The European Commission’s (EC) International Standard Contractual Clauses (SCCs), which we previously discussed here, contain extensive third party beneficiary rights. The EC’s decision made clear that with these new international transfer SCCs, the parties can decide for themselves which EU Member State law will govern their SCCs, provided that the Member State’s laws allowed for third-party beneficiary rights. Where a Member State’s laws did not allow for third-party beneficiary rights, then the SCCs would have to be governed by the law of another Member State that recognises third party beneficiary rights.

Ireland had been the only member state that did not allow for third-party beneficiary rights as the law had required strict privity of contract. Despite some commentary about data subjects being able to use a theory of agency to enforce their rights, the Irish Department of Justice issued a statutory instrument (S.I.) to amend the Irish Data Protection Act 2018.

With the new SCCs entering into force on the 27th of June, a new Irish S.I., the EUROPEAN UNION (ENFORCEMENT OF DATA SUBJECTS’ RIGHTS ON TRANSFER OF PERSONAL DATA OUTSIDE THE EUROPEAN UNION) REGULATIONS 2021, was issued and came into force on the 24th of June—just days before the SCCs became effective. S.I. No. 297 of 2021 amends Section 117A of the Irish Data Protection Act by providing an express right for individuals to enforce third party beneficiary rights granted to data subjects under the SCCs. What’s more, this S.I. also allows for data subjects to enforce third party beneficiary rights under binding corporate rules and any other standard data protection clauses that may be adopted by a national supervisory authority and approved by the EC.Continue Reading New SCCs: Ireland amends its legislation to allow for third-party rights

Article 23 of the General Data Protection Regulation (GDPR) allows EU Member States to restrict the scope of data subjects’ GDPR rights and organisations’ GDPR obligations.

The Irish data protection authority, the Data Protection Commission (DPC), released guidelines (Guidelines) on GDPR Article 23 on 19 June 2018. The Irish Data Protection Act 2018 (the Act) was recently passed by the Irish parliament. The Act fills in the details of the derogations left to EU Member States under GDPR.

The Guidelines’ purpose is to provide advice for the Irish government when drafting regulations that restrict data subjects’ rights and organisations’ obligations.

GDPR Article 23

Any proposed restriction requires a detailed analysis of the following conditions to justify why it is required and how it will apply. Restrictions must:Continue Reading Ireland: New guidelines on restrictions on data subject rights

In June 2013, the Federal Trade Commission (FTC) and Ireland’s Office of the Data Protection Commissioner signed a memorandum of understanding establishing a mutual assistance and information exchange program to secure compliance with data protection and privacy laws on both sides of the Atlantic.

The privacy and data protection laws between Ireland and the United