
Top EU court overturns US data transfer agreement in Facebook case - tpush
https://www.dw.com/en/eu-us-data-transfer-facebook/a-54194377
======
boshomi
Max Schrems[1]: “The Court clarified for a second time now that there is a
clash between EU privacy law and US surveillance law. As the EU will not
change its fundamental rights to please the NSA, the only way to overcome this
clash is for the US to introduce solid privacy rights for all people –
including foreigners. Surveillance reform thereby becomes crucial for the
business interests of Silicon Valley."

"This judgment is not the cause of a limit to data transfers, but the
consequence of US surveillance laws. You can’t blame the Court for saying the
unavoidable - when shit hits the fan, you can’t blame the fan."

[1] [https://noyb.eu/en/cjeu](https://noyb.eu/en/cjeu)

------
hugoroy
The judgment is here:
[https://noyb.eu/files/CJEU/judgment.pdf](https://noyb.eu/files/CJEU/judgment.pdf)

Start at page 28 if you want to skip the recap of EU law, or start at page 35
if you want to skip the details of US law and surveillance programs as recapped
by the Irish court that referred the case.

~~~
amelius
> MrSchrems, an Austrian national residing in Austria, ...

It's a bit sad that people have to fight this war on personal title.

~~~
the_duke
Schrems has a history of doing this. [1]

It's mainly odd to me that there aren't more privacy / consumer protection
groups doing the same things he does.

[1] [https://en.wikipedia.org/wiki/Max_Schrems](https://en.wikipedia.org/wiki/Max_Schrems)

~~~
corty
European privacy and consumer support groups are mainly after lawyers' fees.
They mostly make money by notifying misbehaving companies of their
misbehaviour, collecting fees for the (usually unwanted, but enforcedly
payable) notification ("Abmahnung" in German).

Dieselgate was started by such a group.

The system is not all bad, but incentives are against stuff like this being
litigated by the usual privacy or consumer support groups, because you just
can't collect fees from the legislative branch...

~~~
esperent
Which groups are you talking about?

------
arpinum
I work in a sector with a requirement to keep data out of the US. It is VERY
hard to find providers who can promise not to do this. Even when servers exist
in the EU, many providers' contracts have clauses that allow transfer to the
US, as they have staff there who may access the data.

I can see company legal departments taking this ruling to prohibit transfers,
even with a DPA in place, and causing havoc around the EU.

~~~
dgellow
I worked on fintech projects in Europe, with German banks as our main clients.
Their requirements went as far as refusing any service that would have their
support teams (or part of it) located in the US. It was quite challenging to
fulfill their demands, and increased the development and maintenance cost by A
LOT, but definitely possible.

And once you have a working system and solutions in place, that becomes quite
a good sales argument.

And yes, the EU is really lacking providers that can follow those
requirements. At some point Microsoft had a German cloud completely distinct
from their other offering and managed by Telekom, but they stopped a few years
ago (and it wasn't really in a production ready state IMHO...).

~~~
nix23
>I worked on fintech projects in Europe

I don't see the problem: buy HP Enterprise hardware (support is based in the Czech
Republic), install SUSE for example (but not Red Hat), ask a data center of
your choice, place your hardware there, make your own 'cloud'... profit?

~~~
dgellow
As I said, it’s definitely possible. We did create and maintain our own
clusters. That’s way more expensive and time consuming than using existing
offerings from public clouds, and you are on your own in case of issues. Your
competitors who don’t have that kind of requirement can build and iterate on
their products way faster.

~~~
terom
This. Worst-case you end up being forced to use some terribly implemented
private cloud solution which ends up being even more expensive and time
consuming than deploying your own hardware.

~~~
smartbit
k8s to the rescue ;-)

~~~
dgellow
I don’t know if you’re joking or not, but in the case of those fintech projects
I’ve been part of a migration to k8s. That was already in progress 3 years ago
when I joined the company, and it wasn’t completed when I left at the beginning
of this year.

