
Europe's highest court has rejected the 'safe harbor' agreement - noplay
http://uk.businessinsider.com/european-court-of-justice-safe-harbor-ruling-2015-10
======
A_Beer_Clinked
The full ruling is available here:
[http://www.politico.eu/wp-content/uploads/2015/10/schrems-ju...](http://www.politico.eu/wp-content/uploads/2015/10/schrems-judgment.pdf)

These bits jumped out at me:

> Furthermore, national security, public interest
> and law enforcement requirements of the United States prevail over the safe
> harbour scheme, so that United States undertakings are bound to disregard,
> without limitation, the protective rules laid down by that scheme where they
> conflict with such requirements. The United States safe harbour scheme thus
> enables interference, by United States public authorities, with the
> fundamental rights of persons, and the Commission decision does not refer
> either to the existence, in the United States, of rules intended to limit any
> such interference or to the existence of effective legal protection against
> the interference.

> This judgment has the consequence that the Irish supervisory authority is
> required to examine Mr Schrems’ complaint with all due diligence and, at the
> conclusion of its investigation, is to decide whether, pursuant to the
> directive, transfer of the data of Facebook’s European subscribers to the
> United States should be suspended on the ground that that country does not
> afford an adequate level of protection of personal data.

My reading (not a legal expert) is that data residency is the important bit
here. Which in my view is a small step but not sufficient.

~~~
armada651
I think it means a lot more than just data residency. Without the safe harbor
agreement you can no longer avoid EU privacy regulations by storing the data
in the US.

This means that a lot of US companies are now exposed to EU privacy
regulations where previously they only had to account for US privacy
regulations.

The US privacy regulations are no longer considered compatible with the EU
privacy regulations. That has much more impact than just data residency.

~~~
cm2187
What I am curious about is how do we define "doing business in the EU"? If I
am American, create a blog stored in the US, and allow users to register an
account to comment on the blog, am I doing business in the EU if an EU person
creates an account or are my visitors more akin to foreign tourists visiting a
US shop in the US and therefore outside the reach of EU regulation?

In the financial sector, the extra-territoriality of US laws has been a
problem for decades. Securities issued in the EU, by EU entities and marketed
to EU investors end up having some language referring to which US regulation
they fall under out of fear that a US person will end up buying it, and the US
applying their laws and regulations.

~~~
pjc50
> _In the financial sector, the extra-territoriality of US laws has been a
> problem for decades._

This is a problem for the internet that has long been present but is
increasing: _multiple_ jurisdictions with global reach. Historically the First
Amendment has shielded the internet from a lot of attempts to interfere with
it, but there's no particular reason why only the US should claim that its
laws apply globally. Why not Franco-German laws against Holocaust denial?
English libel law? Saudi blasphemy law? Chinese censorship law?

Sooner or later someone's going to find themselves in a Kafkaesque situation
where two global jurisdictions demand incompatible things.

~~~
mcv
> Sooner or later someone's going to find themselves in a Kafkaesque situation
> where two global jurisdictions demand incompatible things.

That's exactly what we're already talking about here: companies are unable to
obey both EU rules concerning privacy, and US laws concerning law enforcement
access to data.

And that's basically why borders between internet jurisdictions are now being
drawn up.

~~~
pjc50
The sad thing is that Europe also has laws enabling law enforcement access to
data, including (until recently) mandatory retention of certain data by ISPs.
All this is about is mass surveillance without due process. All that would be
required to fix it is interpreting the Fourth Amendment in the same way as
Article 8, and abolishing the whole secret court infrastructure.

> The Court adds that legislation permitting the public authorities to have
> access on a generalised basis to the content of electronic communications
> must be regarded as compromising the essence of the fundamental right to
> respect for private life.

> Likewise, the Court observes that legislation not providing for any
> possibility for an individual to pursue legal remedies in order to have
> access to personal data relating to him, or to obtain the rectification or
> erasure of such data, compromises the essence of the fundamental right to
> effective judicial protection, the existence of such a possibility being
> inherent in the existence of the rule of law.

