🔒 Dr. Gabriela Zanfir-Fortuna and Emily Hancock Fireside Chat

Hello and welcome to Cloudflare TV on this 2022 Data Privacy Day. I'm Emily Hancock, head of the legal team for product privacy and IP at Cloudflare, and I'm also the data protection officer. And my guest today is Dr. Gabriela Zanfir-Fortuna, who is the VP for global privacy at the Future of Privacy Forum, which is a nonprofit organization that serves as a catalyst for privacy leadership and scholarship and helps advance principled data practices in support of emerging technologies. Thanks so much for being here today, Gabriela. Such a pleasure to be here today with you, Emily, and hello everyone. Yeah, so I initially invited you here, as you know, to talk about privacy trends we're going to see in 2022. But I don't think we can talk about those trends without talking about one of the really big stories in the privacy world right now. And that's the recent decision by the Austrian Data Protection Authority that an Austrian website can't use Google Analytics because the Google Analytics will transfer EU personal data to the United States in a way that violates GDPR, as interpreted by the Schrems 2 decision. And I saw last night that it looks like Norway's data protection authority is going to follow suit in that same decision. And then it looks like Denmark is indicating it's going to take a similar view. So I guess maybe we can start there and then we can back up a little bit and talk more about 2022 generally. So first, I guess, can you just, to help folks watching, can you describe the Austrian DPA's findings and then what the impact is? Because I think the impact is going to be pretty big. The impact is going to be very big, if indeed all of the other data protection authorities that right now are looking at identical complaints, really identical cases that have been submitted by NOIB, the NGO led by Max Schrems, the same complainant who also is part of the Schrems 2 judgment of the Court of Justice of the European Union. What happened after that judgment in July 2020, as we all know, the privacy shield has been invalidated because the Court of Justice of the European Union found that the level of protection ensured by the privacy shield, together with the specific legal acts, laws, and executive orders in the U .S. that regulate national security authorities and agencies and how they can access personal data in telecommunications primarily, were deemed to be insufficient to meet the level of protection required by the GDPR for the transfers of data. Now, after that decision in July 2020, about two weeks after that, thereabouts, NOIB submitted 101 complaints with all data protection authorities across Europe and the European economic area. I saw a complaint also submitted to Liechtenstein's data protection authority, by the way, if you look on that list. It looked like the bulk of those, or something like half, maybe I got this wrong, were actually in Austria. I think that's where he's from. This is where NOIB is registered in Austria. Then about 50 of those complaints went to Austria. Interestingly, though, only a couple of cases are actually of the under the competence of the Austrian data protection authority, because they concern an Austrian complainant and an Austrian website. Therefore, the Austrian authority has competence. The rest of them, though, concern websites that are national and targeted in other countries of the European Union. For example, I can give you the example of Romania, where my family is from. There, there are two websites that were targeted. One of them is the most visited national daily newspapers website, JCP. They submitted it with the Austrian authority, which then forwarded the complaints to the Romanian authority under the one-stop shop mechanism. But this happened to many other cases as well. Through the Austrian authority, these complaints were forwarded to other authorities. In this way, literally, all data protection authorities in Europe are looking right now at the same case. There might be small variations, but all of these cases have in common the fact that the websites are using Google Analytics or Facebook Connect. These are the two pieces of software that were targeted, and all of them have to make a decision on whether this type of cookies process personal data, whether that data is transferred to the U.S. through this processing, and whether the data through the transfer are sufficiently protected here in the U.S. with the safeguards put in place. The Austrian decision gave the first decision in this batch of 101 complaints, clearly setting the tone for the rest of the- Yeah. That's interesting. Really, if you think about it, I guess then, there maybe was a little bit of a race to be first out of the gate. Had the first out of the gate been maybe a less conservative data regulator, we would have a different result. That's- Maybe. It is a possibility. However, and this is where the surprise kicks in, they were not the first out of the gate, because the first one was actually the European Data Protection Supervisor, which is the supervisory authority that oversights how the European Union institutions and bodies, like the European Commission, the European Parliament, comply with data protection rules. The EDPS had a very similar complaint that they had to deal with. It's not part of the 101 batch of complaints, because this one was submitted some months later. It specifically targeted a website that helped with scheduling COVID-19 tests for members of the European Parliament. This is very significant, because some of the complainants that were represented by NOID in this particular complaint are actually members of the European Parliament that complained that through the use of Google Analytics on this website, their data is unlawfully transferred to the US. The EDPS looked into that and indeed concluded that an unlawful transfer of personal data was happening through