France: New Requirements Concerning the Sale of Digital Goods

July 21st, 2022 | Posted by Claude-Etienne Armingaud in eCommerce | France | internet | IT | Legislation - (0 Comments)

On 29 June 2022,  Decree n° 2022-946 (the “Decree”) supplemented the regulatory framework resulting from the Ordinance n° 2021-1247 of 29 September 2021 on the legal warranty of conformity for goods, digital content and digital services (the “Ordinance”). Stakeholders have under 1 October 2022 to implement the following measures, aiming at protecting consumers of digital goods.

1. General information about the Ordinance

Implementing two 2019 European directives on certain aspects of contracts for the supply of digital content and digital services and contracts for the sale of goods (respectively Directives (EU) 2019/770 and 2019/771 dated 20 May 2019), the Ordinance aimed to foster the safety of consumers when purchasing both physical and digital goods and, to a lesser extent, to reduce the environmental impact of digital goods.

This Ordinance amended the French Consumer Code in depth, notably by expanding the legal warranty of conformity, which now covers digital products and services but is also applicable to both B2C as well as B2B contracts, when the latter are executed between professionals and non-professionals (i.e. legal entities acting outside of their direct professional activities).

(more…)

Managing risk in international data transfers

June 30th, 2022 | Posted by Claude-Etienne Armingaud in Non classé - (0 Comments)

FW: Could you provide an overview of trends in global data flows? To what extent is the business world now unavoidably reliant on the ability to share information instantly over vast distances?

Armingaud: A global economy, with data being the fuel for that economy, means that globalised data is unavoidable. This tendency is in particular driven by more and more jurisdictions adopting rules on data transfers of personal data. Cross-border data transfer trends could be roughly described as, on the one hand, a Western trend, for example the EU’s General Data Protection Regulation (GDPR) aimed at data protection and restriction of transfers, in particular contractually framing personal data transfers, and, on the other hand, an Eastern data protectionism trend, such as China’s Personal Information Protection Law (PIPL) and Indonesia’s data protection laws and regulations, aimed at a general restrictive data localisation requirement, which may be linked to a broader concept of data sovereignty.

FW: How would you characterise the risks and complexities involved in cross-border data transfers? Drilling down, what particular factors do organisations need to consider?

Armingaud: Risks pertaining to cross-border data transfers relate to regulatory compliance to ensure that such transfers are valid in light of a lack on foreseeability since the Schrems II decision. Less obvious, but not negligible, is whether proper information is being given to data subjects regarding data transfers. The French Data Protection Authority (CNIL) recently suspended the use of cookies on such grounds. Organisations also need to consider onward transfers that require end-to-end visibility by data exporters and the risks of a shared or joint several liability qualification as per the joint controller relationship between parties.

FW: How do regulations governing data transfers vary between jurisdictions? To what extent do these variances add additional layers of risk?

Armingaud: Both the Western and Eastern cross-border transfer restriction trends – data protection and data protectionism – are essentially opposed. This divergence of opinion over how to deal with personal data necessarily calls for more complex agreements – which is leading to frustration and incomprehension during negotiations on both sides – or to separate, regional templates, which may lead to potential discrepancies in warranties.

FW: How important is it for organisations to undertake a data transfer risk assessment (TRA)? What steps need to be taken when conducting a TRA to ensure it is effective, up to date and compliant with current regulatory requirements and privacy laws?

Armingaud: Pertaining to the accountability principle, a data transfer risk assessment is mandatory. To quote the European Data Protection Board (EDPB): “Knowing your transfers is an essential first step to fulfil your obligations under the principle of accountability.” Mapping a transfer requires the entity to perform a 360-degree overview of the process, asking and being able to answer questions on who, why, what, how and how long, from initial export to final import of the personal data.

FW: What kinds of tools, such as encryption and containerisation, may be used to protect privileged, sensitive or confidential information being transferred internationally?

Armingaud: To protect personal data, we need to make use of what is referred to under article 32 of the GDPR as technical and organisational measures (TOMs). These are not restricted to only technical tools but also fall under pure process. In that sense, annex II of the EC Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries provides a set of process type examples of TOMs, including ‘measures for ensuring data minimisation’, ‘measures for ensuring data quality’ and ‘measures for ensuring limited data retention’. Implementing TOMs requires the controller to carry out a proportionality test relying on the underlying personal data and the processing operations. It is, however, sometimes easier, less time consuming and less expensive to set out a maximum level of TOMs regardless of the sensitivity of the processing.