~~~
kuschku
Actually, data retention was declared illegal several times. No government can
force you to do it.

------
walterbell
Meanwhile, TPP prohibits countries from having data sovereignty laws,
[http://www.zdnet.com/article/tpp-moves-toward-killing-off-go...](http://www.zdnet.com/article/tpp-moves-toward-killing-off-government-mandated-data-sovereignty/),
with similar prohibitions sought in TTIP and TISA,
[https://blog.ffii.org/a-license-to-spy-cross-border-data-flo...](https://blog.ffii.org/a-license-to-spy-cross-border-data-flows-in-ttip/)

_"Governments in Australia, the United States, New Zealand, Canada,
Singapore, Vietnam, Malaysia, Japan, Mexico, Peru, Brunei, and Chile will be
unable to force companies from those countries to store government data in
local datacentres ... governments will not only be prevented from mandating
data sovereignty provision, they will also be unable to demand access to
source code from companies incorporated in TPP territories."_

~~~
simonh
Maybe I'm reaching a bit too far, but we're mainly discussing this in the
context of non-US residents' data being transferred to the US, without their
say so, where the NSA then does whatever it likes with it. But surely this
treaty goes both ways? Doesn't it also allow US citizens' data to be
transferred to Vietnam etc, without the person's permission, under their legal
framework and their government and commercial agencies get to do what they
like with it according to their laws? And the US government is ok with that?

Unless I'm missing something, the US government (and NZ, and Australian, etc)
just completely sold out their citizens' privacy to a whole bunch of foreign
nations including a communist dictatorship. Wow.

~~~
MichaelGG
I don't think so. What it is saying is that if a Vietnam-based cloud company
sets up shop, the US cannot mandate that it keep US customer data on US
servers. I can see why the US wants this: They want everyone's data in the US.
What I cannot see is why anyone else would agree to this.

My _guess_ is that what it really means is that such companies are allowed to
operate. OK, fine. But no one is forced to use them. So the US might say "Nice
service, Vietnam. But we won't buy it unless you put servers in the US." They
aren't forcing anyone to do anything.

~~~
pjc50
_no one is forced to use them_

The end user doesn't get a choice. The US has no general data protection law.
Customer loyalty cards, credit records, ad tracking data: all of these may
already be kept overseas.

------
a_bonobo
This is good, and a direct result of the Snowden revelations - without those,
the US would still be considered to be a safe harbor for your data. I'm hopeful
that this will create the kick that the US needed, now that actual income (and
high income, at that) is becoming threatened by the NSA. Of course this isn't
the end to their data theft. They're likely to get the data from their Five
Eyes European friends instead, but still - a good victory.

Amazing to see what one determined person can do!

~~~
rurban
Sure. The next step would be to demand EU nations which violate the safe
harbor EU rules be either thrown out of the EU (GB, but probably also
Netherlands, Sweden and Denmark), or fix their privacy laws. It cannot be
that the GCHQ acts on behalf of the US on EU data and allows easy
circumvention of basic privacy principles.

~~~
pjc50
Sadly, the data protection laws have always had "national security"
exemptions.

~~~
lsaferite
Which is funny since US "national security" is what prompted the ECJ to
invalidate the safe harbor provision.

~~~
tormeh
Obviously, data protection laws don't have exceptions for other countries'
national security.

------
protomyth
It's been asked by multiple people in the thread, but I'm not clear on the
answer.

If I host a website that has user accounts in the US, and do not stop people
from the EU from registering, do I, with no offices outside the US, need to do
something different because of this ruling?

~~~
oliwarner
This only applies if you have EU users submitting data to EU servers and then
you want to move that data to another jurisdiction, namely the US.

If your user is submitting their own personal information to servers outside
the EU, that's their lookout. That's what seems to apply to you. Carry on.
Nothing to see here.

