Understanding the data privacy divide between the European Union and the United States

Sammanfattning: This Thesis seeks to give its reader the tools to understand the data privacy divide between the EU and the US. It explains the crucial notions, historical and jurisprudential factors and regulatory frameworks underlying and constituting it. First, it answers why regulating data privacy is paramount to our democratic societies on both sides of the Atlantic. The growing importance of the data driven economy, whose raw material is our personal data, creates challenges to basic democratic values, for example privacy and the freedom of speech. This Thesis explores the darker side of the digital economy, sometimes referred to as a form of surveillance capitalism. It describes how the advertisement-based business model of some of the most successful internet companies may, if left unregulated, render citizens vulnerable to enhanced forms of influence and manipulation, and weaken essential counter-powers such as dissidents, whistle-blowers and the press. Second, it answers how the EU and US approaches to regulating data privacy differ. In essence, different historical roots and economic incentives on both sides of the Atlantic explain the difference. The EU has had a painful experience with government surveillance and invasions of privacy, in particular in the former German Democratic Republic. On the contrary, the US does not have such history and its economy has enormously benefited from lax data privacy regulations, allowing it to grow internet giants. As a result, the EU regulates privacy and data protection tightly and enshrines them as fundamental rights, while the US takes a more market-based and light-touch approach by treating data privacy essentially as a subset of consumer protection law. Third, it answers why the CJEU decided to invalidate the adequacy decision concerning the first attempt at bridging the divide, the Safe Harbor. In summary, this Thesis argues that the Court was trying to give leverage to the EU as the negotiation of the Safe Harbor 2.0 (now Privacy Shield) were nearing their end, in order for the US to make concessions and agree on a more protective framework than would have otherwise been possible. Fourth, it synthesizes the current avenues for transferring personal data from the EU to US, that is to say, primarily, the Privacy Shield, and other vehicles such as consent and contracts, the SCCs, the BCRs, codes of conducts and certifications.