Author Archives: Claude-Etienne Armingaud

GDPR and Data Transfers 2.0 – Navigating Through Post-Schrems II Waters

June 11th, 2021 | Posted by Claude-Etienne Armingaud in Uncategorized - (0 Comments)

Depending on whether you are an optimist or a pessimist, it will have taken the European Commission either three years and two weeks (since the General Data Protection Regulation (GDPR) became applicable) or eleven months (since the Schrems II decision, see our Alert here) to publish its finalized revision of the most flexible tool allowing the transfer of personal data to partners located in countries other than those recognized as providing an adequate level of data protection (Adequate Countries): the Standard Contractual Clauses (SCCs).

While Schrems II made headlines by invalidating the Privacy Shield framework, that mechanism only covered around 5,000 companies in the United States. SCCs, on the other hand, remain the most widely used instrument for ensuring an end-to-end sufficient level of protection for personal data covered by European data protection law. With their original version dating back to 2001, an update was sorely needed to align them with GDPR’s extensive reach and requirements.


  • The new SCCs were published on 4 June 2021:
    • Starting on 27 June 2021, companies will need to transition to the new SCCs;
    • On 27 December 2022, companies must have finalized their transition to the new SCCs.
  • Affected companies include:
    • EU-based entities sharing data with partners and providers located in countries deemed not to offer an adequate level of protection;
    • Non EU-based entities otherwise subject to GDPR’s extensive territorial reach (see our Alert here) sharing data with partners and providers located in countries deemed not to offer an adequate level of protection; and
    • Non-EU based entities receiving or processing personal data from or on behalf of EU-based partners or non-EU partners otherwise subject to GDPR.
  • Key new elements include:
    • Data exporting entities will need to assess the importing countries’ regulatory framework;
    • Where such framework cannot safeguard the transferred data subject to GDPR, additional measures must be implemented contractually, organizationally and/or technically;
    • Each and every step of the assessment, and the relevancy of the remediation measures, must be thoroughly documented; and
    • In the case of a controller/processor/sub-processor relationship, the new SCCs consolidate the requirements into a single agreement addressing the data processing requirements under Article 28 GDPR and the data transfer agreement.
  • While the new SCCs provide for a general framework, many issues are left to:


While the SCCs’ predecessors from 2004 and 2010 focused on transfers of personal data from the European Union to third countries, GDPR’s extraterritorial reach has made them obsolete in several ways since 25 May 2018.

The new SCCs clarify that their scope encompasses all situations where personal data processing covered by GDPR is made available to or accessible by third parties in non-Adequate Countries.

As a reminder (see our Alert for more details), GDPR applies to the personal data processing implemented by entities that are:

  • Located within the European Union/European Economic Area (EEA), in which case GDPR applies to all the personal data processing they implement; or
  • Located outside the European Union/EEA, but only for personal data processing that consists in:
    • Offering products or services to individuals in the European Union (e.g. localized e-commerce services); or
    • Monitoring the behavior of individuals in the European Union (e.g. cookies).

The first consequence of the SCCs will be to provide stakeholders not located in the European Union with a self-contained framework of reference to achieve their own compliance with GDPR when it applies to them.

But one aspect remains unclear at this stage: sharing personal data with stakeholders located in non-Adequate Countries, regardless of whether GDPR applies directly to them, would still be considered a restricted data transfer under Article 44 GDPR, since the restriction attaches to the country of establishment. However, the SCCs do not address that specific situation. Hopefully, this will be clarified in the expected Guidelines from the EDPB.