But if they're submitting to one of your nodes within the EU, they can
consider that the data will continue to benefit from the protections being in
the EU affords it. Moving it to the US without their permission does not abide
the EU protections.

~~~
kentonv
That's not what my lawyer says. Our servers are only in the US and we were
instructed that if we were to accept European customers we needed to go
through the Safe Harbor process.

------
weddpros
Edit: I'm reacting to "Facebook and Twitter [...] could be forced to host
European user data in Europe"

Border control with data is the worst idea ever.

Think of it: my Facebook friends list has EU and US people in it. This list
can't reside in EU or US. This webpage can't be served by either an EU or US
web-server. By law. LOL

Plus I'm an EU citizen, and I can choose to give my data to whoever I want...
no more. That's sad.

This ruling only shows the dismal tech knowledge of lawyers and lawmakers.
It's impossible to implement Facebook with data spread between EU and US. Same
for Twitter and others. Say goodbye to social networks. Because of model
denormalization, because of network latency and intercontinental bandwidth.

Some mention cloud zones, but they're only useful with replication, which IS
data transfer.

OR... social networks will cheat. And one day, they'll be sued for cheating
the impossible regulations (think VW...)

~~~
simonh
> Think of it: my Facebook friends list has EU and US people in it. This list
> can't reside in EU or US.

I think you're misunderstanding the ownership of the data, hence the down
votes. If I as an EU citizen create a private friends list like this, that
list belongs to me. If I live in the EU but create the list using a US service
with servers in the US, there is no problem. US privacy laws apply. If I
create the list using an EU service on EU hosted servers there is no problem,
EU privacy laws apply. However in this second case if the internet service
company wants to transfer the list from their EU servers to their US servers
without my explicit permission, that's a problem.

~~~
weddpros
Imagine I'm in the EU, and Facebook wants to store my data in the EU. But I'm
friends with US people. So I'm in their own friend list too, which is stored in
the USA. So my data is needed in the USA too.

When I publish something in Europe, my friends need to see it too in the USA.
And you can't build a Facebook wall with intercontinental latencies. You need
replication.

It's a social graph, and you can't split it between US and EU: data has to be
replicated across borders (or face massive latency and bandwidth).

~~~
jarek
> And you can't build a Facebook wall with intercontinental latencies.

I have yet to see a Facebook wall in under 0.133 seconds, I'm not sure
intercontinental latencies are the biggest problem in web performance these
days...

~~~
lucian1900
The latency would be incurred several times when loading a single wall. As an
experiment, take a moderately complex web app and deploy it in a different
continent from the database it connects to.

~~~
jarek
If you're at the point of storing data on different continents and being aware
where it is stored, I'm not sure what is stopping you from batching your
trans-continent queries so that you only hit the trans-continent latency once.

------
axx
European citizen here, and as much as I welcome a step like this, it's also
pretty interesting to see what this means for smaller (online) businesses
outside of Europe.

Sure, you want to host customer data from Europe in Europe (latency-wise)
anyways, but now that this will be more or less required it will be
interesting to see how people will solve this. The good thing is, with "the
cloud" you have a lot of options (locations) to choose from.

~~~
estefan
Yeah good luck setting up a startup now. If other countries follow Russia's
suit, we'll soon end up having to somehow determine where a user is from (what
if they're roaming, etc.?) so we can shard the datastore across multiple
geographic locations. So obviously this = increased costs & complexity which
will slow the speed of iteration :-(

~~~
Majestic121
The easiness of setting up a startup should not be held in higher regard than
people's right to privacy.

~~~
Menge
I'm as much for generating friction as anyone else. But I wouldn't pretend
that keeping data in any country in NATO isn't akin to giving it to five eyes.

Basically the EU is creating a PR stunt that in theory could force them to
enact some minimum veneer of standards and that PR stunt is going to have
higher short term costs for the small private sector players than the large
ones.

It is entirely possible the stunt will instead pay off for the other EU
governments and against the privacy of their population by getting them
invited further into the club.

