If you hear a whirring sound, that’s privacy activist and lawyer Max Schrems sharpening his pencil.
On Monday, roughly three years after the Schrems II case invalidated Privacy Shield overnight – and with it the legal basis for data transfers between Europe and the US – the European Commission adopted its “adequacy decision” for the EU-US Data Privacy Framework.
“Adequacy” is a concept under GDPR that allows for the free flow of personal data between the EU and countries that the European Commission deems to have an adequate (hence the name) level of data protection.
Schrems had argued – successfully – that there could be no adequacy between the EU and the US because the US doesn’t offer legal privacy protections that are on par with those in Europe. There was no guarantee, for example, that a US intelligence agency wouldn’t get access to European data stored in US servers. The Snowden case proved as much.
Trading a shield for a framework
That is why the European Commission’s decision that data protection in the US is “comparable to that of the European Union” is a little surprising, considering the US still doesn’t have a consistent federal privacy framework.
Although there were a few newish elements introduced to the Data Privacy Framework, including a redress system for people who believe their data has been handled improperly by US companies, if you squint, you could easily mistake the framework for a reskinned Privacy Shield.
And the issue of potential US surveillance “overreach still persists,” said Elena Turtureanu, VP of legal and privacy compliance at Adform.
Although the framework puts limits on US intelligence agencies so they’re only able to access EU data when it’s “necessary and proportionate,” such as for specific national security purposes and criminal law enforcement, the fact remains that those purposes are “incompatible” with EU laws, Turtureanu said.
‘A quick fix’
Which begs the question of why the EU pushed this through while knowing it’s going to be challenged in court.
Though it’s not surprising given the immense political pressure the commission has been under to prevent and avoid business disruption, said Turtureanu.
The legality of Google Analytics 4 (GA4) in Europe was being questioned, and Meta was hit with a $1.3 billion fine recently for exporting EU user data to the US for processing. Meta was also ordered to stop transferring data collected from Facebook users in Europe to the US.
“There was a desperate need for a quick fix,” she said.
Schrems and his nonprofit organization NYOB (which stands for “none of your business”) have already indicated that they’re planning to mount a challenge. In the meantime, the framework stands.
“The framework is a valid and legal data transfer mechanism for EU to US transfers unless, and until, it’s declared invalid by the EU Court of Justice,” said Joe Jones, research and insights director at the International Association of Privacy Professionals.
In other words, looks like GA4, which replaced Universal Analytics on July 1, can operate legally in Europe, at least for now.
“Data transfers, especially between popular and mature economies, are critical to the sustaining and growth of the ad tech industry,” Jones said.
Certainty (for now)
No doubt. But what about Meta?
The Irish order to stop transferring data to the US seems moot now that the EU has made its adequacy decision. The fine, however, still stands, although it’ll likely get significantly reduced.
“I am positive there will be a fine,” Turtureanu said, but she expects it to be lower now that there’s a framework for legal data transfers.
Meta will fight the fine in court, but even if it does have to pay the full $1.3 billion, that’s not much skin off its nose.
In the interim between now and the inevitable Schrems III case to come, companies have a legal framework for their transatlantic data transfers. But will there ever be total legal certainty for businesses on both sides of the Atlantic?
“That is the million-dollar question,” said Wim Nauwelaerts, a partner at Alston & Bird.
You know what couldn’t hurt, though? A national privacy law in the US.
“It might help if, one day, the US were to adopt comprehensive privacy legislation at the federal level,” Nauwelaerts said.
From your lips to the ears of Congress.
This cat video feels appropriate to the topic at hand. (It’s not paranoia if your cat really is watching you.) Also, Schrems isn’t a bad name for a cat. Let me know what you think. Drop me a line at allison@adexchanger.com.
