The new standard contractual clauses (“SCCs“) issued by the European Commission (see our prior blog post here) continue to prove controversial. Among other things, the SCCs require that the law of the European Union (“EU“) Member State underpinning them provides third-party beneficiary rights. Most EU Member States are civil law jurisdictions that already provide such rights. Ireland, however, is a common law jurisdiction like the U.S. and the UK, and as such, depends largely on evolving case law to define the scope of various rights and obligations.
Consequently, some commentators have raised questions about whether Irish law adequately protects third-party beneficiaries, since Ireland still retains the doctrine of privity of contract, a concept with effectively holds that only parties to a contract can enforce it. That said, Irish courts have gradually pared back this doctrine over the years, declining to enforce it strictly and tending instead to take a broader, more equitable view that allows for exceptions. In particular, Irish courts have deferred to the legislature where it has introduced laws that explicitly include third-party rights. Indeed, the original Irish data protection legislation served as a case in point, as it intentionally excluded the doctrine of privity, although this explicit exclusion was dropped from the final text of the Data Protection Act 2018.
While there are other grounds upon which an Irish court could nevertheless uphold third-party rights under data protection law, there remains some uncertainty over how the new SCCs would protect third-party beneficiaries under Irish law in the same manner as the civil law systems of other European countries. Perception of a problem can itself be a problem.
The Irish Department of Justice has indicated that it is in the process of addressing this uncertainty by amending legislation to the Data Protection Act 2018. They are working on a final draft for this amendment and intend to have it in place soon, before the new SCCs become operable. Once such an amendment is finalized, Irish law will then will then explicitly offer specific protections for third-party beneficiaries of an international data transfer made pursuant to the new SCCs.
* * * * * * * * * * *
UPDATE: June 25, 2021
New Irish law was signed on June 24, 2021, to allow for third-party beneficiary rights in Irish data protection law. This removes an ambiguity that had arisen for companies adopting the EC Standard Contractual Clauses and Binding Corporate Rules under Irish law.