the Google Analytics cookie and through a Stripe cookie, which was not even actively used, because the code of the Stripe cookie was there. The cookie existed apparently, and it actually was transferred to the devices of visitors, but it was not active because no payments were being done for the scheduling of the tests. It existed there just because the code was copied from another website built by the same people, or something like that. It's all in the decision. Both decisions take the same approach. Sorry to interrupt, but the EDPS decision, and I remember that, but that didn't get the same attention, or it got attention. I think when I remember seeing that, it was, okay, well, this is an action against European governmental institution, so maybe the lens, maybe the application here is a little different. Do you agree, or maybe you have a different take on it, but I feel like the Austrian decision is more earth shattering. That's a little extreme, but has more of an impact on the industry, because we're now talking about private companies, websites, right? Yes, and I think actually it is more earth shattering, but from another reason. Okay, go for it. And this is because the Austrian DPA actually goes into a very detailed analysis of what constitutes personal data, and then they have some interesting findings there that just unique identification numbers in cookies are personal data by themselves. You wouldn't normally even need to look further to see whether the IP addresses and what other data are collected around that unique identification number is personal data or not. So that's one part of it, but why I think it's really earth shattering, it's because it deems all supplementary measures implemented in the case on top of the standard contractual clauses as being ineffective, because they do not eliminate the possibility of access by the American national security authorities to data that's coming from Europe. So because of the nature of the case, the Austrian DPA had to decide on this particular issue, whereas the EDPS did not, because in the other case, the European parliament did not argue during the case that they put supplementary measures in place together with Google or Stripe. Right, because Google had their whole technological measures that they were talking about, they talked about their transparency report, and all their kind of measures for encryption, where data addressed was actually analyzed in the Austrian case. So we really had the entire, I mean, we had a very complete set of supplementary measures, honestly, you know, enhanced security clauses that say all requests from government authorities are going to be challenged. And this is another point where the Austrian DPA is quite categorical, because it says, well, according to the Court of Justice of the European Union, even when there is a lawful request for accessing data, that's still not, like a lawful request is not good enough for the European standard of protection, because the requests, I mean, the entire framework lacks independent oversight, individual redress, and lacks proportionality, and the necessity. This is what the court said. So the Austrian DPA says, oh, even if you have transparency reports, even if you, you know, you can fight all of the requests in court that you receive, and those requests are all lawful, that's still not good enough for the standard to be reached. So this is where, this is the conundrum, you know, where we're in, because there's really not much that companies can do, right? I think most of this is really about what governments can agree among themselves, and between themselves, for some level of protection, and some proportionality measures, and when it comes to government access to personal data. Yeah, that's, and that is something that's completely out of all the company's control. I mean, obviously, especially the big companies are lobbying, and they're trying to get the U.S. government to do something with its legislation. I know there are ongoing talks between the EU Commission and the Commerce Department to try to get some kind of new cross-border data transfer agreement in place that would make up for the deficiencies that the court found in the privacy shield. But as far as I can tell, well, one side of the ocean is optimistic, and one side of the ocean is not, from what I can understand from the latest discussions. And it's really, it really is pretty jarring, because so now, what are companies supposed to do? I mean, Google Analytics is pretty ubiquitous, and so do websites all across Europe have to stop using them? And I think it's also interesting that the European Commission, when they set out the new standard contractual clauses after the Shrems case, you know, they really took this risk-based approach, right, and said, you as a data controller, so you EU website, you can make a risk-based decision about whether this data processor you're engaging with has the right controls in place. And it almost seems like the Austrian decision is now saying there isn't, like, that risk -based approach is almost out the window, because there seems to be no mitigation efforts that they can take, which, you know, for a company like us, where, you know, one defining characteristic that I like to kind of see in the decision is, you know, Google has a lot of different types of data, clearly very different than Cloudflare, and, you know, we have not provided a lot of the data, and we have warrant canaries that say that we don't provide, you know, feeds of our content and things like that. Yeah, so I would like to think that the finding would be a bit different on the supplementary measures, and that we have some very strong supplementary measures in place, but, you know, it does make it seem like, no matter what, we're still going to have to focus and figure out ways to keep that data in Europe. So it's, yeah, so it's really, it is a conundrum, indeed, and I would