All about privacy, Europe’s GDPR and Digital Services Act

Hello, everyone, and welcome to This Week in Net. It's the February the 23rd, 2024 edition.

And yesterday, there was an AT&T outage in the US. Also, Google suspended the image generator part of its chatbot, Gemini.

But we're here to discuss privacy. I'm João Tomé, based in Lisbon, Portugal.

And with me, I have our Chief Privacy Officer, Emily Hancock.

Hello, Emily. How are you? I'm great. I'm really excited to be here.

Thanks. Where does this show or podcast find you? Where are you based? I am in San Francisco.

San Francisco. So Pacific time. Yes. Eight hours difference from where I'm at at the moment.

Exactly. In what used to be Cloudflare's headquarters, although we've expanded a lot since I first started six years ago.

And so I don't know that we're officially calling it headquarters anymore.

But yeah, near one of our flagship offices.

True. Austin, a big one, too. London, Lisbon. Lisbon.

There's a lot, yeah. Yeah. So you joined Cloudflare in 2018, right? Yes, just one month before the GDPR went into effect.

In Europe. Fortunately, the company had done a lot of work to get ready for GDPR.

So I didn't just have to ramp it all up in a month.

For those who don't know, can you give us a little bit of your background, where you started?

Sure. So after law school, I worked in private practice at a couple of law firms in Washington, D.C.

And then I moved out to the West Coast to take a job at Yahoo, where I handled a lot of issues around data disclosure to law enforcement and issues around cross-border data transfers.

Then I moved to a company called Evernote, which some people may have heard of.

It's just a note-taking company, note-taking app.

And I handled privacy, employment law, law enforcement disclosure issues, a little bit of everything.

And I led that privacy team for several years before coming to Cloudflare and focusing solely on privacy.

And in terms of your job, you deal with privacy all day long, privacy issues.

There's a lot on that regard. And Cloudflare is a big company with different products.

What would be a sum-up of your job at Cloudflare? Yeah. So a couple of different things.

One of the big parts of the job is working with our product counsel.

So my team is the product counsel team and the privacy team, as well as privacy operations.

And so our privacy lawyers and product counsel work a lot with our product teams to make sure we're doing privacy by design so that we're building products that are privacy -oriented and that have privacy front of mind whenever possible.

And then the other part is working on our privacy program to make sure we have the right policies and procedures in place to comply with the various data protection laws around the globe, chiefly the US and the EU General Data Protection Regulation, the GDPR, because that one requires a lot of recordkeeping around how data is processed, like records of processing activities and data protection impact assessments.

So our privacy operation team oversees that as well as training for all of our employees and maintaining information about our data retention and things like that.

And then there's a lot of other privacy-focused areas, thinking about how we do data transfers.

So a lot of times our customers are very curious to know where their data is being processed and they want to make sure that they're complying with whatever local laws they have to deal with to make sure that the data is being processed in the right way.

So I work with our commercial team on some of those issues.

And then on the flip side, the vendors, so to make sure we know where our vendors are processing data and how our data is being handled.

So a lot of data governance along with kind of strict privacy law interpretation and privacy guidance.

You spoke there on a few relevant, interesting things.

And before we go to the blog post you wrote in late January, a couple of weeks ago, reflecting on the GDPR to celebrate at the time, Privacy Day 2024.

Before we go there, I was curious to, in a very high level perspective, what today excites you the most in terms of privacy?

So when you try to explain to someone that really doesn't know a lot on this topic, why does privacy matter for the everyday user, but also for companies, as you were saying, companies, they want to comply with laws for sure, but they also want to know what's there, what this company is helping them, the way it deals with data, what are those elements there?

Yeah, I mean, it's really two different audiences. And I think Cloudflare speaks to both of those audiences.

So from a purely consumer standpoint, just as if I'm talking to friends and family or neighbors, whatever, I hear a lot, and this comes up in the United States frequently and has come up since the Edward Snowden disclosures about wiretapping.

I hear a lot of people say, well, my life isn't interesting.

Nobody cares where I'm going on the Internet. It doesn't matter.

