← Previous · All Episodes · Next →
Schrems VII, The Return of Safe Harbor S2E38

Schrems VII, The Return of Safe Harbor

This week the founders talk about their experiences dealing with the wild world of EU privacy laws when operating in the US. Learn about the potential impact on the Schrems II ruling on their business moving forward. Plus, learn some proposed names for future Schrems rulings!

· 31:22

|
Show Notes:
Links:
TechCrunch Schrems II

Full Transcript:
Ben:
Speaking of town meetings though, we had a streamed event from our local school district last night in which they revealed that our school district will not be having school in person for the first semester of the year. They're going to do a wait and see approach and see if they can have school opening and the next semester, in I guess January, but for now, the kids are going to be at home.

Starr:
So how do you feel about that?

Ben:
I think that's the right decision and in the state of Washington and in King County, in which we live, the coronavirus cases are going higher than they were in the initial, back in March. So I don't see how it's a good idea to have a bunch of kids in an enclosed space for an extended period of time in those kind of conditions.

Starr:
The difference this time is that it's over.

Ben:
Yeah.

Josh:
It's-

Starr:
The hurricane's past us.

Josh:
It's a good thing that it fizzled out. You know, the flame was extinguished.

Ben:
My son is not too excited about the idea because he actually likes to leave the house and see his friends and things that we would do in normal world where we had good leadership that helped us keep things under control. But no. So that part's unfortunate, but at least we won't die.

Josh:
Silver linings.

Starr:
Yeah. We try and keep the podcasts pretty nonpolitical, but it's hard to contain the simmering rage sometimes. My new greeting for people when I'm just checking on them. It's like, "How's the apocalypse going?"

Ben:
So I saw a tweet talking about the resurgence in cases. And she said, "well, how am I supposed to open my emails now? Because now it's precedented times."

Josh:
That's good. Yeah.

Starr:
I know. It's kind of weird how, yeah. How precedented this is feeling because it's like, okay. Yeah. I have all this list of things I can't do. That's normal now. I've got all these precautions I take when I leave the house. That's normal now it's just daily life.

Ben:
Yeah. It's like back in March when they were talking about what the new normal is going to be they weren't thinking just March, it's like, Oh.

Josh:
Mm-hmm (affirmative).

Starr:
Yeah, just March, but you're a little more comfortable with all the PPE and I don't know, I stopped spraying down, like all the, the bags of chips with bleach. I've stopped doing that. Because apparently that's not very important to do.

Ben:
I've installed that UVC conveyor belt device in my front room so I can just pass all the groceries through there instead.

Starr:
Oh, that's a great idea.

Josh:
Should we send a precedented times email? Like should we finally get around to sending that COVID email?

Ben:
Yeah. Hope this email finds you well in this precidented time.

Josh:
Yeah. I've completely been ignoring our email marketing lately.

Ben:
Yeah. We should do some of that someday.

Josh:
Probably. I've also been enjoying getting work done.

Star:
So today I think we're going to talk about, about Safe Harbor. 2020 just really sucks. Right? 2020 it's like the pillars that you've built your life on, just sort of crumble out from underneath you. And one of these sort of milder pillars I guess, is Safe Harbor. So what is Safe Harbor-

Ben:
It's funny actually, because it's not Safe Harbor-

Starr:
It's not Safe Harbor.

Ben:
But that goes along well with precedented times because Safe Harbor was the thing that happened five years ago. And now we're dealing with it again because of Privacy Shield.

Starr:
Oh, Privacy Shield! I'm sorry.

Josh:
Was Privacy Shield the thing that was in response to Safe Harbor? I'm trying to remember.

Ben:
Yes.

Josh:
Yeah. Okay.

Ben:
Yeah. When Safe Harbor got torpedoed, then Privacy Shield came around. Yup.

Starr:
I can't keep my bullshit straight.

Ben:
So yes, precedented times, indeed.

Josh:
So yeah. So we're still shielding the Harbor though. Was that the idea? But I do know we no longer now, like the shield is, the shields are down. Is that? I'm losing track of this metaphor.

Ben:
Can't take much more of this captain.

Starr:
Well, they've sort of dropped it though, because it was... Well, which one came first? Safe Harbor?

