PROBABLY PRIVATE

Meta's Mega-GDPR-Fine and Data Sovereignty

Last week, the Irish data protection authorities issued Meta a 1B£ / 1.2B€ / $1.3B fine for violation of GDPR for transferring large quantities of personal data from European residents to the US. This is in direct violation of the invalidation of the US-EU Privacy Shield, which I covered in my first ever newsletter.

This fine sets a new precedent for both GDPR enforcement as well as thinking through problems of data sovereignty. Let's break down why this fine occurred and how to think about it as a technologist.

You probably already know how the internet is architected, with cables and data centers, many of which we rename "the cloud", but that have actual physical servers running in a large, secure, cooled room. These data centers are run by an increasingly smaller number of companies and persons, which is causing some interesting new problems for privacy, including the fact that "migrating to the cloud" means "migrating to someone else's servers".

A high concentration of leading cloud providers have large capacity in the US, and US-linked data or account redundancy (i.e. account backup, storage details), which are literally baked into the network design and cannot be changed without significant effort. This means that massive quantities of data from around the world flow into the US, with some exceptions largely built to comply with data sovereignty laws.

What is data sovereignty? It's a political and legal mandate for data to remain in the country (or region in the case of the EU) where it was created. There's been an increasing push from many politicians for creating data sovereignty laws, and reducing the reliance of foreign-based compute power. Part of this push increased after the Snowden leaked information about the NSA surveillance of US internet traffic (yes, even HTTPS). (See: PRISM or the IAPP's Summary of the Schrems II Court Ruling)

Max Schrems, who leads noyb (my data is none of your business), brought and won two cases against the US-EU data transfers, invalidating the previously allowed legal agreements. These legal agreements provided justification for data transfer and were first invalidated by the so-called Schrems I ruling in 2015 and again by Schrems II in 2020. Schrems and his team supported the current Meta fine with testimonials and evidence explaining the NSA surveillance mechanisms as well as the large transfers of European resident personal data to Facebook, Whatsapp and Instagram servers in the US. Other privacy groups, legal representatives and Meta also submitted significant evidence to the court. The court ruled in favor of halting unprotected personal data flows to the US, based on this evidence.

Zooming back out: what does the ruling mean for you? First off, you probably need to learn more about how internet flows work and how to imagine a world where EU data stays in the EU. And how you might extend this to other nations as well, as data sovereignty is also a measure of China's privacy law passed in 2021. In fact, thinking through localization of data is a good idea to build a forward-thinking way of managing distributed architecture. If thinking about data centers and internet backbones is new to you, stay tuned as I have an upcoming article series on how the internet works and what it means for individual privacy!

This ruling also highlights the importance of end-to-end (e2e) encryption, where users control their keys using advanced protocols, like the Signal protocol, as that could have been an example of offering better protections for those data flows. Sadly, e2e encryption has been under attack in Europe and the US recently, bringing up the privacy and security conversation. Many privacy and security experts do not believe that these goals are a zero-sum game, and that there are better ways to fight child abuse and terrorism than by breaking encryption guarantees.

Given that your architecture is likely not built with data sovereignty in mind, what can you do now, practically?

1. If you collect data in Europe and send it to the US, run a risk analysis with your team on the sensitivity of the data and flows. Determine if you'd like to mitigate risks now and how to prioritize the found risks. If you cannot yet answer these questions, it's time to invest in your data governance plan to appropriately document your current data and more easily identify risk.

2. If you are mainly based in a particular region, investigate cloud providers that operate locally. Can the data stay local? How would it affect current running systems? What would the providers need to offer? Start conversations with those operators with an idea that feature requests now might take 1-2 years to fulfill. Note that some large cloud providers are also starting to offer localization options.

3. Diagram your architecture with regards to actual physical data centers. This can be a fun team exercise to begin thinking through things like latency, compute cost and redundancy! It will also help you determine if your architecture is already private by design or if you might need to make some shifts due to the underlying systems and services. If you are willing to share your results, feel free to ping me with them, or post them and tag me!

A final note: regulation is not going away, and rulings like these will not stop. Preparing yourself now and starting conversations early can set you, your team and your organization up for lower risk as the regulatory environment continues to shift.

Ask: Would you be interested in short video summaries of data protection rulings, explained for technologists? I am thinking of starting a small series to help folks navigate these questions and share some of the great judicial zingers found if you read through the 100 page decisions... 😉

Ethical E-Commerce Summit: Finding Inspiration and New Pathways

I recently attended the ethical e-commerce summit in London, which was such an enlightening and inspiring experience, I thought I'd share it here. It sometimes can feel like working in privacy is only focusing on the negative or risk side, so I want to make sure y'all also see the deeply inspiring and motivating parts of this work.

The conference attendees and speakers were a mix of data ethicists, folks from ethical and sustainable design and e-commerce, including new advertising and e-commerce platforms which focus on privacy-first advertising. Let me summarize a few of my takeaways from the conversations there.

1. Privacy-first ads: What if we empowered customers to find what they want AND offered better privacy and consent controls? One of the things I touched upon in my talk was ephemeral intent-based advertising, where user profiles are no longer the core of the "personalization" of ads. Imagine an experience where based on the actions of a particular session, we were able to predict and show better content or purchasing choices. Imagine that these were not stored and saved forever in order to recommend similar content later.

2. Exploring new patterns in search: I had a chance to speak with several folks at the conference who referenced the personalization paradox, explaining how what we show directly influences the behavior of a user and can create a self-reinforcing feedback system. A talk that stuck with me on breaking out of this loop was Andreas Wagner's talk on exploitative and exploratory search patterns — applying reinforcement learning ideas to search, which offers more privacy and playful exploration based on the actual search space (here: product catalog).

3. Diversifying the ad landscape: Being surrounded by folks who are directly impacted by negative effects of the current ad landscape (i.e. lack of ad platform transparency, centralization of small business data on ad platforms and inability to reach potential customers except through these platforms) is an important reminder of the centralization of user experience on the internet. Diversifying this experience could create more privacy, better outcomes for small- and mid-sized businesses and empower customers to more easily find what they actually want.

These conversations were quite inspiring; I want to thank the organizers at Ethical Alliance and Empathy. If you've never attended a conference focused on ethics or privacy, I can recommend it! It's wonderful to start the conversation from a shared understanding and set of values, and see where it goes from there.

Upcoming Speaking Events: May and June 2023

Conferences are back in full-effect! 🎊 Here's where I'll be in the next few weeks.

• Flower Federated Learning Summit on May 30-31 in Cambridge, UK.
• EU Privacy Forum on June 1-2 in Lyon, France.
• Online O'Reilly Webinar: Using Privacy Technologies as Competitive Edge online on June 7th.
• Book signings in Berlin on June 9th and at GOTO Amsterdam on June 29th
• Coming Soon: "What is Privacy Engineering?" Video Series with privacy engineers, stay tuned!

Please drop me a line or come say hi if you'll be in attendance. I'll be sending updates in future newsletters and on social media, in case you want to follow along.

I hope to see you at an upcoming event (online or in-person), and am excited to hear any and all feedback about the book. If you want to post a review on LinkedIn or other socials and tag me, I will be happy to re-share. 🎉

In terms of upcoming newsletters, here is a backlog:

• Building a personalized RSS reader & recommender
• Internet Privacy Primer
• How does encrypted computation work?

If you have a strong preference on the order, ping me and I'll try to prioritize. If there's a pressing topic or question you have related to the book or my work, please reply and let me know.

Cheers from Flower Summit in Cambridge 🎓