New rules for transborder data flows


Since 27 June 2021, organizations have been able to use the European Commission’s long-awaited revamped version of the Standard Contractual Clauses (SCCs) for transfers of data to recipients in third countries or to international organizations, adopted by the Commission in its Implementing Decision (EU) 2021/914 of 4 June 2021.

 

Published in the aftermath of the puzzling Facebook Ireland and Schrems CJEU decision, the new SCCs implement some of the requirements of that decision while adapting the provisions to the specifications of the GDPR. Under Article 46(5) of the EU’s General Data Protection Regulation (GDPR), the old SCCs remained in force in the interim to allow for a smooth transition from the regime under the Data Protection Directive 95/46/EC to the GDPR. There was therefore no doubt that the old SCCs were in obvious need of updating to align with the GDPR, and what better time for updates than the months following the controversial Facebook Ireland and Schrems CJEU decision.

 

The differences between the old and the new versions of the SCCs are significant and no less debatable. Some consider that the new SCCs are a compensation mechanism for the lack of data protection laws and practices in non-EEA countries, making it very complicated for organizations in all sorts of industries to maintain their international data transfer engagements with non-EEA providers of services to the European Union market. Some publications have already written that pressure is growing on companies to store their data locally in Europe.

Third-party beneficiary rights under the new SCCs

The primary purpose of the new SCCs remains that of creating enforceable rights for data subjects under the domestic law of the European Union.

Flows of personal data that are undergoing processing or are intended for processing after transfer to a third country or to an international organization are allowed only if enforceable data subject rights and legal remedies for data subjects are available.

Therefore, the main body of the new SCCs comprises the data exporter's and the data importer's promise that the SCCs can be enforced by data subjects themselves as third-party beneficiaries for almost all of the listed obligations. Where a data subject suffers material or non-material damage as a consequence of any breach of the third-party beneficiary rights under the SCCs, the data subject is entitled to compensation.

The third-party beneficiary right (also known as ius quaesitum tertio) is a right to enforcement and compensation held by a person who may sue on the basis of a contract despite not having originally been an active party to it, because that third party is in fact the intended beneficiary of the contract.

 
According to Clause 3 of the new SCCs, data subjects can enforce the majority of the provisions of the new SCCs as third-party beneficiaries. Although the new SCCs have a longer list of clauses that data subjects cannot invoke against the parties to the SCCs, in practice they simply exclude all the provisions that apply specifically between the data importer and the data exporter or to interactions with data protection authorities.

Under the old SCCs regime, if data subjects wished to bring a claim for noncompliance with the SCCs, they first had to bring that claim against the data exporter or, if that was not possible, against the data importer or, if that was not possible either, against a sub-processor, provided that there was one. This approach was a hurdle for data subjects; hence, the new SCCs redressed this situation by allowing data subjects to enforce their rights against the data exporter and/or data importer, as the data subject wishes.

For that purpose, the new SCCs provide for the liability of each party to the data subject, and for the data subject's entitlement to receive compensation for any material or non-material damage caused by a breach of the third-party beneficiary rights. The data subject is entitled to bring an action in a court of law against any of the data exporter, data importer or sub-processor to have the entire damage covered by any of them.

Therefore, the indemnification clause in the earlier draft of the new SCCs has been replaced with a “contribution clause”. This clause reflects Art 82 para. 5 of the GDPR, which provides that where a controller or processor has paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other responsible controllers or processors the part of the compensation corresponding to their part of responsibility for the damage.

As per the last paragraph of Recital 12 of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021: “In the event of a dispute between the data importer and a data subject who invokes his or her rights as a third-party beneficiary, the data subject should be able to lodge a complaint with the competent supervisory authority or refer the dispute to the competent courts in the EU.” 

 

Data subjects in the Member States can start legal proceedings against the data exporter and/or data importer before the supervisory authority (SA) or courts of the Member State in which the data subject has his or her habitual residence.

Data subjects in non-Member States can start legal proceedings against the data exporter and/or data importer before the SA or courts of the Member State in which the data exporter and/or data importer is established or, if the data exporter and/or data importer does not have an establishment in the Union, before the SA or the courts of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established.

