These bit jumped out at me:
>Furthermore, national security, public interest and law enforcement
requirements of the United States prevail over the safe harbour scheme, so that United States
undertakings are bound to disregard, without limitation, the protective rules laid down by that
scheme where they conflict with such requirements. The United States safe harbour scheme
thus enables interference, by United States public authorities, with the fundamental rights of
persons, and the Commission decision does not refer either to the existence, in the United States,
of rules intended to limit any such interference or to the existence of effective legal protection
against the interference.
>This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’
complaint with all due diligence and, at the conclusion of its investigation, is to decide
whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers
to the United States should be suspended on the ground that that country does not afford
an adequate level of protection of personal data.
My reading (not a legal expert) is that data residency is the important bit here. Which in my view is a small step but not sufficient.
I think it means a lot more than just data residency. Without the safe harbor agreement you can no longer avoid EU privacy regulations by storing the data in the US.
This means that a lot of US companies are now exposed to EU privacy regulations where previously they only had to account for US privacy regulations.
The US privacy regulations are no longer considered compatible with the EU privacy regulations. That has much more impact than just data residency.
What I am curious about is how do we define "doing business in the EU"? If I am american, create a blog stored in the US, and allow users to register an account to comment on the blog, am I doing business in the EU if a EU person creates an account or are my visitors more akin to foreign tourists visiting a US shop in the US and therefore outside the reach of EU regulation?
In the financial sector, the extra-territoriality of US laws has been a problem for decades. Securities issued in the EU, by EU entities and marketed to EU investors end up having some language referring to which US regulation they fall under out of fear that a US person will end up buying it, and the US applying their laws and regulations.
> In the financial sector, the extra-territoriality of US laws has been a problem for decades.
This is a problem for the internet that has long been present but is increasing: multiple jurisdictions with global reach. Historically the First Amendment has shielded the internet from a lot of attempts to interfere with it, but there's no particular reason why only the US should claim that its laws apply globally. Why not Franco-German laws against Holocaust denial? English libel law? Saudi blasphemy law? Chinese censorship law?
Sooner or later someone's going to find themselves in a Kafkaesque situation where two global jurisdictions demand incompatible things.
> Sooner or later someone's going to find themselves in a Kafkaesque situation where two global jurisdictions demand incompatible things.
That's exactly what we're already talking about here: companies are unable to obey both EU rules concerning privacy, and US laws concerning law enforcement access to data.
And that's basically why borders between internet jurisdictions are now being drawn up.
The sad thing is that Europe also has laws enabling law enforcement access to data, including (until recently) mandatory retention of certain data by ISPs. All this is about is mass surveillance without due process. All that would be required to fix it is interpreting the Fourth Amendment in the same way as Article 8, and abolishing the whole secret court infrastructure.
> The Court adds that legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.
> Likewise, the Court observes that legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.
Microsoft was ordered to hand over an Irish citizen's emails stored outside of the US to US government officials in a drug case. The case is still in appeals.
In practical terms your blog would be outside the EU jurisdiction so no direct, effective, sanctions could be levied. However if you do take payments, for anything, from within the EU that is where they can hit you; by simply blocking European banks from making payments to you.
I'm not a bitcoin guy but this is a scenario where I can see the technology becoming popular/useful. They can theoretically block your service (like China firewall) but that's harder to pull off and sell to public.
For example it could let games circumvent online gambling laws.
> What I am curious about is how do we define "doing business in the EU"? If I am american, create a blog stored in the US, and allow users to register an account to comment on the blog, am I doing business in the EU if a EU person creates an account or are my visitors more akin to foreign tourists visiting a US shop in the US and therefore outside the reach of EU regulation?
De facto, it's when you take money from EU customers and/or have an official office in some EU country.
To wit, non-profit doesn't mean "doesn't take in money." IIRC, it means that the organization doesn't distribute surplus income (profit) to shareholders.
So, a non-profit that took monies from EU citizens I think would still possibly be affected, unless there's EU laws that make non-profits a different class of business subject do different laws.
There are non-profits that make millions of dollars in positive cash flow. All that term means (At least in the US) is that it doesn't ever pay dividends to shareholders.
I'll be intentionally vague because I don't want to stray too far afield but there are some large organization that make a lot of money but are classified as non-profit. They can pay excess revenue as bonuses to directors and executives.
Note that I said "de facto", not "de jure". Nobody would bother suing a non profit that doesn't have EU offices unless you were very large and/or very prominent and/or doing something really nefarious about the data you have. And even then, suing an US company with no EU standing in front of an EU court from an EU citizen complaint is far from easy.
The same reason that if, say, Texas introduce a law that says everyone commenting on a texan website needs to be polite and I post a comment with some name calling, suing me as someone not from Texas nor the US would not be very doable, even though I technically infringe on that law.
This is where I think Business Insider is ultimately "wrong", yet it keeps stressing in all related articles how this will create huge bureaucracy.
From what I see in the ruling, it keeps stating "under the directive" (Data Protection Directive).
The current Directive, does indeed give national governments the right to decide how it's implemented. However, the new Directive (or regulation actually, meant to pass this year) will unify the directive for all countries. So I believe this "bureaucracy" issue, at least in regards to having to follow 27 different laws, will not be an issue anymore.
Even the current directive likely doesn't require satisfying all nations separately; since the various schemes are supposed to be compatible (i.e. conceptually safe harbor, though it's not called that, does apply within the EU), if a business hosted its data in one country and served others from there, they'd likely be safe.
There might be some bureaucracy to ensure that you really count as being hosted there (e.g. possibly ensuring that the parent company cannot access said data - which would be problematic for some companies), but AFAIK (IANAL) there's no legal distinction between EU and non-EU companies in this kind of rule.
EU banks also have special rules for US persons. There are special courses on how to properly determine whether someone counts as US person or not. Nobody cares about other countries.
Isn't the US the only country that taxes the foreign income of its citizens, which would probably require that the banks have some paperwork particular to US citizens with accounts?
One of my Dutch banks, a small investment bank, kicked me out because I am on a temp visa in the USA. This means I have to pay taxes here and therefore need to report my Dutch bank accounts with the IRS. They told me the US penalties for not reporting 100 % correctly on my money with them were so outrageous that they preferred to boot me.
U.S. residents, including temporary residents, are considered "U.S. persons" by the IRS and have to report everything. Amusingly this also applies to holders of U.S. Green Cards who aren't actually resident in the U.S.
Canadians working in the U.S. have had fun with IRS because a type of Canadian registered (tax-advantaged) savings account is not recognized by the IRS as a registered savings account but rather a "passive foreign investment company" and IRS loves to make people fill out lots of paperwork. This is apparently because IRS rules haven't been updated in the 10 years since the account type has been created.
Yes. If you're a US person or a US citizen living abroad, you pay income tax in all of your income wherever it is earned. And even most states claim this too. If you live in Colorado and travel one time to earn a consulting fee in New York you must pay New York state income tax on the money earned in New York, and claim it as a credit with Colorado. That means filing IRS forms, Colorado income tax forms, and New York income tax forms.
It's such a bureaucratic clusterfuck for a small business or consultant.
There is this problem in multiple countries I believe.
From what I understand, the US asks you to report what you earn outside of the US but also what you paid as taxes. If the foreign country has a tax treaty with the US you would only pay the difference (in case the US taxes are higher than the foreign).
It might not be the only country, but such taxation practice is definitely not the norm.
Unfortunately, there's little chance of normalizing the laws with international custom, since I can already see the attack ads about tax breaks for the wealthy.
Similar to the Cookie banner, you'll probably have to indicate to your subscribers that their data will be resident outside the EU and will not be subject to the same data protection. Subscriber proceeding will indicate agreement with that.
No, the data protection directives are not something you can opt out of, even if you nicely ask your users with a banner.
