The (Infinite?) Loop between the EU, the US & Max Schrems with Lisette Meij - EP019

Life After GDPR Podcast w/ Rick Dronkers and Lisette Meij (EP019)

In this episode I’m joined by Lisette Meij, director of Privacy Verified, Board Member of the Women Leading Privacy Advisory of IAPP and allround privacy expert who’s made it her mission to help companies navigate the complex world of privacy legislation. Lisette is a Master of Law and has been focussed on IT and Privacy legislation since her studies. Together we explore the infinite loop we’re stuck in right now, and what to think about that.

You can follow Lisette on LinkedIn or have a look at her company Privacy Verified.

If you want to help us out, please share the link to this episode page with anyone you think might be interested in learning about Digital Marketing in a Post-GDPR world.

Talk to you next week!

-Rick Dronkers

Transcription Disclaimer PLEASE NOTE LEGAL CONDITIONS: Data to Value B.V. owns the copyright in and to all content in and transcripts of the Life After GDPR Podcast, with all rights reserved, as well as the right of publicity.

WHAT YOU’RE WELCOME TO DO: You are welcome to share the below transcript (up to 500 words but not more) in media articles, on your personal website, in a non-commercial article or blog post (e.g., Medium), and/or on a personal social media account for non-commercial purposes, provided that you include attribution to “Life After GDPR” and link back to the https://lifeafterGDPR.eu URL. For the sake of clarity, media outlets with advertising models are permitted to use excerpts from the transcript per the above.

WHAT IS NOT ALLOWED: No one is authorized to copy any portion of the podcast content or use the Life After GDPR Podcast name, image or likeness for any commercial purpose or use, including without limitation inclusion in any books, e-books, book summaries or synopses, or on a commercial website or social media site (e.g., Facebook, Twitter, Instagram, etc.) that offers or promotes your or another’s products or services without written explicit consent to do so.

Transcripts are based on our best efforts but will contain typos and errors. Enjoy.

[MUSIC SOUND EFFECT BEGINS AND FADES]

[00:00:00] Rick Dronkers: Hey everybody. Thank you for tuning into Life After GDPR, where we discuss digital marketing in a post-GDPR world. In today's episode, my guest is Lisette Meij. Lisette is the Director at Privacy Verified. She is a legal professional, a lawyer who has specialized in privacy legislation. So yeah, we finally have a true expert on the podcast. [Laughs]

[00:00:27] But she's helping companies, basically trying to make sense of what to do in practice with all the privacy legislation out there and how to navigate this new landscape, how to make decisions going forward. And that's also what our talk mainly is about, about how to interpret what is going on with the executive order by Biden.

[00:00:51] If you can use American-based tools, if you should, why you perhaps shouldn't, or what is the way for you to look at this and how to assess that risk. And it was also very interesting and good for me to see the frustration that she has as a professional who is on top of all of these topics and is really deep into this material.

[00:01:19] And that she also sometimes experiences this feeling of powerlessness with regards to what you can advise to a company and what a logical next step is based upon all the uncertainty out there in the market. So it was a really valuable talk to me. I learned a lot, hopefully it will also be to you even though Lisette is a lawyer and legal specialist.

[00:01:48] Nothing we say in this podcast should be taken as legal advice. This is just for educational purposes, so take that for what it is. Enjoy the podcast. Lisette, welcome to the podcast.

[00:02:02] Lisette Meij: Thank you for having me.

[00:02:04] Rick Dronkers: If you have to explain what your daily job is, how do you explain that to people?

[00:02:10] Lisette Meij: My daily job is, I would probably say, I help organizations to be privacy compliant. I work as a legal counsel basically focused on the privacy laws and how to use data in an efficient and compliant way. For example, big data analysis or other tools you can use, and make sure that everything you do as an organization is compliant within the privacy laws we have.

[00:02:37] So there can be the use of cookies, just collecting personal data, processing it, using third parties for it, and I make sure that, however you do it, they do comply, but also in a practical way so that you can actually do your job and make sure that you're compliant while doing it.

[00:02:56] Rick Dronkers: I think the listeners of the podcast will like the practical part of it. So probably we’ll dive into that.

[00:03:02] Lisette Meij: Yeah. So do I. Yeah. Yeah.

[00:03:04] Rick Dronkers: But it's safe to say that you're quite busy the last couple of years after the introduction of GDPR.

[00:03:11] Lisette Meij: Yeah, well you can see that I started in 2014 and we also had a privacy law, which was practically much like the GDPR. But the difference with the GDPR is that you need to document more to show your accountability, to show how you comply with the law. In 2018, we saw a big spike that a lot of companies asked for help to make sure, okay, what do we need to do to be compliant with the GDPR?

[00:03:43] What do we need to change? Am I doing it right? And we're doing it, and after that you saw that went down a bit because of the supervisory authority. So in the Netherlands we have the Authority (Authoriteit) about Personal Data (Persoonsgegevens). There weren't a lot of fines and organizations didn't really feel the need anymore to use their time and their money to be compliant. So you saw, well, it dropped a bit. The focus, the privacy wasn't really a priority anymore. And now you see it's going up again a bit because we have, there are a lot of things to do, for example, in the news with the data breaches. Also everything around Google Analytics. I think there's a new focus again on privacy use. So not saying that we weren't busy in the meantime, but we are pretty busy again right now.