FW: What essential advice would you offer to organisations on establishing an effective international data transfer solution that manages risk and provides an adequate level of protection?

Armingaud: If I were to offer only one word of advice, it would be to ‘document’. Data protection is less about what you are doing and more about why you are doing it. Being prepared and able to justify any action when processing data ensures that either you are doing it right or you have a justified and legitimate answer for it, as per the accountability principle.

FW: Given that the volume of data transferred around the world will only increase, do you expect the associated risks and regulatory regimes to intensify? What key issues are likely to dominate this issue over the coming years?

Armingaud: It is not so much that the volume is increasing, but the sensitivity of the underlying data. There is an increasing frustration within many countries arising from the perceived data wealth being funnelled to the US and generating less value in the country of origin. I would expect to see more data localisation requirements, so protecting individuals against foreign access will, for all intents and purposes, dictate the future evolution of regulations.

Read the full article on Financier Worldwide Magazine

GDPR: The Importance of Managing DSARs

June 22nd, 2022 | Posted by Claude-Etienne Armingaud in France | Privacy - (0 Comments)

Individuals having difficulties in obtaining responses to their personal data subject access requests (DSAR) from French telephone operator Free Mobile filed several complaints before the Frenchdata protection authority (CNIL). These requests related to accessing their personal data and objecting to receiving direct marketing messages by electronic means. After its investigations, the CNIL imposed a fine of €300,000 against Free Mobile on 28 December 2021.

(more…)

France: Supervisory Authority Publishes Guidance on the Use of Website Analytics in Compliance With GDPR

June 22nd, 2022 | Posted by Claude-Etienne Armingaud in Data Transfer | Europe | Privacy | Social Networks - (0 Comments)

Following the 2020 Court of Justice of the European Union’s (CJEU) ruling invalidating the Privacy Shield (see our alert here), personal data transfers from the European Union to the United States required EU companies to implement additional safeguard mechanisms, as the CJEU considered that U.S. legislation did not provide sufficient guarantees against the risk of access by public authorities (including intelligence services) to the imported data.

(more…)

France: Influencers and Digital Advertising

June 9th, 2022 | Posted by Claude-Etienne Armingaud in France | Social Networks - (0 Comments)

Over the past decade, influence marketing has changed the way advertising is handled by companies. Influencers have entered the marketing world by leveraging massive followings on social media platforms, and brands have recognized the value of the new category of advertising professionals.

Even though the use of influencers has become a mainstay of advertising, French legislation has yet to meet this evolution, resulting in an often opaque legal framework.

The broad spread-out provisions applicable to influencers also generate difficulties in understanding influencers legal status, in particular when they are underage. This notably raises the question whether influencers are employees of the brands they advertise for—and therefore subject to labor law—or if they should be considered independent contractors, with their relationship with brands subject to commercial legislation.

Such opaque legal framework raises questions about the applicable regime, as well as the legal status of influencers. Even though there is no specific regime for influencers, recent legislation was adopted in order to protect children influencers (see our alert here).

(more…)

, , , , , , , , , , , , , , , , , , , ,

UK: Queen’s Speech Heralds GDPR Overhaul

June 7th, 2022 | Posted by Claude-Etienne Armingaud in Brexit | Privacy - (0 Comments)

In the Queen’s speech at the state opening of parliament on 10 May 2022, the UK government announced its intention to change the UK’s data protection regime in a new Data Reform Bill. This follows a consultation last Autumn on how the UK GDPR could be reformed following the UK’s exit from the European Union (EU).

The government claims that the new Bill would:

  • Create a data protection framework focused on “privacy outcomes” that would reduce the burdens on businesses, and a “clearer regulatory environment” to encourage “responsible innovation”.
  • Ensure that citizens’ data is “protected to a gold standard”, while enabling more efficient sharing of data between public bodies.
  • Modernise the Information Commissioner’s Office and require it to be “more accountable to Parliament and the public”.

The Queen’s speech also announced plans to replace the Human Rights Act 1998, which incorporated the European Convention on Human Rights into UK law. According to the government a new “Bill of Rights” would “end the abuse of the human rights framework and restore some common sense to [the] justice system”. This would be achieved by “establishing the primacy of UK case law”, which means that UK courts would no longer be required to follow the case law of the European Court of Human Rights.

