Cargando…
Standard contractual clauses for cross-border transfers of health data after Schrems II
Standard contractual clauses (SCCs) have long been considered the most accessible method to transfer personal data legally across borders. In July 2020, the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Schrems II) plac...
| Autores principales: | , , |
|---|---|
| Formato: | Online Artículo Texto |
| Lenguaje: | English |
| Publicado: |
Oxford University Press
2021
|
| Materias: | |
| Acceso en línea: | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8216070/ https://www.ncbi.nlm.nih.gov/pubmed/34164131 http://dx.doi.org/10.1093/jlb/lsab007 |
| _version_ | 1783710349130727424 |
|---|---|
| author | Bradford, Laura Aboy, Mateo Liddell, Kathleen |
| author_facet | Bradford, Laura Aboy, Mateo Liddell, Kathleen |
| author_sort | Bradford, Laura |
| collection | PubMed |
| description | Standard contractual clauses (SCCs) have long been considered the most accessible method to transfer personal data legally across borders. In July 2020, the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Schrems II) placed heavy conditions on their use. The Schrems II Court found that SCCs were valid as ‘appropriate safeguards’ for data transfers from EU entities to others outside the EU/EEA as long as unspecified ‘supplementary measures’ were in place to compensate for the lack of data protection in the third country. Data protection officers are under intense pressure to explain these measures and allow routine transfers to continue. Some authorities interpret the decision as preventing the use of SCCs to transfer personal data outside of the EU because private contracts cannot comprehensively redress gaps in national law. This article argues that these authorities are mistaken and that notwithstanding Schrems II SCCs can still be useful instruments for cross-border transfers. This is especially true in highly regulated contexts such as medical research. This paper traces the history of SCCs under the General Data Protection Regulation (GDPR) and shows how the CJEU in Schrems II misunderstood the purpose of SCCs and other Article 46 GDPR ‘appropriate safeguards’. The CJEU mistakenly approached Article 46 safeguards such as SCCs as being similar to country-specific adequacy rulings under Article 45 GDPR. But unlike Article 45 adequacy rulings, SCCs were not intended to provide a stand-alone mechanism for transfer reliant on the law of the importing country. Rather SCCs provide an alternative, multi-layered standard for data protection that encompasses law, technology and organizational commitments. Their purpose is to be used in situations where legislation alone is insufficient to protect data subject rights. The European Commission’s new draft SCCs support this analysis. |
| format | Online Article Text |
| id | pubmed-8216070 |
| institution | National Center for Biotechnology Information |
| language | English |
| publishDate | 2021 |
| publisher | Oxford University Press |
| record_format | MEDLINE/PubMed |
| spelling | pubmed-82160702021-06-22 Standard contractual clauses for cross-border transfers of health data after Schrems II Bradford, Laura Aboy, Mateo Liddell, Kathleen J Law Biosci Original Article Standard contractual clauses (SCCs) have long been considered the most accessible method to transfer personal data legally across borders. In July 2020, the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Schrems II) placed heavy conditions on their use. The Schrems II Court found that SCCs were valid as ‘appropriate safeguards’ for data transfers from EU entities to others outside the EU/EEA as long as unspecified ‘supplementary measures’ were in place to compensate for the lack of data protection in the third country. Data protection officers are under intense pressure to explain these measures and allow routine transfers to continue. Some authorities interpret the decision as preventing the use of SCCs to transfer personal data outside of the EU because private contracts cannot comprehensively redress gaps in national law. This article argues that these authorities are mistaken and that notwithstanding Schrems II SCCs can still be useful instruments for cross-border transfers. This is especially true in highly regulated contexts such as medical research. This paper traces the history of SCCs under the General Data Protection Regulation (GDPR) and shows how the CJEU in Schrems II misunderstood the purpose of SCCs and other Article 46 GDPR ‘appropriate safeguards’. The CJEU mistakenly approached Article 46 safeguards such as SCCs as being similar to country-specific adequacy rulings under Article 45 GDPR. But unlike Article 45 adequacy rulings, SCCs were not intended to provide a stand-alone mechanism for transfer reliant on the law of the importing country. Rather SCCs provide an alternative, multi-layered standard for data protection that encompasses law, technology and organizational commitments. Their purpose is to be used in situations where legislation alone is insufficient to protect data subject rights. The European Commission’s new draft SCCs support this analysis. Oxford University Press 2021-06-21 /pmc/articles/PMC8216070/ /pubmed/34164131 http://dx.doi.org/10.1093/jlb/lsab007 Text en © The Author(s) 2021. Published by Oxford University Press on behalf of Duke University School of Law, Harvard Law School, Oxford University Press, and Stanford Law School. https://creativecommons.org/licenses/by-nc-nd/4.0/This is an Open Access article distributed under the terms of the Creative Commons Attribution NonCommercial-NoDerivs licence (http://creativecommons.org/licenses/by-nc-nd/4.0/ (https://creativecommons.org/licenses/by-nc-nd/4.0/) ), which permits non-commercial reproduction and distribution of the work, in any medium, provided the original work is not altered or transformed in any way, and that the work properly cited. For commercial re-use, please contact journals.permissions@oup.com |
| spellingShingle | Original Article Bradford, Laura Aboy, Mateo Liddell, Kathleen Standard contractual clauses for cross-border transfers of health data after Schrems II |
| title | Standard contractual clauses for cross-border transfers of health data after Schrems II |
| title_full | Standard contractual clauses for cross-border transfers of health data after Schrems II |
| title_fullStr | Standard contractual clauses for cross-border transfers of health data after Schrems II |
| title_full_unstemmed | Standard contractual clauses for cross-border transfers of health data after Schrems II |
| title_short | Standard contractual clauses for cross-border transfers of health data after Schrems II |
| title_sort | standard contractual clauses for cross-border transfers of health data after schrems ii |
| topic | Original Article |
| url | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8216070/ https://www.ncbi.nlm.nih.gov/pubmed/34164131 http://dx.doi.org/10.1093/jlb/lsab007 |
| work_keys_str_mv | AT bradfordlaura standardcontractualclausesforcrossbordertransfersofhealthdataafterschremsii AT aboymateo standardcontractualclausesforcrossbordertransfersofhealthdataafterschremsii AT liddellkathleen standardcontractualclausesforcrossbordertransfersofhealthdataafterschremsii |