Schrems II之后跨境转移卫生数据的标准合同条款。

IF 2.5 2区哲学 Q1 ETHICS

Journal of Law and the Biosciences Pub Date : 2021-06-21 eCollection Date: 2021-01-01 DOI:10.1093/jlb/lsab007

Laura Bradford, Mateo Aboy, Kathleen Liddell

{"title":"Schrems II之后跨境转移卫生数据的标准合同条款。","authors":"Laura Bradford, Mateo Aboy, Kathleen Liddell","doi":"10.1093/jlb/lsab007","DOIUrl":null,"url":null,"abstract":"Standard contractual clauses (SCCs) have long been considered the most accessible method to transfer personal data legally across borders. In July 2020, the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Schrems II) placed heavy conditions on their use. The Schrems II Court found that SCCs were valid as 'appropriate safeguards' for data transfers from EU entities to others outside the EU/EEA as long as unspecified 'supplementary measures' were in place to compensate for the lack of data protection in the third country. Data protection officers are under intense pressure to explain these measures and allow routine transfers to continue. Some authorities interpret the decision as preventing the use of SCCs to transfer personal data outside of the EU because private contracts cannot comprehensively redress gaps in national law. This article argues that these authorities are mistaken and that notwithstanding Schrems II SCCs can still be useful instruments for cross-border transfers. This is especially true in highly regulated contexts such as medical research. This paper traces the history of SCCs under the General Data Protection Regulation (GDPR) and shows how the CJEU in Schrems II misunderstood the purpose of SCCs and other Article 46 GDPR 'appropriate safeguards'. The CJEU mistakenly approached Article 46 safeguards such as SCCs as being similar to country-specific adequacy rulings under Article 45 GDPR. But unlike Article 45 adequacy rulings, SCCs were not intended to provide a stand-alone mechanism for transfer reliant on the law of the importing country. Rather SCCs provide an alternative, multi-layered standard for data protection that encompasses law, technology and organizational commitments. Their purpose is to be used in situations where legislation alone is insufficient to protect data subject rights. The European Commission's new draft SCCs support this analysis.","PeriodicalId":56266,"journal":{"name":"Journal of Law and the Biosciences","volume":"8 1","pages":"lsab007"},"PeriodicalIF":2.5000,"publicationDate":"2021-06-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://ftp.ncbi.nlm.nih.gov/pub/pmc/oa_pdf/11/4d/lsab007.PMC8216070.pdf","citationCount":"4","resultStr":"{\"title\":\"Standard contractual clauses for cross-border transfers of health data after Schrems II.\",\"authors\":\"Laura Bradford, Mateo Aboy, Kathleen Liddell\",\"doi\":\"10.1093/jlb/lsab007\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Standard contractual clauses (SCCs) have long been considered the most accessible method to transfer personal data legally across borders. In July 2020, the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Schrems II) placed heavy conditions on their use. The Schrems II Court found that SCCs were valid as 'appropriate safeguards' for data transfers from EU entities to others outside the EU/EEA as long as unspecified 'supplementary measures' were in place to compensate for the lack of data protection in the third country. Data protection officers are under intense pressure to explain these measures and allow routine transfers to continue. Some authorities interpret the decision as preventing the use of SCCs to transfer personal data outside of the EU because private contracts cannot comprehensively redress gaps in national law. This article argues that these authorities are mistaken and that notwithstanding Schrems II SCCs can still be useful instruments for cross-border transfers. This is especially true in highly regulated contexts such as medical research. This paper traces the history of SCCs under the General Data Protection Regulation (GDPR) and shows how the CJEU in Schrems II misunderstood the purpose of SCCs and other Article 46 GDPR 'appropriate safeguards'. The CJEU mistakenly approached Article 46 safeguards such as SCCs as being similar to country-specific adequacy rulings under Article 45 GDPR. But unlike Article 45 adequacy rulings, SCCs were not intended to provide a stand-alone mechanism for transfer reliant on the law of the importing country. Rather SCCs provide an alternative, multi-layered standard for data protection that encompasses law, technology and organizational commitments. Their purpose is to be used in situations where legislation alone is insufficient to protect data subject rights. The European Commission's new draft SCCs support this analysis.\",\"PeriodicalId\":56266,\"journal\":{\"name\":\"Journal of Law and the Biosciences\",\"volume\":\"8 1\",\"pages\":\"lsab007\"},\"PeriodicalIF\":2.5000,\"publicationDate\":\"2021-06-21\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"https://ftp.ncbi.nlm.nih.gov/pub/pmc/oa_pdf/11/4d/lsab007.PMC8216070.pdf\",\"citationCount\":\"4\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Journal of Law and the Biosciences\",\"FirstCategoryId\":\"3\",\"ListUrlMain\":\"https://doi.org/10.1093/jlb/lsab007\",\"RegionNum\":2,\"RegionCategory\":\"哲学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"2021/1/1 0:00:00\",\"PubModel\":\"eCollection\",\"JCR\":\"Q1\",\"JCRName\":\"ETHICS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Law and the Biosciences","FirstCategoryId":"3","ListUrlMain":"https://doi.org/10.1093/jlb/lsab007","RegionNum":2,"RegionCategory":"哲学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"2021/1/1 0:00:00","PubModel":"eCollection","JCR":"Q1","JCRName":"ETHICS","Score":null,"Total":0}

