EU: Third-party beneficiary rights under revised SCCs
The newly revised Standard Contractual Clauses ('SCCs') make significant changes to areas such as third-party beneficiary rights, calling into question the relevance of different doctrinal approaches to this area in EU Member States. Petruta Pirvan, IAPP Training Collaborator at Purpose and Means, clarifies the significance of third-party beneficiary rights under the EU's revised SCCs and the doctrine of privity in common-law countries.
New rules for trans-border data flow
Starting as of 2 June 2021, organisations are able to use the European Commission's ('the Commission') long-awaited revamped version of the SCCs for transfers of data to recipients in third countries or to international organisations, adopted by the Commission in its Implementing Decision (EU) 2021/914 of 4 June 2021. Published in the aftermath of the Court of Justice of the European Union's decision in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('Schrems II'), the new SCCs implement some of the requirements of the Schrems II decision while adapting the provisions to the specifications of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Under Article 46(5) of the GDPR, the old SCCs remained in force in the interim to allow for a smooth transition from the regime under the Data Protection Directive (Directive 95/46/EC) to the GDPR. Therefore, there was no doubt that the old SCCs were in obvious need of updating to align with the GDPR, and what better time for updates than the months following the controversial Schrems II decision.
The differences between the old and the new version of the SCCs are significant and no less debatable. Some appreciate that the new SCCs act as a compensation mechanism for the lack of data protection laws and practices in non-EEA countries, which can often make it very complicated for organisations in all sorts of industries to maintain their international data transfer engagements with non-EEA providers of services to the EU market. Some publications have already noted that pressure is growing on companies to store their data locally in Europe.
Third-party beneficiary rights under the new SCCs
The primary purpose of the new SCCs remains that of creating enforceable rights for data subjects under the domestic law of the EU.
Flows of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation are allowed only if enforceable data subject rights and legal remedies for data subjects are available.
Therefore, the main body of the new SCCs comprises the data exporter's and the data importer's promise that the SCCs can be enforced by data subjects themselves as third-party beneficiaries for almost all of the listed obligations. Accordingly, where a data subject suffers material or non-material damage as a consequence of any breach of the third-party beneficiary rights under the SCCs, the data subject is entitled to compensation.
The third-party beneficiary right (also known as ius quaesitum tertio) is a right to enforcement and compensation held by a person who may sue on the basis of a contract despite not having originally been a party to it, because that third party is in fact the intended beneficiary of the contract.
According to Clause 3 in the new SCCs, data subjects can enforce the majority of the provisions of the new SCCs as third-party beneficiaries. Although the new SCCs have a longer list of clauses that data subjects cannot invoke against the parties to the SCCs, in practice they simply exclude all the provisions that apply specifically between the data importer and the data exporter or to interactions with data protection authorities.
Under the old SCCs regime, if data subjects wished to bring a claim for non-compliance with the SCCs, they first had to bring that claim against the data exporter or, if that was not possible, against the data importer or, if that was not possible, against a sub-processor (provided that there was one). This approach was a hurdle for data subjects, and so the new SCCs redress this situation by allowing data subjects to enforce their rights against the data exporter and/or the data importer, as the data subject wishes.
For that purpose, the new SCCs provide for the liability of each party to the data subject, and for the data subject's entitlement to receive compensation for any material or non-material damages caused by the breach of the third-party beneficiary right. The data subject is entitled to bring an action in a court of law against any of the data exporter, data importer, or sub-processor and have the entire damage covered by any of them.
Therefore, the indemnification clause in the earlier draft of the new SCCs has been replaced with a 'contribution clause.' This clause reflects Article 82(5) of the GDPR, which provides that where a controller or processor has paid full compensation for damages suffered, that controller or processor shall be entitled to claim back from the others responsible the part of the compensation corresponding to their part of responsibility for the damage.
As per the last paragraph of Recital 12 of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021: 'In the event of a dispute between the data importer and a data subject who invokes his or her rights as a third-party beneficiary, the data subject should be able to lodge a complaint with the competent supervisory authority or refer the dispute to the competent courts in the EU.'
Data subjects in the Member States can start legal proceedings against the data exporter and/or data importer before the supervisory authority or courts of the Member State in which the data subject has his or her habitual residence.