And then we saw with the repeal of the Roe v. Wade decision here, for example, suddenly a lot of women saying, oh, wait a minute.

Actually, it may very much matter what I'm doing on the Internet if I'm searching for certain kinds of healthcare in the United States as a woman.

That could put me on the radar of law enforcement in particular states.

So I think over the last several years, there's been a rising awareness of privacy.

And then I know there's a lot of cookie fatigue that people have, but in the United States also, there's been a spate of new laws requiring cookie consent the way there has been in Europe for years.

And I think those two things together have really raised the awareness in the United States.

I think in Europe, that awareness has been raised for a long time around just what is happening to my data when I'm online.

And so one of the things that I encourage people to do is use things like Cloudflare's 1.1 public resolver.

So you can put that on your phone, you can put that on your computer. And what happens is the link between you as a user and your device and your IP address, which is the routing piece of information that routes all the traffic across the Internet, that gets broken.

So the websites you go to don't know anything about who you are or what device you're coming from.

And those kinds of measures help reduce the amount of your personal data that's out there floating on the Internet.

I'm also the person who will tell you to take the time to actually click out on the cookies as much as you can.

And you realize how when somebody does it really well and somebody does it really poorly and makes your experience really frustrating, how hard it is to opt out.

So those are some steps that I talk to consumers about.

And I think it is important to pay attention to what's happening to your data because there's a lot of things that you may not think are a big deal now, but depending on politics, depending on the ways laws change, wherever you are in the world, that could very quickly shift.

And so this idea of, oh, I'm not doing anything wrong, it's fine, I don't care if people track me, that might shift very, very quickly on a dime, depending on a war, an invasion, an election.

I mean, we're seeing all of these kinds of things happening globally. Then on the customer side, where we're talking about the B2B side of Cloudflare, I think the concerns of those customers are quite different.

So our customers care about making sure that they are complying with the data protection laws in whatever jurisdiction they're in.

And what they want to know about Cloudflare is, when we use you, will we still be able to comply with those regulations?

And so what I end up spending a lot of time thinking about there, because this is what's been front and center on a lot of customers' minds, are data transfers.

They want to know where their data is going.

In Europe, it's been a big, big issue. There's been a lot of legal developments.

There was the Friends 2 case, and the idea that European data shouldn't leave Europe.

Now we have an EU-US data privacy framework that actually allows for that free flow of data, which makes all this easier.

But countries like Japan, India, China, Korea, there's a number of countries that have regulations that put restrictions around data transfers outside of those countries.

So that's what I think our customers focus on the most.

Then very close behind is, well, exactly what data are you processing and how long are you keeping it?

And we want to make sure that you're not keeping our data any longer than you need to.

And so those are the things that I think our customers worry about the most.

And the good news there is that we don't really store much personal data.

That's not really our function unless you're using one of our storage products.

So those are the chief areas that I focus on when it comes to the customers.

It's quite interesting, especially the changes.

This is an area in constant change. You mentioned there SRAM 2, a legal case that changed the landscape in Europe in terms of the communication part with the US.

And the recent update there with a better relation with the Biden administration in terms of Europe came to make it simple, that communication.

Although change is constant in this area, I would say, because of lawsuits, because of all the things.

So you must keep an eye on what's happening at all times.

And when you do that, the way you're approaching, you're putting all of that regulation into different parts of the company.

You're updating all of those.

At the moment, something changes for us to be dealing with regulators in the right way, but also making customers at ease in a sense.

Right, exactly.

In terms of, for example, there's products like data localization. Is that still important in this situation?

You mentioned different countries. How does that work?

Yeah, it is and it isn't. So for Europe right now, you don't need the data localization suite to comply with GDPR.

But we have a lot of customers who feel that they have legal obligations, whether stemming from GDPR as it was interpreted in the past, or maybe their own contractual commitments to their customers.

We have a lot of customers who still feel strongly that because of their legal obligations, they need to be able to control where the data goes.

And so that's why data localization suite is so important for a lot of our European customers.

Data localization suite is also important for certain customers in India, for example, because there's some banking guidelines that have been interpreted by our customers as requiring certain banking data to only transit India.

