Differences towards Data Privacy between the EU and US Legal System
The case of C-362/14 Schrems (case Schrems) was a landmark case in the development of data protection laws and motivated both the EU and the US to seek a new mechanism for guaranteeing safe data transfers between each other. This article will compare distinctions of data privacy between the EU and US legal system (the EU-US system).
Firstly, dfferent starting points is a key factor between the EU-US systems. Privacy is a fundamental right which was adopted by the Charter of Human Rights in the EU over other interests. In contrast, privacy is not protected as a fundamental right under constitutional law in the US. US traditionally strikes a balance in favour of national security. In accordance with this concept, personal data can be collected and processed, except for that forbiddance by law in the US. This issue was highlighted in the case Schrems and was one of the reasons of failing to offer the adequate level of protection by the US.
Moreover, protecting individuals’ privacy is also the responsibility of the government in the EU.  Therefore, the EU has established a high-level protection for data privacy. Conversely, the US is unwilling to interfere with the freedom of the financial markets and enables privacy to be traded for economic benefits. The US federal government strongly believes that the market can regulate itself and governments usually regulate when there is a demand to create a market. Hence, the US regime emphasises business needs and encourages self-regulatory, which is also the defining characteristics of its regime governing data privacy.
Furthermore, the EU and US models represent two typical methods of data privacy. The EU applies an omnibus privacy structure, which emphasises uniformity and enforcement, providing the same protection for all data according to sets of rules. For example, the Data Protection Directive was established in 1995 which considered data privacy as a key issue from an early age. Subsequently, the E-Privacy Directive was enforced in 2002. The principal legal document is General Data Protection Regulation (GDPR) which will be enforced from 25 May 2018.
In contrast, the US has implemented a sectoral privacy structure in the protection of data privacy. Self-regulation is the key feature of the US legal system governing data privacy. It varies according to different industries, setting different protection standards depending on specific circumstances, purposes and approaches. This approach is extremely flexible and conductive to the development of industries. In terms of legislation of privacy protection in the US, privacy is only found explicitly in the Bill of Rights rather than in the Constitution. Although Congress has passed several statutes towards privacy protection, the statutes merely cover some specific industries and sectors, such as the Fair Credit Reporting Act and Health Insurance Portability and Accountability Act. Thus, the protection of data privacy remain decentralised.
Finally, the EU establish several institutions to protect personal data, including the European Court of Justice, Data Protection Officer, European Data Protection Supervisor and European Data Protection Board. Conversely, governmental oversight is much weaker in the US. Most supervisory responsibilities are undertaken by Federal Trade Commission (FTC), but FTC only has limited power. From these respective, both the US’s domestic law and its supervisory authority are unable to meet the requirement of ‘adequate level of protection’. This issue was also demonstrated in the case Schrems.