Your startup isn’t ready for Europe’s privacy shake-up — but here’s how it can be

Privacy isn’t dead, it’s just getting started

A new era of privacy, and the fine print you probably missed

The question of where your data exists and who has access to it is becoming one of the most complex and significant questions in startup land.

On the one hand, the booming SaaS startup ecosystem means that we are now more reliant than ever on the cloud, where servers often reside abroad. On the other, there are ever-changing regional data rights as different jurisdictions embrace data sovereignty and privacy rights for users.

This friction has now made its way to the courts, and just last year the EU issued a ruling (dubbed ‘Schrems II’) that invalidated the ‘Privacy Shield,’ or the mechanism that was being used to get data out of Europe and into American data centers for processing. Then came the update to the SCCs.

The basic premise of this update was to bring in new SCCs to govern the transfer of personal data from the EU to third countries, designed to better protect Europeans from mass surveillance, which is a specific concern with regard to the US.

If you’re operating in or doing business with European residents, international data flows are probably an essential part of your business in an increasingly digital global economy. You might not even be aware that your digital product relies on microservices from a partner that sees user data processed in a third country.

Let’s take, for example, our product at Mixpanel. We provide SaaS-based product analytics technology, which, by its nature, tracks user behavior within apps so product experts can improve the user experience.

If you use our product, until recently you’d have been sending data to us that was processed in the US, perhaps without fully realizing the implications. We’ve now got full EU data residency to overcome this issue, but we’re very much in the minority.

And this should be the number one issue concerning startups. Has our surface area for liability and risk just been hugely expanded? If I put this in simpler terms: you’re a fintech that has contracts with seven companies providing services via APIs. Those seven companies also contract with a further 10 companies each, which now means your risk surface has expanded from seven companies to 70.

So, what can busy startups do to reduce their risk and ensure they’re delivering on privacy obligations for the people that use their services?

In my view, there are three golden rules that can help a startup navigate this complexity.

There’s simply no avoiding this issue in the long term. People increasingly care about data privacy, and with the changes to the SCCs, the EU has further signaled the importance it attaches to data residency. With local regulators soon to release their guidance and interpretation within member states, now is the time to act.

The movement for improved privacy isn’t dead, it’s just getting started.

Story by Peter Day

Peter has held numerous privacy and legal roles, including as CPO at the Federal Reserve Bank of San Francisco and as a partner at LeClairRyan, one of the top legal firms focused on data privacy.