also want to point out that you mentioned what are European websites and companies to do, and this is exactly right. What are European entities going to do? One interesting aspect of the case that I think merits some attention as well was that the Austrian EPA found that the data importer in a data transfer situation, so Google in this case, is not actually responsible or liable for the transfer. So this particular finding, as far as I understood from media reports, might be subject to a challenge from NYB, because the NGO, the NYB, claims that both the exporter and the importer are responsible to different degrees. However, the DPA said no, it's just the exporter that's responsible, but this puts a lot of pressure on European companies that need to make decisions about what services they use, and not only about companies, this is a challenge. However, I go back to an earlier point on the EDPS decision and that, you know, we're concerned just to the European Parliament and so on. But think about it this way. I think all of the public administration in Europe, at EU level and at national level, uses some sort of cloud service, right? That's provided by a US-based cloud service provider. I mean, this could have really big consequences for government and public authorities as well, for schools, right? Because the GDPR covers under scope, everything, it's not only businesses, hospitals, schools, everything. Yeah, so the impact can be really earth shattering, as we nicely put it earlier. And now we're looking towards the rest of the data protection authorities and see their decisions in the rest of the 100 complaints. One last note, and I'll be done with the subject. Also, we need to keep in mind that all of the DPAs that were involved in this series of complaints created a task force to talk to each other and exchange enforcement experience, let's say, under the head of the European Data Protection Board. So they're not acting completely in silo, right? Now, there might be some outlier, but I don't think even if we will see outliers among all of these authorities, I don't think they will be at the complete opposite end of the spectrum, you know? Yeah, that's a great point. There might be some differences, but yeah. So this is how we kick off the year, right, with this very, very significant development. Yeah, and well, for a technology company like ours, I think we're kind of looking at like, okay, cool, so how do we solve it? And so that kind of sets us up for 2022 to kind of really brainstorm about what are the solutions that we can come up with to help our customers avoid that kind of risk. It'll also be very interesting, I'm thinking on a contracting basis, because there will be a lot more customers who will want to push that liability through to their data processors. So we'll have to watch that. Well, so let's see, we've got about maybe 10 or so minutes left. What else? What else do we think we're going to see in 2022? I mean, I know I'm keeping an eye on India, right? There's a new bill that we've been expecting for forever coming out of India. And I think that one could be very interesting, because India is such a huge market and just so many people in India. But tell me a little bit about some of the things you're hoping to see or expecting to see or things that you think that we'll be talking a lot about in the coming year. Yeah, so I'm going to address some of the things that I expect to see. You're absolutely right, India is a huge deal. It looks like things might be finally moving, I would say finally there, because as a data protection geek, I like seeing data protection laws. And I think it's truly significant that such a big country, right, would bring 1.2 billion people under the protection of a data protection law. But then, of course, it also matters how that data protection law will be set in place and whether it will make sense to allow for the two purposes of data protection, which are protecting the rights and fundamental rights of individuals, but also responsible uses of data. Data protection law is not supposed to block data being used. It's actually supposed to allow for the use of data, but in such a way that the rights of the individuals are protected. Which, by the way, sorry to interrupt, but that's such an interesting, because there's a lot of people when we're doing product counseling who will say, well GDPR means I can't use the data, right? And it's like, no, you can, you just have to use it the right way. But it's really good to remember to point that out, because it does, especially when we just come off talking about a decision that seems to shut some doors on things. It is good to remember that's actually not the point. But anyway, so sorry to interrupt. Exactly, that is exactly right. So in India, it's an absolutely big deal. I'm following it closely. And then in terms of new laws or modernization of laws, we pay attention to Australia, which is now in full process of modernizing their privacy act. They've published a very, very broad public consultation, and the modifications to the law might actually be significant compared to what they have now. So I would say that, in fact, the Asia-Pacific region is actually the most engaging and productive in terms of giving us things to do for following new data protection laws. Vietnam is actually debating the publication and the adoption of a data protection law as well. Sri Lanka as well. And I know that Sri Lanka, thanks to our friend in Singapore and managing director of the FPF office there, Clarice Giraud, we know that Sri Lanka is actually quite significant, because it's a very big outsourcing hub as well. And it's setting up their own data protection framework. So a lot of activity happening there in the area, I would say. Yeah. Well, that's one of the things that we've been looking at too. So I guess this means I'm going to have to shift my schedule. I'm in California, so I spend so much of my