The future of EU-US data transfers

In this episode of the Mobile Dev Memo podcast, I speak with returning guest Mikołaj Barczentewicz, an expert on European data privacy law, about the recent $1.3BN fine that the Irish DPC issued to Meta over its transmission of EU resident data to the United States. We discuss the history of data transfer frameworks between the EU and the US and why they’ve all been invalidated, the core motivations of EU protectionism related to data transfer, and the implications for all technology companies of the Irish DPC’s decision.

Mikolaj has previously joined the Mobile Dev Memo podcast to discuss EU data privacy law broadly as well as the soon-to-be-enforced Digital Markets Act (DMA) and Digital Services Act (DSA).

A transcript of our conversation, which has been lightly edited for clarity, can be found below.

Interview Transcript

Eric Seufert:

Mikolaj, happy Friday. How are you?

Mikolaj Barczentewicz:

I’m fine. Good to see you again.

Eric Seufert:

A lot of stuff has happened since we last spoke. I am bringing you back to the podcast for the third time to talk about EU privacy and the EU privacy regime. I very much appreciate your time, very much appreciate you being willing to come on this podcast and elucidate these very complex topics for me, for the audience. I’ve received a tremendous amount of very, very positive feedback about these podcasts. People really appreciate these topics being unpacked in a way that a layman can understand. And so, thank you for your service here. Maybe before we kick off the conversation, you can kind of just briefly give some background on yourself, for those who haven’t heard the previous podcast episodes.

Mikolaj Barczentewicz:

I’m an academic, I’m a law professor in the UK at the University of Surrey. I also have research affiliations with Oxford and Stanford. And Oxford is where I got my doctorate. I work on online technology issues, both on privacy issues, what we talk about today, but I also work on some slightly less related issues in financial regulation. But one thing that for me, brings it all together, is that I do have a bit of a technical background. Because as a teenager, I taught myself to code and then I worked for several years in marketing and web design. So I feel a bit of affinity to your community this way.

Eric Seufert:

So last week, we had a landmark decision, right? There was a landmark decision.

Mikolaj Barczentewicz:

Yes.

Eric Seufert:

A record-breaking fine was issued by the Irish DPC against Meta.

Mikolaj Barczentewicz:

Yes.

Eric Seufert:

So maybe to start, can you provide us with a high-level overview of what that decision was, why the fine was issued, and some background on the process that took place for that decision and that fine to come about?

Mikolaj Barczentewicz:

Yes. So another week, another Meta decision from Ireland. But this time it’s about something that maybe not as many of your listeners may have direct experience with, because here we’re talking about the lawfulness of data transfers from the EU to the U.S. And under the EU General Data Protection Regulation, the GDPR, you can only transfer personal data outside the EU if this transfer will not undermine the protection of personal data. And then the GDPR has a list of possible scenarios, which could mean that this is okay, that your transfers are okay. But if you don’t fall under any of those scenarios, then what you’re doing is illegal.

And what happened in this decision was that the Irish Data Protection Commissioner (DPC) decided that Meta, the way they were transferring the personal data of their users, did not satisfy any of those scenarios. And their transfers are illegal, so they need to cease. And in addition, they are meant to pay a €1.2 billion fine, which is the highest-ever GDPR fine. But in this case, the fine feels more like just a footnote to a more serious issue of those transfers.

Eric Seufert:

So, there’s a couple of points that I want to clarify here, and then I want to jump back 10 years. So the first point is that this was not related in any way whatsoever to personalized ads, to advertising, this had nothing to do with Meta’s practices on that point. This was… not directly, right? So of course, they’re collecting that data for that purpose, I suppose. But that’s not why the data transfer is deemed to be non-compliant. Right? The reason the data transfer is deemed to be non-compliant is…

Mikolaj Barczentewicz:

Just because it is being transferred from the EU to the US.

Eric Seufert:

So let me prompt you a little bit more clearly. Why is the U.S. considered the sort of rogue territory to which EU data may not be transferred?

Mikolaj Barczentewicz:

Well, that does bring us back 10 years to Snowden’s revelations, to his disclosures of some of the practices that the U.S. government, both domestically and outside the U.S., sort of engages in in terms of data collection. And both directly from, as far as I can remember, undersea cables and through orders delivered to companies like then Facebook, now Meta. So those are technically known as Section 702 of FISA and the Executive Order 12333.

Eric Seufert:

I think that’s really fascinating. So we’re starting with this decision that happened last week, but the origins of this go back to 2013. They go back to Snowden disclosures, the PRISM program from the NSA, and the idea being that data from Europeans, when it’s transferred back to the United States, could be pried upon, it could be intercepted by the NSA. And that is considered to be a violation of European human rights, essentially. That’s the argument, right?

Mikolaj Barczentewicz:

The fact that your data can be pried upon in itself is a restriction of your rights, but it doesn’t mean that it’s an infringement. That happens in Europe all the time, and there’s data collection for intelligence purposes or for criminal investigations. It’s just that the question is whether it’s done within a framework that still provides sufficient safeguards. So you can say that your right is not infringed, even though it’s restricted.

Eric Seufert:

Right. Okay. So it’s not sending data to the United States where that data may be intercepted or pried upon. It’s not de facto illegal under the GDPR, it’s just that we don’t really know how it’s done, first of all. And second, there’s an assumption there, and unless it’s clarified, it probably is violating European rights. Is that correct?

Mikolaj Barczentewicz:

Yeah. So there are several issues there, we can go back to this later if you like. So one of the main issues is, for example, judicial redress. So the idea is that if your data is subject to some sort of intelligence collection and this kind of restriction, there should at least be some control by an independent, preferably judicial body, that could say whether this collection, whether this restriction of your rights is not excessive, whether it’s proportionate. Right?

And one of the arguments for previous European judgments against these transfers to the U.S. was that there is no such protection or judicial control for Europeans’ data. Because we’re not talking about the data collected on U.S. citizens. That’s a totally separate issue. We’re only talking about the data that is the data of European residents.

Eric Seufert:

Okay. So, let me see if I can clarify that. So the idea here is that, okay, if data are collected on a U.S. citizen in residence, they have some kind of recourse. They have some kind of legal recourse. And if I remember, I mean this is hearkening back to the Bush era and the Patriot Act and stuff, so see if I can remember all this. But part of that was, well, maybe they don’t because a lot of this stuff happened in FISA courts where it was all in secret. We don’t really know what happened. It was all sealed. But theoretically, a U.S. citizen would have access to the judicial process. But if it’s happening to a foreign resident, they don’t have the same kind of access. Is that correct?

Mikolaj Barczentewicz:

So I’m not an expert on U.S. national security law, but my understanding is that at least some of those agencies like the CIA and the NSA, they cannot collect data that is targeting U.S. persons. Of course, you would have a different kind of judicial recourse quite likely. But even the limits are different because myself as a foreigner, so as an alien under U.S. law, I’m fair game for the CIA and the NSA, but you may not be.

