WEBVTT - Why Facebook Might Leave the EU 0:00:04.400 --> 0:00:07.760 Welcome to Tech Stuff, a production from I Heart Radio. 0:00:11.760 --> 0:00:14.240 Hey there, and welcome to tech Stuff. I'm your host 0:00:14.280 --> 0:00:17.120 Jonathan Strickland. I'm an executive producer with I Heart Radio. 0:00:17.160 --> 0:00:20.440 And how the tech are you so? Not long ago, 0:00:21.079 --> 0:00:25.560 David Meyer wrote a piece titled even Facebook's critics don't 0:00:25.600 --> 0:00:29.320 grasp how much troubled meta is in and he wrote 0:00:29.320 --> 0:00:32.239 it for Fast Company. And if you've been keeping up 0:00:32.280 --> 0:00:36.960 with meta slash Facebook, you probably have a long list 0:00:37.000 --> 0:00:39.920 of things that Meyer could have been referring to. Could 0:00:39.920 --> 0:00:43.360 it be that various governments, such as the United States 0:00:43.440 --> 0:00:48.400 are frequently scrutinizing meta and calling company leaders to appear 0:00:48.440 --> 0:00:52.479 before legislative bodies to answer tough questions. Could it be 0:00:52.520 --> 0:00:55.960 the fact that TikTok continues to dominate as the social 0:00:56.000 --> 0:01:00.600 platform favored by younger people, meaning that meta slash Facebook's 0:01:00.640 --> 0:01:04.400 user base is slowly aging out and it's not replacing 0:01:04.400 --> 0:01:08.080 it when new younger users. Is it that the company 0:01:08.160 --> 0:01:10.280 jumped the gun in an effort to be the front 0:01:10.360 --> 0:01:14.039 runner to define whatever the heck the metaverse is going 0:01:14.080 --> 0:01:16.720 to be? Well, all of those are factors that should 0:01:16.760 --> 0:01:20.600 be matters of concern for Facebook executives and for shareholders. 0:01:20.640 --> 0:01:23.880 But what Meyer was talking about with something else, something 0:01:24.000 --> 0:01:27.960 involving privacy and the law and a change that happened 0:01:28.000 --> 0:01:31.600 a couple of years ago that has affected everything. So 0:01:33.160 --> 0:01:38.200 on July twenty twenty, the European Union's Court of Justice 0:01:38.800 --> 0:01:43.679 made a decision that would have enormous consequences. It concluded 0:01:43.800 --> 0:01:49.720 that an earlier data transfer process called the EU US 0:01:49.960 --> 0:01:54.520 Privacy Shield was not sufficient to protect the private data 0:01:54.640 --> 0:01:58.760 of EU citizens, and that it would thus be struck down. 0:01:59.160 --> 0:02:03.680 It would be invalidated. This has massive repercussions for companies 0:02:03.720 --> 0:02:07.160 like Meta, not just Mata, in fact, as repercussions for 0:02:07.200 --> 0:02:11.520 any company that operates within the EU, but in fact 0:02:11.560 --> 0:02:14.040 has it's you know, any kind of data transfers that 0:02:14.160 --> 0:02:19.520 exit the EU. So Mark Zuckerberg said essentially that unless 0:02:19.560 --> 0:02:22.560 the EU changes the stance or makes an exception for 0:02:22.600 --> 0:02:26.240 the company, platforms like Facebook and Instagram will have to 0:02:26.360 --> 0:02:30.280 pull out of the European Union. That sounds kind of 0:02:30.320 --> 0:02:32.520 like they're making a threat, right, like somehow you know 0:02:32.600 --> 0:02:34.680 Zuckerberg saying, Hey, if you don't play by my rules, 0:02:34.680 --> 0:02:39.119 I'm taking my ball and going home. But really this 0:02:39.200 --> 0:02:42.600 is more of a plea. It's really more, please, please, 0:02:42.639 --> 0:02:45.440 please don't do this, because I can't do my thing 0:02:45.880 --> 0:02:49.120 if you do. So. Today I thought I would talk 0:02:49.520 --> 0:02:53.799 about what the privacy shield was, why it existed, why 0:02:53.840 --> 0:02:57.360 the EU decided it wasn't sufficient, what they're planning in 0:02:57.400 --> 0:03:00.440 its place, and what all this means for come Benese 0:03:00.480 --> 0:03:03.679 like Meta. To do that, we actually have to look 0:03:03.720 --> 0:03:06.200 back at the history of the EU and its stands 0:03:06.240 --> 0:03:09.640 on data privacy and security. Now, depending on how you 0:03:09.680 --> 0:03:12.079 look at it, the EU really traces its history back 0:03:12.120 --> 0:03:15.600 to the conclusion of World War Two, but the single 0:03:15.680 --> 0:03:18.440 market that