And then there's a number of countries where maybe it's not all the data, but maybe it's certain regulated industries like healthcare, banking, public sector entities.

We see a number of countries where those more regulated industries are really looking for more guarantees to control where their data goes.

So data localization suite is still something that we're very much invested in and actually looking to grow and expand.

Because unfortunately, I'll explain why I say unfortunately, but unfortunately, data localization isn't going away.

We think that data localization should not be a proxy for privacy.

Really, privacy around personal data comes from having great security in place, really good organizational and administrative protocols in place.

And those are the things that actually help personal data stay private.

But for a lot of other reasons, including national security, including national competitiveness, concern about what's happening to their own citizens' data, a lot of governments have talked about data localization as a data protection mechanism when really what they want is they want to be able to continue to have access to the data.

Or they believe that their national security means that the data shouldn't leave their own country.

So data protection and privacy get talked about a lot as this is why we have to have localization.

And really, it's much more complicated than that.

Exactly. Because there's not, and I think we have some use cases there, this situation where data that goes to the US because the Internet is all about connecting everyone with everyone in the world.

But it's not like there is the possibility of the US government going to look at that specific country's data specifically, right?

The protection should be there regardless of the data localization suite.

Exactly. We mentioned before the blog post you wrote about GDPR specifically.

We can go into that one. It's about also celebrating Privacy Day 2024.

What is this reflection about? Yeah, so I always kind of say Privacy Day feels like Valentine's Day.

So you know, Valentine's Day, you're supposed to tell the people you love that you love them and demonstrate that this show of love, right?

Even though really, you should be telling the people you love that you love them all the time.

And I feel the same way about Privacy Day. For some reason, Privacy Day is a day that we have to shout about how much we care about privacy, even though we talk about privacy all the time.

I was a journalist for a number of years, so it's usually good for journalists to go back to that topic once every year.

Yeah, exactly. So this privacy year, it's kind of hard to figure out what do we want to write about?

What do we want to highlight?

And it coincided with the European Commission asking for comments on how the GDPR has been implemented.

So we decided, well, we're going to submit comments to the European Commission anyway.

So let's write about what we're saying to the European Commission, but let's do it publicly too.

And that was the genesis of this blog post.

And I think the two things that we really wanted to highlight are, again, this idea that while the GDPR has done a lot of really good things for privacy, and has really kind of upped the ante globally for the privacy rights that people have and the control people should have over their data, GDPR also has really promoted what I think is this fallacy of localization means privacy.

And if data stays in Europe or falls under the jurisdiction of European laws, it will be more private.

And as I said before, we disagree with that.

And I think there are a lot of good reasons for why having free flows of international data are important for improving the security measures that keep data private.

So we write about some of that. And just kind of encouraging the EU Commission to think about implementing the GDPR in a way that allows for that free flow of data.

The other thing that we have been talking about in recent years are IP addresses.

So again, I imagine most of the audience here knows what an IP address is, but it's kind of like an address on the Internet that helps you navigate to where you're going.

IP addresses are assigned by whoever your Internet service provider is, maybe Orange or Deutsche Telekom, or if you're in the United States, Verizon, somebody like that.

They maybe can figure out that IP address was assigned to Emily at this specific time.

But when that IP address goes out into the wild, we as a company don't know and don't have the ability to figure out who actually has that IP address.

Now that's especially true if somebody is using the 1.1 public resolver, or they're using Tor or some other VPN that further obscures that connection between IP address and person.

And so we've been arguing that IP addresses should not always be treated as personal information.

And if that's the case, if it's the case that we can't ever connect an IP address with a person, IP addresses shouldn't be personal information for us.

And if that's the case, then all of the GDPR's requirements about personal data and what you need to transfer personal data, those requirements should not apply to IP addresses.

Because the argument we've been seeing from some regulators, and it's by far not all, but for some regulators, is this idea that because an IP address might be personal data, you can't have an IP address leave the boundary of a country.

And as we all know, the way the Internet works, there's not a lot of control you can have over where those IP addresses go.

They bounce from pop to pop to pop all over to make sure that the data gets from point A to point B.