Note that the original point of the cookie banner law was not to ban cookies, but to inform users about it and allow users to avoid websites storing information about them. That consequence of that law is terrible and we all know that with the banners everywhere, but at no point was it "cookie are forbidden, but you can bypass it with user approval", it was "cookie are allowed but require approval".
Storing EU citizen data without respecting the data privacy directive is forbidden, period.
Actually, the fundamental rule of data protection legislation is that an organisation can store data on its subscribers and can not except in limited legally prescribed instances (e.g. lawful intercept, insurance fraud) share it with another organisation.
The issue at the core of the Schrems case is that Facebook for example is not bound to respect this, or any other fundaments of EU data protection law.
However, if you register with a website that is clearly and overtly outside your data protection jurisdiction then it is "you" who is freely providing that data. Just as you might give personal information over a transatlantic phone call.
The EU has no jurisdiction where the company is not in the EU, and cannot prevent an individual from sending their private information outside the jurisdiction if they want to.
But various of these multinationals such as Facebook are in the EU for various operational reasons and as such the EU does have jurisdiction over them.
Perhaps more relevant to the data retention laws, would be a site sharing passport numbers, names and addresses of EU citizens, perhaps collected at stays at motels/hotels across the US? The site might host them for free - but keeping/sharing that data without consent wouldn't be allowed under EU law. The particular example would probably also be illegal according one or more US laws (state or federal) -- but I think it is still more interesting than the rather silly things people get hung up on?
If it's a US organisation (and not a multinational like FB), with data collected in the US, the Data Protection Directive does not apply. The fact it's merely EU citizens is irrelevant.
> The NSA will not stop gathering data on EU citizens
This is precisely the reason for the ruling. US policy will not guarantee that NSA won't snoop on EU citizens, therefore "safe harbour" is null. You're either respecting the other jurisdictions or you're not.
The issue here is not that the "law failed to do what it promised" it's that the "law was not implemented as promised". It can still fail even with the right implementation but at least now such practices facilitating such failures are now understood by everybody to be illegal. It is not "Okay" any more.
As you probably know, you can't comment like this on HN and we ban accounts that do it repeatedly. Please post civilly and substantively or not at all.
> Without the safe harbor agreement you can no longer avoid EU privacy regulations by storing the data in the US.
Maybe I'm missing something here.
My understanding is that the Safe Harbour agreement wasn't a mechanism for US companies to avoid EU data protection regulations... it was a certification that they did comply with EU data protection (particularly in situations where that data was transmitted outside the EU).
Now it's gone, EU customer data held by US companies will be governed by national data protection laws instead, so may end up having to be stored within the EU.
> The US privacy regulations are no longer considered compatible with the EU privacy regulations
I don't think they ever were, which is why the Safe Harbour needed to exist in the first place.
No, you are more or less right. The general rule is that personal data may only be transferred to organizations in third countries such as the US if they comply with the EU rules on data protection. See chapter IV of the data protection directive: http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:319...
In order to avoid that each EU member state would have to approve Google, Microsoft etc. one by one, the safe harbour framework was set up to let US companies self certify that they complied with the rules:
"In order to bridge these differences and provide a streamlined and cost-effective means for U.S. organizations to satisfy the Directive’s “adequacy” requirement, the U.S. Department of Commerce in consultation with the European Commission developed a "safe harbor" framework. The U.S.-EU Safe Harbor Framework, which was approved by the EU in 2000, is an important way for U.S. organizations to avoid experiencing interruptions in their business dealings with the EU or facing prosecution by EU member state authorities under EU member state privacy laws. Self-certifying to the U.S.-EU Safe Harbor Framework will ensure that EU organizations know that your organization provides "adequate" privacy protection, as defined by the Directive."
That was obviously a broken system, partially because the certified companies didn't live up to the EU standards, partially because the US government violated the rules systematically through CIA, NSA etc.
The fault here is really European as much as American. By relying on the wolf to guard the sheep we very much had it coming.
US privacy regulations where not considered compatible with EU ones before the ruling either.
The agreement was that US companies sign a list with the US Dept. of Commerce that they considered themselves in compliance with EU regulations when handling EU citizen data and that would give legal immunity to them and their subsidiaries in the EU.
This ruling means that EU countries are now allowed to check if they are lying or not.
The end of the article makes it sound like just adding a clause to the terms & conditions saying the user agrees to his data being stored in the US would be enough to bypass this. They just can't assume they have that right under safe harbour.
Hopefully they'll restrict that and require a higher threshold for consent than someone clicking "I agree" to 100 pages of dense legalese.
This is going to be funny. Time to sue every website that includes Google Analytics today.
As, obviously, this ruling means no one – not even your website – may give out my data to US entities, including Google. So any type of tracking like that is now illegal.
Did anyone else notice the following as a distinct bias?
Max Schrems, an Austrian lawyer and privacy activist, has
done everything he can over the last several years to be a
thorn in Facebook’s side.
My alternative perspective:
Max Schrems, an Austrian lawyer and privacy activist, has
done everything he can over the last several years to protect the
rights of European citizens whose privacy has been abused and
invaded by US firms.
"Governments in Australia, the United States, New Zealand, Canada, Singapore, Vietnam, Malaysia, Japan, Mexico, Peru, Brunei, and Chile will be unable to force companies from those countries to store government data in local datacentres ... governments will not only be prevented from mandating data sovereignty provision, they will also be unable to demand access to source code from companies incorporated in TPP territories."
It's incredible how deep the ideological split is, on data protection and surveillance. On one side, you have lawyers saying "hey, this is a problem, this law says you can't do that, we have to find ways to make you comply"; and on the other you have business lobbies and security agencies saying "hey, this is a problem, we need to remove all laws".
Restricting laws are always costly: Environment laws for example -- how costly it is, not to be able to pollute the air, the water, the people. Have filters, have restrictions, use of alternative fuels ... this all costs. And reduces the growth rates of our economies .... Better remove those laws and instead install strict intellectual property laws with unrestricted duration of protection.
That is, how (capitalistic) economy works: Put the costs of the business on the shoulder of many (the people of the country) and the benefits (the profits) on few people.
It isn't 'how' it works. It's something along with other many many things we may like or dislike, that happens in our complicated world. Evidently you can't resist the opportunity to push a political agenda.
Well, in terms of economic theory, he has a point. Markets usually don't take into account so-called externalities such as the environmental impacts of pollution (or individual loss of privacy) when setting prices. Perhaps a better way to view environmental (or data-protection) legistation is not as constraining the untrammelled workings of the free market, but as modifying the market mechanisms themselves to take certain externalities into account, so that they get factored into production costs instead of being passed on to society.
Maybe I'm reaching a bit too far, but we're mainly discussing this in the context of non-US resident's data being transferred to the US, without their say so, where the NSA then does whatever it likes with it. But surely this treaty goes both ways? Doesn't it also allow US citizen's data to be transferred to Vietnam etc, without the person's permission, under their legal framework and their government and commercial agencies get to do what they like with it according to their laws? And the US government is ok with that?
Unless I'm missing something, the US government (and NZ, and Australian, etc) just completely sold out their citizen's privacy to a whole bunch foreign nations including a communist dictatorship. Wow.
This has never been illegal in the US, and in fact has been happening for a while. The US has no general privacy law, and the First Amendment is usually construed against privacy.
(There are some narrowly focused privacy laws like HIPAA)
> "Few legal restrictions exist on financial service companies sending customer data to foreign countries. Financial institution customers may not opt out of these information transfers to nonaffiliated service providers if the transfer is for a purpose described in section 502(e) of the Gramm-Leach-Bliley Act (GLBA). For example, the opportunity to opt out does not apply where the information transfer is to: (1) service or process a financial product or service that the customer requested or authorized; or (2) maintain or service the customer's account."