we would refer to as the European Union 0:03:18.919 --> 0:03:24.120 would not formally emerge until nine Now. Around that same time, 0:03:24.760 --> 0:03:28.440 there was a growing general awareness about the Internet, in 0:03:28.520 --> 0:03:31.359 large part helped by the introduction of something new called 0:03:31.520 --> 0:03:34.560 the Worldwide Web, and it would take a few years 0:03:34.600 --> 0:03:37.000 for the Web and the Internet at large to really 0:03:37.040 --> 0:03:39.680 gain a foothold in the minds of the mainstream public, 0:03:40.280 --> 0:03:43.560 but some leaders in the EU were already dealing with 0:03:43.640 --> 0:03:50.000 concepts like data privacy. Data privacy doesn't just require you know, 0:03:50.200 --> 0:03:53.160 digital transfers, right like, you don't have to have that 0:03:53.280 --> 0:03:56.200 be part of the process for data privacy to be 0:03:56.240 --> 0:03:59.280 a concern, and in fact, the countries that made up 0:03:59.280 --> 0:04:05.440 the European Union had already been concerned about protecting EU 0:04:05.600 --> 0:04:09.840 citizen privacy when dealing with companies that existed outside the 0:04:09.840 --> 0:04:14.440 European Union. How can you guarantee that their private data 0:04:14.520 --> 0:04:19.600 remains safe when it's going into the hands of companies 0:04:19.720 --> 0:04:22.560 that aren't based in the European Union itself. That had 0:04:22.640 --> 0:04:29.320 already been a concern, but the EU member states knew 0:04:29.400 --> 0:04:31.160 that there needed to be put in place laws that 0:04:31.200 --> 0:04:35.560 could protect citizen data, that there are fundamental rights associated 0:04:35.560 --> 0:04:39.720 with data that have to be protected. To that end, 0:04:40.160 --> 0:04:44.480 the EU built upon an earlier, non binding list of 0:04:44.520 --> 0:04:51.000 guiding principles relating to protecting citizen information. These principles included 0:04:51.200 --> 0:04:55.600 pretty common stuff like alerting someone as to win their 0:04:55.680 --> 0:05:00.920 data would be collected, a requesting consent before the disclose 0:05:01.040 --> 0:05:04.320 that information to some other party. So if you were 0:05:04.360 --> 0:05:07.120 to collect an e uses and information, you would then 0:05:07.200 --> 0:05:09.040 have to get their consent before you could share it 0:05:09.120 --> 0:05:13.159 with someone else, and various other concepts that are pretty 0:05:13.160 --> 0:05:16.200 common to what we see in in privacy protection laws. 0:05:16.720 --> 0:05:18.960 They had been around before the rise of the Internet, 0:05:19.000 --> 0:05:22.479 but because they were non binding, they didn't really have 0:05:22.520 --> 0:05:25.000 any teeth to them. It was like, it would be 0:05:25.120 --> 0:05:29.640 nice if everyone agreed to obey these things, but there 0:05:29.680 --> 0:05:32.479 was no requirement to do so. The EU decided to 0:05:32.520 --> 0:05:37.960 formally establish data privacy rules, though these would have limitations 0:05:38.000 --> 0:05:41.480 to which we'll talk about and that. These rules became 0:05:41.520 --> 0:05:46.520 known as the Data Protection Directive or dp D. This 0:05:46.640 --> 0:05:50.080 directive set out the parameters for when and how entities 0:05:50.080 --> 0:05:55.120 would be allowed to collect European Union citizen information and 0:05:55.360 --> 0:05:58.480 how they could use it. Specifically, you know, how they 0:05:58.520 --> 0:06:01.120 would be allowed to use it if it required a 0:06:01.160 --> 0:06:05.080 transfer outside the EU and U, and also how they 0:06:05.080 --> 0:06:08.400 were to alert citizens of things like collecting their data. 0:06:08.920 --> 0:06:12.080 Each member's state of the EU was responsible for establishing 0:06:12.080 --> 0:06:15.640 a supervisory department to make sure that all parties were 0:06:15.680 --> 0:06:19.640 complying with this directive, and the directive stated that the 0:06:19.680 --> 0:06:23.120 only time data could be shared with countries outside the 0:06:23.160 --> 0:06:27.440 European Union is when those countries could adequately protect the 0:06:27.560 --> 0:06:33.200 data's security. So if a if a country or company 0:06:33.760 --> 0:06:38.200 was unable to