Welcome to Tech Stuff, a production from I Heart Radio. Hey there, and welcome to tech Stuff. I'm your host Jonathan Strickland. I'm an executive producer with I Heart Radio. And how the tech are you so? Not long ago, David Meyer wrote a piece titled even Facebook's critics don't grasp how much troubled meta is in and he wrote it for Fast Company. And if you've been keeping up with meta slash Facebook, you probably have a long list of things that Meyer could have been referring to. Could it be that various governments, such as the United States are frequently scrutinizing meta and calling company leaders to appear before legislative bodies to answer tough questions. Could it be the fact that TikTok continues to dominate as the social platform favored by younger people, meaning that meta slash Facebook's user base is slowly aging out and it's not replacing it when new younger users. Is it that the company jumped the gun in an effort to be the front runner to define whatever the heck the metaverse is going to be? Well, all of those are factors that should be matters of concern for Facebook executives and for shareholders. But what Meyer was talking about with something else, something involving privacy and the law and a change that happened a couple of years ago that has affected everything. So on July twenty twenty, the European Union's Court of Justice made a decision that would have enormous consequences. It concluded that an earlier data transfer process called the EU US Privacy Shield was not sufficient to protect the private data of EU citizens, and that it would thus be struck down. It would be invalidated. This has massive repercussions for companies like Meta, not just Mata, in fact, as repercussions for any company that operates within the EU, but in fact has it's you know, any kind of data transfers that exit the EU. So Mark Zuckerberg said essentially that unless the EU changes the stance or makes an exception for the company, platforms like Facebook and Instagram will have to pull out of the European Union. That sounds kind of like they're making a threat, right, like somehow you know Zuckerberg saying, Hey, if you don't play by my rules, I'm taking my ball and going home. But really this is more of a plea. It's really more, please, please, please don't do this, because I can't do my thing if you do. So. Today I thought I would talk about what the privacy shield was, why it existed, why the EU decided it wasn't sufficient, what they're planning in its place, and what all this means for come Benese like Meta. To do that, we actually have to look back at the history of the EU and its stands on data privacy and security. Now, depending on how you look at it, the EU really traces its history back to the conclusion of World War Two, but the single market that we would refer to as the European Union would not formally emerge until nine Now. Around that same time, there was a growing general awareness about the Internet, in large part helped by the introduction of something new called the Worldwide Web, and it would take a few years for the Web and the Internet at large to really gain a foothold in the minds of the mainstream public, but some leaders in the EU were already dealing with concepts like data privacy. Data privacy doesn't just require you know, digital transfers, right like, you don't have to have that be part of the process for data privacy to be a concern, and in fact, the countries that made up the European Union had already been concerned about protecting EU citizen privacy when dealing with companies that existed outside the European Union. How can you guarantee that their private data remains safe when it's going into the hands of companies that aren't based in the European Union itself. That had already been a concern, but the EU member states knew that there needed to be put in place laws that could protect citizen data, that there are fundamental rights associated with data that have to be protected. To that end, the EU built upon an earlier, non binding list of guiding principles relating to protecting citizen information. These principles included pretty common stuff like alerting someone as to win their data would be collected, a requesting consent before the disclose that information to some other party. So if you were to collect an e uses and information, you would then have to get their consent before you could share it with someone else, and various other concepts that are pretty common to what we see in in privacy protection laws. They had been around before the rise of the Internet, but because they were non binding, they didn't really have any teeth to them. It was like, it would be nice if everyone agreed to obey these things, but there was no requirement to do so. The EU decided to formally establish data privacy rules, though these would have limitations to which we'll talk about and that. These rules became known as the Data Protection Directive or dp D. This directive set out the parameters for when and how entities would be allowed to collect European Union citizen information and how they could use it. Specifically, you know, how they would be allowed to use it if it required a transfer outside the EU and U, and also how they were to alert citizens of things like collecting their data. Each member's state of the EU was responsible for establishing a supervisory department to make sure that all parties were complying with this directive, and the directive stated that the only time data could be shared with countries outside the European Union is when those countries could adequately protect the data's security. So if a if a country or company was unable to do that, then by this directive, it would not be allowed to transfer information outside the EU now right away. These rules created challenges both within and without the EU and when you really break it all down, all traffic on the Internet is information, and a lot of that information ends up including personal identification information or at least personally identify alable information. So you might argue that personal information should only include stuff like, you know, a legal information like a person's name, or their address, or their birth date or maybe the hospital where they were born. That kind of stuff. You know, information that relates directly to that individual, and when you take this information in a hole, it's more or less unique to that person. I have to say more or less simply because you know, weird stuff. Anyway, that kind of information is absolutely important. It is worthy of being protected, and it's very easy to define. Right. You could say, this information directly corresponds to this individual, therefore we need to protect it. But then there's also other information that, well, not specifically about a particular individual, could collectively identify that person all the same, So an IP address could be part of that. You might argue that's personal information, or you might argue, well, IP addresses aren't fully reliable because you could use something like a VPN which would hide your IP address, so you can't just rely on that to identify a person. However, it falls into this gray area. But then there's stuff like the person's browsing behaviors, you know, what they like, what they don't like, how long they stay on a page. All of these things can actually start to create a digital fingerprint that points to a specific person. And it sounds wild, but it really doesn't take that many points of data to narrow down folks and figure out who created those data points. In the old days, doing that would have been tough simply because you're talking about a lot of data being generated and then trying to suss out what is signaled based on all the noise, you know, to actually analyze that information to get something useful out of it. It was a time consuming process and