International Data Transfers: The Effect of Divergent Cultural Views in Privacy Causes Déjà Vu
Volume 68, Issue 5, 1111-1134
Whether operating globally or simply integrating services on the Internet, many business functions inevitably subject companies to a web of complicated international regulatory and legal requirements. For example, collecting customer information worldwide, working with suppliers abroad, or operating a foreign subsidiary each trigger an obligation to protect the personal data of the individuals involved with those transactions adequately, and in accordance with various jurisdictional specific. Because thousands of American companies are affected by Europe’s strict requirements, the Department of Commerce, along with the European Commission, implemented the International Safe Harbor agreement (“Safe Harbor”) to assist companies in complying with European data protection laws.
An interesting turn of events ignited significant discourse about whether the Safe Harbor provided satisfactory protection for European data transferred to the United States. One European national’s challenge of the Safe Harbor provision led the European Court of Justice to review its adequacy, ultimately leading to the data transfer mechanism’s invalidation. Soon thereafter, a new framework, the U.S.-E.U. Privacy Shield (“Privacy Shield”) replaced the Safe Harbor. However, this new replacement mechanism has drawn equally harsh criticism.
This Note seeks to understand the disapproval of the two regulatory frameworks governing overseas data transfers, and begins by undertaking a brief analysis of the social forces shaping the vastly different regulatory approaches to privacy protection that exist in the United States and the European Union. The Author suggest that such disapproval stems from different cultural notions in the United States and Europe about privacy that are deeply rooted in those nations’ respective histories. The result? Déjà vu for the European Court of Justice as they prepare for another challenge to the validity of the existing international data transfer framework less than one year after its adoption and the date it took effect.