On this episode of the Cell Dev Memo podcast, I converse with returning visitor Mikołaj Barczentewicz, an professional on European information privateness legislation, concerning the latest $1.3BN high-quality that the Irish DPC issued to Meta over its transmission of EU resident information to america. We talk about the historical past of knowledge switch frameworks between the EU and the US and why they’ve all been invalidated, the core motivations of EU protectionism associated to information switch, and the implications for all expertise corporations of the Irish DPC’s choice.

Mikolaj has beforehand joined the Cell Dev Memo podcast to debate EU information privateness legislation broadly in addition to the soon-to-be-enforced Digital Markets Act (DMA) and Digital Companies Act (DSA).

The Cell Dev Memo podcast is on the market on:

A transcript of our dialog, which has been frivolously edited for readability, could be discovered under.

Interview Transcript

Eric Seufert:

Mikolaj, completely satisfied Friday. How are you?

Mikolaj Barczentewicz:

I’m high-quality. Good to see you once more.

Eric Seufert:

Loads of stuff has occurred since we final spoke. I’m bringing you again to the podcast for the third time to speak about EU privateness and the EU privateness regime. I very a lot recognize your time, very a lot recognize you being prepared to come back on this podcast and elucidate these very advanced subjects for me, for the viewers. I’ve acquired an amazing quantity of very, very constructive suggestions about these podcasts. Folks actually recognize these subjects being unpacked in a manner {that a} layman can perceive. And so, thanks on your service right here. Possibly earlier than we kick off the dialog, you possibly can type of simply briefly give some background on your self, for individuals who haven’t heard the earlier podcast episodes.

Mikolaj Barczentewicz:

I’m an instructional, I’m a legislation professor within the UK on the College of Surrey. I even have analysis affiliations with Oxford and Stanford. And Oxford is the place I acquired my doctorate. I work on on-line expertise points, each on privateness points, what we speak about at the moment, however I additionally work on some barely much less associated points in monetary regulation. However one factor that for me, brings all of it collectively, is that I do have a little bit of a technical background. As a result of as a young person, I taught myself to code after which I labored for a number of years in advertising and internet design. So I really feel a little bit of affinity to your neighborhood this manner.

Eric Seufert:

So final week, we had a landmark choice, proper? There was a landmark choice.

Mikolaj Barczentewicz:

Sure.

Eric Seufert:

A record-breaking high-quality was issued by the Irish DPC towards Meta.

Mikolaj Barczentewicz:

Sure.

Eric Seufert:

So perhaps to begin, are you able to present us with a high-level overview of what that call was, why the high-quality was issued, and a few background on the method that happened for that call and that high-quality to come back about?

Mikolaj Barczentewicz:

Sure. So one other week, one other Meta choice from Eire. However this time it’s about one thing that perhaps not as a lot of your listeners could have direct expertise with, as a result of right here we’re speaking concerning the lawfulness of knowledge transfers from the EU to the U.S. And beneath the EU Common Knowledge Safety Regulation, the GDPR, you possibly can solely switch private information outdoors the EU if this switch is not going to undermine the safety of private information. After which the GDPR has a listing of potential situations, which might imply that that is okay, that your transfers are okay. However if you happen to don’t fall beneath any of these situations, then what you’re doing is illegitimate.

And what occurred on this choice was that the Irish Knowledge Safety Commissioner (DPC) determined that Meta, the way in which they had been transferring the private information of their customers, didn’t fulfill any of these situations. And their transfers are unlawful, so they should stop. And as well as, they’re meant to pay €1.2 billion euro high-quality, which is the highest-ever GDPR high-quality. However on this case, the high-quality feels extra like only a footnote to a extra critical concern of these transfers.

Eric Seufert:

So, there’s a few factors that I need to make clear right here, after which I need to soar again 10 years. So the primary level is that this was not associated in any manner in anyway to personalised adverts, to promoting, this had nothing to do with Meta’s practices on that time. This was… in a roundabout way, proper? So in fact, they’re gathering that information for that function, I suppose. However that’s not why the info switch is deemed to be non-compliant. Proper? The explanation the info switch is deemed to be non-compliant is…

Mikolaj Barczentewicz:

Simply because it’s being transferred from the EU to the US.

Eric Seufert:

So let me immediate you somewhat bit extra clearly. Why is the U.S. thought-about the form of rogue territory to which EU information will not be transferred?

Mikolaj Barczentewicz:

Effectively, that does deliver us again 10 years to Snowden’s Revelations, to his disclosures of a few of the practices that the U.S. authorities, each domestically and out of doors the U.S., form of engages in when it comes to information assortment. And each instantly from, so far as I can bear in mind, undersea cables and thru orders delivered to corporations like then Fb, now Meta. So these are technically often known as Part 702 of FISA and the Govt Order 12333.

Eric Seufert:

I feel that’s actually fascinating. So we’re beginning with this choice that occurred final week, however the origins of this return to 2013. They return to Snowden disclosures, the PRISM program from the NSA, and the concept being that information from Europeans, when it’s transferred again to america, may very well be pried upon, it may very well be intercepted by the NSA. And that’s thought-about to be a violation of European human rights, primarily. That’s the argument, proper?

Mikolaj Barczentewicz:

The truth that your information could be pried upon in itself is a restriction of your rights, however it doesn’t imply that it’s an infringement. That occurs in Europe on a regular basis, and there’s information assortment for intelligence functions or for prison investigations. It’s simply that the query is whether or not it’s achieved inside a framework that also offers adequate safeguards. So you possibly can say that your proper just isn’t infringed, despite the fact that it’s restricted.

Eric Seufert:

Proper. Okay. So it’s not sending information to america the place that information could also be intercepted or pried upon. It’s not de facto unlawful beneath the GDPR, it’s simply that we don’t actually know the way it’s achieved, to start with. And second, there’s an assumption there, and until it’s clarified, it in all probability is violating European rights. Is that right?

Mikolaj Barczentewicz:

Yeah. So there are a number of points there, we are able to return to this later if you happen to like. So one of many fundamental points is, for instance, judicial redress. So the concept is that in case your information is topic to some form of intelligence assortment and this type of restriction, there ought to a minimum of be some management by an impartial, ideally judicial physique, that might say whether or not this assortment, whether or not this restriction of your rights just isn’t extreme, whether or not it’s proportionate. Proper?

And one of many arguments for earlier European judgments towards these transfers to the U.S. was that there isn’t a such safety or judicial management for Europeans’ information. As a result of we’re not speaking concerning the information collected on U.S. residents. That’s a very separate concern. We’re solely speaking concerning the information that’s the information of European residents.

Eric Seufert:

Okay. So, let me see if I can make clear that. So the concept right here is that, okay, if information are collected on a U.S. citizen in residence, they’ve some type of recourse. They’ve some type of authorized recourse. And if I bear in mind, I imply that is hearkening again to the Bush period and the Patriot Act and stuff, so see if I can bear in mind all this. However a part of that was, properly, perhaps they don’t as a result of quite a lot of these items occurred in FISA courts the place it was all in secret. We don’t actually know what occurred. It was all sealed. However theoretically, a U.S. citizen, they’d have the judicial course of could be accessed by them. But when it’s occurring to a overseas resident, they don’t have the identical type of entry. Is that right?

Mikolaj Barczentewicz:

So I’m not an professional on U.S. nationwide safety legislation, however my understanding is that a minimum of a few of these companies just like the CIA and the NSA, they can not gather information that’s concentrating on U.S. individuals. In fact, you’d have a distinct type of judicial recourse fairly possible. However even the boundaries are totally different as a result of myself as a foreigner, in order an alien beneath U.S. legislation, I’m truthful sport for the CIA and the NSA, however you will not be.