it just you know, when you look at it from a return on investment standpoint. In the old days, it just it makes sense, right, unless you were going after someone specific for nefarious purposes. You wouldn't do that for just anybody because it was too much effort. However, we have gotten a lot better at analyzing enormous data sets in a short amount of time using things like artificial intelligence and machine learning and various algorithms, so this has become less of an obstacle. It's not like science fiction level yet, but it's pretty darn close. So now some of the technical restrictions that meant we didn't have to worry about this so much in the past aren't really a thing anymore. Anyway, The euse directive meant that the United States, that the country you know, where the Internet got its start, would need to figure out a way to comply with this set of rules if it wanted to allow information to pass between the US and the EU. Because a lot of these companies, their servers all exist within the United States, so by the nature of their business this any any information that would be coming from the European Union would have to go across the Atlantic to a server in the US. To that end, some EU officials began to piece together what would become known as the International Safe Harbor Privacy Principles. Now we're going to take a quick break, but when we come back, I'll talk a bit about Safe Harbor, what it was meant to do, and why it no longer is a thing. But first, these messages, the International Safe Harbor Privacy Principles. What the heck was this? Well, it was a program that US companies could apply to join. The companies would apply for certification, and that certification essentially said these companies are taking the necessary steps to protect user data so they can be considered to be compliant with the Data Protection Directive that the EU had obviously passed. So ultimately, the goal here was to prevent the accidental disclosure of EU citizen private information that happened to be stored on servers within the United States so it's outside the e use control. This was the system by which companies would guarantee they would make sure that data would remain safe. The Safe Harbor system became effective in two thousand. It took several years for it to formalize and then to be enacted, and US companies that receive certification under Safe Harbor and then registered with the EU would be allowed to operate things that would transfer data between the U S and EU without much trouble. Oh and in order to qualify, those companies would also have to be companies that were regulated by the United States FTC, Federal Trade Commission, or the Department of Transportation. Those were the only companies that could qualify for Safe Harbor. Anything that didn't fall into those categories was an exception, and that actually cuts back on a lot of businesses, believe it or not. Now, something that I'm sure will not surprise many of you out there is that various reviews that were done on this system showed that a lot of the participating US companies were not complying with the program, at least not to the extent that they should. Companies were found to be reluctant to actually enforce the principles defined by the Safe Harbor program, and questions arose as to whether or not the industry could really be self regulating, like can we trust these companies to regulate themselves? And of course we can't. All right, so quick side rant, But this applies directly to the topic. So, the currency of the modern world isn't bitcoin, It's not any other cryptocurrency because it goes a level deeper than that. The currency of the modern world is information. Data is valuable you or data is valuable. If it weren't companies like Meta Slash, Facebook or Google, they wouldn't even exist if your data had no value. These companies depend upon us generating information, which the companies can then leverage in various ways. Now, an obvious way they do this is through advertising, specifically targeted advertising. You know, by analyzing the information I generate, a platform like Facebook or Google can suss out what matters to me and to compare my experience with ads that are more likely to get my attention and my action. That is money right there that is incredibly valuable to these platforms. It's incredibly valuable to the advertisers and to their clients. So my information does have value. Yours does too. But even beyond targeted advertising, this information has incredible value. Through real time analysis of browsing data across millions or hundreds of millions of users, platforms can detect and respond to trends before anyone is even aware that there is a trend there. So I think back to the description of chaos theory that says, imagine the flap of butterflies wings in South America setting into motion the variables that are necessary to generate a typhoon that hits Southeast Asia. That it without that one instigating event, the variables are not in the right place to make that happen. Well, think for a moment about how many people use platforms like Google or Amazon or Facebook individually that users. Data is valuable, right, but collectively across all users, that can drive corporate strategy. So there should be absolutely no surprise that companies are eager to exploit information personal information. It's key to their business model and their success. Which is why it's also not a big surprise that a lot of companies were slacking off when it came to self regulation and complying with the principles of safe harbor. If the companies could get away with it, if they could operate without having to actually worry about complying with these rules, then they do it. And I'm sure there were no shortage of companies that weren't being outright nefarious or flaunting the law or anything like that. But we're falling short of holding up to their end of the bargain, you know, because it's also hard to do. It's hard to pull off and still do business in a way that is cost effective. Right, in order to comply with these rules, you do have to spend some money, honestly, was what it really comes down to. It might not be money money, it might be more assets and resources or time or whatever, but it's ultimately a cost. Whatever the reason, it was clear that this particular approach to protecting information wasn't sufficient if the EU actually wanted to keep EU citizen information secure and servers that weren't even in the European Union all right. Flash forward to two thousand and twelve, the EU decided it needed to take another stab at creating a unified data protection law to replace the Data Protection Directive. So the Director had ultimately been too lucy goosey, and that meant that different member nations had different principles and enforcement strategies. It was two piecemeal and it wasn't unified the way a European Union needed to be. So this new law would resolve the various differences between the different implementations and the member states of the EU and create a more coherent policy that it was EU wide and would protect citizen data privacy. That took four years two actually formalize, but in April fourteen sixteen, the EU approved the new set of rules called the General Data Protection Regulation or g d p R, and this became a truly huge deal for any company outside the EU that wanted to do business inside the EU, particularly for Internet based companies. The rules covered any entity that processed or transmitted data from within the EU to somewhere else. A whole bunch of other stuff was in those rules too, But I've done episodes about g d p R in the past, so we're just gonna say this was a more broad, sweeping, and yet unified approach to data privacy, and it created big old headaches for companies around the world to ensure that they were compliant with g DPR. In fact, to this day, that's still