As Malta is an EU Member State, EU data protection laws, including the General Data Protection Regulation (2016/679 – “GDPR”), apply in Malta. Under these laws, personal data transfers within the EU can occur without any additional safeguards.
With regard to personal data transfers to third countries, the EU Commission is vested with proposing and (following an opinion from the EU Data Protection Board and an approval process by representatives of EU countries) adopting so-called “adequacy decisions”. An adequacy decision is a formal decision made by the EU which recognises that a third country provides a level of protection for personal data equivalent to that of the EU.
The legal effect of an “adequacy decision” is that personal data can be transferred from the EU to such “adequate countries” without any further safeguards being necessary, as is the case for intra-EU transfers.
To date, Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay have been deemed “adequate third countries” by the EC. The procedure for the adoption of an adequacy decision with respect to South Korea is currently underway, while adequacy decisions with regard to the UK have recently been adopted, addressing concerns regarding the continued free movement of personal data following Brexit.
With regard to all other third countries (most notably, the USA), personal data transfers are not permitted under the GDPR unless (i) a derogation for a specific situation applies under the GDPR or (ii) the transfer is made subject to appropriate safeguards specifically recognized by the GDPR, which include Binding Corporate Rules, Approved Codes of Conduct, Certification Mechanisms, and Standard Contractual Clauses (the “SCCs”).
The aim of such safeguards is essentially to ensure that the high level of data protection afforded within the EU is not undermined by the cross-border transfer to a third country.
The Standard Contractual Clauses
In practice, the SCCs tend to be the third country personal data transfer safeguard that is most often used to legitimize such transfers.
SCCs are a template contract issued by the EC which, essentially, imposes obligations on the data importer (located in a third country) to treat the transferred personal data in accordance with certain principles derived from EU data protection law. The SCCs are therefore a legal tool which legitimizes the transfer of data and which aims to ensure that data protection is not undermined as a result of a transfer, by means of a template contract, in other words, through the imposition of standard contractual obligations.
Typically, SCCs tend to be implemented as annexes to principal agreements dedicated to commercial matters or a service or supply relationship.
Before the SCCs’ recent update, the SCCs used to be a static template contract. However, following the issuance of the new version of the SCCs (EC final decision 4 June 2021), they are nowadays a modular template and no longer a static template contract.
This new modular approach to the SCCs requires users to choose, from the template clauses provided, the clause deemed most applicable to their situation. This includes choosing the clause they deem most relevant for specifying the law governing the SCCs.
Governing Law and Third Party Beneficiary Rights
Clause 17 of the SCCs, that is the clause which requires designation of the law governing the SCCs, presents the following choices:
MODULE ONE: Transfer controller to controller
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
[OPTION 1: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of _______ (specify Member State).]
[OPTION 2 (for Modules Two and Three): These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of _______ (specify Member State).]
MODULE FOUR: Transfer processor to controller
These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of _______ (specify country).
All available options effectively require that the law of a country which recognizes third party beneficiary rights is selected and designated as the governing law for the SCCs.
Third party beneficiary rights are essentially the rights to enforcement and compensation held by a party (in this case, a data subject) who would hold the right to sue on the basis of a contract (in this case, the SCCs), despite not being a party to the contract. This is because the third party is the intended beneficiary of the contract’s data protection safeguards sought.
As such, the need to designate as the governing law of the SCCs the law of a country which recognizes third party beneficiary rights also needs to be seen in light of Clause 3 of the new SCCs, whereby the data subjects are granted the right to enforce the majority of the provisions of the SCCs as third parties.
Why is this an Issue?
The requirement to designate, as governing law of the SCCs, a governing law which recognizes the application of third party beneficiary rights effectively conflicts with Maltese legal principles.
Under Maltese law, contracts are presumed to bind and be enforced only by the parties thereto, with third party beneficiary rights only recognized in very limited and specified circumstances (such as in life insurance).
It would also appear that the circumstances covered by Article 1000 of Malta’s Civil Code (Chapter 16 of the Laws of Malta), which deals with when a person may stipulate for the benefit of a third party, would not apply in the context of SCCs.
Effectively, this means that at present, designating Maltese law as the governing law of SCCs could be legally problematic and potentially risky.
Malta appears not to be the only Member State that does not generally allow for the concept of third party beneficiary rights. Similar issues can also be observed in a few other Member States (such as Cyprus and Ireland) that have elements of common law tradition embedded in their legal systems (Malta being a legal system with a mix of both civil and common law elements).
As SCCs serve as one of the most commonly used legal bases for the transfer of personal data to third countries, not necessarily being able to rely on them can be very problematic for businesses and may endanger the overall health and economic viability of various Maltese sectors dependent on continued international cross-border data flows.
Several practical issues are also envisaged where a Maltese entity tries to rely on SCCs by designating the law of another country. These include, for example, the practical issue of possibly negotiating a principal agreement subject to Malta’s governing law while requiring SCCs subject to another, almost certainly conflicting, governing law. Further practical difficulties would also come into play when choosing and negotiating which other governing law should apply.
To address this legally inadequate situation, Ireland, for example, has recently introduced a new Statutory Instrument which amends the Irish Data Protection Act 2018 by providing for third party beneficiary rights for data subjects under the SCCs.
Similarly, it would seem appropriate for there to be legislative intervention in Malta similar in scope to the Irish amendment, whereby the issue would be addressed through new subsidiary legislation to the Data Protection Act (Chapter 586 of the Laws of Malta).
Article written by Senior Associate Dr Terence Cassar with the help of Legal Trainee Clara Sciberras.
For further information on Privacy and Data Protection Law, please contact Dr Ian Gauci and Dr Terence Cassar.