Eric Seufert:

Proper. And I feel that’s… Usually, I may not be, however there may very well be a warrant that was issued in a closed-door FISA listening to the place my information may very well be collected. However there was nonetheless some type of judicial course of. Wasn’t that the entire concern with Bush? I don’t need to get too spun across the axle right here, however I feel it’s attention-grabbing to consider the genesis of this. Proper?

Mikolaj Barczentewicz:

Yeah. So it began, I imply the saga of these so-called, Schrems instances, it began in 2013 with Snowden disclosures after we discovered about PRISM and UPSTREAM and EO 12333.

Eric Seufert:

So that is 2013, and I don’t need to make this about a person particular person, however Max Schrems on the time, was a legislation pupil. He wasn’t the type of well-known activist that he’s now. He was a pupil, primarily.

Mikolaj Barczentewicz:

Sure.

Eric Seufert:

And he mentioned, “Okay, look. We discovered all these items concerning the U.S. safety equipment and intelligence equipment. And look, I consider this violates my human rights. If my information goes over there and the NSA can spy on it, with none form of authorized recourse.” So, he filed a grievance. And he filed a grievance with the Irish DPC as a result of that’s the place Fb’s headquarters was. After which speak me by means of… In order that was the unique grievance, after which one thing occurred. After which he filed one other grievance, after which one thing else occurred. After which he filed one other grievance, after which right here we’re. Is that roughly right? And perhaps walked us by means of the steps right here.

Mikolaj Barczentewicz:

Proper. It’s. So the procedural historical past of what occurred is kind of advanced, so we are able to attempt to simplify it a bit. However what occurred to this primary grievance, so far as I bear in mind, the Snowden disclosures, they occurred round June 2013. And Schrems filed his grievance very quickly after, inside weeks. So, we’re across the summer season of 2013. And the Irish Knowledge Safety Commissioner acquired that grievance and refused to analyze. As a result of they mentioned that in the event that they examine, it will problem the validity of the EU legislation on which Fb was relying to switch consumer information to the U.S.

As a result of they refused, then Schrems went to the Irish Courts, and the Irish Courts then requested the very best EU Courtroom, the EU Courtroom of Justice to say… That is the process often known as a preliminary reference. So that they requested the EU Courtroom to say what they consider this, whether or not the Irish authority needs to be investigating, and what to consider this entire authorized scenario. And that’s how we ended up with the Schrems I judgment in late 2015.

So, that was the primary of these well-known judgments. And that judgment invalidated that legislation on which Fb was relying to switch consumer information. This was known as the Secure Harbor Determination. So, that was the primary battle within the marketing campaign.

Eric Seufert:

Okay. And so, the legislation was invalidated, proper?

Mikolaj Barczentewicz:

Sure.

Eric Seufert:

Which ought to have blocked the info switch. So what occurred subsequent? What occurred after? So let me simply play this again, as a result of I feel it’s attention-grabbing. So to start with, one level of clarification, the EU Courtroom of Justice, its acronym is CJEU. It’s not EUCJ. That appears like perhaps a rookie mistake that individuals would possibly make, and I’ve made.

Mikolaj Barczentewicz:

Effectively, no. They type of rebranded the court docket within the latest modification to the treaties. So we used to name it the ECJ, the European Courtroom of Justice, and a few individuals nonetheless do. However the official identify modified to the Courtroom of Justice of the European Union, in order that’s why we now have CJEU.

Eric Seufert:

I need to make sure that individuals don’t reveal themselves to be novices on this area, as I’ve achieved.

Mikolaj Barczentewicz:

What makes issues simpler is that we don’t have that many individuals or establishments right here. So we now have the Irish Excessive Courtroom and the one European Courtroom, after which the Irish DPC. So, they’re the principle actors for an extended whereas on this drama.

Eric Seufert:

Effectively, till we get to the form of newer historical past, which is when the EDPB enters the chat. However okay, so we’ve acquired a person, a legislation pupil. He information a grievance, following the Snowden disclosures. He goes to the Irish DPC, they are saying no. He goes one step larger, they are saying, “Okay, properly Irish DPC, you’ve acquired to analyze this.” So then he goes to the CJEU. They are saying, “Hey, really this does violate our legal guidelines. And so this information switch framework that we now have often known as Secure Harbor, is invalidated.” Proper? So then what occurs?

Mikolaj Barczentewicz:

Sure. And the rationale why this information switch framework was invalidated was that the court docket, the EU Courtroom, mentioned that what we now know because of the Snowden revelations exhibits that transferring private information to the U.S. doesn’t give this assure that the basic rights of Europeans will probably be protected. So, that was the rationale in brief. And so as a result of the authorized foundation was invalidated, the Irish DPC opened a brand new investigation. So in the meantime, Fb was transferring consumer information to the U.S. now primarily based on a distinct foundation. So as an alternative of utilizing this Secure Harbor, then they began counting on the so-called, Commonplace Contractual Clauses. Yeah. So, that was the scenario.

And in Could 2016, the Irish DPC ready a draft choice the place they mentioned that Fb’s reliance on these Commonplace Contractual Clauses is illegal, given the circumstances of PRISM and so forth. However the Irish DPC additionally thought that this questions the validity of one other EU legislation, which created this Commonplace Contractual Clause framework. So then it initiated one other excessive court docket case in Eire to get a query out to the EU Courtroom.

So we’re in 2016, and so there’s a draft choice saying that what Fb is doing is illegal. However really, this isn’t efficient as a result of first, we’re again on the courts. So the judgment from the Irish Excessive Courtroom was in 2017, the primary judgment. After which someday in 2018, they did concern this query to the EU Courtroom.

Meta delayed the entire course of a bit as a result of they appealed that call to ask the EU Courtroom they usually made that attraction to the Irish Supreme Courtroom. So, that’s why successfully the EU Courtroom was solely in a position to take a look at it in mid-2019. So, they began this new process round 2015, they’d a draft choice in mid-2016. However solely in mid-2019, the EU Courtroom was in a position to really take care of this due to these procedural points and the appeals and so forth.

Eric Seufert:

And so, that course of was slowed down. However speak to me concerning the Privateness Defend. When did that enter into the dynamic?

Mikolaj Barczentewicz:

So the Privateness Defend was… So, there was one thing that occurred nonetheless earlier than the GDPR. However the thought was to exchange this Secure Harbor choice with a much less flimsy construction that would offer some certainty to companies in transferring their information to the U.S. And that grew to become a brand new authorized foundation that companies had been in a position to depend on. And that call was adopted in July 2016. So, that was after the Irish draft choice saying that what Fb is doing is a minimum of presumptively illegal. So when this entire scenario got here to the Courtroom of Justice in 2019 to take a look at, they had been coping with barely totally different circumstances. As a result of it wasn’t simply the problem of these Commonplace Contractual Clauses, but additionally of this new Privateness Defend that was enacted within the meantime.

Eric Seufert:

And I feel, if I’m not mistaken, and I very properly could also be, the prototype of that scenario might be going to develop into related once more. So that you’ve acquired the legislation… principally the framework being invalidated. You’ve acquired this type of grey zone answer that emerges the place there was a suggestion, I feel at one level, that you possibly can use these Commonplace Contractual Clauses to switch information, however we don’t actually know. Then the Privateness Defend comes into impact after that. And so when the choice hits the CJEU, there really is… properly, there’s a framework, however that framework form of was subsequent to the choice to depend on these SCCs. And so, the CJEU needed to decide concerning the Privateness Defend framework, which was form of then being utilized as an umbrella cowl for utilizing the SCCs. Is that roughly right?

