The compatibility of the European Commission's standard contractual clauses with applicable law in a transfer of personal data to a third country
Abstract: Today's society is increasingly digital, and cross-border commercial relationships develop in step with rapidly expanding technology. Such relationships also increase the flow of personal data from the European Union (the Union) to third countries, and are essential for the digital economy. The Member States of the Union are governed by the General Data Protection Regulation (GDPR), whose main purpose is, inter alia, to ensure that data subjects are adequately protected. Third countries lack the same general rules providing equivalent guarantees. Chapter V of the GDPR contains a specific set of rules that enables a third-country transfer. Primarily, such a transfer may take place if the third country ensures an adequate level of protection. If an adequate level of protection is not achieved, the transfer may be based on the decision of the European Commission on standard contractual clauses. Today, there are three sets of standard contractual clauses, all of which are based on the Data Protection Directive. Two of the three regulate the relationship in which both the transferor and the recipient are controllers. The last set is suitable for the contractual relationship in which the transferor is the controller and the recipient a processor. However, there is a significant risk that the standard contractual clauses do not correspond to the personal data protection provided by today's applicable law. When transferring personal data from the Union to the United States of America (USA), the contracting parties used to apply a specific regulatory framework, the Safe Harbor system. However, in 2015 the system was invalidated by the Court of Justice of the European Union. The Safe Harbor principles aimed to guarantee data subjects proper protection of their personal data when Union citizens' information was transferred from the Union to the USA.
Because the Safe Harbor principles were drafted in general terms, national law took precedence over the Safe Harbor system where national law so required. In cases where national law had required a breach of the Safe Harbor principles, it was shown that the breach was not strictly necessary and proportionate. This thesis aims to investigate whether the standard contractual clauses are compatible with today's applicable law from a business perspective. The thesis finds that the standard contractual clauses show structures similar to those of the invalidated Safe Harbor system. These structures leave openings to prioritize a third country's national law over the principles of the standard contractual clauses, in a way that can challenge data protection. With the entry into force of the GDPR, new principles should be taken into account when applying the standard contractual clauses. In conclusion, the thesis finds that the standard contractual clauses should be applied with great caution until they are tried before the Court of Justice of the European Union.