Meta fined $1.3B over data transfers to U.S. (wsj.com)
664 points by jaredwiener on May 22, 2023 | 520 comments




Pros: For years America has disproportionately benefited from post-hoc enforcements (I mean mostly it was New York DAs suing banks for 2008, money collected from around the globe and then put into a single State)

(sane) Tech regulation is a long time coming and it's not coming out of the Five Eyes nations - good to see EU taking a lead

Cons:

I wish this had been for a "harder" violation. Yes, it's bad. Yes, they are ignoring EU law. But it's, you know, drawing a social graph.

This leads to a fundamental issue - global capabilities (drawing a graph between all the people you know) should not be limited to arbitrary geographical boundaries. Social graph is fairly obvious - I have friends in US, where do we process the edge between those two nodes? If we cannot sort that one out we are going to struggle with epidemiology and medical inferences across boundaries.

Where data is processed should not affect the care with which it is processed. I can conceive of some verifiable processing package that ensures data can be processed wherever and still meet regulations. Can that be part of the future?


> This leads to a fundamental issue - global capabilities (drawing a graph between all the people you know) should not be limited to arbitrary geographical boundaries.

For me, this hits a more fundamental issue: how do we govern global issues without a global government?


Isn't this kind of exactly what the EU is showing us, that a global power isn't needed if countries actually set requirements and regulations. There has been a lack of desire from law makers worldwide to protect consumer data even though it's very obvious that it should be a fundamental right to control who gets to know your personal information and worse, whether they can sell it.

What I believe is happening here is the EU is setting a new standard that the US and UK and others will have to follow if they want to do business in the EU, unless they invest millions in infrastructure and staff.

I believe the same happens in the US, one state such as California will make progressive law changes that force companies to just apply the same standards across other states as it's less legal and regulatory burden, so effectively one state can actually change the system for everyone, no global super government required.


Likewise you have governments like the UK who are discussing bills that will effectively ban E2E encryption for children’s safety. If passed, companies like WhatsApp would just leave the market.

I believe your comment is somewhat true, but in your examples with the EU and California it’s mostly the case where (one of) the largest market(s) is able to set laws that govern the entire world. Which is great if everyone also happens to agree with the law, but it’s not the most democratic situation.


The problem is, what is a democratic global government? Larger states dominate smaller states in democratic governments all over the world simply because of numbers of votes. Having yet another layer of elections over it doesn't really make much of a difference.


> Larger states dominate smaller states in democratic governments all over the world simply because of numbers of votes.

At what governance level would this be acceptable for you? The existence of political minorities is inevitable. The question is where do you draw the line: street, block, postal code, city, metro, region, state, or nation? When is it ok to dominate others because they got less votes? The same issue is reflected in red states grabbing power from blue cities, with the implication that the state-level domination is A-OK.


I didn't say anything about acceptability. But if grandparent's comment is this

> with the EU and California it’s mostly the case where (one of) the largest market(s) is able to set laws that govern the entire world

this is not likely to be solved by yet another layer of government.


Population of a nation doesn't necessarily correspond to influence, though.


In a democracy it does correspond with votes though. Other than one person = one vote, how would you structure a global government?


> how would you structure a global government?

We're not going to structure a global government, such a thing is never going to exist and we're never going to have to worry about it existing. Fortunately.


It is the most democratic situation. Companies can decide between (a) leave that market, (b) treat the whole world by the strictest laws or (c) only follow those laws for those residents. If the cheapest solution is b, and capitalism demands the cheapest solution, then that’s useful information for the shareholders to choose a path. Just because we know what they will always choose doesn’t make it undemocratic.


b might just not be possible as above poster wrote, regulations might be in conflict.


I think I’m missing your point here. Let’s say Texas passes a law that all Texans’ data has to be processed in Texas, and because cowboys don’t give a shit there’s no consideration for the EU’s law.

What would the appropriate way for Meta to handle a friendship between a Texan and a European be? They can’t process the Texan’s data outside Texas, and they can’t transfer the European’s data outside of Europe. Disallow them to be friends?


You are misrepresenting this ruling. Any data that the user gives informed consent to share can be moved wherever the user consents. This ruling is about sending user data without any active informed consent.


Not so simple. Even with consent you aren't really allowed to store in America because America is assumed to be an unsafe country (because govt can at any moment force a US company to show the data)


Well, yes, that's the ENTIRETY of the problem, US law pissing on privacy and user consent. Fix that and it's all well.

It never was about "where it is processed" but "who can access it".


> because america is assumed to be an unsafe country (because govt can at any moment force a US company to show the data)

I assume here the EU can't do the same?


I don't think users can consent to ongoing general-purpose data transfers.

This is from the European Data Protection Board FAQ following the Schrems II ruling. Does the text of the new ruling say something different?

> 8) Can I rely on one of the derogations of Article 49 GDPR to transfer data to the U.S.?

> it should be recalled that when transfers are based on the consent of the data subject, it should be ... specific for the particular data transfer or set of transfers (meaning that the data exporter must make sure to obtain specific consent before the transfer is put in place even if this occurs after the collection of the data has been made)

> With regard to transfers necessary for the performance of a contract between the data subject and the controller, it should be borne in mind that personal data may only be transferred when the transfer is occasional. It would have to be established on a case-by-case basis whether data transfers would be determined as “occasional” or “non-occasional”. In any case, this derogation can only be relied upon when the transfer is objectively necessary for the performance of the contract

https://edpb.europa.eu/sites/default/files/files/file1/20200...


This isn't a data localisation issue.

The EU isn't saying that personal data has to be processed only in the EU. They're saying it has to be processed somewhere with adequate standards of data protection.


Where outside of the EU has been certified in this way?


Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, and Uruguay.


As long as international companies have the option to exclude any local government, they can simply vote by participation. Texas requires something that a Swiss social network cannot abide? Block Texas.

This doesn't work when a law doesn't allow some foreign company to escape, though. Suppose Texas decides that toy makers are liable for toys that hurt children. A Swiss company that makes army knives for kids decides not to sell to Texas, but other people buy some and then resell them in Texas. If the original manufacturer can't avoid the local government, that's more complicated.


Because I don't see anyone downstream agreeing with you, I just wanted to hop in and +1 that I think you're REALLY making good points throughout this thread. I think a lot of folks are having trouble imagining a world beyond "EU laws" and "US laws". If every national or even state/provincial government has its own data laws (we already have 5 states in the US with GDPR-like legislation, and more likely on the way), then we're just accelerating towards a fragmented internet __with no opt-out mechanism for the individual__. When (especially smaller) companies get weighed down by legal interpretations and the fear of violations, they're just gonna start blocking more and more clients from everywhere outside their jurisdiction. (Apologies to the world, but I literally work on software that makes it easier to resolve geolocation for web devs and, among some other reasons, one of the top ones is to block certain georegions.)

Separately, while I'm all for internet privacy and am generally aligned with the _intent_ of GDPR, having had to meet its requirements at the highest level of scale, I have no qualms saying that it's truly a _terrible_ piece of legislation. Clearly whole sections were written without any regard for technical accuracy, and it leaves a number of ambiguities and contradictions within its language that continue to go without clarification. I don't feel like getting in the weeds here, but if you ever want to see people getting in the mud about how to actually comply with it, just go take a peek at the higher-comment threads in /r/GDPR.

Personally, I'd much prefer a cascading set of standards coming from a technically oriented consortium of (ideally OSS) folks that could be enforced from the client side as much as possible, and then independently audited on the server side (like a UL certification, but for your server architecture). Most of us here are probably already using a ton of client extensions to enforce as much privacy as we can without breaking things, and if an OSS auditing standard came along for servers, it'd be sweet if I could e.g. set my browser to "EU data servers only" and have my browser give me an option to explicitly override it if I really need to (like we do today with bad SSL certs).

As for the data export and deletion controls...I get the argument that's only enforceable via regulation and government enforcement. But given the ease of data replication and laundering (made even easier in a post-ML world), I'm not optimistic that you can actually "catch" people violating it except against the absolute largest corps ("yeah, we totallyyyyyy deleted all your data, for sureeee"). Feels like it's enforceable at about the order-of-magnitude of insider trading in the US.


While I like the regulations on who can collect and share your data and preventing all these backdoors to the US Gov I also think these regulations make it impossible for small companies to compete with Meta, Google, etc. You can't hire enough legal and compliance experts to get it 100% right not to mention all the extra code you need to write. Maybe that's OK but my cynical side says Google and Meta lawyers write and practically hand these regs to the legislators with that in mind.


I agree, EU fuels the Corporations and blocks small companies from getting any traction, by increasing the compliance levels, without thinking stuff through.

I don't want to say that fighting for privacy rights is a bad thing, but as a small-time entrepreneur, they seem to be on the same side.


That sort of argument sounds a lot like "Small companies should be allowed to abuse their customers because if they aren't, then they can't compete."


Not to mention if you can't move customer data out of a governance region that means you need a separate data center. Which is prohibitively expensive for a small business, but something a big corporation like Meta or Google would probably do anyway.


A "small company" facing global-scale governance challenges rather sounds like a luxury problem of big companies.


> You can't hire enough legal and compliance experts to get it 100% right not to mention all the extra code you need to write.

You don't need to hire a team, just a company. A lot of companies offer this exact service now and effectively.

For example: Drata.


> I believe the same happens in the US, one state such as California will make progressive law changes that force companies to just apply the same standards across other states as it's less legal and regulatory burden, so effectively one state can actually change the system for everyone, no global super government required.

I almost bought a car from Carvana. They had all my info: driver's license images, SSN, etc. At the last minute they required a DocuSign signature, which I told them upfront I wouldn't use, so I canceled the deal.

Afterward, I told them I wanted all of my info deleted since we didn't do a transaction. They said they could only do that for CA residents. A CA law is not going to cause companies to follow that law for all US citizens if it's to the company's advantage not to follow it.


> What I believe is happening here is the EU is setting a new standard that the US and UK and others will have to follow if they want to do business in the EU, unless they invest millions in infrastructure and staff.

That’s called the Brussels effect (https://en.wikipedia.org/wiki/Brussels_effect), and indeed is similar to the California effect (https://en.wikipedia.org/wiki/California_effect)


I just heard Eric Hughes give a talk about this and the non-regulatory solution was pretty simple, flood the field with so much bullshit that the data collected is worthless. Sadly most people happily give away their most personal information for "free" email, chat and search engine. I don't think most people are willing to actually pay for the services provided to them in exchange for their detailed personal information, maybe people's opinions will change but I wouldn't bet on it and meaningful regulation written by lobbyists and voted on by octogenarians probably won't happen either.


Do you have any examples of software that currently accomplishes this for any services that are based around user profiles, often tied to a phone number?

Especially for unilateral users of such software? (if I could convince fellow proprietary service-users to use some obfuscating software that generated/filtered a bunch of fake communications, I could just convince them to use Free software instead of the proprietary service)


Any details on that talk or the venue it was presented in? I don't find any likely recent context from a Web search (and Hughes's name is increasingly colliding with others).

That said, effective chaffing is difficult and does little to mask methods used to surveil or profile. It's also highly ineffective against strong-intent signalling such as purchase behaviours, unless someone is willing to buy items of little interest or purchase-and-return with sufficient aggressiveness to likely provoke not only vendor cancellation but fraud or criminal investigation.

Cory Doctorow from a Reddit AMA a couple of years ago on chaffing's ineffectiveness:

> Chaffing turns out to be pretty easy to detect, because people aren't random - generating data that is both plausible and doesn't leak anything is really hard.

> The most common solution to this from information theory is to broadcast a steady volume of noise that is sometimes mixed with signal: for example, you start a Twitter feed that tweets out exactly 280 characters of random noise every minute. Sometimes, though, you push ciphertexts into that stream. Your counterparty analyzes EVERYTHING you tweet, looking for data that decrypts with their private key and your public key. Adversaries can't tell who you're talking to, nor can they tell when you're talking.

> This is much harder to do with something like your web traffic....

<https://old.reddit.com/r/privacy/comments/j444u4/how_to_dest...>

And it's even harder with purchase history, postal mail, or phone-call activity.

In practice, the method would be unavailable to much of the public, and of and by itself a strong indication of surveillance interest, much as use of, say, PGP is long reported to be.
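
The steady-noise channel from the quoted AMA answer, sketched as an added example that is not part of the comment above or of the AMA. Assumptions: a pre-shared symmetric key and an HMAC-SHA256 keystream with encrypt-then-MAC (Python standard library only) stand in for the public-key encryption the quote describes, one slot is 280 bytes rather than 280 characters, and all function names are illustrative.

```python
import hashlib
import hmac
import os

SLOT_SIZE = 280                              # every broadcast slot has this exact length
NONCE_LEN = 16
TAG_LEN = 32
BODY_LEN = SLOT_SIZE - NONCE_LEN - TAG_LEN   # 232 bytes of padded plaintext
MAX_MSG = BODY_LEN - 2                       # 2 bytes carry the real message length


def _subkeys(shared_key):
    """Derive separate encryption and MAC keys from the shared key."""
    enc = hmac.new(shared_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(shared_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    """Stand-in stream cipher: HMAC-SHA256 used as a PRF in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        block_input = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block_input, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cover_slot():
    """A slot that carries nothing: pure random bytes."""
    return os.urandom(SLOT_SIZE)


def signal_slot(shared_key, message):
    """A slot that carries a message, padded so it is the same size as cover."""
    if len(message) > MAX_MSG:
        raise ValueError("message does not fit in one slot")
    enc_key, mac_key = _subkeys(shared_key)
    nonce = os.urandom(NONCE_LEN)
    body = (len(message).to_bytes(2, "big") + message).ljust(BODY_LEN, b"\x00")
    ciphertext = _xor(body, _keystream(enc_key, nonce, BODY_LEN))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def build_stream(shared_key, n_slots, messages):
    """Emit one slot per tick; `messages` maps slot index -> plaintext bytes."""
    return [
        signal_slot(shared_key, messages[i]) if i in messages else cover_slot()
        for i in range(n_slots)
    ]


def try_open(shared_key, slot):
    """Return the plaintext if the slot authenticates under this key, else None."""
    if len(slot) != SLOT_SIZE:
        return None
    enc_key, mac_key = _subkeys(shared_key)
    nonce = slot[:NONCE_LEN]
    ciphertext = slot[NONCE_LEN:-TAG_LEN]
    tag = slot[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                          # cover traffic, or meant for someone else
    body = _xor(ciphertext, _keystream(enc_key, nonce, BODY_LEN))
    length = int.from_bytes(body[:2], "big")
    if length > MAX_MSG:
        return None
    return body[2:2 + length]


def scan(shared_key, stream):
    """The counterparty's side: trial-decrypt every slot, keep what verifies."""
    found = []
    for index, slot in enumerate(stream):
        message = try_open(shared_key, slot)
        if message is not None:
            found.append((index, message))
    return found


if __name__ == "__main__":
    key = b"constructed demo key, not a real secret"
    stream = build_stream(key, 10, {3: b"first note", 7: b"second note"})
    print(scan(key, stream))                 # slots 3 and 7 open for the key holder
    print(scan(b"some other key", stream))   # nothing opens for anyone else
```

Every slot has the same length and arrives at the same rate, so an observer without the key sees no difference between a tick that carried a message and one that did not; this is the property the quote relies on, and the one that is hard to reproduce for web traffic or purchase history.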


You didn’t answer the question. How do you have a global graph without sending data to every country where your friends are?

This is another example of clueless EU regulators creating laws with no understanding of the implications


> You didn’t answer the question. How do you have a global graph without sending data to every country where your friends are?

You do not, but that is not what the ruling is about. This ruling is about Meta using standard contracts (SCC) to achieve mass acceptance for personal data transfers of EU citizens out of the EU. Which you are not allowed to do with the GDPR. If Meta had obtained individual permissions from you on your various personal information, then it would not have been illegal for Meta to share your information globally.

This isn’t really about what you share on FB either, it’s about all the data that Meta applications gather about you (often without your knowledge) that they then send outside the EU with a very generalised permission that you probably auto-accepted when you signed up. It’s exactly because the EU regulators know that people auto-accept those general agreements without ever reading them that the law has been made to make such agreements non-GDPR-compliant. The reasoning is that you cannot sign away your rights without understanding what you are signing away, and if corporations don’t want to make sure you know what you are agreeing to then the corporations are in violation of EU law.


> How do you have a global graph without sending data to every country where your friends are?

Why is it important that this can be done? The "social graph" is for the benefit of the likes of Facebook. You already know who your friends are and how to talk with them. You don't need a third-party social graph for that.


So Facebook and no other social media platform should exist? Or are you saying that a messaging platform shouldn’t store messages between a user in the EU and a group of users in the US?


> How do you have a global graph without sending data to every country where your friends are?

On-Demand, i.e., if one of your friends actually visited your "node" (profile or whatever) and also by following the law for the country the data originates from, no need to store anything in the target country – i.e., like most of the internet already works (or worked), it's really not _that_ hard.

> This is another example of clueless EU regulators creating laws with no understanding of the implications

Meh, maybe some are clueless, but one sees also a lot of head scratching and scapegoating from people that don't bother to even think on solutions or what the actual laws are about (i.e., are themselves clueless about the actual implications).


And what happens when I send a private message from the EU to someone in the US via Messenger?


It needs to be simultaneously accessible to UK law enforcement and not reachable from another country. Come on Meta, can't you solve that really easy one?


bans UK


If you sent that, it's OK to have the data transferred, like I can already send a letter with a USB pen drive to a friend in America without anyone in the chain being liable for handling that, as long as they don't leak to third parties, i.e., anyone I did not choose to give my data.

As said, it's really not that hard.


Well, a private message sent via Messenger is not personal data (PII), so is not covered by GDPR. This is a very simple concept that critics of GDPR seem to ignore or get wrong over and over again.

It’s not about protecting all data. It’s about protecting personal data.

https://gdpr.eu/eu-gdpr-personal-data/


How is a private message not personal data?


There's literally a definition of PII at the link given above, which could tell you that. So stop asking stupid questions.


So yes you’re right my personal messages attached to my user name don’t relate to an identifiable person.

“which is any piece of information that relates to an identifiable person.”


No, you are misinterpreting what the law is saying. The purpose of the law is to protect from the collection of data points (height, age, political opinions, etc.) about individuals. Sure, a private message between two individuals can contain such information in a way that can be associated with a specific individual. If Facebook would scan all private messages for such data and store it in unencrypted form, then yes, they would violate GDPR. But a simple text message between two individuals does not by default violate GDPR.

A very important aspect of GDPR is a consideration for the purpose of the processing of data. If your company is providing an international messaging service in order to harvest sensitive personal data from private messages, then yes that is very much illegal. But if the purpose is simply to provide a messaging service and you are taking the appropriate steps to secure the data of your users, then it is not illegal.


> your company is providing an international messaging service in order to harvest sensitive personal data from private messages, then yes that is very much illegal

The government hates competition. Only they should have the right to do that and force back doors on encryption standards…


If the message is really private (i.e. end-to-end encrypted) then Facebook can't see it, and if it can't see it, or process it in any way then the GDPR does not apply. And if Facebook does access the message and stores it on their servers in plaintext form then that's their (bad) choice, and they should be held responsible for it.


So now we agree that asking about private messages is not a “stupid” question?

And then if they do e2e encryption where the EU can’t get to it, that runs afoul of another proposed EU regulation.

https://www.politico.eu/article/eu-commission-violation-priv...


The message is sent to the EU bureaucrats so they can scan it for X, where X is initially child porno but will surely expand. Your friend just sees a gray box with the text “Displaying this message would violate the GDPR.”

It’s the perfect user experience!


GDPR states, "The storage limitation principles state that you should keep personal data for as long as the purpose is unfulfilled"

Seems like FB was storing a little bit more than just social graph and for a bit longer.


Counterpoint: how do we govern global issues with a global government? I’m not sure it’s any easier.


I'll try a coding analogy, as I saw your bio says you've done a lot of coding. The analogy may be off, and I assume you've done a lot more coding than me so I'm curious to hear your reaction.

Imagine coding a program and there are no variables or methods with global scope. If you want to know the number of users in the program, you have to add up all the user variables from each object and each object defines a user in a different way. Also, to access the user variables in each object, you need to use different methods. Now imagine there are 190+ different objects. Some are similar, some different, and they are constantly changing in their structure.

How would you be able to run global functions?

I imagine having standardized ways to access the objects (variables and methods within) could really help improve the program.

If those 190+ objects are not objects but libraries with different developers and different API structures and maybe languages, it can get even more complex without some coordination from a higher-level perspective.

How does that analogy land for you?


Amazing counterpoint!


The UN kind of does that


The UN is not a government. It is a mostly voluntary organization that exists purely so we never end up in a situation like we did in 1914 or 1939 where the countries of the world are just not at table talking to each other.

Yes, the UN does lots of things. But it has no power to do those things without the voluntary buy-in of member states.


[flagged]


Kind of have to agree with this sentiment. The UN is toothless and while the idea was good, I believe it has failed in practice. That isn't to say we should just scrap the whole thing as there really isn't an alternative, even though I believe it will eventually be abandoned.

It does seem like the golden age of international co-operation is at an end and more and more countries are becoming insular, entering conflict or creating factions with specific neighbours.


Was the UN meant to be a 'global government' or more of a newer forum for the superpowers to avoid nuclear conflict? If the latter, it's done a pretty reasonable job so far.


Nah the UN does what it should, prevents world wars and nuclear holocaust by keeping superpowers talking in an open forum. That's kind of the only point of it, not to be some kind of world government.

> The United Nations, referred to informally as the UN, is an intergovernmental organization whose stated purposes are to maintain international peace and security, develop friendly relations among nations, achieve international cooperation, and serve as a centre for harmonizing the actions of nations.


A global government isn't really possible. I think the fundamental issue is that a tribe of "everyone" doesn't really work without a counterpart. I think the solution begins by colonizing Mars, a few moons, maybe some asteroids.

Edit: fine, more Mars land for me!


I think a better way to frame this is “Is it possible to use the rule of law across national boundaries?” Clearly the answer is currently a qualified “yes”: Laws, treaties, etc do exist and are commonly used. The areas that are addressed are clearly not uniform, nor can we rely on all nations to participate, and the enforcement of laws across national boundaries are extremely tricky and currently limited. However, that should not stop us as a planet from trying to improve global cooperation through the law, rather we should look at it as “more work to do”.


Global government is only the extension of local, national and regional government. The E.U. already is a kind of "international" government in that it creates de facto laws, rules and regulations that supersede the laws of its member states. Similar constructs (though not as advanced) exist i.e. in West and East Africa.

A global government is an entirely logical next step and could be a very valuable asset when dealing with truly global issues.


If I'm living under a dictatorship, at least I can try to escape and move to a better place. If a global government becomes tyrannical, where do we go?

Such an idea is centuries away in the best case scenario.


How about you stay and work towards changing the government? This is literally how every democracy has developed. It is also the reality for several Billion people today. Most can't just up and leave if they disagree with their governments. Borders are not open for most people.


I'm far from convinced that a global government could possibly be a good thing. I think that a large part of the political problems in the US, for instance, is because it's trying to govern too many people of very different and often incompatible cultures and values.


The magic word is "subsidiarity": the principle that political decisions should always be made on the most local level that still enables their resolution. Under that principle, a (democratically legitimized) world government would only be tasked with creating laws pertaining to truly global issues (i.e. setting limits for the emissions of CO2). I agree with other comments here that this is unrealistic in the near future. But that doesn't mean that it is not a good idea.


The trick is coming up with a system where the upper layers of government don't try to take over the matters from the lower ones. The problem, fundamentally, is deciding what "pertains to truly global issues" - in a democracy, it's ultimately the people doing that, so if you can convince them that whatever local problem X is really important, it can become "global" all of a sudden.


This kind of stuff is usually set out in constitutions or basic laws which in turn can be enforced by courts – the usual division of power stuff. You could also introduce some sort of check on the power of a global government. In Germany, parliament has to get approval of the majority of state governments for certain laws to enter into force, for example. Same is true for the E.U.: The E.U. parliament and the council of the national governments of E.U. member states both have to agree to new laws and regulations in most cases, which guarantees that either one can't ride roughshod over the core interests of the other.


It usually is, but long-term there's a trend of, shall we say, creatively reinterpreting what's written to the same effect - just look at US. Some would argue that EU shows the same trend, although it's young enough that this doesn't manifest quite so much.


I’d actually argue that the increasing centralization of power in the U.S. is due to the increasing nationalization of political issues and the requirement for nation-wide resolutions to problems. The way it has expressed itself (strong presidential executive instead of parliamentary democracy) is probably due to the way the U.S. constitution was originally framed and some random events along the way.


But that's the thing - why are these all suddenly "national issues"? Even healthcare can be done state by state (Canada of all places did it that way, and their system is still fundamentally province-centric), never mind all the culture war stuff. Is it really the most local level on which these matters need to be resolved? Or are they deliberately pushed there for political games?


You can have plenty of tribalism and conflict between people under the same government.


>> how do we govern global issues without a global government?

By consensus. By willing participation of all. By individual countries actively deciding to operate in the agreed best interests of the whole. And when countries act egregiously badly, subsets of the larger group band together to employ military force against them. Government can exist without rigid structures. The enforcement of norms by the collective is a form of government. This is what they mean when diplomats speak of threats to the "international system" even though we lack any official world government.


Well, governments also can declare wars, send chaps off to die in them, and lock people in boxes for not following rules written down by the governments. They can also collect money from people under same threat of box-locking.

Not every "enforcement of norms by the collective" (what's the collective?) can do that.


World government doesn't mean world peace. Wars and locking people up are all part of legitimate government.


A government by definition has a monopoly on state violence. If constituent members are going to war against each other then the so-called global government is not actually a government, it's more of a voluntary association similar to the UN that doesn't actually have much real power.


I'm answering your comment! Did you forget the context my friend? : - )


> Where data is processed should not affect the care with which it is processed. I can conceive of some verifiable processing package that ensures data can be processed wherever and still meet regulations. Can that be part of the future?

Not with US laws. The whole problem is US laws essentially allowing the government to force any company to disclose whatever they need with little reason. That's the problem: that the moment data are processed by a US company (not even necessarily in the US), the US government has the right to violate privacy.


You seem to imply that none of the EU member countries are violating their citizens' internet privacy on a regular basis. I recognize that there are certain countries with _much_ stronger privacy protections in place, and that might not have something on the scale of FISA (from some of the compliance work I've done in the past, Germany comes to mind, but I'm sure there are a strong set of others).

But I'm curious if you explicitly believe that EU/EEA member countries unilaterally _don't_ spy on their citizens. Because I'd be inclined to say that's unlikely (at best) given what we know about the nature of intelligence organizations, namely that they're basically data lake vacuums in the 21st century.


The question is what is legal or not.

The US has laws that give them the legal right to snoop on any data about EU (and other foreign) citizens.

Those laws make it impossible to follow EU privacy laws as a US company.

One of the two has to give, and the US should make exceptions for EU citizens, or rescind the CLOUD Act.


This is the crux of the issue.

It's frustrating how many people are stuck in this loop, where they think any company can "easily" follow GDPR by just swapping data regions with their cloud provider. It's not that simple and never was.

This is a broader political spat between two of the largest government bodies in the world, not about facebook.

The EU is not the global privacy champion everyone makes them out to be. They just don't like that US companies can access EU citizens' data specifically (since most of the internet is run by US companies). Whether they're okay snooping on their own citizens themselves is a separate issue--they've also regularly challenged encryption domestically.

I'm also certain the EU is not upset that certain 3 letter agencies in the US have access to Russians' private data when in the context of the war in the Ukraine. Like all governments, the EU only cares about their own interests, not about the philosophical idea of privacy in general.


Idk if they have the “right” to violate privacy (or whatever) I think that the US government just does it and they don’t care.

It would be great if the US (and Chinese) governments didn’t act in this way (I’m sure the EU would act in the same way if they had tech companies) but it seems to be their nature.


> Idk if they have the “right” to violate privacy (or whatever) I think that the US government just does it and they don’t care.

No, the problem is that the US has specific laws that allows the government to require companies to secretly violate privacy, and punish them if they refuse, or even for just disclosing that the request was made.


I am pretty sure China and Russia have similar laws. It's just that if a Chinese company tried putting a canary on their annual report, they would find someone explaining the difference between "letter" and "spirit" very clearly.

The administrations of China and the USA are different of course, but not so different. The big difference is in the institutions and norms.


> I am pretty sure China and Russia have similar laws.

Transferring the private data of EU citizens to China or Russia would also be a major crime.

> The big difference is in the institutions and norms.

In theory yes; however the US has a strong norm of following the letter of the law, so what the letter of the US law says is important.


"the US has a strong norm of following the letter of the law" The US Government doesn't.


Yes they do - why else would they write so many careful loopholes into their laws?


Then they just ignore the law altogether. Like FBI making almost 300k illegal searches. Because they can. https://townhall.com/columnists/kevinmccullough/2023/05/21/f...

There will be no consequences whatsoever to anyone involved. The laws are for you to obey and for them to prosecute you, not the other way around.


"...if [The EU] had tech companies"?


So you almost had me there. First of all your points are all valid. Where something felt weird to me was the edges. What is the exact value for customers in this edgeset being maintained and worse harvested, I mean processed? Today we have edges outside the context of a social network - my contacts in email, phone book etc. And those "edges" (not the target node) belong to - you guessed it - me. Nobody should harvest it without consent and/or maliciously. (There is the whole argument about internet ceasing to exist without ads and nobody would pay yada yada which I felt was too reductionist). If somebody needs to harvest it, get consent and let user decide how, where, when, why etc.

So in this context is your con really a con?


> And those "edges" (not the target node) belong to - you guessed it - me.

For a contact in an email address book, that makes sense. But for a "friend" relationship in Facebook, which side owns that edge? Or how about a message sent from someone in the EU to someone in the US, who owns that, the sender or the recipient? And if it is just one, does that mean that different messages for the same conversation have to be stored in different regions?


In this case the problem can be solved with 2 edges :) I am your friend and you are mine. Keep an edge on each side. Heck I could be your friend you may not choose to be my friend and that is fine. This gets even more fun as now both parties have to consent to only share "their" friend status with FB. Americans are forced to share their friendships, Europeans are not. Again total value for users no?

Now is this technically optimised (for the company) - no and irrelevant (IMO) in the context of how much control/power a user has. You could extend this to messages too. What messages I sent, what messages I received. I didn't send it - I don't own it. What about shared documents you say? Here users are explicitly sharing with other users for collaboration (the contents of said documents totally are of no business to the company).

See providers are providing a service(?). If the service needs to harvest data I still question who is benefiting from that harvesting? If the user is not actually seeing value (apart from subsidizing the cost of the internet) are we then not just using technical/UX complexities to justify a low-value (to the user) solution?


> For a contact in an email address book, that makes sense. But for a "friend" relationship in Facebook, which side owns that edge?

I don't see where there's any ambiguity on this issue. Each individual has the right to not be subjected to spying and monitoring, which includes collecting personal and private information. A social graph is not a data dump where you are a mere drop in the ocean. A social graph is an ocean of personal and private data collected from you. Therefore, it's quite obvious that individuals have the right to not have all this ocean of personal and private data collected on them, especially without their explicit and informed consent, and they should have the right to force anyone to delete this info, both all or subsets, automatically and reliably and verifiably.

Just because I don't mind hearing what my aunt has to say about what she baked or who she chatted with, that does not grant you the right to get my credit score or where I went to high school with or who I met years ago or where I lived, just because third parties and other edge nodes in a social graph posted that information and data that enabled you to piece it together. What is there to be discussed?


Let’s be clearer about what a Facebook ‘edge’ is. It’s something like:

   Alice tagged you in a photo with Bob
   Bob liked the photo

Now, let’s say Alice and Bob are both EU citizens, and I live in the US.

Can Facebook tell me that Alice tagged Bob in the photo? Can Facebook show me the photo I was tagged in? Can Facebook tell me Bob liked it?


> Where data is processed should not affect the care with which it is processed.

But I think you're pretty clear on the fact that it does. We live in a non-abstracted world of atoms.


I think that's why they said "should."


Is that why they said "should"?


> Where data is processed should not affect the care with which it is processed. I can conceive of some verifiable processing package that ensures data can be processed wherever and still meet regulations. Can that be part of the future?

To an extent GDPR already allows this. The fines are only occurring because Facebook is transferring data into a jurisdiction which doesn’t have strong enough data protection laws to satisfy GDPR.

In the U.S. case specifically, it’s issues around laws that allow the U.S. government to force U.S. companies to hand over data arbitrarily with very little (if any) due process. If the U.S. modified their draconian laws to ensure that everyone was afforded due process before their data was scooped up by the U.S. government, then there wouldn’t be an issue.

Unfortunately verifiable processing packages don’t solve the fundamental problem that the various three letter U.S. agencies can send a secret order, with effectively zero judicial oversight, to Facebook and compel them to hand over data, plus gag Facebook from telling the individuals about the demand.


There’s a new EU-US data framework that’s expected to be ratified within a year which should make EU-US transfers possible again under new guidelines. It’s possible this fine was intended to pre-empt the passing of any new frameworks and cash in on the uncertainty in the interim.

Fining foreign big tech over EU privacy nuances is like taking candy from a baby. The narrative zeitgeist on both sides of the pond is in support (stories of rigged elections for 4 years turned public opinion brilliantly).

While protecting your citizens’ rights is a noble cause, it’s hard not to see the moral hazard inherent in this approach.

Abusing your position as a desirable market to impose post-hoc tariffs via an endless stream of fines is questionable IMO. Especially while the US provides Europe with its extremely expensive military support blanket (NATO) against the angry bear at its door.


> Abusing your position as a desirable market to impose post-hoc tariffs via an endless stream of fines is questionable IMO.

There's a simple scenario in which Meta wouldn't have had to pay these fines: Don't break the law. And don't continue breaking the law after being told to stop it. It's not abusive to remind companies that actions have consequences in the language they understand and respect.


Do you honestly believe that Meta's hundreds (possibly thousands) of both full-time and contracted out lawyers would collectively advise them to break the law? Knowing full well the outcome would be $Billions in fines?

EU to US data transfers used to be okay for years, then there was a single ruling that brought that into question. Because government moves slow, there hasn't been a new framework implemented. Ruling for Billions in fines during the interim, while the US government and EU are still negotiating the details of the new framework is not an environment conducive to full compliance. US companies would essentially need to stop operating in the EU altogether if they wanted to be fully compliant.

Combine this with giant companies which also are slow moving (albeit faster than government) and you have a recipe for never-ending fines no matter how much you try to comply in good faith.


Corporate lawyering is basically about finding ways to break the spirit or letter of the law without being punished for it. Or to limit the punishment so that it is exceeded by the likely profit of breaking the law. So yes, Meta's thousands of lawyers probably recommend breaking (or "interpreting") certain laws in certain ways all the time because the cost/benefit analysis makes it worth it. And sometimes they miscalculate and the fines are larger than the profit or result in some unexpected political blowback. See also Apple's approach to its App Store and payment policies.

EU to US data transfers were questionable for years, until a whole string of rulings through several levels of national and E.U. courts made clear that they weren't under some circumstances. Other companies have found ways to deal with that, Meta obviously could have, but chose not to (because profits). One obvious way would be for Meta to save E.U. customer data on E.U. servers exclusively, splitting the social graph (and advertising shadow profiles, which likely is what they really care about). Good faith does not enter into the equation, would be my guess.


There was also a grace period during which time Meta made no substantive efforts to come into compliance. If Meta had even a half-baked EU solution they would not be so thoroughly and repeatedly punished.

Yeah, standing up a data center is not trivial, but Meta also hires the best in the world. Move fast and break things. In this case they didn’t even move at a medium speed, so they get no sympathy from me.


> Do you honestly believe that Meta's hundreds (possibly thousands) of both full-time and contracted out lawyers would collectively advise them to break the law? Knowing full well the outcome would be $Billions in fines?

Yes, absolutely. Laws are never clear and require human beings to interpret.

Lawyers' jobs are about assessing risk. While they might not have explicitly said "you will get fined $B", they will definitely say "here is the likelihood that the EU fines you" and then Meta management would make a strategic (e.g. do we want to risk this based on how much money we can profit) decision based on that.


> US companies would essentially need to stop operating in the EU altogether if they wanted to be fully compliant.

That's exactly what they should've done to not break the law while there was no legal basis for what they were doing.

They didn't. Now they suffer the consequences for breaking the law.


I believe they can still at any point stop operating in the EU and not pay the fine? How would the EU implement the fine if Meta pulled out? I thought their leverage was just the threat of blocking the service in the EU.


Meta has plenty of EU-based assets which are not liquid enough to just pull out in a matter of months. The EU and national governments would also likely have options under insolvency laws and criminal statutes to freeze some of Meta's assets in the EU if the company made an attempt to pull out to avoid some fines. Of course Meta won't. The EU is a valuable market and even if Meta would stop making any profit (they won't), it can't just leave that market to the competition.


I guess if no Facebook exec ever wants to touch European soil again, that is an option.


Wouldn’t this have to be a criminal case for execs to be personally liable? I assume it isn’t a criminal case?


It's not, but not paying a fine can quickly become a criminal offense.


Does this apply to foreign companies? I’ve never heard of such a thing.

If it was a domestic company, of course, assets could just be seized to pay the fine plus whatever non payment penalty. Is there a criminal charge after asset seizure? Or does this just never happen because there is no incentive to do it domestically?


Not a lawyer, but shutting down a subsidiary to avoid overwhelming fines is de facto messing with the insolvency laws, isn't it? At least in Germany that is a criminal offense for which the executives of the (parent) company are ultimately liable.

Plus, Meta actually is a domestic company in the E.U. They handle all their E.U. business through an Irish subsidiary (which is why the Irish data protection agency is responsible for all of this) and they also have subsidiaries to manage political and customer relations in many other E.U. countries, as well as presumably data centers, etc. Removing all of this would be a big project and would give government agencies plenty of time to seize assets. These assets could also include non-tangibles, i.e. the .de/.fr domains for their websites.


The law is almost a moving target, based on the whims of the current political zeitgeist and public opinion.

And law isn't binary, yes/no. Much US law is very murky and ambiguous. It takes litigation and court action to actually figure out what the poorly worded laws mean. Congress is really bad at creating law for some reason.


The cost of setting up additional data centers in Europe and re-architecting your application with a different replication strategy is probably 10x-50x the fine. It would also take years and a sizable fraction of the engineering team to make it happen and there will be significant performance and reliability issues throughout the process. Easier to pay the fine and lobby for rules changes for a decade.


$1.3bil is a huge sum of money. To put that into perspective you could pay 260 engineers $500k a year for 10 years with that money.

Or 260 engineers $1mil a year for 5 years with that money.

You honestly think it would take 2600-13000 engineers 10 years to do the work needed for compliance?


who says Meta will pay this fine? they will litigate until the end of times.


> There’s a new EU-US data framework that’s expected to be ratified within a year which should make EU-US transfers possible again under new guidelines.

this will likely be found to be unlawful too in the way the last two were

the EU commission shouldn't be creating frameworks that it knows are unlawful (definition of malfeasance?)


Why not? It keeps bureaucrats employed. Thousands of them.


> a new EU-US data framework that’s expected to be ratified within a year which should make EU-US transfers possible again under new guidelines

What specifically has changed about US law relating to mass surveillance of foreign nationals that is going to make this one work?


Most likely even that, if and when it will be done, will have flaws that sooner or later will cause the fall.

Purely from a logical perspective, preventing the data of a company operating in the United States and Europe from contaminating or coming into contact is a pure utopia no matter how much effort it puts into goal or any other company operating in the same or similar field. There will always be a point of contact and a way for European data to be under the lens of some American agency or body.

In addition, Facebook is not really famous for its transparency in data management, so any commitment to the contrary I see as a paper promise.

NATO's excuse that because the US finances then anything is allowed is a fallacious argument.


> It's possible this fine was intended to pre-empt the passing of any new frameworks and cash in on the uncertainty in the interim.

a new framework passing wouldn't retroactively legalize the transfers happening before that, so this doesn't make sense.


> There’s a new EU-US data framework that’s expected to be ratified within a year which should make EU-US transfers possible again under new guidelines.

There’s already been two attempts at this, both of which were ratified, then struck down by the ECJ.

There’s already clear indications that attempt three isn’t much better than attempt one and two, and the smart money is betting on it not being ratified, or being struck down if it is.

In the meantime it’s been illegal for years to transfer EU data to the U.S. So even if it did suddenly become legal, those laws aren’t going to retrospect, and Facebook still engaged in blatantly illegal behaviour.


>"Abusing your position as a desirable market"

Sounds like something that the US does routinely.

>"Especially while the US provides Europe with its extremely expensive military support blanket"

1) I think it is more than compensated by Europe agreeing to use USD as the reserve currency. The US gets enormous benefits as the result.

2) Angry bear seems not to be able to win over a single country. Besides, the US does it for self-serving reasons. It is not a charity. And if it did not, I think Europe is quite capable of creating and maintaining their own army and weapons.


> There’s a new EU-US data framework that’s expected to be ratified within a year which should make EU-US transfers possible again under new guidelines.

Black Books (S01E01) put it best:

> NICK VOLEUR: This new system, it's very closely modelled on the old system, isn't it?

> BERNARD BLACK: I'd go further than that, Nick, I'd say it was more or less exactly the same[.]

Given the US side of said framework is established by executive order[1] and the “court” it creates is part of the executive (much like the “ombudsperson” office that the CJEU struck down Privacy Shield over), it’s unclear if it will work, or if the Commission (an executive body who can establish these things but is subject to judicial review) is setting itself up for a Schrems III another ten years down the line for foreign-relations reasons. The EU privacy regulator very politely said it was dubious[2], while the relevant parliamentary committee[3] and later the full parliament[4] expressed open scorn.

The US diplomats, for their part, are trying for a “you too” defence[5]—which might well be factually true to some extent, just does not change anything about EU law.

> It's possible this fine was intended to pre-empt the passing of any new frameworks and cash in on the uncertainty in the interim.

As the legal basis for a transfer is fixed at the time it’s performed, a framework cannot be retroactive (but “the Commission was wrong, the transfers weren’t lawful after all” decisions can be). So while the FUD may be real, the case could just as well have been decided after the new framework had been passed.

[1] EO 14086, https://www.federalregister.gov/d/2022-22531

[2] https://iapp.org/news/a/edpb-welcomes-improvements-to-eu-us-...

[3] https://iapp.org/news/a/meps-urge-european-commission-to-rej...

[4] https://www.europarl.europa.eu/news/en/press-room/20230505IP...

[5] https://www.politico.eu/article/washington-to-brussels-we-wa...


Why not do the data processing in the EU till the new framework comes into place?


How do you process data about an international social graph only in the EU? When a friend in the EU posts something, should their post not be seen in the US? What happens when I have a group conversation between friends in the US and EU?


Well, if the US and other countries don't have equivalent laws, you can move everything to the EU.

Of course, this doesn't work if another country has such a law. But if it's a smaller country, then it doesn't have as much leverage (e.g. Facebook could accept the smaller fine or pull out).


How do you move “everything” to the EU including messages sent to US citizens? What if the messages are in a group of people in the US and the EU?


What is your better suggestion: The world follows lax US law? Or anything goes, no law?

These are not acceptable options to the EU.


I don’t know, maybe let adults make their own informed decisions and weigh the tradeoffs versus benefits based on their own priorities instead of depending on the government?


You seem to have picked "Or anything goes, no law" which as stated above, is not acceptable to the EU.

Naïve libertarian takes like "let adults make their own informed decisions" are all fine and well, but when there's a track record of their harm that can be pointed to already, it is, as stated, a non-starter.

You do know how that worked out so far, right?

https://www.nytimes.com/2018/10/15/technology/myanmar-facebo...

https://www.amnesty.org/en/latest/news/2022/09/myanmar-faceb...

Your position is an ideology, and it is one with a poor track record; you're welcome to it, but thankfully you're not going to force it on Europe.


So should we now pass laws that outlaw everything that can cause you harm - cigarettes? Alcohol? Gambling? Sugar? Do you also support the “war on drugs”?

How much power do you want to give the government because you are incapable of making your own decisions?


This is a very silly straw man argument, and I'm getting whiplash from the continual changes of topic in search of a valid point.


How so? The contention was that the government should protect intelligent adults because they are too dumb to use their own judgment. But adults are intelligent enough to use alcohol in responsible way (which statistically is clearly not the case), but not intelligent enough to use a social media platform?


>There’s a new EU-US data framework that’s expected to be ratified within a year which should make EU-US transfers possible again under new guidelines.

Until it's struck down by the court again.

The agreement will not - it cannot - satisfy the requirements of the GDPR and CFR unless and until the US changes its law.


> The agreement will not - it cannot - satisfy the requirements of the GDPR and CFR unless and until the US changes its law.

Or unless and until the EU changes its laws.


Let's hope not, given that the stances are

US: "we demand the right to spy on anyone for any reason, except US citizens where we absolutely must recognize their constitutional rights"

EU: "we demand basic protections for the rights of our citizens"


Those two views sound the same? Or am I an idiot?


No. For one, even taken literally the way I wrote it it's about two different sets of people -- the EU must defend their citizens (and residents, BTW), of course!

For another, if one looks past my vague wording, the EU (or at least Germany, which I'm most familiar with) doesn't have the dogma that it's required to set up a world spanning total surveillance state, no compromises beyond the ones absolutely necessary with their own constitution (and even those are followed within a rather "liberal" framework for the three-letter-agencies: they do have all possible data they can get their hands on, just pinky-promise to not abuse it, if US citizens are impacted, in the eyes of secret courts).


EU does not require a warrant for taking of data from residents [0] by LE. There is little legal protection from LE in Europe, "law enforcement agencies can access the personal data of citizens of any country as long as they are involved in investigating crimes related to the European Union."

[0]: https://law.yale.edu/sites/default/files/area/center/china/d...


Why would the EU change laws about how business is supposed to be conducted in the EU?


Because 10s of millions of Europeans benefit from US services and making it easier for US services to operate benefits their citizens.


> making it easier for US services to operate benefits their citizens.

The reason we have regulations is that the opposite proved to be true.


GDPR (and the national laws it replaced) does not exist in a vacuum, but is an implementation of ECHR art. 8, and CFREU art. 7 and 8. If it is changed, odds are it will become stronger, not weaker. And it is quite foolish to think the CFR will be changed to accommodate companies like Meta.


Yes it’s not like the EU isn’t also trying to pass laws that force every encrypted communication to have a backdoor so they can spy….


Note that you are wrong on zero Judicial oversight...as it has originally been reviewed by the courts numerous times.

And, the 5-eyes (my term) still do collect some data behind the scenes that has minimal court oversight including GDPR.


There's two parts:

1. Hitting the big companies for the minor violations is a bit like arresting the mob boss for tax evasion. It's a lot more black and white than arguing whether they performed the right balancing test for legitimate interests (though actually they have previously been hammered for that one too).

2.

> Where data is processed should not affect the care with which it is processed.

This is true, but it does affect the conflicting requirements it may be subject to. After all the Snowden revelations, it's clear the US data privacy regime is not sufficient, as the US government will take what it wants, and that's why transfers regimes to the US are repeatedly struck down.


The difference is that everybody agrees what the crime of the mob boss is, even if they can't prove it, whereas on Facebook people critique but there does not appear to be a consistent critique that makes sense to me.

Data privacy? That is definitely not what most people are talking about when they critique facebook. The free speech & misinformation lines of thought are directly in conflict.


> That is definitely not what most people are talking about when they critique facebook.

A whole lot of people are talking more about data privacy than free speech on Facebook, though. Is one discussed more than the other? I don't know -- but I suspect most are talking about neither, and which group appears to be the majority depends on which group you tend to hang around more.


Schrems I was 2013, which you'll note is 3 years before the US 2016 election and the covid-19 pandemic which are the two factors that really raised the tempo around the misinformation discussion. It's also 3 years before GDPR was passed, relying on earlier European privacy law and being largely driven by private citizen campaigns (including Europe vs Facebook).

So while the contemporary US discussion is far more dominated by elderly consuming political content, that doesn't mean nobody cared about privacy. You just need to see the furor about Cambridge Analytica or the Snowden leaks to see that that is a concern.


Data privacy is linked to misinformation however in that by tricking you to give up all your data, they know you down to a t. They then sell that info on to propaganda/misinformation outfits and ad firms who can then target too much more efficiently.


Most of the misinformation concerns have to do with what other people are posting, but then people try to contort it into a critique of the platform without saying the quiet part out loud ("we should have a mechanism for deciding on 'truths' and have platforms censor things outside of those 'truths'") because the quiet part is actually unpopular.


I'm not a fan of barriers but this is coming down to "ban or regulate".

Whatever TikTok is to the USA, Meta and the rest is the same for EU. TikTok has known links to the Chinese Communist Party and the American social media and tech in general has proven links to US intelligence and mass surveillance programs. You may say that CCP is adversary and US-EU are ally but then again the US has proven to be able to elect anti European government, so EU can't afford to rely on not having Trump or similar once again in power.

The Americans are considering to ban TikTok, do you want EU to adopt the same approach and ban TikTok along with Meta and the rest?

I like the EU approach better; even if it's not ideal, it's better than a complete ban. Honestly, I'm terrified of banning becoming the norm because this will mean a completely fragmented internet and this will mean the end of global society because the countries will be able to shape their society the way it suits them for internal politics.


The big and critical difference between TikTok connections to CCP and Meta connections to three letter agencies is that US and EU are military allies while US and China are strategic adversaries with chance of real hot war in the next 5 years.

Military umbrella that US provides to EU that includes military bases, transfer of military technology and freedom of navigation for middle east oil forces all parties to play much nicer. Fines to tech companies are fine (and often are supported by US regulators) but drastic steps like even seriously proposing banning big US tech companies are obviously over the line and are unacceptable.

Even beyond alliance, EU can start trade war but do not be surprised if then BMW and Mercedes cars surprisingly develop safety issues that require full recall and compensation to all car buyers for harm.


The argument is that the EU cannot and should not even attempt to prevent unaccountable spying on its citizens by foreign states, or it will have its legs broken?


I'm assuming "having its legs" broken refers to having German car companies treated by the US like Silicon Valley tech companies are treated by the EU?


Are the German car companies spying in the United States?

(OK, that's snarky, but the car companies did actually have to pay out .. because they defrauded US consumers! Not all "crime" committed by companies is made up to sell trade restrictions!)


So... like they already do? EU car and airplane manufacturers already produce their US models in the US due to tariffs rendering importing EU models uncompetitive.


Is that much different from the current foreign car import quotas and financial aids to categories dominated by US makers ?


No, that's the approach in South America. In Europe it would be a bit more subtle.


> Even beyond alliance, EU can start trade war

That's how European leaders saw IRA. They didn't retaliate because of the current context, but I find it surprising that US technologists are so oblivious to this kind of context, while resenting so acutely when US companies are asked to respect EU law.


> Military umbrella that US provides to EU that includes […]

…and also includes spying on EU citizens on EU (and the Five Eyes) leaders' behalf (aka "sharing intelligence"). Don't forget that data transfer to the US also provides European leaders a way to circumvent their own privacy regulations, which is unacceptable.


Facebook being banned in the EU has no justifiable bearing on NATO obligations. NATO is not a trade agreement.


The trade wars have already begun with the Inflation Reduction Act - the US is already turning protectionist and subsidising its own industry to the detriment of its allies' industry. I wouldn't put it past a future government to take more drastic action, whether or not the EU takes a hard stance on US tech.

The US is still a vital ally of Europe and I'm optimistic that this relationship will continue. But Trump and the alignment of factions of the Republican Party with Russian interests have demonstrated that this relationship is no longer rock-solid. Even the Democrats are shakier than they used to be, and orienting for a more self-reliant US.

The US is preparing itself for the end of the post-Cold War liberal global order. The European-American alliance may survive this shift or it may not. Drastic action against US tech is absolutely still premature, but we should be prepared for European interests to no longer necessarily be the same as American interests.


>>But Trump and the alignment of factions of the Republican Party with Russian interests

hmmm

>>> already begun with the Inflation Reduction Act - the US is already turning protectionist

you do know that was a Democratic supported, passed and celebrated law right? Not republican.

I have no love lost for the republicans, but this idea that all the problems with US politics are because of Republicans (or worse the Trump bogey man) is moronic and ignorant.

>The European-American alliance may survive this shift or it may not.

This shift has to take place with Europe advancing more of its national defense itself, America simply can not afford to be the world police anymore. The American People are demanding ever increasing social programs, EU Style Social programs, which the EU has been able to have due to the protection umbrella the US has provided at great cost since WWII, to date almost none of the NATO Nations have ever honored their minuscule treaty requirements of 3% GDP defense spending, when they should be closer to 10-15%, but most are at 1-2% (or less)

@32 Trillion Dollars in debt, the US Bank is collapsing, and closed...


>"but this idea that all the problems with US politics are because of Republicans"

Maybe the problem is for people not realizing that they are dealing with 2 buttocks of the same butt. And it does not look like said butt is by the people / for the people. Instead of fighting between each other people could be better off doing something productive about it.


"2 buttocks of the same butt."

How is this possibly the case when there are vastly different laws and rhetoric from both sides? I get you are implying that both are there to benefit the wealthy, which is true, but they also do other things that affect people. Abortion, gay rights, spending, taxation, gun laws. How are they the same???

Then you ask people to do something productive, what? Revolution? That will likely destroy the US economy and possibly the global economy for years. It will also lead to a large loss of life. There's also no guarantee what happens after will be positive. Look at France, post revolution they had a bunch of shitty governments/dictators and then the king came back.

So what are you suggesting?


The whole point of "both sides the same" rhetoric is to discourage people from doing anything political, that's why it never has any actionable suggestions. The only option to get something done in the US is to shack up with one of the political parties and hope you can get enough altruistic people elected to dismantle the broken two party system. "Both sides the same" wants to preempt you from thinking there is a "less bad" side to choose, so that you don't choose a side, so that nothing ever happens.

Both sides are OBJECTIVELY not the same. You can easily look at voting history and see that, even if you don't believe anything you hear on the news.

Think long and hard whenever someone tells you this fallacy.


"The whole point of "both sides the same" rhetoric is to discourage people from doing anything political, that's why it never has any actionable suggestions. "

I also believe this is the goal of many of the "both sides" people. Since not voting benefits Republicans[1] I believe those people have an ulterior motive to help them win

https://www.nbcnews.com/politics/elections/supreme-court-gop...


Your link is a completely different argument to the one being made here about "non-voters"

Non-voters are people disgruntled with the current 2 party system, the largest voting block in that group are libertarian leaning people who do not break democrat.

Your link is talking about various voting laws, which largely impact densely populated cities, things like ballot harvesting, out-of-precinct ballot disqualification, and other such rules that have an outside impact on voters in urban cities which are largely democrat.

Very very different things / topics


"things like ballot harvesting, out-of-precinct ballot disqualification, and other such rules that have an outside impact on voters in urban cities which are largely democrat."

What about local elections, most elections are isolated to a particular area? The reason the Republican lawyer made that statement was to show standing. Meaning, why would the Republican party be affected by the various voter restriction laws. They said because it benefits them if voting rights are restricted.

If you are saying that the laws in question reduce the ability of democrats to vote vs republican (as in reduces the numbers more in cities vs rural?) What's the difference? I'm connecting turnout to their success.

Here's a more clear analysis though it is an opinion piece showing that young voter turnout is important for the democrats.

https://www.cnn.com/2022/03/22/politics/young-voters-democra...

The reason I used the Republican party's lawyer is because he was under oath and they wouldn't fight this case if it didn't benefit them


> Non-voters are people disgruntled with the current 2 party system, the largest voting block in that group

There are no “voting blocks” in the group of non-voters.


Lol. Poor terminology. I should have said "largest group of eligible/ potential voters"

But still clear what I was getting at


> Then you ask people to do something productive, what?

Use direct democracy at the state level, where state constitutions provide for this, to replace single-member FPTP systems with multimember proportional systems, creating multiparty democracy, and then advance it state by state until it becomes a national norm.


>"productive, what? Revolution?"

Since when productive means Revolution? Productive in my book means forming new party with the proper platform and winning the election. Meanwhile protests against most egregious actions will do.

>"It will also lead to a large loss of life. There's also no guarantee what happens after will be positive."

That had never stopped the US from instigating and supporting numerous revolutions and coups.


As for your last comment first - that's something the US government has done in the past and I'm talking about what the population might do. Completely unrelated.

I mentioned revolution as an example. Forming a third party will cause one of the main parties, probably the one whose voters are least fundamentalist, to lose. That's what happened in the past.


>"That's something the US government has done in the past"

Very recent past and they will do it again no doubts.

>"Forming a third party will cause one of the main parties, probably the one whose voters are least fundamentalist, to lose."

Well it is your country and you are free to maintain status quo.


>>Abortion, gay rights, spending, taxation, gun laws. How are they the same???

None of those things are constitutionally in the power of the federal government, nor should they be. Those are state level issues.


Gay rights are freedom of expression


> you do know that was a Democratic supported, passed and celebrated law right? Not republican.

I addressed this - the Democrats are also orienting towards a more protectionist, isolated US. The European-American relationship is also deteriorating under the current administration. But it's not Democrats that are arguing for abandoning Ukraine and acquiescing to Russia, it's factions of the Republican Party.

The reality of which party does what is frankly irrelevant though - the perception of people and governments of Europe is that the US is not as reliably staunch of an ally as they once were, and this kicked off under the Trump administration. Europeans believe that a Republican administration is less supportive of a strong alliance, and this perception of flakiness is driving a push for European self-reliance.

> to date almost none of the NATO Nations have ever honored their minuscule treaty requirements of 3% GDP

This is already happening. Several of the biggest freeloading countries have promised massive increases in spending in response to the Russian invasion of Ukraine, most notably Germany. They haven't met their targets yet, but an era of European self-reliance in defence is coming, in spite of current struggles with inflation and supply issues. Things are moving slowly, but European governments largely no longer believe they are safe without playing an active role in their defence.

> when they should be closer to 10-15%

That'd be an insane spending on defence - for reference the US spends 3.5% and Russia spends 4.1%. Ukraine spends 34% and they're currently locked in a desperate struggle for survival.


>>the perception of people and governments of Europe is that the US is not as reliably staunch of an ally as they once were,

It is not a perception, it is reality and people need to understand that. The US can not afford it any more.

>>But it's not Democrats that are arguing for abandoning Ukraine and acquiescing to Russia,

I don't know about "acquiescing to Russia" but some members of the republican party have long understood the fiscal reality, where the Democrats, (and other members of the Republican party) live in the fantasy land where money, and debt do not matter and the government can just spend spend spend, with no limit.

>>most notably Germany

I will believe it when they actually do it, they have been promising that for almost a decade now. They still have not promised 3%, only 2%, and they will IMO never get there.

I hope Poland emerges in EU leadership taking it from Germany

>> Russia spends 4.1%. Ukraine spends 34%

Now let's talk about corruption...

>That'd be an insane spending on defence

Maybe, but the US has been spending between 3-6% for decades building up the military to what is today, while the EU has been spending sub-1% for those same decades, just matching US Spending is not going to cut it IMO.

Current US Military spending is at an all-time low since WWII in % of GDP numbers, largely because of the growth in the US Economy, in real numbers we still spend an INSANE amount of money.


Saying Republicans understand fiscal reality when Bush pissed away unimaginable amounts of wealth in the middle east is ludicrous. I'd like some of what you're smoking.

There's currently some noise about costs because the president isn't Republican and it's an easy way to score asinine political points. None of that is coming from any sort of principled belief system, though.


You might want to take a reading comp class...

I clearly said

>>*some* members of the republican party have long understood the fiscal reality, where the Democrats, (and other members of the Republican party) live in the fantasy land where money

See that second part, where "other members of the republican party" i.e the Bush "republicans"... the ones many refer to as "RINO's" in common political rhetoric today...


:eye_roll: I can already tell this would be a silly conversation, with you just repeatedly shouting "RINO! RINO!"

Republicans objecting to helping Ukraine because of cost are either blithering morons, compromised by Russian propaganda, or both. Take your pick.


So you believe in spending with no limits, no controls, and no accountability

Because that is what is happening today..


Or they do not care about ethnic war on periphery of Europe that affects none of US vital interests? Making irrelevant war in far remote country existential good vs evil struggle is how US got into Vietnam. The fact that there were zero negative consequences for US after fall of South Vietnam tells you that it was bullshit from beginning.

The same with Afghanistan. I disagree with Biden on many points but getting out of that country was the best possible course. Same situation as with Vietnam - with Taliban in power in Afghanistan there are zero negative consequences for US. What's more Taliban is apparently better than US or former "Afghan" government in suppressing actual terrorist activities that can threaten US.

Not every war is WW2 and struggle for world domination.


Thanks for reminding me of the book “War is a racket”. American farm boys being brainwashed into Americana, and sent off to die to prop up American Businesses.

From the Banana Wars for the American Standard Fruit company, to getting PTSD in Iraq to make Dick Cheney wealthier, to who knows where next to defend Meta.

Nothing has changed in America. The military umbrella is watered with blood of lower and middle class boys and girls, but only to protect Tycoons and Billionaires.

They could repel NATO, but if Europe slides with China then things will look very shitty for the Western Hemisphere.


> do you want EU to adopt the same approach and ban TikTok along with Meta and the rest?

if only...


I don't know of good solutions. I'm deep in the "ban or regulate" camp, but I don't know what those bans or regulations should be. Honestly, I'm less concerned about Chinese and Russian agents than simple, capitalist free market forces.

Web sites which grab eyeballs grab dollars. There is no connection to truth, integrity, or honesty there. Right now, even with humans and Facebook-grade algorithms, that's leading to polarizing hatred. Things will get worse once LLM-style algorithms start generating content to optimize engagement.

We need individual free speech, but I'm much less sold on corporate free speech (or speech from algorithms optimized to capitalist markets).


> I'm less concerned about Chinese and Russian agents than simple, capitalist free market forces.

it should be the other way around.


More afraid of US agents than Chinese capitalists?


> The Americans are considering to ban TikTok, do you want EU to adopt the same approach and ban TikTok along with Meta and the rest?

Yes, of course.


Same logic was used for the Nordstream by Germany.


i think the worst part of all this is that it won't be a real ban. you will immediately see the news apparatus telling stories about how teenagers get long prison sentences for downloading tiktok illegally. Real people will be punished for the theatrics of global politics.


Imagine the countries as a set of microservices, each exposing the data they want to. You can get all kinds of dystopian with this, and from technical perspective (although being a cool solution) somewhat twitchy eye inducing. Unless you make an OpenCountryAI standard that everyone conforms to - it'll get NASTY.

Now imagine micromonoliths with shared data. Much more soothing IMO.

I want microservices where appropriate, and I want my world global. Geographic boundaries outlived themselves.


You ask consent from both users to store it wherever you'd like.


Has to be meaningfully informed consent, IIRC, and a set of T&C the length of a Shakespeare play isn't that, not even when it's the shortest Shakespeare.


And I think we should get rid of the pop-ups.

Let the service do what it does with least permissions. If something doesn't work there should be a setting where you opt-in. Don't block my view, hoping I will click the dark pattern as you want me to, believing I don't get anything if I say no.

That's not informed consent. That's consent under duress.


I agree.

There will be some cases where you need to explain what's going on to a customer before they should be allowed to do stuff — medical, financial, probably some others too — but I think the whole thing is getting abused so much it can't stand, and the exceptions probably need a specific license already anyway, and that license can just also say "and you not only get to have the popup, you are required to".


Would you settle for Rodgers and Hammerstein provided that the piece is largely a series of musical numbers?


IMO anything more than one page of A4 in 12 point Times New Roman, is too much for a website where you connect with people and groups, chat with them, and share status updates and pictures.

Preferably half that.

(Advertisers are allowed longer agreements because they can be expected to hire a lawyer to explain stuff to them).


is it that easy? in which case what’s all the hubbub about?


No. You also have to take adequate technical and organisational steps to protect data privacy.

In particular, the EU believes that by transferring personal data to the US, it could potentially be accessed by law enforcement/three-letter agencies without 'adequate' process.

More here: https://www.osano.com/articles/privacy-shield-invalidated#:~....

In short, the US does not have "a level of protection essentially equivalent to that guaranteed within the EU".


you _are_ aware that you can pretty easily tell sexual orientation, political positions and other personal, private and non-obvious personality traits from an individual's interaction in FB (likes, shares, comments)?

and you are aware the NSA has far reaching access into the FB data pool?

this possibility to filter out "the gays" or "the trans" mixes very poorly with say, DeSantis or Trump concepts of a clean and neat and ordered country.

_that_ is the concern of the EU.

the perfectly legal processing of personal data in the US, which is meeting all US regulations. "Kleinman. Is that with an 'ei' or an 'ie'?"

we may agree to disagree but I think this is orders of magnitude more concerning than microtargeting political campaigns (brexit & co)

and _that_ already is bad.

https://policyreview.info/articles/analysis/regulation-onlin...


The EU bureaucrats have a solution: If you are in the EU then all your friends outside the EU see a generic icon representation of you. If they click the icon a window with the text “Displaying personal data related to this individual would violate the GDPR” appears. Your name is also redacted.

The perfect user experience!


These numbers should be written as "hours of revenue".

Then people would notice how laughably small those fines are.

> Meta was fined 12 hours of revenue for violating your fundamental human rights for years of profit.


While I don't disagree with you, if you are going to say something like that you should really at least give the right number. Or at the very least include a disclaimer that 12 hours is not the right number.

2022 Meta revenue was 116 billion USD [1]. So the fine was 1.1% of yearly revenue, or pretty close to 4 days of revenue.

In terms of yearly net income, it is 5.6% or 20 days of income. Don't think this is a trivial fine.

[1] https://www.statista.com/statistics/277229/facebooks-annual-...


Also to add, this fine is concerned with the EU. I'm not sure why we care how much money Meta makes in other regions. EU accounts for about 25% of their revenue [1]. So in terms of yearly net income it then gets closer to about 15%. Again, the job of EU is to regulate businesses in the EU and not the rest of the world.

[1] https://businessquant.com/facebook-revenue-by-region


Sounds to me like a clever EU work-around to force Meta to pay taxes over its EU revenue :p

This "fine" just feels like "cost of doing business in the EU" to me...


They broke a law that violates basic human rights. Privacy is important to EU citizens, and unlike the US they largely enjoy that right thanks to laws which are enforced.

Nothing to do with taxes.


A lot of EU countries are also in "big eyes" esque spying agreements. The occasional story of a privacy law being enforced doesn't change that


Facebook is not the government so even if what you say is true, it's really off-topic. Being protected from businesses violating your privacy is a good thing.


The reason why Facebook transferring data to the US is illegal in the EU is because its spy agencies and law enforcement can force them to turn over data.

It's not off topic at all.


Can EU governments force companies to turn over data? If not, then you are talking about what EU governments do secretly. That's a different topic.


And the United States can't? Facebook is part of PRISM, and they are incorporated in America. They are arguably in a more compromised state when operating domestically than abroad.


That's not the argument I would go with, but you could. I would argue that the EU has more oversight into its spy agencies and can rein them in if wrongdoing comes to light, whereas they have little to no control over those in the US.


It's not off topic. You said:

> unlike the US they largely enjoy that right thanks to laws which are enforced

This is categorically not true.


This isn't about protecting users from spying. This is about managing user data and privacy in accordance with the laws that privately-owned businesses must abide by. You can claim that it's a double-standard, but it's still wrongdoing and needed to be sorted out either way.


Funnily enough, country that is biggest on that recently left EU...


But not because the EU didn't like their spying.


> Nothing to do with taxes.

If companies view it as cost of doing business, it's akin to a tax and the rights you hold dear are not respected


That's true but the evidence points to companies changing policy to avoid increasing fines and the risk of being banned entirely.


So how do you have “privacy” when the entire purpose of social media is to share your likes, dislikes, social graph, etc. worldwide?


The data that Facebook collects about people goes far beyond what is explicitly shared and visible in their profile. E.g. which sites they visit (and when) with Facebook widgets on them, on-site browsing habits, private conversations, their phone contacts, location data, etc.


I imagine that a number of features are built on top of these. I remember that you could easily see what friends were nearby you when you were traveling (I ran into a friend who was visiting Milan at the same time as me a few years back!) but the feature doesn't exist anymore. I'm wondering if it's because of regulations that they had to cut down on these features.


Facebook posts can be made for only friends to see. Other social media has similar controls.

Facebook also has private messaging.


And when those private messages get sent to someone in the US or those friends are in the US, what do you think is going to happen with the data?


You're moving the goal posts. Your claim was that all posts are globally public. That's wrong.

But to play along, what happens to the data depends on where it is stored. If the data center is in the US then the government can get a court order to seize that data. Which is not the same as in some other countries, is it?


well, what would happen is facebook getting 1.3B fine


So now the EU is saying that Facebook shouldn’t allow people in the EU to talk to people in the US?


That's not what the EU said. You can read the publicly available ruling. Or any of the hundreds of articles summarizing the ruling.


> Privacy is important to EU citizens

The people on the ground didn't do anything with this


That's entirely untrue. Countries in the EU had strong privacy laws before the EU existed. And before the internet existed. Mostly around phone companies, but not only. Having lived in a few countries in the EU I can also anecdotally say that privacy laws are generally liked.

GDPR laws are so popular that 17 countries outside the EU already have similar laws.


Nah, GDPR is great.

For example now random security camera operator can't just take some scenes and post it on youtube, as that would violate GDPR in several ways and few companies paid tens to hundreds of thousands in fines for that.

It also cut sooo much bullshit when it comes to PII management. Because there is actual teeth behind it very few companies will try the old trick of "oh you wrote email to us? Let's just send marketing stuff on that", as that would require separate consent.


Well, companies are known for organising their affairs to avoid taxes. I suppose they can organise their affairs to avoid fines as well.


I am SO glad I was not taking a sip of my very hot coffee when I read this.


They got 5 months to fix the issues. So after 5 months they can collect a bigger fine ... and then 5 months later again, with three increasing charges within 12 months it's more notable.

Ok, realistically it's unlikely to happen exactly that way, ...


Fortunately, we can count on FB to move fast and break this hazard much faster than that.


Sometimes I wonder why there are so many people advocating three strike and out laws, but never against corporations. Would be interesting if the third fine would be so large that shareholders are wiped out and debt holders are left with scraps.


The GDPR allows for fines based on global revenue to prevent companies playing games with where their income is "technically" generated.


Bit off topic, but how on earth did Meta gross 116 billion USD ? lol

Of course we all find tech valuable, but that is absolutely stupid money for what I get out of their services, which is almost nothing hence I've not opened FB for weeks and I open Instagram for 2-3 minutes every day and turn it off, lately maybe every other day.

Even with more engaged users it's hard to believe it's worth that much money. Is the advertising really this effective ? Insane.


> that is absolutely stupid money for what I get out of their services, which is almost nothing

That's why it's a free product! Revenue is from the value they deliver to advertisers. Meta's average revenue per user is significantly higher than other ad platforms (except Google).

For someone selling to a particular group of people, getting ads to that specific group, and ONLY that group, is really valuable.


I would guess that a chunk of income comes from selling datasets to interested parties, especially politically affiliated ones e.g. https://en.wikipedia.org/wiki/Facebook%E2%80%93Cambridge_Ana...


Your guess is wildly mistaken. They did not intend to sell data to CA; and the CA events happened in 2014-2015 and the program CA abused was subsequently shut down.


To my mind that could be explained as CA exploiting Facebook users' data and Facebook shut down that program so that it could instead explicitly sell similar datasets.


Well, you're wildly mistaken again. The dataset is the golden goose -- they have no interest or incentive to sell it.


Selling data erodes Facebook's ability to make money selling ads (because then other people will be able to target users just as well). It's never been something they did intentionally.


Meta only lost income and credibility from that scandal, unless you believe the data breach was conspiratorial.


Seems likely to me. I can't recall Facebook acting in good faith at any point in time. If there's a bunch of money to be made assisting well-funded politicians, then I'd fully expect Facebook to be wanting a piece of that pie when their business model is generally to act against the users of the site by selling their data to manipulators.


That's nice and terrifying then.


Wasn’t the fine for breaches since July 2020? So more like 2 days revenue and like 3% profit.

Actually Meta had bigger year last year so a bit less than that.

Cost of business ?


The investigation lasted 10 years.

https://noyb.eu/en/edpb-decision-facebooks-eu-us-data-transf...

So, the fine is ridiculously low. 130 million per year?


4 days is actually pretty high.


I paid way more than 4 days of income just in taxes. It's chump change in the grand scheme of things for Meta.


You're acting as if Meta doesn't also pay taxes.


Okay am I insane or does “20 days of income” for a company that generates income 24/7 seem like the definition of a “trivial fine”?


Given that you are on HN, you are likely a salaried employee. This means you are also generating income 24/7. If you were fined for 20 days of your income, would you still argue that this is "the definition of a trivial fine" for you? I certainly wouldn't.


I mean given the context we’re talking about? That’s absolutely trivial. A 20-operating-days fine wouldn’t touch my day-to-day life, I wouldn’t have to alter my behavior going forward at all, there would be almost 0 repercussions.

Would I enjoy it? Certainly not.

Would I change my behavior if it was generating billions in revenue? Certainly not.

How is this supposed to dissuade FB at all?


It doesn't seem like the definition of "trivial fine," no.


Nietzsche wrote about this stuff, doubt there is any magnitude of fine that would be acceptable to the baying masses.


1.1% seems like slap on the wrist or cost of doing shady business. 20% would be more appropriate, then again this seems like political discussion between US and EU.


Reminder that this is revenue, not profit AND it is a fine from the EU so really only EU revenue should be counted when discussing how hard this hits Meta.


This implies that Meta doesn't make money outside of EU by exfiltrating EU users' data.

If Meta made zero money in EU whilst still offering a service to EU users, and still exfiltrating their data, should the fine be zero?


Even if the calculations for how to attribute income from different places would be difficult to decide upon precisely, and doubly so if the calculations are used to determine a penalty fine thanks to the possibility of being gamed, it can probably be guessed at without too much error in cases where Goodhart's Law doesn't bite.


How does anyone make money with EU data outside the EU? Seems like the value of that data is trivial anywhere else.


> a fine from the EU so really only EU revenue should be counted

You can't really fully separate EU revenue. I as a European write very intelligent and relevant posts on Facebook, thus people from other regions go there to read them. (well, I don't post anything on Facebook these days, but the point stands)


Meta revenue is from showing an ad. "Is the ad shown in the EU?" seems like a pretty clear line. IFRS rules already require tracking the action that recognizes revenue so seems hard to play games with it.


It should hit the global revenue. Otherwise they could play even more regionally with the rules, and fines are just a cost of doing the business.


Yes the fine should be based on global revenue, but when discussing if this fine actually hurts Meta, you should try to estimate the EU revenue, because it is about if Meta cares about the fine. If it is a significant part of EU revenue then Meta should want to comply or leave the EU. If it is not then Meta doesn't care.


The fines can be up to 4% of global yearly turnover. I think they don't go for the full amount immediately, because you always want to have room to increase the penalty if they don't comply after this fine.


Agree.

A few years ago I was on around AUD90,000 and driving my wife's car which to me she had failed to register.

I got a AUD990 fine.

So I equate this fine to Meta getting busted for driving an unregistered car.

Not even close to a drink driving charge.


20 days of income for this seems extremely low. Were it a person, they would have been jailed and indebted for life.


Not really. The EU isn't trying to kill Meta, it's trying to get it to follow GDPR where it applies. For most people, fining them an equivalent of their monthly salary, is a blow painful enough the person won't forget it soon, and will try to avoid getting fined again.


No, they wouldn't. An appropriate fine would have been given to a sole proprietor.


Yeah agreed. They will simply continue to violate the GDPR. If last year's global revenue was 116 Billion USD, the fine should be at least 200 Billion. Otherwise companies just will see the fine as a cost of doing business.


Whether something is a 'cost of doing business' is based on whether the cost is expected or unexpected, not its magnitude.


I am getting tired of always reading this same old tune. It's damned if you do, damned if you don't.

- EU fines a company a small percentage of its annual revenue. "Laughably small", "cost of doing business", EU has no fangs, blablabla.

- EU fines a company a large percentage of its annual revenue. Damn EU bureaucrats, trying to make money on the back of hardworking US multinationals, zero innovation over there so they steal from America, blablabla.

What do you want? For the EU to impose such large fines that they put every tech company out of business? No one wins at that game.


HN isn't a monoculture. Different people have different opinions.


HN may be slightly better than other platforms, but it's still largely an echo chamber


I, too, voice my opinion each day on platforms where everyone disagrees with me.


It's even worse than that -- you'll get both opinions on the same fine. Can't please everybody.


"Fundamental human right" is a pretty high bar and it's lazy to just throw it out there without any evidence. The UDHR (https://www.un.org/en/about-us/universal-declaration-of-huma...) has it stated as "[n]o one shall be subjected to arbitrary interference with his privacy". Is signing up for an American company's service and being surprised they send information to the US really arbitrary?

Maybe it is (or maybe folks disagree with the UN on privacy) but people should actually make that case instead of treating it as self-evident.


There are two aspects to this, the message to the company and the message to the users:

Yes, the fines are small enough that they are normalized by the violating corporate as just a small additional cost of doing business. A dramatic negative externality gets trivialized. The signal to other corporates is: go ahead feasting on the corpse of user privacy, just do a proper cost-benefit analysis.

But, these fines are legal events, in jurisdictions that are relevant to large numbers of people.

The common argument "people don't care about privacy" is more truthfully "people assume that widely popular online businesses are legal and ok, since services that are not ok are generally not allowed to operate". In fact, when all sort of public institutions are actually on facebook (and other adtech platforms) and even encourage people to join and interact there, they actually endorse that implied legal status. This has been a fiasco that has cut to size any "proud" democracy out there.

News headlines of legal fines help puncture that implied institutional endorsement. The average user doesn't know that the fine is just 12 hours of revenue. They actually have no clue what sort of lucrative business is running behind their backs and against their interests. Using these legal events, provided they get some press, does help the argument of those pushing to use (where available) privacy-respecting alternatives.

Of course such is the ability of the public to get desensitized to any uncomfortable truths that eventually that effect will wear out too.


> Yes, the fines are small enough that they are normalized by the violating corporate as just a small additional cost of doing business. A dramatic negative externality gets trivialized. The signal to other corporates is: go ahead feasting on the corpse of user privacy, just do a proper cost-benefit analysis.

Non-compliance just causes another fine. So they could be up to 8% of turnover (not income) a year


Revenue tells you nothing in terms of how severe that fine is. As others pointed out, it should be in relation to net income.


Not sure net income would tell you that much either. Many companies deliberately keep net income low by reinvesting in further growth. Think of Amazon's model. At least revenue gives you a sense of the upper limit.


But revenue has even more issues. You’ll end up hurting low margin companies the most.

If my company transacted $1T in some boring business model that netted a few million to the company coffers and employee pay then fining me on the $1T would simply wipe the company out many times over


Agreed, a fine on net income is meaningless, it just means it won't hurt. Should be at least 10% of revenue like antitrust tends to do, this would make anyone think twice.


So Amazon can just say "fuck the law" and get negative fines?

It obviously doesn't work.


I don’t think GP is suggesting that the fines should be calculated based on net income. Just that you should evaluate the _impact_ by comparing to net income.

So in Amazon's case you absolutely see a fine greater than their net income, but still only 1% of their revenue, and obviously such a fine would have a greater impact on Amazon than the equivalent 1% fine applied to Facebook.


Well, one could say that that is a problem about how Amazon is allowed to use some shady accounting tricks to declare low net income, and therefore that problem is the one that should be addressed directly.


So when you're having a bad year because you over-hired, or because some upstream service you depend on too much is abusing their power to squeeze you, you should be entitled to break any law?

What if your company is set up with the usual tax tweaks where all net income is zeroed out by some licencing agreement about hand-wavy IP from a sibling company in the corporate family?

Taking it a step further, will you get a fine-back as a reward for breaking the law if your accountants manage to declare negative income?


> Taking it a step further, will you get a fine-back as a reward for breaking the law if your accountants manage to declare negative income?

I think the GP meant that you should see the fine in relation to the net income, rather than that the fine should be computed in terms of the net income.

E.g. if a company has 100b revenue and a net income of 4b, then a 1.3b fine has a large impact. If a company has a net income of 50b, then 1.3b is peanuts.

(I don't necessarily agree, but just elaborating what they probably meant.)


An interesting way to look at it, the impact of a given percentage of revenue will certainly differ a lot between some tight margin reseller and a business that is basically market printing once established. But I can't parse the wording of the last sentence in GP post as "should be seen", it's to "should be". If there is ambiguity I fail to see it.


Neither revenue nor net income will really represent the value of a company. Company evaluation would be more fitting, especially if the company is publicly traded.


It's in relation to turnover, not revenue. Up to 4% and another 4% for noncompliance


It's amazing to me how many otherwise intelligent people on HN inevitably make this same comment, when in fact, this is a substantial fine even to a company the size of Meta. Much higher would be borderline extortion, and Meta would seriously start to consider whether doing business in the EU is worth it.


Sure, but let's also add a reminder that the point of the fine isn't to torture or kill the company - it's to incentivize it to comply with the law.

Whatever ills people may ascribe to Meta, EU DPAs aren't in the business of social activism, or taking their annoyance out on multinational corporations. The job is to get Meta to comply with GDPR. If that fine will do the trick, mission accomplished. If it won't, the next one will be bigger, and then fining will continue until compliance improves.

(There's a sub-story here about Irish DPC, but that's orthogonal to the size of GDPR fines issued.)


Revenue is not the same as profit. This fine is coming out of Meta's income


You realize how silly this would be right? If you got a parking ticket, how would you feel about being fined some % of your monthly paycheck instead of a flat $50?


Like it is more fair. Why should a poor person pay nearly a day's wages for a violation when other people don't have to have such a harsh punishment?

Does it seem ridiculous at the edges? Sure, but it also makes the fine an actual punishment for all rather than a rule that the better off can afford to ignore. This is true even in the case of driving laws. Sure, you might lose your license regardless of finances - but only one of them can fairly easily afford the reinstatement fees and the extra costs of not driving.


Not sure if you're aware, but some fines in some jurisdictions actually work this way [1].

[1]: https://www.euronews.com/2023/01/04/finlands-progressive-pun....


Another way to see it is: $2 per EU citizen.


Is this comment GPT generated (following the description in meghan_rain's bio)?


You can't just attach the "human rights" magical pixie dust to anything to make it more serious. Oh wait you said fundamental human rights.


Privacy is a human right in the EU.


Having the datacenter that stores your data in another region does not affect your privacy in any way.


That's wrong. A data center in the US can be forced to hand the data over to the government. And that's not the only protection you lose.


It's very naive to think moving the datacenter to the EU makes it impossible for American agencies to get data off it.


I never made any such claim that it would be impossible. Your initial claim is still wrong.


Moving the datacenter to the EU makes it a crime; we can at least impose diplomatic sanctions as and when we catch foreign spies doing crimes in the EU. If the datacenter is in the US then there's no recourse.


That's exactly why the privacy shield was invalidated by the CJEU.


The EU member states are responsible for protecting various rights of their citizens and they can't do that if the private data is placed in an uncooperating jurisdiction.


Clearly EU judges disagree with you.


It does if US government can take that data. Which they do.


They should be written as a % of profit from the area generating the fine


Given the creativity in accounting possible for multinationals and the difficulty in capturing value added to other areas from activities in an area that's a number with very little actual value.


The accounting is not what matters. What matters is using your brain to figure out if a fine is actually meaningful.

Comparing to revenue is a stupid way to think about things. Profit is the incentive to conduct business. Not revenue. And not global profit, but in this case Ireland/EU profits only, because that is the location fining them.

People are so eager. Every. Single. Time. To say that a fine does not matter even if it clearly outpaces multiple years of profits for the area given.


> Comparing to revenue is a stupid way to think about things. Profit is the incentive to conduct business

Because it is and it isn't. Companies can make people filthy rich while not making a single dollar of profit thanks to the stock market where the price does grow, broadly, in terms of revenue.


You’re right in that it ought to be compared to the scale of profits, not a percentage, as many run on a loss during growth. But profit is still what matters. Including the promise of future profits.

Talking of the future doesn’t help much because both numbers will change. And punishing a company based on its future state is… not possible


The max fine is 4% of a firm's annual revenue from the preceding year so this is around ~1% of revenue