[00:04:31] Rick Dronkers: Yeah. I can imagine. I remember I worked at an agency in 2018 when GDPR went into effect. And there were a lot of people who were really scared of like, how to do this. Of course, everybody started too late, which is how those things go. Right.

[00:04:47] Lisette Meij: Yeah.

[00:04:49] Rick Dronkers: But then I do recognize what you said, like after that there was no enforcement. We just went on with what we were doing.

[00:04:56] Lisette Meij: Yeah, that was exactly the thing. So with the start in 2018, in May, you had a lot of organizations that wanted to be compliant from the start. Indeed, they might be a bit scared of what was going to happen, and the organizations that didn't do anything yet saw there was indeed no enforcement yet.

[00:05:17] So while the priorities dropped down and you have a lot of other things on your mind you have to do, well, they didn't really do anything with it. And until you see that some of your competitors is being fined. That's the moment you think, okay, I need to do something myself as well. So yeah, I think it's a natural reaction, but on the other side too bad.

[00:05:38] Because it's not only about you as an organization, but also about the personal data of your customers you're processing. So it's not only about you and spending time and money on it, but also how do you make sure that privacy is safe while you're processing data.

[00:05:56] Rick Dronkers: More the ethical piece of it.

[00:05:58] Lisette Meij: Yeah, exactly. Yeah.

[00:05:59] Rick Dronkers: I've seen a lot of people in the privacy community complain, I would say, about enforcement. I think that from this point of view, they are right in the sense of companies that did not do anything with the GDPR when it got introduced actually had a competitive advantage for a longer period of time. If you would argue that using the data in a non-compliant way could give you a competitive advantage, and they didn't spend the money on becoming compliant, so they had a double competitive advantage in that. So by not being really stringent on the fines that we're giving out, yeah, they were actually rewarding companies that did not comply.

[00:06:40] Lisette Meij: That's probably one way to look at it. I feel like if you look at it more from the ethical perspective, I think if you did comply with it from the start, it shows that you take privacy very seriously. I think that's an advantage you have as an organization and yeah, maybe you did use the data in the wrong way, but from a legal perspective, I would say well, if you did it after 2018, you had a problem because you weren't allowed to do it. So actually maybe you collected a lot of data, but if you did it in a wrong way, you had to, for example, delete the data. So what's the advantage you had from that? And you didn't have to spend any money on it, but probably you did have to do that after two years.

[00:07:23] So maybe you had some time to save up your money to do it after two years, but you had to do it anyway. And I think that might have been the perspective in 2018. But I think when we look at it right now, I honestly do think it's an advantage you have as an organization if you can show your customers that you do take privacy seriously.

[00:07:42] I actually think it's a unique selling point for a lot of companies because, for example, and also it's not only about the fines, and I think that's a really important point as well that I want to point out, because if you get a fine, okay, that's bad. And a lot of times your company is able to pay for it, but nobody wants to pay for a fine.

[00:08:03] But it's not only the fine you have to pay. Also think about the damage to your reputation. I think that costs way more than the fine you will get. And that's the advantage other organizations will have. Because, for example, if your competitor has a data breach, you can say well, look at us since 2018, or maybe even way before that, we've taken privacy very seriously.

[00:08:26] So come to us, pick me. I'll make sure that your data is safe. And that's the right way probably to look at it, at least from a legal and ethical perspective. And I think that's, well, that's what's happening right now.

[00:08:41] Rick Dronkers: It's a little bit short term gain versus long term gain.

[00:08:45] Lisette Meij: Exactly. Yeah.

[00:08:47] Rick Dronkers: I think for marketers out there, it's also, I see it increasingly, marketers becoming aware of using privacy as a USP. And I think Apple is probably the biggest example of it. We could go down the rabbit hole of whether they do it to destroy their competitors or, like there's probably two motives for them, but it's definitely working. Like a lot of people have at least the feeling that an Apple device will protect their privacy more than another device. So they're using that as a true USP in their marketing.

[00:09:19] Lisette Meij: Yeah, and keep in mind that you have to comply with the law anyway, so make sure that you do it in a way that benefits your organization. So if you have to comply anyway, make sure you can use it as a USP. I think that's the best way to do it. Instead of seeing it as a hurdle, and I know that a lot of companies, probably departments within a company, for example the marketing department, sees it as a hurdle and as something that makes sure we're able to do or things as we're used to or use the data as we want to.

[00:09:49] But I think if you turn it the other way around and be transparent about what you do and make sure you comply, it's actually a USP, if you look at it in that way. That's probably the most positive way, but also a realistic way, because actually you can do a lot with data if you do it in the right way.