Eric Seufert:

Right. And I think that’s… Generally, I might not be, but there could be a warrant that was issued in a closed-door FISA hearing where my data could be collected. But there was still some kind of judicial process. Wasn’t that the whole issue with Bush? I don’t want to get too spun around the axle here, but I think it’s interesting to think about the genesis of this. Right?

Mikolaj Barczentewicz:

Yeah. So it all started, I mean the saga of those so-called, Schrems cases, it all started in 2013 with Snowden disclosures when we learned about PRISM and UPSTREAM and EO 12333.

Eric Seufert:

So this is 2013, and I don’t want to make this about an individual person, but Max Schrems at the time, was a law student. He wasn’t the kind of famous activist that he is now. He was a student, essentially.

Mikolaj Barczentewicz:

Yes.

Eric Seufert:

And he said, “Okay, look. We learned all this stuff about the U.S. security apparatus and intelligence apparatus. And look, I believe this violates my human rights. If my data goes over there and the NSA can spy on it, without any sort of legal recourse.” So, he filed a complaint. And he filed a complaint with the Irish DPC because that’s where Facebook’s headquarters was. And then talk me through… So that was the original complaint, and then something happened. And then he filed another complaint, and then something else happened. And then he filed another complaint, and then here we are. Is that roughly correct? And maybe walk us through the steps here.

Mikolaj Barczentewicz:

Right. It is. So the procedural history of what happened is quite complex, so we can try to simplify it a bit. But what happened to this first complaint, as far as I remember, the Snowden disclosures, they happened around June 2013. And Schrems filed his complaint very soon after, within weeks. So, we’re around the summer of 2013. And the Irish Data Protection Commissioner received that complaint and refused to investigate. Because they said that if they investigate, this will challenge the validity of the EU law on which Facebook was relying to transfer user data to the U.S.

Because they refused, then Schrems went to the Irish Courts, and the Irish Courts then asked the highest EU Court, the EU Court of Justice to say… This is the procedure known as a preliminary reference. So they asked the EU Court to say what they think about this, whether the Irish authority should be investigating, and what to think about this whole legal situation. And that’s how we ended up with the Schrems I judgment in late 2015.

So, that was the first of those famous judgments. And that judgment invalidated that law on which Facebook was relying to transfer user data. This was called the Safe Harbor Decision. So, that was the first battle in the campaign.

Eric Seufert:

Okay. And so, the law was invalidated, right?

Mikolaj Barczentewicz:

Yes.

Eric Seufert:

Which should have blocked the data transfer. So what happened next? What happened after? So let me just play this back, because I think it’s interesting. So first of all, one point of clarification, the EU Court of Justice, its acronym is CJEU. It’s not EUCJ. That feels like maybe a rookie mistake that people might make, and I’ve made.

Mikolaj Barczentewicz:

Well, no. They kind of rebranded the court in the recent amendment to the treaties. So we used to call it the ECJ, the European Court of Justice, and some people still do. But the official name changed to the Court of Justice of the European Union, so that’s why we have CJEU.

Eric Seufert:

I want to make sure people don’t reveal themselves to be novices in this arena, as I’ve done.

Mikolaj Barczentewicz:

What makes things easier is that we don’t have that many persons or institutions here. So we have the Irish High Court and the one European Court, and then the Irish DPC. So, they are the main actors for a long while in this drama.

Eric Seufert:

Well, until we get to the sort of more recent history, which is when the EDPB enters the chat. But okay, so we’ve got an individual, a law student. He files a complaint, following the Snowden disclosures. He goes to the Irish DPC, they say no. He goes one step higher, they say, “Okay, well Irish DPC, you’ve got to investigate this.” So then he goes to the CJEU. They say, “Hey, actually this does violate our laws. And so this data transfer framework that we have known as Safe Harbor, is invalidated.” Right? So then what happens?

Mikolaj Barczentewicz:

Yes. And the reason why this data transfer framework was invalidated was that the court, the EU Court, said that what we now know due to the Snowden revelations shows that transferring personal data to the U.S. does not give this guarantee that the fundamental rights of Europeans will be protected. So, that was the reason in short. And so because the legal basis was invalidated, the Irish DPC opened a new investigation. So meanwhile, Facebook was transferring user data to the U.S. now based on a different basis. So instead of using this Safe Harbor, then they started relying on the so-called, Standard Contractual Clauses. Yeah. So, that was the situation.

And in May 2016, the Irish DPC prepared a draft decision where they said that Facebook’s reliance on those Standard Contractual Clauses is unlawful, given the circumstances of PRISM and so on. But the Irish DPC also thought that this questions the validity of another EU law, which created this Standard Contractual Clause framework. So then it initiated another high court case in Ireland to get a question out to the EU Court.

So we’re in 2016, and so there is a draft decision saying that what Facebook is doing is unlawful. But actually, this is not effective because first, we are back at the courts. So the judgment from the Irish High Court was in 2017, the first judgment. And then sometime in 2018, they did issue this question to the EU Court.

Meta delayed the whole process a bit because they appealed that decision to ask the EU Court and they made that appeal to the Irish Supreme Court. So, that’s why effectively the EU Court was only able to look at it in mid-2019. So, they started this new procedure around 2015, they had a draft decision in mid-2016. But only in mid-2019, the EU Court was able to actually deal with this because of those procedural issues and the appeals and so on.

Eric Seufert:

And so, that process was slowed down. But talk to me about the Privacy Shield. When did that enter into the dynamic?

Mikolaj Barczentewicz:

So the Privacy Shield was… So, there was something that happened still before the GDPR. But the idea was to replace this Safe Harbor decision with a less flimsy structure that would provide some certainty to businesses in transferring their data to the U.S. And that became a new legal basis that businesses were able to rely on. And that decision was adopted in July 2016. So, that was after the Irish draft decision saying that what Facebook is doing is at least presumptively unlawful. So when this whole situation came to the Court of Justice in 2019 to look at, they were dealing with slightly different circumstances. Because it wasn’t just the issue of those Standard Contractual Clauses, but also of this new Privacy Shield that was enacted in the meantime.

Eric Seufert:

And I think, if I’m not mistaken, and I very well may be, the prototype of that situation is probably going to become relevant again. So you’ve got the law… basically the framework being invalidated. You’ve got this kind of gray zone solution that emerges where there was a recommendation, I think at one point, that you could use these Standard Contractual Clauses to transfer data, but we don’t really know. Then the Privacy Shield comes into effect after that. And so when the decision hits the CJEU, there actually is… well, there’s a framework, but that framework sort of was subsequent to the decision to rely on these SCCs. And so, the CJEU had to make a decision about the Privacy Shield framework, which was sort of then being utilized as an umbrella cover for using the SCCs. Is that roughly correct?