a big thing. Ultimately, that's at the heart of the meta problem we were talking about. It was g d p R that would necessitate things like a pop up message that would alert users to a sites reliance on web cookies, for example, because that's a type of tracking. It would also require foreign services to expressly ask for the consent of users in order to collect their data. And you know, companies tried to find in different creative ways to get around that to maximize the number of people who had quote unquote uh agree to this by making it a difficult thing to opt out of. That doesn't fly very well on the g d PR. There are a lot of regulatory agencies that pounce on that kind of practice. They're also supposed to explain how information is going to be used, and to give people the opportunity to opt out of any data collection and that kind of thing. So the g d p R replaced the Data Protection Directive and became enforceable in all right now in the meantime where that was happening, the Safe Harbor Principles, which remember this was a framework that companies could follow in order to be considered UH safe under g d p R rules that had already been invalidated by the EU in ten They said, well, you know, Data Protection Directive is not sufficient and Safe Harbor, which was designed to work within Data protet Action Directive that by extension, is not sufficient, so it doesn't apply anymore. It was not robust enough to satisfy the requirements of the upcoming g DPR. So the European Commission and the United States government negotiated a new political agreement to codify rules on how commercial transatlantic exchanges of personal information from EU citizens to U S servers could actually happen. Those rules would become known as the EU US Privacy Shield. Like the Safe Harbor Principles, this was really meant to create a framework in which companies could operate legally within the European Union. US companies that gather user data would have to comply with this set of rules in order to make services available to citizens in the EU, Otherwise they would be violating privacy law in Europe. Like the previous system, the Privacy Shield includes guiding principles that all organizations are expected to follow. While it beefed up some other protections incorporated into the previous systems, critics were worried that there were still some big gaps in the Privacy Shield process and that ultimately it would get challenged and struck down by the European Commission, and those concerns likely went into overdrive in twenty seventeen when then President Donald Trump signed an executive order that denied US privacy protections to anyone who is not a US citizen or resident. So, in other words, according to that executive order, US companies would not be held accountable for guaranteeing data privacy and security for any non US citizens or residents. Considering that g DPR demands that any entity that transfers e U citizen data overseas must protect that information, that was a problem. By the way. Joe Biden would later rescind that executive order in one but by then things that already changed in Europe. So we're going to talk about those chain ages and how Privacy Shield would follow in the footsteps of Safe Harbor and get invalidated after we come back from these messages. So, as I was alluding before the break the critics of the Privacy Shield process who said this is not going to be seen as sufficient, that we're absolutely right. The EU Commission reviewed the Privacy Shield policy in twenty and determined that it was not enough to protect EU citizen private data and struck it down. Specifically, there were concerns that the US government would be able to conduct surveillance on EU citizen data and that under EU law that was a violation of of human rights and freedom rights of EU citizens. So there was a need to formulate yet another data privacy framework that would address this issue, and that's kind of where we are now. See, without a framework, it becomes very difficult to do business in the European Union. The framework, you know, it smooths things out, it speeds things up because it's it's one point one system that companies in say, well specifically the United States, can go through in order to qualify to do business in the EU and be considered compliant with the rules of g d p R. So this new framework is still taking shape. It doesn't exist yet, it is in the process of existing, and it will take even longer for the EU to formalize and adopt and enforce that rule once it is finished. In the meantime, we're in an era where things are really unstable now. One way companies have managed to continue to operate in the absence of a formal framework is to file what are called standard contractual clauses or sc c s with the EU. You can think of this as essentially being a legal agreement, and that this legal agreement provides a guarantee that the non EU company is taking pains to conform to g d p R requirements, so it's essentially saying, you know, we're obeying the rules. Securing sccs can be time consuming and it isn't a smooth process, at least not as smooth as being able to just apply to a framework like Privacy Shield or Safe Harbor, so it can be a bit of a headache. And now let's talk about Ireland and its Data Protection Commission or DPC, because this relates directly to the Meta story. The DPC determined back in twenty that two of Meta's platforms, namely face Book and Instagram, relied on a data controller that could not provide a guarantee that data from Irish citizens would be protected from US government surveillance, and so by extension that would violate data privacy laws in the EU. That would also mean that Meta would not qualify for an sc C, at least in terms of Facebook and Instagram. WhatsApp, a totally different platform, uses a completely different data controller and is not part of this like WhatsApp, can operate in the EU find because it is not subject to the same vulnerabilities that Facebook and Instagram are. Then, last month, which for those listening in the future would be July of two thousand twenty two, the DPC, this regulatory agency in Ireland, filed an updated draft order to shut down Instagram and Facebook services in the U and filed that with other regulators within the EU. So the other member states that have regulated Tory agencies, they all received a filing of this updated draft decision. While the contents of that order weren't made entirely public, it did become clear that DPC was telling other regulators that they should halt Facebook and Instagram's ability to transfer EU citizen data to the US because it could not guarantee safety against US surveillance. This would effectively shut down Facebook and Instagram within the European Union and to EU citizens. So let's get into some complicated political stuff now. Under Article sixty of the g d p R, the rest of the EU's data protection agencies have four weeks from that filing to comment on the dpc's conclusion. Uh. Those four weeks are up this week, by the way. So if after four weeks there are no objections to the dpc's decision, which is again to essentially shutter Facebook and Instagram within the EU, that decision then becomes binding YEWSA. Now, if there are objections, which you know likely there are some, then the DPC, the Irish regulatory agency, has two weeks to respond and address any objections, or alternatively, they can choose not to change anything and just submit their decision to the European Data Protection Board or e d p B. This is like the overall regulatory agency the agency of regulatory agencies, and the e d p B would then decide whether or not the decision should apply across the European Union. The e d p B, which by the way is hard to say quickly, would have one month to make that decision, uh, though it could also request a month extension if the board determined that the matter