~~~
Oletros
A ruling from the higher court of the EU is a PR stunt?

~~~
Menge
Germany thought the antennas on their land were just for astronomy?

~~~
Oletros
What do some antennas in Germany have to do with a ruling from the ECJ of a case
referred by the Irish High Court about Facebook?

Are you saying that the ECJ ruled without looking at the case merits?

~~~
Menge
I'm saying that no material facts have changed or were unknown by the
governments before the safe haven and that I am skeptical that the case would
have been heard at all without public revelation and interest.

I am also very skeptical that private data in Germany was or is any safer from
the problems with the safe haven as far as data intentionally illegally shared
with institutions in the US, not due purely to issues on the ground when
defending the data in good faith.

------
makeitsuckless
It's interesting how this is described as a potential "bureaucratic
nightmare". Having to follow the law of the country you're doing business in has
been standard operating procedure for, well, basically all of human history.

Somehow the tech industry seems to think it should be exempt from that, even
if it means being allowed to piss all over the basic civil rights of citizens
of modern Western democracies.

Yes, this is a problem that needs to be solved given the reality of modern
cross-border online services. But it can't be solved by the corrupt political
elite simply selling their citizens' hard-fought rights to corporations
operating from countries that lack respect for such rights.

~~~
davidw
What sucks about it is that the EU, rather than presenting one set of rules
and regulations to follow, and, say, allowing you to host data within the EU
to be compliant, seems to have kicked the question down to individual European
countries, each of which might do something different.

And you wonder why it's tougher to do startups in Europe...

I'm pleased by what the ruling says about the NSA and the pressure it puts on
the need for reform, but less than pleased about the practical implications.

~~~
M2Ys4U
Well the data protection principles are common across the EU - so there's only
limited scope for national DPAs to disagree and there's always the opportunity
to ask the ECJ for a ruling to clarify.

------
julianpye
Does this effectively render any Parse or Firebase application (they only have
US servers) that stores user information (e.g. email account) illegal in the
EU?

~~~
kuschku
_I am not a lawyer, so do not take this as legal advice, please consult a
lawyer if you want actual advice._

This said: Probably yes. EU data laws are mostly about private information,
for example private chat messages, etc.

If you only store email accounts, you might get around the laws, but if you
store anything like payment information, communication between users, etc, you
effectively now have to follow EU data laws, which means: You can’t give any
third party (not even your government or hoster) access, you can’t store it in
countries where the government might just seize your data (like the US), etc.

------
mhandley
I wonder if there are additional ramifications of this, even for European
companies dealing with European customers. For example, what happens when
personal data from a European datacentre to a European customer transits a US
network on the way (such routing diversions are fairly common)? In the light
of Snowden's revelations, this would seem incompatible with EU privacy
regulations unless the data were encrypted. Of course personal data should
always be encrypted, but where are the CAs located? Is a European company
negligent if they don't use a European CA and do certificate pinning?
Interesting times.

------
rmc
Americans: This is time to get your government to change your laws if you
still want to be the leader in the tech field.

~~~
sarciszewski
Even if we adopted identical laws, the government would just ignore them.
We're a nation of criminals.

------
MichaelGG
This sounds great! Though if the owning company is in the US, then the US
views this as reason to be able to access customer data no matter where it's
stored. More fun to come mm?

Question: Why do companies HQ themselves in the US? Why not pick a friendlier
country, then turn their US parts into a simple contractor that supplies
software development and engineering resources? Then the US company would not
have actual ownership of any data. Forcing them to reveal customer records
would be the same as forcing an individual to steal data right?

~~~
saalweachter
[https://xkcd.com/1053/](https://xkcd.com/1053/)

Today you get to learn about: American Exceptionalism!