Taken together, both of these proposed new legislative measures could change the balance of protection of individuals’ rights in the UK, both generally and in the specific area of personal data regulation. Their development will be closely watched by data protection professionals, because any significant changes in the UK data protection regime could prompt the EU to review its post-Brexit UK adequacy decision, potentially leading to the end of decades of seamless transfers of personal data from the EU to the UK.

First publication on K&L Gates Cyber Law Watch in collaboration with Nóirín McFadden

Guidelines 06/2022 on the practical implementation of amicable settlements

May 12th, 2022 | Posted by Claude-Etienne Armingaud in Europe | Guidelines | Privacy - (0 Comments)

EDPB Guidelines on Amicable Settlements: Key Points

The European Data Protection Board (EDPB) has released guidelines on how supervisory authorities (SAs) should handle amicable settlements under GDPR. Here are the key takeaways:

What is an Amicable Settlement?

  • A process where data protection authorities facilitate resolution of complaints between data subjects and controllers
  • Aims to achieve compliance with GDPR while satisfying both parties’ interests
  • Most suitable for cases involving:
    • Limited number of data subjects
    • Non-systematic violations
    • Incidental/accidental breaches
    • Limited personal data
    • Non-serious violations

Key Principles

  • Not all EU countries allow amicable settlements (14 countries explicitly don’t permit them)
  • Can be used in both local cases and cross-border processing scenarios
  • Must respect principles of good administration and due process
  • Should lead to swift resolution while maintaining high level of data protection

Cross-border Cases

In One-Stop-Shop (OSS) mechanism:

Important Considerations

  • Settlement doesn’t prevent further investigation if systemic issues are discovered
  • Can be partial – some aspects of complaint may require formal investigation
  • Must be documented and communicated properly to all parties
  • Should include proof of compliance from controller and satisfaction from data subject

These guidelines represent a significant step toward harmonizing how data protection authorities handle complaints across the EU, while maintaining flexibility to account for national legal frameworks and specific case circumstances.

Go to the full guidelines.

Litigation Minute: Creating an Incident Response Plan

May 10th, 2022 | Posted by Claude-Etienne Armingaud in Privacy | Violation de données - (0 Comments)

WHAT YOU NEED TO KNOW IN A MINUTE OR LESS

Reported incidents of data breaches have reached record levels over the last two years1)Experian Data Breach Resolution. (2021). Eighth Annual Study: Is Your Company Ready for a Big Data Breach? Ponemon Institute.. Given this undeniable reality, a data security incident response plan is no longer a luxury; it is a vital tool in every company’s larger crisis management plan. A well-thought-out and thorough response plan can not only significantly reduce the confusion that often follows a data security incident, but can also reduce the pitfalls that often lead to regulatory scrutiny and putative class actions in the United States and the fairly recent “group actions” in the European Union.

In a minute or less, here are the essential components of a working incident response plan.

(more…)

References

References
1 Experian Data Breach Resolution. (2021). Eighth Annual Study: Is Your Company Ready for a Big Data Breach? Ponemon Institute.

Legal 500 Rankings 2022 – Data Privacy and Data Protection – Tier 2 & Leading Individual – France

April 11th, 2022 | Posted by Claude-Etienne Armingaud in France | Privacy | Rankings - (0 Comments)

‘Specialist in new technologies’, K&L Gates LLP‘s team has an outstanding reputation for legal advice on innovative technologies and data-related concerns. Claude-Etienne Armingaud and Raphael Bloch are recognised as ‘exceptional lawyers who miss no details and who know their fields to perfection’. Claude-Etienne Armingaud has developed particular knowledge of multijurisdictional transactional matters dealing with IT outsourcing and data protection for blockchain and fintech, connected cars, and big data services.

Leading individuals: Claude-Etienne Armingaud – K&L Gates LLP

Practice head(s): Claude-Etienne Armingaud

Other key lawyers: Raphael Bloch

(more…)

,

Legal 500 Rankings 2022 – Industry focus: IT, telecoms and the internet – Tier 3 – France

April 11th, 2022 | Posted by Claude-Etienne Armingaud in internet | IT | Rankings - (0 Comments)

K&L Gates LLP has strong expertise in innovative systems, combining strength in technology, data protection and IP. Notably undertaking innovative and complex work, the team has advised on encryption and security software for Enigma Software/Cyclonis and secure GPS services for ICaune. Developing a focus on connected transport matters, the firm advises some of the biggest names in this growing area. Claude-Etienne Armingaud is the head of  the practice.

Practice head(s): Claude-Etienne Armingaud

(more…)

,