is complicated enough to warrant more consideration, So two months maximum to decide on this matter. At that point, After a month or two months if it's extended, the board would go to a vote. If the vote passes in either direction by two thirds majority, then that's the decision. So you have to have a two thirds majority for there to be a clear decision on the matter. If it doesn't get two thirds, then the whole thing is given another two weeks of debate and then it goes to another vote, and then this one just requires a simple majority. So it does get bureaucratically complicated. If like all of this plays out, now, will that happen? That's hard to say. Let's take a few different scenarios in turn. So Ireland's DPC filed the decision in early July, it's already been four weeks. So if no other data protection agency in the EU has objected to the dpc's conclusion whom the decision becomes binding and will know really soon. If some data protection agency objected, well, then that adds another two weeks for the DPC to respond, at which point, if there are no other objections, boom, decision becomes binding or the DPC might submit this decision to the overall agency, the e d p B. And boy, how do these initialisms are really getting clunky? And the e d p B would have at least one month at most two to come to a vote on the matter. If the vote fails to gain two thirds majority in either direction, then again another two weeks and then it goes to another vote with majority rules. Meta has indicated that it might have to shut down its services of Facebook and Instagram in the EU anyway, at least until the new framework takes effect. The new framework is called the Transatlantic Data Privacy Framework, and even then it's uncertain because, after all, the European Commission has already determined that two seating frameworks, safe Harbor and Privacy Shield, that were meant to be in in compliance with EU law, we're lacking and both of those got struck down, So there's no guarantee that the same thing would not happen yet. Again, this raises the question if it's even possible for a company like Meta to operate these services in the EU, at least the way it has been doing without a massive overhaul and its data handling services. Maybe if Meta were to establish EU centric servers that were separate from everything else, it was not sending EU data to any place outside the European Union. It was like a EU specific version of Facebook and an EU specific version of Instagram. Maybe then it would be fine, but that would be kind of ridiculous. Also, I have a feeling that a lot of users would be upset that they wouldn't be able to access or interact with stuff outside the EU. Or if Meta were able to guarantee that it's, you know, the the agencies that are handling data from the EU to the US were in fact, uh protected against US surveillance, then maybe it would be all right. But it can't, at least not now. Now. It's possible that this new framework, once enacted, would allow METTA to continue operating Facebook and Instagram within the EU through some sort of exception, though again there's no guarantee that this framework will withstand court scrutiny. Over time. This is the situation that Meyer referred to in that article in Fast Company that Meta may have no choice but to stop offering Facebook and Instagram services to EU citizens. Meyer also quotes a Facebook investor named Robert mcnami who snarkily said that this could be a real disaster for Meta because users would soon figure out that they're much better off without access to those platforms. I happen to agree with macnamy as someone who got off of Instagram and Facebook. Um, I feel like I'm better off for doing that. Better off in the larger sense. I do miss being able to interact with my friends in a concentrated, easy way. It does take a little more effort, and you quickly figure out which friends decide you're worth that effort, all right. Obviously, the loss of a market the size of the European Union would be a huge blow to Meta, a company that's already dealing with other crises. Not still too early to say if that's definitely gonna happen, But no matter what the outcome, this ongoing struggle to find ways for non EU companies to comply with EU privacy laws is going to be an enormous challenge it has been and it will continue to be. EU regulators and politicians are exceedingly wary about the sincerity of US companies when it comes to their claims of protecting information, and for good reason. There's lots of evidence to point that we should be suspicious of those kinds of claims. And while I have focused on Meta in this episode, the truth is those requirements apply to all non EU companies. H And I've been really focusing on the US here, but that applies to anything outside the EU. So doing business in the Internet age and doing business within the EU is going to require regular investment to assure the EU that companies are playing by the rules. And uh, that's just gonna be difficult. You have entire companies that exists as consulting firms to help other companies make sure that they are complying by the rules, because the cost of business if you're found by some regulatory agency in the EU too have fallen short, is enormous. That's what Meta is going through now. I don't know if Facebook and and Instagram or are not long for this world in the EU. UM, we will have to keep our eyes on it. It wouldn't surprise me if we see politicians struggle to make sure that there remains access within the EU for these platforms. They're incredibly popular, they're important for things like small businesses within the EU. But you know, you have the regulators and then you have the politicians, and politicians move slowly when it comes to creating these policies that sometimes get overturned later on, regulators move way faster. So it may see that we'll see in eruptions in service, perhaps with a return. I mean there you would have to imagine that Meta would want to return even if it's business is curtailed for you know, some indeterminate length of time, because you don't want to leave money on the table. Anyway, I thought that that was an interesting topic. It relates heavily to technology because ultimately it is very hard to guarantee data security. Uh, it's it's hard to do because often you come up with ways that data is really valuable you want to use it, and sometimes that breaks the rules or sometimes it's it's just hard because creating any secure system is incredibly difficult. If someone's really determined to get access to a secure system, often they can find a way. So yeah, a difficult difficult challenge and uh you know, the European Union has created laws that in many ways have made it difficult to innovate uh in in certain ways and also comply with those laws. That's not necessarily a bad thing, you know. It may be that whatever the innovation was isn't worth the trade off in privacy and security, but it also means that it creates this extra hurdle that innovators and companies and and all sorts of people have to get over in order to make their vision a reality. Um. Yeah, it's a balancing act. Well, that's it for this episode. If you have some sugestions for future episodes of tech Stuff, please reach out to me and let me know. One way to do that is to download the I Heart radio app. It is free to download. You can then search for tech Stuff, navigate over to the podcast page. There's a little microphone icon there. If you click on that, you can leave a voice message up to thirty seconds in length let me know what you would like to hear, or if you prefer, you can reach out on Twitter. The handle for the show is tech Stuff H s W and I'll talk to you again really soon. Tech Stuff is an i heart Radio production. For more podcasts from my heart Radio, visit the i heart Radio app, Apple Podcasts, or wherever you listen to your favorite shows.