And unless you were to build balkanized Internets, and so there would be a European Internet, and South Korean Internet, and US Internet, unless you were to build closed loop Internets, which would pretty much break a lot of the things that we really enjoy about the Internet right now, and it's really the kind of the China approach, unless you build sort of that China approach for various regions around the world, you have to let IP addresses cross jurisdictions.

But if you think that IP addresses are personal data, and you take the GDPR implementation to its extreme, suddenly IP addresses can't leave Europe.

And we don't think that's really the result that the GDPR was looking for.

And so that's the argument that we're making in our blog posts about the IP addresses and data localization.

Makes sense. And you mentioned there before something that I was in the conference a few weeks ago, and I mentioned that specifically in terms of our 1.1.1 app, and public resolver, in a sense, and it's private, and it's used in some countries, people use it to avoid governments looking to their data.

There's countries like there's war going on.

And that's really important. And that's happening right now in different countries in the world.

So if that works for those that are using those types of apps to make their use of the Internet private, then this should also be a use case showing that this is private, people are depending on this to be private.

So IP addresses, there are a little bit dumb, anonymous, we know the country, we don't know the person in a sense, right?

Dumb in a good way. Before we go, what do we expect in 2024 in this privacy part of the Internet?

Yeah, well, I would love to tell you that the regulators are going to say, you know what, you're right, IP addresses should not be personal data.

There's a court case right now before the European Court of Justice that is on that very question.

So I would love to see that kind of result.

I'm not super optimistic, though, given what we saw from the Court of Justice in the Shrems 2 case.

And then I think, you know, I can't go without saying AI, because everything's about AI right now.

And so the privacy regulators are really looking at what does AI mean?

Do we need to regulate it?

And I think the answer is, yes, we're regulating it. We have the AI Act in Europe, the United States is looking at different AI Acts, a lot of countries are looking at this.

So I think the intersection between privacy and AI is the one that's the most obvious, even though intellectual property and other legal regime areas are impacted by AI.

But I think privacy is the one that hits people in the gut a bit more, because you mentioned the Google thing, this idea that somebody can type a command in and a video could be produced with a person who doesn't exist, and or worse, maybe, you know, your image, and your voice saying and doing things that you have never done.

And those things, I think, really concern people.

And privacy is kind of the closest intersection to that, because it feels like an invasion of privacy, to make you look like you're doing something that you never did.

And so I think that's where we're going to see privacy really pivot. But the issue of cross-border data transfers isn't going away, the issue of localization isn't going away.

In the EU, we also have a certification scheme that the EU is considering for public sector.

And the idea there is that at the highest levels for national security, data may have to stay within a country or within a region.

Those kinds of things aren't going away either. So I think in the new year, it's going to be these twin things of AI and cross-border data transfers.

And how are we dealing with all of it?

So I, you know, I've always said, I think there's a lot of good job security in the privacy profession.

Because the issues just keep getting more complicated and more interesting as we go.

True. And it's an evolving topic.

Even recently, there were lawsuits regarding the New York Times and OpenAI.

And so things are being discussed, the crawlers, AI going around the Internet.

Could they go to specific sites? Now sites can say, hey, please don't crawl our data.

So now that's possible. So things are evolving, even in terms of sometimes the things, oh, they will take everything in terms of the Internet, but there's guardrails in place.

Yeah. Yeah. And I think it's important to think, you know, to know that there's companies like Kloepfer that are developing technologies that are aimed at sort of preventing a lot of that personal data from getting into AI tools.

And as much as the regulators want to do something, I think we've seen just across the spectrum and regulation generally, regulation usually can't keep up with the technology.

So I'm not saying there shouldn't be regulation, but I think it's also really important that any kinds of regulation takes into account the fact that technology is going to move faster and that technology solutions really can help protect privacy and security of data in a way that serve regulations, but that are much more nimble and responsive to the problems that we have than strict kind of decrees from governments.

So I think that's an important area to watch too, is how the industry responds to the challenges, because I think there's going to be a lot of really innovative solutions coming out.

And if companies are worried and know that the regulation is coming, they can, even before regulation, they can act and actually influence the regulation, as you were saying.