Practically speaking, your company would likely require SCCs if:
  • Your company is established in the European Union/EEA and:
    • Makes the personal data available to service providers (e.g. hosting service providers) located in a non-Adequate Country, especially in case of sub-contracting;
    • Shares personal data with other group companies or commercial partners in a non-Adequate Country for their own specific purposes; or
    • Provides services to entities located in a non-Adequate Country, even if your company cannot process the personal data for any other purpose than those services.
  • Your company is not established in the European Union/EEA but:
    • Falls within GDPR’s territorial scope and:
      • Uses service providers located in a non-Adequate Country; or
      • Shares personal data with other group companies or commercial partners in a non-Adequate Country for their own specific purposes.
    • Does not fall within GDPR’s scope and:
      • Uses service providers located in the European Union/EEA.


Historically, EU data protection law contemplated two main scenarios for the old SCCs: (i) the data exporting entity always had to be a data controller, and (ii) the data importer could be either another data controller or a data processor.

In addition, local interpretations under the previous European Directive 95/46 sometimes exempted situations where the transfer occurred from an EU processor toward a non-EU controller. However, since the founding text was a directive, not all countries recognized such exemptions.

Finally, the old SCCs did not address onward transfers by importing data processors (sub-processing), leading to a complex contractual framework in which the EU exporter would either need to execute the SCCs directly with the sub-contractor, or create an agency mechanism with the data importer.

For non-EU companies, the plurality of scenarios (as well as the plurality of versions under each scenario) led to confusion on the most relevant instruments.

The new SCCs harmonize this landscape by providing a modular template encompassing the four situations, which may now be used between:

  • A Data Controller Exporter and a Data Controller Importer (Module 1)
    • Module 1 addresses situations where each party acts as an independent data controller. The importing data controller will however be limited in the future use of the personal data for further processing. While GDPR is fairly liberal with such subsequent processing operations, the new SCCs restrict the available legal bases for these operations to only (i) the consent of the data subjects; (ii) the necessity for the establishment, exercise or defense of legal claims in the context of specific administrative, regulatory or judicial proceedings; or (iii) the necessity to protect the vital interests of the data subject or of another natural person. Notably absent is the necessity for compliance with a legal or regulatory obligation of the data importer where no actual proceedings have started — which can be explained by the concerns resulting from the Schrems II decision on intelligence and surveillance frameworks abroad.
  • A Data Controller Exporter and a Data Processor Importer (Module 2)
    • Module 2 will also serve the purpose of a data processing agreement mandated by Art. 28 GDPR in addition to the data transfer.
  • A Data Processor Exporter and a Data Processor Importer (Module 3)
    • Module 3 covers the onward transfer of personal data by an EU-based processor to a sub-processor located in a non-Adequate Country, and similarly incorporates the Article 28 GDPR requirements applicable to that sub-processing arrangement.
  • A Data Processor Exporter and a Data Controller Importer (Module 4)
    • Module 4 seems incongruous in view of the data transfer aspects. While data processors subject to GDPR effectively need to address the provision of data by a controller, which may not itself be subject to GDPR, the relevant undertakings would likely take the shape of a data processing agreement characterizing the role of the processor and limiting the purposes for which it may, on behalf of the controller, process the personal data. The limited number of provisions of the new SCCs in that scenario tends to reinforce this analysis, as they merely address instructions, security and documentation (except where the processor combines the controller’s personal data with other data it collected directly in the European Union).

This modular approach will allow companies to build their own SCCs depending on the data processing operations at stake, especially considering that these operations can be more complex than originally anticipated, often with data sharing of differing natures existing within the same transaction.

A notably absent scenario in the list above is the “joint controllers” situation under Article 26 GDPR. This would seem to reinforce the idea that when two entities decide, together, the means and purposes of a data processing operation, GDPR is directly applicable to such processing and, therefore, the sharing of data for that processing operation should not be construed as a data transfer. On the other hand, any provision of the data by or to a processor located in a non-Adequate Country will itself be a data transfer, which may expose the joint controllers to joint liability.


In order to allow stakeholders to digest the new framework and proceed with the renegotiation of their existing contractual arrangements, the old SCCs will remain usable until 26 September 2021, after which they will be repealed and the new SCCs will become the only acceptable SCCs for new agreements.

