Can Irish law be used to govern the new standard contractual clauses ("SCCs") proposed by the European Commission?
Many US and wider international conglomerates have their EU headquarters in Ireland, and rely on SCCs for their global personal data exports from the EU. In doing so, their SCCs are typically governed by Irish law (because the current SCCs provide that they must be governed by the law of the country in which the data exporter – in this case, the Irish HQ – is established). However, under the Commission's draft new SCCs, using Irish law to govern the SCC may no longer be possible.
The issue arises due to the treatment (or, rather, the lack) of third party beneficiary rights under Irish law. Both the current and the draft new SCCs endeavour to provide third party beneficiary rights for data subjects – so that, if the data exporter or data importer is in breach of the SCCs, the data subject can enforce its rights against the appropriate entity. Without that, the data subject risks being left without recourse if his or her data is exported in breach of the SCC's requirements.
What are third party beneficiary rights?
In simple terms, third party beneficiary rights are the right for someone who is not a party to a contract (say, a data subject) to enforce provisions expressed or intended for his or her benefit against the parties to the contract (say, a data exporter or data importer under the SCCs). SCCs are, of course, only entered into between the data exporter and the data importer; no data subjects are parties – and so, for data subjects to enforce their rights under the SCCs, they need to rely on third party beneficiary rights.
However, third party beneficiary rights do not generally exist under Irish law. Instead, under Irish law, the principle of "privity of contract" prevails. This means that only the parties who directly agreed` a contract can enforce it. (Note that there are exceptions allowing non-parties to enforce a contract in certain limited contexts, such as a principal exercising its rights under a contract entered into by the principal's agent on behalf of the principal, but trying to apply those in the context of SCCs would be cumbersome and artificial, and not really reflective of the data exporter/data subject relationship.)
What does this all have to do with choosing Irish law as the governing law for the new SCCs?
The draft new SCCs give third party beneficiary rights to data subjects (against both data exporter and data importer) under many of its terms. This isn't particularly new – as noted above, the current SCCs do this too. What is new, though, is that the draft new SCCs say that they must be governed by the laws of a Member State that provides for third party beneficiary rights.
Specifically, the governing law clause of the draft new SCCs says (emphasis added):
"[OPTION 1: These Clauses shall be governed by the law of one of the Member States of the European Union, provided such law allows for third party beneficiary rights. The Parties agree that this shall be the law of _______ (specify Member State).]
[OPTION 2 (for Module Two and Three): These Clauses shall be governed by the law of the Member State of the European Union where the data exporter is established. Where such law does not allow for third party beneficiary rights, they shall be governed by the law of another Member State of the European Union that allows for third party beneficiary rights. The Parties agree that this shall be the law of _______ (specify Member State).]"
And now you can see the problem: Irish law does not generally provide for third party beneficiary rights; ergo, on the face of the draft new SCCs, Irish law cannot be used to govern the new SCCs. English law does provide for third party beneficiary rights but, of course, post-Brexit it can't be chosen as the governing law for SCCs because the UK is no longer an EU Member State.
Why hasn't this been a problem before?
As noted above, the current SCCs do already provide for third party beneficiary rights in favour of data subjects. What they don't do is to restrict the governing law that can be used (for example, by specifying that the governing law must recognise third party beneficiary rights), beyond requiring that the governing law must be that of the data exporter's Member State. So, in principle, Irish law can be used for the current SCCs – just not the future SCCs (at least as they are currently drafted).
Of course, if a data subject tried to exercise his or her third party beneficiary rights under current SCCs that are governed by Irish law they could run into difficulty. The fact that no one has raised this issue previously likely simply reflects the reality that most data subjects remain unaware of the existence of SCCs, and even fewer have ever tried to enforce their rights under them. But maybe the drafters of the new SCCs had recognised and tried to address the issue by restricting what law can be used to govern them.
Ultimately, this all suggests that unless Ireland changes its laws to clearly allow third party beneficiary rights in favour of data subjects under SCCs, or the European Commission rewords this governing law provision, Irish data exporting companies may end up having to specify another EU Member State's laws to govern their SCCs - such as Belgium, France, Germany, etc... In fact, anywhere in the EU other than Ireland!
Whether, and how, the Irish government, European Commission, and Irish DPC will respond to this issue remains to be seen.
Sign up to our email digest