Hello all, and happy Thursday!
Hello all, and happy Thursday!
For those of you who have been in the privacy game for the past few years, you may recall how difficult it’s been to keep EU-U.S. data transfers compliant with the GDPR. First, there were the Safe Harbor Principles (ruled invalid by the European Court of Justice), then the Privacy Shield (also ruled invalid), and now there’s the Data Privacy Framework (still valid... for now).
It’s tempting to say that the reason for all of this back and forth is Max Schrems and his data privacy non-profit noyb (or “none of your business”). It’s true that Schrems is responsible for bringing forward the complaints that led to the downfall of the Safe Harbor Principles and Privacy Shield, and he’s established that he intends to challenge the Data Privacy Framework too.
But the real reason why these mechanisms have failed relates to one of our stories this week: the recent renewal of section 702 of the Foreign Intelligence Surveillance Act (FISA). Section 702 serves as the basis for all sorts of surveillance programs. This includes PRISM, which lay at the center of Edward Snowden’s revelations.
Section 702 gives the U.S. intelligence community the power to demand that U.S. tech companies hand over non-U.S. citizens’ data upon request, sidestepping any kind of judicial review. Fundamentally, this clashes with the GDPR—EU citizens’ data is supposed to be protected from these kinds of secret transfers, even if (or especially if) the recipient is a government agency.
So, Max Schrems may have been the instigator, but he’s not the ultimate reason why these data transfer mechanisms failed. The current Data Privacy Framework at least provides some means of redressing EU citizens’ complaints when their data is accessed by U.S. intelligence agencies, but it hardly addresses this fundamental clash between privacy and surveillance.
In a time when everyone’s attention is monopolized by AI, state data privacy laws, and even a potential U.S. federal data privacy law, it’s worthwhile to recall just how uncertain the future of EU-U.S. data transfers may be.
Best,
Arlo
P.S. Speaking of AI, (you didn’t think I wasn’t going to mention AI, did you?) episode 2 of the Privacy Insider podcast is out! You can listen here, or scroll down to the bottom of this newsletter.
Hundreds of thousands of European schoolchildren are likely being tracked by Microsoft education software widely deployed in schools across the continent, according to the data privacy advocacy group NOYB (“None of Your Business”). NOYB has asked data protection authorities to investigate what data is processed by Microsoft 365 Education as it claims that the software violates transparency provisions of the General Data Protection Regulation (GDPR).
Article 82(1) of the GDPR provides individuals who suffer material or non-material damage as a result of an infringement of the GDPR with the right to receive compensation from the controller or processor for the damage suffered. But many questions about what constitutes non-material damage abound. Here’s how Irish courts have been handling this issue.
The American Privacy Rights Act was announced 7 April 2024 by a bicameral and bipartisan group of congress members. The proposal aims to give Americans enforceable data privacy rights and eliminate the patchwork of comprehensive state privacy laws. This IAPP cheat sheet provides an overview of the discussion draft of the APRA as published on 21 May 2024.
Texas Attorney General Ken Paxton launched a major data privacy and security initiative Tuesday, establishing a team that will focus on enforcing Texas privacy laws. Specifically, the team will be investigating companies that illegally collect and sell consumer data.
The recent renewal of section 702 of the 1978 Foreign Intelligence Surveillance Act (FISA) by President Biden means that intelligence agencies may collect the data of non-Americans interacting with American companies, such as Microsoft, Amazon, and Google. Despite being protected by the GDPR, this includes European citizens, sparking criticism from data privacy advocates.
In this episode of The Privacy Insider Podcast, host Arlo Gilbert and Katharine Tomko, partner at First Ascent Ventures, dive into AI, how it is changing the data privacy landscape, and how its growth presents new challenges for privacy teams and individuals. Listen to the episode with the link below!
If you’re interested in working at Osano, check out our Careers page!