While there are other reasons why an Irish court could nevertheless enforce the rights of third parties under the Data Protection Act, there is still some uncertainty as to how the new CSCs would protect third party beneficiaries under Irish law in the same way as civil justice systems in other European countries. The perception of a problem can itself be a problem. The European Commission`s (EC) International Standard Contractual Clauses (SCCs), which we have already discussed here, contain extensive rights of third party beneficiaries. The European Commission`s decision clarified that with these new CISs, the parties can decide for themselves, for international transfers, which law of the EU Member States applies to their CBAs, provided that the law of the Member State allows third party beneficiaries. If the law of one Member State does not allow the rights of third party beneficiaries, CBCs should be governed by the law of another Member State recognising the rights of third party beneficiaries. As far as English law is concerned, although it provides rights for third party beneficiaries, it cannot be chosen as the law applicable to CBAs after Brexit, as the UK is no longer an EU Member State. As a result, there will be a lot of uncertainty as to when the new CBAs will actually be needed, especially for intra-group data transfers, but also in other transfer scenarios. In-depth examinations of the applicability of the GDPR to data recipients from third countries should in future be part of the definition of the appropriate (contractual) data transfer regime. Flows of personal data that are currently processed or intended to be processed after their transfer to a third country or to an international organisation are only permitted if enforceable rights and remedies of data subjects are available against data subjects. Following the now well-known decision of the Court of Justice of the European Union, Schrems II, which repealed the Privacy Shield, the European Commission has adopted new standard contractual clauses that can serve as a basis for the transfer of personal data to third countries. They entered into force on 27 June 2021. To this end, the new CLAs provide for the liability of each party towards the data subject and the right of the data subject to compensation for all material or immaterial damage caused by the violation of the right of the third party beneficiary. The data subject has the right to take legal action against any data exporter, data importer or sub-processor and to cover all damages caused by any of these data.
In its decision to repeal the Privacy Shield, the Court underlined (inter alia) the importance of respect for the rule of law and the possibility of access to remedies for individuals in such a third country, which led the European Data Protection Board to make comprehensive recommendations on how bodies transferring data to third countries should ensure their security. The recommendations of the European Data Protection Board are exceptionally detailed and extremely (too?) strict for those who transfer data to third countries. In light of the judgment and recommendations, the “old” standard contractual clauses proved to be inappropriate, leading to the adoption of new clauses by the European Commission on 4 June 2021. Companies need to consider many aspects of the new CBAs. The flexibilities and complexities involved must be taken into account in the matrix of other recent developments affecting cross-border data transfers, including: the case law of the Court of Justice of the European Union on the extraterritorial application of the GDPR; the adoption of new data protection laws in third countries such as India, Brazil, China and Australia; Brexit and the ICO decision on the new British SCCs, coupled with the Schrems II judgment; and, last but not least, the current activities of Member States` supervisory authorities to investigate and enforce compliance with data transfers. As previously reported, Ireland reformed its legislation in this regard only a few days before the entry into force of the new CLAs. Why has no one marked this problem among the old CCTs? This could be due to the fact that most of the persons concerned were not aware of the existence of the CLAs and the rights resulting from them, let alone that they were trying to enforce their rights under them. Nevertheless, the legislator took a proactive approach to addressing the problem posed in the new version of the CLAs by providing flexible options that would benefit third-party beneficiaries.
As a result, some commentators have raised the question of whether Irish law adequately protects third party beneficiaries, given that Ireland still maintains the doctrine of contract confidentiality, a concept that effectively assumes that only the parties to a contract can apply it. However, the Irish courts have gradually withdrawn this doctrine over the years, refusing to apply it strictly and instead tending to adopt a broader and fairer view that allows for exceptions. In particular, Irish courts have turned to the legislator, where it has introduced laws that explicitly incorporate the rights of third parties. In fact, the original Irish data protection legislation served as a typical example, as it deliberately excluded the privacy doctrine, although this explicit exclusion was removed from the final text of the Data Protection Act 2018. First, the Irish law was amended on 24 June 2021, just a few days before the entry into force of the new CBAs, precisely to allow third party beneficiaries to benefit from the rights in the Irish Data Protection Act. This removes an ambiguity that had arisen for companies introducing CLAs and binding corporate rules under Irish law. .