do that, then by this directive, it 0:06:38.279 --> 0:06:42.280 would not be allowed to transfer information outside the EU 0:06:42.600 --> 0:06:46.600 now right away. These rules created challenges both within and 0:06:46.720 --> 0:06:49.599 without the EU and when you really break it all down, 0:06:50.080 --> 0:06:53.279 all traffic on the Internet is information, and a lot 0:06:53.320 --> 0:06:57.680 of that information ends up including personal identification information or 0:06:57.720 --> 0:07:03.400 at least personally identify alable information. So you might argue 0:07:03.440 --> 0:07:06.520 that personal information should only include stuff like, you know, 0:07:06.600 --> 0:07:11.040 a legal information like a person's name, or their address, 0:07:11.120 --> 0:07:14.080 or their birth date or maybe the hospital where they 0:07:14.080 --> 0:07:17.200 were born. That kind of stuff. You know, information that 0:07:17.240 --> 0:07:21.440 relates directly to that individual, and when you take this 0:07:21.520 --> 0:07:25.040 information in a hole, it's more or less unique to 0:07:25.120 --> 0:07:27.520 that person. I have to say more or less simply 0:07:27.560 --> 0:07:31.560 because you know, weird stuff. Anyway, that kind of information 0:07:31.640 --> 0:07:35.000 is absolutely important. It is worthy of being protected, and 0:07:35.120 --> 0:07:38.120 it's very easy to define. Right. You could say, this 0:07:38.160 --> 0:07:42.240 information directly corresponds to this individual, therefore we need to 0:07:42.240 --> 0:07:45.320 protect it. But then there's also other information that, well, 0:07:45.360 --> 0:07:51.960 not specifically about a particular individual, could collectively identify that 0:07:52.040 --> 0:07:55.520 person all the same, So an IP address could be 0:07:55.560 --> 0:07:58.480 part of that. You might argue that's personal information, or 0:07:58.520 --> 0:08:04.800 you might argue, well, IP addresses aren't fully reliable because 0:08:04.840 --> 0:08:07.560 you could use something like a VPN which would hide 0:08:07.560 --> 0:08:11.880 your IP address, so you can't just rely on that 0:08:11.920 --> 0:08:16.120 to identify a person. However, it falls into this gray area. 0:08:16.720 --> 0:08:19.520 But then there's stuff like the person's browsing behaviors, you know, 0:08:19.560 --> 0:08:22.400 what they like, what they don't like, how long they 0:08:22.440 --> 0:08:25.080 stay on a page. All of these things can actually 0:08:25.080 --> 0:08:27.480 start to create a digital fingerprint that points to a 0:08:27.520 --> 0:08:31.400 specific person. And it sounds wild, but it really doesn't 0:08:31.440 --> 0:08:34.240 take that many points of data to narrow down folks 0:08:34.320 --> 0:08:37.800 and figure out who created those data points. In the 0:08:37.840 --> 0:08:40.600 old days, doing that would have been tough simply because 0:08:40.600 --> 0:08:43.960 you're talking about a lot of data being generated and 0:08:43.960 --> 0:08:46.920 then trying to suss out what is signaled based on 0:08:46.960 --> 0:08:50.360 all the noise, you know, to actually analyze that information 0:08:50.360 --> 0:08:52.520 to get something useful out of it. It was a 0:08:52.559 --> 0:08:55.720 time consuming process and it just you know, when you 0:08:55.760 --> 0:08:58.560 look at it from a return on investment standpoint. In 0:08:58.600 --> 0:09:01.160 the old days, it just it makes sense, right, unless 0:09:01.160 --> 0:09:05.000 you were going after someone specific for nefarious purposes. You 0:09:05.000 --> 0:09:07.640 wouldn't do that for just anybody because it was too 0:09:07.720 --> 0:09:11.160 much effort. However, we have gotten a lot better at 0:09:11.160 --> 0:09:14.839 analyzing enormous data sets in a short amount of time 0:09:14.960 --> 0:09:19.520 using things like artificial intelligence and machine learning and various algorithms, 0:09:19.559 --> 0:09:22.640 so this has become less of an obstacle. It's not 0:09:23.280 --> 0:09:26.840 like science fiction level yet, but it's pretty darn close. 