[00:10:09] If you're just transparent, if you make sure who your suppliers are, what data is being exported, you can comply with a lot. Process the data the way you would like to while regarding the GDPR. Using it as a USP for your customer. So I think actually that's possible and that's the way we should go for it and make sure we are doing the right thing.

[00:10:33] Rick Dronkers: I agree. I saw somebody on Twitter, I forget who it was, but there was this news article about the people at Facebook actually didn't understand how their algorithms were working, and also where certain pieces of data came from. And there was like a leak somehow that leaked out, that they actually weren't sure internally of how the structure actually worked.

[00:10:51] And I think if you take a privacy by design approach, which I get, it's hard for Facebook to do after the fact, right? Because they started when probably this wasn't top of mind at all. But if you would start over right now with the privacy by design approach, it doesn't only help you from a privacy perspective. It also helps you from like, building a solid product and having documented basically all the inputs and how you're handling the data, and then how the outputs are generated of whatever data product you're building. So it's actually not only for privacy, but also for just your work as a data practitioner. Those privacy by design principles are really helpful.

[00:11:35] Lisette Meij: I agree, obviously, but I also think it is what happens, if you have self-learning algorithms you might not know every detail on how it works, but you need to stay in control. And that's not only from a legal perspective, but also probably from, I'm not sure. I think you can answer that question better than I can, but also probably from a marketing perspective, you want to know what kind of data do we have?

[00:11:58] When did we collect it? What can we do with it if we want to do more? What do I need to ask the legal department to do so? And if you know all these things, it's also easier for the legal department if you have one to help you with it because I feel that's probably also an issue we're dealing with.

[00:12:17] I see that with a lot of clients. If you have two different departments, for example, marketing and legal, they don't always work perfectly together. And the legal department feels like the marketing department wants to do a lot with data, and they only inform the legal department at the end of the idea or when it's already running.

[00:12:36] And the marketing department always says no. But if you are in control of data from a marketing side, it's also easier for the legal side to help you with it and say what's possible or what's not.

[00:12:51] Rick Dronkers: Cooperation.

[00:12:52] Lisette Meij: Exactly. Yeah.

[00:12:53] Rick Dronkers: I wanna move the conversation a bit to the international data transfer side of things. So in our little world, almost every tool we use or have used in the past is made in the United States. A lot of the big digital analytics, digital marketing tools, and a lot of the big digital advertising platforms are based out of the US.

[00:13:17] There is a change in that, but it's still, I would argue, 80% of the tools that anybody wants to use are still from the US, and that's an issue. Do you maybe wanna walk us through how we got to where we are right now in a helicopter view? And then we can dive into the details.

[00:13:40] Lisette Meij: So we have our privacy law, the GDPR, that states that if personal data is being processed, an organization has to comply with the GDPR. But some organizations, if you go outside of the European Union, they don't have the GDPR. So if you want to use a third party supplier, so if you want to use a supplier outside of the European Union or a lot of states, they have to make sure that the same principles as we have in the GDPR are being reached while using that supplier.

[00:14:11] So, how can you do that? You can have an adequacy decision that says if you use a supplier from this country, it's okay. You can use standard contractual clauses, but for the US specifically, we had a different adequacy decision that said that suppliers in the US, through a self-certification, made sure they will comply at the same level as the GDPR.

[00:14:37] At first we had Safe Harbor, it was before the GDPR. It was decided by the Court of Justice, and you probably all heard of the name, and if not, this is the first time you hear of it, because Max Schrems made a complaint that Facebook sent his data outside of the EU. When that happened, his privacy wasn't being safeguarded the same way as it would've been in the European Union, while our law states that it has to be. The Court of Justice said that the Safe Harbor agreement we had with the US was invalidated because, indeed, and that's the main issue that's there, well, processing data in the US.

[00:15:14] We have the US Intelligence Services that have, can have access to our data, and that doesn't comply with the law we have in Europe because, well, you have the right to privacy, and books for, to US services do doesn't comply with the basic for privacy we have in the EU. Okay? So that happened and there was a problem because without the Safe Harbor agreement or the Safe Harbor framework.

[00:15:41] We weren't really able to use the US suppliers. So what did we do? We searched for a different way in the meantime, and we went to the standard contractual clauses until we had a solution for it. The solution that was being made was the Privacy Shield framework. Maybe that rings a bell for the people that listen to the podcast, but actually the Privacy Shield framework.

[00:16:03] Didn't solve any of the problems because the US was still able to use the bulk surveillance by the US Intelligence Services, and still we didn't have the level of privacy we want for our European citizens. So again, Max Schrems went to the Court of Justice of the European Union and the Privacy Shield was being invalidated.

[00:16:24] We had the same issue. What do we need to do now with all the US suppliers we have, because now there's no Privacy Shield anymore, which was the basis of our agreement while using the US suppliers. So we need to find a solution again. So we went to the standard contractual clauses, which were actually called, during the Safe Harbor period,

[00:16:43] so before the Privacy Shield, the model clauses. And we feel like that's the solution. But the problem is that the US has the possibility to use US intelligence services and the bill are paying. So access to your data and also probably no need to say it, but while using the standard contractual clauses, that problem isn't solved.