I don't think so. What it is saying is that if a Vietnam-based cloud company sets up shop, the US cannot mandate that it keep US customer data on US servers. I can see why the US wants this: They want everyone's data in the US. What I cannot see is why anyone else would agree to this.
My guess is that what it really means is that such companies are allowed to operate. OK, fine. But no one is forced to use them. So the US might say "Nice service, Vietnam. But we won't buy it unless you put servers in the US." They aren't forcing anyone to do anything.
The end user doesn't get a choice. The US has no general data protection law. Customer loyalty cards, credit records, ad tracking data: all of these may already be kept overseas.
But surely there never was any requirement that to sell things to US customers you have to have servers in the US. People in the US have been buying things from Alibaba and other Asian companies based solely in Asia for years. Similarly you could log from the US to Baidu in China and create a personal account full of personal data, and that hasn't changed either. These laws are all about transferring data between jurisdictions, not whether or not you have to operate your services locally.
No it doesn't de facto because the biggest (by user count) internet services are based and operated from USA, e.g. Google, Apple, Microsoft, Ebay, Youtube, Twitter, Uber etc. And it probably will not change in the future. So keeping current situation is good for USA and bad for everyone else.
It is better to have local services so the money and personal data don't go overseas and help local economy. The current situation is obviously wrong. There are customs duties that protect local companies and there is nothing to protect them in the internet. So we have USA taking over this new market. This should be changed.
China is an example of a country that has their own search engine, blogging platforms, video sharing sites and most of people prefer them over USA based websites.
> just completely sold out their citizen's privacy to a whole bunch foreign nations including a communist dictatorship.
No they did not because nobody uses services from those countries.
TPP doesn't apply to EU, but TTIP and TISA do, and indeed they could also be used as a "backdoor" for the US to get the data anyway.
At the very least we may see that the TTIP Tribunal would override ECJ rulings (terrible idea for obvious reasons), but I'm hoping that if such an agreement is passed, the ECJ would also rule it invalid for not being in accordance with EU regulations and the fundamental charter of human rights.
Do we have some sources on this? And aren't the proposed Tribunal for ISDS arbitration (where companies can protest/appeal laws and court rulings that treat foreign companies on an unequal footing to domestic or other special status ones)?
"The 12 parties also agree not to require that TPP companies build datacenters to store data as a condition for operating in a TPP market, and, in addition, that source code of software is not required to be transferred or accessed."
Stated that way, it sounds far more reasonable. Source code, yeah of course. You don't want country X being able to demand country Y's company's source right?
And the data centre requirement also makes sense. You can't lock out online competitors on grounds that they aren't setting up local servers. But I don't see anything that mandates you must buy from such a service. If Mexico starts a cloud hosting company and refuses to run Canadian servers, Canada is under no obligation to buy such service. They just can't ban the service for not having Canada-based servers.
The article states that Russia's law requiring Russian personal info to be stored in Russia would be banned if Russia was in the TPP. But they don't state the language used there. It wouldn't be surprising if all other rules and regulations apply. It wouldn't make sense if, say, HIPAA didn't apply to foreign-country clouds under TPP. And if HIPAA applies, then why wouldn't other privacy regs?
Like the source code for critical systems in cars. There should be a requirement for that to be open. It seems that TPP would preempt any such safety legislation.
> Stated that way, it sounds far more reasonable. Source code, yeah of course. You don't want country X being able to demand country Y's company's source right?
I do. Company X is totally free to not operate. My citizens well being or my ability to oppress my own people - depending on the type of country, trumps Y's company rights to make profit from my people.
People don't belong to the Government, the Government belongs to the people. If people choose to do business with a company based in a different country they should be able to.
This is good, and a direct result of the Snowden revelations - without those, the US would still considered to be a safe harbor for your data. I'm hopeful that this will create the kick that the US needed, now that actual income (and high income, at that) is becoming threatened by the NSA. Of course this isn't the end to their data theft. They're likely to get the data from their Five Eyes European friends instead, but still - a good victory.
Sure. The next step would be to demand EU nations which violate the safe harbor EU rules be either thrown out of the EU (GB, but probably also Neitherlands, Sweden and Denmark), or fix their privacy laws. It cannot be that the GHCQ acts on behalf of the US on EU data and allows easy circumvention of basic privacy principles.
Its been asked by multiple people in the thread, but I'm not clear on the answer.
If I host a website that has user accounts in the US, and do not stop people from the EU from registering, do I, with no offices outside the US, need to do something different because of this ruling?
This only applies if you have EU users submitting data to EU servers and then you want to move that data to another jurisdiction, namely the US.
If your user is submitting their own personal information to servers outside the EU, that's their lookout. That's what seems to apply to you. Carry on. Nothing to see here.
But if they're submitting to one of your nodes within the EU, they can consider that the data will continue to benefit from the protections being in the EU affords it. Moving it to the US without their permission does not abide the EU protections.
That's not what my lawyer says. Our servers are only in the US and we were instructed that if we were to accept European customers we needed to go through the Safe Harbor process.
So wait - if Facebook, Google, etc. just made sure that every time an EU user submitted personal data, it was routed to US servers rather than EU ones, they would not be in violation of EU privacy law? What if they then send that data to the EU servers?
Then (from the company's perspective) I've accomplished the same ends, at a cost to the user (latency), and gone from illegal to legal.
I'm not a lawyer, but I think that if you are a US resident or the company you run is incorporated in the US without any offices or hosting in the EU, then you are not bound by EU data protection law.
You ought to obey EU data protection law for EU registered people.
This would perhaps include deleting data that customers ask you to delete, not storing personal data without direct permission, nor when you no longer need it to provide your service, etc.
> (a) 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
You may just put in your T&C that nobody from EU can use the site. No one will read it. No one will obey it. But it should be enough for lawyers to chase each other's tails in any case.
Perhaps. AFAIK click-through EULA's are not valid in most (all?) EU/European jurisdictions. Not sure about the presumably free blog -- but at least for things like eg: collecting personal data in an application/operating system (like Windows 10) -- you can't just pretend your users are at fault for clicking through a wall of legalese.
Edit: I'm reacting to "Facebook and Twitter [...] could be forced to host European user data in Europe"
Border control with data is the worst idea ever.
Think of it: my Facebook friends lists has EU and US people in it. This list can't reside in EU or US. This webpage can't be served by either a EU or US web-server. By law. LOL
Plus I'm a EU citizen, and I can choose to give my data to whoever I want... no more. That's sad.
This ruling only shows the dismal tech knowledge of lawyers and lawmakers. It's impossible to implement Facebook with data spread between EU and US. Same for Tweeter and others. Say goodbye to social networks. Because of model denormalization, because of network latency and intercontinental bandwidth.
Some mention cloud zones, but they're only useful with replication, which IS data transfer.
OR... social networks will cheat. And one day, they'll be sued for cheating the impossible regulations (think VW...)
The judgment does not prevent you from storing personal data in the US per se. It only nullifies the blank check of the safe harbor provision. As far as I can tell, there's nothing preventing Facebook from obtaining consent from you using Model Contract Clauses or Binding Corporate Rules, for example. This is already normal for companies from countries that do not enjoy the benefits of a safe harbor provision, after all.
I didn't say that it's just a problem with Facebook's contract. Model Contract Clauses and Binding Corporate Rules are pretty restrictive, and Facebook may not like them and prefer to instead separate their data. But neither does it mean that they cannot do it.
> Think of it: my Facebook friends lists has EU and US people in it. This list can't reside in EU or US.
I think you're misunderstanding the ownership of the data, hence the down votes. If I as an EU citizen create a private friends list like this, that list belongs to me. If I live in the EU but create the list using a US service with servers in the US, there is no problem. US privacy laws apply. If I create the list using an EU service on EU hosted servers there is no problem, EU privacy laws apply. However in this second case if the internet service company wants to transfer the list from their EU servers to their US servers without my explicit permission, that's a problem.