0:09:27.559 --> 0:09:32.960 So now some of the technical restrictions that meant we 0:09:32.960 --> 0:09:34.640 didn't have to worry about this so much in the 0:09:34.720 --> 0:09:39.480 past aren't really a thing anymore. Anyway, The euse directive 0:09:39.480 --> 0:09:41.720 meant that the United States, that the country you know, 0:09:41.760 --> 0:09:44.600 where the Internet got its start, would need to figure 0:09:44.640 --> 0:09:47.760 out a way to comply with this set of rules 0:09:48.120 --> 0:09:51.120 if it wanted to allow information to pass between the 0:09:51.200 --> 0:09:54.319 US and the EU. Because a lot of these companies, 0:09:54.559 --> 0:09:58.800 their servers all exist within the United States, so by 0:09:58.840 --> 0:10:01.960 the nature of their business this any any information that 0:10:01.960 --> 0:10:04.120 would be coming from the European Union would have to 0:10:04.120 --> 0:10:07.840 go across the Atlantic to a server in the US. 0:10:08.480 --> 0:10:11.480 To that end, some EU officials began to piece together 0:10:11.520 --> 0:10:16.520 what would become known as the International Safe Harbor Privacy Principles. 0:10:17.200 --> 0:10:19.040 Now we're going to take a quick break, but when 0:10:19.120 --> 0:10:21.680 we come back, I'll talk a bit about Safe Harbor, 0:10:21.720 --> 0:10:24.559 what it was meant to do, and why it no 0:10:24.640 --> 0:10:36.840 longer is a thing. But first, these messages, the International 0:10:37.120 --> 0:10:40.400 Safe Harbor Privacy Principles. What the heck was this? Well, 0:10:40.440 --> 0:10:44.720 it was a program that US companies could apply to join. 0:10:45.559 --> 0:10:49.440 The companies would apply for certification, and that certification essentially 0:10:49.440 --> 0:10:53.000 said these companies are taking the necessary steps to protect 0:10:53.160 --> 0:10:56.520 user data so they can be considered to be compliant 0:10:56.760 --> 0:11:00.880 with the Data Protection Directive that the EU had obviously passed. 0:11:01.200 --> 0:11:05.080 So ultimately, the goal here was to prevent the accidental 0:11:05.120 --> 0:11:10.040 disclosure of EU citizen private information that happened to be 0:11:10.080 --> 0:11:13.080 stored on servers within the United States so it's outside 0:11:13.080 --> 0:11:17.120 the e use control. This was the system by which 0:11:17.120 --> 0:11:21.040 companies would guarantee they would make sure that data would 0:11:21.080 --> 0:11:25.680 remain safe. The Safe Harbor system became effective in two thousand. 0:11:25.720 --> 0:11:29.920 It took several years for it to formalize and then 0:11:29.960 --> 0:11:33.680 to be enacted, and US companies that receive certification under 0:11:33.679 --> 0:11:37.080 Safe Harbor and then registered with the EU would be 0:11:37.120 --> 0:11:40.960 allowed to operate things that would transfer data between the 0:11:41.000 --> 0:11:43.920 U S and EU without much trouble. Oh and in 0:11:44.040 --> 0:11:47.320 order to qualify, those companies would also have to be 0:11:47.360 --> 0:11:51.000 companies that were regulated by the United States FTC, Federal 0:11:51.040 --> 0:11:54.720 Trade Commission, or the Department of Transportation. Those were the 0:11:54.720 --> 0:11:57.560 only companies that could qualify for Safe Harbor. Anything that 0:11:57.720 --> 0:12:01.760 didn't fall into those categories was an exception, and that 0:12:01.800 --> 0:12:04.000 actually cuts back on a lot of businesses, believe it 0:12:04.080 --> 0:12:07.600 or not. Now, something that I'm sure will not surprise 0:12:07.920 --> 0:12:11.000 many of you out there is that various reviews that 0:12:11.040 --> 0:12:13.800 were done on this system showed that a lot of 0:12:13.800 --> 0:12:18.360 the participating US companies were not complying with the program, 0:12:18.400 --> 0:12:21.640 at least not to the extent that they should. Companies 0:12:21.640 --> 0:12:24.840 were found to be reluctant to actually enforce the principles 0:12:24.880 --> 0:12:28.920 defined by the Safe Harbor program, and questions arose as 0:12:28.960 --> 0:12:32.960 to whether or not the industry could really be self regulating, 0:12:33.360 --> 0:12:37.120 like can we trust these companies to regulate themselves? And 0:12:37.240 --> 0:12:40.760 of course we can't. All right, so quick side rant, 0:12:41.120 --> 0:12:46.559 But this applies directly to the topic. So, the currency 0:12:46.800 --> 0:12:50.680 