Document Type


Publication Date

Summer 8-1-2021

Publication Citation

28 Indiana J. Global Legal Studies 205 (2021)


In July 2016, the EU-US (European Union-United States) Privacy Shield came into force, replacing the EU-US Safe Harbour, to address the concerns around data collection and privacy that arose in the case of Schrems v. European Data Commissioner (C-362/14). The Court of Justice of the European Union (CJEU) in its ruling known as Schrems I took a position in defence of privacy in the context of Edward Snowden's revelations on the National Security Agency's (NSA) surveillance programs. This context had already spurred the development of several instruments and enforcement regimes, such as the General Data Protection Regulation (GDPR), adopted in April 2016, and an agreement known as the EU-US Umbrella Agreement, concluded in December 2016. These two acts, as well as the Privacy Shield, were significant global data transfer instruments on account of their enormous regulatory reach across the Atlantic, at least until July 2020 when the Privacy Shield was struck down. Most commentators agreed that the implementation of the EU-US Privacy Shield raised serious legal concerns insofar as it did not offer sufficient privacy protection. Not surprisingly, actions for annulment5 were brought before the General Court of the Court of Justice of the European Union against the EU-US Privacy Shield (T-670/16 and T-738/16), and preliminary references 6 were initiated, culminating in a recent CJEU judgment (Grand Chamber) (C-311/18) invalidating it.

This article analyses the implementation and eventual demise of the Privacy Shield through a framework that combines two concepts at the heart of the evolution of the EU legal order: institutionalisation and judicialisation. This conceptual framework allows us to capture the relationship between EU and US legal orders and better understand why it is sometimes disharmonious.

Available for download on Saturday, August 01, 2026