Welcome to Tech Stuff, a production from I Heart Radio. Hey there, and welcome to tech Stuff. I'm your host Jonathan Strickland. I'm an executive producer with I Heart Radio. And how the tech are you so? Not long ago, David Meyer wrote a piece titled even Facebook's critics don't grasp how much troubled meta is in and he wrote it for Fast Company. And if you've been keeping up with meta slash Facebook, you probably have a long list of things that Meyer could have been referring to. Could it be that various governments, such as the United States are frequently scrutinizing meta and calling company leaders to appear before legislative bodies to answer tough questions. Could it be the fact that TikTok continues to dominate as the social platform favored by younger people, meaning that meta slash Facebook's user base is slowly aging out and it's not replacing it when new younger users. Is it that the company jumped the gun in an effort to be the front runner to define whatever the heck the metaverse is going to be? Well, all of those are factors that should be matters of concern for Facebook executives and for shareholders. But what Meyer was talking about with something else, something involving privacy and the law and a change that happened a couple of years ago that has affected everything. So on July twenty twenty, the European Union's Court of Justice made a decision that would have enormous consequences. It concluded that an earlier data transfer process called the EU US Privacy Shield was not sufficient to protect the private data of EU citizens, and that it would thus be struck down. It would be invalidated. This has massive repercussions for companies like Meta, not just Mata, in fact, as repercussions for any company that operates within the EU, but in fact has it's you know, any kind of data transfers that exit the EU. So Mark Zuckerberg said essentially that unless the EU changes the stance or makes an exception for the company, platforms like Facebook and Instagram will have to pull out of the European Union. That sounds kind of like they're making a threat, right, like somehow you know Zuckerberg saying, Hey, if you don't play by my rules, I'm taking my ball and going home. But really this is more of a plea. It's really more, please, please, please don't do this, because I can't do my thing if you do. So. Today I thought I would talk about what the privacy shield was, why it existed, why the EU decided it wasn't sufficient, what they're planning in its place, and what all this means for come Benese like Meta. To do that, we actually have to look back at the history of the EU and its stands on data privacy and security. Now, depending on how you look at it, the EU really traces its history back to the conclusion of World War Two, but the single market that we would refer to as the European Union would not formally emerge until nine Now. Around that same time, there was a growing general awareness about the Internet, in large part helped by the introduction of something new called the Worldwide Web, and it would take a few years for the Web and the Internet at large to really gain a foothold in the minds of the mainstream public, but some leaders in the EU were already dealing with concepts like data privacy. Data privacy doesn't just require you know, digital transfers, right like, you don't have to have that be part of the process for data privacy to be a concern, and in fact, the countries that made up the European Union had already been concerned about protecting EU citizen privacy when dealing with companies that existed outside the European Union. How can you guarantee that their private data remains safe when it's going into the hands of companies that aren't based in the European Union itself. That had already been a concern, but the EU member states knew that there needed to be put in place laws that could protect citizen data, that there are fundamental rights associated with data that have to be protected. To that end, the EU built upon an earlier, non binding list of guiding principles relating to protecting citizen information. These principles included pretty common stuff like alerting someone as to win their data would be collected, a requesting consent before the disclose that information to some other party. So if you were to collect an e uses and information, you would then have to get their consent before you could share it with someone else, and various other concepts that are pretty common to what we see in in privacy protection laws. They had been around before the rise of the Internet, but because they were non binding, they didn't really have any teeth to them. It was like, it would be nice if everyone agreed to obey these things, but there was no requirement to do so. The EU decided to formally establish data privacy rules, though these would have limitations to which we'll talk about and that. These rules became known as the Data Protection Directive or dp D. This directive set out the parameters for when and how entities would be allowed to collect European Union citizen information and how they could use it. Specifically, you know, how they would be allowed to use it if it required a transfer outside the EU and U, and also how they were to alert citizens of things like collecting their data. Each member's state of the EU was responsible for establishing a supervisory department to make sure that all parties were complying with this directive, and the directive stated that the only time data could be shared with countries outside the European Union is when those countries could adequately protect the data's security. So if a if a country or company was unable to do that, then by this directive, it would not be allowed to transfer information outside the EU now right away. These rules created challenges both within and without the EU and when you really break it all down, all traffic on the Internet is information, and a lot of that information ends up including personal identification information or at least personally identify alable information. So you might argue that personal information should only include stuff like, you know, a legal information like a person's name, or their address, or their birth date or maybe the hospital where they were born. That kind of stuff. You know, information that relates directly to that individual, and when you take this information in a hole, it's more or less unique to that person. I have to say more or less simply because you know, weird stuff. Anyway, that kind of information is absolutely important. It is worthy of being protected, and it's very easy to define. Right. You could say, this information directly corresponds to this individual, therefore we need to protect it. But then there's also other information that, well, not specifically about a particular individual, could collectively identify that person all the same, So an IP address could be part of that. You might argue that's personal information, or you might argue, well, IP addresses aren't fully reliable because you could use something like a VPN which would hide your IP address, so you can't just rely on that to identify a person. However, it falls into this gray area. But then there's stuff like the person's browsing behaviors, you know, what they like, what they don't like, how long they stay on a page. All of these things can actually start to create a digital fingerprint that points to a specific person. And it sounds wild, but it really doesn't take that many points of data to narrow down folks and figure out who created those data points. In the old days, doing that would have been tough simply because you're talking about a lot of data being generated and then trying to suss out what is signaled based on all the noise, you know, to actually analyze that information to get something useful out of it. It was a time consuming process and