Backed by a global network spanning five continents, the data protection, privacy and security group at K&L Gates LLP assists financial institutions and multinationals in mining, biotech (Anika Therapeutics), energy (Envision), home appliances (SharkNinja), pharmaceuticals (Ipsen), manufacturing (K&N Engineering), luxury goods and tech, on a wide array of matters across the practice area. Headed by Claude-Etienne Armingaud, an expert in multi-jurisdictional transactional matters, dealing with IT outsourcing and data protection, the group also assists clients with GDPR compliance, data sharing agreements and data protection elements of M&A transactions.
Legal 500 Rankings 2023 – Data Privacy and Data Protection – Tier 2 & Leading Individual – France
April 12th, 2023 | Posted in France | Privacy | Rankings
Leaders League Rankings 2023 – Technologies, internet & telecommunications – Data protection law – Law firm – France
March 3rd, 2023 | Posted in France | Privacy | Rankings
K&L Gates ranked “Highly Recommended – Band 1” with Claude-Etienne Armingaud.
Source: Leaders League
Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR
February 25th, 2023 | Posted in Data Transfer | Europe | Privacy
Version 2.0 dated 14 February 2023
The GDPR does not provide for a legal definition of the notion “transfer of personal data to a third country or to an international organisation”. Therefore, the EDPB provides these guidelines to clarify the scenarios to which it considers that the requirements of Chapter V should be applied and, to that end, it has identified three cumulative criteria to qualify a processing operation as a transfer:
- A controller or a processor (“exporter”) is subject to the GDPR for the given processing.
- The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).
- The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Article 3, or is an international organisation.
If the three criteria as identified by the EDPB are met, there is a transfer and Chapter V of the GDPR is applicable. This means that the transfer can only take place under certain conditions, such as in the context of an adequacy decision from the European Commission (Article 45) or by providing appropriate safeguards (Article 46). The provisions of Chapter V aim at ensuring the continued protection of personal data after they have been transferred to a third country or to an international organisation.
Conversely, if the three criteria are not met, there is no transfer and Chapter V of the GDPR does not apply. In this context, it is however important to recall that the controller must nevertheless comply with the other provisions of the GDPR and remains fully accountable for its processing activities, regardless of where they take place. Indeed, although a certain data transmission may not qualify as a transfer according to Chapter V, such processing can still be associated with increased risks since it takes place outside the EU, for example due to conflicting national laws or disproportionate government access in the third country. These risks need to be considered when taking measures under, inter alia, Article 5 (“Principles relating to processing of personal data”), Article 24 (“Responsibility of the controller”) and Article 32 (“Security of processing”) – in order for such processing operation to be lawful under the GDPR.
These guidelines include various examples of data flows to third countries, which are also illustrated in an Annex in order to provide further practical guidance.
Gateway to Privacy: This Is the Way – GDPR Article 5 Compliance
February 25th, 2023 | Posted in Case Law | Communication | Europe | Podcast | Privacy
In this first episode, we discuss the challenges faced by data controllers in their compliance with Article 5 GDPR following the EU Court of Justice’s Digi Case C-77/21. In particular, we focus our discussion on the purpose and data storage limitations, and how your legal team should be the 3PO protocol droid within your organization for the implementation of GDPR best practices.
May the enforcement be with you!
First publication: K&L Gates Hub with Eleonora Curreri
Leaders League Rankings 2022 – Technologies, internet & telecommunications – Data protection law – Law firm – France
March 8th, 2022 | Posted in IT | Privacy | Rankings
K&L Gates ranked “Highly Recommended – Band 1” with Claude-Etienne Armingaud.
Source: Leaders League
Best Lawyers France 2021 – Privacy and Data Security Law
November 2nd, 2021 | Posted in France | Privacy | Rankings
Claude-Etienne Armingaud from K&L Gates ranked among the Best Lawyers France 2021 for Privacy and Data Security Law
Source: Best Lawyers
GDPR – Brexit UK Consults On New Data Protection Regime
September 15th, 2021 | Posted in Brexit | Privacy
The UK government has unveiled its much-trailed plans to reform its data protection laws, outlined in a consultation document which is open for public comment until 19 November 2021.
Since Brexit was finalised at the start of 2021, the United Kingdom has retained much of the EU General Data Protection Regulation. The government’s plans, if implemented, would see the UK move away from the EU’s approach in several key ways, which may lead to trouble for the continuation of the adequacy decision granted by the EU in June. If terminated, the adequacy decision, currently permitting free flows of personal data between the EU and the UK, could cause increased costs and bureaucracy for businesses on both sides of the Channel to continue their data transfers.
Some of the changes to the UK GDPR proposed in the consultation document are:
- Making the legitimate interests lawful basis easier to use, by publishing a limited, exhaustive list of legitimate interests that organisations can use without having to complete a balancing test.
- Removal of the right to human review of decisions made on the basis of solely automated data processing.
- Introducing a fee for responding to subject access requests and allowing organisations to refuse to comply with requests at a lower threshold than “manifestly unfounded”, as allowed in the current legislation.
The proposals also introduce potential changes to the UK’s Privacy and Electronic Communications Regulations, including:
- Increasing the current maximum penalty of £500,000 for breaches of the direct marketing regulations to the higher of 4% of global turnover or £17.5 million, thereby matching the maximum penalty under UK GDPR.
- Removing the requirement for websites to obtain consent before serving some analytics cookies.
- Extending the “soft opt in” for direct marketing to organisations other than businesses, such as charities and political parties.