[00:17:03] So it's just a legal way that's still valid, because it hasn't been validated yet, to use the standard contractual clauses. So instead of saying we had the Privacy Shield and, for example, Facebook or Google or Amazon said they were self-certified by Privacy Shield, we now just have standard contractual clauses as part of the agreement while, for example, we use Microsoft Azure or Amazon or whatever. But the issue still remains, because the issue is that the US has a possibility to access our data, the European data,

[00:17:39] when we use US suppliers. So in the meantime, from the Safe Harbor to Privacy Shield, to the standard contractual clauses, we saw all kinds of solutions. For example, the US suppliers saying, okay, you can use the services, but then we host the data within the EU. But still there's a US mother on top of the supplier. So the US can still say, I don't care where your data is stored, if it's in Berlin, or if it's in the US or whatever. I can have access to the data because that's our law. I don't care about the GDPR. Our law states that we can have access to the data.

[00:18:15] Whatever standard contractual clauses you agreed on, whatever Privacy Shield you agreed on, I can have access to the law because it's a part of a US company. And that's an issue. So now we're working to a new framework and we call it the Transatlantic Data Privacy Framework. But Max Schrems, the guy that made sure Safe Harbor and Privacy Shield was invalidated by the Court of Justice of the European Union, stated that new plan, the Transatlantic Data Privacy Framework, and Biden signed an executive order for it in the beginning of October of this year, 2022.

[00:18:51] We still have the same issues because since the US law isn't being changed with that framework, and since the European Union still doesn't say, okay, we're fine with US being part of bulk surveillance, we will have the same issue. So if they're going to agree on this new framework, it just is a matter of time that Max Schrems will go to the Court of Justice again and make sure it's invalidated.

[00:19:16] So this gives organizations also a major issue, because what are we going to do in the meantime? Are we just going to wait until the standard contractual clauses maybe are invalidated, or are we going to wait for the new framework and in the meantime still use the suppliers while we know actually we're not complying with the GDPR? Not sure if it's a helicopter view, but this is the issue we're dealing with, and actually we just don't have a solution for it, not a legal one.

[00:19:44] Rick Dronkers: So that's a lot of information, but very well summarized, I think. We've touched upon this in the podcast with previous guests as well, that if you don't have a legal background, it almost feels like we're being scammed. There's like these standard contractual clauses, contracts. But actually they don't actually solve an issue. It’s the same issue, but just because there hasn't been a judge that ruled on it, makes it a….

[00:20:10] Lisette Meij: Some sort of solution. Yeah, and that's exactly what I have to tell my clients because we know it's not a real solution, but we know it's a legal solution because it hasn't been validated yet, but,

[00:20:23] Rick Dronkers: So it's a little bit of duct tape to keep us going.

[00:20:26] Lisette Meij: Yeah, if you could even call it duct tape, or just a bit of glue my daughter would use. [Laughs] I dunno, it's just, I actually feel bad when I have to advise my clients on it. And that maybe sounds weird because a lot of people say well, this is great for lawyers because they can earn a lot of money with it.

[00:20:48] But I don't feel like it's great at all, because what is it you can advise your client? Because you can advise, well, the legal solution for now is to use standard contractual clauses. The big US suppliers will offer you themselves because they're just part of the agreement. They just make sure that, for example, the standard contractual clauses are appendix one, for example, so you don't have to worry about it.

[00:21:12] If you have the smallest suppliers in the US you can, well, send the standard contractual clauses yourself, and then it's just some time to wait until we have more information, while we know it isn't a solution. And so if you ask me, oh well, would you from a legal perspective use a US supplier? My answer would be no. And obviously depending on what kind of data you send to the supplier, what kind of safeguards are taken. But the answer would be no, because the real answer would be that they don't comply with the GDPR because of the US intelligence services.

[00:21:47] Rick Dronkers: If we take the fact that it is unlikely that the United States will ever comply with that fact, right? That they will ever refrain the NSA and the CIA and whoever from accessing the data. And I think looking at the history of the United States and how they approach this, I don't think that's likely, I don't think they will do that. I don't think it's in the way they look at things, right? They probably value privacy, but the NSA and the CIA are above that, so to say. If you take that as a given, there is no structural solution ever to this problem.

[00:22:20] Lisette Meij: And I think that's something Max Schrems said as well, that there will be a solution if they change their laws. So if they actually make sure that access to the data isn't possible. Or if we just accept the fact as the Europeans that access to the data by the US is possible. And in the meantime we try to make some solutions that we honestly know are really a solution for EX. And to give you a bit of feeling like how it's being approached right now with the new framework, for example.

[00:22:50] Access to the data, or just to start with, privacy is important for the EU. We have the GDPR, which is pretty strict, and I think a really good example for a lot of countries. But the US also has privacy law, but it values privacy for the US citizens and not for the non-US citizens. So privacy is important, but if you're not from the US you're not as important.