However, old SCCs already in place by that date will remain valid until 26 December 2022, effectively creating a 15-month transition period, provided that no change in the processing operations requires their update in the meantime.

While this may seem a lengthy window, you should not forget that the consequences of the Schrems II decision have applied since 16 July 2020, and the new SCCs only provide an easier way to implement its requirements. Coupled with the many aspects of the new SCCs that will still be subject to contractual negotiation (see Section 7 below), this means the transition should start without delay.


In line with GDPR’s accountability tenets, the parties will be required to provide extensive details on the personal data processing operations associated with the transfers.

While this exercise should prove relatively easy where both parties have performed their due diligence obligations and data mapping exercises, the overall philosophy of GDPR also mandates that these appendices be completed as a stand-alone document.

Far too often, companies merely refer to the services provided under the underlying commercial contracts to describe the processing operations at stake. Considering that GDPR’s transparency tenet mandates that all information be provided to inquiring data subjects or the competent Supervisory Authority, and that the underlying commercial contract may not, in itself, be sufficiently clear to convey all required elements, many companies will be required to populate the SCCs as a stand-alone document with all relevant details.


Like the former SCCs framework, the provisions of the new SCCs are in most cases expressly enforceable by data subjects, meaning they can directly claim a breach of any of the parties’ obligations under the SCCs in their own name and, for instance, claim remediation of such breach, or compensation for damages incurred as a result of it, from the data exporter or data importer. These direct contractual claims supplement the statutory damage claims under Art. 82 GDPR and may be relevant because, in certain jurisdictions, contractual claims may be more favorable to the claimant than tort law claims.

The extent of the parties’ liability under the SCCs and, in particular, the internal allocation of liability is stipulated essentially in line with Art. 82 GDPR, i.e., the data subject may claim damages from either the data importer or the data exporter, but the party subject to such claim may seek compensation from the other party to the SCCs to the extent the damage was caused by that party. Consequently, limitations of liability are expected to remain a major pain point in data transfer negotiations and should be carefully reviewed.

Both data importers and data exporters must accept jurisdiction of the courts in an EU member state for any such claims brought by a data subject.


Adopting a risk-based approach, the EU Commission allows the exporter to rely on “practical experience” regarding how authorities in the destination country actually access personal data. The assessment is therefore not limited to the letter of the law but also takes into account how it is applied.

This could require the exporter to obtain legal opinions drawn up by counsel in the importing jurisdiction, thereby establishing a sufficiently detailed survey not only of the legal framework applicable to the importer, but also of how that framework is effectively enforced. This position seems to offer more flexibility than the EDPB’s position of November 2020, which focused exclusively on the applicable law.

Companies should therefore consider supplementing their existing data maps with a heat map of the various intelligence and surveillance laws in force in countries with which they contemplate data sharing projects. Based on this assessment, they would subsequently need to implement bespoke technical and organizational measures (TOMs) for each country, or, as a last resort, deploy the most restrictive TOMs to the whole of their operations.

Where the TOMs required for the destination country cannot be implemented (for instance, where the data importer is a large company pressing for its own data protection terms to be adopted, but those terms are not sufficient in view of the assessment previously made by the data exporter), the data exporter will need to look for an alternative partner.

Further to the recent position by a German Supervisory Authority (see our alert here), the commercial onus may shift to U.S.-based service providers to come up with acceptable terms in order to continue doing business with EU companies, or any other companies that would otherwise be, legally or on a voluntary basis, subject to GDPR.


While the new SCCs provide for a common baseline to address the international transfer of personal data, they are more a method than a contract. Indeed, while the foundational principles may be set forth in the SCCs, many critical details of implementation will remain subject to contractual negotiations.

In that regard, we note that the draft SCCs initially provided for cost allocation for the cooperation of the data importer in establishing the data exporter’s own compliance. Whether such cost allocation was fair or not, it had the benefit of leveling the playing field.