First publication: Cyber Law Watch with Noirin McFadden
🇺🇸 PrivSec Global – Global Data Protection and Privacy Law Developments: What Lessons Have Enterprise Organisations Learned from the First Three Years of The GDPR
September 6th, 2021 | Posted in Conference | Data Breach | Data Transfer | Europe | Privacy
GDPR fines have been increasing over the last 18 months, and it is proving to be a complex environment for the regulators and the regulated. GDPR has not led to seismic changes (the possibility of entirely new operating models, for example), but it has had a major effect on the ways organizations collect and use data. This panel will discuss the last few years and look ahead to gauge what we have learned and how things will and should change.
Jacob Høedt Larsen, Head of Communications, Wired Relations
Andreea Lisievici, Head of Data Protection Compliance, Volvo Car Corporation
Claude-Etienne Armingaud, CIPP/E, Partner & Practice Group Coordinator – Technology, Sourcing and Privacy, K&L Gates
A New Framework for Transfers of Personal Data: EU and Korea Conclude Adequacy Decision Talks
June 25th, 2021 | Posted in Data Transfer | Europe | Privacy | World
On 30 March 2021, the European Commission, in a joint statement with the Personal Information Protection Commission, the data protection authority of the Republic of Korea (Korea), declared that Korea ensured a level of protection for personal data that is similar to the level provided in the European Union (the EU) and, as such, is a jurisdiction deemed “adequate.” Further to this joint declaration, the European Commission completed its internal procedures and formally adopted the substance of this joint statement in a draft adequacy decision published on 14 June 2021. Once finalized, businesses will be allowed to transfer personal data freely from the EU and European Economic Area (EEA) to Korea without being required to provide further safeguards as required for “third country transfers” under the EU General Data Protection Regulation 2016/679 (GDPR). Once so adopted, the adequacy decision would cover transfers of personal data to commercial operators located in Korea, as well as Korean public authorities. However, the transfer of personal credit information that is subject to jurisdiction of Korea’s Financial Services Commission will be excluded from the coverage of the adequacy decision.
The adequacy decision only relates to the transfer of personal data from the EU/EEA to a recipient in Korea, but it does not cover the general applicability of GDPR. In this context, any company (even outside the EU/EEA) that directly collects personal data from EU residents in connection with offering goods or services or monitoring of behavior of EU residents will still need to comply with the obligations set out in the GDPR for its collection of personal data. Also, significantly, the adequacy decision only covers data flow in one direction, from the EU to Korea, but not in the opposite direction, i.e., from Korea to the EEA. As noted below, barring any further statutory amendments, Korean privacy laws still require data handlers to obtain the consent of data subjects (as opposed to an opt-out) prior to transferring their personal data outside of Korea.
The conclusion of adequacy talks between Korea and the European Commission is a major step in their ongoing four-year dialogue regarding mutual recognition of personal data protection regimes. Korea has been preparing for this adequacy decision since 2015, when the Korean government established a joint public-private sector task force, which was charged with conducting data regulation-related feasibility studies, self-assessments, and comparative analyses in preparation for the first round of adequacy negotiations with the EU in 2017. After two extensive rounds of adequacy negotiations between the representatives of the European Commission and Korea ended without an adequacy finding, Korea decided to make significant amendments to its data protection laws. Such amendments were enacted by the National Assembly, Korea’s national legislature, in January 2020 and became effective in August 2020, thus paving the way for the March 2021 joint statement.
GDPR – Data Transfers 2.0: Navigating Through Post-Schrems II Waters
June 11th, 2021 | Posted in Data Transfer | Europe | Privacy | World
Depending on whether you are an optimist or a pessimist, it will have taken the European Commission either three years and two weeks (since the entry into force of the General Data Protection Regulation (GDPR)) or eleven months (since the Schrems II decision; see our Alert here) to publish its finalized revision of the most flexible tool to allow for the transfer of personal data to partners located in countries not otherwise providing an adequate level of data protection (Adequate Countries): the Standard Contractual Clauses (SCCs).
While Schrems II made headlines with its cancellation of the Privacy Shield framework, this mechanism only affected 5,000 companies in the United States. SCCs, on the other hand, remain the most widely used instrument to ensure an end-to-end sufficient level of protection of personal data covered by European data protection. With their original version dating back to 2001, an update was sorely needed to align them with GDPR’s extensive reach and requirements.
IN A NUTSHELL:
- The new SCCs were published on 4 June 2021:
  - Starting on 27 June 2021, companies will need to transition to the new SCCs;
  - On 27 December 2022, companies must have finalized their transition to the new SCCs.
- Affected companies include:
  - EU-based entities sharing data with partners and providers located in countries deemed not to offer an adequate level of protection;
  - Non-EU-based entities otherwise subject to GDPR’s extensive territorial reach (see our Alert here) sharing data with partners and providers located in countries deemed not to offer an adequate level of protection; and
  - Non-EU-based entities receiving or processing personal data from or on behalf of EU-based partners or non-EU partners otherwise subject to GDPR.
- Key new elements include:
  - Data exporting entities will need to assess the importing countries’ regulatory framework;
  - Where such framework cannot safeguard the transferred data subject to GDPR, additional measures must be implemented contractually, organizationally and/or technically;
  - Each and every step of the assessment, and the relevancy of the remediation measures, must be thoroughly documented; and
  - In the case of a controller/processor/sub-processor relationship, the new SCCs consolidate the requirements into a single agreement addressing the data processing requirements under Article 28 GDPR and the data transfer agreement.
- While the new SCCs provide for a general framework, many issues are left to:
  - The expected interpretation and guidance from the European Data Protection Board (EDPB); and
  - Contractual negotiations between the stakeholders.