[00:23:11] That the US wants the US suppliers to be able to deliver their services to the EU because that's a good thing for commercial purposes. So what they did, for example, is first they had words like they would get access to the data as tailored as feasible. So they would have to think about what they want or where they're going to search, and now they're using words in a framework.

[00:23:38] Proportionate and necessary, which are words we know from our legal text because we use, we say, for example, you can only use the data that's necessary, which means you really need to use the data, and if you can work without it, you shouldn't use it. But the words proportionate and necessary don't have the same legal meaning in the framework as they do for us.

[00:24:00] So it seems like a solution, but in reality it doesn’t mean anything different from a standard feasible. I think duct tape is a pretty good reference to it. So we try to make it look from the outside as if we have a solution, but since it doesn't have the same legal meaning as it does for us, it isn't a solution.

[00:24:20] Rick Dronkers: How much do you think of this is like protectionism from a European point of view? Because if I take this to its extremes, right? The executive order also gets invalidated and everybody will learn from this, and instead of repeating the mistakes they will all migrate to European software for all their things.

[00:24:44] Even though in the short term, that will be a big downfall because of your competitive advantage, the gap between what Amazon, Google, and Microsoft are offering in the cloud services compared to any European cloud is really wide. So you're gonna take a hit, but you have no other solution. Then eventually you could see a future where that benefits the European economy. Do you think that's part of what's going on?

[00:25:12] Lisette Meij: I don't think so, because I feel like if that would've been the case, why try for a third time? Why not say, okay, well just change your law. We're not going to accept the fact that you can have access to the data. US citizens don't have your digital redress. You don't have the same rights as you need to have from EU perspective as an EU citizen.

[00:25:37] So we're not going to do this where you can just fix it. Or in the meantime, we're going to fix it yourself in another way. That could have been an option. Honestly, I think they do feel the need, to the opposite, do feel the need to keep the connection with the US and get a solution some way as to EU with the US, but they just have to deal with the Court of Justice, which isn't able to say, well, indeed it complies with the law, because it just doesn't. So the Court of Justice can't keep their eyes closed and just say it's okay. But at the same time, I do feel like, for example, from a Dutch perspective, we had, it's a little bit of a sidestep, but the Chief Supervisory Authority, the Data Protection Authority, we have a new cloud policy for using public cloud providers, so outside of the EU, for government to use.

[00:26:29] And at first we stated that the government wasn't allowed to use public cloud providers because of all the risks that were there and safety of the data that we're going to use. Now we have a new cloud policy, which states that we can use public cloud services, for example, the US cloud services.

[00:26:48] And now we have our Dutch data protection authority that says, whoa, hold on. Maybe think about the risks that are there before you do it as a government, because we're talking about data from the Dutch citizens. And make sure what kind of risks are there and if you can take the measurements to mitigate those risks. And they also stated, and how about looking more at the European suppliers before saying you can use every public cloud supplier that's there, but maybe look at the European suppliers, because then we have less risks while doing that, because we know there's an issue, for example, with the US suppliers.

[00:27:26] So I feel like maybe from EU level, probably I feel like we need the US for several reasons, and not only from a privacy perspective, but probably from other perspectives. And I do feel like some countries do feel the need to keep the data safe and have a more EU-based and invest more in EU suppliers to fix the issue we have right now.

[00:27:55] Rick Dronkers: I'm obviously biased, not working in government and working in the commercial space, but I have a couple of clients who operate worldwide. And I've also some clients that are based out of the US, and then obviously some clients based out of the EU that only market to the EU. And I can clearly see the impact this is having for EU companies, and then especially on the marketing advertising side, on the accuracy of data. The ability to save cost on advertising spend by being able to exclude people that have already visited your website, stuff like that.

[00:28:32] So like there's, the impact is becoming more significant. If everybody had the same impact, I feel like it would be a level playing field, but for government, I would say it's probably smart if the Dutch government, if they decide not to put all their communication on Microsoft or Google, on that suite, simply because of the fact we don't know how the future looks.

[00:28:57] Maybe we get into a conflict with the US, we get spied on. So I could see that there's an obvious thing. But from a commercial point of view, we have the internet, we sell to everybody worldwide. And now we're gonna create these walled gardens of what is allowed here, what is not allowed there. I could see companies moving their jurisdiction to where more is allowed.

[00:29:22] Lisette Meij: Yeah, I get that. I do feel it's important to say that not being a government organization doesn't mean that the impact can be high when something happens with the data. A lot of companies have a lot of data that say a lot about a person. You don't have to be a government organization for that.

[00:29:41] Think about more commercial apps like dating apps, or maybe more in healthcare apps. The impact can be really high. At the same time, I want to say I feel like the risk is sometimes made bigger than it actually is, because it's not being said that all the data is being spied on when you use US suppliers.

[00:30:00] And at the same time, I think that other countries also use several techniques to spy on data for whatever reason they have for any case they're working on or whatever. But okay, that's a side step, but I agree. I feel, and it's not my feeling. I think that's just a thing. As an organization, you're responsible for the data.