of the modern world isn't bitcoin, It's not any other 0:12:50.720 --> 0:12:54.199 cryptocurrency because it goes a level deeper than that. The 0:12:54.240 --> 0:12:59.719 currency of the modern world is information. Data is valuable 0:12:59.840 --> 0:13:04.040 you or data is valuable. If it weren't companies like 0:13:04.120 --> 0:13:08.400 Meta Slash, Facebook or Google, they wouldn't even exist if 0:13:08.440 --> 0:13:12.000 your data had no value. These companies depend upon us 0:13:12.080 --> 0:13:17.280 generating information, which the companies can then leverage in various ways. Now, 0:13:17.320 --> 0:13:21.120 an obvious way they do this is through advertising, specifically 0:13:21.160 --> 0:13:25.280 targeted advertising. You know, by analyzing the information I generate, 0:13:25.400 --> 0:13:29.120 a platform like Facebook or Google can suss out what 0:13:29.240 --> 0:13:32.760 matters to me and to compare my experience with ads 0:13:32.800 --> 0:13:36.120 that are more likely to get my attention and my action. 0:13:36.880 --> 0:13:40.440 That is money right there that is incredibly valuable to 0:13:40.600 --> 0:13:44.200 these platforms. It's incredibly valuable to the advertisers and to 0:13:44.360 --> 0:13:49.720 their clients. So my information does have value. Yours does too. 0:13:50.000 --> 0:13:55.880 But even beyond targeted advertising, this information has incredible value. 0:13:56.400 --> 0:14:01.200 Through real time analysis of browsing data across millions or 0:14:01.400 --> 0:14:05.600 hundreds of millions of users, platforms can detect and respond 0:14:05.640 --> 0:14:08.480 to trends before anyone is even aware that there is 0:14:08.520 --> 0:14:12.120 a trend there. So I think back to the description 0:14:12.160 --> 0:14:16.679 of chaos theory that says, imagine the flap of butterflies 0:14:16.800 --> 0:14:20.000 wings in South America setting into motion the variables that 0:14:20.040 --> 0:14:24.360 are necessary to generate a typhoon that hits Southeast Asia. 0:14:24.640 --> 0:14:29.160 That it without that one instigating event, the variables are 0:14:29.160 --> 0:14:31.640 not in the right place to make that happen. Well, 0:14:31.680 --> 0:14:35.480 think for a moment about how many people use platforms 0:14:35.480 --> 0:14:41.680 like Google or Amazon or Facebook individually that users. Data 0:14:41.840 --> 0:14:46.960 is valuable, right, but collectively across all users, that can 0:14:47.040 --> 0:14:51.040 drive corporate strategy. So there should be absolutely no surprise 0:14:51.080 --> 0:14:56.520 that companies are eager to exploit information personal information. It's 0:14:56.680 --> 0:15:01.280 key to their business model and their success. Which is 0:15:01.320 --> 0:15:03.680 why it's also not a big surprise that a lot 0:15:03.680 --> 0:15:06.080 of companies were slacking off when it came to self 0:15:06.120 --> 0:15:10.800 regulation and complying with the principles of safe harbor. If 0:15:10.840 --> 0:15:12.840 the companies could get away with it, if they could 0:15:12.920 --> 0:15:17.200 operate without having to actually worry about complying with these rules, 0:15:17.480 --> 0:15:19.960 then they do it. And I'm sure there were no 0:15:20.040 --> 0:15:24.320 shortage of companies that weren't being outright nefarious or flaunting 0:15:24.360 --> 0:15:27.800 the law or anything like that. But we're falling short 0:15:27.840 --> 0:15:30.160 of holding up to their end of the bargain, you know, 0:15:30.320 --> 0:15:32.720 because it's also hard to do. It's hard to pull 0:15:32.760 --> 0:15:35.760 off and still do business in a way that is 0:15:35.800 --> 0:15:39.600 cost effective. Right, in order to comply with these rules, 0:15:40.160 --> 0:15:43.880 you do have to spend some money, honestly, was what 0:15:44.000 --> 0:15:46.320 it really comes down to. It might not be money money, 0:15:46.320 --> 0:15:49.360 it might be more assets and resources or time or whatever, 0:15:50.200 --> 0:15:53.720 but it's ultimately a cost. Whatever the reason, it was 0:15:53.720 --> 0:15:57.760 clear that this particular approach to protecting information wasn't sufficient 0:15:57.840 --> 0:16:01.320 if the EU actually wanted to keep EU citizen information 0:16:01.360 --> 0:16:05.120 secure and servers that weren't even in the European Union 0:16:05.600 --> 0:16:07.640 all right. Flash forward to two thousand and twelve, the 0:16:07.680 --> 0:16:10.440 EU decided it needed to take another stab at creating 0:16:10.480 --> 0:16:15.080 a unified data protection law to replace the Data Protection Directive. 