引用次数: 4

摘要

标准合同条款(SCCs)长期以来一直被认为是最容易获得的合法跨境传输个人数据的方法。2020年7月，欧盟法院(CJEU)在数据保护专员诉Facebook爱尔兰有限公司一案中，maximilian Schrems (Schrems II)对其使用设置了严格的条件。Schrems II法院发现，SCCs作为从欧盟实体到欧盟/欧洲经济区以外的其他实体的数据传输的“适当保障”是有效的，只要未指明的“补充措施”到位，以弥补第三国缺乏数据保护。数据保护官员承受着巨大的压力，要求他们解释这些措施，并允许日常的数据转移继续进行。一些当局将这一决定解释为阻止使用scc将个人数据转移到欧盟以外，因为私人合同无法全面弥补国家法律的空白。本文认为这些当局是错误的，尽管施雷姆斯II SCCs仍然可以成为跨境转移的有用工具。在医学研究等高度管制的环境中尤其如此。本文追溯了通用数据保护条例(GDPR)下scc的历史，并展示了CJEU在Schrems II中如何误解scc和其他第46条GDPR“适当保障”的目的。欧洲法院错误地将第46条的保障措施(如scc)视为类似于第45条GDPR下针对特定国家的充分性裁决。但与第45条充分性裁决不同的是，scc并不打算提供一种依赖进口国法律的独立转让机制。相反，scc为数据保护提供了另一种多层标准，包括法律、技术和组织承诺。其目的是在仅靠立法不足以保护数据主体权利的情况下使用。欧盟委员会的新SCCs草案支持这一分析。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Standard contractual clauses for cross-border transfers of health data after Schrems II.

Standard contractual clauses (SCCs) have long been considered the most accessible method to transfer personal data legally across borders. In July 2020, the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Schrems II) placed heavy conditions on their use. The Schrems II Court found that SCCs were valid as 'appropriate safeguards' for data transfers from EU entities to others outside the EU/EEA as long as unspecified 'supplementary measures' were in place to compensate for the lack of data protection in the third country. Data protection officers are under intense pressure to explain these measures and allow routine transfers to continue. Some authorities interpret the decision as preventing the use of SCCs to transfer personal data outside of the EU because private contracts cannot comprehensively redress gaps in national law. This article argues that these authorities are mistaken and that notwithstanding Schrems II SCCs can still be useful instruments for cross-border transfers. This is especially true in highly regulated contexts such as medical research. This paper traces the history of SCCs under the General Data Protection Regulation (GDPR) and shows how the CJEU in Schrems II misunderstood the purpose of SCCs and other Article 46 GDPR 'appropriate safeguards'. The CJEU mistakenly approached Article 46 safeguards such as SCCs as being similar to country-specific adequacy rulings under Article 45 GDPR. But unlike Article 45 adequacy rulings, SCCs were not intended to provide a stand-alone mechanism for transfer reliant on the law of the importing country. Rather SCCs provide an alternative, multi-layered standard for data protection that encompasses law, technology and organizational commitments. Their purpose is to be used in situations where legislation alone is insufficient to protect data subject rights. The European Commission's new draft SCCs support this analysis.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Journal of Law and the Biosciences Medicine-Medicine (miscellaneous)

CiteScore

7.40

自引率

5.90%

发文量

审稿时长

13 weeks

期刊介绍： The Journal of Law and the Biosciences (JLB) is the first fully Open Access peer-reviewed legal journal focused on the advances at the intersection of law and the biosciences. A co-venture between Duke University, Harvard University Law School, and Stanford University, and published by Oxford University Press, this open access, online, and interdisciplinary academic journal publishes cutting-edge scholarship in this important new field. The Journal contains original and response articles, essays, and commentaries on a wide range of topics, including bioethics, neuroethics, genetics, reproductive technologies, stem cells, enhancement, patent law, and food and drug regulation. JLB is published as one volume with three issues per year with new articles posted online on an ongoing basis.