it just you know, when you look at it from a return on investment standpoint. In the old days, it just it makes sense, right, unless you were going after someone specific for nefarious purposes. You wouldn't do that for just anybody because it was too much effort. However, we have gotten a lot better at analyzing enormous data sets in a short amount of time using things like artificial intelligence and machine learning and various algorithms, so this has become less of an obstacle. It's not like science fiction level yet, but it's pretty darn close. So now some of the technical restrictions that meant we didn't have to worry about this so much in the past aren't really a thing anymore. Anyway, The euse directive meant that the United States, that the country you know, where the Internet got its start, would need to figure out a way to comply with this set of rules if it wanted to allow information to pass between the US and the EU. Because a lot of these companies, their servers all exist within the United States, so by the nature of their business this any any information that would be coming from the European Union would have to go across the Atlantic to a server in the US. To that end, some EU officials began to piece together what would become known as the International Safe Harbor Privacy Principles. Now we're going to take a quick break, but when we come back, I'll talk a bit about Safe Harbor, what it was meant to do, and why it no longer is a thing. But first, these messages, the International Safe Harbor Privacy Principles. What the heck was this? Well, it was a program that US companies could apply to join. The companies would apply for certification, and that certification essentially said these companies are taking the necessary steps to protect user data so they can be considered to be compliant with the Data Protection Directive that the EU had obviously passed. So ultimately, the goal here was to prevent the accidental disclosure of EU citizen private information that happened to be stored on servers within the United States so it's outside the e use control. This was the system by which companies would guarantee they would make sure that data would remain safe. The Safe Harbor system became effective in two thousand. It took several years for it to formalize and then to be enacted, and US companies that receive certification under Safe Harbor and then registered with the EU would be allowed to operate things that would transfer data between the U S and EU without much trouble. Oh and in order to qualify, those companies would also have to be companies that were regulated by the United States FTC, Federal Trade Commission, or the Department of Transportation. Those were the only companies that could qualify for Safe Harbor. Anything that didn't fall into those categories was an exception, and that actually cuts back on a lot of businesses, believe it or not. Now, something that I'm sure will not surprise many of you out there is that various reviews that were done on this system showed that a lot of the participating US companies were not complying with the program, at least not to the extent that they should. Companies were found to be reluctant to actually enforce the principles defined by the Safe Harbor program, and questions arose as to whether or not the industry could really be self regulating, like can we trust these companies to regulate themselves? And of course we can't. All right, so quick side rant, But this applies directly to the topic. So, the currency of the modern world isn't bitcoin, It's not any other cryptocurrency because it goes a level deeper than that. The currency of the modern world is information. Data is valuable you or data is valuable. If it weren't companies like Meta Slash, Facebook or Google, they wouldn't even exist if your data had no value. These companies depend upon us generating information, which the companies can then leverage in various ways. Now, an obvious way they do this is through advertising, specifically targeted advertising. You know, by analyzing the information I generate, a platform like Facebook or Google can suss out what matters to me and to compare my experience with ads that are more likely to get my attention and my action. That is money right there that is incredibly valuable to these platforms. It's incredibly valuable to the advertisers and to their clients. So my information does have value. Yours does too. But even beyond targeted advertising, this information has incredible value. Through real time analysis of browsing data across millions or hundreds of millions of users, platforms can detect and respond to trends before anyone is even aware that there is a trend there. So I think back to the description of chaos theory that says, imagine the flap of butterflies wings in South America setting into motion the variables that are necessary to generate a typhoon that hits Southeast Asia. That it without that one instigating event, the variables are not in the right place to make that happen. Well, think for a moment about how many people use platforms like Google or Amazon or Facebook individually that users. Data is valuable, right, but collectively across all users, that can drive corporate strategy. So there should be absolutely no surprise that companies are eager to exploit information personal information. It's key to their business model and their success. Which is why it's also not a big surprise that a lot of companies were slacking off when it came to self regulation and complying with the principles of safe harbor. If the companies could get away with it, if they could operate without having to actually worry about complying with these rules, then they do it. And I'm sure there were no shortage of companies that weren't being outright nefarious or flaunting the law or anything like that. But we're falling short of holding up to their end of the bargain, you know, because it's also hard to do. It's hard to pull off and still do business in a way that is cost effective. Right, in order to comply with these rules, you do have to spend some money, honestly, was what it really comes down to. It might not be money money, it might be more assets and resources or time or whatever, but it's ultimately a cost. Whatever the reason, it was clear that this particular approach to protecting information wasn't sufficient if the EU actually wanted to keep EU citizen information secure and servers that weren't even in the European Union all right. Flash forward to two thousand and twelve, the EU decided it needed to take another stab at creating a unified data protection law to replace the Data Protection Directive. So the Director had ultimately been too lucy goosey, and that meant that different member nations had different principles and enforcement strategies. It was two piecemeal and it wasn't unified the way a European Union needed to be. So this new law would resolve the various differences between the different implementations and the member states of the EU and create a more coherent policy that it was EU wide and would protect citizen data privacy. That took four years two actually formalize, but in April fourteen sixteen, the EU approved the new set of rules called the General Data Protection Regulation or g d p R, and this became a truly huge deal for any company outside the EU that wanted to do business inside the EU, particularly for Internet based companies. The rules covered any entity that processed or transmitted data from within the EU to somewhere else. A whole bunch of other stuff was in those rules too, But I've done episodes about g d p R in the past, so we're just gonna say this was a more broad, sweeping, and yet unified approach to data privacy, and it created big old headaches for companies around the world to ensure that they were compliant with g DPR. In fact, to this day, that's still