Mikolaj Barczentewicz:

Sure. So typically, roughly right, that the SCCs, that’s the default backup possibility, if you happen to don’t have one thing like what we now name, adequacy selections.

As a result of in case you have this adequacy choice, this can be a choice by the European Fee that claims it’s high-quality to switch information to this third nation. By the way in which, there is just one adequacy choice that was adopted for the reason that GDPR got here into drive, and that’s for South Korea. And South Korea has a famously extraordinarily strict privateness legislation.

Eric Seufert:

So then we’ve acquired the CJEU deciding in 2020, that the Privateness Defend is invalid. Proper? So, stroll me by means of what occurred subsequent. How does this all join? So, we’ve type of walked by means of seven years up up to now within the dialog of forwards and backwards like cat and mouse kind conduct. How does this all hook up with Max Schrems, as a result of he was nonetheless contributing to this sequence of occasions. So what function did he play in instigating these subsequent selections?

Mikolaj Barczentewicz:

So he and his group, noyb, they tried to take part in any respect phases. They even introduced particular court docket proceedings at sure moments as a result of they felt that their participation was being thwarted, particularly by the Irish DPC. So that they had been making an attempt to be energetic and to be consulted and to have entry to paperwork. So that they reported having many issues with that. So a part of the drive pushing this investigation ahead and making an attempt to make it possible for it’s not conveniently forgotten in some archives someplace. So sure, they had been very concerned in that respect. And we all know this 2020 judgment as Schrems II. So we had Schrems I from the EU court docket in 2015 after which Schrems II in 2020. And Schrems II is in a way the legislation or the newest, most vital interpretation of the related legislation that we now are attempting to know to see what’s going to occur any longer.

Eric Seufert:

I feel the main points are attention-grabbing right here, however I don’t have any form of subjective opinion about Max Schrems or his group, or the background of his work right here. I do assume one piece of context that’s attention-grabbing is noyb. So noyb is the activist group, proper? It stands for “none of what you are promoting.” I get a kick out of that.

Anyway, the rationale I deliver it up is, he’s in all probability not going to cease. I imply, he’s dedicated. He appears very vehement. So I feel this appears like a unending cycle. However let’s transfer ahead. Okay, in 2020, the CJEU mentioned, okay, we’ve acquired the Schrems II choice. The Privateness Defend is invalidated. Effectively, now we’re in 2023. So what occurred within the final three years main as much as this choice that was made final week or printed final week?

Mikolaj Barczentewicz:

So shortly after the Schrems II choice, which invalidated the Privateness Defend, a brand new Irish DPC inquiry began. After which Meta introduced court docket proceedings towards the DPC, which created a year-long keep, so the delay. However then Meta’s case was dismissed. So actually this investigation that now was accomplished, it began in earnest round 2021. And so it took from 2021 till 2022, there was an alternate of paperwork. So Meta, the US authorities I feel even made representations. And that every one concluded roughly in July 2022 with a draft choice from the Irish DPC.

Eric Seufert:

Proper. After which I feel then we soar into the form of last technique of this entire choice. So the Irish DPC had a draft choice. What did they are saying? What was their choice that they printed in July 2022?

Mikolaj Barczentewicz:

So that they didn’t publish, they finalized the draft. I feel if I bear in mind accurately, there have been some first rate leaks as to the substance. The substance being that — surprisingly, given the 2016 choice as properly — they determined even then in that draft choice that what Meta is doing, the authorized foundation on which they’re relying, is inadequate. And so their transfers of consumer information to the US are illegal. In order that was the substantive conclusion. However additionally they determined that there can be no penalty towards Meta. They usually additionally determined that as an alternative of ordering Meta to stop or finish the processing of these transfers of consumer information, they need to solely droop that course of. Which implies that there was a minimum of a risk that perhaps they wouldn’t must delete the transferred information. After which that they may then resume even assuming that they must cease for a while.

Eric Seufert:

So let me play that again. So we’ve had this multi-year course of. By the way in which, did COVID delay this in any respect? Did it take so lengthy partially as a result of COVID or it was only a lengthy course of?

Mikolaj Barczentewicz:

No, I feel it was only a lengthy course of. So COVID occurred earlier than, it doesn’t appear like COVID performed a serious function right here and now.

Eric Seufert:

Okay, so we’ve acquired the choice in 2020, after which the CJEU invalidated the Privateness Defend, the Irish DPC then mentioned, okay, properly, we’re going to make our choice concerning the legality of those transfers provided that the CJEU has invalidated the Privateness Defend, these SCCs, we now have to contemplate whether or not the SCCs are a sound justification for sending this information. And what they mentioned was, no, we don’t consider so. It was the Irish DPC’s choice to make or they had been those that had been tasked with it they usually mentioned, no, we don’t assume these are authorized. So these are unlawful, however we’re simply going to inform you to cease doing it. We’re not going to inform you to delete all the info that you just had beforehand transferred and we don’t really feel that it’s applicable to assign a high-quality right here. We don’t really feel it’s applicable to impose a high-quality. That’s roughly what the choice mentioned.

Mikolaj Barczentewicz:

Sure. So we now discover that that is what they determined in July 2022. And that the way in which this works is that in case you have such an vital choice, which offers with a enterprise that additionally does cross-border processing, it’s clear that another European authorities, privateness authorities could also be desirous about it. So the method is that such a draft choice must be communicated to different European authorities, and people different European authorities, the DPAs, have a while to object to the draft choice. And that is what occurred, I feel for nationwide authorities objected to this draft choice.

Eric Seufert:

Proper. Now, I need to get again to that, however I feel let’s simply pull somewhat extra element right here as a result of I feel it’s vital. And in addition, now we’re really seeing extra of a parallel with what we talked about in our first podcast episode with the Irish DPC’s choice about Meta associated to personalised promoting. So the Irish DPC, they write a draft choice, they flow into it throughout the European privateness equipment. And if nobody objects inside some period of time, is it like a month?

Mikolaj Barczentewicz:

I would wish to verify what’s the precise timing. However maybe a month.

Eric Seufert:

There’s some predefined concrete period of time that they need to articulate an objection. And in the event that they don’t, then that’s the choice. Proper? But when they do, which some did. 4 did. 4 of those privateness organizations did object. So then it goes right into a course of that’s form of regulated or managed by the EDPB. In order that’s known as Article 65, the Article 65 course of. Are you able to speak somewhat bit extra about that?

Mikolaj Barczentewicz:

So this is called the dispute decision process. So we now have these objections from a number of nationwide authorities. And customarily, the concept of this cooperation mechanism is that it’s meant to provide compromise. So ideally, both the lead authorities, so on this case the Irish authority simply on their very own modifications the draft choice to fulfill these objecting authorities, or they handle to persuade the objecting authorities to drop their objections. In order that’s the perfect. However that’s not what occurred right here and that’s not what occurred within the instances we talked about within the earlier podcast. In order that triggers the dispute decision process, which principally results in a vote. And the vote is that if there’s a two-thirds majority at first, or if it takes a bit extra time, then an bizarre majority of EU member state privateness authorities is adequate. If there’s such a majority, then they’ll drive a binding choice on that lead authority — on this case the Irish authority. And once more, that is what occurred on this case and that is what occurred in these earlier instances that we talked about.