Managing your own k8s in production isn’t a simple task at all :(

~~~
nix23
That is true, I was asked to implement k8s in 6 months; they said that way I'd have
plenty of time to find all the problems (I tried really hard not to start laughing).

------
jeroenhd
Privacy Shield is dead, long live privacy shield.

I wonder how many attempts it will take for this deal to be considered legal
before the US actually has to do something to hold up their end of the deal.
The US government would scream in rage if Germany ever demanded the
ability to order Microsoft or Google to hand over information about US
citizens in complete secret, yet the EU will gladly take the word of the US
government that it won't happen.

The EU also has plenty of incentive to encourage keeping data within the
boundaries of its member states. Making it difficult to use American tech
giants as a lazy quick fix for data storage instead of looking at local
alternatives only helps limit the amount of money taken from the European
economy. With the scandals and state of the current US government I find it
hard to believe the EU will be able to draft a new agreement like this with
the US without compromising on the rights of their citizens.

~~~
Dobbs
> Privacy Shield is dead, long live privacy shield.

Apologies for being pedantic, but "The king is dead, long live the king" is
referring to two distinct uses of the word king. It is the equivalent of "The old
monarch is dead, long live the new monarch".

So for this to work in your case it would need to be:

"Privacy Shield is dead, long live new-replacement-law"

But without a replacement law, the phrase just doesn't work.

~~~
jeroenhd
My point was that there will probably soon be a new, similarly lacking Privacy
Shield with a similarly silly name (Secure Data Exchange Act? Privacy
Protection Plus? Data Protector Agreement?).

We don't know the name of the new law yet, but Privacy Shield was quickly
implemented because the agreement before it was deemed insufficient, and the
same will likely happen again.

------
terom
The idea would be to align the commercial interests of US cloud service
providers with the privacy interests of EU customers.

From the EU citizens' perspective, the ideal outcome would be for US cloud
service providers to pressure US authorities to limit their surveillance of EU
citizens and provide some kind of privacy guarantees. Here's to wishful
thinking...

~~~
DaiPlusPlus
Google, of all companies, was a major supporter of California's CCPA (Cali's
GDPR-like legislation) last year.

Cynically I suppose it was to ensure they'd at least have a say in what the
CCPA covered... and to hurt their rivals (Facebook, etc).

~~~
TomMarius
GDPR was supported by the biggest EU corporations as well - not much could
help them more :-)

~~~
dijit
The idea that the GDPR as a regulation helps established companies 'who can afford
a GDPR team' more than Joe the Shoemaker is a weird meme.

GDPR hurts large companies that abuse data; the actual legislation is one of
the most proportional regulations I've ever seen.

You have the right to store people's personal data if it's used and not
processed for non-implied purposes (i.e. generating profiles of people after
sale) and not sold to another company.

So when someone throws up a big "GDPR NOTICE" and you have to press the big "I
agree" button, it behooves you to read it; because that's often not required for
the service, it's what's required for the company to sell on your data.

Joe the Shoemaker can take your email address or phone number and call you;
he's not going to have a hard time under GDPR.

If you're abusing data, you're going to have a hard time - and that's good.

~~~
theptip
There are two factors at play here; both you and the GP are making points that
are correct.

1) As you say, "If you're abusing data, you're going to have a hard time - and
that's good." Companies that are built on selling your data (e.g. data brokers
in the marketing / finance industry) or sharing it without your consent (e.g.
Facebook with Cambridge Analytica) will have to stop those practices. GDPR
working as designed, win.

2) For business models that are viable under GDPR, then at the margin GDPR is
going to prevent small companies from entering the space, to the benefit of
larger companies. Your example of Joe the Shoemaker is the trivial case. What
if your business has a need to collect PII, banking information, perform Know
Your Customer checks, and retain that data for 5 years under the US Banking
Secrecy Act? Or collect electronic personal health information? Or submit to
any other conflicting regulatory regime? You're missing the fact that lots of
businesses have a legitimate need to collect more than just an email, and that
other regulations directly conflict (per country) with GDPR. In these cases,
adhering to GDPR is more than just slapping a GDPR dialog onto your email
submission modal; it might require a significant amount of time talking to
expensive lawyers to figure out how to comply with all of the applicable
regulations.

This is the basic dirty truth about regulation; large companies can typically
afford to lobby to make sure the regulation isn't going to ruin them, and then
they can afford to implement the regulations even if they are very complex.
After implementation, regulation like GDPR becomes a moat. Consider how hard
it is to start a company in highly-regulated spaces like finance or
healthcare. Though I don't claim that GDPR is as deep a moat as those
industries' regulation, it's the same idea. The regulations as a whole can
still be net-positive to society, but the risk is that when regulators (and
those commenting on regulation) don't understand the real costs of complexity,
it's easy to pile on rules that have the opposite effect than intended.

Note, a common misconception about Google is that it sells/shares your data;
it does not in general do that. Google sells targeted ads, and your data is
Google's competitive advantage; Google built Gmail, Android, and a host of
other products in order to get data that others cannot; your data is Google's
moat. GDPR just talks about sharing your data with other companies; Google is
fine under the GDPR. Sure, the death of Privacy Shield might make Google's
various international entities less able to share data, but the fundamental
business model they follow of collecting first-party data on users is alive
and well.