I think the parent is getting at if you're in the EU and your data cannot be transferred to the US, and a friend in the US has data that cannot be transferred to the EU (if they were to follow suit) you wouldn't be able to create a list of friends in both localities because of the restriction to send data around, without incurring intercontinental latencies. Obviously the list itself could reside in either location, but the service provider would need to perform an intercontinental join each time you wanted to view the names of friends in your list.
But user names in e.g. Facebook aren't private information, they are explicitly public. As are messages you publish to people. That's just not an issue. The issue concerns private information associated with your account that you have not chosen to share such as your personal phone number, physical address, date of birth, etc. Of course if you send that information around in public messages that's your problem, but if you keep it in your account, then the company, such as Facebook, transferring that account information to the US it is a problem.
My name is private data and should be treated as such. Companies need to have my permission to gather my name, and they need to tell me what they use it for and how long they store it, they should not gather it if they don't need it, they should store it securely, they should not share it with other people without getting my explicit opt-in.
That doesn't make it impossible for Facebook to do business. It just means Facebook needs to be more careful with what they gather and store.
I don't know. The EU's own website[1] on data protection refers to your name and photographs as private information that is subject to privacy protection laws.
Relevant quote:
> Individuals regularly disclose personal information such as their names, photographs, telephone numbers, birth date and address while engaged in a whole range of everyday activities.This personal data may be collected and processed for a wide variety of legitimate purposes such as business transactions, joining clubs, applying for a job, and so on.
> Nonetheless, the privacy rights of individuals supplying their personal data must be respected by anyone collecting and processing that data.
Where it gets really tricky is caching. Say you do your intercontinental join but then want to cache HTML fragments for performance, well, is that classed as "transferring data" because technically it is...
I think it will be reasonably argued that data in this context is the master record. The source of truth to which queries are sent.
A cache is not that, and you need only look at something like the EU e-commerce directive to find exceptions for caches and networks on the basis of being a "mere conduit" for the communication.
It is not as if the data is now toxic and cannot be cached or communicated outside of the EU, only that the data must be stored in the EU and should not be replicated to any database or storage outside of the EU that would prevent EU privacy law taking effect. That's important as EU privacy law already has enough exceptions to allow reasonable scenarios like caching to function.
And if you are going to say "well I could just query my cache", then I'd suggest that if your cache is able to do much more than a single key|value lookup to retrieve the cached item then it is in fact a database you'd lose the protections of being a cache and you're back in the world of not storing EU data outside of the EU.
Imagine I'm in the EU, and Facebook wants to store my data in the EU.
But I'm friend with US people. So I'm in their own friend list too, which is stored in the USA. So my data is needed in the USA too.
When I publish something in Europe, my friends needs to see it too in the USA. And you can't build a Facebook wall with intercontinental latencies. You need replication.
It's a social graph, and you can't split it between US and EU: data has to be replicated across borders (or face massive latency and bandwidth).
I think this relates more strongly to things like the fb tracking through like-buttons, building a shadow profile of your online activities and such - and moving that data from an EU data centre to an US one. It might also relate to storing archives of private messages you've "sent" to other users - "transferring" a message from you, in the EU to a user in the US isn't part of this -- transferring your entire chat history from the EU to the US might be.
I don't think published messages to people you have chosen to share them with are the kind of information at issue here. Otherwise this would also affect email being sent across the Atlantic.
You're completely missing my point. Your facebook user name isn't personal private data, it's explicitly public. If people in the US have your name in their friends list that list belongs to them, not you. Not even the bit of it with your username.
> And you can't build a Facebook wall with intercontinental latencies.
I have yet to see a Facebook wall in under 0.133 seconds, I'm not sure intercontinental latencies are the biggest problem in web performance these days...
The latency would be incurred several times when loading a single wall. As an experiment, take a moderately complex web app and deploy it in a different continent from the database it connects to.
If you're at the point of storing data on different continents and being aware where it is stored, I'm not sure what is stopping you from batching your trans-continent queries so that you only hit the trans-continent latency once.
For exaqmple
> Think of it: my Facebook friends lists has EU and US people in it. This list can't reside in EU or US. This webpage can't be served by either a EU or US web-server.
This is plainly wrong, a reference tyo an user in a list is not the user data
A reference will not be enough when my friend wants to see my name and photo on the list. And if my friend must fetch it from Europe (and not cache it), expect Facebook to be slower and use more bandwidth than ever.
Without intercontinental replication, you'll be facing latency and bandwidth problems which will make social networks impossible.
note: when I say bandwidth, I mean intercontinental bandwidth, not your local internet bandwidth.
European citizen here, and as much as i welcome a step like this, it's also pretty interesting to see, what this means for smaller (online) businesses outside of europe.
Sure, you want to host customer data from europe in europe (latency-wise) anyways, but now that this will be more or less required it will be interesting to see how people will solve this. The good thing is, with "the cloud" you have a lot of option (locations) to choose from.
It's interesting to see the regional differences in this discussion, because that attitude is pretty foreign to the way I think about the Internet.
I know that if I use Yandex, at least some of my data is going to reside in Russia. If Dailymotion, France. I consider it up to me as a consumer to decide whether that's what I really want. I don't consider it my local government's job to force those companies to change their business models.
I'm from EU and I don't like it. EU should offer standards of data protection that foreign companies could choose to adhere to, then those companies could advertise to EU citizens that they comply with said EU standards. Same penalties that exist or are proposed now could exist under that model. Maybe even incentivize adoption with modest taxes if you feel really statist. Then EU citizens can choose whether they value these protections or not. Personally, I don't care what Facebook does with data I provided them with freely, but for online purchases I would strongly favor companies who protected my data.
> I know that if I use Yandex, at least some of my data is going to reside in Russia. If Dailymotion, France. I consider it up to me as a consumer to decide whether that's what I really want. I don't consider it my local government's job to force those companies to change their business models.
This is a ridiculous position to take, because it requires a humanly impossible amount of research to know whether the privacy of your data is protected. And that's when the information is even available.
Privacy is a basic human right. When corporations collect your data it becomes the responsibility of those corporations to protect your privacy. Individuals simply do not have the resources to enforce this, which is why we elect people to enforce this. This isn't some crazy responsibility for governments: this is the fundamental reason why governments exists: to protect the interests of their citizens collectively when it's infeasible to protect those interests individually.
> This is a ridiculous position to take, because it requires a humanly impossible amount of research to know whether the privacy of your data is protected. And that's when the information is even available.
How about looking at this from another angle? Why the heck should your browser and Internet connection leak anything that allows to single you out as an individual to any corporation or individual in the world?
The focus should IMO be on providing secure tools to end users for browsing the web.
I come across this response quite frequently and I remain mystified why anyone would think that it's important or even a good idea for the millions of people interested in privacy to try to solve privacy issues from the same angle. Skillsets don't even fit for this: as a developer I am well-suited for working on network technologies that don't leak information about their users, but a lawyer for example is much better suited at changing legislation so corporations are responsible for protecting privacy. We don't need a "focus", we need everyone to use their skills to protect our right to privacy.
This is actually very common. Politicians have to care about getting re-elected, and that often means chasing after campaign contributions more so than it does actually being on the side of the people.
Judges usually have tenure, this makes a huge difference to someones impartiality.
> European citizen here, and as much as i welcome a step like this, it's also pretty interesting to see, what this means for smaller (online) businesses outside of europe.
I'm not sure if it means anything for them. If a company does not have a business presence in the EU, it likely isn't subject to EU jurisdiction at all. This case happened because Facebook is a multinational company with a European subsidiary in Ireland and was sued before the Irish courts. Companies that may be affected by this are:
* Multinationals that exchange personal data between their US and their EU branches.
* Companies in the EU that are in a business relationship with companies in the US and as part of that business relationship send personal data to the US.
