Home Data Privacy Roundup If There’s Anything Certain In Life, It’s That Schrems III Is Coming

If There’s Anything Certain In Life, It’s That Schrems III Is Coming

Comic: Schrems III

If you hear a whirring sound, that’s privacy activist and lawyer Max Schrems sharpening his pencil.

On Monday, roughly three years after the Schrems II case invalidated Privacy Shield overnight – and with it the legal basis for data transfers between Europe and the US – the European Commission adopted its “adequacy decision” for the EU-US Data Privacy Framework.

“Adequacy” is a concept under GDPR that allows for the free flow of personal data between the EU and countries that the European Commission deems to have an adequate (hence the name) level of data protection.

Schrems had argued – successfully – that there could be no adequacy between the EU and the US because the US doesn’t offer legal privacy protections that are on par with those in Europe. There was no guarantee, for example, that a US intelligence agency wouldn’t get access to European data stored in US servers. The Snowden case proved as much.

Trading a shield for a framework

That is why the European Commission’s decision that data protection in the US is “comparable to that of the European Union” is a little surprising, considering the US still doesn’t have a consistent federal privacy framework.

Although there were a few newish elements introduced to the Data Privacy Framework, including a redress system for people who believe their data has been handled improperly by US companies, if you squint, you could easily mistake the framework for a reskinned Privacy Shield.

And the issue of potential US surveillance “overreach still persists,” said Elena Turtureanu, VP of legal and privacy compliance at Adform.

Although the framework puts limits on US intelligence agencies so they’re only able to access EU data when it’s “necessary and proportionate,” such as for specific national security purposes and criminal law enforcement, the fact remains that those purposes are “incompatible” with EU laws, Turtureanu said.

‘A quick fix’

Which begs the question of why the EU pushed this through while knowing it’s going to be challenged in court.


AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

Though it’s not surprising given the immense political pressure the commission has been under to prevent and avoid business disruption, said Turtureanu.

The legality of Google Analytics 4 (GA4) in Europe was being questioned, and Meta was hit with a $1.3 billion fine recently for exporting EU user data to the US for processing. Meta was also ordered to stop transferring data collected from Facebook users in Europe to the US.

“There was a desperate need for a quick fix,” she said.

Schrems and his nonprofit organization NYOB (which stands for “none of your business”) have already indicated that they’re planning to mount a challenge. In the meantime, the framework stands.

“The framework is a valid and legal data transfer mechanism for EU to US transfers unless, and until, it’s declared invalid by the EU Court of Justice,” said Joe Jones, research and insights director at the International Association of Privacy Professionals.

In other words, looks like GA4, which replaced Universal Analytics on July 1, can operate legally in Europe, at least for now.

“Data transfers, especially between popular and mature economies, are critical to the sustaining and growth of the ad tech industry,” Jones said.

Comic: The Great Online Privacy BattleCertainty (for now)

No doubt. But what about Meta?

The Irish order to stop transferring data to the US seems moot now that the EU has made its adequacy decision. The fine, however, still stands, although it’ll likely get significantly reduced.

“I am positive there will be a fine,” Turtureanu said, but she expects it to be lower now that there’s a framework for legal data transfers.

Meta will fight the fine in court, but even if it does have to pay the full $1.3 billion, that’s not much skin off its nose.

In the interim between now and the inevitable Schrems III case to come, companies have a legal framework for their transatlantic data transfers. But will there ever be total legal certainty for businesses on both sides of the Atlantic?

“That is the million-dollar question,” said Wim Nauwelaerts, a partner at Alston & Bird.

You know what couldn’t hurt, though? A national privacy law in the US.

“It might help if, one day, the US were to adopt comprehensive privacy legislation at the federal level,” Nauwelaerts said.

From your lips to the ears of Congress.

This cat video feels appropriate to the topic at hand. (It’s not paranoia if your cat really is watching you.) Also, Schrems isn’t a bad name for a cat. Let me know what you think. Drop me a line at [email protected].

Must Read

Comic: TFW Disney+ Goes AVOD

Disney Expands Its Audience Graph And Clean Room Tech Beyond The US

Disney expands its audience graph and clean room tech to Latin America, marking the first time it will be available outside the US. The announcement precedes this week’s launch of Disney+ with ads in Latin America.

Advertible Makes Its Case To SSPs For Running Native Channel Extensions

Companies like TripleLift that created the programmatic native category are now in their awkward tween years. Cue Advertible, a “native-as-a-service” programmatic vendor, as put by co-founder and CEO Tom Anderson.

Mozilla acquires Anonym

Mozilla Acquires Anonym, A Privacy Tech Startup Founded By Two Top Former Meta Execs

Two years after leaving Meta to launch their own privacy-focused ad measurement startup in 2022, Graham Mudd and Brad Smallwood have sold their company to Mozilla.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters

Nope, We Haven’t Hit Peak Retail Media Yet

The move from in-store to digital shopper marketing continues, as United Airlines, Costco, PayPal, Chase and Expedia make new retail media plays. Plus: what the DSP Madhive saw in advertising sales software company Frequence.

Comic: Ad-ception

The New York Times And Instacart Integrate For Shoppable Recipes

The New York Times and Instacart are partnering for shoppable recipe videos.

Experian Enters The Third-Party Data Onboarding Business

Experian entered the third-party data onboarder market on Tuesday with a new product based on its Tapad acquisition.