 

Third-party beneficiary rights and the doctrine of privity in common-law countries 

 

Two points need to be made with regard to the interplay between third-party beneficiary rights and the doctrine of privity in common-law systems.

First, third-party beneficiary rights are intrinsically linked to the stipulations regarding the law governing the SCCs. According to the second paragraph of Recital 12 of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021: “(…) while the parties should be allowed to choose the law of one of the Member States as governing the standard contractual clauses, that law must allow for third-party beneficiary rights.”

 
Second, under traditional common law, the ius quaesitum tertio principle was not recognized. Instead, the common-law system relies on the doctrine of privity of contract, which restricts rights, obligations, and liabilities arising from a contract to the contracting parties only (said to be privy to the contract). In other words, according to the doctrine of privity of contract, only the parties to a contract can enforce it. However, the United Kingdom significantly reformed the common-law doctrine of privity by introducing a number of allowances and exceptions for ius quaesitum tertio in English law.
 
What about other common-law countries like Ireland?
 
Having said that, some commentators have asked whether companies will be prevented from choosing Irish law as the governing law of their SCCs, since Ireland is a common-law jurisdiction and, as such, depends on the doctrine of privity of contract.
 
Unlike the UK approach, Irish courts have backed this doctrine over the years, declining nevertheless to enforce it strictly and inflexibly and tending instead to apply case-by-case exceptions. In practice, the privity rules have been circumvented by way of assignment of contract, by collateral warranties or by suing in tort (e.g., for negligence). The original Irish Data Protection Act 2018 (which gave effect to the GDPR in Ireland) intentionally excluded the doctrine of privity, although this explicit exclusion was dropped from the final text.
 
Nevertheless, this concern cannot hold water today, for at least two reasons.
 
First, Irish law was amended on June 24, 2021, just a few days before the new SCCs came into effect, precisely for the purpose of allowing for third-party beneficiary rights in Irish data protection law. This removes an ambiguity that had arisen for companies adopting SCCs and BCRs under Irish law.
 
Second, Clause 9 of the old SCCs, which provided that “The Clauses shall be governed by the law of the Member States in which the data exporter is established”, was modified to include two options for modules one, two and three and one option for module four.
 
In a nutshell, under Clause 17 of the new SCCs the governing law is either the law of one of the Member States, as per the contracting parties’ choice, or the law of the Member State of the data exporter, provided that such law allows for third-party beneficiary rights. Therefore, the new SCCs, unlike the old version, no longer restrict the governing law of the SCCs to that of the data exporter, allowing the parties to the SCCs to make their choice as long as that choice is for the law of a Member State that allows for third-party beneficiary rights.
 
No flag raised under the old SCCs 
 
As pointed out above, Ireland refurbished its legislation in this respect just a few days before the new SCCs came into effect. Why did nobody raise a flag under the old SCCs? That no one raised a flag under the old SCCs could reflect the fact that most data subjects remained unaware of the existence of SCCs and of their rights stemming from them, let alone attempted to enforce their rights under them. Nevertheless, the legislator took a proactive approach, trying to address the issue at hand in the new version of the SCCs by providing flexible options that would benefit third-party beneficiaries.
 
As for English law, although it provides for third-party beneficiary rights, post-Brexit it cannot be chosen as the governing law for SCCs because the UK is no longer an EU Member State.
 
Conclusion
 
Companies must bear in mind that the use of the SCCs for transfers of data to non-EU recipients now forms part of a larger picture. Companies have to clearly understand where personal data is being sent and accessed from, the roles of the receiving parties, and the requirement to assess the laws of the third countries, and to understand whether any additional security or other contractual safeguards can mitigate gaps and risks to data subjects’ rights stemming from the importing country's legislation. At the same time, data subjects in third countries can claim the rights conferred under the GDPR under the third-party beneficiary clause.
 

Author Petruta Pirva, Founder and Legal Counsel Data Privacy and Digital Law @EU Digital Partners