The new Standard Contractual Clauses (SCCs) issued by the European Commission came into force on 27 June 2021. The SCCs allow parties to choose the governing law of one of the EU Member States, provided that such law allows for third party beneficiary rights. As privity of contract rules apply in Ireland, there had been short-lived concerns about whether Irish law adequately recognised third-party beneficiary rights.

To address these concerns, the Irish government has passed S.I. No. 297 of 2021, the European Union (Enforcement of Data Subjects’ Rights on Transfer of Personal Data Outside the European Union) Regulations 2021 (the Regulation). This Regulation amends the Irish Data Protection Act 2018 (IDPA) by providing an express right on the part of individuals to enforce third party beneficiary rights conferred on data subjects under Binding Corporate Rules, SCCs and any standard data protection clauses adopted by a supervisory authority and subsequently approved by the European Commission.

This Regulation has resolved all ambiguity around the selection of Irish law as the governing law for the SCCs and other relevant transfer tools. Data subjects will now be able to rely on provisions of the IDPA in order to enforce any rights, benefits and additional safeguards contained in the SCCs as third parties.