These provisions have not been enshrined in the final version of the new SCCs. It will therefore be up to the data exporter to negotiate several aspects to ensure that (i) cooperation of the data importer will not be subject to additional (and sometimes prohibitive) costs, which could effectively hinder its own compliance; and (ii) service levels for such cooperation are coherent with the regulatory undertakings bearing on the exporter.

These additional contractual considerations would notably include:

  • How documented instructions will be conveyed from one party to the other;
  • The timeline, modalities, and costs for cooperation, audit, and information requests by the other party in case of inquiries by the other party, a data subject, a Supervisory Authority, or in case of a data breach;
  • The timeline, modalities, and costs for the return and deletion of the personal data held after the termination of the contract; and
  • Liability aspects as detailed in Section 5 above.

However, one contractual aspect that was often a difficult point of negotiation with service providers is finally resolved by the new SCCs: a processor using further data processors (Sub-Processors) will need to proactively inform the data controller in writing of any contemplated changes. Indeed, service providers usually relied on a webpage listing their providers and directed the controller to check such lists regularly for any changes. This hindered controllers’ efforts to evaluate the compliance of Sub-Processors in due time and to object to such appointments. Nevertheless, the process for lodging an objection is left to contractual negotiations. In any case, Sub-Processors must be listed in a dedicated annex to the new SCCs, which will require the parties to update the SCCs regularly.


The United Kingdom adopted the old SCCs at the end of the Brexit transition period but will not be automatically bound by the new SCCs. While it could of course choose to adopt them, the UK’s Supervisory Authority (the Information Commissioner’s Office, or ICO) has already announced that it will publish a new set of UK-specific SCCs for consultation this summer. Consequently, it could be several months before the UK adopts its own take on the new SCCs. This change to the EU SCCs means that UK and EU practice will likely diverge, and companies involved in data exports from both the UK and the EU could need two sets of agreements to address each series of data flows.

In the meantime, we are also still waiting to hear whether the EU will grant an adequacy decision to the UK. While a draft decision has been published, the relatively critical opinion of the EDPB on the draft UK adequacy decision, published in April, seems to have stalled its final adoption. As the temporary grace period granted under the Trade and Cooperation Agreement, which allowed data exports from the EU to the UK to continue, will run out at the end of this month, UK data importers doing business with EU companies will also need to prepare for this worst-case scenario and execute the new EU SCCs if the adequacy decision is not granted by then.

The firm’s Global Data Protection team (including in each of our European offices) remains available to assist you in achieving the compliance of your data transfers at global levels.

First published on K&L Gates Hub by Claude-Étienne Armingaud, Noirin McFadden and Thomas Nietsch

A specific feature of this application is that access is by co-optation, which whets the appetite of outsiders for this very select club frequented by Elon Musk, Mark Zuckerberg and Bill Gates. “It is a very fine tool from a human and intellectual point of view, in which people feel valued,” says lawyer Claude Armingaud, partner at K&L Gates. This specialist in new technology and intellectual property law has, like several of his colleagues, become an active member of ClubHouse. He hosts the private room “The Privacy House”, dedicated to personal data protection.

Among the anomalies identified are the summary information given to users when they sign up, and access to their contacts that bypasses their consent. “When a person signs up, the network accesses all their contacts and their phone numbers, which constitutes an indirect collection of personal data within the meaning of the GDPR. In principle, these contacts must be informed of this collection within 30 days at the latest, and must be able to exercise their rights to object and to access their data at any time. Otherwise, such collection could constitute a major and clear-cut violation of the GDPR,” explains Mr. Armingaud.

However, Mr. Armingaud notes, “there is a risk that the platform, which does not yet have a real business model, records the conversations for content analysis and marketing. If that is the case, and it does not inform users, that is a breach of the GDPR. If it intends to do so later, it will have to provide that information,” he details.