~~~
IanCal
> Or submit to any other conflicting regulatory regime?

I'm pretty sure the regulations have a catchall "you are allowed to store the
data if legally required to" for exactly these kinds of issues. Need to store
the data for 7 years for tax purposes? Fine.

~~~
theptip
Sure, Article 6, section 1c ([https://gdpr-info.eu/art-6-gdpr/](https://gdpr-info.eu/art-6-gdpr/)); processing is
lawful if "processing is necessary for compliance with a legal obligation to
which the controller is subject"

I think (like the GP) you're oversimplifying though.

Have you ever had to determine what is considered a "legal obligation"? It's
not fun. Much to the distaste of us engineers, it turns out that most laws are
not written in an unambiguous fashion; many (like HIPAA) are very vague in
places, and rely on precedent or tribal knowledge about how the regulator in
question tends to interpret things.

So yes, if you have a clear, unambiguous requirement to keep Personal Data,
then you don't need to lawyer up. If you work in an industry with complex
regulations, then you're going to need lawyers and/or consultants to tell you
how to resolve the conflict between GDPR and those regulations.

------
Barrin92
As an EU citizen I'm glad about the decision, I don't have any confidence any
more that data stored in the US is secure and that the US can be depended
upon.

Also important to point out how much of this goes back to Max Schrems' activism
over the years and noyb ([https://noyb.eu/en](https://noyb.eu/en)). This is a
huge win achieved with relatively few resources. Staying engaged is worth it.

~~~
jjcon
Since many major EU countries share their classified intelligence and
surveillance systems with the US (and the reverse) this seems more like
political speech than reality. The real reason is to preserve what’s left of
tech in the EU but that doesn’t exactly sound as good.

Almost all major countries have surveillance programs. They are perhaps
necessary to preserve national security. The hope of democratic countries is
to have enough checks and balances on those powers to keep them limited to
national security interests and to prevent abuse.

~~~
norenh
There is a difference between sharing information (where you control what is
shared) and letting the other party have all the information and look at it on
their own. The fact that the EU shares intelligence with the US is less of a problem
as long as EU citizens have some confidence in their government and
security services. It is a big difference from letting the US process all private
information about EU citizens and by that enabling the US to rummage around as
they wish without having to obey laws or regulations in the EU.

~~~
jjcon
I don’t think you understand - the systems themselves are shared.

This isn’t ‘let’s decide to let X country know Y’. If it is on the Eyes
network (and tons of things are) everyone gets it per the multi-country
agreement.

~~~
p_l
And there are no more FVEY members in the EU with the UK dropping out.

~~~
jjcon
Yeah if you arbitrarily limit it to the five eyes agreement for no reason. See
nine eyes and fourteen eyes - EU US intelligence networks.

------
jurschreuder
I'm missing the point of why the USA would not just stop this weird spying on
everybody. From China I'd expect nothing more but the USA? They're supposed to
be a decent country.

