Platform
- The Osano Platform Overview
  
  Get an overview of the simple, all-in-one data privacy platform
- Features & Integrations
  
  Key Features & Integrations
Solutions
- By Regulation
- CPRA
  
  Discover how Osano supports CPRA compliance
- CCPA
  
  Learn about the CCPA and how Osano can help
- GDPR
  
  Achieve compliance with one of the world’s most comprehensive data privacy laws
- By Organization Type
- Start-Up
  
  Don’t let data privacy compliance get in the way of growth
- Mid-Sized
  
  Preserve your competitive edge
- Enterprise
  
  Manage data privacy at scale
- By Use Case
- Consent Management
  
  Manage consent without the complexity
- DSAR Automation
  
  Never miss a DSAR deadline again
- Privacy Program Management
  
  Build and grow an end-to-end privacy program
- Vendor Risk Management
  
  Regain insight and control over your customers’ data
Resources
- Resources
  
  Key resources on all things data privacy
- Articles
  
  Expert insights on all things privacy
- Resource Center
  
  Key resources to further your data privacy education
- Customer Stories
  
  Meet some of the 5,000+ leaders using Osano to transform their privacy programs
- U.S. Data Privacy Laws
  
  A guide to data privacy in the U.S.
- Product Updates
  
  What's the latest from Osano?
- Become a Privacy Insider
  
  Data privacy is complex but you're not alone
- The Newsletter
  
  Join our weekly newsletter with over 35,000 subscribers
- The Podcast
  
  Global experts share insights and compelling personal stories about the critical importance of data privacy
- The Book
  
  Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start a privacy program
- Events
  
  Upcoming webinars and in-person events designed for privacy professionals
Latest Blog post

Ch-Ch-Ch-Changes

Hello all, and thanks for reading today.
Read Now
Company
- About Us
  
  The Osano story
- Careers
  
  Become an Osanian and help us build the future of privacy!
- Contact
  
  We’re eager to hear from you
- Our Pledge
  
  No fines, no penalties
- Data Licensing
  
  Add Osano data privacy ratings and recommendations to your application
- Osano Swag Store
  
  Increase Trust. Stay Compliant. Get Cool Swag.
- Press & Media
  
  Inquiries and Osano in the news
- Partners & Resellers
  
  Interested in partnering with us?
Pricing
Sign In Book a Demo

Privacy Insider: August 17, 2021

Osano Staff

Updated: December 6, 2022

Published: August 17, 2021

Sign up for our newsletter

Well, he's back. The man many companies love to hate. Max Schrems.

This time, Schrems is making news because his advocacy group, none of your business (nyob), filed 422 complaints with 10 EU data protection authorities over websites' misleading cookie banners. Earlier this year, nyob sent warning letters to the websites, alleging they were using tricky tactics to get users to agree to their cookie policies.

While 42% of the websites made changes, some didn't go far enough for nyob. It filed formal complaints against 82% of them, alleging violations of the EU Data Protection Regulation's provisions on cookies.

If you don't already know Schrems, he's someone you want on your radar. Because, while businesses have long despised him — or at least the money and work hours his activism incites — he's got a pretty good track record on wins. If I were one of the websites now facing DPA scrutiny, I'd be worried.

When Schrems started wreaking havoc in the data privacy space, he was a sneaker-wearing law student in Austria. As the story goes, during a semester abroad in California, he heard a guest lecturer from Facebook discussing the company's approach to European privacy law. It piqued his interest, and he decided to submit a data subject access request to Facebook.

Dissatisfied with the company's response (Schrems says they "burned a PDF file on a CD after all and sent it off to me"), Schrems and his team began investigating. And that was the beginning of the end of Safe Harbor, a legal tool essential to companies doing cross-transfers. It's a long story and a lot of court documents from there, but in the end, Schrems' allegations of privacy violations at Facebook went all the way to Europe's High Court. Schrems said Safe Harbor, predicated on mutual assurances in U.S. and EU law, was illegal. He said Facebook collected data that U.S. law enforcement ostensibly could access using national security law loopholes, and if the U.S. government could surveil data Facebook collects, Safe Harbor doesn't square with EU citizens' rights by the GDPR. And the court agreed. One gavel strike in October 2015 invalidated Safe Harbor forever.

The EU and U.S. tried again with a replacement mechanism called Privacy Shield. But in what's called the "Schrems II," case, the grown-up Schrems struck again, alleging that agreement was also illegal. In 2020, the court agreed. Privacy Shield died. Schrems was 2-0.

These are simplified explanations of a very nuanced legal procedure, but you get the point. Schrems ... wins.

I feel for my colleagues on the business side of things for the legal uncertainty, and wildly late nights Schrems seems to bring with him wherever he goes. There's been a lot of scrambling after these rulings. But as a pro-privacy journalist working for a company whose mission is to see every person granted their privacy rights, Schrems' work has been admirable.