Eric Seufert:

That’s actually vital. However let me simply shortly sidetrack us. So 4 of those privateness authorities objected. You’ve acquired this confederation of privateness authorities throughout Europe. 4 of them dissented with the Irish DPC’s choice and that’s what triggered the Article 65 course of, the dispute decision course of. So all 4 of them consider {that a} high-quality needs to be utilized, and two consider that motion needs to be taken to treatment the info that had beforehand been transferred. So these had been the factors of dissent. Proper? Now, after I learn the Irish DPC’s… That’s what kicked off the dispute decision, it went by means of the EDPB dispute decision course of. The votes had been taken and it was decided that Meta ought to need to delete the outdated information and a high-quality needs to be imposed. After which that call was handed to the Irish DPC they usually had been left to execute that call.

However after I learn the Irish DPC’s press launch on this, they made it very clear they didn’t agree with that. So firstly, they don’t agree with this choice, which is just like the case from January with the high-quality associated to privateness. However additionally they mentioned, look, there have been 4 of those privateness authorities that disagreed out of 47. Now, there are 27 EU member states. Are you able to simply speak to me about the way you get 47 privateness authorities out of the EU block of 27 member nations? Are you able to simply clarify that to me? As a result of I don’t perceive.

Mikolaj Barczentewicz:

So this example is because of the truth that there are 4 federal authorities, privateness authorities in Belgium, and there are 18 privateness authorities in Germany. However the Germans don’t get to have 18 votes, they get 1 vote. And it’s the identical with the Belgians, they solely get 1 vote. It’s simply that they’re this collective entity in a way within the EDPB, to allow them to make rather more noise as a result of they’ve quite a lot of stuff and so forth, however they nonetheless get 1 vote.

Eric Seufert:

I see. So that they undergo some form of consensus course of earlier than submitting their singular vote?

Mikolaj Barczentewicz:

Yeah, that’s an excellent query. So I don’t understand how the Belgians and Germans do it, however sure, I’d think about that that is the way it works.

Eric Seufert:

Okay, so that is some form of nationwide court docket, proper? Okay, so that you’ve acquired 4 in Belgium, 18 in Germany, that’s 22, plus 27 is 49. And then you definitely again out Germany and also you again out Belgium, that will get to 47.

Mikolaj Barczentewicz:

Sure.

Eric Seufert:

I see. Okay. No, this isn’t advanced in any respect. It’s very simple to parse.

Mikolaj Barczentewicz:

Very simple.

Eric Seufert:

Okay. So sidebar over. Let’s get again to the choice. So the Irish DPC is form of instructed by the EDPB, that right here’s the choice. What company did they’ve throughout the parameters of that call? May they modify that, did they’ve any enter into that, or are they only form of handed a legally binding choice? So I feel if you learn the individuals’s opinions on the choice, Max Schrems mentioned this high-quality just isn’t adequate. $1.3 billion just isn’t adequate. So did the Irish DPC have some affect on the high-quality or had been they only advised what the high-quality can be? As a result of it might have been as much as 4% of worldwide turnover, which might’ve been in a multi-billion greenback vary, proper?

Mikolaj Barczentewicz:

Sure, that’s true. It’s not the utmost. If I bear in mind accurately, I feel they had been advised, the EDPB determined that the high-quality needs to be between 20% and 100% of the relevant authorized most. And I feel it ended up being simply 20-something p.c. So it’s not the minimal that the EDPB requested for, however it’s additionally removed from the utmost. So the utmost would’ve been — my calculation was one thing like €4.6 billion euro. I could also be a bit off on this, however the thought is that we’re speaking about 4% of Meta’s international turnover for the earlier monetary 12 months. So that they went for barely above the minimal they’d.

Eric Seufert:

Okay, so the Irish DPC did have the company to find out inside that vary what the high-quality needs to be?

Mikolaj Barczentewicz:

The high-quality, sure. Not that a lot when it comes to the opposite parts, which was that they had been advised that they should order the tactic to stop processing. So sure, in order that they did that.

Eric Seufert:

Received it. And the place does that high-quality, who receives that high-quality, the place does that high-quality receives a commission to?

Mikolaj Barczentewicz:

The Irish state as I perceive.

Eric Seufert:

Okay, so we’re speaking single-digit billions right here. So it’s not, when it comes to the Irish GDP, it’s not tremendous significant. However in a way, they’re saying, okay, we’re going to pay ourselves much less. And you possibly can think about that there may very well be somewhat little bit of a battle of curiosity right here in the event that they’re given the latitude to choose the high-quality, they may simply go for the most important high-quality as a result of that’s more cash going into the state coffers. Though then that will work towards their standing because the business-friendly state in Europe, proper?

Mikolaj Barczentewicz:

Sure. That’s one factor. And it could additionally go towards what they are saying about their very own thoughtful view, which was that there shouldn’t be a high-quality. Proper? So provided that they inform us that they assume that there shouldn’t be a high-quality, then it is smart for them to go for the bottom high-quality potential.

Eric Seufert:

Okay. So I feel that’s pretty clear. That’s a extremely nice historical past. That’s an excellent start line to leap into the subsequent a part of the dialogue. However simply briefly, so we’ve acquired 4 of those CSAs dissenting out of 47 as you simply mentioned. There are 4 in Belgium, 18 in Germany, and that’s what makes up 47. The usual right here is that if a single certainly one of them dissented, then it could set off that dispute decision course of, proper? A single dissent would imply that you just undergo the dispute decision?

Mikolaj Barczentewicz:

Sure. In order that appears to comply with from the GDPR. And once more, the concept is with the Irish DPC, and people latest Meta instances, it maybe it’s not working because the GDPR authors hoped as a result of I assume what they hoped was some form of compromise — that you would be able to obtain compromise by means of this technique of objecting, after which discussing the objections. However what has occurred in these latest instances is that all of it goes to the forceful answer. However what’s vital is that it might be sufficient for one authority to object that triggers the dialogue. However you continue to want a majority of authorities to determine on this forceful answer to impose a binding choice.

Eric Seufert:

Proper. And in a brilliant majority within the first vote to cross the vote.

Mikolaj Barczentewicz:

So the primary vote is a brilliant majority, and the second vote is a majority. And we don’t actually know. So we all know which authorities object that’s public, however we don’t understand how they vote. And I’m unsure we additionally know, even when this occurred by means of a supermajority or simply an bizarre majority. So sure, that’s a little bit of a thriller.

Eric Seufert:

I acquired it. So there’s 4 that dissent, however you possibly can have these different DPCs which might be like, properly, we don’t really feel strongly sufficient to dissent. However given what’s put ahead, we’re going to vote with the dissenters’ opinion on what the… And is there any form of, I imply, I don’t need to get conspiratorial right here, however do you assume that they coordinate that? It’s like, “Hey, we don’t really need to dissent right here, however we’ll vote with you if you happen to dissent and you set forth these necessities.”

Mikolaj Barczentewicz:

That’s an excellent query. So there are authorities who nearly by no means appear to object. And if somebody’s desirous about that, and I assume if you happen to’re making an attempt to foretell what privateness authorities could need to do in Europe, it’s an excellent factor to take a look at. Which is, so I’m speaking concerning the Irish DPC’s annual report. And if you happen to take a look at this annual report for final 12 months, they’ve this good desk the place they present all their investigations. And this can be a desk that has names of investigations, it’s like Twitter, Fb, WhatsApp, and so forth. After which it has names of nations after which it exhibits whether or not authorities from these nations object. And you may clearly see that there are authorities just like the German one and the French one which are inclined to object even most of the time. After which there are various authorities that by no means object, however then that doesn’t inform us how they vote.

Eric Seufert:

Positive. Proper. As a result of clearly, if there was both a brilliant majority or majority, there’s lots or extra folks that wished the penalties than didn’t. And we simply don’t understand how the votes broke down. Nevertheless it stands to purpose that a few of these individuals voted towards the Iris DPC’s draft choice, despite the fact that they didn’t dissent.