Mikolaj Barczentewicz:

Yes. So generally, roughly correct, that the SCCs, that’s the default backup option, if you don’t have something like what we now call, adequacy decisions.

Because if you have this adequacy decision, this is a decision by the European Commission that says it’s fine to transfer data to this third country. By the way, there is only one adequacy decision that was adopted since the GDPR came into force, and that’s for South Korea. And South Korea has a famously extremely strict privacy law.

Eric Seufert:

So then we’ve got the CJEU deciding in 2020, that the Privacy Shield is invalid. Right? So, walk me through what happened next. How does this all connect? So, we’ve kind of walked through seven years up to this point in the conversation of back and forth like cat and mouse type behavior. How does this all connect to Max Schrems, because he was still contributing to this sequence of events. So what role did he play in instigating these subsequent decisions?

Mikolaj Barczentewicz:

So he and his organization, noyb, they tried to participate at all stages. They even brought specific court proceedings at certain moments because they felt that their participation was being thwarted, especially by the Irish DPC. So they were trying to be active and to be consulted and to have access to documents. So they reported having many problems with that. So part of the force pushing this investigation forward and trying to make sure that it’s not conveniently forgotten in some archives somewhere. So yes, they were very involved in that respect. And we know this 2020 judgment as Schrems II. So we had Schrems I from the EU court in 2015 and then Schrems II in 2020. And Schrems II is in a sense the law or the most recent, most important interpretation of the relevant law that we now are trying to understand to see what will happen from now on.

Eric Seufert:

I think the details are interesting here, but I don’t have any sort of subjective opinion about Max Schrems or his organization, or the background of his work here. I do think one piece of context that’s interesting is noyb. So noyb is the activist organization, right? It stands for “none of your business.” I get a kick out of that.

Anyway, the reason I bring it up is, he’s probably not going to stop. I mean, he’s committed. He seems very vehement. So I think this feels like a never-ending cycle. But let’s move forward. Okay, in 2020, the CJEU said, okay, we’ve got the Schrems II decision. The Privacy Shield is invalidated. Well, now we’re in 2023. So what happened in the last three years leading up to this decision that was made last week or published last week?

Mikolaj Barczentewicz:

So shortly after the Schrems II decision, which invalidated the Privacy Shield, a new Irish DPC inquiry started. And then Meta brought court proceedings against the DPC, which created a year-long stay, so the delay. But then Meta’s case was dismissed. So really this investigation that now was completed, it started in earnest around 2021. And so it took from 2021 until 2022, there was an exchange of documents. So Meta, the US government I think even made representations. And that all concluded more or less in July 2022 with a draft decision from the Irish DPC.

Eric Seufert:

Right. And then I think then we jump into the sort of final process of this whole decision. So the Irish DPC had a draft decision. What did they say? What was their decision that they published in July 2022?

Mikolaj Barczentewicz:

So they didn’t publish, they finalized the draft. I think if I remember correctly, there were some decent leaks as to the substance. The substance being that — surprisingly, given the 2016 decision as well — they decided even then in that draft decision that what Meta is doing, the legal basis on which they are relying, is insufficient. And so their transfers of user data to the US are unlawful. So that was the substantive conclusion. But they also decided that there would be no penalty against Meta. And they also decided that instead of ordering Meta to cease or end the processing of those transfers of user data, they should only suspend that process. Which means that there was at least a possibility that maybe they wouldn’t need to delete the transferred data. And then that they could then resume even assuming that they would have to stop for some time.

Eric Seufert:

So let me play that back. So we’ve had this multi-year process. By the way, did COVID delay this at all? Did it take so long partially due to COVID or it was just a long process?

Mikolaj Barczentewicz:

No, I think it was just a long process. So COVID happened before, it doesn’t look like COVID played a major role here and now.

Eric Seufert:

Okay, so we’ve got the decision in 2020, and then the CJEU invalidated the Privacy Shield, the Irish DPC then said, okay, well, we’re going to make our decision about the legality of these transfers given that the CJEU has invalidated the Privacy Shield, these SCCs, we have to consider whether the SCCs are a valid justification for sending this data. And what they said was, no, we don’t believe so. It was the Irish DPC’s decision to make or they were the ones that were tasked with it and they said, no, we don’t think these are legal. So these are illegal, but we’re just going to tell you to stop doing it. We’re not going to tell you to delete all the data that you had previously transferred and we don’t feel that it’s appropriate to assign a fine here. We don’t feel it’s appropriate to impose a fine. That’s roughly what the decision said.

Mikolaj Barczentewicz:

Yes. So we now notice that this is what they decided in July 2022. And that the way this works is that if you have such an important decision, which deals with a business that also does cross-border processing, it’s clear that some other European authorities, privacy authorities may be interested in it. So the process is that such a draft decision needs to be communicated to other European authorities, and those other European authorities, the DPAs, have some time to object to the draft decision. And this is what happened, I think four national authorities objected to this draft decision.

Eric Seufert:

Right. Now, I want to get back to that, but I think let’s just pull a little more detail here because I think it’s important. And also, now we’re actually seeing more of a parallel with what we talked about in our first podcast episode with the Irish DPC’s decision about Meta related to personalized advertising. So the Irish DPC, they write a draft decision, they circulate it within the European privacy apparatus. And if no one objects within some amount of time, is it like a month?

Mikolaj Barczentewicz:

I would need to check what’s the exact timing. But perhaps a month.

Eric Seufert:

There’s some predefined concrete amount of time that they have to articulate an objection. And if they don’t, then that’s the decision. Right? But if they do, which some did. Four did. Four of these privacy organizations did object. So then it goes into a process that is sort of regulated or managed by the EDPB. So that’s called Article 65, the Article 65 process. Can you talk a little bit more about that?

Mikolaj Barczentewicz:

So this is known as the dispute resolution procedure. So we have those objections from several national authorities. And generally, the idea of this cooperation mechanism is that it’s meant to produce compromise. So ideally, either the lead authorities, so in this case the Irish authority just on their own changes the draft decision to satisfy those objecting authorities, or they manage to convince the objecting authorities to drop their objections. So that’s the ideal. But that’s not what happened here and that’s not what happened in the cases we talked about in the previous podcast. So that triggers the dispute resolution procedure, which basically leads to a vote. And the vote is that if there is a two-thirds majority at first, or if it takes a bit more time, then an ordinary majority of EU member state privacy authorities is sufficient. If there is such a majority, then they can force a binding decision on that lead authority — in this case the Irish authority. And again, this is what happened in this case and this is what happened in those previous cases that we talked about.