It is important to realize that, within the US, there is essentially a
universal belief that the US is the best place to live, work, or be in the
entire world. The debate is not so much whether the universe revolves around
the United States, but which city exactly the axis passes through -- New York,
DC, San Francisco, LA. It is very important that a universal axis has a
commonly used two letter acronym, which is why not even a Chicagoan seriously
believes the axis is through Chicago.

When the EU makes privacy complaints against US companies, the common
perception -- even among US citizens who disapprove of domestic spying
programs -- is that _something is wrong with the EU_. The idea that the EU
could be right to hold a US corporation accountable to their laws never even
occurs.

No American could ever conceive of establishing the HQ of a US corporation
outside the US -- except maybe as part of a skeevy tax dodge. The US is the
best place in the world to live, work, and run a business. Why would you want
to go anywhere else? To be fair, most of the US companies that do establish
some sort of off-shore setup _are_ engaging in some sort of skeevy tax dodge.

~~~
MichaelGG
I mean I know a lot of "common" people believe that - I've lived in the US in
the past. But I thought once a lot of money was on the line, reality or
cynicism would set in.

~~~
saalweachter
If money cured bias we'd probably live in a lot nicer world :-)

------
neppo
Off topic, but why does the article use a picture of Mark Zuckerberg with
lipstick photoshopped on?

~~~
blisterpeanuts
I was going to ask the same question! Is it some kind of rendering
incompatibility between this jpeg and most browsers, or just a really crappy
photography touch-up job?

------
mtgx
> The average consumer will not see any restrictions in daily use, but will
> hopefully soon be able to use online services without potentially being
> subject to mass surveillance

> However, US companies that obviously aided US mass surveillance (e.g. Apple,
> Google, Facebook, Microsoft and Yahoo) may face serious legal consequences
> from this ruling when data protection authorities of 28 member states review
> their cooperation with US spy agencies.

Can't wait. This is going to be good.

[http://www.europe-v-facebook.org/CJEU_IR.pdf](http://www.europe-v-facebook.org/CJEU_IR.pdf)

------
jupp0r
So this is what I think will happen: a lot of companies (maybe even the likes
of Facebook and Google) will move out of Europe and just serve everything from
the US. There is not really an alternative to that, how could my EU-hosted
facebook profile not be transferred to the US so my friends can see my book
favourites?

~~~
jarek
Have you ever tried to do ad-selling on Google's scale without local sales
offices?

------
mtgx
Couldn't we get a better source than Business Insider?

~~~
asgard1024
For example:
[http://www.theguardian.com/world/2015/oct/06/us-digital-data...](http://www.theguardian.com/world/2015/oct/06/us-digital-data-storage-systems-enable-state-interference-eu-court-rules)

------
chaitanya
So we are building a messaging product for organizations. I am wondering how
this can impact us if an org that uses our product has employees in both EU
and US (assuming that national regulators in EU go ahead and bar personal data
transfer to US).

* Will we need to partition user data based on location, even if they are in the same organization?

* What happens when a user in EU sends a message to one in US? So right now the chat history for one-on-one conversation pairs is stored in one place, does this ruling mean that now we have to duplicate this chat history for both the users?

* Even worse, what if multiple EU and US users are part of the same chat group? Is there any way we can store the group's chat history in one place?

~~~
icebraining
Sure, store it all in the EU. The US has no equivalent legislation, after all.

------
JulianMorrison
Good. Hopefully this puts pressure on the USA to rein in its out of control
security state.