Ben:
Yeah, Safe Harbor.

Starr:
And then Privacy Shield. And now it's standard contractual clauses or something like that?

Josh:
Right. Yeah.

Ben:
Right, today we're talking about data.

Starr:
Data, okay.

Ben:
And again, not Star Trek.

Josh:
And what to do with it.

Starr:
Ones and zeros.

Josh:
Yeah.

Ben:
So yeah. So a brief history is in order. So back in the olden days in pre 2015, so the whole thing is data transfer from the EU to the US that's what we're talking about. And that's why we care because we have customers in the EU and they want to send us data. In our case, in Honeybadger's case, we have customers who are sending potentially confidential data about their customers, right? Maybe an email address or an address or something that might show up at an exception report. And so they have to be concerned, our customers do, about what data they send us and how we protect that data because there are varying laws around the world about data protection.

Ben:
Like we've seen with GDPR the past few years. So I guess a brief history is back in the early 2000s, the EU started to get concerned about the US not having as good as protections on data as the EU and so they came up with this agreement with the US on how data would be treated. They got transferred to the US from the EU. And that ended up in the Safe Harbor agreement, which basically said that, "Oh, US companies, if you agree to this kind of thing, then you can accept data from the EU because you agree to do these kinds of protections. You're not just going to publish it on a billboard or, or whatever." Right. But then it got kind of blown up from a court case in the European union let's see, that's a Schrems, is that what it's called?

Josh:
Yeah, Schrems one and Schrems two then. Yeah.

Ben:
Well, Schrems one was a case that got decided by the court of justice of the European Union. And that was basically a privacy advocate who said, "Man, the Safe Harbor stuff, it's not really good enough." And so he sued and the court of justice agreed and invalidated Safe Harbor. And that sucked.

Josh:
Yes.

Starr:
Safe Harbor it was kind of weak sauce. Right. It seemed to me more like the pledge of allegiance than a binding sort of contract.

Ben:
True. True. Yeah.

Starr:
It was just like, we hold these data to be protected. We really, really promise.

Ben:
Right, right. Cross my heart, hope to die, it will be protected. Yeah. So the court decided, "Nope, not good enough." And so everybody hustles and put in a valiant effort and came up with the Privacy Shield and that was fine. It still was like, okay, you're going to, as a US company, you're going to pledge to assure that you're going to do these kinds of things with data. But overall, my impression being on the implementation end was that it felt a little more, I don't know, real?

Ben:
I don't know, it was less of just saying you're going to do the system stuff and then more of a, yes, you're actually doing some stuff. I don't know. There really was no Privacy Shield police that came and knocked on your door, but it was more detailed. It felt a little more official, I guess. And I thought it was fine. My only real snag about Privacy Shield... We started it what? 2018 I think is the first time that we actually went through the Privacy Shield process, which is registering with the FTC and saying that you're going to do it basically and paying your fee. And you agree to have a representative that can adjudicate any kind of claims that an eight year resident might make against you for violating their data protection. So we did that and we set that up.

Ben:
So my only real beef was that it costs like 350 bucks a year. And I thought that's kind of ridiculous, but the FTC was saying, "well, we've got to have money to fund this program because we have to have people running it." I'm like, "Oh, okay. But 350 bucks a year, really?"

Starr:
The punchline is how much we're going to pay for our SOC 2 audits.

Josh:
Right? Yeah.

Ben:
Yeah, that's a whole different story.

Josh:
350 bucks sounds pretty good.

Ben:
Yeah. So I don't know. Privacy Shield was fine, it made sense to me. You agree, you pledge it, you get listed in this whole database and you say, "yeah, we're going to do these things." And we did, we lived up to those things, but the return of Schrems. Schrems two. This person did not rest and said, "no, not good enough"

Josh:
I was going to say from your description of Privacy Shield and the Schrems one case, it sounds like one thing that they probably woud throw a wrench into the works would be, I don't know, national governments having policies of surveillance, where they create massive data centers that suck up all the information from basically any source they can find and store it for ever indefinitely. Is that pat of this, why you think there's a Schrems two?

Ben:
Yep. It definitely is.


