{"title":"Standard contractual clauses for cross-border transfers of health data after <i>Schrems II</i>.","authors":"Laura Bradford, Mateo Aboy, Kathleen Liddell","doi":"10.1093/jlb/lsab007","DOIUrl":null,"url":null,"abstract":"<p><p>Standard contractual clauses (SCCs) have long been considered the most accessible method to transfer personal data legally across borders. In July 2020, the Court of Justice of the European Union (CJEU) in <i>Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems</i> (<i>Schrems II</i>) placed heavy conditions on their use. The <i>Schrems II</i> Court found that SCCs were valid as 'appropriate safeguards' for data transfers from EU entities to others outside the EU/EEA as long as unspecified 'supplementary measures' were in place to compensate for the lack of data protection in the third country. Data protection officers are under intense pressure to explain these measures and allow routine transfers to continue. Some authorities interpret the decision as preventing the use of SCCs to transfer personal data outside of the EU because private contracts cannot comprehensively redress gaps in national law. This article argues that these authorities are mistaken and that notwithstanding <i>Schrems II</i> SCCs can still be useful instruments for cross-border transfers. This is especially true in highly regulated contexts such as medical research. This paper traces the history of SCCs under the General Data Protection Regulation (GDPR) and shows how the CJEU in <i>Schrems II</i> misunderstood the purpose of SCCs and other Article 46 GDPR 'appropriate safeguards'. The CJEU mistakenly approached Article 46 safeguards such as SCCs as being similar to country-specific adequacy rulings under Article 45 GDPR. But unlike Article 45 adequacy rulings, SCCs were not intended to provide a stand-alone mechanism for transfer reliant on the law of the importing country. Rather SCCs provide an alternative, multi-layered standard for data protection that encompasses law, technology and organizational commitments. Their purpose is to be used in situations where legislation alone is insufficient to protect data subject rights. The European Commission's new draft SCCs support this analysis.</p>","PeriodicalId":56266,"journal":{"name":"Journal of Law and the Biosciences","volume":"8 1","pages":"lsab007"},"PeriodicalIF":2.5000,"publicationDate":"2021-06-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://ftp.ncbi.nlm.nih.gov/pub/pmc/oa_pdf/11/4d/lsab007.PMC8216070.pdf","citationCount":"4","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Law and the Biosciences","FirstCategoryId":"3","ListUrlMain":"https://doi.org/10.1093/jlb/lsab007","RegionNum":2,"RegionCategory":"哲学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"2021/1/1 0:00:00","PubModel":"eCollection","JCR":"Q1","JCRName":"ETHICS","Score":null,"Total":0}
引用次数: 4
Abstract
Standard contractual clauses (SCCs) have long been considered the most accessible method to transfer personal data legally across borders. In July 2020, the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Schrems II) placed heavy conditions on their use. The Schrems II Court found that SCCs were valid as 'appropriate safeguards' for data transfers from EU entities to others outside the EU/EEA as long as unspecified 'supplementary measures' were in place to compensate for the lack of data protection in the third country. Data protection officers are under intense pressure to explain these measures and allow routine transfers to continue. Some authorities interpret the decision as preventing the use of SCCs to transfer personal data outside of the EU because private contracts cannot comprehensively redress gaps in national law. This article argues that these authorities are mistaken and that notwithstanding Schrems II SCCs can still be useful instruments for cross-border transfers. This is especially true in highly regulated contexts such as medical research. This paper traces the history of SCCs under the General Data Protection Regulation (GDPR) and shows how the CJEU in Schrems II misunderstood the purpose of SCCs and other Article 46 GDPR 'appropriate safeguards'. The CJEU mistakenly approached Article 46 safeguards such as SCCs as being similar to country-specific adequacy rulings under Article 45 GDPR. But unlike Article 45 adequacy rulings, SCCs were not intended to provide a stand-alone mechanism for transfer reliant on the law of the importing country. Rather SCCs provide an alternative, multi-layered standard for data protection that encompasses law, technology and organizational commitments. Their purpose is to be used in situations where legislation alone is insufficient to protect data subject rights. The European Commission's new draft SCCs support this analysis.
期刊介绍:
The Journal of Law and the Biosciences (JLB) is the first fully Open Access peer-reviewed legal journal focused on the advances at the intersection of law and the biosciences. A co-venture between Duke University, Harvard University Law School, and Stanford University, and published by Oxford University Press, this open access, online, and interdisciplinary academic journal publishes cutting-edge scholarship in this important new field. The Journal contains original and response articles, essays, and commentaries on a wide range of topics, including bioethics, neuroethics, genetics, reproductive technologies, stem cells, enhancement, patent law, and food and drug regulation. JLB is published as one volume with three issues per year with new articles posted online on an ongoing basis.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