Eric Seufert:

That’s really important. But let me just quickly sidetrack us. So four of these privacy authorities objected. You’ve got this confederation of privacy authorities across Europe. Four of them dissented with the Irish DPC’s decision and that’s what triggered the Article 65 process, the dispute resolution process. So all four of them believe that a fine should be applied, and two believe that action should be taken to remedy the data that had previously been transferred. So those were the points of dissent. Right? Now, when I read the Irish DPC’s… That’s what kicked off the dispute resolution, it went through the EDPB dispute resolution process. The votes were taken and it was determined that Meta should have to delete the old data and a fine should be imposed. And then that decision was handed to the Irish DPC and they were left to execute that decision.

But when I read the Irish DPC’s press release on this, they made it very clear they didn’t agree with that. So firstly, they don’t agree with this decision, which is similar to the case from January with the fine related to privacy. But they also said, look, there were four of these privacy authorities that disagreed out of 47. Now, there are 27 EU member states. Can you just talk to me about how you get 47 privacy authorities out of the EU block of 27 member countries? Can you just explain that to me? Because I don’t understand.

Mikolaj Barczentewicz:

So this situation is due to the fact that there are four federal authorities, privacy authorities in Belgium, and there are 18 privacy authorities in Germany. But the Germans don’t get to have 18 votes, they get 1 vote. And it’s the same with the Belgians, they only get 1 vote. It’s just that they are this collective entity in a sense in the EDPB, so they can make much more noise because they have a lot of stuff and so on, but they still get 1 vote.

Eric Seufert:

I see. So they go through some sort of consensus process before submitting their singular vote?

Mikolaj Barczentewicz:

Yeah, that’s a good question. So I don’t know how the Belgians and Germans do it, but yes, I would imagine that this is how it works.

Eric Seufert:

Okay, so this is some sort of national court, right? Okay, so you’ve got 4 in Belgium, 18 in Germany, that’s 22, plus 27 is 49. And then you back out Germany and you back out Belgium, that gets to 47.

Mikolaj Barczentewicz:

Yes.

Eric Seufert:

I see. Okay. No, this is not complex at all. It’s very easy to parse.

Mikolaj Barczentewicz:

Very easy.

Eric Seufert:

Okay. So sidebar over. Let’s get back to the decision. So the Irish DPC is sort of instructed by the EDPB, that here’s the decision. What agency did they have within the parameters of that decision? Could they modify that, did they have any input into that, or are they just sort of handed a legally binding decision? So I think when you read the people’s opinions on the decision, Max Schrems said this fine is not sufficient. $1.3 billion is not sufficient. So did the Irish DPC have some influence on the fine or were they just told what the fine would be? Because it could have been up to 4% of worldwide turnover, which would’ve been in a multi-billion dollar range, right?

Mikolaj Barczentewicz:

Yes, that’s true. It’s not the maximum. If I remember correctly, I think they were told, the EDPB decided that the fine should be between 20% and 100% of the applicable legal maximum. And I think it ended up being just 20-something percent. So it’s not the minimum that the EDPB asked for, but it’s also far from the maximum. So the maximum would’ve been — my calculation was something like €4.6 billion. I may be a bit off on this, but the idea is that we’re talking about 4% of Meta’s global turnover for the previous financial year. So they went for slightly above the minimum they had.

Eric Seufert:

Okay, so the Irish DPC did have the agency to determine within that range what the fine should be?

Mikolaj Barczentewicz:

The fine, yes. Not that much in terms of the other elements, which was that they were told that they need to order Meta to cease processing. So yes, so they did that.

Eric Seufert:

Got it. And where does that fine, who receives that fine, where does that fine get paid to?

Mikolaj Barczentewicz:

The Irish state as I understand.

Eric Seufert:

Okay, so we’re talking single-digit billions here. So it’s not, in terms of the Irish GDP, it’s not super meaningful. But in a sense, they’re saying, okay, we’re going to pay ourselves less. And you could imagine that there could be a little bit of a conflict of interest here if they’re given the latitude to pick the fine, they could just opt for the biggest fine because that’s more money going into the state coffers. Although then that would work against their status as the business-friendly state in Europe, right?

Mikolaj Barczentewicz:

Yes. That’s one thing. And it would also go against what they say about their own considerate view, which was that there shouldn’t be a fine. Right? So given that they tell us that they think that there shouldn’t be a fine, then it makes sense for them to go for the lowest fine possible.

Eric Seufert:

Okay. So I think that’s fairly clear. That’s a really great history. That’s a good starting point to jump into the next part of the discussion. But just briefly, so we’ve got four of these CSAs dissenting out of 47 as you just discussed. There are 4 in Belgium, 18 in Germany, and that’s what makes up 47. The standard here is that if a single one of them dissented, then it would trigger that dispute resolution process, right? A single dissent would mean that you go through the dispute resolution?

Mikolaj Barczentewicz:

Yes. So that seems to follow from the GDPR. And again, the idea is with the Irish DPC, and those recent Meta cases, it perhaps it’s not working as the GDPR authors hoped because I guess what they hoped was some sort of compromise — that you can achieve compromise through this process of objecting, and then discussing the objections. But what has happened in those recent cases is that it all goes to the forceful solution. But what’s important is that it may be enough for one authority to object that triggers the discussion. But you still need a majority of authorities to decide on this forceful solution to impose a binding decision.

Eric Seufert:

Right. And in a super majority in the first vote to pass the vote.

Mikolaj Barczentewicz:

So the first vote is a super majority, and the second vote is a majority. And we don’t really know. So we know which authorities object that’s public, but we don’t know how they vote. And I’m not sure we also know, even if this happened through a supermajority or just an ordinary majority. So yes, that’s a bit of a mystery.

Eric Seufert:

I got it. So there’s four that dissent, but you could have these other DPCs that are like, well, we don’t feel strongly enough to dissent. But given what is put forward, we’re going to vote with the dissenters’ opinion on what the… And is there any sort of, I mean, I don’t want to get conspiratorial here, but do you think that they coordinate that? It’s like, “Hey, we don’t actually want to dissent here, but we’ll vote with you if you dissent and you put forth these requirements.”

Mikolaj Barczentewicz:

That’s a good question. So there are authorities who almost never seem to object. And if someone’s interested in that, and I guess if you’re trying to predict what privacy authorities may want to do in Europe, it’s a good thing to look at. Which is, so I’m talking about the Irish DPC’s annual report. And if you look at this annual report for last year, they have this nice table where they show all their investigations. And this is a table that has names of investigations, it’s like Twitter, Facebook, WhatsApp, and so on. And then it has names of countries and then it shows whether authorities from those countries object. And you can clearly see that there are authorities like the German one and the French one that tend to object even more often than not. And then there are many authorities that never object, but then that doesn’t tell us how they vote.