a big thing. Ultimately, that's at the heart of the meta problem we were talking about. It was g d p R that would necessitate things like a pop up message that would alert users to a sites reliance on web cookies, for example, because that's a type of tracking. It would also require foreign services to expressly ask for the consent of users in order to collect their data. And you know, companies tried to find in different creative ways to get around that to maximize the number of people who had quote unquote uh agree to this by making it a difficult thing to opt out of. That doesn't fly very well on the g d PR. There are a lot of regulatory agencies that pounce on that kind of practice. They're also supposed to explain how information is going to be used, and to give people the opportunity to opt out of any data collection and that kind of thing. So the g d p R replaced the Data Protection Directive and became enforceable in all right now in the meantime where that was happening, the Safe Harbor Principles, which remember this was a framework that companies could follow in order to be considered UH safe under g d p R rules that had already been invalidated by the EU in ten They said, well, you know, Data Protection Directive is not sufficient and Safe Harbor, which was designed to work within Data protet Action Directive that by extension, is not sufficient, so it doesn't apply anymore. It was not robust enough to satisfy the requirements of the upcoming g DPR. So the European Commission and the United States government negotiated a new political agreement to codify rules on how commercial transatlantic exchanges of personal information from EU citizens to U S servers could actually happen. Those rules would become known as the EU US Privacy Shield. Like the Safe Harbor Principles, this was really meant to create a framework in which companies could operate legally within the European Union. US companies that gather user data would have to comply with this set of rules in order to make services available to citizens in the EU, Otherwise they would be violating privacy law in Europe. Like the previous system, the Privacy Shield includes guiding principles that all organizations are expected to follow. While it beefed up some other protections incorporated into the previous systems, critics were worried that there were still some big gaps in the Privacy Shield process and that ultimately it would get challenged and struck down by the European Commission, and those concerns likely went into overdrive in twenty seventeen when then President Donald Trump signed an executive order that denied US privacy protections to anyone who is not a US citizen or resident. So, in other words, according to that executive order, US companies would not be held accountable for guaranteeing data privacy and security for any non US citizens or residents. Considering that g DPR demands that any entity that transfers e U citizen data overseas must protect that information, that was a problem. By the way. Joe Biden would later rescind that executive order in one but by then things that already changed in Europe. So we're going to talk about those chain ages and how Privacy Shield would follow in the footsteps of Safe Harbor and get invalidated after we come back from these messages. So, as I was alluding before the break the critics of the Privacy Shield process who said this is not going to be seen as sufficient, that we're absolutely right. The EU Commission reviewed the Privacy Shield policy in twenty and determined that it was not enough to protect EU citizen private data and struck it down. Specifically, there were concerns that the US government would be able to conduct surveillance on EU citizen data and that under EU law that was a violation of of human rights and freedom rights of EU citizens. So there was a need to formulate yet another data privacy framework that would address this issue, and that's kind of where we are now. See, without a framework, it becomes very difficult to do business in the European Union. The framework, you know, it smooths things out, it speeds things up because it's it's one point one system that companies in say, well specifically the United States, can go through in order to qualify to do business in the EU and be considered compliant with the rules of g d p R. So this new framework is still taking shape. It doesn't exist yet, it is in the process of existing, and it will take even longer for the EU to formalize and adopt and enforce that rule once it is finished. In the meantime, we're in an era where things are really unstable now. One way companies have managed to continue to operate in the absence of a formal framework is to file what are called standard contractual clauses or sc c s with the EU. You can think of this as essentially being a legal agreement, and that this legal agreement provides a guarantee that the non EU company is taking pains to conform to g d p R requirements, so it's essentially saying, you know, we're obeying the rules. Securing sccs can be time consuming and it isn't a smooth process, at least not as smooth as being able to just apply to a framework like Privacy Shield or Safe Harbor, so it can be a bit of a headache. And now let's talk about Ireland and its Data Protection Commission or DPC, because this relates directly to the Meta story. The DPC determined back in twenty that two of Meta's platforms, namely face Book and Instagram, relied on a data controller that could not provide a guarantee that data from Irish citizens would be protected from US government surveillance, and so by extension that would violate data privacy laws in the EU. That would also mean that Meta would not qualify for an sc C, at least in terms of Facebook and Instagram. WhatsApp, a totally different platform, uses a completely different data controller and is not part of this like WhatsApp, can operate in the EU find because it is not subject to the same vulnerabilities that Facebook and Instagram are. Then, last month, which for those listening in the future would be July of two thousand twenty two, the DPC, this regulatory agency in Ireland, filed an updated draft order to shut down Instagram and Facebook services in the U and filed that with other regulators within the EU. So the other member states that have regulated Tory agencies, they all received a filing of this updated draft decision. While the contents of that order weren't made entirely public, it did become clear that DPC was telling other regulators that they should halt Facebook and Instagram's ability to transfer EU citizen data to the US because it could not guarantee safety against US surveillance. This would effectively shut down Facebook and Instagram within the European Union and to EU citizens. So let's get into some complicated political stuff now. Under Article sixty of the g d p R, the rest of the EU's data protection agencies have four weeks from that filing to comment on the dpc's conclusion. Uh. Those four weeks are up this week, by the way. So if after four weeks there are no objections to the dpc's decision, which is again to essentially shutter Facebook and Instagram within the EU, that decision then becomes binding YEWSA. Now, if there are objections, which you know likely there are some, then the DPC, the Irish regulatory agency, has two weeks to respond and address any objections, or alternatively, they can choose not to change anything and just submit their decision to the European Data Protection Board or e d p B. This is like the overall regulatory agency the agency of regulatory agencies, and the e d p B would then decide whether or not the decision should apply across the European Union. The e d p B, which by the way is hard to say quickly, would have one month to make that decision, uh, though it could also request a month extension if the board determined that the matter