Mikolaj Barczentewicz:

Sure. That should be the case.

Eric Seufert:

Proper. Okay. Sure. Very, very attention-grabbing. Okay, so I need soar forward. So okay, we acquired the choice. Are you able to speak to me about what the choice was, the form of, we had the EDPB tribunal course of, the choice was handed to the Irish DPC. However what was the choice?

Mikolaj Barczentewicz:

So we already coated the so-called corrective measures. There’s a high-quality after which there’s this order to stop processing. So, together with probably deleting the info. In order that’s the corrective measures. By way of the substantive content material, there are 4 facets to it. So the primary facet is that because the Irish DPC summarizes it, US legislation doesn’t present a degree of safety that’s primarily equal to that offered by EU legislation. And primarily, equal is the magic phrase right here. And that’s a phrase that we’ll be eager about lots coming ahead once more with future US schemes. In order that’s one query to be requested right here. And a minimum of for that scenario, till this new adequacy choice that has not but occurred, the conclusion of the Irish DPC is that the US legislation doesn’t present this important equivalence. In order that’s one key facet.

The second key facet is that as a result of there isn’t a such important equivalence within the safety of private information, then the query arises whether or not these customary contractual clauses compensate for this insufficient safety. And right here, the conclusion was that, no. So the primary conclusion is type of an indictment of US legislation usually. So saying that US legislation is simply not adequate. And the second is that the measures that Meta has taken to handle this inadequacy of US legislation, that these measures are additionally insufficient. So the US legislation is insufficient, after which what Meta did to compensate for that’s additionally insufficient. So these are the 2 facets.

And there’s a 3rd conclusion about so-called supplemental measures. We are able to speak about that for a second, however in response to the Irish authority, really Meta didn’t have in place any of these supplemental measures, which might compensate for inadequacies. And the ultimate conclusion is that as a result of in precept, even if you happen to can not depend on these customary contractual clauses, there are nonetheless so-called derogations within the GDPR which will permit you to switch private information to 3rd nations which additionally don’t have these adequacy selections. Really, they might sound fairly acquainted to individuals within the promoting neighborhood as a result of you will notice their consent, you will notice contractual necessity, you will notice causes of public curiosity. So that they actually appear like simply basic foundation for lawful processing of knowledge, however the catch right here is that these derogations are interpreted very, very narrowly. So Meta advised the Irish DPC, “Okay, so if we are able to’t use the SCC’s, we’ll simply use public curiosity. If we are able to’t use public curiosity, we’ll use contractual necessity. If we are able to’t use contractual necessity, we’ll use consumer consent.”

And for all these, the Irish DPC mentioned, “No, that’s not going to work. You may’t use that.” As a result of lengthy story quick, the rationale the interpretation appears to be that you would be able to solely use these derogations often. And there’s that massive distinction that right here Meta can be saying, “Oh, properly, we’ll be utilizing them for our day-to-day enterprise operation.” And the Irish DPC says, “No, that’s not occasional, so you possibly can’t use the derogations.” So going by means of the entire listing of what Meta may very well be counting on, the Irish DPC concludes that truly there’s nothing that Meta can depend on given the circumstances, until one thing modifications. So that they need to stop processing.

Eric Seufert:

So clearly they need to pay the high-quality. Though, simply to be clear there, they mentioned they’re interesting all of this. So who is aware of when this will probably be resolved. However they need to pay the high-quality in some unspecified time in the future, proper, until upon appeal-

Mikolaj Barczentewicz:

Sure.

Eric Seufert:

… the high-quality is invalidated.

Mikolaj Barczentewicz:

The high-quality might be not the massive concern right here.

Eric Seufert:

So that they need to pay the high-quality, they need to cease sending information to the US, they usually need to delete all the info that they did ship to the US, which the Irish DPC deemed was despatched unlawfully. That’s type of what their response needs to be, assuming they don’t win an attraction.

Mikolaj Barczentewicz:

So, I’m not an professional in Irish administrative legislation, however my understanding is that there could also be a while once they attraction this choice that they won’t must implement it instantly, that they might have some months ready for this massive factor that we’re all ready for, which is the brand new adequacy choice. Two issues concerning the Irish DPC choice are vital to notice right here. First, the choice itself provides Meta six months to deliver its information processing into compliance with the GDPR by ceasing illegal processing. So from the second that the choice was notified to Meta, Meta has six months. In keeping with press stories, Meta acquired the choice on the twelfth of Could, so by my calculation they’ve till the twelfth of November.

The second factor is that Meta is beneath an obligation to deliver its processing into compliance with the GDPR and solely stop illegal processing of consumer information, together with storage. So a minimum of theoretically, this doesn’t imply that the choice orders Meta to delete consumer information from Meta’s American servers, for instance. The EDPB insisted in its choice that their proposed order doesn’t impose a selected method of learn how to adjust to it, and particularly, that it doesn’t strictly require deletion of knowledge. In response, Meta claimed that given the inherent interconnectedness of the Fb providers social graph, any order to grab the processing of Meta Eire consumer information within the US would in impact be an order to delete such information. That’s from Meta cited by the EDPB.

It’s a minimum of theoretically potential that Meta might give you new options to the issue which might make their processing of EU information within the US compliant with the GDPR, and that’s now not illegal. Nevertheless it’s a distinct query whether or not that’s sensible, similar to Meta mentioned in that assertion. The extra sensible answer possible comes from the brand new EU-US information ePrivacy deal and the brand new EU adequacy choice for the US. And this new adequacy choice would possible make Meta’s transfers of EU information to the US compliant with the GDPR. In different phrases, the adequacy choice would possible put Meta in a scenario wherein it begins complying with the Irish DPC choice with out doing something on itself.

Eric Seufert:

And as I hinted at earlier than, we had this twin course of. We really talked about this within the final podcast as a result of I introduced it up. Like, what’s going to occur with the EU information transfers, as a result of that was an enormous open query. And that had been an enormous open query since final July. Folks had been speaking about this. It’s like, “Hey, wait a second, this draft choice, if it acquired objected to, we don’t assume the adequacy choice for the subsequent information switch framework…” which is named the Trans-Atlantic Knowledge Privateness Framework that’s meant to exchange Privateness Defend, properly, these selections are inclined to take lots longer than the EDPB tribunal course of. And so if the EDPB choice comes down earlier than the brand new framework will get permitted, then there’s going to be a difficulty.

Okay, so let’s say they get a keep of enforcement on the high-quality, deletion of knowledge and cessation of knowledge transfers, after which in the course of the attraction course of, the Trans-Atlantic Knowledge Privateness Framework does get permitted within the adequacy choice, does that invalidate the judgment on this choice? Does that invalidate the choice, they don’t need to do any of these issues? Or do they nonetheless need to do them, however on a go-forward foundation they’ll resume switch?

Mikolaj Barczentewicz:

If you concentrate on it commonsensically, not like a lawyer, then it appears very unusual, this entire scenario. As a result of plainly just about similtaneously this choice that’s prohibiting Meta from transferring private information to the US, we could get a brand new EU authorized foundation for these transfers, which is able to imply that when that new choice is enforced, then it would really be once more lawful for Meta to switch private information. And it’s an attention-grabbing query whether or not the Irish DPC took it into consideration in, for instance, once they had been deciding when exactly to flow into the draft choice. As a result of when you flow into the draft choice, then the timeline is kind of set by the GDPR. So the final second for the Irish DPC to have managed the timing of the method was in deciding when precisely to flow into that draft choice.

