For decades, people have proclaimed the now-common refrain that “privacy is dead.” I often think back to Scott McNealy, then CEO at Sun Microsystems, claiming in 1999 that “you have zero privacy anyway… get over it.”
I wouldn’t go as far as saying that leaders at startups hold such a strong disregard for privacy, but I do find many taking the stance that the world’s strictest data privacy laws don’t apply to them. If you fall into this category, you ought to know that privacy isn’t dead, and a new era of privacy is being quietly ushered in across Europe.
Earlier this year the European Commission (EC) issued its long-awaited update to the ‘Standard Contractual Clauses’ (SCCs), which represent the most frequently used mechanism to transfer your customers’ personal data out of the EU, including to the US.
If you’re a business that operates in or with Europe, these new updates – and the constantly shifting privacy landscape more generally – matter. Following them incorrectly, or not taking them seriously at all, can be extremely costly.
So, let’s look at some of these new privacy updates in more detail and I’ll then share some lessons I learned while working on privacy issues at a startup that processes vast amounts of user data.
A new era of privacy, and the fine print you probably missed
The question of where your data exists and who has access to it is becoming one of the most complex and significant questions in startup land.
On the one hand, the booming SaaS startup ecosystem means that we are now more reliant than ever on the cloud, where servers often reside abroad. On the other, there are ever-changing regional data rights as different jurisdictions embrace data sovereignty and privacy rights for users.
This friction has now made its way to the courts, and just last year the EU issued a ruling (dubbed ‘Schrems II’) that invalidated the ‘Privacy Shield,’ the mechanism that was being used to get data out of Europe and into American data centers for processing. Then came the update to the SCCs.
The basic premise of this update was to bring in new SCCs to govern the transfer of personal data from the EU to third countries, designed to better protect Europeans from mass surveillance, a particular concern with regard to the US.
If you’re operating in or doing business with European residents, international data flows are probably an essential part of your business in an increasingly digital global economy. You might not even be aware that your digital product relies on microservices from a partner that sees user data processed in a third country.
Let’s take, for example, our product at Mixpanel. We provide SaaS-based product analytics technology, which, by its nature, tracks user behavior within apps so product experts can improve the user experience.
If you use our product, until recently you’d have been sending data to us that was processed in the US, perhaps without fully realizing the implications. We’ve now got full EU data residency to overcome this issue, but we’re very much in the minority.
And this should be the number one issue concerning startups. Has our surface area for liability and risk just been hugely expanded? If I put this in simpler terms: you’re a fintech that has contracts with seven companies providing services via APIs. Those seven companies also contract with a further 10 companies each, which now means your risk surface has expanded from seven companies to 70.
So, what can busy startups do to reduce their risk and ensure they’re delivering on privacy obligations for the people that use their services?
In my view, there are three golden rules that can help a startup navigate this complexity.
- Locate user data in Europe whenever possible: Depending on your infrastructure and ability to invest, you’ll need to form a judgment as to whether you can ensure your users’ data is stored and processed exclusively in Europe.
- Always maintain a ‘data map’: It is vital to conduct an “audit” of the microservices and ancillary support services that underpin your main products. In doing so, you can better understand that data ecosystem and your risk surface across third-party suppliers.
- Seek European legal entities as partners: It’s possible authorities in the US could access data that was in the Netherlands, but was operated by a US-based company. The contracting party matters, so it’s important to partner with legal entities across different regional operations based in the EU.
There’s simply no avoiding this issue in the long term. People increasingly care about data privacy and with the changes to the SCCs the EU has further signaled the importance it attaches to data residency. With local regulators soon to release their guidance and interpretation within member states, now is the time to act.
The movement for improved privacy isn’t dead, it’s just getting started.