The Safe Harbor 2.0 - An EU-U.S. Study of the Fundamental Right to Privacy with regard to Transatlantic Transfers of Personal Data

Sammanfattning: The emergence of Big Data presents the EU legislator with new challenges of how to protect EU citizens’ fundamental right to privacy as the Internet allows for massive amounts of personal data to easily cross borders. To meet the new challenges created by the borderless Internet, new privacy legislation is on its way in order to provide EU citizens with an adequate and sufficient protection for their fundamental right to privacy. The EU privacy protection provides its citizens with a broad protection for their fundamental right to privacy and personal data. This is considered as a general principle in EU law. In contrast, the U.S. does not have any comprehensive unanimous data protection laws. Rather it has chosen a sectorial approach, which renders data protection decentralized, fragmented, industry-specific, and largely uncoordinated among varying levels of government. This discrepancy between the EU and the U.S. presents challenges for a uniform international privacy standard that can facilitate for transatlantic transfers of personal data. In the Schrems ruling, the Court of Justice of the European Union held that an adequacy decision under article 25(6) of Directive 95/46/EC requires an investigation of the privacy protection offered by a third country. In addition, the Court concluded that the protection in the third country must offer a privacy protection that is “essentially equivalent” to the EU privacy protection. In the case, the Court invalidated the EU-U.S. Safe Harbor Program and concluded that the U.S. legal order did not amount to a privacy protection that is “essentially equivalent”. The Schrems ruling has left EU and U.S. companies that transfer EU citizens’ personal data to the U.S. with few lawful instruments for such transfers. Moreover, the discrepancy between the two privacy regimes will make it difficult to negotiate a Safe Harbor 2.0, especially because the U.S. does not recognize the right to erasure, which is a key provision in the EU privacy protection. The emergence of Big Data, the discrepancy between the EU and the U.S. privacy protection, the Schrems ruling, and the proposed GDPR have resulted in challenges for both legislators and companies with regard to transatlantic transfers of personal data. I contend in this thesis that the U.S. legal order does not amount to a protection that is “essentially equivalent” to the EU privacy protection. However, the discrepancy cannot result in a suspension of transatlantic transfers of personal data. Therefore, a reasonable compromise would be that EU citizens are provided with actionable privacy rights and a workable enforcement in a Safe Harbor 2.0. Consequently, regardless whether or not the data cross borders, EU citizens’ fundamental right to privacy is an offline right that also need to apply online.