Masterclass – From GDPR to the new world of 2021: revolutions are accelerating

The Laurence Simons Search Talking Head series continues with an interview with Anne-Marie Pecoraro, Partner at UGGC Avocats (and Founder of A Turquoise, a law firm which has just merged with UGGC).

Anne-Marie is a French law expert specialising in international matters related to intellectual property, new technologies, media, and entertainment law.

Laurent Pompanon, Principal Consultant at Laurence Simons Search, catches up with multi-lingual Anne-Marie to gain an insight into her remarkable career, post Brexit data transfers and best practices in data processing. 

Laurent Pompanon (LP):  Hello Anne-Marie, thank you for answering our questions today. Can you sum up your professional journey so far for our readers please?

Anne-Marie Pecoraro (AMP): I am passionate about economic, audiovisual and technology law, audiovisual law, and technology, and by luck and affinity I had the opportunity throughout my career to defend owners and intellectual property cases. I worked at the SACD, firstly for audiovisual productions and then I worked for Warner Music, and once I joined the Bar, I defended audiovisual and musical projects.  I also represented some very famous designers, especially for the protection of their brands and licenses.

I like to listen to and support creative project leaders, to structure strategies to enable them to thrive. The 90s and 2000s were the days of technological revolutions, so I rooted my practice in technology, culture, expertise, and integrated it with innovation. This is also what we owe to the future generations we help to train: to provide them with tools to understand the future, through solid knowledge and a concern for ethical solutions. Data Protection Law has seen fundamental developments, exciting legal twists, and I help my clients to integrate it and to look for its positive effects.  There was the GDPR revolution that brought a huge plus to the European Union, setting a common global standard and the example to the world, and I accompanied my clients through every disruption and opportunity.  The understanding of my clients’ sectors, e.g., techno, media, culture, luxury, lifestyle, philanthropic or trade union organisations etc., has allowed my team to develop a dynamic and strategic style in intellectual property, trademark advocacy, media and communication law, technology law and economic law.

LP: You recently joined the firm UGGC, what motivated this choice and what are your ambitions?

AP: It was obvious after meeting the excellent teams of UGGC Lawyers that they offer the profile of the lawyers of tomorrow, ready to overcome market transformations with sharp expertise.  I share many values with UGGC, including an international vision, a complementary view of diversity, and a strength and desire to build the future together.

LP: You are very active, among other things, on the issues raised by the GDPR. What are the main issues faced by your clients?

AP: Having been dealing for years with clients’ issues related to the protection and processing of personal data, I have dedicated myself to offering quality expertise, reinforced by my merger with UGGC where my partners, Corinne Khayat and Elisabeth Logeais, have a solid experience in this field. Sales sites, services, games, charities, foreign groups, for all types of operators we help our clients gain better compliance through control of their processes.

We provide our clients with recognised expertise in information technology, working methods and an ethics consistent with the GDPR.

Our efficient work practices are part of a comprehensive communication strategy for the best interests of clients. Indeed, the GDPR is not always a constraint, but also an argument for giving value, enriching an organisation, when it manages to avail itself of the efforts made, against its competitors. We have always encouraged international ties by forging privileged relationships with European, American, and Asian correspondents. Compliance being taken into account as an advantage in international competition gives an enriched vision of the GDPR’s strengths.

The entry into force of the General Data Protection Regulations (the so-called “GDPR”) on 25 May 2018 has raised considerable economic, ethical, and societal challenges. We work in partnership with experts (such as DPO-CSE EXPERTISE’s “DPO” Data Protection Delegates, or EBRC’s cybersecurity experts) and we use appropriate software and legal tech to support the GDPR in several countries.

All clients are affected by personal data issues – personal data that they must process, collect or transfer in accordance with the GDPR. The first approach to compliance often takes the form of audits, known as “GDPR audits,” which our firm works on as a team. It is also formative work – including for clients’ employees – because it needs to be developed with a good knowledge of the GDPR and to include innovative and practical ideas to adapt the recommendations to the structure and its market – foundations, companies, consulting firms etc.

We have also had the opportunity to work with many organisations, including schools, transport authorities, and health institutes, focusing on health data, in terms of audits and compliance with the GDPR.

Finally, as this is a recent regulation – evolving and sometimes lacking clarity – I am interrogated almost daily on all kinds of issues relating to the GDPR: methods of data collection, protection of sensitive data including medical data, evidence of the obtention of consent, and in particular transfer of data outside the EU. Indeed, a first setback had upset the international US-EU landscape with the cancellation of Safe Harbour by the CJEU in 2015, so that another agreement had been put in place in July 2016, called the Privacy Shield.  Again, this tool has been cancelled, leading clients to take emergency measures!

LS: You have just mentioned the issues of data transfers abroad. What does the recent invalidation of the Privacy Shield by the CJEU (Court of Justice of the European Union) call into question? Who is involved and what will happen in the coming months?

AP: The GDPR provides that a transfer of data outside the EU can only be carried out if

(i) appropriate safeguards are put in place

(ii) the persons concerned have effectively enforceable rights (Article 46, paragraph 1 and paragraph 2, under c), of the GDPR).

The Privacy Shield, or “Data Protection Shield” in France, was part of an agreement reached on 12 July 2016 by the European Union Commission, the US Department of Commerce, and the Swiss Administration.  It aimed to implement a system to protect personal data transferred from the EU and Switzerland to the United States.

As previously mentioned, this agreement replaced the previous Safe Harbour device in France, which had already been cancelled in 2015 by the CJEU in the “Schrems 1” decision!

The CJEU also cancelled the Privacy Shield on 16 July with the “Schrems 2” decision. This is a situation that is not new but can be difficult to get through. The Court considered, for multiple reasons, that the Privacy Shield did not provide sufficient safeguards for protection.