Ben:
Yeah. I think this node thing is what blew up Safe Harbor because once that was revealed it looked like a paper tiger, I guess. It didn't look like it had enough teeth to really fight off the kinds of things that the US government was doing. So thus Privacy Shield, but I don't know enough about the decisions and the cases to say why Privacy Shield was a second victim. I don't-

Josh:
Right.

Ben:
All I know is we have customers knocking on our doors saying, "okay, now that Privacy Shield is dead. What are you going to do?" You know?

Josh:
Yeah. Well, I mean the short version is that there was a second Schrems case, right? And that case is the one that recently decided that Privacy Shield is no longer adequate and I think leaving in place some additional measures like the SCC, the standard, was it?

Ben:
The standard contractual clauses.

Josh:
The standard contractual clauses, which have been around. But those are still in effect and it seems like that's one of the things that have become maybe elevated? Am I understanding that correctly?

Ben:
Yeah. So the standard contractual clauses are what it says on the tin. They are standard in that it's basically boiler plate. They are contract. So they represent a contract between you, the... well, there's actually three different kinds, but in our case, a contract between the data importer, which would be Honeybadger and the data exporter, which would be one of our customers who is sending us some data. And then in clauses, there are this boiler plate has a set number of clauses that they don't change. And they just specify what what fulfills the contract, like what kind of provisions are you operating under that will assure that the data is being treated in a very kindly way. And for now the standard contractual clauses are still fine, but everyone who's talking about this Privacy Shield decision that came down just last week, July 16th, that's last week, right? Yep. There's they're saying, "well, yeah, you got your SCCs now, but I mean, that's next."

Josh:
Yeah right.

Ben:
That's going to be on chopping block next.

Josh:
So do you know what's going on with the US response to this? Because there was a great article, which I think we can link up in TechCrunch that went through the history that you shared with us, Ben, and from what I understood or took from it, it sounds like the US, like on our end, we had these obligations, like you said, to pay our fees and meet these obligations, they're kind of just surface, but you still have to do it. And it said the US is still, that is still active. Our obligations under the US side of this is, are still required. However, we still have to comply with whatever the EU says in order to actually fulfill those responsibilities now. And Privacy Shield is no longer adequate. So this is why we're talking about moving, like creating data centers in Europe, basically to satisfy those requirements. Is that a right way to explain it? Or-

Ben:
So I think there are two things to think about. There's the legal stuff, what you're committing to, and then there's the business to business stuff that you're committing to. So for Privacy Shield, we were pledging in that case to the US to the FTC, that we would take certain concerns and safeguards over data. Right. And then basically that relays to a company in the EU saying, to the FTC saying, "yep. You know, Honeybadger, they promised to do this and we will follow up. If you say they're not, then we will go and knock on their door and find out what's going on there." Right.

Ben:
And, but the invalidation of the Privacy Shield from the EU perspective is if you're an EU company that's not good enough anymore, that assurance isn't good enough to give to your customers saying that we're taking care of data well, with our sub processors, which Honeybadger in this case would be a sub processor. Right. And so, so now these EU companies who have been told through this decision that," Hey, that's not good enough." Now. They're like, "well, okay, well, we'll have to fall back to these standard contractual clauses for that." Basically it's an individual commitment between the subprocessor or Honeybadger and that business. Right.

Josh:
Okay. So we're being affected by our customers in the EU. Because they have to comply with this, which means they have to get us to comply with the EU side of this versus if we didn't have any EU customers and we've for whatever reason still wanted to have Privacy Shield in the US we could still do it. It wouldn't mean anything. But we could still have our, whatever, put it on our website or something like that.

Ben:
Yup, exactly.

Josh:
Okay, makes sense.

Ben:
And yeah, until the last week, if you had that Privacy Shield logo on your site, and that would say, Oh yeah, this company is agreeing to a certain standard of data protection.

Josh:
Yeah. Okay. So it's just the same old compliance spider web, where everyone is affecting everyone else and interconnected. Okay.

Ben:
Right. So to your point, yeah. Privacy Shield is still a thing, right. It's still valid. We're still a member, we've paid our dues for this year, you know?