The question of conversation recording is all the more pressing as “ClubHouse works with a provider established in China, where, incidentally, the application is banned,” the lawyer notes. The voice is ultra-sensitive biometric data that makes it possible to identify a person and, through them, their state of health, opinions and positions, all of which is information to be protected in the tense context of relations with China. “Once it is associated with a profile, the voice is subject to enhanced protection under the GDPR, which prohibits processing the voice for identification purposes,” Mr. Armingaud recalls.

For now, the investigation should establish whether the GDPR applies to the company and whether its rules are being complied with. If not, “the CNIL may, where appropriate, make use of its own enforcement powers,” it has warned. Nevertheless, Mr. Armingaud qualifies, in the event of a sanction, “since the company has no establishment in Europe, there is no guarantee that the decision will be enforced in the United States, which would be a real snub for the GDPR.”

Read the full interview with Laurence Neuer on

The K&L Gates firm is ranked « Pratique Réputée » (Reputable Practice) with Claude-Etienne Armingaud.

Source: Magazine Décideurs

The K&L Gates firm is ranked « Forte Notoriété – Band 1 » (Highly Recommended, Band 1) with Claude-Etienne Armingaud.

Source: Magazine Décideurs

The K&L Gates firm is ranked for its « Pratique Réputée » (Reputable Practice) with Claude-Etienne Armingaud.

Source: Magazine Décideurs


The K&L Gates firm is ranked « Forte Notoriété » (Highly Recommended) with Claude-Etienne Armingaud.

Source: Magazine Décideurs

The Commission Nationale de l’Informatique et des Libertés (CNIL) closed 2020 with a fine of EUR 20,000 against the French company NESTOR, which specializes in preparing and delivering meals to the workplace (see the full decision: CNIL, Décision SAN-2020-018, 8 December 2020).

The CNIL found several violations of the General Data Protection Regulation (“GDPR”) and of the Directive on privacy and electronic communications (“ePrivacy Directive”) concerning the processing of customers’ and prospects’ personal data, in particular:

  • The absence of prior consent from prospects to receive electronic communications for direct marketing purposes, in violation of Article L.34-5 of the Code des Postes et des Communications Électroniques (“CPCE”);
  • The failure to properly inform data subjects (Articles 12 and 13 GDPR), namely:
    • When they create their account on the company’s platform;
    • When data is collected indirectly from external sources.
  • The inability to properly handle data subjects’ access requests (Article 15 GDPR).

While the fine appears relatively limited compared to the maximum amount of EUR 20 million or 4% of turnover that could have been imposed, the decision remains an opportunity to take a closer look at the rapidly developing practices of web scraping and direct marketing.


Cookies: new CNIL awareness campaign

February 24th, 2021 | Posted by Claude-Etienne Armingaud in cookies | Personal Data | France - (0 Comments)

The CNIL sets 31 March 2021 as the end of the “reasonable period” for bringing websites and mobile applications into compliance.

Following the adoption and publication of its amended guidelines and its recommendation on the use of cookies on 1 October 2020 (see our alert on this topic here), the Commission nationale de l’informatique et des libertés (“CNIL”) reminded private and public actors on 4 February 2021 of the need to ensure their compliance with the new obligations regarding cookies and other trackers (“Cookies”, see the CNIL’s press release of 4 February 2021).

To ensure the effectiveness of its action plan on online advertising targeting, and to address the shortcomings observed in both the public and private sectors, the CNIL has set a precise deadline: the adaptation period granted to all actors to achieve compliance will end on 31 March 2021.



January 27th, 2021 | Posted by Claude-Etienne Armingaud in Conference | Personal Data - (0 Comments)

Come celebrate #DataPrivacyDay2021 with us this Thursday, and discuss upcoming events in an informal, online setting (BYOB, obviously).

With the Co-Chairs of the IAPP KnowledgeNet France:

And the Young Privacy Professional volunteer, Meriem Ouarem, Data Privacy Counsel, Schneider Electric.

Register on the IAPP website.