These include: all operators to which the GDPR applies, which may circulate personal data outside the EU and in the US (for example on servers located on US soil).

Currently, these operators do not have a certain legal framework to carry out these transfers. They must therefore ensure transfer by transfer to comply with all the security conditions set by the GDPR.

The European Data Protection Committee (ECDP), which is a kind of “European CNIL” which oversees the action of European authorities on personal data, published guidelines on 11 November to help companies get a clearer picture. They detailed a 6-step guide to ensure the legality of the transfer abroad:

1 – Identify transfers.

2 – Identify the security tools to secure them.

3 – Analyse their effectiveness.

4 – Adopt additional measures.

5 – Integrate them.

6 – Frequently reassess transfer security.

The most prudent operators will be assisted by data professionals such as our firm to help them in this process.

LS: What impact do you think Brexit could have on data transfer issues between the European Union and the UK?

AP: The United Kingdom withdrew from the European Union on 1 January 2020, but the withdrawal agreement (Article 71) provides that the provisions of the GDPR remain applicable there until 31 December 2020.

Until then, therefore, Brexit has not yet had an impact on data transfer issues between the EU and the UK. The United Kingdom is still a fictional part of the European Union when it comes to the protection of personal data. In all cases, after this transition period until 1 January 2021, the British government announced its decision to keep the GDPR in the English legal order. *

On the one hand, as the United Kingdom is a so-called dualistic system, it has essentially incorporated the GDPR into its own legal order in 2018, by adopting a data protection law that incorporates all the provisions of the GDPR (Data Protection Act). So, the UK already has a certain level of security. On the other hand, it is not excluded that in the deal to be concluded at the end of the year it is expected that by exception to Brexit the GDPR will continue to apply in the United Kingdom.

But if really no deal is concluded – this is the no deal hypothesis – then guarantees will have to be provided, by seeking an equivalent level of protection, either by concluding a kind of Privacy Shield between the EU and the UK, hoping that it will not be cancelled, or by the implementation by each operator, transfer by transfer, of security measures. The European Data Protection Committee (ECDP), already mentioned, has anticipated this situation by already issuing a note in 2019 on data transfers to the UK in the event of a no deal. It is available on the internet. In essence, it takes the same steps that operators must apply when they wish to make transfers to the US now that there is no longer a Privacy Shield: it is necessary to identify the treatments and secure them. Again, a prudent operator wishing to transfer data to the UK after 1 January 2021 will contact a professional.

LP: Cyber security issues are a major concern for many companies.  What is your role as a lawyer in this context, who do you work with and on what issues?

AP: Cybersecurity issues are indeed at the heart of my clients’ concerns and a priority for the GDPR. My role as a lawyer is to protect my clients in relation to:

  • that my clients have upstream technologies, framed by solid contracts and processes, that allow them to protect both their information assets and that of the people whose data they process.
  • that my clients can continue their business even after identifying an infringement of their cybersecurity, whether intentional (cyberattack) or not.  In this case, my job may be, on a non-limiting basis, to accompany criminal complaints, to make a report under the Code of Criminal Procedure, to implement the alert procedures or to frame the responsibilities.

In addition, as these are mainly technical issues, we have been working since 2019 in partnership with DPO CSE EXPERTISE (GIE of data protection consultants integrating technicians and DPO) as well as with the specialist cybersecurity service provider EBRC.  Together, we offer a 360-degree offer and can respond to all the problems faced by our clients: to ASSIST, SUPPORT and COUNSEL the internal DPO as well as the technical teams.

With DPO CSE EXPERTISE, we support our clients by offering DPO and outsourced cybersecurity services to SMALLes, SMEs, ETI, GE, CSE, non-profit organisations and professional unions. We have field experience combining our legal expertise (including international) as well as new technological tools. We provide the cybersecurity part through audits, vulnerability testing (web, servers, networks, workstation, digital services etc.) and integrity as well as attack simulations. We provide advice and recommendations on authentication mechanisms, logging systems and TLS25 implementation for a website and ISO/CIS 27000 standards. We support our clients in all stages by supporting projects (MOA) and above all keeping them compliant with long-term support. (2)

Finally, I would like to conclude with a more global perspective: the transfer of data from Europe to servers located in the United States refers to the thorny issue of technological sovereignty.

We note a shift, from state sovereignty, which could be our historical model, to a technological sovereignty of the most popular digital enterprises; when we know that the GAFA have a turnover higher than the GDP of France, and when we know the will of their leaders to cement their positions in the international sphere in a way that competes with the States, we must be aware of the very strong influence of these giants on the standards adopted.

Why would France, and more generally Europe, have more difficulty creating champion platforms for which the Americans have the prerogative?

The lawyers encourage all French start-ups, all potential “Unicorns”, so that France, by restoring its technological sovereignty, also restores its potential for development and growth.

Finally, on Tuesday 15 December 2020, the European Commission published the draft regulations on digital services (better known as the Digital Services Act) and digital markets (better known as the Digital Markets Act).

These two draft regulations, to come into force by 2022, aim to propose a comprehensive set of new rules that will apply to all digital services, including social networks, online marketplaces and any type of online platform active in the European Union (hereafter “EU”).

This is a very important turning point in the European Union, likely to impact all organisations, all activities. These regulations could represent a new thunderbolt, as was the GDPR, and our teams of lawyers specialising in digital law are ready to assist clients with any legal issues they may encounter in this area, 

1. EDPD, Information note on data transfers under the GDPR in the event of a no-deal Brexit, Adopted on 12 February 2019, Updated on 4 October 2019, on :

2. Start-up valued at more than $1 billion.