European Commission (EC)

The European Data Protection Board (EDPB) recently adopted Guidelines 05/2021 (the Guidelines) on the interplay between what it means to be outside the European Economic Area (EEA) but directly applicable to the General Data Protection Regulation (GDPR) and what constitutes an international transfer under Chapter V of the GDPR.

The Guidelines set out a ‘cumulative’ definition providing a three-step assessment, and each step of the definition needs to be satisfied before a transfer is deemed to be a transfer of personal data. The guidance seeks to address the questions raised by the European Commission (EC) when it issued the standard contractual clauses (SCCs) earlier this year. The main question is whether personal data processed by a company outside the EEA but subject to the GDPR is a transfer or not.

The Guidelines seek to settle that question that such movements of personal data are not transfers. Instead, the Guidelines state the controllers or processors of such personal data, due to their being subject to the GDPR, must apply Chapter V to the personal data they transfer to a third country as if they were located in the EEA. What can be deemed a ‘geographic’ transfer rather than a legal one separately subject to Chapter V. The Guidelines, however, are open for a consultation period, so the question does not have a definitive answer yet.Continue Reading GDPR: Is it a transfer? Is it not a transfer? It’s EDPB guidance on Chapter V

The European Commission’s (EC) International Standard Contractual Clauses (SCCs), which we previously discussed here, contain extensive third party beneficiary rights. The EC’s decision made clear that with these new international transfer SCCs, the parties can decide for themselves which EU Member State law will govern their SCCs, provided that the Member State’s laws allowed for third-party beneficiary rights. Where a Member State’s laws did not allow for third-party beneficiary rights, then the SCCs would have to be governed by the law of another Member State that recognises third party beneficiary rights.

Ireland had been the only member state that did not allow for third-party beneficiary rights as the law had required strict privity of contract. Despite some commentary about data subjects being able to use a theory of agency to enforce their rights, the Irish Department of Justice issued a statutory instrument (S.I.) to amend the Irish Data Protection Act 2018.

With the new SCCs entering into force on the 27th of June, a new Irish S.I., the EUROPEAN UNION (ENFORCEMENT OF DATA SUBJECTS’ RIGHTS ON TRANSFER OF PERSONAL DATA OUTSIDE THE EUROPEAN UNION) REGULATIONS 2021, was issued and came into force on the 24th of June—just days before the SCCs became effective. S.I. No. 297 of 2021 amends Section 117A of the Irish Data Protection Act by providing an express right for individuals to enforce third party beneficiary rights granted to data subjects under the SCCs. What’s more, this S.I. also allows for data subjects to enforce third party beneficiary rights under binding corporate rules and any other standard data protection clauses that may be adopted by a national supervisory authority and approved by the EC.Continue Reading New SCCs: Ireland amends its legislation to allow for third-party rights