0:16:15.760 --> 0:16:19.320 So the Director had ultimately been too lucy goosey, and 0:16:19.360 --> 0:16:22.440 that meant that different member nations had different principles and 0:16:22.600 --> 0:16:27.640 enforcement strategies. It was two piecemeal and it wasn't unified 0:16:27.720 --> 0:16:31.160 the way a European Union needed to be. So this 0:16:31.360 --> 0:16:35.080 new law would resolve the various differences between the different 0:16:35.280 --> 0:16:38.520 implementations and the member states of the EU and create 0:16:38.520 --> 0:16:42.120 a more coherent policy that it was EU wide and 0:16:42.160 --> 0:16:47.320 would protect citizen data privacy. That took four years two 0:16:47.640 --> 0:16:52.040 actually formalize, but in April fourteen sixteen, the EU approved 0:16:52.320 --> 0:16:55.160 the new set of rules called the General Data Protection 0:16:55.200 --> 0:16:59.120 Regulation or g d p R, and this became a 0:16:59.200 --> 0:17:02.480 truly huge deal for any company outside the EU that 0:17:02.600 --> 0:17:06.560 wanted to do business inside the EU, particularly for Internet 0:17:06.560 --> 0:17:11.000 based companies. The rules covered any entity that processed or 0:17:11.040 --> 0:17:15.480 transmitted data from within the EU to somewhere else. A 0:17:15.560 --> 0:17:18.440 whole bunch of other stuff was in those rules too, 0:17:18.480 --> 0:17:20.359 But I've done episodes about g d p R in 0:17:20.359 --> 0:17:23.000 the past, so we're just gonna say this was a 0:17:23.040 --> 0:17:28.160 more broad, sweeping, and yet unified approach to data privacy, 0:17:28.200 --> 0:17:30.960 and it created big old headaches for companies around the 0:17:30.960 --> 0:17:33.680 world to ensure that they were compliant with g DPR. 0:17:34.080 --> 0:17:37.480 In fact, to this day, that's still a big thing. Ultimately, 0:17:38.040 --> 0:17:40.119 that's at the heart of the meta problem we were 0:17:40.160 --> 0:17:43.000 talking about. It was g d p R that would 0:17:43.040 --> 0:17:45.760 necessitate things like a pop up message that would alert 0:17:45.840 --> 0:17:49.200 users to a sites reliance on web cookies, for example, 0:17:49.240 --> 0:17:53.040 because that's a type of tracking. It would also require 0:17:53.119 --> 0:17:56.719 foreign services to expressly ask for the consent of users 0:17:56.720 --> 0:17:59.479 in order to collect their data. And you know, companies 0:17:59.520 --> 0:18:01.800 tried to find in different creative ways to get around 0:18:01.840 --> 0:18:05.440 that to maximize the number of people who had quote 0:18:05.520 --> 0:18:09.960 unquote uh agree to this by making it a difficult 0:18:09.960 --> 0:18:13.520 thing to opt out of. That doesn't fly very well 0:18:13.520 --> 0:18:14.840 on the g d PR. There are a lot of 0:18:14.840 --> 0:18:18.920 regulatory agencies that pounce on that kind of practice. They're 0:18:18.920 --> 0:18:21.840 also supposed to explain how information is going to be used, 0:18:21.880 --> 0:18:24.159 and to give people the opportunity to opt out of 0:18:24.200 --> 0:18:26.960 any data collection and that kind of thing. So the 0:18:27.040 --> 0:18:30.359 g d p R replaced the Data Protection Directive and 0:18:30.400 --> 0:18:35.320 became enforceable in all right now in the meantime where 0:18:35.560 --> 0:18:38.639 that was happening, the Safe Harbor Principles, which remember this 0:18:38.720 --> 0:18:42.720 was a framework that companies could follow in order to 0:18:42.720 --> 0:18:47.119 be considered UH safe under g d p R rules 0:18:48.119 --> 0:18:52.919 that had already been invalidated by the EU in ten 0:18:53.520 --> 0:18:55.720 They said, well, you know, Data Protection Directive is not 0:18:55.840 --> 0:18:59.400 sufficient and Safe Harbor, which was designed to work within 0:18:59.520 --> 0:19:03.600 Data protet Action Directive that by extension, is not sufficient, 0:19:03.680 --> 0:19:07.040 