Data subjects in non-Member States can start legal proceedings against the data exporter and/or data importer before the supervisory authority or courts of the Member State of the data exporter's and/or data importer's establishment or, if the data exporter and/or data importer do not have an establishment in the EU, before the supervisory authority or the courts of the Member State in which the representative within the meaning of Article 27(1) of the GDPR is established.
Third-party beneficiary rights and the doctrine of privity in common-law countries
Two points need to be made with regard to the interplay between third-party beneficiary rights and the doctrine of privity in common-law systems.
First, third-party beneficiary rights are intrinsically linked to the stipulations regarding the law governing the SCCs. According to the second paragraph of Recital 12 of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021: '(…) while the parties should be allowed to choose the law of one of the Member States as governing the standard contractual clauses, that law must allow for third-party beneficiary rights.'
Second, under traditional common law, the ius quaesitum tertio principle was not recognised. Instead, the common-law system relies on the doctrine of privity of contract, which restricts rights, obligations, and liabilities arising from a contract to the contracting parties only (said to be privy to the contract). In other words, according to the doctrine of privity of contract, only the parties to a contract can enforce it. However, the UK has significantly reformed the common-law doctrine of privity by introducing a number of allowances and exceptions for ius quaesitum tertio in English law.
Having said that, some commentators have asked whether companies will be prevented from choosing Irish law as the governing law of their SCCs, since Ireland is a common-law jurisdiction and, as such, depends on the doctrine of privity of contract.
Unlike the UK approach, Irish courts have backed up this doctrine over the years, although they have nevertheless declined to enforce it strictly and inflexibly, tending instead to apply case-by-case exceptions. In practice, the privity rules have been circumvented by way of assignment of contract, by collateral warranties, or by suing in tort (e.g. for negligence). The original Irish Data Protection Act 2018 (which gave effect to the GDPR in Ireland) intentionally excluded the doctrine of privity, although this explicit exclusion was dropped from the final text.
Nevertheless, this concern does not hold water today, for at least two reasons.
First, Irish law was amended on 24 June 2021, just a few days before the new SCCs came into effect, precisely for the purpose of allowing for third-party beneficiary rights in Irish data protection law. This removes an ambiguity that had arisen for companies adopting SCCs and Binding Corporate Rules under Irish law.
Second, Clause 9 of the old SCCs, which provided that 'The Clauses shall be governed by the law of the Member States in which the data exporter is established', was modified to include two options for modules one, two and three and one option for module four.
In a nutshell, under Clause 17 of the new SCCs, the governing law is either the law of one of the Member States as per the contracting parties' choice or the law of the Member State of the data exporter, provided that such law allows for third-party beneficiary rights. Therefore, the new SCCs, unlike the old version, no longer restrict the governing law of the SCCs to that of the data exporter, allowing the parties to the SCCs to make their choice as long as that choice is for the law of a Member State that allows for third-party beneficiary rights.
No flag raised under the old SCCs
As discussed above, Ireland reformed its legislation in this respect just a few days before the new SCCs came into effect. Why did nobody flag this issue under the old SCCs? This could be a reflection of the fact that most data subjects remained unaware of the existence of SCCs and of their rights stemming from them, let alone attempted to enforce their rights under them. Nevertheless, the legislator took a proactive approach, trying to address the issue at hand in the new version of the SCCs by providing for flexible options that would benefit the third-party beneficiaries.
As for English law, although it provides for third-party beneficiary rights, post-Brexit it cannot be chosen as the governing law for SCCs because the UK is no longer an EU Member State.
Companies must bear in mind that the use of the SCCs for transfers of data to non-EU recipients now forms part of a larger picture. Companies must clearly understand where personal data is being sent and accessed from, the roles of the receiving parties, and the requirement to assess the laws of the third countries and to understand whether any additional security or other contractual safeguards can mitigate gaps and risks to data subject rights stemming from the importing country's legislation. At the same time, data subjects in third countries can claim the rights conferred under the GDPR under the third-party beneficiary clause.
Petruta Pirvan IAPP Training Collaborator
Purpose and Means, Copenhagen