I wouldn’t go as far as saying that leaders at startups hold such a strong disregard for privacy, but I do find many taking the stance that the world’s strictest data privacy laws don’t apply to them. If you fall into this category, you ought to know that privacy isn’t dead, and a new era of privacy is being quietly ushered in across Europe. Earlier this year the European Commission (EC) issued its long-awaited update to ‘Standard Contractual Clauses’ (SCCs), which represents the most frequently used mechanism to transfer your customers’ personal data out of the EU, including to the US. If you’re a business that operates in or with Europe, these new updates – and the constantly shifting privacy landscape more generally – matter. If followed incorrectly or not taken seriously at all, it can be extremely costly. So, let’s look at some of these new privacy updates in more detail and I’ll then share some lessons I learned while working on privacy issues at a startup that processes vast amounts of user data.
A new era of privacy, and the fine print you probably missed
The question of where your data exists and who has access to it is becoming one of the most complex and significant questions in startup land. On the one hand, the booming SaaS startup ecosystem means that we are now more reliant than ever on the cloud, where servers often reside abroad. On the other, there are ever-changing regional data rights as different jurisdictions embrace data sovereignty and privacy rights for users. This friction has now made its way to the courts, and just last year the EU issued a ruling (dubbed ‘Schrems II’) that invalidated the ‘Privacy Shield,’ or the mechanism that was being used to get data out of Europe and into American data centers for processing. Then came the update to the SSCs. The basic premise of this update was to bring in new SCCs to govern the transfer of personal data from the EU to third countries, designed to better protect Europeans from mass surveillance, specifically a concern with regard to the US. If you’re operating in or doing business with European residents, international data flows are probably an essential part of your business in an increasingly digital global economy. You might not even be aware that your digital product relies on microservices from a partner that sees user data processed in a third country. Let’s take for example our product at Mixpanel. We provide SaaS-based product analytics technology, which by its nature, tracks user behavior within apps so product experts can improve the user experience. If you use our product, until recently you’d have been sending data to us that was processed in the US, perhaps without fully realizing the implications. We’ve now got full EU data residency to overcome this issue, but we’re very much in the minority. And this should be the number one issue concerning startups. Has our surface area for liability and risk just been hugely expanded? If I put this in simpler terms: you’re a fintech that has contracts with seven companies providing services via APIs. Those seven companies also contract with a further 10 companies each, which now means your risk surface has expanded from seven companies to 70. So, what can busy startups do to reduce their risk and ensure they’re delivering on privacy obligations for the people that use their services? In my view, there are three golden rules that can help a startup navigate this complexity. There’s simply no avoiding this issue in the long term. People increasingly care about data privacy and with the changes to the SCCs the EU has further signaled the importance it attaches to data residency. With local regulators soon to release their guidance and interpretation within member states, now is the time to act. The movement for improved privacy isn’t dead, it’s just getting started.