so it doesn't apply anymore. It was not robust enough 0:19:07.440 --> 0:19:10.920 to satisfy the requirements of the upcoming g DPR. So 0:19:11.200 --> 0:19:14.520 the European Commission and the United States government negotiated a 0:19:14.560 --> 0:19:19.760 new political agreement to codify rules on how commercial transatlantic 0:19:19.800 --> 0:19:23.479 exchanges of personal information from EU citizens to U S 0:19:23.480 --> 0:19:28.040 servers could actually happen. Those rules would become known as 0:19:28.080 --> 0:19:33.359 the EU US Privacy Shield. Like the Safe Harbor Principles, 0:19:33.400 --> 0:19:35.720 this was really meant to create a framework in which 0:19:35.760 --> 0:19:41.040 companies could operate legally within the European Union. US companies 0:19:41.080 --> 0:19:43.440 that gather user data would have to comply with this 0:19:43.600 --> 0:19:46.159 set of rules in order to make services available to 0:19:46.200 --> 0:19:49.960 citizens in the EU, Otherwise they would be violating privacy 0:19:50.040 --> 0:19:54.000 law in Europe. Like the previous system, the Privacy Shield 0:19:54.040 --> 0:19:57.840 includes guiding principles that all organizations are expected to follow. 0:19:58.400 --> 0:20:02.320 While it beefed up some other protections incorporated into the 0:20:02.400 --> 0:20:06.399 previous systems, critics were worried that there were still some 0:20:06.480 --> 0:20:10.959 big gaps in the Privacy Shield process and that ultimately 0:20:11.600 --> 0:20:14.800 it would get challenged and struck down by the European Commission, 0:20:15.400 --> 0:20:18.639 and those concerns likely went into overdrive in twenty seventeen 0:20:19.080 --> 0:20:22.480 when then President Donald Trump signed an executive order that 0:20:22.600 --> 0:20:26.520 denied US privacy protections to anyone who is not a 0:20:26.640 --> 0:20:30.159 US citizen or resident. So, in other words, according to 0:20:30.200 --> 0:20:34.159 that executive order, US companies would not be held accountable 0:20:34.720 --> 0:20:38.280 for guaranteeing data privacy and security for any non US 0:20:38.359 --> 0:20:42.440 citizens or residents. Considering that g DPR demands that any 0:20:42.600 --> 0:20:47.040 entity that transfers e U citizen data overseas must protect 0:20:47.040 --> 0:20:50.480 that information, that was a problem. By the way. Joe 0:20:50.520 --> 0:20:54.560 Biden would later rescind that executive order in one but 0:20:54.600 --> 0:20:58.880 by then things that already changed in Europe. So we're 0:20:58.920 --> 0:21:02.320 going to talk about those chain ages and how Privacy 0:21:02.320 --> 0:21:05.399 Shield would follow in the footsteps of Safe Harbor and 0:21:05.480 --> 0:21:17.560 get invalidated after we come back from these messages. So, 0:21:17.680 --> 0:21:20.800 as I was alluding before the break the critics of 0:21:20.840 --> 0:21:25.680 the Privacy Shield process who said this is not going 0:21:25.760 --> 0:21:28.679 to be seen as sufficient, that we're absolutely right. The 0:21:28.720 --> 0:21:32.800 EU Commission reviewed the Privacy Shield policy in twenty and 0:21:32.840 --> 0:21:36.280 determined that it was not enough to protect EU citizen 0:21:36.560 --> 0:21:40.800 private data and struck it down. Specifically, there were concerns 0:21:40.840 --> 0:21:44.200 that the US government would be able to conduct surveillance 0:21:44.320 --> 0:21:48.479 on EU citizen data and that under EU law that 0:21:48.520 --> 0:21:51.880 was a violation of of human rights and freedom rights 0:21:51.880 --> 0:21:56.000 of EU citizens. So there was a need to formulate 0:21:56.160 --> 0:22:00.639 yet another data privacy framework that would address this issue, 0:22:01.080 --> 0:22:04.240 and that's kind of where we are now. See, without 0:22:04.240 --> 0:22:07.800 a framework, it becomes very difficult to do business in 0:22:07.840 --> 0:22:11.440 the European Union. The framework, you know, it smooths things out, 0:22:11.520 --> 0:22:15.680 it speeds things up because it's it's one point one 0:22:15.720 --> 0:22:19.879 system that companies in say, well specifically the United States, 0:22:20.160 --> 0:22:24.760 can go through in order to qualify to do business 0:22:24.800 --> 0:22:29.320 in