Eric Seufert:

Sure. Right. Because obviously, if there was either a super majority or majority, there’s a lot more people that wanted the penalties than didn’t. And we just don’t know how the votes broke down. But it stands to reason that some of these people voted against the Irish DPC’s draft decision, even though they didn’t dissent.

Mikolaj Barczentewicz:

Yes. That must be the case.

Eric Seufert:

Right. Okay. Yes. Very, very interesting. Okay, so I want to jump ahead. So okay, we got the decision. Can you talk to me about what the decision was, the sort of, we had the EDPB tribunal process, the decision was handed to the Irish DPC. But what was the decision?

Mikolaj Barczentewicz:

So we already covered the so-called corrective measures. There is a fine and then there is this order to cease processing. So, including potentially deleting the data. So that’s the corrective measures. In terms of the substantive content, there are four aspects to it. So the first aspect is that as the Irish DPC summarizes it, US law does not provide a level of protection that is essentially equivalent to that provided by EU law. And “essentially equivalent” is the magic phrase here. And that’s a phrase that we’ll be thinking about a lot coming forward again with future US schemes. So that’s one question to be asked here. And at least for that situation, until this new adequacy decision that has not yet happened, the conclusion of the Irish DPC is that the US law does not provide this essential equivalence. So that’s one key aspect.

The second key aspect is that because there is no such essential equivalence in the protection of personal data, then the question arises whether those standard contractual clauses compensate for this inadequate protection. And here, the conclusion was that, no. So the first conclusion is kind of an indictment of US law in general. So saying that US law is just not good enough. And the second one is that the measures that Meta has taken to address this inadequacy of US law, that those measures are also inadequate. So the US law is inadequate, and then what Meta did to compensate for that is also inadequate. So these are the two aspects.

And there’s a third conclusion about so-called supplemental measures. We can talk about that for a second, but according to the Irish authority, actually Meta did not have in place any of those supplemental measures, which could compensate for inadequacies. And the final conclusion is that because in principle, even if you cannot rely on those standard contractual clauses, there are still so-called derogations in the GDPR that may allow you to transfer personal data to third countries which also don’t have those adequacy decisions. Actually, they may sound quite familiar to people in the advertising community because you will see their consent, you will see contractual necessity, you will see reasons of public interest. So they really look like just general bases for lawful processing of data, but the catch here is that those derogations are interpreted very, very narrowly. So Meta told the Irish DPC, “Okay, so if we can’t use the SCCs, we’ll just use public interest. If we can’t use public interest, we’ll use contractual necessity. If we can’t use contractual necessity, we’ll use user consent.”

And for all those, the Irish DPC said, “No, that’s not going to work. You can’t use that.” Because long story short, the reason the interpretation seems to be that you can only use those derogations occasionally. And there is that big difference that here Meta would be saying, “Oh, well, we’ll be using them for our day-to-day business operation.” And the Irish DPC says, “No, that’s not occasional, so you can’t use the derogations.” So going through the whole list of what Meta could be relying on, the Irish DPC concludes that actually there is nothing that Meta can rely on given the circumstances, unless something changes. So they have to cease processing.

Eric Seufert:

So obviously they have to pay the fine. Although, just to be clear there, they said they’re appealing all of this. So who knows when this will be resolved. But they have to pay the fine at some point, right, unless upon appeal-

Mikolaj Barczentewicz:

Yes.

Eric Seufert:

… the fine is invalidated.

Mikolaj Barczentewicz:

The fine is probably not the big issue here.

Eric Seufert:

So they have to pay the fine, they have to stop sending data to the US, and they have to delete all the data that they did send to the US, which the Irish DPC deemed was sent unlawfully. That’s kind of what their reaction has to be, assuming they don’t win an appeal.

Mikolaj Barczentewicz:

So, I’m not an expert in Irish administrative law, but my understanding is that there may be some time when they appeal this decision that they will not need to implement it immediately, that they may have some months waiting for this big thing that we are all waiting for, which is the new adequacy decision. Two things about the Irish DPC decision are important to note here. First, the decision itself gives Meta six months to bring its data processing into compliance with the GDPR by ceasing unlawful processing. So from the moment that the decision was notified to Meta, Meta has six months. According to press reports, Meta received the decision on the 12th of May, so by my calculation they have until the 12th of November.

The second thing is that Meta is under an obligation to bring its processing into compliance with the GDPR and only cease unlawful processing of user data, including storage. So at least theoretically, this does not mean that the decision orders Meta to delete user data from Meta’s American servers, for example. The EDPB insisted in its decision that their proposed order does not impose a specific manner of how to comply with it, and in particular, that it does not strictly require deletion of data. In response, Meta claimed that given the inherent interconnectedness of the Facebook service’s social graph, any order to cease the processing of Meta Ireland user data in the US would in effect be an order to delete such data. That’s from Meta cited by the EDPB.

It is at least theoretically possible that Meta could come up with new solutions to the problem which would make their processing of EU data in the US compliant with the GDPR, and that’s no longer unlawful. But it’s a different question whether that is realistic, just like Meta said in that statement. The more realistic solution likely comes from the new EU-US data ePrivacy deal and the new EU adequacy decision for the US. And this new adequacy decision would likely make Meta’s transfers of EU data to the US compliant with the GDPR. In other words, the adequacy decision would likely put Meta in a situation in which it starts complying with the Irish DPC decision without doing anything on its own.

Eric Seufert:

And as I hinted at before, we had this dual process. We actually talked about this in the last podcast because I brought it up. Like, what’s going to happen with the EU data transfers, because that was a big open question. And that had been a big open question since last July. People were talking about this. It’s like, “Hey, wait a second, this draft decision, if it got objected to, we don’t think the adequacy decision for the next data transfer framework…” which is called the Trans-Atlantic Data Privacy Framework that’s meant to replace Privacy Shield, well, those decisions tend to take a lot longer than the EDPB tribunal process. And so if the EDPB decision comes down before the new framework gets approved, then there’s going to be an issue.

Okay, so let’s say they get a stay of enforcement on the fine, deletion of data and cessation of data transfers, and then during the appeal process, the Trans-Atlantic Data Privacy Framework does get approved in the adequacy decision, does that invalidate the judgment in this decision? Does that invalidate the decision, they don’t have to do any of those things? Or do they still have to do them, but on a go-forward basis they can resume transfer?

Mikolaj Barczentewicz:

If you think about it commonsensically, not like a lawyer, then it seems very strange, this whole situation. Because it seems that pretty much at the same time as this decision that is prohibiting Meta from transferring personal data to the US, we may get a new EU legal basis for those transfers, which will mean that once that new decision is enforced, then it will actually be again lawful for Meta to transfer personal data. And it’s an interesting question whether the Irish DPC took it into account in, for example, when they were deciding when precisely to circulate the draft decision. Because once you circulate the draft decision, then the timeline is more or less set by the GDPR. So the last moment for the Irish DPC to have controlled the timing of the process was in deciding when exactly to circulate that draft decision.