* Companies in the EU that avail themselves of US data centers and store personal data in those data centers.
Non-European companies that get paid for services rendered to EU citizens or countries.
If found to be violating laws, the ECJ can order banks to block payments made to those companies from within the EU, which harms their bottom lines between nothing and a lot.
Under article 4 of the Data Protection Directive, such companies should not be subject to its jurisdiction unless they have an establishment or equipment in an EU member state where they carry out data processing operations.
Actually they were sued before the European courts. Specially the European Court of Justice, which is in Luxembourg. I don't believe there was any case in the Irish courts.
The EU is not a state and therefore typically you cannot directly sue in its courts.
In most cases (such as this) a national court refers the case to a european level if european directives and interests are involved.
Fun fact: the EU commission/parliament has also not the power to pass any binding laws. They pass directives which are than implemented into national laws by the legislative bodies of it's member states and can also be overthrown by courts of each state individually (e.g. happened in germany with EU data preservation directives)
Yeah good luck setting up a startup now. If other countries follow Russia's suit, we'll soon end up having to somehow determine where a user is from (what if they're roaming, etc.?) so we can shard the datastore across multiple geographic locations. So obviously this = increased costs & complexity which will slow the speed of iteration :-(
European privacy laws are very consumer-friendly and usually very reasonable. US companies should look at those laws as a guidebook on how to get your customer's privacy right in the US as well.
You build houses - think of it like fire safety rules. "What do you mean I have to keep track of all the fire safety rules for the country I build the houses in? Can't I just keep track of a set of rules of my choosing instead?" -- well, no, for one and even if you could, that'd be a bad idea. Almost universally, there's good reasons behind specific rules in the fire code. (And in the rarer cases the rules really are broken, that's a problem with the law, but not one that can't be fixed).
Unfortunately, most companies don't give a rat about their customers' privacy (we care deeply about it we swear). What really should happen instead is that US customers demand laws like the ones we have in Europe.
But the situation prior to this ruling is basically what you described: that there's a particular set of rules that you have to follow. Now you potentially have to follow everyone's rules for every house you build, but which rules you had to follow depends on who buys it.
The situation prior to this ruling is "There's a particular set of rules which you have to follow... unless you're an american company, in which case, we trust you".
In the end we ended up with a requirement to ensure more and more prominent information. Do you think it's bad that more consumers are aware of the potential privacy impact of their actions?
Basically every website in the world except basic static sites use cookies. So the EU wants every website in the world to have a warning message about the dangers of cookies. That will show up every single time you visit every single website. Unless you accept the cookie that allows the site to see the fact that you saw a warning about cookies. So, websites have to use cookies to display a warning about cookies and if you don't accept the cookie, you get a warning about it on every single subsequent visit.
It screams laws written by politicians for special interest groups none of whom have the first clue about technology or how it works.
You could just have the web browser show an alert when a site wants to set a cookie and the user can click that alert or always allow it. Which is what we used to have in every web browser. Until users got sick of seeing the stupid warning because every single website uses cookies. And they got blind to the warning and paid no attention to it. Which made any other warning a browser shows more likely to just be clicked through.
So browsers removed the warning because we all realized it was stupid and pointless and ineffective and served no purpose any longer. But politicians with no idea how the technology works and no understanding of the fact that we already went through all this decide that everyone should see the dumb, stupid, ineffective warning on every single website and have it show up every single time for the people who understand how to manage their cookies and only show up once for the people who have no idea how to use their cookies. Just brilliant. It serves no purpose and everyone just clicks it away just like any other popup ad.
You're incorrectly thinking the EU cookie law applies to all cookies. It only applies to tracking data, including tracking cookies. Don't use Google Analytics -> No cookie law for you.
Actually, I do. There's a fallacy that displaying information before requesting consent necessarily leads to informed consent. Many users have insufficient background to understand what they're consenting to, particularly since such info-dumps tend to not mention what the consequences of various choices would be. With no context for their decision other than "Accept makes things work," all you're doing is training users to sign away their rights without knowing that they are
Don't conflate people's privacy and random laws that say they are about privacy.
With prevalent encryption on-the-wire, fibre tapping is less useful. So the way people get their privacy leaked is via hacking or other compromises. Saving to disks in a person's country of origin is probably rather far down on threats to their privacy. (Yeah, I know, if you host it all on disks in the US, then the FBI can come steal those disks. But that's less a risk than a hacking group dumping your DB on pastebin.) And a compromise to the company will compromise the data no matter where the disk are.
If countries were really concerned, they'd mandate strong security for personal info. Not like PCI where technical details are spec'd, but somehow offload it so that companies must make reasonable steps. Then have enforcement to fine companies that misbehave. Perhaps make it something where companies will want to get insurance.
That way, a startup, instead of grabbing everything, they'll ask themselves: "Hey, do we really wanna capture this info?" Just like PCI shot a lot of plans to store card numbers and CVV, a strong law could make companies think twice and plan around handling private info.
Location of storage devices might end up on the list of requirements, somewhere. Like once you store info on more than X people, you're required to address how you handle differing jurisdictions or something.
The two are not incompatible; EU countries are already fining companies that leak private data, and talking about increasing those fines (the EP suggests a max of 5% of global revenue or €100M, whichever is higher).
I'm as much for generating friction as anyone else. But I wouldn't pretend that keeping data in any country in NATO isn't akin to giving it to five eyes.
Basically the EU is creating a PR stunt that in theory could force them to enact some minimum veneer of standards and that PR stunt is going to have higher short term costs for the small private sector players than the large ones.
It is entirely possible the stunt will instead pay off for the other EU governments and against the privacy of their population by getting them invited further into the club.
>But I wouldn't pretend that keeping data in any country in NATO isn't akin to giving it to five eyes.
Collecting data which is routed internationally is a well documented method that NSA et al have used to skirt domestic law and grab/share the data. If you already live in country "C", and by statute your data must never leave country "C", then your data are more protected than if it had been sent outside the legal jurisdiction of country "C"'s courts.
I'm saying that no material facts have changed or were unknown by the governments before the safe haven and that I am skeptical that the case would have been heard at all without public revelation and interest.
I am also very skeptical that private data in Germany was or is any safer from the problems with the safe haven as far as data intentionally illegally shared with institutions in the US, not due purely to issues on the ground when defending the data in good faith.
While this is true, it's interesting to see what kind of effect this will have on the market.
I also didn't talk about startups, i mean small business in general.
This could be a reason not to launch your business in europe, if the cost of "deployment" is to high. Sure, someone else will fill that hole for you, but that's less money in your bank account. :)
Exactly. There's a bit of "pulling up the ladder" here. The guys who got in when the Internet was still the wild west got established without all this overhead.
There will be an enormous burden on new businesses satisfying these laws - previously we've got away with privacy policies but could still code the same. If we need to maintain N servers for N countries customers could be from, that's a massive operational overhead that is bound to do nothing other than stifle innovation.
Now, I'm all for privacy, but if each country starts fragmenting the internet on country boundaries - to the level of physical servers and data storage locations, bringing a new idea to market is going to much much harder. This is different to, e.g. different tax regulations, etc, because you can still benefit from centralised computation while processing orders for different localities.
And while today this might be just about Europe, it sets a trend. Before it was just Russia and China. How long before all countries want to see the code a la the Chinese?
So the NSA has screwed things up for all of us now who are trying to start businesses.
If my costs go from: developer -> developer + global devops team + legal, etc., that's a massive burden that will affect the "bedroom/garage" startups.
From my experience, majority of "bedroom/garage" startups self-limit geographically - whether it's expecting a phone number or a bank account in a given country, or assuming everyone has a U.S. state and zipcode (90210). Data regulation is hardly the deal-breaker when their own dataschemes don't support internationalization.
