Because Malta is a member state of the EU, EU data protection laws, including the General Data Protection Regulation (2016/679, “GDPR”), apply to Malta, and transfers of personal data within the EU require no additional guarantees.
With regard to transfers of personal data to third countries, it should be noted that the European Commission is responsible for proposing and (following the opinion of the EU Data Protection Committee and the approval process of representatives of EU countries) adopting “adequacy decisions”, a formal decision taken by the EU which recognizes that a third country offers a level of protection of personal data equivalent to that of the EU.
The legal effect resulting from an “adequacy decision” is that personal data can be transferred from the EU to these “suitable countries” without any further guarantees being necessary, as with intra-EU transfers.
To date, Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay have been recognized as “suitable third countries” by the EC. The procedure for adopting an adequacy decision concerning South Korea is currently underway, while adequacy decisions concerning the United Kingdom have recently been adopted, addressing concerns about the continued free flow of personal data after Brexit.
With regard to all other third countries (including more particularly the United States), transfers of personal data to these third countries are not authorized under the GDPR unless (i) a derogation for a specific situation applies under the GDPR or (ii) the transfer is subject to appropriate safeguards, as specifically recognized by the GDPR. These safeguards include binding corporate rules, an approved code of conduct, certification mechanisms and standard contractual clauses (the “SCCs”).
The objective of these guarantees is essentially to ensure that the high level of data protection offered within the EU is not compromised by the cross-border transfer to a third country.
Standard contractual clauses
In practice, SCCs tend to be the safeguard for third-country transfers of personal data that is most often used to legitimize such transfers.
SCCs are a model contract issued by the EC under which, essentially, obligations are imposed on the data importer (located in a third country) to process the personal data transferred in accordance with certain principles derived from EU data protection legislation. SCCs are therefore a legal tool that legitimizes the transfer of data and aims to ensure, through a model contract, that data protection is not compromised as a result of a transfer; in other words, by the imposition of standard contractual obligations.
In general, SCCs tend to be implemented as annexes to main agreements covering commercial matters or a service or supply relationship.
Prior to the recent update, the SCCs were a static contract model. However, following the publication of the new version of the SCCs (final EC decision of June 4, 2021), they are now a modular model and no longer a static contract model.
This new modular approach to the SCCs requires users to choose, from the model clauses provided, the clause deemed most applicable to the situation. This includes choosing the clause they deem most relevant with respect to the law specified to govern the SCCs.
Applicable law and rights of third party beneficiaries
Article 17 of the SCCs, i.e. the clause requiring the designation of the law governing the SCCs, presents the following choices:
MODULE ONE: Controller-to-controller transfer
MODULE TWO: Controller-to-processor transfer
MODULE THREE: Processor-to-processor transfer
[OPTION 1: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of _______ (specify Member State).]
[OPTION 2 (for Modules Two and Three): These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of _______ (specify Member State).]
MODULE FOUR: Processor-to-controller transfer
These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of _______ (specify country).
All available options effectively require that the law of a country that recognizes the rights of third party beneficiaries be selected and designated as the applicable law for the SCCs.
The rights of third party beneficiaries are essentially the rights of performance and compensation held by a party (in this case, a data subject) who would have the right to institute legal proceedings on the basis of a contract (in this case, the SCCs), although it is not a party to the contract. Indeed, the third party is the intended beneficiary of the data protection guarantees that the contract seeks to provide.
As such, the need to designate, as the law applicable to the SCCs, the law of a country which recognizes the rights of third party beneficiaries must also be considered in light of Clause 3 of the new SCCs, according to which data subjects are granted the right to assert the majority of the provisions of the SCCs as a third party.
Why is this a problem?
The requirement to designate, as the applicable law of the SCCs, a law which recognizes the rights of third party beneficiaries is effectively contrary to Maltese legal principles.
Under Maltese law, contracts are presumed to be binding and to be performed only by the parties, with the rights of third party beneficiaries recognized only in very limited and specified circumstances (such as in life insurance).
It would also appear that the circumstances covered by Article 1000 of the Maltese Civil Code (Chapter 16 of the Laws of Malta), which deals with when a person can stipulate for the benefit of a third party, would not apply in the context of SCCs.
In effect, this means that at present, designating Maltese law as the law applicable to SCCs could be legally problematic and potentially risky.
Malta does not appear to be the only Member State which does not generally allow the concept of third party beneficiary rights, and similar problems can also be observed in a few other Member States (such as Cyprus and Ireland) which have elements of the common law tradition integrated into their legal systems (with Malta being a legal system with a mixture of civil law and common law elements).
Since SCCs are one of the most commonly used legal bases for the transfer of personal data to third countries, not necessarily being able to rely on them can be very problematic for businesses and can endanger the overall health and economic viability of various Maltese sectors dependent on continued international cross-border data flows.
Several practical issues also arise where a Maltese entity tries to rely on SCCs by designating the law of another country, including for example the practical issue of possibly negotiating a main agreement subject to the law of Malta while requiring SCCs subject to another, almost certainly contradictory, applicable law. In addition, practical difficulties would also come into play when choosing and negotiating the other applicable law.
To address this legally inadequate situation, Ireland, for example, recently introduced a new statutory instrument which amends the Irish Data Protection Act 2018 by providing for third party beneficiary rights for data subjects under the SCCs.
Likewise, it would appear that legislative intervention in Malta would have a similar scope to that of the Irish amendment, according to which the issue would be dealt with through new subsidiary legislation to the Data Protection Act (Chapter 586 of the laws of Malta).