statutory instrument (S.I.)

The European Commission’s (EC) International Standard Contractual Clauses (SCCs), which we previously discussed here, contain extensive third party beneficiary rights. The EC’s decision made clear that with these new international transfer SCCs, the parties can decide for themselves which EU Member State law will govern their SCCs, provided that the Member State’s laws allowed for third-party beneficiary rights. Where a Member State’s laws did not allow for third-party beneficiary rights, then the SCCs would have to be governed by the law of another Member State that recognises third party beneficiary rights.

Ireland had been the only member state that did not allow for third-party beneficiary rights as the law had required strict privity of contract. Despite some commentary about data subjects being able to use a theory of agency to enforce their rights, the Irish Department of Justice issued a statutory instrument (S.I.) to amend the Irish Data Protection Act 2018.

With the new SCCs entering into force on the 27th of June, a new Irish S.I., the EUROPEAN UNION (ENFORCEMENT OF DATA SUBJECTS’ RIGHTS ON TRANSFER OF PERSONAL DATA OUTSIDE THE EUROPEAN UNION) REGULATIONS 2021, was issued and came into force on the 24th of June—just days before the SCCs became effective. S.I. No. 297 of 2021 amends Section 117A of the Irish Data Protection Act by providing an express right for individuals to enforce third party beneficiary rights granted to data subjects under the SCCs. What’s more, this S.I. also allows for data subjects to enforce third party beneficiary rights under binding corporate rules and any other standard data protection clauses that may be adopted by a national supervisory authority and approved by the EC.Continue Reading New SCCs: Ireland amends its legislation to allow for third-party rights