Then we would not need all these super impractical countermeasures.

~~~
veeti
Did people already forget all about the 2013 leaks? Do you actually think that
the EU is not complicit in the same surveillance practiced by the US?

> For example, Der Spiegel revealed how the German Foreign Intelligence
> Service transfers "massive amounts of intercepted data to the NSA", while
> Swedish Television revealed the National Defence Radio Establishment (FRA)
> provided the NSA with data from its cable collection, under a secret treaty
> signed in 1954 for bilateral cooperation on surveillance...

How is my data any more secure on a German server than an American server?
Some asshole is snooping on it anyway, and the NSA gets access by extension.

~~~
leeter
People forget that the reason this happens is that most countries have laws
against spying domestically. They usually don't have laws prohibiting them
from taking data from other spy agencies spying on their own country. So the
cheap and easy workaround is you let your friends spy on you for you. It's
usually pretty critical for counterintelligence anyway, as the first place an
enemy tries to get into is the counterintelligence department.

~~~
bitxbitxbitcoin
This is the important part that is glossed over. It's very much a situation of
tit for tat, but we can be hopeful that rulings like these aren't just lip
service. Schrems has been a positive force for privacy in the EU.

~~~
leeter
From corporate spying yes. However GDPR contains specific carve outs for
national security, Police, etc.

------
lukejduncan
Dumb question: can someone explain to me the implications on startups and side
projects? Does data mean, any data? If I’m reading that correctly it’s illegal
to allow EU users to use any website with a DB that isn’t hosted in the EU.
That can’t be correct, can it?

~~~
M2Ys4U
It's _personal data_. Which is defined in the GDPR as:

any information relating to an identified or identifiable natural person
(‘data subject’); an identifiable natural person is one who can be identified,
directly or indirectly, in particular by reference to an identifier such as a
name, an identification number, location data, an online identifier or to one
or more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of that natural person

~~~
lukejduncan
I’m sure the true answer is ambiguous, but “personal data” by that definition
seems to imply almost any form of account creation. For sure, that seems to
imply you can’t use email addresses as identifiers. Maybe it implies that so
long as the data isn’t de facto joinable with side data (phone numbers, email
addresses) it may be ok.

------
secfirstmd
Worth also remembering that at the moment the UK is still negotiating with the
EU and hasn't got a data protection adequacy agreement in place. At the same
time it is domestically pushing for increased surveillance laws and powers for
GCHQ etc. That issue in many ways is going to be just as, if not more, tricky.

------
the_duke
Already on the front page, with more comments:
[https://news.ycombinator.com/item?id=23856988](https://news.ycombinator.com/item?id=23856988)

Both submissions are very shallow articles though.

------
Krasnol
This was long overdue.

Let's hope they won't come up with a new name just as they did last time when
Safe Harbour was abolished.

This thing was an insult to EU privacy laws.

~~~
killerpopiller
after "Safe-Harbor" and its successor "EU-US Privacy-Shield" I suggest..

the "Trust-PACT"

P - privacy A - acknowledged C - confidentiality T - treaty

It's not only an insult to EU data protection laws and the EU charter of
fundamental rights.

Not only are the big US cloud providers evading taxes and stifling
competition in the EU, they are also instrumental to US hegemonial ambitions.
All your data (and taxes) belongs to us. That's what's going on.

I wonder how long the standard contractual clauses will hold, I don't see how
they are doing better.

~~~
di4na
This judgement also validated SCC. Basically they are ok because they are
underpinned by "the receiver country need to have proper privacy protections".

So the SCC is legit. You just can't use it with the US.

------
tdrp
Is there some kind of "we are in the EU and understand our data will be stored
in the US and can be surveilled" consent box?

What about platforms that connect people from all over the world? Yeah you can
store EU users' data on an EU server but what if a US user checks out an EU
user's profile. Or are we supposed to completely disconnect each continent?

~~~
Dobbs
You work to the most restrictive set of rules. EU users' data is stored in
places that comply with the rules in question; that could be the US, if the US
complies with EU rules.

If a US user wants to interact with EU content, then they need to comply with
relevant EU rules. They might not have to give the same level of enthusiastic
consent, but the data of their interaction should still be stored in an EU-compliant
manner.

