Christopher Kuner, Reality and Illusion in EU Data Transfer Regulation Post Schrems (February 14, 2016). University of Cambridge Faculty of Law Research Paper No. 14/2016. Available at SSRN
In Schrems v. Data Protection Commissioner, the Court of Justice of the European Union invalidated the EU-US Safe Harbour arrangement allowing personal data to be transferred to the US. The judgment affirms the fundamental right to data protection, defines an adequate level of data protection for international data transfers under EU law, and extends data protection rights to third countries, all based on the EU Charter of Fundamental Rights. The judgment is a landmark in the Court’s data protection case law, and illustrates the tension between the high level of legal protection for data transfers in EU law and the illusion of protection in practice. The judgment has undermined the logical consistency of the other legal bases for data transfer besides the Safe Harbour, and reactions to it have largely been based on formalism or data localization measures that are unlikely to provide real protection. Schrems also illustrates how many legal disagreements concerning data transfers are essentially political arguments in disguise. The EU and the US have since agreed on a replacement for the Safe Harbour (the EU-US Privacy Shield), the validity of which will likely be tested in the Court. It is crucial for data transfer regulation to go beyond formalistic measures and legal fictions, in order to move regulation of data transfers in EU law from illusion to reality.