is complicated enough to warrant more consideration, So two months maximum to decide on this matter. At that point, After a month or two months if it's extended, the board would go to a vote. If the vote passes in either direction by two thirds majority, then that's the decision. So you have to have a two thirds majority for there to be a clear decision on the matter. If it doesn't get two thirds, then the whole thing is given another two weeks of debate and then it goes to another vote, and then this one just requires a simple majority. So it does get bureaucratically complicated. If like all of this plays out, now, will that happen? That's hard to say. Let's take a few different scenarios in turn. So Ireland's DPC filed the decision in early July, it's already been four weeks. So if no other data protection agency in the EU has objected to the dpc's conclusion whom the decision becomes binding and will know really soon. If some data protection agency objected, well, then that adds another two weeks for the DPC to respond, at which point, if there are no other objections, boom, decision becomes binding or the DPC might submit this decision to the overall agency, the e d p B. And boy, how do these initialisms are really getting clunky? And the e d p B would have at least one month at most two to come to a vote on the matter. If the vote fails to gain two thirds majority in either direction, then again another two weeks and then it goes to another vote with majority rules. Meta has indicated that it might have to shut down its services of Facebook and Instagram in the EU anyway, at least until the new framework takes effect. The new framework is called the Transatlantic Data Privacy Framework, and even then it's uncertain because, after all, the European Commission has already determined that two seating frameworks, safe Harbor and Privacy Shield, that were meant to be in in compliance with EU law, we're lacking and both of those got struck down, So there's no guarantee that the same thing would not happen yet. Again, this raises the question if it's even possible for a company like Meta to operate these services in the EU, at least the way it has been doing without a massive overhaul and its data handling services. Maybe if Meta were to establish EU centric servers that were separate from everything else, it was not sending EU data to any place outside the European Union. It was like a EU specific version of Facebook and an EU specific version of Instagram. Maybe then it would be fine, but that would be kind of ridiculous. Also, I have a feeling that a lot of users would be upset that they wouldn't be able to access or interact with stuff outside the EU. Or if Meta were able to guarantee that it's, you know, the the agencies that are handling data from the EU to the US were in fact, uh protected against US surveillance, then maybe it would be all right. But it can't, at least not now. Now. It's possible that this new framework, once enacted, would allow METTA to continue operating Facebook and Instagram within the EU through some sort of exception, though again there's no guarantee that this framework will withstand court scrutiny. Over time. This is the situation that Meyer referred to in that article in Fast Company that Meta may have no choice but to stop offering Facebook and Instagram services to EU citizens. Meyer also quotes a Facebook investor named Robert mcnami who snarkily said that this could be a real disaster for Meta because users would soon figure out that they're much better off without access to those platforms. I happen to agree with macnamy as someone who got off of Instagram and Facebook. Um, I feel like I'm better off for doing that. Better off in the larger sense. I do miss being able to interact with my friends in a concentrated, easy way. It does take a little more effort, and you quickly figure out which friends decide you're worth that effort, all right. Obviously, the loss of a market the size of the European Union would be a huge blow to Meta, a company that's already dealing with other crises. Not still too early to say if that's definitely gonna happen, But no matter what the outcome, this ongoing struggle to find ways for non EU companies to comply with EU privacy laws is going to be an enormous challenge it has been and it will continue to be. EU regulators and politicians are exceedingly wary about the sincerity of US companies when it comes to their claims of protecting information, and for good reason. There's lots of evidence to point that we should be suspicious of those kinds of claims. And while I have focused on Meta in this episode, the truth is those requirements apply to all non EU companies. H And I've been really focusing on the US here, but that applies to anything outside the EU. So doing business in the Internet age and doing business within the EU is going to require regular investment to assure the EU that companies are playing by the rules. And uh, that's just gonna be difficult. You have entire companies that exists as consulting firms to help other companies make sure that they are complying by the rules, because the cost of business if you're found by some regulatory agency in the EU too have fallen short, is enormous. That's what Meta is going through now. I don't know if Facebook and and Instagram or are not long for this world in the EU. UM, we will have to keep our eyes on it. It wouldn't surprise me if we see politicians struggle to make sure that there remains access within the EU for these platforms. They're incredibly popular, they're important for things like small businesses within the EU. But you know, you have the regulators and then you have the politicians, and politicians move slowly when it comes to creating these policies that sometimes get overturned later on, regulators move way faster. So it may see that we'll see in eruptions in service, perhaps with a return. I mean there you would have to imagine that Meta would want to return even if it's business is curtailed for you know, some indeterminate length of time, because you don't want to leave money on the table. Anyway, I thought that that was an interesting topic. It relates heavily to technology because ultimately it is very hard to guarantee data security. Uh, it's it's hard to do because often you come up with ways that data is really valuable you want to use it, and sometimes that breaks the rules or sometimes it's it's just hard because creating any secure system is incredibly difficult. If someone's really determined to get access to a secure system, often they can find a way. So yeah, a difficult difficult challenge and uh you know, the European Union has created laws that in many ways have made it difficult to innovate uh in in certain ways and also comply with those laws. That's not necessarily a bad thing, you know. It may be that whatever the innovation was isn't worth the trade off in privacy and security, but it also means that it creates this extra hurdle that innovators and companies and and all sorts of people have to get over in order to make their vision a reality. Um. Yeah, it's a balancing act. Well, that's it for this episode. If you have some sugestions for future episodes of tech Stuff, please reach out to me and let me know. One way to do that is to download the I Heart radio app. It is free to download. You can then search for tech Stuff, navigate over to the podcast page. There's a little microphone icon there. If you click on that, you can leave a voice message up to thirty seconds in length let me know what you would like to hear, or if you prefer, you can reach out on Twitter. The handle for the show is tech Stuff H s W and I'll talk to you again really soon. Tech Stuff is an i heart Radio production. For more podcasts from my heart Radio, visit the i heart Radio app, Apple Podcasts, or wherever you listen to your favorite shows.