I guess it all comes down to how you're meant to determine where someone's data should be stored. Is it by their nationality? What if your app gains popularity outside your launch country? Are you suddenly on the hook for not having sharded your data geographically?
Plenty of popular apps don't require anything like bank account/post code, etc. that could be assumed to prove which country someone is from.
If your app gains popularity in Italy, you have to care about Italy. That means supporting the Italian language always, it means supporting the odd Italian phone numbers if your app happens to deal with phone numbers, and it means complying with Italian law.
Now, if your app does not become popular in Italy, you just have five users there, do you still have to comply? No you don't, because de minimis non curat lex.
What kind of services or small businesses do you have in mind that a) have offices in different data jurisdictions and b) do not require any localization for these jurisdictions?
The fragmentation might be good when we talk about pricacy. It gives motivation to create more local services and not depend on foreign ones.
China is good example of how that works: they have their own search engine, blog platforms, website analytics software, video sharing sites, IM software. So Chinese users do not send their data (and money) to USA and goverment can protect personal data from NSA while EU cannot.
Of course I do not approve other things like censorship in China but having local services is a good thing both economy-wise and privacy-wise.
I don't know why you are downvoted. This is going to become a real concern indeed: should I have one deployment per country of sale, ultimately, etc? This is getting tricky.
How many times a day is this phrase written in Hacker News?
How many times is it found on reddit?
The poster, in this specific case is not being downvoted.
The issue I think is understanding about how commenters and viewers use HN and reddit and upvote and downvote over time. If you understand this process you will no longer want to write "I don't know why" because you will understand the process.
I hope more people would understand the voting processes of these various discussion forums.
The poster was actually heavily downvoted, until I mentioned this, and now it isn't anymore.
I almost never complain about downvotes (as mentioned in HN guidelines), yet felt that there was a misunderstanding and a lack of full perception of the implications of what the downvoted message conveyed.
Truth is (again, as someone who is privacy-sensitive, and running a EU SaaS) this is going to be complicated to run an international SaaS, as a bootstrapper.
So was the actual comment "I do understand why you are being downvoted, and I disagree with the reasons" or "I do not understand why you are being downvoted?"
Ah - I didn't read like "it's a bit of pain" (easy or not) but rather like the extra friction brought by this issue is going to stop many people from starting businesses, at all.
(for some context, I'm a French SaaS bootstrapper; I am as careful with my customers data as I can be, and found that starting a SaaS has been a major pain already - VAT rules, finding a SafeHarbor provider which doesn't suck at security, too etc).
> (for some context, I'm a French SaaS bootstrapper; I am as careful with my customers data as I can be, and found that starting a SaaS has been a major pain already - VAT rules, finding a SafeHarbor provider which doesn't suck at security, too etc).
I was talking about this to someone just now and it strikes me that all these regulations are very much wasted on startups during their creation. Maybe what we need is a way for startups to be able to playtest their idea and only have to worry about all the extra responsibilities once they're more certain about the results.
> Yeah good luck setting up a startup now. If other countries follow Russia's suit, we'll soon end up having to somehow determine where a user is from (what if they're roaming, etc.?) so we can shard the datastore across multiple geographic locations.
Or just host everything in Europe.
Or lobby Congress to stop shitting all over privacy so that the US can be considered a safe harbour again.
Hosting in Europe wouldn't fix the issue that Russian law wants to have Russian persons' info stored in Russia. It could very easily end up with several countries requiring this, and needing to store data differently depending on user's selected country.
And think about it: is there a really huge increase to privacy? What exact attack scenarios does this defeat, and how likely are such scenarios compared to run-of-the-mill privacy breaches (lax security)?
It's obviously about regulatory requirements rather than a random hacker. If I host my data in the US, then I am subject to the whims of the US government, and as such they have jurisdiction over European data (which of course, is not protected in any way in the US, even by the meagre data protection laws that the US affords its own citizens).
> And think about it: is there a really huge increase to privacy? What exact attack scenarios does this defeat, and how likely are such scenarios compared to run-of-the-mill privacy breaches (lax security)?
Those are two entirely different scenarios. There's no reason both couldn't (and shouldn't) be handled in parallel. For example starting next year companies within the EU are held liable for data loss, with up to IIRC 3% of their global revenue. That policy handles the lax security concerns; no reason to not tackle other problems, like the one described on this thread.
Or you could work on starting a startup that helps to 'store stuff in their geographic region' as a service. And let all the other startups leverage your service.
What I see here is just a simple data center service which offers to store company data and ensures in complies with EU requirements for these countries. If each country has different laws that require data to store physically in that country's location, then it's just a matter of setting up at least one such data center in each country and provide storage for any company willing to do business. Then you can make service order in bundles with multiple countries and that's it.
You can replicate within groups of datacenters which fall under the same privacy rules. Thats more than enough to run a centralized global social network, even though I'd love it for making it impossible.
I'm not talking about replication for disaster recovery, but replication to avoid intercontinental round trips.
If my actual name is stored in Europe, my US friend must request the data from the USA just to show his friends list on an HTLM page... (is that a transfer too? is it forbidden too?)
This seems less about privacy and doing what's right for EU citizens and more about European countries enacting some kind of protection scheme to give American companies a disadvantage when doing business there.
In a more cynical light, maybe build up some 'value' that can then be 'traded' in a US/EU TTIP deal?
"Look, the EU is reasonable and wants to get rid of the cookie ruling and the high bar for startups on geographical server requirements - TTIP would allow all this to happen!"
It's interesting how this is described as a potential "bureaucratic nightmare". Having to follow the law of the country your doing business in has been standard operating procedure for, well, basically all of human history.
Somehow the tech industry seems to think it should be exempt from that, even if it means being allowed to piss all over the basic civil rights of citizens of modern Western democracies.
Yes, this is a problem that needs to be solved given the reality modern cross-border online services. But it can't be solved by the corrupt political elite simply selling their citizens hard fought rights to corporations operating from countries that lack respect for such rights.
What sucks about it is that the EU, rather than presenting one set of rules and regulations to follow, and, say, allowing you to host data within the EU to be compliant, seems to have kicked the question down to individual European countries, each of which might do something different.
And you wonder why it's tougher to do startups in Europe...
I'm pleased by what the ruling says about the NSA and the pressure it puts on the need for reform, but less than pleased about the practical implications.
Well the data protection principles are common across the EU - so there's only limited scope for national DPAs to disagree and there's always the opportunity to ask the ECJ for a ruling to clarify.
Does this effectively render any Parse or Firebase application (they only have US servers) that stores user information (e.g. email account) illegal in the EU?
I am not a lawyer, so do not take this as legal advice, please consult a lawyer if you want actual advice.
This said: Probably yes. EU data laws are mostly about private information, for example private chat messages, etc.
If you only store email accounts, you might get around the laws, but if you store anything like payment information, communication between users, etc, you effectively now have to follow EU data laws, which mean: You can’t give any third party (not even your government or hoster) access, you can’t store it in countries where the government might just seize your data (like the US), etc.
I wonder if there are additional ramifications of this, even for European companies dealing with European customers. For example, what happens when personal data from a European datacentre to a European customer transits a US network on the way (such routing diversions are fairly common)? In the light of Snowden's revelations, this would seem incompatible with EU privacy regulations unless the data were encrypted. Of course personal data should always be encrypted, but where are the CAs located? Is a European company negligent if they don't use a European CA and do certificate pinning? Interesting times.
This sounds great! Though if the owning company is in the US, then the US views this as reason to be able to access customer data no matter where its stored. More fun to come mm?
Question: Why do companies HQ themselves in the US? Why not pick a friendlier country, then turn their US parts into a simple contractor that supplies software development and engineering resources? Then the US company would not have actual ownership of any data. Forcing them to reveal customer records would be the same as forcing an individual to steal data right?
Today you get to learn about: American Exceptionalism!