------
srj
How is it possible that people don't discuss the GCHQ in the same breath as
the NSA? From news reports it seems they may as well be the same agency.
Keeping data out of the US isn't enough, and it's dangerous for Europeans to
think that their own governments are looking out for their privacy. They
should be looking instead to make encryption ubiquitous. This may be limiting
corporate data storage, but I don't think this impacts intelligence gathering
for the US at all.

~~~
M2Ys4U
Well it's not _just_ about the NSA - although that is what triggered the case
that this judgement is from.

Even if the NSA (and GCHQ) wasn't collecting everything, US law still wouldn't
provide enough protection to comply with EU privacy norms.

------
nabla9
My reading of the judgment is that it just throws the decision back to the
national courts to decide what constitutes safe harbor. Safe Harbour agreement
between US and EU streamlined the process for getting access to EU data. Now
it must be decided at national level.

[http://www.politico.eu/wp-content/uploads/2015/10/schrems-ju...](http://www.politico.eu/wp-content/uploads/2015/10/schrems-judgment.pdf)

------
Aloisius
If I'm a US company that does business in the EU, is there any reason that
personal information collection can't just happen through a US web server?
That way it is the user who is transferring the data to the US, not the
company.

Updating your name, birthday and other personal information would take an
extra 100 ms in order to POST to the US, but it could then be replicated back
out to the EU for reads if necessary for performance.

~~~
AlphaSite
Wouldn't that be the case if you're paying for a service on US soil from
outwith the US, instead of providing a service in a foreign country?

------
erikb
Great success! They should try it the other way around. Looking for the set of
things they can do that are correct in the European countries and then apply
it to the US as well. If the biggest argument is to simplify ruling and
management then this approach would be just as good as allowing US rules to
overwrite European rules, right?

------
IBM
It's interesting that certain bloggers such as Dustin Curtis and Ben Thompson
have claimed that Apple's privacy stance will ultimately hurt them because
they'll be at a disadvantage to competitors, but it seems like they've shown
some real foresight when you take this ruling into consideration.

~~~
Oletros
How does this ruling affect Apple differently from Facebook or Google?

~~~
tomp
Apple's business isn't based on exploiting the user's data and shitting all
over their users' privacy (as has been the case with Facebook in the past, and
Google too to some extent), and they've taken explicit steps to safeguard
their users' privacy (e.g. encryption, ad-blocking).

~~~
Oletros
What does what you say have to do with the ruling?

What does the business model have to do with a ruling that states that user
data can't be transferred?

How is iCloud different from Google Drive?

~~~
tomp
The point is that Google will have to adopt much more than Apple. Sure, iCloud
and gDrive might be equivalent, but there is no Apple equivalent to e.g. G+ or
G-ads.

~~~
buster
As if there would be a difference in motivation between evil corp#1, evil
corp#2 and evil corp#3. You can substitute those names with Apple, Google,
Microsoft, Facebook, Amazon, whatever you like. If you think for one minute
that Apple is only a fraction better than their competition you're very
misguided by Apple's great marketing.

Honestly, if you think G+ is bad, or Adwords, but the appstore is not (Or
iCloud, iwatch, Siri, Amazon Echo, Whatsapp, etc.) you will need to do a
reality check. All of those are very privacy intruding and every company will
do its best to make money off your data. And pretty much all of those services
are _made_ to collect as much information as possible about you.

Use Apple or Google or Facebook and store your private data to be datamined
and monetized but please don't fall for marketing speech and all that "don't
be evil" bullshit every mega corporation is telling you.

~~~
tomp
Could you explain to me again, please, how does Apple make money from my data?

~~~
mcintyre1994
Can we agree that Apple make more money as a result of having "targeting
groups" for iAds compared to if they didn't use any targeting? If so, by
targeting iAds using data disclosed here:
[https://support.apple.com/en-us/HT205223](https://support.apple.com/en-us/HT205223)

~~~
tomp
Thanks, I didn't know about that. Still, much better than the rest of them,
IMO.

------
copsarebastards
This is good for everyone's privacy. By making it difficult for businesses to
centralize the storage of US and European data, the European court has
incentivized businesses to pressure the US government toward laws that respect
our privacy better.

------
cmurf
I wonder if some companies have sufficiently complex operations globally, that
they end up with mutually incompatible laws and would have to either stop
doing business in a country or split itself in two to continue to operate?