Josh:
Yeah. We don't get our 350 back?

Ben:
We don't unfortunately. So we could still say, put that up on our website and say, yeah, we're Privacy Shield. You know, we're good. You're treating your data well, but no one cares anymore because of this ruling. Because no one in the US cares, right. We don't care about privacy at all, except for maybe the state of California. And that's a different kettle of fish, but-

Starr:
and this is just Privacy Shield, but our other badges are still, they're valid. They're unaffected. Like our McAfee, trusted site badge, like our Better Business Bureau badge.They're separate. So don't worry about that.

Josh:
I was worried.

Ben:
We're still working that Angie's list listing, but we'll get there.

Josh:
Yeah.

Starr:
So can I tell you all something about the... so I was reviewing the standard contractual clauses pull requests that Ben asked to see the other day.

Starr:
And I was just, I didn't understand that he was just asking, I think, for me to look at the end of it. So I was like, I was just going to read this whole thing. And so I read it all-

Josh:
I read the whole thing too.

Starr:
Yeah. And I was reading this. I didn't understand what these were about. I just thought these were things that our lawyer told us to put in our thing, and I'm just like, what, what is our lawyer? Like, what are we paying our lawyer for? They're just giving away the farm here. I expect this to be like, here are the conditions in which you can't sue us, which is all the conditions. Right? I mean, not that that's fair, but that's what a lawyer is supposed to do for you. And it's like we understand under these conditions, all these people can sue us.

Starr:
No, no, I don't agree to that. I mean, I do because it's fair and whatever, but it made me a little bit anxious. So yeah. It's really weird because I guess it's not weird, it just shows a difference in sort of perspective, because in the US, corporations, which we kind of are, are privileged in a lot of ways, like the US prefers corporations over people and that sucks. I wish it wasn't the case, but it sucks. Like there's as a corporation and as owner of a corporation, you get a lot of perks. And so it's kind of unusual to have-

Josh:
Yeah, having liability in writing is a little strange for us.

Starr:
It's weird. It's like, this is the US. If you get cancer from using Honeybadger, we're sorry. Like, no, I mean, again, I should say that this is not what I really think, but it's just, I've gotten so used to this mindset.

Josh:
Like the mentality.

Starr:
Yeah. And here's this document coming in saying like, if you get cancer, we will recognize that it's our fault. And yeah. So I don't know what's going to happen if we get sued in Brussels. Like, I guess we would hire a Belgian lawyer?

Josh:
I have the same thought, I mean, yeah, I haven't heard about those cases, definietly not on a small scale. You hear what happens when Facebook, and I think actually that's probably maybe a point to discuss is maybe a lot of theis is a result of large companies like Google and Facebook. But yeah. I don't know, what does happen if... Will small people get pulled into these sort of things? Because that doesn't sound like a great future for small tech businesses, to be honest, you know, even though it's solving an actual problem with the whole privacy issue.

Ben:
Yeah. I mean, I don't know .I don't think that's really something that's new here. Right. Because you always could have been sued by some person in Belguim, right?

Josh:
Well, yeah. And it's not very frequent.

Ben:
Yeah, so I don't know that it really makes that big of a difference. I could be wrong, but I mean, that's why you buy insurance. Right. You know, we have the general policy, we have the errors and omissions policy. We have the cyber policy. Right. Because of things like that, where if there's a breach or some other sort of thing, and we get sued, then that policy steps in and pays for those kind of costs.

Josh:
That's good. That's a really good point. Pro tip, buy insurance.

Ben:
Yeah. Buy insurance.

Josh:
Like in every situation buy insurance.

Ben:
Yeah. And in our case, we've had customers specifically require that we have the cyber, so we have some custom agreements in place. And part of those agreements is that we have the cyber insurance specifically to handle things like breaches and lawsuits and that sort of thing. So, yeah. It's a good idea. It's not terribly expensive and if you're dealing with a bunch of data, like we are, that would be painful if it got breached, like it would be for us then it's good to have that.

Josh:
Well Starr, sorry. I guess you'll have to cancel that Brussels attorney retainer.

Starr:
Well, I am wondering if our insurance will cover stuff in Europe.

