly over vast distances?

Armingaud: A global economy, with data being the fuel for that economy, means that globalised data is unavoidable. This tendency is in particular driven by more and more jurisdictions adopting rules on data transfers of personal data. Cross-border data transfer trends could be roughly described as, on the one hand, a Western trend, for example the EU’s General Data Protection Regulation (GDPR) aimed at data protection and restriction of transfers, in particular contractually framing personal data transfers, and, on the other hand, an Eastern data protectionism trend, such as China’s Personal Information Protection Law (PIPL) and Indonesia’s data protection laws and regulations, aimed at a general restrictive data localisation requirement, which may be linked to a broader concept of data sovereignty.

FW: How would you characterise the risks and complexities involved in cross-border data transfers? Drilling down, what particular factors do organisations need to consider?

Armingaud: Risks pertaining to cross-border data transfers relate to regulatory compliance to ensure that such transfers are valid in light of a lack on foreseeability since the Schrems II decision. Less obvious, but not negligible, is whether proper information is being given to data subjects regarding data transfers. The French Data Protection Authority (CNIL) recently suspended the use of cookies on such grounds. Organisations also need to consider onward transfers that require end-to-end visibility by data exporters and the risks of a shared or joint several liability qualification as per the joint controller relationship between parties.

FW: How do regulations governing data transfers vary between jurisdictions? To what extent do these variances add additional layers of risk?

Armingaud: Both the Western and Eastern cross-border transfer restriction trends – data protection and data protectionism – are essentially opposed. This divergence of opinion over how to deal with personal data necessarily calls for more complex agreements – which is leading to frustration and incomprehension during negotiations on both sides – or to separate, regional templates, which may lead to potential discrepancies in warranties.

FW: How important is it for organisations to undertake a data transfer risk assessment (TRA)? What steps need to be taken when conducting a TRA to ensure it is effective, up to date and compliant with current regulatory requirements and privacy laws?

Armingaud: Pertaining to the accountability principle, a data transfer risk assessment is mandatory. To quote the European Data Protection Board (EDPB): “Knowing your transfers is an essential first step to fulfil your obligations under the principle of accountability.” Mapping a transfer requires the entity to perform a 360-degree overview of the process, asking and being able to answer questions on who, why, what, how and how long, from initial export to final import of the personal data.

FW: What kinds of tools, such as encryption and containerisation, may be used to protect privileged, sensitive or confidential information being transferred internationally?

Armingaud: To protect personal data, we need to make use of what is referred to under article 32 of the GDPR as technical and organisational measures (TOMs). These are not restricted to only technical tools but also fall under pure process. In that sense, annex II of the EC Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries provides a set of process type examples of TOMs, including ‘measures for ensuring data minimisation’, ‘measures for ensuring data quality’ and ‘measures for ensuring limited data retention’. Implementing TOMs requires the controller to carry out a proportionality test relying on the underlying personal data and the processing operations. It is, however, sometimes easier, less time consuming and less expensive to set out a maximum level of TOMs regardless of the sensitivity of the processing.

FW: What essential advice would you offer to organisations on establishing an effective international data transfer solution that manages risk and provides an adequate level of protection?

Armingaud: If I were to offer only one word of advice, it would be to ‘document’. Data protection is less about what you are doing and more about why you are doing it. Being prepared and able to justify any action when processing data ensures that either you are doing it right or you have a justified and legitimate answer for it, as per the accountability principle.

FW: Given that the volume of data transferred around the world will only increase, do you expect the associated risks and regulatory regimes to intensify? What key issues are likely to dominate this issue over the coming years?

Armingaud: It is not so much that the volume is increasing, but the sensitivity of the underlying data. There is an increasing frustration within many countries arising from the perceived data wealth being funnelled to the US and generating less value in the country of origin. I would expect to see more data localisation requirements, so protecting individuals against foreign access will, for all intents and purposes, dictate the future evolution of regulations.

Read the full article on Financier Worldwide Magazine

Individuals having difficulties in obtaining responses to their personal data subject access requests (DSAR) from French telephone operator Free Mobile filed several complaints before the Frenchdata protection authority (CNIL). These requests related to accessing their personal data and objecting to receiving direct marketing messages by electronic means. After its investigations, the CNIL imposed a fine of €300,000 against Free Mobile on 28 December 2021.


Following the 2020 Court of Justice of the European Union’s (CJEU) ruling invalidating the Privacy Shield (see our alert here), personal data transfers from the European Union to the United States required EU companies to implement additional safeguard mechanisms, as the CJEU considered that U.S. legislation did not provide sufficient guarantees against the risk of access by public authorities (including intelligence services) to the imported data.