the EU and be considered compliant with the rules 0:22:29.320 --> 0:22:34.639 of g d p R. So this new framework is 0:22:34.680 --> 0:22:38.000 still taking shape. It doesn't exist yet, it is in 0:22:38.080 --> 0:22:41.800 the process of existing, and it will take even longer 0:22:41.840 --> 0:22:45.160 for the EU to formalize and adopt and enforce that 0:22:45.280 --> 0:22:49.239 rule once it is finished. In the meantime, we're in 0:22:49.280 --> 0:22:53.040 an era where things are really unstable now. One way 0:22:53.080 --> 0:22:56.679 companies have managed to continue to operate in the absence 0:22:56.840 --> 0:23:00.320 of a formal framework is to file what are called 0:23:00.560 --> 0:23:05.240 standard contractual clauses or sc c s with the EU. 0:23:06.480 --> 0:23:09.200 You can think of this as essentially being a legal agreement, 0:23:10.160 --> 0:23:14.680 and that this legal agreement provides a guarantee that the 0:23:14.760 --> 0:23:20.600 non EU company is taking pains to conform to g 0:23:20.680 --> 0:23:25.239 d p R requirements, so it's essentially saying, you know, 0:23:25.600 --> 0:23:30.600 we're obeying the rules. Securing sccs can be time consuming 0:23:30.680 --> 0:23:34.240 and it isn't a smooth process, at least not as 0:23:34.240 --> 0:23:38.840 smooth as being able to just apply to a framework 0:23:39.119 --> 0:23:43.159 like Privacy Shield or Safe Harbor, so it can be 0:23:43.200 --> 0:23:46.200 a bit of a headache. And now let's talk about 0:23:46.200 --> 0:23:50.320 Ireland and its Data Protection Commission or DPC, because this 0:23:50.359 --> 0:23:55.000 relates directly to the Meta story. The DPC determined back 0:23:55.080 --> 0:24:00.440 in twenty that two of Meta's platforms, namely face Book 0:24:00.680 --> 0:24:04.560 and Instagram, relied on a data controller that could not 0:24:04.800 --> 0:24:09.280 provide a guarantee that data from Irish citizens would be 0:24:09.280 --> 0:24:14.280 protected from US government surveillance, and so by extension that 0:24:14.320 --> 0:24:18.280 would violate data privacy laws in the EU. That would 0:24:18.320 --> 0:24:22.720 also mean that Meta would not qualify for an sc C, 0:24:23.080 --> 0:24:27.199 at least in terms of Facebook and Instagram. WhatsApp, a 0:24:27.240 --> 0:24:30.960 totally different platform, uses a completely different data controller and 0:24:31.240 --> 0:24:34.359 is not part of this like WhatsApp, can operate in 0:24:34.400 --> 0:24:37.679 the EU find because it is not subject to the 0:24:37.800 --> 0:24:43.720 same vulnerabilities that Facebook and Instagram are. Then, last month, 0:24:43.760 --> 0:24:46.600 which for those listening in the future would be July 0:24:46.880 --> 0:24:52.360 of two thousand twenty two, the DPC, this regulatory agency 0:24:52.359 --> 0:24:57.639 in Ireland, filed an updated draft order to shut down 0:24:57.720 --> 0:25:01.560 Instagram and Facebook services in the U and filed that 0:25:01.640 --> 0:25:05.920 with other regulators within the EU. So the other member 0:25:06.000 --> 0:25:09.960 states that have regulated Tory agencies, they all received a 0:25:10.040 --> 0:25:14.359 filing of this updated draft decision. While the contents of 0:25:14.359 --> 0:25:17.440 that order weren't made entirely public, it did become clear 0:25:17.560 --> 0:25:21.840 that DPC was telling other regulators that they should halt 0:25:22.000 --> 0:25:25.600 Facebook and Instagram's ability to transfer EU citizen data to 0:25:25.640 --> 0:25:30.480 the US because it could not guarantee safety against US surveillance. 0:25:30.920 --> 0:25:35.320 This would effectively shut down Facebook and Instagram within the 0:25:35.359 --> 0:25:41.160 European Union and to EU citizens. So let's get into 0:25:41.240 --> 0:25:45.600 some complicated political stuff now. Under Article sixty of the 0:25:45.680 --> 0:25:48.600 g d p R, the rest of the EU's data 0:25:48.640 --> 0:25:53.240 protection agencies have four weeks from that filing to comment 0:25:53.400 --> 0:25:57.640 on the dpc's conclusion. Uh. Those four weeks are up 0:25:57.680 --> 0:26:01.160 this week, by the way. So if after four weeks 0:26:01.200 --> 0:26:05.679 there are no objections to the dpc's decision, which is 0:26:05.840 --> 0:26:09.880