Josh:
Yeah. Yeah. That's a good, I don't know. I have no idea.

Starr:
Because I'm pretty sure my car insurance won't work in Europe.

Josh:
Hopefully it does.

Ben:
So the thing though, that makes me a little nervous is what happens when Schrems three happens, right? And these standard contractual clauses are ruled invalid or unenforceable or whatever the legal term would be that basically makes it go away. And the only thing I can think of is like, well, I guess you got to have a data center in the EU so that the data stays there versus coming over to the US.

Starr:
So so it's all about the data. It's not about us as a company really. We can be a US company, but as long as we have our data centers in the EU and the data doesn't leave the EU, then we don't have to do all this stuff.

Ben:
I'm no legal expert. So I will give you an unqualified maybe to that.

Starr:
Okay. I mean, that sounds about like what most legal experts have always told me whenever I asked them a question. So-

Ben:
Maybe I am a legal expert.

Starr:
There you go.

Josh:
But he's not. Sub text.

Starr:
I mean, that's what I always told freelancing clients. Right?

Ben:
I think if you step back, the 40,000 foot view is that the EU wants to protect the privacy of its citizens, right. Including the data that they might leave across the internet. So their name, their birth date and stuff like that. And the concern with Safe Harbor and with Privacy Shield has been okay, well, what if some other entity like the US in this case, has a regime in place that doesn't care about hoovering up all the data about anybody on the planet? Well, then that's in direct conflict with the goal of the EU to protect the privacy of their residents. Right?

Ben:
So how can you protect that if none of these agreements really hold water because the sovereign authority of the United States says, "well, tough. I don't care what you agreed to. We're going to do whatever we want." Right? I think having data and a data center, that's not in the US is step one, helpful there. And then to your point Starr, is that enough? I mean, if you're even operating in the US is that going to be a problem?

Josh:
It might depend which direction you go in the future?

Ben:
Yeah. I don't know. I mean, is that data being transferred at all to the US in the form of somebody using their web browser, hitting our web app that happens to be running in Virginia, which is actually talking to the data that is living in Frankfurt? And I don't know.

Josh:
Yeah.

Starr:
Maybe it's just time to move the whole company to the EU.

Ben:
So that's one option.

Starr:
Yeah. I mean, we could find a little chalet in some Alpine village.

Ben:
The other option is you say, EU residents don't, or companies, you can't do business with us. And that's not a fun idea. I don't like that idea very much.

Josh:
Or move to some kind of self hosted model where we just sell a license to the software. Does that work? Or do you still have a-

Ben:
Yeah. As long as it's not touching data anymore.

Josh:
Yeah. Yeah. I wonder what are longterm future, I guess a different future look like for instance, if a wild idea, if the US decided to change its approach towards privacy, user privacy and data retention? What if Congress had an act that all of a sudden said there's no more Pfizer courts. There's no more NSA can't just like hoover up all the data, we're going to enact some regulation that is more in line with the EUs perspective of things.

Josh:
Which, I mean, to be honest I don't see any other way to protect, I mean, how do you protect user data on the internet or anywhere without regulating it in some way? You end up with what we have, which is the wild West kind of. So yeah. What if the US did create some sort of policy, which is in line with them, could that result in future, maybe Schrems three could be a good thing. Maybe it's like, okay, it's the return of a more cooperative... I'm trying to present an optimistic version of the future. Since we do a lot of doom and gloom, we never speculate on positive outcomes. So, you never know.

Starr:
I think that's true.

Josh:
I mean, maybe it'll be Schrem seven, the return of Safe Harbor.

Ben:
Revenge of the Schrems?

Starr:
I think that's got to be the episode title.

Ben:
Schrem Strikes Back.

Starr:
The great thing is very few people are going to understand it, but I still love it.

Ben:
I think that's totally possible. And there's even some question, like I mentioned California earlier as a wild card because they had the CCC PA-

Josh:
CCPA I think?

Ben:
Which is not a hundred percent like the GDPR, but it has similarities and the goal being to protect data. So yeah, there's actually some question like, Oh, well, I mean, California's policies are better than the USs at large. So maybe companies running in California won't have to deal as much with this kind of pain as companies in other parts of US because they have better protections. I think that's a pretty big open question, but yeah, I think it is possible that we could get to a point where the US has policies that are similar enough to the EUs policies, that it could be a moot point, which I think would be fantastic.