------
AndrewKemendo
While this is a win for individual privacy, it does truly make scaling web
services significantly harder and more costly.

Being in compliance is fairly easy for large companies, but it's going to be a
challenge for startups.

------
kornakiewicz
Prohibition of storing behavioral data would be a great next step.

~~~
Oletros
Why?

~~~
kornakiewicz
Because storing and processing data about a user who is unaware that
such data is even collected is de facto spying?

~~~
Oletros
Can you give an example of a company storing and processing data without
telling it in the service policies?

And you have said that ALL the behavioral data collection must be forbidden.
Even if the user agrees with that?

By the way, spying is already illegal. If you know about that behavior you can
sue those companies.

~~~
kuschku
Any ToS that contain "unexpected" or "surprising" clauses are automatically
null and void under EU law. Even if the user agrees with them.

~~~
Oletros
Perhaps the clauses are void, but what the OP said is that there is no
information about data being collected.

This is what I'm asking for, an example of one of those companies "spying".

------
codedokode
Hosting data locally in the EU doesn't solve the privacy problem because the
servers are still operated by USA companies that can (and obviously will) share
the data with NSA. The solution is to create more local services so the data
never leave the country. It is also better economy-wise so the money stays in
the country too.

~~~
M2Ys4U
That's one thing that the GDPR (General Data Protection Regulation)[0] which
is in the legislative pipeline at the moment is looking to fix.

The proposals include being able to levy a fine up to €1,000,000 or up to 5%
of the annual worldwide turnover (whichever is _greater_) if they fail to
comply with EU data protection rules.

[0] [https://en.wikipedia.org/wiki/General_Data_Protection_Regula...](https://en.wikipedia.org/wiki/General_Data_Protection_Regulation)

~~~
codedokode
Such violation would be extremely hard to prove if the data were exported to
US via secure channels.

------
SimplyUseless
While this is a massive ruling, there are valid exceptions that allow
companies who have agreed with their clients to transmit their data from EU to
US while keeping data separation and with respect to the data protection law.

This is not a blanket-panic for all US/EU companies as the media are
projecting.

~~~
chopin
The difference to Safe Harbour is that the client can revoke their consent at
any time. After that the data must be pulled off US servers.

If I ask Facebook to delete my data, they are absolutely bound by this. There
is no legal way anymore to just hide the data from me.

------
karavelov
This is just a small victory. AFAIK, the US government can still ask, without a
court order, Facebook or MS or any other US company to hand them the data of/for
European citizens that is hosted in Europe.

~~~
M2Ys4U
That's one thing that the GDPR (General Data Protection Regulation)[0] which
is in the legislative pipeline at the moment is looking to fix.

The proposals include being able to levy a fine up to €1,000,000 or up to 5%
of the annual worldwide turnover (whichever is greater) if they fail to comply
with EU data protection rules.

[0] [https://en.wikipedia.org/wiki/General_Data_Protection_Regula...](https://en.wikipedia.org/wiki/General_Data_Protection_Regulation)

------
finnjohnsen2
Perhaps it's time to p2p everything.

------
pinaceae
well, I guess LinkedIn is hosed. and AWS which does global replication. and
and and.

this ruling ignores the decentralized nature of the internet.

worst case is Europe being shut off from any tech advances, while the Pacific
region from Cali to China takes off.

------
_of
I wish the title was "EU's highest court". Europe != EU.

------
VikingCoder
No, this is terrible.

These countries are demanding we run our services in their countries. This is
a money grab.

Note that these same countries expect the United States to act as World
Police, and do not contribute as much money as they should. They want the US
to know about attacks ahead of time. I wonder how the US could possibly know
about attacks ahead of time?

I deplore mass surveillance. I really do. But I think wiretapping with a
warrant is a necessary tool for fighting crime, and terror, and bad state
actors.

There's a part of me that desperately hopes all major internet services just
shut off Europe entirely. Welcome back to the Stone Age.

