Research project

Investigator:
Nikolaos Theodorakis

Abstract:
The Court of Justice of the European Union (CJEU) recently invalidated the EU-U.S. Privacy Shield Framework in its ruling in the Schrems 2 case. The CJEU found that (i) the Privacy Shield does not offer adequate protection to individuals’ privacy rights due to potential broad disclosure of personal data to the U.S. intelligence services/public authorities; and ii) the Ombudsperson created by the Privacy Shield framework to address complaints by EU citizens lacks the independence and authority to adopt decisions that bind U.S. intelligence services.
The Privacy Shield was relied on by thousands of companies to transfer personal data from the EU to the U.S. under the General Data Protection
Regulation (GDPR). Hence, the Privacy Shield’s invalidation, in combination with the recent guidance by the European Data Protection
Board on supplemental measures to guarantee cross-border transfers, means that companies on both sides of the Atlantic need to carefully
reconsider their data transfer strategy. This research will investigate the background that led to the Privacy Shield invalidation, successor of the also invalidated Safe Harbor, the options available to transfer data between the EU and the U.S., the supplemental measures that need to be in place and whether these latest developments will in effect lead to data localization.