Starr:
Yeah. When you say policies like that, that makes me think of the current state of the federal government and the response to the COVID crisis, which has been essentially, every state is doing its own thing. And so it's like, I'm wondering if we may end up with, 30 different data protection systems and then 20 States without them. And we're trying to like lure companies, they're being like, see, we don't protect data. And yeah. So-

Josh:
Yeah, that definitely seems like a problem to solve on the federal level.

Ben:
It's, it's not like we would have done something like that with syntax.

Starr:
So many things seem like a problem to solve on the federal level Josh, so many things do. but, we don't believe in that in this country. it's morally wrong to solve problems on the federal level. Don't you understand?

Josh:
Yeah. Yeah. More people should go back and read the Federalist. They go through point by point a lot of the things that make sense to solve on the federal level.

Starr:
So here's an interesting twist. If the EU is more cohesive than the United States, what does that say? Because EU isn't even really a country.

Ben:
That is an interesting conversation to have, I think.

Starr:
Yeah.

Josh:
Mm-hmm (affirmative).

Starr:
We'll have to start our own politics podcast.

Ben:
Yes.

Josh:
I'm down.

Starr:
Honeypundit. I don't know.

Ben:
So as you alluded to, we did have a change to our website this week where we pulled down the Privacy Shield text and put up the standard contractual clauses text. And now that's part of our data processing addendum, which we did awhile back for the GDPR. So all of our European customers who send us data are now covered under via our standard terms, both the data processing addendum and the standard contractual clauses, so that they can be assured that we are treating their data with the utmost respect and trying to be good netizens. And of course, we're also going through that SOC compliance process to prove it that way too. But, yes, we run a tight ship here at Honeybadger and hopefully we will be able to continue serving our EU customers for many years to come.

Starr:
Please, please don't sue us. Like, just talk to us. We're nice. We'll help you out, but just, yeah, just don't sue us in Belgium. Because I don't want to figure out if our insurance works over there.

Josh:
Yeah.

Starr:
Well, do we have anything more to say on this topic? Or should we ride into the sunset?

Ben:
I think we nailed it.

Starr:
Nailed it. All right.

Josh:
This is a good podcast. I think this is going to be a good one.

Starr:
It is, yeah.

Ben:
How long will it take for someone to write us and say you got it all wrong and here's how.

Starr:
I mean, this is the internet.

Josh:
It doesn't matter, because we just won't retweet them.

Starr:
I saw something on Twitter that somebody was like, "so in pandemic I've started making flower bouquets every day for my wife and it's pretty easy and here's how you can do it." And then somebody wrote underneath is like, "these are garbage. You don't know what you're doing."

Ben:
That's rough.

Starr:
But yeah, it was-

Josh:
I owned a flower shop before the pandemic.

Starr:
Yeah. So I mean, fortunately not too many people, like when we started Honeybadger, I expected way more of that and we haven't really gotten a lot of it yet. So-

Josh:
People seem nice to us.

Star:
Yeah. For a while we thought maybe all the people from Sweden were being like that to us, but really they're actually really nice people, but there's just a bluntness that sort of is lost in translation a little bit. And yeah. So, anyway, we have come to understand that and love all of our Swedish friends.

Josh:
Yeah. I actually think that I've come to appreciate bluntness a little bit more. Especially if both parties can drop the personal offense to the blunt comment, you can communicate a lot more effectively if you just get right to the point.

Starr:
Yeah. That's true. That's true. All right. So yeah. Well, okay. We're done. Get out of here. This has been FounderQuest so leave us a review if you want to. Be blunt if you want to. Yeah. Whatever. And if you want to write for a blog, come to our blog at Honeybadger.io and go click on blog. And there's a link at the top, it'll say write for us. So that's it. All right. Catch you all later.



Subscribe

Listen to FounderQuest using one of many popular podcasting apps or directories.

Apple Podcasts Spotify Overcast Pocket Casts Amazon Music YouTube
← Previous · All Episodes · Next →