So they decided to circulate it in July 2022. And in July 2022, and I followed this issue quite closely, it seemed that the new US-EU data protection framework may be in place… I was quite optimistic. I thought that by now it was going to be all done. The draft decision happened before Joe Biden’s executive order 14086 that was in October, but still, there were some leaks and information that the negotiations are being finalized. So it really looked like this was going to be finished. So if I were to speculate about assuming that the Irish DPC didn’t really want to derail EU-US transfers and relationships, and I guess they didn’t, perhaps they just miscalculated slightly. They may have reasonably assumed that this new decision will be in place by now, but actually, it’s still not in place. We know we only have a draft adequacy decision. We have the US executive order and the new regulations that happened last fall, but we don’t have the EU response yet.

Eric Seufert:

And I think I’ve heard the timeline of September being thrown around. Is that just, what, a guess? Or do you think that’s credible?

Mikolaj Barczentewicz:

Well, it’s a guess that I’m going with for now.

Eric Seufert:

Okay. But what happens if the Trans-Atlantic Data Privacy Framework does get the adequacy decision? What happens to Meta? Is the decision basically irrelevant? Do they have to go through the process of deleting the data but then they can resume data transference, so they just bulk delete a bunch of data, but on a go-forward basis they continue to collect it?

Mikolaj Barczentewicz:

Based on the decision, the decision actually tells us that there was a conversation between Meta and the Irish DPC on this point. Meta tried to convince the Irish DPC that actually because of those changes in US law in practice in 2022, it should at least cause a delay to the investigation or they should wait until this new situation, or maybe even just decide that actually the US law has already changed, so take this changed situation into account. But all those arguments were rejected by the Irish DPC because they said, “Our legal duty is only to take the legal situation as it is right now.” And they also said that actually if you look at US law in practice, even though those new regulations are enforced, they are not operational yet.

And that’s a somewhat fun aspect of the new US framework, which is that under the US framework, the US government has to designate foreign countries as so-called qualifying states. So in a sense, there is a new US version of adequacy decisions and they are yet to designate any part of the EU as a qualifying state. So that’s one reason to say that actually it’s still not protecting Europeans. So the US doesn’t have this European adequacy decision, but Europe doesn’t have the American adequacy decision. So because all that hasn’t happened yet, you could say that, at least that’s the Irish DPC’s argument, that Meta is now in breach. This means that even if the situation changes in two, or three months, at least the fine will still be appropriate because it will be a fine for doing something illegal when it was illegal. But the other aspect of the decision, the order to cease processing, I think will be irrelevant if the process gets extended, until the moment when we have this new privacy framework fully in place.

Eric Seufert:

Got it. So we just don’t know, but they might avoid having to delete the data. They’re going to have to pay the fine no matter what, which again, it’s trivial to them.

Mikolaj Barczentewicz:

Who knows if they are going to pay the fine, I assume that… I think they have some good arguments. I am actually not fully happy as a lawyer with those decisions from the EDPB and from the Irish DPC, and I’m looking forward to Meta having their day in court before the EU Court of Justice. Because it could be that, at the very least they will get a bit of a discount on the fine, if not even some agreement on substantive points. So this can get very complex, but I think that it’s really not such a clear-cut case as the authorities are making it. But it is possible, assuming that they don’t go to court or they don’t win, that they may still pay the fine. But I guess the scenario that everyone is hoping for is that they will not need to delete and it will be, in a sense, business as usual.

Eric Seufert:

Okay, so we’ve talked a lot about Meta, we’ve talked a lot about the US, but this doesn’t only apply to Meta and it doesn’t only apply to the US. So what are the broader implications of this decision? Let’s talk about just US-based companies. Let’s talk about Amazon AWS. Any scaled US company or even European company. This is not specific to US-based companies, this is specific to any company that transfers data between the EU and the US. What are the broader implications for this across all of the technology ecosystem? How do companies react to this? What do they have to do in response to this decision, to comply?

Mikolaj Barczentewicz:

That is the real problem here. Technically this decision only applies to Meta, but it is also true that the reasoning in this decision applies more broadly. And actually, there’s already a series of Google Analytics cases from Austria and from France which have to do with transfers, or the legality of transfers of data by using Google Analytics and Google Analytics cookies. And in those cases, the reasoning that those national DPAs adopt is that here you basically can’t really use Google Analytics unless you use some sort of proxy where you make sure that Google doesn’t even get the IPs of the users, and so on. So you need to have those supplemental measures which may actually make you use the Google Analytics framework… Which I remember using a long time ago. Actually, it was probably the best product for web traffic analytics at that time. I don’t know if it still is. So you may need to use those proxies, which may also negate, to a large extent, the benefits of using Google Analytics.

So it really is not just Meta. There is a whole line of enforcement decisions developing where it looks like it may become very difficult for a company to lawfully transfer data, or even… Because we talk about transferring data. In a sense, in many circumstances it’s just relying on services provided to you, especially SaaS provided to you by an American company.

Eric Seufert:

I love talking through the background here because I just think it’s really fascinating. But this is the heart of the discussion. It’s like, well, how do people move forward? And whenever you come to a situation like this… Let’s say that Trans-Atlantic Data Privacy Framework, there’s an adequacy decision in favor. That’s the law of the land. That’s going to get attacked. You’re going to have Schrems III and Schrems IV and Schrems V, and whatever. This is never going to stop. And so the way I’m thinking about now with targeted advertising, and again, this doesn’t relate to that but it seems like a parallel point, I think companies should prepare for the eventuality that you cannot do it in the EU without consent. That feels like a durable long-term solution or just a path forward.

And yeah, sure, there are probably ways to scratch at the margins here until that happens and appealing all this stuff and changing to legitimate interest or whatever, but my sense is… And correct me if you think I’m wrong here, but my sense is that’s the end state, and so I’d rather prepare for that end state than work through a bunch of loopholes and workarounds in the interim. Although, there are probably billions to be made there. You can quantify that. But on this point, it feels like… And Max Schrems said this in July. He said, “Okay, well, here’s how you deal with this, is you set up servers in Europe for European users. And that data never gets sent to the US. You may not commingle that data. You’ve got US data, you’ve got EU data. You’ve got two separate data infrastructures that service those local users, and that’s how you comply.”

Well, okay, that seems like, in the most extreme interpretation of whatever, how to protect these human rights, well, that seems like what you probably have to do. And that seems like it’d be very expensive to do. So if I’m a startup and I’ve got to build separate infrastructure in Europe and the US and I can’t commingle that data, so I can’t think about my users as a global cohort, but they’re actually very siloed cohorts, that’s going to introduce a tremendous amount of complexity into my operations. So is that what you think, and feel free to tell me, “I don’t want to speculate on this,” but is that what you think we’re heading towards? Is that the reality that you think we’re heading towards?

