The field of privacy and data protection is probably the one where the most interesting moves occurred in the European Union's legal system over the last decades, leading to remarkable political externalities, most notably in the relationship with the United States. If a “Balkanization” of cyberspace did take place, the protection of privacy and personal data offers a privileged standpoint from which to look at how the European Union institutions, and above all the Court of Justice, contributed to such a result.
The “Privacy Shield”, as it is known, came into force after the Court of Justice invalidated the “Safe Harbour” agreement between the European Union and the United States. By handing down its decision in the Schrems case, the Court of Justice marked a point of no return, finding that it was no longer allowed to transfer personal data from the EU to the US in the absence of safeguards ensuring that European citizens’ privacy received an adequate degree of protection. The Court of Justice, in fact, found that the mechanism provided in the Safe Harbour agreement, ratified by the European Commission in 2000, did not secure a level playing field in terms of personal data protection.
The reasons behind this failure lie especially in the unprecedented consequences of the digital revolution, which led to new challenges for the right to privacy. Additionally, the Court of Justice's stance was not immune, perhaps, to the influence of the NSA scandal, which had just then brought to light the controversial attitude of the US government and its respective agencies towards the personal information of non-American citizens. Last but not least, the Court of Justice handed down the Schrems judgment amidst the long-awaited passing of the GDPR (which came only a few months later, in May 2016), which marked a Copernican paradigm shift in Europe.
In light of this, the legal consequences of the Schrems judgment were definitely significant, but its political implications were probably even more momentous, for a variety of reasons.
The US government was de facto forced to enter into negotiations with the European Union to revisit its own legislation and practice on the processing of personal data (including of non-American citizens). Indeed, the judgment of the Court of Justice formally concerned the European Commission decision, which green-lighted the Safe Harbour agreement, i.e., an act of EU law. Nonetheless, the reasons why said decision was struck down have to do with US law and practice concerning data protection, which the Court of Justice deemed inadequate for safeguarding the fundamental rights of European citizens to privacy and data protection.
On the other hand, this outcome could not be avoided by the US government. In fact, most Internet service providers (e.g., cloud computing service providers, search engine service providers, social media networks) are based in California, and the data processing activities (including of data of European residents) they carry out take place in the US, so that they can benefit from the more lenient approach of that legal system. Since the most prominent market players of the digital economy are American companies, the adoption of a new scheme governing the transfer of data from the EU was an inevitable choice. From the US perspective, building a new “transatlantic bridge” became a priority to allow data flows from the European Union and thus ensure the continuity of those services which, albeit operated by American companies, targeted European residents. Likewise, from the EU perspective, entering a new agreement was essential to avoid a substantial shutdown of the services made available by digital and tech companies.
The Privacy Shield therefore came into force with high expectations, substantially strengthening the safeguards for European citizens. But was the lesson actually learned? Now, whether the level of protection granted to the personal data of European citizens is actually fit for its purpose is something that must be assessed on a regular basis. This requires the US Department of Commerce and the European Commission to carry out an annual review of the Privacy Shield to confirm the effectiveness of the important measures that have been undertaken. At the same time, it also implies that the Privacy Shield is equally affected by “downward” and “upward” fluctuations in the degree of protection of personal data occurring on both sides of the Atlantic. Since the European Union attaches a greater significance to privacy, it should not come as a surprise that (also as a result of the GDPR) the EU nowadays stands out as a modern flag-bearer of data protection, thus being able to largely influence even US-based players. It is not by coincidence that some scholars (e.g., Oreste Pollicino) correctly argue that, the EU being such a privacy “fortress”, it should be able to develop flexible mechanisms for a transatlantic dialogue — mechanisms that appear more and more necessary in an interconnected world, at least to avoid a “Cold War” 2.0 based on the governance of personal data.