Is there one thing regarding Kloepfer and privacy that most people probably don't realize then they should?

I mean, I think the thing that I think a lot of people don't realize is, yes, there's a lot of data flowing across our network, but we don't retain that data.

And I think it makes people or customers feel nervous when they think about how much data is going to go across our network.

But the privacy commitments we have made from the day the company was founded about not monetizing that end user data for advertising or behavioral tracking, those things are critically important to the company.

And so I think this idea that, yes, there's a lot of data, but the creepy stuff isn't happening.

I think that's one of the things that I want to make sure people know.

And that, so I guess there's not just one, but I think then the other thing is that we are developing products with privacy in mind.

And so all of the security services we offer are services that are privacy first security.

So we really want to make sure that there's a lot of control over what is and isn't gathered when it comes to personal data for our customers and making sure that people know that security is a way to really protect personal data.

Makes sense. It's a good ending note for sure. And you were mentioning specifically the fact that I usually say this a lot and I work with data, our data a lot.

Our data is really dumb and that's good in terms of the Internet.

Sometimes it's not great for those who are dealing with data. Just now an AT&T in the US outage.

Hey, we can see that in Chicago, in Los Angeles, there's a drop in traffic, but that's what we can see.

There's a drop in traffic regarding that ASM is specific.

Our data is, I think, more dumb than most people realize the way we can see.

Yeah, yeah, exactly. And that's a wrap. Hope you enjoyed it. Yeah, I did.

Thank you so much. Hi, I'm Petra.

I'm a senior manager in the public policy team at Cloudflare. I was born in the Netherlands and I'm now based in Brussels, Belgium.

I recently wrote a blog post on the EU Digital Services Act.

And this is an important topic because it is a major piece of legislation that sets out regulatory requirements for a number of Internet companies, specifically large online platforms.

So it affects a lot of players in the ecosystem.

Secondly, it is very important because it sets out important rules on intermediate liability, which at Cloudflare we find very important.

So I encourage everybody to read my blog, to learn more about it. People should learn more about the EU Digital Services Act because it is a very major piece of legislation that affects a lot of different services on the Internet.

And in particular, at Cloudflare, we find this piece of legislation important for the intermediate liability framework, as I already mentioned.

And also because it sets out very proportionate rules that are different for larger providers that are closer to the content and different for technical services like Cloudflare services that are very far removed from the content and are only acting as intermediaries.

So we think the law is very much in proportion of what different players can do to content and how close they are interacting with content that is uploaded by users of services.

For those of you who are interested in policy, of course, personally recommend looking at our blog posts that the policy team writes about all the various interesting policy topics that are being discussed globally, specifically for Europe.

If you're interested in policy and what is going on in Brussels, specifically at the EU level, I would recommend, first of all, reading the Political Europe website, which has a lot of interesting articles, as well as Euroactive, which is a free news site as well, that has a number of articles specifically also on tech policy, which I also read with interest every week.

So those two would be my recommendations.

So we've talked about privacy and policy with Emily and Petra from San Francisco to Brussels.

But we're going to leave the policy sector now. And last but not least, travel to Maryland in the US to give also a big thank you to our VP of Engineering, Olafur Gudjonsson.

He's retiring after decades as a DNS guru and almost 10 years at Kaufler.

I will be interviewing Olafur in a segment that we'll publish soon about his experience and also DNS standardization.

But here's a small teaser that sums up his lessons learned with engineering teams, but I would say also a good word and life advice.

Any final thoughts before we go on your experience, your amazing experience over the years, like the biggest lesson learned you want to share possibly with the audience?

It's all about the humans. It's all about that everybody has a voice. What I tell my teams, whenever you're working on a problem, you never know where the good idea is going to come from.

So it is the process of talking things through, listening to each other, that makes the difference, allows us to build the best possible thing.

Today, I am fearful that lots of people are starting to tune out anything that is not within their agreement and becoming more and more narrow-minded.

And that is a bad thing.

You have to keep an open mind at all times. Yeah, I've been very fortunate and I've really liked the experience that I've had over the years and being able to work with and talk to amazing people and getting people to work towards common missions.

It has been a total privilege.