Mikolaj Barczentewicz:

I think you’re being insufficiently pessimistic. Actually, this scenario of when you do this data localization in that sense is still manageable. But there is a scenario that I’m concerned about, which is a scenario that is really not manageable. I actually wrote about this two years ago for this website called Lawfare, and I called it Technical Measures Radical Interpretation of EU Law. Because there is one interpretation of the GDPR which I think is actually quite strong in those decisions on Google Analytics and in this decision on Meta transfers, which is that actually it doesn’t matter if the risk that the US authorities will access user data in a way that’s not protecting fundamental rights if this risk is minuscule, it’s really low. What matters is the theoretical possibility that something nefarious will happen.

And when you start thinking in this somewhat paranoid framework of theoretical possibilities, then you realize that actually, it’s not really full protection that, for example, Meta would have, or Google or anyone else would have servers, data stores just in the EU. Because as long as they have administrative access to their own data centers, they can still be forced or infiltrated by the US intelligence authorities to provide access to those things. Or even you could think about any developer. If you have control of the source code, you can always be forced to install back doors to give access to the NSA and the CIA. So if you think in those terms of theoretical possibility, then there is no limiting principle where to stop from saying simply you just cannot deal with foreigners. And to me, this seems absurd, this seems disproportionate. This also seems to violate some other fundamental rights. So it’s a problem of just the wrong way to balance rights in EU law.

But really it’s not something I made up. It’s a view you see from some privacy activists and academics. And they think that, yeah, that’s just, if we have to just totally Balkanize the internet and put just a new sort of iron curtain between on the Atlantic, that’s fine if that’s what it takes to make us comfortable with this kind of, I would say, one small sphere of potential restrictions of fundamental rights.

Eric Seufert:

Right. I pulled up this article, I’ll link it in the show notes, but yeah, I’m just reading it now. So, just let me quote from it. And this is the article you mentioned. “Among the biggest benefits of using the kinds of cloud services offered by the major providers is that customers have access to state-of-the-art authentication solutions without having to develop them or source them elsewhere, which may come with its own security risks. Such solutions, however, rely on storing encryption keys within the cloud provider’s control.” So, the argument here is like, okay, well, if you take this to the most extreme interpretation, it’s like, well, having those, having access to the encryption keys undermines any segmentation because well, there’s always going to be the option to just access the encryption keys, decrypt the data, and send it right back over.

Mikolaj Barczentewicz:

Yeah. It doesn’t matter where the data is stored.

Eric Seufert:

Yeah. Okay. So, that’s scary.

Mikolaj Barczentewicz:

So, then, if you talk about those, okay, so then, we’re told, so you can adopt supplemental measures. And what are the supplemental measures, those safeguards that can be adopted? Well, you can process, so for example, store or make available the data to someone located in the US only in a way that is fully encrypted. In a sense, so then, you can’t really provide any services. You can only provide really called backup services. That’s the only thing. But anything that we think of services where data is being processed, that’s very difficult to do. Of course, you can think about some sort of zero-knowledge proof solutions and so on, but those things are currently very difficult, computationally intense, and so on. And that’s not going to be a full solution.

I think a real solution really needs to be a political solution that we just find a way to be serious that, well, there is intelligence gathering in the US. There is intelligence gathering in Europe. And there is a community of democratic jurisdictions that more or less share a vision and this nitpicking about some procedural issues. I think there is an argument that the US government keeps making, which is an argument that there are double standards. For example, if you apply the same rules to Germany, or France, or Poland, then you would have to say, “Oh, you can’t transfer data to Germany, France, or Poland.” But because they are in the EU, then we don’t apply those rules, and kind of is the case. What I’m hoping for is, and a realization that we need some sort of an accommodation.

Eric Seufert:

Right. Yeah. Yeah. And can you talk to me about what that would look like? Because it just feels like these data privacy frameworks, they’re going to be challenged every single time. There certainly is a contingent of people who… And this again from my layman’s view. There’s a contingent of people that are not going to be happy until we have, as you said, totally Balkanized the internet. Or I wrote about this recently, called de-globalization of the internet, which is de-globalization essentially of the economy. And there there’s a community of people that are never going to be happy until that has happened in its absolute most extreme form where there is… So, US companies may not operate in the EU and vice versa. So, there’s just a breakdown of global digital trade. So, where’s the reason for hope? Because I would love to have that optimistic message in this podcast.

Mikolaj Barczentewicz:

So, it’s really hard to speculate. Some reasons for hope, you can see that there is political will for accommodation. There is this transatlantic process. We do have a draft adequacy decision. The European Commission is, and I think most of the member states of the European Union, at least the governments, they do want this deal and just kind of this problem to go away. But it’s also true that in a sense, I don’t want to say that they created a monster that they can’t control anymore with the GDPR. But I think there is a problem in the core of the GDPR right now, or at least how it’s being interpreted, that I think in a sense, it lost its soul, I would say. And the soul is that there needs to be some sort of recognition that privacy is not the only important thing. That’s not the only important that we, for example, have rights to free expression, to conduct business. That all those things should be balanced.

So, how naive I am in that, but I am hoping that such arguments may still win before the European courts. So, even if we have all those national data protection authorities with this sort of approach that just knows no limiting principle, then there may still be a hope that the courts will see a need to actually have some sort of a Solomonic solution. Because what’s coming from the DPA is that’s not a Solomonic solution. That’s in a sense, that’s a very strong fundamentalism.

Eric Seufert:

But all the arguments that you outlined about, with the more radical interpretation and the more radical solution, which is to say no, that even if you had servers based here, that’s not the real issue, right? Because there’s always a back door. There’s always access, there’s always some way to access that data. Those have been used against TikTok, right? TikTok’s CEO was in front of the congressional hearing, said, “Look, do you know how much money we’ve spent on Project Texas to move the data centers to the US?” And that’s the exact same arguments that you’ve heard. Well, sure, you did that, but you’re going to build a back door. There’s no way to avoid that. And I guess that’s fair. Sure, that’s true. And yeah, there are theoretical harms that seem like not real practical concerns, but nonetheless, they’re theoretically possible.

And so, how much of this boils down to jingoism and politics versus credible risk? I don’t have a fully formed opinion on the TikTok thing. I think just banning it’s the wrong way to approach it. But I think we should encourage these solutions that do make a credible effort to ensure that these safeguards exist. Because I don’t use TikTok. I won’t use TikTok. I just won’t. I won’t have it on my phone. If someone sends me a TikTok link that’ll even open the browser, I won’t open it. So, I have that concern. That’s a real genuine concern in my mind. And that’s a personal opinion of mine. I don’t advocate for that, but that’s a personal decision I’ve made. So, I’m sensitive to those risks. I just feel like this, when you think about the broader economic implications of this, it feels very, very risky to take these very Draconian radical positions.