[00:30:24] You're processing, so you're responsible for picking your suppliers. You want to have a US supplier, not because it's based in the US, but because you have a lot more options for probably less money. And you can stay at top and above your competitors because you have all the suppliers in place and you can use the services you need to make sure you're on top. If you're not able to do that, that's probably a big loss for your company, and that's what annoys me the most about this situation, because as an organization, you're responsible for the data. You're responsible for making sure your supplier is doing the right thing and complying with the GDPR. You're dependent on your supplier, but there's no legal solution to make sure to use a US supplier. So that's an issue. But at the same time, if you say, okay, for example, at this moment my company is based in the Netherlands and all this big discussion about if you can use the US suppliers or not.

[00:31:21] I can't work with this. I need to use the US suppliers to do so. What? I'm going to move. I'm going to have my company based in the US. You have to keep in mind that if you process data from citizens in the EU, you still have to comply with the GDPR. So actually it's not a legal solution to just say, I'm going to move my company.

[00:31:41] Because if you're still going to process the same data, you still have to comply with the GDPR. So that's not really a solution to do that. I understand that companies do that because they feel like they can use more and maybe it takes more time for someone to issue a complaint, to say well, you're processing my data.

[00:32:00] You're based in the US but you have to comply with the GDPR and you're not doing that for whatever reason. I do get that these kinds of decisions are being made. The government should give the right example if you ask me, and commercial organizations are getting a big hit if we say you can't use the US suppliers anymore, but I end up saying the same thing because there isn't really a solution. So I also understand the hard time companies are having right now, because they are being held responsible for it. But from a legal perspective, you're not given any solution for it. So how can you be responsible for it if you don't have a legal solution to do this?

[00:32:41] Rick Dronkers: A little bit in limbo, so to say. [Laughs] Yeah, maybe. Maybe move the company to Panama. Or something.

[00:32:44] Lisette Meij: Like that, and just only process data from the people that live in Panama. Probably that's not a…

[00:32:52] Rick Dronkers: Yeah.

[00:32:52] Lisette Meij: I'm not sure if it works for every company, but we will help. Yeah.

[00:32:57] Rick Dronkers: I'm in conversations with my clients and a lot of them are looking at migrating from Google Analytics 3, Universal Analytics, to Google Analytics 4, because if they want to continue to use Google Analytics they have to before summer next year.

[00:33:12] The timing is a bit unfortunate for Google in that respect, because the whole privacy thing and the migration come at the same time. So a lot of people are evaluating their options, and I think that's a good thing for several reasons, privacy being one of them. But the conversations I'm in right now: one thing you could do is you could migrate and you could fight it, right? You could migrate to Google Analytics 4 and implement it in a way that you feel is as privacy preserving as possible.

[00:33:42] And then hope that Max Schrems loses against the executive order in the future. Or just accept that you can use it for a couple of years. Cause I would argue, if Max Schrems files a complaint, then it also won't be tomorrow. Right?

[00:33:57] Lisette Meij: Yeah.

[00:33:58] Rick Dronkers: An order will be in place for, I don't know, what's your guesstimate, two years?

[00:34:02] Lisette Meij: I'm guessing that the new framework will be there probably next year, somewhere next year. Then he has to fight it. The Court of Justice has to say something about it. So it'll take at least maybe two to three years to say something about it. Yeah.

[00:34:17] Rick Dronkers: So let's go with three years. So you could migrate, you could assume that this executive order is approved and it's valid for, let's say, three years. So that's an investment you make. You have three years of analytics data to run your business with. But if you read the materials, if you listen to podcasts like these, then you're probably aware, like this is a never ending game, and it's unlikely to stop. So you're always gonna be in this limbo state. Then the other options are European based solutions that have the stamp of approval from, I think the French DPA did.

[00:34:50] Lisette Meij: Yeah. Yeah, they did. Yeah.

[00:34:52] Rick Dronkers: On giving their approval like Piwik Pro and Matomo and all these.

[00:34:57] Lisette Meij: Yeah. All the privacy proof solutions you could use. Yeah. And also, I think they stated even what kind of settings you have to use to make sure it's privacy proof. So yeah.

[00:35:05] Rick Dronkers: Exactly. So they made a solution list for you. I think what you will lose as a company is the integration of your analytics tool and your advertising suite. Most of that, yeah, for obvious reasons, because once you do that, then it's no longer a statistical analytics tool. It becomes more of an advertising tool and different rules apply. But at least you will have a tool where you can be fairly certain, like I would argue that because the French DPA gave their seal of approval, you're on the safe side of things. But I feel a lot of the clients that I talk to have a feeling like that's a little bit downgrading. And so they're also looking at the other solution. And the other solution, in my opinion, is going the first party route where you take it in house. So this used to be something that enterprises did, right? They would build their own analytics solutions. They had enough people to do that. And because of a lot of open source frameworks, it has become easier and easier to do it with less and less people. And I feel like we're at this point where it's feasible if you have like a three person team, right? If you have a data engineer, an analytics engineer and somebody architecting it. You could run your own first party analytics suite using something like Snowplow, but then the

[00:36:24] next issue that's around the corner is the cloud environment, because most of these don't run on on-premise servers. They run on Google Cloud, Amazon Cloud or Azure Cloud. And a lot of companies' business intelligence tech, so I'm talking about the marketing and analytics side of things, but a lot of their business intelligence and their other data sources are already on one of these three US based clouds. What are your thoughts on this solution, like migrating to a fully owned first party solution, even though it runs on Google Cloud? You have the keys to encrypt it and decrypt it, but yeah, it's still a US based cloud. Is it a fake solution in the sense that the mother company is still in the US, or is it an improvement compared to using something like Google Analytics?

