Repository logo
 

Standard contractual clauses for cross-border transfers of health data after Schrems II.

Published version
Peer-reviewed

Type

Article

Change log

Authors

Bradford, Laura 
Aboy, Mateo 
Liddell, Kathleen 

Abstract

Standard contractual clauses (SCCs) have long been considered the most accessible method to transfer personal data legally across borders. In July 2020, the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Schrems II) placed heavy conditions on their use. The Schrems II Court found that SCCs were valid as 'appropriate safeguards' for data transfers from EU entities to others outside the EU/EEA as long as unspecified 'supplementary measures' were in place to compensate for the lack of data protection in the third country. Data protection officers are under intense pressure to explain these measures and allow routine transfers to continue. Some authorities interpret the decision as preventing the use of SCCs to transfer personal data outside of the EU because private contracts cannot comprehensively redress gaps in national law. This article argues that these authorities are mistaken and that notwithstanding Schrems II SCCs can still be useful instruments for cross-border transfers. This is especially true in highly regulated contexts such as medical research. This paper traces the history of SCCs under the General Data Protection Regulation (GDPR) and shows how the CJEU in Schrems II misunderstood the purpose of SCCs and other Article 46 GDPR 'appropriate safeguards'. The CJEU mistakenly approached Article 46 safeguards such as SCCs as being similar to country-specific adequacy rulings under Article 45 GDPR. But unlike Article 45 adequacy rulings, SCCs were not intended to provide a stand-alone mechanism for transfer reliant on the law of the importing country. Rather SCCs provide an alternative, multi-layered standard for data protection that encompasses law, technology and organizational commitments. Their purpose is to be used in situations where legislation alone is insufficient to protect data subject rights. The European Commission's new draft SCCs support this analysis.

Description

Keywords

EU-US Privacy Shield, GDPR, appropriate safeguards, cross-border transfers, health data, medical research, privacy and data protection, standard contractual clauses

Journal Title

J Law Biosci

Conference Name

Journal ISSN

2053-9711
2053-9711

Volume Title

8

Publisher

Oxford University Press (OUP)
Sponsorship
Novo Nordisk Foundation (via University of Copenhagen) (NNF17SA0027784)
Novo Nordisk Foundation for the scienti!cally independent Collaborative Research Program for Biomedical Innovation Law (grant NNF17SA0027784)