30 Nov 2021
Written by: Tatiana Soteriou
Third-party beneficiary Rights
On 4 June 2021, the European Commission (EC) has adopted the new International Standard Contractual Clauses (SCCs) for international transfers which became effective as of 27 June 2021. These new SCCs are giving the option to parties who make international transfers of personal data to choose for themselves which EU Member State law will govern their SCCs, provided that the Member State’s laws allow for third-party beneficiary rights (Clause 17 of the new SCC). Therefore, if a Member State’s laws do not allow for third-party beneficiary rights, then the SCCs would have to be governed by the law of another Member State that recognises third party beneficiary rights.
The issue with Cyprus Contract Law
Under Cyprus contract law third party beneficiary rights are not allowed as the privity of contract doctrine still prevails with certain exceptions and particularly when a contract is concluded by a third party’s agent or in cases of assignment of contract or in cases of insurance claims. Hence, a third party who has suffered loss from the breach of contract has no right under Cyprus law for a claim based on that contract and thus is not allowed to seek remedy. A specific legislative instrument has not been adopted in the Cypriot legal system to provide for third party beneficiary rights for data subjects and therefore, controllers in Cyprus (or elsewhere) are justifiably concerned that they would not be able to choose Cyprus law to govern their data transfers under the new SCCs. As a result of this issue, companies will be refrained from using Cyprus Law to govern their SCCs, and if a data subjects attempt to exercise his or her third-party beneficiary rights under current SCCs that are governed by Cyprus law they will run into difficulty.
Ultimately, this all suggests that unless Cyprus changes its laws to clearly allow third party beneficiary rights in favour of data subjects under SCCs, or the European Commission rewords this governing law provision, Cyprus data exporting companies may end up having to specify another EU Member State's laws to govern their SCCs.
Irish Legislative Amendment
The Irish government has moved swiftly to plug a similar gap in protection under Irish data protection law that had raised doubts about whether Irish law was fit for purpose as a governing law under EU approved standard contractual clauses (SCCs). A new Statutory Instrument came into force on the 24th of June—just days before the SCCs became effective- which amended the Irish Data Protection Act 2018 (the DPA) by providing third party beneficiary rights for data subjects under SCCs (including the old SCCs), as well as BCRs (binding corporate rules).
Prospective amendment of Cyprus Law
This legal gap between SCCs and Cyprus Contract Law, has not gone unnoticed from the office of the Commissioner for Personal Data Protection in Cyprus and an amendment of the Cyprus Contract Law and/or Processing of Personal Data and for the Free Movement of such Data of 2018 (Law 125(I)/2018) is forthcoming.