[00:37:15] Lisette Meij: Well, I think what's also important to keep in mind from a legal side is that whether a solution is legally allowed to use or not does depend on, for example, how it's set up. So that's why I said the French DPA indeed said you could use some suppliers and also the settings you have to use.

[00:37:34] And that also goes for example solutions that you can use. For example, the cloud solutions or all the solutions you can use from the US. It's not being said that every use of a US supplier is illegal. Cause for example, if you anonymize the data or take other measures to make sure that access is being restricted in some way.

[00:37:56] For example, you encrypt the data, only you have the key. These are kinds of measures that make sure that safeguards are taken and are in place to make sure that the privacy of the data subjects is being protected. So if you move to Google Analytics 4 you also see some solutions that say, well, okay, but the IP address is being used to make sure they know what location it is, and then it's being removed again, but before it's being removed, access might be possible for the US.

[00:38:27] So that's an issue. Pretty sure they're going to say something about this. So you could go to Google Analytics 4, invest in it, make sure your company runs on it for a few years, and just wait for the judgment that says you can't use it anymore. Also, small sidestep, important to mention: it's not a guarantee until, for example, the Transatlantic Data Privacy Framework is invalidated, and I'm moving ahead pretty fast because I'm already talking about it being invalidated while it's not even really there. But if that happens, that's not the only way to say you're not complying with the GDPR, because if you look at Google Analytics, the Privacy Shield was already invalidated. We had the standard contractual clauses, and Max Schrems, he's part of None Of Your Business (NOYB).

[00:39:17] He filed, I think, 100, more than 100 complaints at different DPAs in the EU to say that companies were using Google Analytics and they were not complying with the GDPR and also not with the standard contractual clauses, because the US can't take the same safeguards as we do in the EU. So we didn't have a Privacy Shield anymore.

[00:39:37] We had the standard contractual clauses, which were still legal, but they were still saying the use of Google Analytics is not complying with the GDPR because data could possibly be accessed by the US, because data's being stored in the US. So it's not a fact that you have to wait until something's being evaluated, because the DPAs can state after a complaint or after their own research that certain tools you're using are compliant with the GDPR.

[00:40:07] So for example, if we have the new framework and you're using Google Analytics 4, if there are a lot of complaints about it because we feel like it's not complying with, and I say we, and then I mean the legal part of the world or the maxims or whatever, or the data subjects feel like it's not complying with the GDPR, there's a possibility that the local DPAs of the different countries will say, okay, we say that Google Analytics isn't compliant with the GDPR. If you still use Google Analytics then we can fine you for that. So it's not a guarantee that we can use it for three years until something is invalidated.

[00:40:43] In the meantime, something can happen as well. Okay, back to your question. I feel like if you make sure you do it as a first party, you also see the solutions for Google Analytics, the server side tracking, for example. Well, you could say that if you run it yourself, but you do host it in a US cloud, for example Amazon. If you, for example, can encrypt it in such a way that only you have access to it and you have the key, then you could say that if the US government gets access, so if they go to Google and they say, I want to have access to the data, they won't be able to use the data. I also have to state that encryption isn't anonymizing the data, because we feel like if you use the key, it can be decrypted again.

[00:41:31] So you could relate it to a data subject if you have the key. So it's not, we only call data anonymous if it's not ever able to be de-anonymized again. So encryption is more of a safety measure you can take. But these are kinds of measures you can take to make sure you can work that way. Because it's being said, it's not a fact that you can't ever use any supplier in the US; you just have to make sure the same safeguards are being taken as we have in the EU. So if you do that and you have different measurements or measures you take and you make sure the risks are mitigated or maybe removed completely, yeah.

[00:42:13] Then that's a solution to do. But I do think, to be honest, that probably isn't a solution for every company, because you say you need three people. If you're a small company, you're not going to hire three people to make sure the analytics work well. You're also not going to hire a lawyer, so, yeah.

[00:42:31] Rick Dronkers: A hundred percent. I've said this before on the podcast, but Google Analytics being free got a lot of people using it and it got a lot of people accustomed to data, but free doesn't exist. We've been learning that since the internet grew up. So we're now coming to the point where there's a threshold you have to go over if you wanna use data: you have to use it properly, so you also have to invest in it. And that might mean having those three people to do it first party. Or it might mean that you have to go with a European solution that you pay for, that has a better solution that's privacy safe. But the free period is over, so to say.