That's why this news that he's put 422 companies on notice feels significant. The writing has been on the regulatory walls for a long time now: Improve your cookie practices, or you're stepping outside the lines. But nothing scares industry like the threat of losing money because of a regulatory fine and the complementary PR nightmare.

These 422 complaints don't mean anything yet. But, given Schrems' track record, it's probably time to pay attention.

This week, we're going to take a break from Twitter Spaces — which I have loved doing with y'all — because your girl is taking a couple days of vacation. Tomorrow, at this time, I'll be cruising up the highway to my hometown in Maine. Miles, my puppy dog, will serve as co-pilot.

Enjoy reading, and I'll see you next week!

Schrems and company file 422 official complaints on websites’ cookie practices

Privacy activist Max Schrems and his group, nyob, have filed 422 complaints with data protection authorities over alleged EU General Data Protection violations. Earlier this year, nyob sent warning letters to 516 websites across Europe over their use of “deceptive practices and dark patterns to trick visitors into agreeing to cookies,” Enterprise Times reports. The group warned the websites to fix the problem or face official complaints. While 42% made changes, nyob filed complaints against 82% of them. Schrems said many of the websites “only stopped the most problematic practices.”
Read Story

China to pass ‘GDPR-like’ law this week

China will likely pass a strict privacy law this week, The Wall Street Journal reports. The Personal Information Protection Act would look similar to the EU General Data Protection Regulation (GDPR). However, the Chinese government is to maintain broad access to data, unlike the GDPR. The new law aims to minimize data collection and obtain consent from users, and it applies to both the public and private sectors.
Read Story

Apple’s plan to fight child sex abuse online: explained

Recently, Apple announced a new plan to help it detect child pornography online, or what's called Child Sexual Abuse Media (CSAM). The announcement triggered an onslaught of criticism, partly because of the significant privacy implications posed and partly because Apple fumbled the reveal, as the company would later admit. Here's an explainer of what's happening; things got really confusing for a bit.
Read Story

Hacker claims to have stolen 100 million T-Mobile customers’ sensitive data

T-Mobile is investigating a data breach, NBC News reports. An anonymous hacker online claimed they had gained access to sensitive customer data, but T-Mobile said it’s not sure if that’s true. On Sunday, the self-proclaimed hacker said on social media and in a hacker forum that the sweep included sensitive data from 100 million T-Mobile customers. The information allegedly includes driver’s license and Social Security numbers.
Read Story

Hamburg privacy authority tells gov’t agencies to stop using Zoom

In the German state of Hamburg, the data protection agency (DPA) issued a public warning yesterday that government officials are not to use Zoom for video conferencing due to data protection concerns, TechCrunch reports. The DPA said doing so violates EU privacy law. The warning comes as EU DPAs investigate U.S.-based digital services, and it follows the landmark “Schrems II” ruling by Europe’s highest court last year. That ruling invalidated the Privacy Shield, a data-transfer agreement between the EU and U.S., finding U.S. surveillance law incompatible with EU privacy rights.
Read Story

Kerry: Now’s not the time to abandon efforts toward US privacy law

It’s been more than a year since the European Union shattered a widely used data-transfer mechanism, and there’s never been a greater need for a U.S. privacy law. That’s according to Cam Kerry at Brookings Institution, who writes that without baseline legislation, “the United States remains an outlier compared to the over 100 countries that have baseline privacy laws.” With no hearings this legislative session so far and none on the books, this is “not the time to abandon the effort,” Kerry writes.
Read Story

Schedule a demo of Osano today

Privacy Policy Checklist

Are you in the process of refreshing your current privacy policy or building a whole new one? Are you scratching your head over what to include? Use this interactive checklist to guide you.

Download Now

Osano Staff

Osano Staff is pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet.

Blog

Check out some of our latest articles

Osano is used by the world's most innovative and forward-thinking companies to easily manage and monitor their privacy compliance.

View All Blog Posts View All Resources

Simplify Data Privacy Compliance

With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.

Book a Demo

The Osano Platform Overview

Cookie Consent

Subject Rights Management

Assessments

Unified Consent & Preference Hub

Data Mapping

Vendor Privacy Risk Management

Features & Integrations

Privacy Templates

GDPR Representative

Consult Privacy Team

Regulatory Guidance

Integrations

CPRA

CCPA

GDPR

Start-Up

Mid-Sized

Enterprise

Consent Management

DSAR Automation

Privacy Program Management

Vendor Risk Management

Articles

Resource Center

Customer Stories

U.S. Data Privacy Laws

Product Updates

The Newsletter

The Podcast

The Book

Events

Ch-Ch-Ch-Changes

About Us

Careers

Contact

Our Pledge

Data Licensing

Osano Swag Store

Press & Media

Partners & Resellers

Privacy Insider: August 17, 2021

Osano Staff

In this article

Sign up for our newsletter

Share this article

Privacy Policy Checklist

Osano Staff

Osano Staff

Share this article

Blog

Check out some of our latest articles

Ch-Ch-Ch-Changes

What a Week. Lots to Unpack.

No Data Protections for Employees?

Simplify Data Privacy Compliance