~~~
adventured
That's not quite correct. It depends entirely on what jurisdiction/s you fall
under, where you do business.

If you're a US entity you can freely store EU data on US servers entirely
without EU permission or consent, and do anything with it that you want to
(within US law), so long as you don't operate within the EU. For exactly the
same reason that you can safely ignore GDPR if you don't operate in the EU.

If I build a service that runs its servers only in the US, in nearly all cases
I don't need to concern myself with EU laws. I'll be operating by US laws. I
can allow EU users to sign up and use my service and store their data in the
US. There's nothing the EU can do about that.

The EU will have to enable a draconian Chinese firewall to stop this. They
have no power or influence to dictate to the world such rules, so the only
thing they can potentially do is put their own people in a safety box and lock
them off from the rest of the world.

~~~
HatchedLake721
This is wrong?

It doesn't matter where your servers are, if you offer a service to people in
the EU and you store their personal data, you need to safeguard that data and
comply with GDPR.

It's a law, so it can be enforced through mutual international treaties.

However, common sense prevails in the EU and especially with GDPR, so no one
will go after you because you use Google Analytics and didn't give an option
to opt-out. But if you start collecting personal addresses, emails and phones
disguised as a charity doubling their contributions and then sell that
information to callcenters abroad for tax scams and upload it to 4chan, then
yes, EU's reach will be tested.

[https://gdpr.eu/compliance-checklist-us-companies/](https://gdpr.eu/compliance-checklist-us-companies/)

[https://gdpr.eu/companies-outside-of-europe/](https://gdpr.eu/companies-outside-of-europe/)

~~~
greggman3
This doesn't make any sense to me. So I'm German, I go to Thailand. I buy a
Jet Ski to be used solely in Thailand? Is that Jet Ski under EU law now? Why
is it different if I virtually go to Thailand?

Or don't you like the purchase aspect? Okay, I go to Thailand and rent a car. To
rent the car I need to give them my personal info. A copy of my passport, a
copy of my international driver's license. If we follow the same logic, that
Thai car rental company somehow has to treat the PII under EU laws.

The EU has no jurisdiction in Thailand and the Thai car rental company
should not have to do things differently just because the person renting is
from a different country. That they happen to be online, like say I reserved
the car while in Germany before my travel, seems like it would have zero
bearing on this.

Can a restaurant in SE Asia take a reservation from an EU citizen? They need
to store PII to do it. How does the EU send their enforcers over to that mom
and pop restaurant to make sure their reservation system is protecting that EU
citizen's PII?

I'm not trying to argue it's okay to use PII. I'm instead trying to understand
how these laws actually work because they seem basically impossible to enforce
or even implement.

I see the link above tries to cover this. Unfortunately it covers it in
nonsense and doublespeak.

> Suppose you run a golf course in Manitoba focused exclusively on your local
> area, but sometimes people in France stumble across your site. Would you
> find yourself in the crosshairs of European regulators? It’s not likely.
> _But technically you could be held accountable for tracking these data._

~~~
corty
The law applies to your non-EU company when you target EU citizens and people
currently physically in the EU. E.g. if you sell goods and offer shipping to
the EU, GDPR applies to you. If you do not ship to the EU and do not offer
services to EU residents, GDPR doesn't apply to you.

There are some areas in need of examples:

For your restaurant in Bangkok that takes a reservation from the EU: not
covered by the GDPR because they don't target EU residents; that a resident
used their reservation page is incidental and an exception.

For some purely-online service, if you somehow target world-wide or all
speakers of an official EU language, GDPR applies. That means your French
language online newspaper in New Orleans is affected, if they have an
international section. If it is Chinese language, you are fine. Geoblocking
helps.

~~~
greggman3
That's not what the EU guideline says above. See the Manitoba example.

~~~
corty
Yes, there is a grey area as the guideline says, and "targeting EU residents"
is interpreted very widely. We will have to wait for the courts for an exact
interpretation there.

------
eitland
Hmmmmm. If Apple can get away with providing a less secure version for China
they could probably get away with creating a more secure version for Europe..?

------
geewee
This is bad news for everyone in the EU who has data in the US and uses the
Privacy Shield act as the protection guarantee. We do that currently for some
data processors, and I'm a little intrigued about what we'll do with all of
our US-based data now.