[00:43:11] Lisette Meij: I think that's a pretty important point you're mentioning, because that's something, I'm looking at it from a different side. I look at it from a legal perspective. You're looking at it from a marketing perspective, and if I tell clients, for example, just don't use Google Analytics. It's obvious and clear that it's being said by several DPAs that it doesn't comply with the GDPR, and you can have a serious issue if you're still using it while knowing this, because we all heard this and we can't say, okay, well, I'm just going to wait.

[00:43:42] For the DPA to send me a letter, and will just hope that I can say, well, I'm so sorry, I'm just going to change it right now. Okay, no, you already knew this was coming. But what I hear as a reaction a lot is that, for example, I say, okay, take a look at European alternatives, because there are European alternatives that work well. But that's the issue. You have to pay for it. And Google Analytics was free. So a lot of companies say, well, how expensive is that? Because when something is free and you have to pay, even if it's just 50 euro a month, we feel like that's a lot more. And also the lock-in Google created while using Google Analytics with all the kinds of services. It's also really important because that makes it harder for companies to move away. And probably, and again, I think that's a question you can answer, you also have to invest more, because it's not only using a new tool, but also the steps you have to take to get to use the new tools.

[00:44:42] So it's not only turning off Google Analytics and turning on, for example, a European alternative, but also the way of getting there and implementing it. And probably that also costs a certain amount of money.

[00:44:55] Rick Dronkers: No, a hundred percent. Google did a great job of getting everybody hooked on their system. [Laughs] It will make it really interesting in the next couple of years, because I do think it's a good thing for companies to force them to think about this, right? Because as long as something is free, you're not forcing that decision. From a business point of view, if you have a free alternative, then if it's really cheap to implement and it's free to run, then you're almost dumb if you don't do it, right, if there's no downsides to it, because from a business perspective, it would be negligent to not do it, because that data might be valuable to you in the future, even if you don't use it.

[00:45:36] And now we're being forced to, hey, there's a cost to collecting data. And that cost is, like you said, if you don't do it properly, it could be bad PR, could be fines that you could eventually get. So you have to actually think about, okay, what use case do I want this data for? And then the whole privacy by design thing starts, because you can actually think before you start, okay, what do we want to use it for? And then figure out a way how to do it in a privacy compliant manner. Realize that there's a cost to it and you have to figure out if it's worth it, if

[00:46:07] Lisette Meij: Yeah.

[00:46:08] Rick Dronkers: On investment, and that's a healthy business practice, I think.

[00:46:11] Lisette Meij: Yeah. And also I feel like we were all using Google Analytics and the basic reaction is, well, I'm not stopping with using Google Analytics because other tools don't give me the capability of doing what I'm doing right now. But also it gives you a moment to step back for just a while when you think, okay, what am I using Google Analytics for?

[00:46:34] And what kind of opportunities does it give me? And what do I want? What do I want another tool to do? And that gives you the capability to decide what tool fits best for me, because a lot of companies are using Google Analytics and, even if they don't have a marketing department, don't even really know what it does exactly for them.

[00:46:56] And I also feel like if you're going for Google Analytics 4, you will also have some costs to implement it, because it works differently from what we're doing right now. So that's also a good moment to think, okay, am I going to invest in Google Analytics 4 with the risk that, during the next couple of years, something might happen?

[00:47:15] Also, I feel like if you go back to the first subject we talked about, how about going for a European supplier and saying, okay, we value your privacy. So we decided to stop with Google Analytics and to go for a European supplier. That's also a possibility if they can offer you the same as, for example, Google did.

[00:47:36] Maybe look at it from a different perspective a bit and see how it can benefit your organization when you transfer to another tool or to another supplier. And also another last statement I want to make. It's also pretty hard for all the US suppliers, because they do try to change every time we have a new framework and to give you the new contracts, for example the standard contractual clauses.

[00:48:01] But at the same time, I'm not saying that all the US suppliers are great and they value your privacy, because that wouldn't be realistic, but they're in a hard position as well, because the EU just says you have to comply with the GDPR. They at the same time have the US law they have to comply with, so they're a bit in a struggle as well. They can't do it right, even if they want to. So you should give them maybe just a little bit of credit for that as well.

[00:48:29] Rick Dronkers: Yeah, yeah, for sure. It's one of the difficulties when we have this beautiful global internet and then we have our national local laws. It doesn't really match. We'll get there eventually.

[00:48:42] Lisette Meij: I'm sure we have to. We have to. Yeah.

[00:48:45] Rick Dronkers: Thank you so much for sharing your knowledge with us. If people wanna reach out to you or learn more, where can they go? Where can they follow you online?

[00:48:53] Lisette Meij: They can always add me on LinkedIn. It's just my name, Lisette Meij. They can reach out anytime if they want to, or there's the website, which is privacyverified.nl. If they need help to be compliant or have any Google Analytics questions or about the EU suppliers, I'm happy to help.

[00:49:12] Rick Dronkers: Cool. Thank you so much.

[00:49:14] Lisette Meij: Thank you.

[00:49:15] [MUSIC SOUND EFFECT BEGINS AND FADES]