The European Parliament and the protection of privacy and personal data: An institutional analysis of its response to the Schrems judgements

Unlike other regions in the world, the protection of personal data is a fundamental right in the European Union (EU). It is enshrined in Article 8 of the Charter of Fundamental Rights of the EU, which acquired legally binding status and the same legal value as the EU Treaties in 2009, as well as in Article 16(1) of the Treaty on the Functioning of the EU. The Charter also explicitly provides for a right to privacy, contained in Article 7. Both rights are at the heart of the EU General Data Protection Regulation (GDPR), which entered into application in 2018, allowing personal data of EU residents to flow freely among the EU Member States. The same, however, does not apply to cross-border transfers of personal data from the EU to third countries. In these cases, the European Commission (EC) shall assess and ultimately decide whether those countries, or one or more specified sectors within those countries, ensure an adequate level of protection (Article 45 GDPR), by adopting implementing act, known as an ‘adequacy decision’. There are over fifteen adequacy decisions in place at present, including one adopted in relation to the United States (US) in July 2023, so-called ‘EU-US Data Privacy Framework’. This 2023 adequacy decision followed two previous ones, which were invalidated by the Court of Justice of the EU (CJEU), respectively, in the 2015 Schrems I and 2020 Schrems II judgments on the grounds that an adequate level of protection was not ensured by the US. This paper examines the response of the European Parliament (EP) towards these two judgements by the CJEU, including how and to what extent its official institutional position has differed from that followed by the EC when deciding to adopt the 2023 EU-US Data Privacy Framework. Special attention is given to both structural and agency factors shaping the EP’s position across the period under examination, using a case study methodology and an empirical institutionalist approach. The paper contributes to develop the literature on the role played by the EP as a normative actor both within the internal and external policies of the EU, in particular concerning the upholding of the right to privacy and personal data protection.