So that they determined to flow into it in July 2022. And in July 2022, and I adopted this concern fairly intently, it appeared that the brand new US-EU information safety framework could also be in place… I used to be fairly optimistic. I assumed that by now it was going to be all achieved. The draft choice occurred earlier than Joe Biden’s govt order 14086 that was in October, however nonetheless, there have been some leaks and knowledge that the negotiations are being finalized. So it actually regarded like this was going to be completed. So if I had been to invest about assuming that the Irish DPC didn’t actually need to derail EU-US transfers and relationships, and I assume they didn’t, maybe they only miscalculated barely. They could have moderately assumed that this new choice will probably be in place by now, however really, it’s nonetheless not in place. We all know we solely have a draft adequacy choice. We’ve the US govt order and the brand new rules that occurred final fall, however we don’t have the EU response but.

Eric Seufert:

And I feel I’ve heard the timeline of September being thrown round. Is that simply, what, a guess? Or do you assume that’s credible?

Mikolaj Barczentewicz:

Effectively, it’s a guess that I’m going with for now.

Eric Seufert:

Okay. However what occurs if the Trans-Atlantic Knowledge Privateness Framework does get the adequacy choice? What occurs to Meta? Is the choice principally irrelevant? Have they got to undergo the method of deleting the info however then they’ll resume information transference, so they only bulk delete a bunch of knowledge, however on a go-forward foundation they proceed to gather it?

Mikolaj Barczentewicz:

Based mostly on the choice, the choice really tells us that there was a dialog between Meta and the Irish DPC on this level. Meta tried to persuade the Irish DPC that truly due to these modifications in US legislation in follow in 2022, it ought to a minimum of trigger a delay to the investigation or they need to wait till this new scenario, or perhaps even simply determine that truly the US legislation has already modified, so take this variation scenario into consideration. However all these arguments had been rejected by the Irish DPC as a result of they mentioned, “Our authorized responsibility is simply to take the authorized scenario as it’s proper now.” They usually additionally mentioned that truly if you happen to take a look at US legislation in follow, despite the fact that these new rules are enforced, they aren’t operational but.

And that’s a considerably enjoyable facet of the brand new US framework, which is that beneath the US framework, the US authorities has to designate overseas nations as so-called qualifying states. So in a way, there’s a new US model of adequacy selections and they’re but to designate any a part of the EU as a qualifying state. In order that’s one purpose to say that truly it’s nonetheless not defending Europeans. So the US doesn’t have this European adequacy choice, however Europe doesn’t have the American adequacy choice. So as a result of all that hasn’t occurred but, you possibly can say that, a minimum of that’s the Irish DPC’s argument, that Meta is now in breach. Which means even when the scenario modifications in two, or three months, a minimum of the high-quality will nonetheless be applicable as a result of it is going to be a high-quality for doing one thing unlawful when it was unlawful. However the different facet of the choice, the order to stop processing, I feel will probably be irrelevant if the method will get prolonged, till the second when we now have this new privateness framework absolutely in place.

Eric Seufert:

Received it. So we simply don’t know, however they could keep away from having to delete the info. They’re going to need to pay the high-quality it doesn’t matter what, which once more, it’s trivial to them.

Mikolaj Barczentewicz:

Who is aware of if they’re going to pay the high-quality, I assume that… I feel they’ve some good arguments. I’m really not absolutely completely satisfied as a lawyer with these selections from the EDPB and from the Irish DPC, and I’m wanting ahead to Meta having their day in court docket earlier than the EU Courtroom of Justice. As a result of it may very well be that, on the very least they’ll get a little bit of a reduction on the high-quality, if not even some settlement on substantive factors. So this will get very advanced, however I feel that it’s actually not such a clear-cut case because the authorities are making it. However it’s potential, assuming that they don’t go to court docket or they don’t win, that they might nonetheless pay the high-quality. However I assume the situation that everybody is hoping for is that they won’t must delete and it is going to be, in a way, enterprise as ordinary.

Eric Seufert:

Okay, so we’ve talked lots about Meta, we’ve talked lots concerning the US, however this doesn’t solely apply to Meta and it doesn’t solely apply to the US. So what are the broader implications of this choice? Let’s speak about simply US-based corporations. Let’s speak about Amazon AWS. Any scaled US firm and even European firm. This isn’t particular to US-based corporations, that is particular to any firm that transfers information between the EU and the US. What are the broader implications for this throughout all the expertise ecosystem? How do corporations react to this? What have they got to do in response to this choice, to conform?

Mikolaj Barczentewicz:

That’s the actual drawback right here. Technically this choice solely applies to Meta, however additionally it is true that the reasoning on this choice applies extra broadly. And really, there’s already a sequence of Google Analytics instances from Austria and from France which need to do with transfers, or the legality of transfers of knowledge by utilizing Google Analytics and Google Analytics cookies. And in these instances, the reasoning that these nationwide DPAs undertake is that right here you principally can’t actually use Google Analytics until you employ some form of proxy the place you make it possible for Google doesn’t even get the IPs of the customers, and so forth. So you might want to have these supplemental measures which can really make you employ the Google Analytics framework… Which I bear in mind utilizing a very long time in the past. Really, it was in all probability the very best product for internet site visitors analytics at the moment. I don’t know if it nonetheless is. So it’s possible you’ll want to make use of these proxies, which can additionally negate, to a big extent, the advantages of utilizing Google Analytics.

So it really isn’t simply Meta. There’s a entire line of enforcement selections growing the place it seems like it might develop into very troublesome for a corporation to lawfully switch information, and even… As a result of we speak about transferring information. In a way, in lots of circumstances it’s simply counting on providers offered to you, particularly SaaS offered to you by an American firm.

Eric Seufert:

I like speaking by means of the background right here as a result of I simply assume it’s actually fascinating. However that is the guts of the dialogue. It’s like, properly, how do individuals transfer ahead? And everytime you come to a scenario like this… Let’s say that Trans-Atlantic Knowledge Privateness Framework, there’s an adequacy choice in favor. That’s the legislation of the land. That’s going to get attacked. You’re going to have Schrems III and Schrems IV and Schrems V, and no matter. That is by no means going to cease. And so the way in which I’m eager about now with focused promoting, and once more, this doesn’t relate to that however it looks like a parallel level, I feel corporations ought to put together for the eventuality that you just can not do it within the EU with out consent. That appears like a sturdy long-term answer or only a path ahead.

And yeah, positive, there are in all probability methods to scratch on the margins right here till that occurs and interesting all these items and altering to professional curiosity or no matter, however my sense is… And proper me if you happen to assume I’m unsuitable right here, however my sense is that’s the top state, and so I’d slightly put together for that finish state than work by means of a bunch of loopholes and workarounds within the interim. Though, there are in all probability billions to be made there. You may quantify that. However on this level, it appears like… And Max Schrems mentioned this in July. He mentioned, “Okay, properly, right here’s the way you take care of this, is you arrange servers in Europe for European customers. And that information by no means will get despatched to the US. You might not commingle that information. You’ve acquired US information, you’ve acquired EU information. You’ve acquired two separate information infrastructures that service these native customers, and that’s the way you comply.”

Effectively, okay, that looks like, in probably the most excessive interpretation of no matter, learn how to shield these human rights, properly, that looks like what you in all probability need to do. And that looks like it’d be very costly to do. So if I’m a startup and I’ve acquired to construct separate infrastructure in Europe and the US and I can’t commingle that information, so I can’t take into consideration my customers as a worldwide cohort, however they’re really very siloed cohorts, that’s going to introduce an amazing quantity of complexity into my operations. So is that what you assume, and be happy to inform me, “I don’t need to speculate on this,” however is that what you assume we’re heading in direction of? Is that the fact that you just assume we’re heading in direction of?

