11 Nov 2020

Snap acquired Voca.ai, which makes AI-based voice agents for call centers, for $120M

Snapchat is the quintessential consumer app: with an array of fun filters, it encourages people to send fun, disappearing messages to friends and has a large base of younger users. But could parent company Snap be eyeing up ways of leveraging its traction in the consumer world — with the app now seeing 249 million daily active users — with an entry into more services for business?

TechCrunch has learned and confirmed that Snap is acquiring a startup called Voca.ai, which builds AI-based voice assistants for customer support services, for $120 million: $70 million in cash plus $50 million in stock.

“7 out of 10 customers still prefer speaking with an agent,” Voca notes on its site. “Voca offers natural, human-like conversations that will leave you wondering if you spoke with a virtual or human agent.” The platform serves as a kind of triage system, which handles simple inbound queries, and then hands over to agents seamlessly for more complex issues.

A spokesperson for Snap declined to comment for this article, and messages sent to Voca’s founders — Einav Itamar and Alan Bekker — have not been returned. But we have confirmed the price and deal with multiple sources close to the transaction.

Israeli publication Calcalist first reported on the transaction (but didn’t get the price right).

Voca.ai’s team of 40 will all be joining Snap, we have been told.

Voca.ai, founded in Israel with offices also in New York, had raised about $6 million, including a strategic round from American Express Ventures in October 2019. Other investors include lool ventures and Flint Capital.

It’s notable that the startup already has a substantial list of customers and says that it powers “millions of conversations.” Specifically in October last year, it noted that it was processing some 2 million calls/conversations per month in verticals that include banking, telecoms, insurance and legal services. Customers include Toshiba, Amdocs, FirstClass Capital, and Boost Health Insurance, among others.

It’s not clear what Snap intends to do with Voca.ai, but the deal comes at a very interesting moment. All virtual services have seen a big boost of activity this year, with the pandemic — and the general public health push to reduce in-person contacts — driving more people to handle business online than ever before.

And that is driving companies building consumer-facing tech apps to diversify and market their platforms as a unique way to interface between businesses and customers. One key example of that has been Facebook, which has added more tools to Messenger, WhatsApp and Instagram to make the apps more useful to businesses that want not just to market themselves to customers, but to use the apps to handle questions from them, and potentially sell things to them.

Although Snap may be interested in Voca.ai simply as a way to build better interactions with its own customers — it registered a 52% growth in revenues this past quarter (Q3), and $679 million in business is nothing to sniff at — it’s a natural and logical move for it to consider how it could build more business services into Snapchat, and diversify its own revenues along with that. 

In its home page for its business services, the company notes that “People use Snapchat to communicate with friends, build relationships, play and learn. Inspire action with full-screen, digital ads that boost awareness, drive conversions, and generate real results for businesses of all sizes.” It’s not a stretch to think that those business imperatives could also extend to “drive conversations.”

It’s worth also pointing out that Voca.ai’s platform is particularly relevant in the current market. At the start of the Covid-19 pandemic, businesses got quickly overwhelmed with inbound customer requests — many coming online but through all channels — and they have subsequently been looking for cost-effective ways to handle those much higher, unexpected volumes of inbound calls and questions. Voca.ai is part of the wave of startups that are looking to provide that solution, by way of AI-based voice bots to complement existing customer service teams.

Snap has made a number of interesting deals to pick up IP in the area of artificial intelligence, but much of that has been in the area of computer vision, for example to create photo and video filters and other augmented reality applications. They have included the likes of Looksery, AI Factory and Cimagine, which happens to be another startup out of Israel.

11 Nov 2020

Former Dropbox CFO Ajay Vashee is joining the powerhouse venture firm IVP in January

Ajay Vashee — who spent the last eight years at Dropbox, rising from the head of finance to CFO over his tenure and helping to take the company public in 2018 — is joining the powerhouse venture firm IVP in January.

It’s the realization of plans established long ago by Vashee, who fell in love with venture years ago and has always known he wanted to return to it, though he wasn’t sure when or where that might happen. Indeed, he says that when he announced that he was leaving Dropbox in early August to join the world of venture capital, he didn’t know where he would land. He instead “wanted my intentions out there.”

It was an effective tactic, from the sounds of things. Vashee hints that he talked with numerous firms, deciding that later-stage IVP was the best fit for a variety of reasons, including experience he’d gained at Dropbox, helping to navigate the company through multiple stages of growth, including both as a private and then a public company.

Vashee also had experience working with IVP, which led Dropbox’s Series B round, and he says he saw firsthand the value the firm brings to a deal. “They helped us build our board, they were a sounding board for so many strategic decisions and always hustled for us.”

As an added bonus, he isn’t starting until January, giving him a little extra time to spend with his extended family in the Bay Area and, most importantly, with his young daughters, ages 4 and 1.

Vashee, who attended Columbia and headed to Morgan Stanley as an analyst right out of college, first fell in love with venture during his second job, as a senior associate with NEA, where he spent four years. “I absolutely loved investing and wasn’t planning to leave to join a company, but the opportunity to join Dropbox came up, and, knowing that I ultimately wanted to build a career as an investor, it felt like something I couldn’t pass up.”

Though a generalist at NEA, Vashee says he will be focused on enterprise software — including companies focused on collaboration and finance automation — at IVP.

Vashee has already made some personal bets in the area, including investing in startups Metronome, Mosaic, and Layer.

He suggests that he’ll also be spending a lot more time thinking about the going-public process, now that many choices are on the table in addition to traditional IPOs. Interestingly, he says that if he were taking Dropbox public today, an option like a direct listing is something he’d want to evaluate.

Unsurprisingly, he says a handful of IVP partners serve on the boards of companies that are right now evaluating tie-ups with special purpose acquisition companies or SPACs, too.

In either case, he stresses that companies eyeing the public market need to be prepared, noting that the “operational readiness and rigor” that was instilled at Dropbox has proved “invaluable” to the company. Adds Vashee, “I don’t think the IPO process is broken, but has room for improvement.”

IVP announced its last fund — its biggest to date — in September 2017, closing at the time on $1.5 billion in capital. Given that three years have elapsed and that fund sizes have only continued to balloon, and that new partners are usually brought in just before a new fund closes, the firm appears poised to announce an even bigger vehicle any day now.

One of the firm’s highest-profile investors, Todd Chaffee, has already said that he won’t be actively investing that new fund, following a 20-year run.

11 Nov 2020

To own an AR future, Niantic wants to build a smarter map of the world

Niantic is continuing to bet heavily on the idea that it knows where consumer computing is headed, namely augmented reality. The game development startup behind Pokémon Go has some good company with companies like Apple, Facebook and Snap making similar bets, but stakes are high for the studio which hopes it can build an early advantage in foundational AR infrastructure and bring third-party developers on board, edging out efforts from companies that are quite a bit larger.

Niantic’s experiments are still being bankrolled by their 2016 first-party hit Pokémon Go, which SensorTower estimates is having its best year ever in 2020. A report from the firm suggests that the title has pulled in more than $1 billion in revenue since the start of the year, a marked increase since 2019 that might be surprising given the social effects of a global pandemic. Those revenues have allowed Niantic to be one of the more active acquirers in the AR infrastructure space, buying up small buzzy AR startups like Escher Reality, Matrix Mill and, most recently, 6D.ai.

That latest purchase in particular has acted as a signal for what the company’s next plans are for its augmented reality platform. 6D.ai was building cloud AR mapping software with companies like Airbnb among its early customers. The tech allowed users to quickly gather 3D information of a space just by holding up their phone to the world. Since the acquisition, Niantic has been integrating the tech into its developer platform and has been aiming to juice the technology with its own advances in semantic understanding so that it can not only quickly gather what the geometry of a space looks like, but also peer into the context of what the objects are that make up that 3D mesh.

“We ultimately have this vision that for an AR experience, everything has to come together for it to be really magical,” Joel Hesch, Niantic’s Senior Director of Engineering, told TechCrunch. “You want precise location information so that you can see content in the right location and experience things together with others who are in the same location. You want the geometric information for things like occlusion or physics interactions. And you want to know about what things mean from a semantic perspective so that your characters can interact with the world in an intelligible way.”

While they’ve been building out the tech, they’ve also been pushing users to try it out. Niantic has been urging Pokémon Go players to actively capture videos of certain landmarks and destinations, visual data from which is fed back into bulking up models and improving experiences for subsequent users. As users gain access to more advanced tech like the LiDAR sensor inside the new iPhone 12 Pro, it’s likely that Niantic will gain access to more quality data themselves.

The ultimate goal of this data collection, the startup says, is to build an ever-updating 3D map of the world. Their latest tech allows them to peer into this map and distinguish what types of objects and scenes are in these scans, distinguishing buildings from water from the sky. The real question is how useful all of this data will actually prove to be in practice, compared to more high-level geographic insights like the Google Maps API.

Though the company has been talking about their Real World Platform since 2018, they’ve been slow to officially expand it as the enthusiasm behind phone-based AR has seemed to recede since Apple’s initial unveil of ARKit in 2017 prompted a groundswell of attention in the space. “We’ve primarily been focused on first party games and applications, but we are very excited about extending the platform to be something that more people can use,” Hesch says.

For Niantic and other companies that are bullish on an AR future, their best bet seems to be quietly building and hoping that their R&D will give them a years-long advantage when the technology potentially starts landing more consumer hits.

11 Nov 2020

Dear Sophie: What does Biden’s win mean for tech immigration?

Here’s another edition of “Dear Sophie,” the advice column that answers immigration-related questions about working at technology companies.

“Your questions are vital to the spread of knowledge that allows people all over the world to rise above borders and pursue their dreams,” says Sophie Alcorn, a Silicon Valley immigration attorney. “Whether you’re in people ops, a founder or seeking a job in Silicon Valley, I would love to answer your questions in my next column.”

Extra Crunch members receive access to weekly “Dear Sophie” columns; use promo code ALCORN to purchase a one- or two-year subscription for 50% off.


Dear Sophie:

What does President-elect Biden’s victory mean for U.S. immigration and immigration reform?

I’m in tech in SF and have a lot of friends who are immigrant founders, along with many international teammates at my tech company. What can we look forward to?

—Anticipation in Albany

Dear Anticipation,

Glimpsing into my crystal ball, I see opportunity ahead. President-elect Biden and Vice President-elect Harris have long stood committed to important immigration changes that will directly affect the Silicon Valley tech ecosystem.

Dream with ambition, lead with conviction, and see yourself in a way that others might not see you, simply because they’ve never seen it before.

— Kamala Harris

We’re appreciative of what’s to come. As my firm’s mission is to transcend borders, expand opportunity and connect the world by practicing compassionate, visionary and expert immigration law in service of the betterment of humanity, we’re looking forward to a deluge of immigration changes that will support our clients as well as innovation and entrepreneurship in Silicon Valley and beyond. Please join me tomorrow for a free webinar as we take a look at what’s ahead for U.S. immigration in 2020, what these important developments mean for Silicon Valley, for startup founder immigration, and for recruiting, hiring and retaining top talent.

I’m confident we’ll see meaningful changes in immigration for startups, founders, investors, researchers, highly skilled professionals, students, Dreamers and families under the Biden administration. Check out my Immigration Law for Tech Startups podcast for my take on some of the highlights. Of top priority, Biden and Harris plan to unravel recent executive orders and regulations, modernize our immigration system, and perhaps most importantly, welcome immigrants.

President-elect Biden’s six-point plan for building a fair and humane immigration system includes promises to:

  • Rescind Trump immigration policies, regulations and executive orders.
  • Modernize the immigration system.

11 Nov 2020

Come June 1, 2021, all of your new photos will count against your free Google storage

Come June 1, 2021, Google will change its storage policies for free accounts — and not for the better. Basically, if you’re on a free account and a semi-regular Google Photos user, get ready to pay up next year and subscribe to Google One.

Currently, every free Google Account comes with 15 GB of online storage for all your Gmail, Drive and Photos needs. Email and the files you store in Drive already counted against those 15 GB, but come June 1, all Docs, Sheets, Slides, Drawings, Forms or Jamboard files will count against the free storage as well. Those tend to be small files, but what’s maybe most important here, virtually all of your Photos uploads will now count against those 15 GB as well.

That’s a big deal because today, Google Photos lets you store unlimited images (and unlimited video, if it’s in HD) for free as long as they are under 16MP in resolution or you opt to have Google degrade the quality. Come June of 2021, any new photo or video uploaded in high quality, which currently wouldn’t count against your allocation, will count against those free 15 GB.

As people take more photos every year, that free allotment won’t last very long. Google argues that 80 percent of its users will have at least three years to reach those 15 GB. Given that you’re reading TechCrunch, though, chances are you’re in those 20 percent that will run out of space much faster (or you’re already on a Google One plan).

Some good news: to make this transition a bit easier, photos and videos uploaded in high quality before June 1, 2021 will not count toward the 15 GB of free storage. As usual, original quality images will continue to count against it, though. And if you own a Pixel device, even after June 1, you can still upload an unlimited number of high-quality images from those.

To let you see how long your current storage will last, Google will now show you personalized estimates, too, and come next June, the company will release a new free tool for Photos that lets you more easily manage your storage. It’ll also show you dark and blurry photos you may want to delete — but then, for a long time Google’s promise was you didn’t have to worry about storage (remember Google’s old Gmail motto? ‘Archive, don’t delete!’)

In addition to these storage updates, there are a few additional changes worth knowing about. If your account is inactive in Gmail, Drive or Photos for more than two years, Google ‘may’ delete the content in that product. So if you use Gmail but don’t use Photos for two years because you use another service, Google may delete any old photos you had stored there. And if you stay over your storage limit for two years, Google “may delete your content across Gmail, Drive and Photos.”

Cutting back a free and (in some cases) unlimited service is never a great move. Google argues that it needs to make these changes to “continue to provide everyone with a great storage experience and to keep pace with the growing demand.”

People now upload more than 4.3 million GB to Gmail, Drive and Photos every day. That’s not cheap, I’m sure, but Google also controls every aspect of this and must have had some internal projections of how this would evolve when it first set those policies.

To some degree, though, this was maybe to be expected. This isn’t the freewheeling Google of 2010 anymore, after all. We’ve already seen some indications that Google may reserve some advanced features for Google One subscribers in Photos, for example. This new move will obviously push more people to pay for Google One and more money from Google One means a little bit less dependence on advertising for the company.

11 Nov 2020

Facebook extends its temporary ban on political ads for another month

The election is settled, but the nation is far from it.

Before Election Day in the U.S., Facebook hit pause on all political and social issue ads. At the time, the company made it clear that the precautionary measure designed to turn off one potential faucet of misinformation would be temporary, but it couldn’t say how long the policy would remain in effect.

Now, Facebook says the temporary ban will continue for at least another month. The decision to extend the special policy was implemented Wednesday, four days after Joe Biden’s election victory — and four days after it became clear that Trump had no intention of conceding a lost election.

“The temporary pause for ads about politics and social issues in the US continues to be in place as part of our ongoing efforts to protect the election,” the company wrote in an update to its previous announcement. “Advertisers can expect this to last another month, though there may be an opportunity to resume these ads sooner.”

Facebook’s ongoing political ad pause throws a wrench into things in Georgia, where two January runoff elections will decide which party will control the Senate heading into President-Elect Biden’s administration. A friendly Senate is essential for many of Biden’s biggest proposals, including a $2 trillion climate package that could reshape the American economy and push the country toward an electrified future that doesn’t rely on fossil fuels.

Over the last few days, a shocking number of Republicans have “humored” the president’s refusal to transfer power in spite of an unambiguous election call and Biden’s decisive win in Pennsylvania, which cut off any potential paths to victory for his opponent. The Trump campaign’s last-ditch flurry of legal challenges have presented little of substance so far, and they might ultimately be more about dividing a nation and sowing doubt than prevailing in court.

11 Nov 2020

Europe puts out advice on fixing international data transfers that’s cold comfort for Facebook

Following the landmark CJEU ‘Schrems II’ ruling in July, which invalidated the four-year-old EU-US Privacy Shield, European data protection regulators have today published 38 pages of guidance for businesses stuck trying to navigate the uncertainty around how to (legally) transfer personal data out of the European Union.

The European Data Protection Board’s (EDPB) recommendations focus on measures data controllers might be able to put in place to supplement the use of another transfer mechanism, so-called Standard Contractual Clauses (SCCs), to ensure they are complying with the bloc’s General Data Protection Regulation (GDPR).

Unlike Privacy Shield, SCCs were not struck down by the court but their use remains clouded with legal uncertainty. The court made it clear SCCs can only be relied upon for international transfers if the safety of EU citizens’ data can be guaranteed. It also said EU regulators have a duty to intervene when they suspect data is flowing to a location where it will not be safe — meaning options for data transfers out of the EU have both reduced in number and increased in complexity.

One company that’s said it’s waiting for the EDPB guidance is Facebook. It’s already faced a preliminary order to stop transferring EU users’ data to the US. It petitioned the Irish courts to obtain a stay as it seeks a judicial review of its data protection regulator’s process. It has also brought out its lobbying big guns — former UK deputy PM and ex-MEP Nick Clegg — to try to pressure EU lawmakers over the issue.

Most likely the tech giant is hoping for a ‘Privacy Shield 2.0’ to be cobbled together and slapped into place to paper over the gap between EU fundamental rights and US surveillance law.

But the Commission has warned there won’t be a quick fix this time.

Changes to US surveillance law are slated as necessary — which means zero chance of anything happening before the Biden administration takes the reins next year. So the legal uncertainty around EU-US transfers is set to stretch well into next year at a minimum. (Politico suggests a new data deal isn’t likely in the first half of 2021.)

In the meanwhile, legal challenges to ongoing EU-US transfers are stacking up — at the same time as EU regulators know they have a legal duty to intervene when data is at risk.

“Standard contractual clauses and other transfer tools mentioned under Article 46 GDPR do not operate in a vacuum,” the EDPB warns in an executive summary. “The Court states that controllers or processors, acting as exporters, are responsible for verifying, on a case-by-case basis and, where appropriate, in collaboration with the importer in the third country, if the law or practice of the third country impinges on the effectiveness of the appropriate safeguards contained in the Article 46 GDPR transfer tools.

“In those cases, the Court still leaves open the possibility for exporters to implement supplementary measures that fill these gaps in the protection and bring it up to the level required by EU law. The Court does not specify which measures these could be. However, the Court underlines that exporters will need to identify them on a case-by-case basis. This is in line with the principle of accountability of Article 5.2 GDPR, which requires controllers to be responsible for, and be able to demonstrate compliance with the GDPR principles relating to processing of personal data.”

The EDPB’s recommendations set out a series of steps for data exporters to take as they go through the complex task of determining whether their particular transfer can play nice with EU data protection law.

Six steps but no one-size-fits-all fix

The basic overview of the process it’s advising is: Step 1) map all intended international transfers; step 2) verify the transfer tools you want to use; step 3) assess whether there’s anything in the law/practice of the destination third country which “may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer”, as it puts it; step 4) identify and adopt supplementary measure/s to bring the level of protection up to ‘essential equivalent’ with EU law; step 5) take any formal procedural steps required to adopt the supplementary measure/s; step 6) periodically re-evaluate the level of data protection and monitor any relevant developments.

In short, this is going to involve both a lot of work — and ongoing work. tl;dr: Your duty to watch over the safety of European users’ data is never done.

Moreover, the EDPB makes it clear that there very well may not be any supplementary measures to cover a particular transfer in legal glory.

“You may ultimately find that no supplementary measure can ensure an essentially equivalent level of protection for your specific transfer,” it warns. “In those cases where no supplementary measure is suitable, you must avoid, suspend or terminate the transfer to avoid compromising the level of protection of the personal data. You should also conduct this assessment of supplementary measures with due diligence and document it.”

In instances where supplementary measures could suffice the EDPB says they may have “a contractual, technical or organisational nature” — or, indeed, a combination of some or all of those.

“Combining diverse measures in a way that they support and build on each other may enhance the level of protection and may therefore contribute to reaching EU standards,” it suggests.

However it also goes on to state fairly plainly that technical measures are likely to be the most robust tool against the threat posed by foreign surveillance. But that in turn means there are necessarily limits on the business models that can tap in — anyone wanting to decrypt and process data for themselves in the US, for instance, (hi Facebook!) isn’t going to find much comfort here.

The guidance goes on to include some sample scenarios where it suggests supplementary measures might suffice to render an international transfer legal.

These include data storage in a third country where there’s no access to decrypted data at the destination and keys are held by the data exporter (or by a trusted entity in the EEA or in a third country that’s considered to have an adequate level of protection for data); or the transfer of pseudonymised data — so individuals can no longer be identified (which means ensuring data cannot be reidentified); or end-to-end encrypted data transiting third countries via encrypted transfer (again data must not be able to be decrypted in a jurisdiction that lacks adequate protection; the EDPB also specifies that the existence of any ‘backdoors’ in hardware or software must have been ruled out, although it’s not clear how that could be done).
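To make the pseudonymisation scenario concrete, here is an added illustration (not taken from the EDPB guidance or from this article) of why the secret has to stay with the exporter: an unkeyed hash of an identifier can be matched by anyone holding a list of candidate values, while a keyed token cannot be matched without the key. The field names, the sample record and the key handling are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Callable, List, Optional

# Assumed names of the fields that directly identify a person.
DIRECT_IDENTIFIERS = {"email", "name", "phone"}

# Generated and kept by the exporter; never part of the transfer.
EXPORTER_KEY = secrets.token_bytes(32)

# Constructed sample record and candidate list (not real data).
RECORD = {"email": "Anna@example.org", "name": "Anna Example",
          "phone": "+00 000 0000", "plan": "premium", "country": "DE"}
CANDIDATES = ["bob@example.org", "anna@example.org"]


def unkeyed_token(email: str) -> str:
    """Weak form: plain SHA-256, which any recipient can recompute."""
    return hashlib.sha256(email.lower().encode()).hexdigest()


def keyed_token(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a key that only the exporter holds."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(record: dict, key: bytes) -> dict:
    """Build the record that is transferred: token plus remaining fields."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_token"] = keyed_token(record["email"], key)
    return out


def reidentify(token: str, candidates: List[str],
               tokenizer: Callable[[str], str]) -> Optional[str]:
    """Exporter-side test: does any candidate identifier map to the token?"""
    for candidate in candidates:
        if hmac.compare_digest(tokenizer(candidate), token):
            return candidate
    return None


if __name__ == "__main__":
    exported = pseudonymise(RECORD, EXPORTER_KEY)
    print("transferred record:", exported)
    print("unkeyed hash matched:",
          reidentify(unkeyed_token(RECORD["email"]), CANDIDATES, unkeyed_token))
    print("keyed token matched without the key:",
          reidentify(exported["subject_token"], CANDIDATES,
                     lambda e: keyed_token(e, b"\x00" * 32)))
```

The token only covers the direct identifier; the fields that remain in the transferred record (here `plan` and `country`) still have to be reviewed as quasi-identifiers that could single a person out when combined with other data.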

Another section of the document discusses scenarios in which no effective supplementary measures could be found — such as transfers to cloud service providers (or similar) which require access to the data in the clear and where “the power granted to public authorities of the recipient country to access the transferred data goes beyond what is necessary and proportionate in a democratic society”.

Again, this is a bit of the document that looks very bad for Facebook.

“The EDPB is, considering the current state of the art, incapable of envisioning an effective technical measure to prevent that access from infringing on data subject rights,” it writes on that, adding that it “does not rule out that further technological development may offer measures that achieve the intended business purposes, without requiring access in the clear”.

“In the given scenarios, where unencrypted personal data is technically necessary for the provision of the service by the processor, transport encryption and data-at-rest encryption even taken together, do not constitute a supplementary measure that ensures an essentially equivalent level of protection if the data importer is in possession of the cryptographic keys,” the EDPB further notes.

It also makes it clear that supplementary contractual clauses aren’t any kind of get-out on this front — so, no, Facebook can’t stick a clause in its SCCs that defuses FISA 702 — with the EDPB writing: “Contractual measures will not be able to rule out the application of the legislation of a third country which does not meet the EDPB European Essential Guarantees standard in those cases in which the legislation obliges importers to comply with the orders to disclose data they receive from public authorities.”

The EDPB does discuss examples of potential clauses data exporters could use to supplement SCCs, depending on the specifics of their data flow situation — alongside specifying “conditions for effectiveness” (or ineffectiveness in many cases, really). And, again, there’s cold comfort here for those wanting to process personal data in the US (or another third country) while it remains at risk from state surveillance.

“The exporter could add annexes to the contract with information that the importer would provide, based on its best efforts, on the access to data by public authorities, including in the field of intelligence provided the legislation complies with the EDPB European Essential Guarantees, in the destination country. This might help the data exporter to meet its obligation to document its assessment of the level of protection in the third country,” the EDPB suggests in a section of the guidance discussing transparency obligations.

However the point of such a clause would be for the data exporter to put up-front conditions on an importer to make it easier for them to avoid getting into a risky contract in the first place — or help with suspending/terminating a contract if a risk is determined — rather than providing any kind of legal sticking plaster for mass surveillance.

“This obligation can however neither justify the importer’s disclosure of personal data nor give rise to the expectation that there will be no further access requests,” the EDPB warns.

Another example the document discusses is the viability of adding clauses to try to get the importer to certify there are no backdoors in their systems which could put the data at risk.

However it warns this may just be useless, writing: “The existence of legislation or government policies preventing importers from disclosing this information may render this clause ineffective.” So it could just be trying to kneecap dubious legal advice that tries to push contract clauses as a panacea for US surveillance overreach.

The full guidance can be found here.

We’ve reached out to Facebook to ask what next steps it’ll be taking over its EU-US data transfers in light of the EDPB guidance and will update this report with any response.