It is important to realize that, within the US, there is essentially a universal belief that the US is the best place to live, work, or be in the entire world. The debate is not so much whether the universe revolves around the United States, but which city exactly the axis passes through -- New York, DC, San Francisco, LA. It is very important that a universal axis has a commonly used two letter acronym, which is why not even a Chicagoan seriously believes the axis is through Chicago.
When the EU makes privacy complaints against US companies, the common perception -- even among US citizens who disapprove of domestic spying programs -- is that something is wrong with the EU. The idea that the EU could be right to hold a US corporation accountable to their laws never even occurs.
No American could ever conceive of establishing the HQ of a US corporation outside the US -- except maybe as part of a skeevy tax dodge. The US is the best place in the world to live, work, and run a business. Why would you want to go anywhere else? To be fair, most of the US companies that do establish some sort of off-shore setup are engaging in some sort of skeevy tax dodge.
> No American could ever conceive of establishing the HQ of a US corporation outside the US
Maybe incorporation in US really is better, at least for US citizens. It's easier to deal with local courts than foreign courts. If your European subsidy runs afoul of some regulation in a major way then they probably can't take your assets from your US based parent company. Then US is arguably more business friendly in many ways.
I mean I know a lot of "common" people believe that - I've lived in the US in the past. But I thought once a lot of money was on the line, reality or cynicism would set in.
Because the bigger companies were established long ago, when the US had the much bigger market.
Nowadays that's not true but the US startup VC is a lot stronger in the US for a bunch of reasons, so new startups tend to be established there much more often (with the financial tech field being the exception I believe). If you're making a new company you're going to make it where you live just out of sheer convenience.
But what stops them from a: switching HQ, or b: starting in another country? It's not like the US has serious currency export restrictions, right? And little stops a company overseas to do business in the US, right?
I think the answer to both of your questions is, technically nothing. Once you have built infrastructure and a base however those kinds of moves are very costly in time, effort and money.
And little stops a company overseas to do business in the US, right?
I think legally, no, but for better or worse, there are a ton of tools that are U.S. only - an example from today: Microsoft Hololens developer edition is available only to the US and Canada.
I was going to ask the same question! Is it some kind of rendering incompatibility between this jpeg and most browsers, or just a really crappy photography touch-up job?
> The average consumer will not see any restrictions in daily use, but will hopefully soon be able to use
online services without potentially being subject to mass surveillance
> However, US companies that obviously aided US mass surveillance (e.g. Apple, Google, Facebook,
Microsoft and Yahoo) may face serious legal consequences from this ruling when data protection
authorities of 28 member states review their cooperation with US spy agencies.
So this is what I think will happen: a lot of companies (maybe even the likes of facebook and google) will move out of europe and just serve everything from the US. There is not really an alternative to that, how could my EU-hosted facebook profile not be transferred to the US so my friends can see my book favourites?
So we are building a messaging product for organizations. I am wondering how this can impact us if an org that uses our product has employees in both EU and US (assuming that national regulators in EU go ahead and bar personal data transfer to US).
* Will we need to partition user data based on location, even if they are in the same organization?
* What happens when a user in EU sends a message to one in US? So right now the chat history for one-on-one conversation pairs is stored in one place, does this ruling mean that now we have to duplicate this chat history for both the users?
* Even worse, what if multiple EU and US users are part of the same chat group? Is there any way we can store the group's chat history in one place?
How is it possible that people don't discuss the GCHQ in the same breath as the NSA? From news reports it seems they may as well be the same agency. Keeping data out of the US isn't enough, and it's dangerous for Europeans to think that their own governments are looking out for their privacy. They should be looking instead to make encryption ubiquitous. This may be limiting corporate data storage, but I don't think this impacts intelligence gathering for the US at all.
My reading of the judgment is that it just throws the decision back to the national courts to decide what constitutes safe harbor. Safe Harbour agreement between US and EU streamlined the process for getting access to EU data. Now it mus be decided in national level.
If I'm a US company that does business in the EU, is there any reason that personal information collection can't just happen through a US web server? That way it is the user who is transferring the data to the US, not the company.
Updating your name, birthday and other personal information would take an extra 100 ms in order to POST to the US, but it could then be replicated back out to the EU for reads if necessary for performance.
Great success! They should try it the other way around. Looking for the set of things they can do that are correct in the European countries and then apply it to the US as well. If the biggest argument is to simplify ruling and management then this approach would be just as good as allowing US rules to overwrite European rules, right?
It's interesting that certain bloggers such as Dustin Curtis and Ben Thompson have claimed that Apple's privacy stance will ultimately hurt them because they'll be at a disadvantage to competitors, but it seems like they've shown some real foresight when you take this ruling into consideration.
Apple's business isn't based on exploiting the user's data and shitting all over their users' privacy (as has been the case with Facebook in the past, and Google too to some extent), and they've taken explicit steps to safeguard their users' privacy (e.g. encryption, ad-blocking).
The point is that Google will have to adopt much more than Apple. Sure, iCloud and gDrive might be equivalent, but there is no Apple equivalent to e.g. G+ or G-ads.
As if there would be a difference in motivation between evil corp#1, evil corp#2 and evil corp#3. You can substitute those names with apple, google, microsoft, facebook, amazon, whatever you like. If you think for one minute that Apple is only a fraction better then their competition you're very misguided by apples great marketing.
Honestly, if you think G+ is bad, or Adwords, but the appstore is not (Or iCloud, iwatch, Siri, Amazon Echo, Whatsapp, etc.) you will need to do a reality check.
All of those are very privacy intruding and every company will do it's best to make money of your data. And pretty much all of those services is made to collect as much information as possible about you.
Use Apple or Google or Facebook and store your private data to be datamined and monetized but please don't fall for marketing speech and all that "don't be evil" bullshit every mega corporation is telling you.
Can we agree that Apple make more money as a result of having "targeting groups" for iAds compared to if they didn't use any targeting? If so, by targeting iAds using data disclosed here: https://support.apple.com/en-us/HT205223
This is good for everyone's privacy. By making it difficult for businesses to centralize the storage of US and European data, the European court has incentivized businesses to pressure the US government toward laws that respect our privacy better.
I wonder if some companies have sufficiently complex operations globally, that they end up with mutually incompatible laws and would have to either stop doing business in a country or split itself in two to continue to operate?
Hosting data locally in EU doesn't solve privacy problem because the servers are still operated by USA companies that can (and obviously will) share the data with NSA. The solution is to create more local services so the data never leave the country. It is also better economy-wise so the money stay in the country too.
That's one thing that the GDPR (General Data Protection Regulation)[0] which is in the legislative pipeline at the moment is looking to fix.
The proposals include being able to levy a fine up to €1,000,000 or up to 5% of the annual worldwide turnover (whichever is greater) if they fail to comply with EU data protection rules.
While this is a massive ruling, there are valid exceptions that allow companies who have agreed with their clients to transmit their data from EU to US while keeping data separation and with respect to the data protection law.
This is not a blanket-panic for all US/EU companies as the media are projecting.
This is just small victory. AFAIK, US government can still ask without a court order Facebook or MS or any other US company to handle them the data of/for european citizens that hosted in Europe.
That's one thing that the GDPR (General Data Protection Regulation)[0] which is in the legislative pipeline at the moment is looking to fix.
The proposals include being able to levy a fine up to €1,000,000 or up to 5% of the annual worldwide turnover (whichever is greater) if they fail to comply with EU data protection rules.
These countries are demanding we run our services in their countries. This is a money grab.
Note that these same countries expect the United States to act as World Police, and do not contribute as much money as they should. They want the US to know about attacks ahead of time. I wonder how the US could possibly know about attacks ahead of time?
I deplore mass surveillance. I really do. But I think wiretapping with a warrant is a necessary tool for fighting crime, and terror, and bad state actors.