And even with the EU data transfer stuff, again, last July, Politico came out with this piece, which is what clued me into this risk, which was like, hey, the Irish DPC issued this decision. It’s going into the process. This might not get resolved before the adequacy decision. So, there may actually be this blackout period, and there may be this decision that’s extreme. And I remember thinking, ah, no one wants that. No one really wants that. And it turns out, well, no, they did. They made the decision. So, how much of this is just down to politics versus a credible interpretation or just almost like an accounting of the risks?

Mikolaj Barczentewicz:

So, I’m not sure it’s even really good politics. I really don’t see… Maybe I just talk to the wrong people in Europe. I’m European, I live in Europe, and I just don’t see how this interpretation that we just decouple our internet and American internet would have any serious support. The reason why the DPAs, the data protection authorities can do what they do is that, well, for now, it’s mostly just issuing fines, and it still doesn’t have that much effect on people’s capacity to use the services like. But I’m not sure there would be that much support for it if people were told, “Oh, okay, you can’t use Facebook.” There may be a slightly different consideration regarding TikTok because perhaps there is a stronger and there are some political points also to be made on, given that this is a, at least China affiliated, China-adjacent company. I think they claim to be international-based in Singapore if I’m not mistaken. So, it’s a bit different.

For the US, I think it’s really an issue of trust. And I think this sort of accommodation based on trust and common values is really the way to go. With China, my personal approach would be to at least allow the solutions we can do in a zero-trust environment. Zero trust is a popular term in cybersecurity, but that generally denotes the idea that at least sometimes, you can operate with respect to other services and other protocols, you operate with as if you always assume that they are compromised or trying to attack you. So, there are methods and frameworks to deal in that situation. And if we can implement that, I think it may work. Whether we should have this broader trust arrangement with China, I think that’s more difficult. And I also probably need to think about it more just as you said.

Eric Seufert:

Yeah. These are complex circumstances. This is not any sort of easy solution. To my mind, I would out-of-hand dismiss an easy solution because the easy solution is probably not going to be what best navigates these trade-offs. It’s why I get a little irritated with… You just have to split up into a multitude of different internets. Well, you could take that to an extreme. Okay, well, then what happens? Let’s say we do that, and there’s an American internet and EU internet. How long is there an EU internet? Then, you say, “Well, no, there shouldn’t be an EU internet. It should be a Polish internet, a German internet, and a French internet.” You could take that to an extreme, and they can’t talk to each other. Okay. Talk to me about the last point here: what are we waiting on to fully interpret the gravity of this decision? Is it the appeals process? Is it the adequacy decision or are we waiting on anything? We recognize, okay, the asteroid has impacted.

Mikolaj Barczentewicz:

So, first, we are waiting for the adequacy decision, and I will be surprised if it doesn’t come soon. And I think I will still be surprised if it doesn’t come soon enough to render this kind of irrelevant other than the fine issue. But the second thing that we will be waiting for is what happens with the adequacy decision. So, assuming that it’ll be challenged, and we will get something like a Schrems III case and judgment from the EU Court of Justice, then that’s a big question. What will the court say? Some people seem very convinced that obviously, the court will invalidate this adequacy decision. I both hope, and I think I have some good arguments why the court should not do that and may decide not to do it. And if the court decides not to do it, then we may get some guidance, a slightly different approach to understanding the GDPR in the context of exchanging data with other democratic countries. So, that’s one important aspect.

But in this less likely or I think unlikely scenario that the adequacy decision does not come soon enough, then we would need clarity on, for example, what it would mean for Meta to cease processing of this transfer data. It’s not even that clear what it would mean for them to delete the data. Do they have to delete user accounts or do they just delete data from American servers? Is that enough? It seems easy, but actually, it’s not at all. And then, of course, in the absence of an adequacy decision, then I think we would see a massive attack along the lines of the Google Analytics cases and the Meta case on all sorts of transfers of data to the US. In some countries, the national authorities will be a bit more reasonable, I would say. But in some countries, they would probably go full-on with even this very radical interpretation that I mentioned before. So, a lot can happen. I’m still optimistic that reason can prevail, but so watch this space.

Eric Seufert:

So, just to underscore that point. I don’t want to get stuck here, but every American company was essentially using SCCs to transfer data from the EU to the US. So, yeah, it’s this decision related to Meta, but ultimately, the consequences will apply to essentially every large-scale American tech company. So, they all kind of have to figure out how to respond. So, it’s not just a Meta issue, it’s everybody’s issue because they were all using SCCs.

Mikolaj Barczentewicz:

I think so. So, some people may have this hope that there is one kind of, not small print, but one paragraph in one of the EDPB guidelines that says that actually, well, you may still be able to transfer data even without those supplementary measures, like full-on encryption, if you have reasons, and document those reasons, to believe that your users will not be subject to, for example, something like PRISM. So, Meta, I think, was trying to make that argument. That’s what the Irish decision tells us. But then, the Irish DPC said, “Well, but you told us that actually, you did receive FISA 702 orders or requests and that you had to comply.” And the Irish DPC then didn’t seem that interested in how common this was. Even if it was like 0.0000 of a percent of users that were ever affected, that did not matter. So, some companies who have not yet received those requests may feel like, okay, so that doesn’t touch us. But I’m not sure that this window will actually be that wide. So, I wouldn’t put my trust in that too much.

Eric Seufert:

And then, just about the encryption point, there’s been resistance by, well, not in continental Europe that I know of, but by the UK to having these companies adopt end-to-end encryption because then, they can’t see what people are doing.

Mikolaj Barczentewicz:

But that’s just beautiful.

Eric Seufert:

So, it’s like, well, you can’t end-to-end encrypt this because, if you send it to the US, it would be out of reach of the prying eyes of the NSA, but then, we couldn’t see it on your device here. So, there’s like the resistance domestically to say, “No, don’t do end-to-end encryption. We don’t want the Americans spying on your data, but we want to spy on it.”

Well, Mikolaj, this is a fantastic discussion. Thank you so much for coming on again and explaining this complex, very, very complex situation to the listeners. Can you just tell people where they can find you? How can people follow you?

Mikolaj Barczentewicz:

So, I have my website, which is my surname dot com. I guess you can link that, and I do have my Twitter profile where I tweet about these sorts of issues. So, if anyone’s interested, please follow.

Eric Seufert:

Yeah, and I can say that Mikolaj’s Twitter was a must-follow around the time of this decision being announced. It helped to clarify my thinking a lot. Mikolaj, thank you so much. I hope you enjoy your weekend.

Mikolaj Barczentewicz:

Thank you.
