Ch-Ch-Ch-Changes
Hello all, and thanks for reading today.
Published: October 13, 2022
Hello and happy Thursday, everyone! There has been some exciting news in the privacy space this past week — namely, President Biden’s executive order describing the implementation of a Data Privacy Framework to support compliant EU-US data transfers.
Those of you who have been in privacy for a while will know that EU-US data transfers have been a bit of a bugbear.
First, businesses relied on a framework known as the Safe Harbor Privacy Principles to ensure compliant data transfers. This framework was invalidated in 2015 in a court case known as Schrems I, named after lawyer and privacy advocate Max Schrems. Schrems alleged that “the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities,” essentially arguing that US intelligence agencies could collect EU citizens’ data as they wished under the Safe Harbor provisions.
Next, there was the Privacy Shield, which replaced the Safe Harbor provisions. The Privacy Shield lasted until 2020, when it was invalidated by the European Court of Justice in the Schrems II court case, again over insufficient protections against government surveillance of EU citizens’ data.
Now, the Biden Administration has announced an executive order detailing how it will implement the Data Privacy Framework. This framework was agreed to by both President Biden and European Commission President von der Leyen in March 2022. The Data Privacy Framework features explicit safeguards and reviews for US intelligence activities as well as a means for EU citizens to seek redress for privacy violations, which is a good step in the right direction. Even so, one has to wonder whether the framework will stick, given the history of international data transfer frameworks between the EU and the US.
The business community is hoping that there won’t be a Schrems III on the horizon—but that may very well be the case. Max Schrems’s organization, None of Your Business (stylized as noyb), has issued a preliminary statement arguing that the framework is unlikely to satisfy EU law. As of this writing, the organization is working on a more in-depth analysis that may signal its intentions more clearly, but the decision to uphold the Data Privacy Framework ultimately rests with the European Court of Justice. Time will tell.
Best,
Arlo
President Biden signs executive order to implement the European Union-U.S. Data Privacy Framework
President Biden recently signed an executive order designed to protect data transfers between the EU and US and replace the previously invalidated Privacy Shield. Unlike previous international data transfer frameworks, the Data Privacy Framework takes steps to address the EU’s concerns over US intelligence agencies’ access to EU citizens’ data.
Read more
noyb: New US executive order unlikely to satisfy EU law
Responding to President Biden’s recent executive order establishing a new data privacy framework for international data transfers, Max Schrems’s privacy advocacy group noyb (or None of Your Business) published an article describing their initial reactions. noyb, which was responsible for the court case that invalidated the Privacy Shield, indicated that they did not believe the order would meet the standards of EU law and that they would release a deeper analysis in the future.
Read more
Dutch employee fired by U.S. firm for shutting off webcam awarded €75,000 in court
A Dutch employee of a Florida-based software company was awarded €75,000 by a Dutch court for wrongful termination after being fired for refusing to take part in an invasive training program at work. The employee was instructed to leave his web camera on and to share his screen for the entire workday.
Read more
A first look at the Colorado Privacy Act Proposed Rules
The Colorado Attorney General’s Office recently issued its proposed rules for the Colorado Privacy Act, which will go into effect on July 1, 2023. JD Supra analyzes the proposed rules, including rules on consent requirements, data governance, subject rights requests, and more.
Read more
Retailer Easylife fined £1.5m for data protection breaches
The UK’s Information Commissioner’s Office (ICO) has levied a £1.5m fine against Easylife, a catalog retailer. The ICO claimed Easylife was using customers’ purchasing decisions to build up profiles for advertising purposes without first gathering consent from those customers.
Read more
Which Company Has the Worst Online Privacy Policy?
A recent report analyzed various businesses’ online privacy policies, taking into account lexical difficulty, length, and privacy concerns. Among other findings, the report indicated that some businesses’ privacy policies received readability scores of less than 3 out of 100, took hours to read, and described privacy practices that average consumers would likely be surprised by.
Read more
Osano blog: An analysis of the Sephora enforcement action
Sephora was recently hit with a $1.2 million fine from the California Attorney General’s Office, making it the first enforcement action of the CCPA. The Attorney General’s Office announcement made it clear that this wasn’t the only investigation into CCPA violations that it was conducting, and that businesses can expect further investigations once the CPRA goes into effect on January 1, 2023. We analyze Sephora’s violations, the enforcement action, and major takeaways in our blog.
Read more
Watch: Meet our leadership team
Curious about the people behind Osano? Our new video series features interviews with Osano’s leadership to talk about what makes us different and what we expect to see in the compliance and privacy space in the future. This installment features an interview with Scott Hertel, Osano’s CTO.
Watch now
Interested in working at Osano? Check out our Careers page! We might have the perfect opportunity for you.
Arlo Gilbert is the CEO & co-founder of Osano. An Austin, Texas native, he has been building software companies for more than 25 years in categories including telecom, payments, procurement, and compliance. In 2005, Arlo invented voice commerce; he has testified before Congress on technology issues and is a frequent speaker on data privacy rights.