Mikolaj Barczentewicz:

I feel you’re being insufficiently pessimistic. Really, this situation of if you do that information localization in that sense continues to be manageable. However there’s a situation that I’m involved about, which is a situation that’s actually not manageable. I really wrote about this two years in the past for this web site known as Lawfare, and I known as it Technical Measures Radical Interpretation of EU Legislation. As a result of there’s one interpretation of the GDPR which I feel is definitely fairly robust in these selections on Google Analytics and on this choice on Meta transfers, which is that truly it doesn’t matter if the danger that the US authorities will entry consumer information in a manner that’s not defending elementary rights if this threat is minuscule, it’s actually low. What issues is the theoretical risk that one thing nefarious will occur.

And if you begin considering on this considerably paranoid framework of theoretical potentialities, then you definitely understand that truly, it’s probably not full safety that, for instance, Meta would have, or Google or anybody else would have servers, information shops simply within the EU. As a result of so long as they’ve administrative entry to their very own information facilities, they’ll nonetheless be pressured or infiltrated by the US intelligence authorities to offer entry to these issues. And even you possibly can take into consideration any developer. When you have management of the supply code, you possibly can all the time be pressured to put in again doorways to provide entry to the NSA and the CIA. So if you happen to assume in these phrases of theoretical risk, then there isn’t a limiting precept the place to cease from saying merely you simply can not take care of foreigners. And to me, this appears absurd, this appears disproportionate. This additionally appears to violate another elementary rights. So it’s an issue of simply the unsuitable solution to steadiness rights in EU legislation.

However actually it’s not one thing I made up. It’s a view you see from some privateness activists and lecturers. They usually assume that, yeah, that’s simply, if we now have to simply completely Balkanize the web and put only a new form of iron curtain between on the Atlantic, that’s high-quality if that’s what it takes to make us snug with this type of, I’d say, one small sphere of potential restrictions of elementary rights.

Eric Seufert:

Proper. I pulled up this text, I’ll hyperlink it within the present notes, however yeah, I’m simply studying it now. So, simply let me quote from it. And that is the article you talked about. “Among the many largest advantages of utilizing the sorts of cloud providers provided by the main suppliers or that prospects have entry to state-of-the-art authentication options with out having to develop them or supply them elsewhere, which can include its personal safety dangers. Such options, nonetheless, depend on storing encryption keys throughout the cloud supplier’s management.” So, the argument right here is like, okay, properly, if you happen to take this to probably the most excessive interpretation, it’s like, properly, having these, getting access to the encryption keys undermines any segmentation as a result of properly, there’s all the time going to be the choice to simply entry the encryption keys, decrypt the info, and ship it proper again over.

Mikolaj Barczentewicz:

Yeah. It doesn’t matter the place the info is saved.

Eric Seufert:

Yeah. Okay. So, that’s scary.

Mikolaj Barczentewicz:

So, then, if you happen to speak about these, okay, so then, we’re advised, so you possibly can undertake supplemental measures. And what are the supplemental measures, these safeguards that may be adopted? Effectively, you possibly can course of, so for instance, retailer or make accessible the info to somebody positioned within the US solely in a manner that’s absolutely encrypted. In a way, so then, you possibly can’t actually present any providers. You may solely present actually known as backup providers. That’s the one factor. However something that we consider providers the place information is being processed, that’s very troublesome to do. In fact, you possibly can take into consideration some form of zero data show options and so forth, however these issues are presently very troublesome, computationally intense, and so forth. And that’s not going to be a full answer.

I feel an actual answer actually must be a political answer that we simply discover a solution to be critical that, properly, there’s intelligence gathering within the US. There may be intelligence gathering in Europe. And there’s a neighborhood of democratic jurisdictions that roughly share a imaginative and prescient and this nitpicking about some procedural points. I feel there’s an argument that the US authorities retains making, which is an argument that there are double requirements. For instance, if you happen to apply the identical guidelines to Germany, or France, or Poland, then you would need to say, “Oh, you possibly can’t switch information to Germany, France, or Poland.” However as a result of they’re within the EU, then we don’t apply these guidelines, and type of is the case. What I’m hoping for is, and a realization that we’d like some form of an lodging.

Eric Seufert:

Proper. Yeah. Yeah. And might you speak to me about what that will appear like? As a result of it simply appears like these information privateness frameworks, they’re going to be challenged each single time. There actually is a contingent of people that… And this once more from my layman’s view. There’s a contingent of individuals that aren’t going to be completely satisfied till we now have, as you mentioned, completely Balkanized the web. Or I wrote about this lately, known as de-globalization of the web, which is de-globalization primarily of the financial system. And there there’s a neighborhood of individuals which might be by no means going to be completely satisfied till that has occurred in its absolute most excessive type the place there’s… So, US corporations could not function within the EU and vice versa. So, there’s only a breakdown of worldwide digital commerce. So, the place’s the rationale for hope? As a result of I’d like to have that optimistic message on this podcast.

Mikolaj Barczentewicz:

So, it’s actually laborious to invest. Some causes for hope, you possibly can see that there’s political will for lodging. There may be this transatlantic course of. We do have a draft adequacy choice. The European Fee is, and I feel many of the member states of the European Union, a minimum of the governments, they do need this deal and simply type of this drawback to go away. Nevertheless it’s additionally true that in a way, I don’t need to say that they created a monster that they’ll’t management anymore with the GDPR. However I feel there’s a drawback within the core of the GDPR proper now, or a minimum of the way it’s being interpreted, that I feel in a way, it misplaced its soul, I’d say. And the soul is that there must be some form of recognition that privateness just isn’t the one vital factor. That’s not the one vital that we, for instance, have rights to free expression, to conduct enterprise. That every one these issues needs to be balanced.

So, how naive I’m in that, however I’m hoping that such arguments should win earlier than the European courts. So, even when we now have all these nationwide information safety authorities with this form of method that simply is aware of no limiting precept, then there should be a hope that the courts will see a necessity to truly have some form of a Solomonic answer. As a result of what’s coming from the DPA is that’s not a Solomonic answer. That’s in a way, that’s a really robust fundamentalism.

Eric Seufert:

However all of the arguments that you just outlined about, with the extra radical interpretation and the extra radical answer, which is to say no, that even if you happen to had servers primarily based right here, that’s not the actual concern, proper? As a result of there’s all the time a again door. There’s all the time entry, there’s all the time some solution to entry that information. These have been used towards TikTok, proper? TikTok’s CEO of TikTok was in entrance of the congressional listening to, mentioned, “Look, are you aware how a lot cash we’ve spent on Undertaking Texas to maneuver the info facilities to the US?” And that’s the very same arguments that you just’ve heard. Effectively, positive, you probably did that, however you’re going to construct a again door. There’s no solution to keep away from that. And I assume that’s truthful. Positive, that’s true. And yeah, there are theoretical harms that appear like not actual sensible issues, however nonetheless, they’re theoretically potential.

And so, how a lot of this boils right down to jingoism and politics versus credible threat? I don’t have a completely shaped opinion on the TikTok factor. I feel simply banning it’s the unsuitable solution to method it. However I feel we must always encourage these options that do make a reputable effort to make sure that these safeguards exist. As a result of I don’t use TikTok. I received’t use TikTok. I simply received’t. I received’t have it on my telephone. If somebody sends me a TikTok hyperlink that’ll even open the browser, I received’t open it. So, I’ve that concern. That’s an actual real concern in my thoughts. And that’s a private opinion of mine. I don’t advocate for that, however that’s a private choice I’ve made. So, I’m delicate to these dangers. I simply really feel like this, when you concentrate on the broader financial implications of this, it feels very, very dangerous to take these very Draconian radical positions.