There's a part of me that desperately hopes all major internet services just shut off Europe entirely. Welcome back to the Stone Age.
It can still be expressed, of course. It's just that it wasn't particularly a reply to its parent and took the discussion on a generic tangent (U.S. = world police) that is also a classic flamewar topic. We don't kill such subthreads, but we do move them.
I can understand why you don't see it that way and wouldn't claim that our decisions are all obvious or all correct. They're imprecise judgment calls.
The US finds out about attacks ahead of time the same way we always have: through intelligence operations, not data mining. I don't think anyone is saying that targeted, legal wire tapping is somehow off-limits now. I don't see how this would impact the ability of a company to assist the authorities in monitoring individuals' communications, either - it will, possibly, make it more difficult for the NSA to do a blanket gathering of foreign communications, which I believe is the point.
Large service providers like Google and Amazon can and will comply with the laws. It is possible that social media start-ups will be unable to operate across borders due to regulations, but this will hardly be a staggering setback to the European populace's ability to share photos of their food. I doubt there are any real implications for things like freedom of speech/expression: these types of services are already effectively illegal in places with heavily authoritarian governments.
> It is possible that social media start-ups will be unable to operate across borders due to regulations, but this will hardly be a staggering setback to the European populace's ability to share photos of their food.
There will be services that have not yet been invented. We cannot presume to know what they'll look like, but there's a big chance the startups that invent them will be harmed by this ruling. No, big services run by established players will not die, but that's hardly the point.
Only large service providers will be able to comply with all of the laws.
Why, exactly? And what are "all of the laws"? The data protection directive is not that complicated or onerous, and besides, you can avoid it wholesale: just don't store personal data.
Wiretapping with a warrant is not obstructed by this, of course: it might require a bit of crossborder co-operation to get an EU warrant for the data of an EU national, but it's still possible to tap a specific user for law enforcement purposes.
What's not legal is warantless universal wiretapping.
(Also, I don't want the US to be "world police"! Like US domestic police they are far too trigger-happy. And the US is one of the few countries not signed up to the International Criminal Court. Would you want a police without a court?)
They hand over Roman Polanski, and we're off to a good start.
> What's not legal is warantless universal wiretapping.
So punish the government of the United States - not the businesses.
> Would you want a police without a court?
That's called "a military." And yes, I want a military. And since our enemies don't bother to dress up in bright-colored uniforms, and stand in a row in a field anymore, our military needs to be a lot more nimble. And since our international efforts (the UN) are often blocked by one or two security council members, I'm not impressed with the UN's ability to keep the peace.
Move fast, blow up hospitals? But I'm glad you accepted that the US is not a police service (ie legally accountable to the policed, following due process) but a military (ie an occupying force that executes people at will).
The wars in Iraq and Afghanistan are wars of choice by the US, and the end result has been a total destabilisation and millions of people killed or made refugees.
Intervention in Ukraine would have meant shooting at the Russians and starting WW3. Not invading Iraq would have left the region as-is without sacking the whole Iraqi army, leaving them and their weapon s to become ISIS.
No, it really isn't. It won't be effective but the judge here is not aiming for EU companies to earn more money.
> There's a part of me that desperately hopes all major internet services just shut off Europe entirely. Welcome back to the Stone Age.
Economies have becomes so intertwined that shutting Europe 'off the internet' by any other party (presumably the US or the rest of the world) is no longer feasible. It will backfire tremendously on those doing the shutting off.
Besides that, you wouldn't really shut the internet down, merely split it. Even North Korea has internet access.
Have you looked at prices for data centers in Europe versus the US? Or their incompetence?
> Economies have becomes so intertwined that shutting Europe 'off the internet' by any other party
BS. Google shut off China. Independent companies are free to not do business anywhere the laws are stifling. I think it would be awesome if they did it all at once. Internet Blackout for Europe.
> Have you looked at prices for data centers in Europe versus the US? Or their incompetence?
Yes, I'm quite aware of the price differences between data centers in Europe and the US. It all depends on who you want to serve, if latency is important then paying a (small) premium is usually not a problem. Also, plenty of EU data centers (maybe not the ones that you are familiar with) are extremely competitive with their US counterparts when it comes to pricing.
As for 'their incompetence', that would need some data to back it up, I have extensive experience with both and I'd be hard pressed to say which of the two groups are the more competent ones. Both are pretty good.
> Independent companies are free to not do business anywhere the laws are stifling.
You are dangerously mis-informed about where the balance of power lies - for now.
Google, Facebook, YouTube, Yahoo, Amazon, Wikipedia, Twitter, LinkedIn, Ebay, Bing use HTTP. Which as I'm sure you are aware was created by a European, working at a European institute.
Unless by Internet Blackout you meant blocking NNTP and Gopher?
They also use TCP/IP. Remember where that was created?
Neither of which is relevant AT ALL to the fact that they are being hit with ridiculous laws that hurt companies - small ones in particular - and therefore hurt consumers.
Ah yes, TCP/IP, the technology that spurred founding of Ebay just 4 years after it was created ;)
Non-EU small companies will not be hurt. Companies not collecting personal data won't be hurt. Companies that don't have an office in the EU won't be hurt. EU companies won't be hurt as long as they don't mix personal data between EU and US - and knowing what we do now, why would you?
If you want to talk about things that hurt companies, you could start with NSA severely handicapping US datacentre industry.
"Note that these same countries expect the United States to act as World Police".
Nobody (except some Americans) want this.
"I deplore mass surveillance. I really do. But I think wiretapping with a warrant is a necessary tool for fighting crime, and terror, and bad state actors."
I hate X but Y is necessary (because I said so) so let's do X anyway.
"There's a part of me that desperately hopes all major internet services just shut off Europe entirely. Welcome back to the Stone Age."
>That could be a bureaucratic nightmare: In theory, American companies with European customers could now end up trying to follow 20 or more different sets of national data privacy regulations.
Good. If you want to be a multinational company, then you should have to obey the laws of each country.
So, lets say for example that the US requires that you keep data on customers so that law enforcement can use it, but the EU requires that you don't so that privacy is protected.
Are you are suggesting that one of those laws should be changed to make it easier for multinational companies to operate, even though there was a good reason for the law in the first place? Because I would say that if the company absolutely has to keep customer data then they shouldn't operate in a country where that is illegal, and if they refuse to keep customer data then they shouldn't be operating in the country where it is required.
This is good and I see no reason why this cannot be done easily for most corps (except the ones who mine personal data). For why would you not have critical personal data in the specific country table/database that is in that specific country. If you do not provide the service in that country and some one signs up then inform that the data is not safe and give visible warning. Is that really difficult. I used to have DB library layer earlier where based employee location it will direct their data to that location.
The "good" companies should relocate their business central away from USA and come to Europe!
Some big companies should finally stop talking and start acting, this is the only chance for a real change.
Cut the NSA-Brotherhood ties! These little Hitlers from all the affiliated "Clubs of Distopians" and the War-Industry completely destroyed the most important association of "USA == Freedom" in the world. Face it. Deal with it. Act accordingly.
For people interested in history: it might be interesting to look at the post-ww-2 de-Nazification process in germany to understand how hard it is to remove established circles of anti-democratic bureaucrats from power structures. This will take a very long time (if it happens at all).
The better immediate reaction would be to support progressive and freedom-oriented societies with your technical powers until "good old USA" is restored. Europe is not perfect, but what happens in USA nowadays is pure distopia, a very unhealthy development that will lead to a negative outcome for all of us.
Once people came to The USA because of suppression and lack of freedom in their home countries. Just a few generations later if you have the same sense and longing for freedom like these ancestors of you, it is now time to leave that continent as the suppressors followed your trails - come home to Europe and together we can build a better future!
These bit jumped out at me: >Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.
>This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.
My reading (not a legal expert) is that data residency is the important bit here. Which in my view is a small step but not sufficient.