Standard contractual clauses for cross-border transfers of health data after <i>Schrems II</i>.
Journal of law and the biosciences
Oxford University Press (OUP)
MetadataShow full item record
Bradford, L., Aboy, M., & Liddell, K. (2021). Standard contractual clauses for cross-border transfers of health data after <i>Schrems II</i>.. Journal of law and the biosciences, 8 (1), lsab007. https://doi.org/10.1093/jlb/lsab007
Standard contractual clauses (SCCs) have long been considered the most accessible method to transfer personal data legally across borders. In July 2020, the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Schrems II) placed heavy conditions on their use. The Schrems II Court found that SCCs were valid as ‘appropriate safeguards’ for data transfers from EU entities to others outside the EU/EEA as long as unspecified ’supplementary measures’ were in place to compensate for the lack of data protection in the third country. Data protection officers are under intense pressure to explain these measures and allow routine transfers to continue. Some authorities interpret the decision as preventing the use of SCCs to transfer personal data outside of the EU because private contracts cannot comprehensively redress gaps in national law. This article argues that these authorities are mistaken and that notwithstanding Schrems II SCCs can still be useful instruments for cross-border transfers. This is especially true in highly regulated contexts such as medical research. This paper traces the history of SCCs under the General Data Protection Regulation (GDPR) and shows how the CJEU in Schrems II misunderstood the purpose of SCCs and other Article 46 GDPR “appropriate safeguards.” The CJEU mistakenly approached Article 46 safeguards such as SCCs as being similar to country-specific adequacy rulings under Article 45 GDPR. But unlike Article 45 adequacy rulings, SCCs were not intended to provide a stand-alone mechanism for transfer reliant on the law of the importing country. Rather SCCs provide an alternative, multi-layered standard for data protection that encompasses law, technology and organizational commitments. Their purpose is to be used in situations where legislation alone is insufficient to protect data subject rights. The European Commission’s new draft SCCs support this analysis.
Novo Nordisk Foundation for the scienti!cally independent Collaborative Research Program for Biomedical Innovation Law (grant NNF17SA0027784)
Novo Nordisk Foundation (via University of Copenhagen) (NNF17SA0027784)
External DOI: https://doi.org/10.1093/jlb/lsab007
This record's URL: https://www.repository.cam.ac.uk/handle/1810/324501
Attribution-NonCommercial-NoDerivatives 4.0 International
Licence URL: https://creativecommons.org/licenses/by-nc-nd/4.0/