~~~
flatline
The US finds out about attacks ahead of time the same way we always have:
through intelligence operations, not data mining. I don't think anyone is
saying that targeted, legal wire tapping is somehow off-limits now. I don't
see how this would impact the ability of a company to assist the authorities
in monitoring individuals' communications, either - it will, _possibly_, make
it more difficult for the NSA to do a blanket gathering of foreign
communications, which I believe is the point.

Large service providers like Google and Amazon can and will comply with the
laws. It is possible that social media start-ups will be unable to operate
across borders due to regulations, but this will hardly be a staggering
setback to the European populace's ability to share photos of their food. I
doubt there are any real implications for things like freedom of
speech/expression: these types of services are already effectively illegal in
places with heavily authoritarian governments.

~~~
VikingCoder
Congratulations. We just broke the INTERNET part of the internet.

Only large service providers will be able to comply with all of the laws. Why
are we patting ourselves on the backs for this?

~~~
icebraining
_Only large service providers will be able to comply with all of the laws._

Why, exactly? And what are "all of the laws"? The data protection directive is
not that complicated or onerous, and besides, you can avoid it wholesale: just
don't store personal data.

------
peter303
The Euros are jelly they did not invent profitable Big Data. So they will be
putting every roadblock possible against those who did.

~~~
icebraining
By retroactively passing a Directive? I'd take time travel over big data any
day!

------
unfamiliar
>That could be a bureaucratic nightmare: In theory, American companies with
European customers could now end up trying to follow 20 or more different sets
of national data privacy regulations.

Good. If you want to be a multinational company, then you should have to obey
the laws of each country.

~~~
coldcode
> Good. If you want to be a multinational company, then you should have to
> obey the laws of each country

Good luck with that. If the US mandates you do X and EU mandates you do !X.

~~~
unfamiliar
So, let's say for example that the US requires that you keep data on customers
so that law enforcement can use it, but the EU requires that you _don't_ so
that privacy is protected.

Are you suggesting that one of those laws should be changed to make it
easier for multinational companies to operate, even though there was a good
reason for the law in the first place? Because I would say that if the company
absolutely has to keep customer data then they shouldn't operate in a country
where that is illegal, and if they refuse to keep customer data then they
shouldn't be operating in the country where it is required.

------
jsudhams
This is good and I see no reason why this cannot be done easily for most corps
(except the ones who mine personal data). For why would you not have critical
personal data in the specific country table/database that is in that specific
country? If you do not provide the service in that country and someone signs
up, then inform them that the data is not safe and give a visible warning. Is
that really difficult? I used to have a DB library layer earlier where, based
on employee location, it would direct their data to that location.

~~~
mcintyre1994
Are you allowed to breach these rules if you provide a visible warning?

------
UserRights
The "good" companies should relocate their business central away from the USA
and come to Europe!

Some big companies should finally stop talking and start acting, this is the
only chance for a real change.

Cut the NSA-Brotherhood ties! These little Hitlers from all the affiliated
"Clubs of Dystopians" and the War-Industry completely destroyed the most
important association of "USA == Freedom" in the world. Face it. Deal with it.
Act accordingly.

For people interested in history: it might be interesting to look at the
post-WW-2 de-Nazification process in Germany to understand how hard it is to
remove established circles of anti-democratic bureaucrats from power
structures. This will take a very long time (if it happens at all).

The better immediate reaction would be to support progressive and
freedom-oriented societies with your technical powers until "good old USA" is
restored. Europe is not perfect, but what happens in the USA nowadays is pure
dystopia, a very unhealthy development that will lead to a negative outcome
for all of us.

Once people came to the USA because of suppression and lack of freedom in
their home countries. Just a few generations later, if you have the same sense
and longing for freedom as these ancestors of yours, it is now time to leave
that continent as the suppressors followed your trails - come home to Europe
and together we can build a better future!

