Home Data Privacy Roundup If There’s Anything Certain In Life, It’s That Schrems III Is Coming

If There’s Anything Certain In Life, It’s That Schrems III Is Coming

SHARE:
Comic: Schrems III

If you hear a whirring sound, that’s privacy activist and lawyer Max Schrems sharpening his pencil.

On Monday, roughly three years after the Schrems II case invalidated Privacy Shield overnight – and with it the legal basis for data transfers between Europe and the US – the European Commission adopted its “adequacy decision” for the EU-US Data Privacy Framework.

“Adequacy” is a concept under GDPR that allows for the free flow of personal data between the EU and countries that the European Commission deems to have an adequate (hence the name) level of data protection.

Schrems had argued – successfully – that there could be no adequacy between the EU and the US because the US doesn’t offer legal privacy protections that are on par with those in Europe. There was no guarantee, for example, that a US intelligence agency wouldn’t get access to European data stored in US servers. The Snowden case proved as much.

Trading a shield for a framework

That is why the European Commission’s decision that data protection in the US is “comparable to that of the European Union” is a little surprising, considering the US still doesn’t have a consistent federal privacy framework.

Although there were a few newish elements introduced to the Data Privacy Framework, including a redress system for people who believe their data has been handled improperly by US companies, if you squint, you could easily mistake the framework for a reskinned Privacy Shield.

And the issue of potential US surveillance “overreach still persists,” said Elena Turtureanu, VP of legal and privacy compliance at Adform.

Although the framework puts limits on US intelligence agencies so they’re only able to access EU data when it’s “necessary and proportionate,” such as for specific national security purposes and criminal law enforcement, the fact remains that those purposes are “incompatible” with EU laws, Turtureanu said.

‘A quick fix’

Which begs the question of why the EU pushed this through while knowing it’s going to be challenged in court.

Subscribe

AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

Though it’s not surprising given the immense political pressure the commission has been under to prevent and avoid business disruption, said Turtureanu.

The legality of Google Analytics 4 (GA4) in Europe was being questioned, and Meta was hit with a $1.3 billion fine recently for exporting EU user data to the US for processing. Meta was also ordered to stop transferring data collected from Facebook users in Europe to the US.

“There was a desperate need for a quick fix,” she said.

Schrems and his nonprofit organization NYOB (which stands for “none of your business”) have already indicated that they’re planning to mount a challenge. In the meantime, the framework stands.

“The framework is a valid and legal data transfer mechanism for EU to US transfers unless, and until, it’s declared invalid by the EU Court of Justice,” said Joe Jones, research and insights director at the International Association of Privacy Professionals.

In other words, looks like GA4, which replaced Universal Analytics on July 1, can operate legally in Europe, at least for now.

“Data transfers, especially between popular and mature economies, are critical to the sustaining and growth of the ad tech industry,” Jones said.

Comic: The Great Online Privacy BattleCertainty (for now)

No doubt. But what about Meta?

The Irish order to stop transferring data to the US seems moot now that the EU has made its adequacy decision. The fine, however, still stands, although it’ll likely get significantly reduced.

“I am positive there will be a fine,” Turtureanu said, but she expects it to be lower now that there’s a framework for legal data transfers.

Meta will fight the fine in court, but even if it does have to pay the full $1.3 billion, that’s not much skin off its nose.

In the interim between now and the inevitable Schrems III case to come, companies have a legal framework for their transatlantic data transfers. But will there ever be total legal certainty for businesses on both sides of the Atlantic?

“That is the million-dollar question,” said Wim Nauwelaerts, a partner at Alston & Bird.

You know what couldn’t hurt, though? A national privacy law in the US.

“It might help if, one day, the US were to adopt comprehensive privacy legislation at the federal level,” Nauwelaerts said.

From your lips to the ears of Congress.

This cat video feels appropriate to the topic at hand. (It’s not paranoia if your cat really is watching you.) Also, Schrems isn’t a bad name for a cat. Let me know what you think. Drop me a line at [email protected].

Must Read

To Reduce The Ad Tech Tax, Sovrn Expands Its SaaS Pricing Model

Sovrn is now offering its header bidding managed service, dubbed Ad Management, as self-serve software for a flat CPM fee.

play button with many coins isolated on blue background. The concept of monetization of the video. Making money on video content. minimal style. 3d rendering

Exclusive: Connatix And JW Player Merge To Create A One-Stop Shop For Video Monetization

On Wednesday, video monetization platforms Connatix and JW Player announced plans to merge into a new entity called JWP Connatix. The deal was first rumored in July.

Buyers Can Now Target High-Attention Inventory In The Trade Desk

By applying Adelaide’s Attention Unit scoring, buyers can target low-, medium- and high-attention inventory via TTD’s self-serve platform.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters

How Should Advertisers Navigate A TikTok Ban Or Google Breakup? Just Ask Brian Wieser

The online advertising industry is staring down the barrel of not one but two potential shutdowns that could radically change where brands put their ad dollars in 2025, according to Madison and Wall’s Brian Weiser and Olivia Morley.

Intent IQ Has Patents For Ad Tech’s Most Basic Functions – And It’s Not Afraid To Use Them

An unusual dilemma has programmatic vendors and ad tech platforms worried about a flurry of potential patent infringement suits.

TikTok Video For Open Web Publishers? Outbrain Built It.

Outbrain is trying to shed its chumbox rep by bringing social media-style vertical video to mobile publishers on the open web.