Table of Contents: I. Introduction. – II. From Safe Harbour to Privacy Shield: EU-US data transfer as a feedback loop. – II.1. Action: Safe Harbour and the first agreement on EU-US data transfer. – II.2. Effect: Safe Harbour invalidated by the CJEU in Schrems. – II.3. Feedback: Safe Harbour replaced by Privacy Shield. – III. Privacy Shield: non compliance, full or partial compliance? – III.1. Slightly improved protection of personal data. – III.2. Persistent shortcomings. – IV. Why only partial compliance? – IV.1. Reasons why non-compliance was not an option. – IV.2. Reasons why full compliance was not possible. – V. Conclusion.
Abstract: This Article focuses on data transfer from the European Union to the United States, and compares the new EU-US legal framework (Privacy Shield) with the former one (Safe Harbour), which was invalidated by the CJEU in the case of Schrems (judgement of 6 October 2015, case C-362/14). It combines legal analysis with a more political perspective taking into account the wider context in which these decisions were taken. This allows us to see whether the CJEU is able to ensure compliance with EU law, and EU fundamental rights in particular, in a sensitive area of external relations. It also brings some insights to bear on normative change, or the lack thereof, in fields where external relations and EU politics are intertwined. The conceptual model of the feedback loop is used to analyse the evolution from the Safe Harbour to the Privacy Shield regime. The action (adoption of Safe Harbour in 2000) has provoked an effect (the Schrems ruling adopted by the Court in response to the demands of data protection activists), which has finally led to feedback (adoption of Privacy Field in 2016). A legal analysis of this feedback effect shows that Privacy Shield only partially complies with the Schrems ruling. This partial compliance can be explained both by normative constraints and actors’ preferences.
Keywords: Safe Harbour – Privacy Shield – data protection – EU-US relations – data transfer –compliance.
* Senior Lecturer in Public Law and European Studies, Sciences po Grenoble, Univ. Grenoble Alpes, Centre for the study of international security and European cooperation (CESICE), Jean Monnet Chair, email@example.com.