And even with the EU information switch stuff, once more, final July, Politico got here out with this piece, which is what clued me into this threat, which was like, hey, the Irish DPC issued this choice. It’s going into the method. This may not get resolved earlier than the adequacy choice. So, there may very well be this blackout interval, and there could also be this choice that’s excessive. And I bear in mind considering, ah, nobody desires that. Nobody actually desires that. And it seems, properly, no, they did. They made the choice. So, how a lot of that is simply right down to politics versus a reputable interpretation or simply nearly like an accounting of the dangers?

Mikolaj Barczentewicz:

So, I’m unsure it’s even actually good politics. I actually don’t see… Possibly I simply speak to the unsuitable individuals in Europe. I’m European, I dwell in Europe, and I simply don’t see how this interpretation that we simply decouple our web and American web would have any critical assist. The explanation why the DPAs, the info safety authorities can do what they do is that, properly, for now, it’s largely simply issuing fines, and it nonetheless doesn’t have that a lot impact on individuals’s capability to make use of the providers like. However I’m unsure there can be that a lot assist for it if individuals had been advised, “Oh, okay, you possibly can’t use Fb.” There could also be a barely totally different consideration concerning TikTok as a result of maybe there’s a stronger and there are some political factors additionally to be made on, provided that this can be a, a minimum of China affiliated, China-adjacent firm. I feel they declare to be international-based in Singapore if I’m not mistaken. So, it’s a bit totally different.

For the US, I feel it’s actually a difficulty of belief. And I feel this form of lodging primarily based on belief and customary values is absolutely the way in which to go. With China, my private method can be to a minimum of permit the options we are able to do in a zero-trust atmosphere. Zero belief is a well-liked time period in cybersecurity, however that typically denotes the concept that a minimum of typically, you possibly can function with respect to different providers and different protocols, you use with as if you happen to all the time assume that they’re compromised or making an attempt to assault you. So, there are strategies and frameworks to deal in that scenario. And if we are able to implement that, I feel it might work. Whether or not we must always have this broader belief association with China, I feel that’s tougher. And I additionally in all probability want to consider it extra simply as you mentioned.

Eric Seufert:

Yeah. These are advanced circumstances. This isn’t any form of simple answer. To my thoughts, I’d out-of-hand dismiss a straightforward answer as a result of the simple answer might be not going to be what greatest navigates these trade-offs. It’s why I get somewhat irritated with… You simply have to separate up into a mess of various internets. Effectively, you possibly can take that to an excessive. Okay, properly, then what occurs? Let’s say we do this, and there’s an American web and EU web. How lengthy is there an EU web? Then, you say, “Effectively, no, there shouldn’t be an EU web. It needs to be a Polish web, a German web, and a French web.” You could possibly take that to an excessive, they usually can’t speak to one another. Okay. Speak to me concerning the final level right here: what are we ready on to completely interpret the gravity of this choice? Is it the appeals course of? Is it the adequacy choice or are we ready on something? We acknowledge, okay, the asteroid has impacted.

Mikolaj Barczentewicz:

So, first, we’re ready for the adequacy choice, and I will probably be stunned if it doesn’t come quickly. And I feel I’ll nonetheless be stunned if it doesn’t come quickly sufficient to render this type of irrelevant aside from the high-quality concern. However the second factor that we are going to be ready for is what occurs with the adequacy choice. So, assuming that it’ll be challenged, and we’ll get one thing like a Schrems III case and judgment from the EU Courtroom of Justice, then that’s an enormous query. What is going to the court docket say? Some individuals appear very satisfied that clearly, the court docket will invalidate this adequacy choice. I each hope, and I feel I’ve some good arguments why the court docket mustn’t do this and should determine to not do it. And if the court docket decides to not do it, then we could get some steerage, a barely totally different method to understanding the GDPR within the context of exchanging information with different democratic nations. So, that’s one vital facet.

However on this much less possible or I feel unlikely situation that the adequacy choice doesn’t come quickly sufficient, then we would wish readability on, for instance, what it could imply for Meta to stop processing of this switch information. It’s not even that clear what it could imply for them to delete the info. Have they got to delete consumer accounts or do they only delete information from American servers? Is that sufficient? It appears simple, however really, it’s in no way. After which, in fact, within the absence of an adequacy choice, then I feel we might see a large assault alongside the traces of the Google Analytics instances and the Meta case on all kinds of transfers of knowledge to the US. In some nations, the nationwide authorities will probably be a bit extra cheap, I’d say. However in some nations, they’d in all probability go full-on with even this very radical interpretation that I discussed earlier than. So, lots can occur. I’m nonetheless optimistic that purpose can prevail, however so watch this area.

Eric Seufert:

So, simply to underscore that time. I don’t need to get caught right here, however each American firm was primarily utilizing SCCs to switch information from the EU to the US. So, yeah, it’s this choice associated to Meta, however in the end, the implications will apply to primarily each big-scaled American tech firm. So, all of them type of have to determine learn how to reply. So, it’s not only a Meta concern, it’s all people’s concern as a result of they had been all utilizing SCCs.

Mikolaj Barczentewicz:

I feel so. So, some individuals could have this hope that there’s one type of, not small print, however one paragraph in one of many EDPB pointers that say that truly, properly, it’s nonetheless, you could possibly switch information even with out these supplementary measures, like full on encryption. When you have causes to doc these causes that you just consider that your customers is not going to be topic to, for instance, one thing like PRISM. So, Meta, I feel making an attempt to make that argument. That’s what the Irish choice tells us. However then, the Irish DPC mentioned, “Effectively, however you advised us that truly, you probably did obtain FISA 702 orders or requests and that you just needed to comply.” And the Irish DPC was then probably not, didn’t appear that a lot desirous about how widespread this was. Even when it was like 0.0000 of a p.c of customers that had been ever affected, that didn’t matter. So, some corporations who haven’t but acquired these requests could really feel like, okay, in order that doesn’t contact us. However I’m unsure that this window will really be that huge. So, I wouldn’t put my belief in that an excessive amount of.

Eric Seufert:

After which, simply concerning the encryption level, there’s been resistance by, properly, not in continental Europe that I do know of, however by the UK to having these corporations undertake end-to-end encryption as a result of then, they’ll’t see what persons are doing.

Mikolaj Barczentewicz:

However that’s simply stunning.

Eric Seufert:

So, it’s like, properly, you possibly can’t end-to-end encrypt this as a result of, if you happen to ship it to the US, it could be out of the prying eyes of the NSA, however then, we couldn’t see it in your gadget right here. So, there’s just like the resistance domestically to say, “No, don’t do end-to-end encryptions. We don’t need the People spying in your information, however we need to spy on it.”

Effectively, Mikolaj, this can be a improbable dialogue. Thanks a lot for approaching once more and explaining this advanced, very, very advanced scenario to the listeners. Are you able to simply inform individuals the place they’ll discover you? How can individuals comply with you?

Mikolaj Barczentewicz:

So, I’ve my web site, which is my surname dot com. I assume you possibly can hyperlink that, and I do have my Twitter profile the place I tweet about these kinds of points. So, if anybody’s , please comply with.

Eric Seufert:

Yeah, and I can say that Mikolaj’s Twitter was a must-follow across the time of this choice being introduced. It helped to make clear my considering lots. Mikolaj, thanks a lot. I hope you get pleasure from your weekend.

Mikolaj Barczentewicz:

Thanks.

Photograph by NASA on Unsplash