time on calls early in my day with Europe. I'm going to have to shift my day to start paying attention to calls later in the day. But there's the APAC, the CBREs, the cross-border data transfer clauses for APAC, which is something I personally haven't spent a ton of time diving into. But it will be interesting to see how those continue to evolve and whether we're going to take any lessons from Europe or whether they'll kind of maintain their own path. Yes, you are absolutely right in paying attention to that. I've actually listened to a keynote by Bruno Gencarelli, the head of International Data Transfers Unit at the European Commission at the Global Privacy Assembly Conference earlier this fall. And he was saying that the European Commission is actively looking at regional solutions out there, like this particular set of clauses in APAC, and trying to build some convergence or trying to have the systems at least communicate with each other. So this focus on regional approaches to international data transfers and then how they can communicate among regions, it's actually something that's going to be relevant moving forward, as is in the matter of international data transfers, looking at what the intergovernmental organizations will achieve. Probably those of you that are following this space closely already know that the OECD has been working on a set of principles commonly agreed among democracies on government access to personal data that are supposed to help with the efforts of allowing data flows in the commercial area. So hopefully that effort will lead to a good result. But we're also seeing organizations like the G7 and the G20 actively putting on their agendas initiatives like data free flow with trust that have been started by Japan, by the government of Japan a couple of years back, and that also aim at bringing trust into cross-border data flows at the highest possible level of government and under their agreement. So this is another dimension that we should be following in this space. That's really interesting. So that's, I mean, that's a lot about data transfers. And it's interesting because then, it's funny because we're talking about data privacy day. And I think there's always a little bit of a debate about whether jurisdictional boundaries or jurisdictional restrictions and cross -border data transfer arrangements actually have anything to do with privacy. I mean, certainly they have something to do with kind of responsible data management and making sure the right laws are in place and the right protections and that citizens who expect that their data is going to be protected under a given set of laws, that that protection follows them. So I don't mean to say that it's not important, but I do find it's kind of interesting that when we've been talking about privacy, the localization and the cross-border data transfer issue gets wrapped into it so deeply. Is there anything, so setting aside all the cross -border data transfer issues, is there anything that you're kind of looking for in terms of maybe pure privacy plays? You know, I think like Apple's private relay last year was a big, big change and big advancement. Anything that you're looking at from that perspective in terms of maybe technologies or other kinds of privacy protections? There's also so much to mention here answering that question. It's a whole other segment. Yes, there's three different things to say, and I would start with saying that you are so right in identifying this kind of not working together of privacy and what we're talking about, you know, data transfers. It's really, they're kind of two different things, and this is why it's more difficult to tackle this subject here in the U.S. where privacy captures everything, whereas in Europe and in other jurisdictions like Brazil, it's already clear that privacy is a different thing than data protection, and all of this international data transfers conversations that we're having are actually data protection focused rather than privacy focused. So that would be the first comment there, and I think it's a very important distinction because I might, you know, throw off the audience by saying that one interesting trend that I'm seeing in new laws, new data governance laws, is actually the blurring of lines between personal data and non-personal data, and, you know, when we're talking about non -personal data, this goes even further away from privacy than when we're talking about how we deal with personal data, and this is not something that's immediately impactful to businesses, but this is something you want to keep your eyes on because in five years time, this is going to be it, and the best example is, well, the Data Governance Act in the European Union, which actually applies to both personal and non-personal data, and the Future Data Act, which will be proposed as well in the European Union, which will create data, easy data pools, something like that, in specific areas, and which wants to promote data portability more aggressively than what the GDPR is doing and applies to data, it's the Data Act, not the personal or non-personal Data Act, and India was publishing a personal data protection bill in 2019, and now when we saw the report of the Joint Parliamentary Committee, we saw a data protection bill. Right, yeah, I saw that, yeah, and so, unfortunately, I think we're about out of time, we only have a few seconds left, but yeah, I think that is flagging just a whole big other issue, and it kind of brings us right back around to the first topic we were talking about, which is what is personal data, and these unique identifiers now, whether they're data or personal data, and maybe they're all going to be regulated in the same way someday. Thank you so much, Gabriella, it was amazing to talk to you, and we could talk for hours, but I really appreciate your time today, and have a great privacy day. Thank you so much, Emily. Take care, thanks.