~~~
dx034
It might be good news for EU consumers. There's no technical reason for most
vendors why customer data of EU customers has to be stored in US data centers.

~~~
tdrp
I mean you can store EU users' data on an EU server but if any US users are
allowed to communicate with/look at EU users then obviously the data is going to
travel across the ocean. Maybe I'm reading too much into what constitutes
"personal data" but last I checked they had broadened that a lot. What happens
if I view an EU user's LinkedIn profile from the US - isn't that all personal
data? I hope there's at least an informed consent opt-out for this.

If not, it's not super clear to me what the work-around is other than
completely isolating the continents.

~~~
simion314
>What happens if I view an EU user's LinkedIn profile from the US

How can you see a private profile if it is private?

------
adamcharnock
Hum. I’m in the process of starting up a Wireless ISP in Europe. I was looking
at using a large piece of management software provided by a Canadian company,
hosted in the US. This is starting to feel like a bit of a bad idea.

I was already unimpressed with their “no one has ever asked us about GDPR”
response.

I can totally see an ISP getting heavier regulation in this regard too, given
it is providing infrastructure.

Maybe I’ll code it all up myself while I wait for the dedicated fibre to come
through.

~~~
dx034
Any reason why it has to be hosted in the US? Hosting is so standardized, it's
hard to argue why it can't be moved to the EU.

~~~
adamcharnock
It is a SaaS product and I guess that was just what made sense to them at the
time.

They say they have a lot of EU customers, but something doesn't add up. Either
they don't have a lot of EU customers, or their EU customers are ignoring
GDPR, hosting locations, and (in my case) regulations on invoicing software.

Maybe those customers are just saying, "ah, it'll be fine, let's not worry
about it." Which probably isn't a bad approach for small companies.

I suppose my choice comes down to: Do I want something off the shelf, slick, a
bit expensive, and that may or may not screw me in known ways? Or do I want
something custom, slow to build, a bit clunky, that can adapt to my needs at the
cost of my time, and won't screw me in known ways?

Of course, both may screw me in unknown ways :-)

Anyway, thanks for listening. This is mostly me just thinking this through.

~~~
m4rtink
SaaS management system for WISP seems weird to me. From what I know from the
local WISPs their internal systems need to be very robust and independent from
internet connectivity, so when the network or Internet connectivity goes down,
they are still available to quickly resolve the issue.

~~~
adamcharnock
Yes, I can totally see how that makes a lot of sense.

------
_the_inflator
At the political level this is going to fuel the conflict between USA and EU.
Gas pipeline, data privacy - times have changed forever it seems between USA
and EU.

~~~
bad_user
I don't see a conflict. European countries have had consumer protection laws
that are different from those in the US and US companies have had to comply.
This situation is no different.

The EU wants privacy & security guarantees that US companies can't deliver and
special deals with the US government can't really fix that. But I'm sure US
companies will adapt eventually.

And this goes in both directions of course. For example European banks have to
be really careful in dealing with US citizens due to laws like FATCA.

~~~
allendoerfer
> For example European banks have to be really careful in dealing with US
> citizens due to laws like FATCA.

Their fix is of course to require you to check the "I am not a US citizen"
box.

~~~
the_svd_doctor
I don’t know if that’s sarcastic, but banks are scared to hell to deal with US
citizens. They won’t ask you to fill the other box, they just won’t deal with
you.

~~~
sebazzz
It is not sarcastic - my bank (ING) has these in the forms, for instance when
getting started with their stock buying program.

~~~
lokedhs
Many banks will not allow US citizens to open accounts for that reason. If
they have any US account holders, they will have to report to their tax
authority.

------
fmajid
I don’t know why the article claims the decision was “surprising”. I work for
a US company that is subject to GDPR and we’ve been expecting this for over 2
years, the only unknown was when the ruling would happen, not if.

------
Aachen
This has been going back and forth for a long time now. Perhaps I'm being
naive, but given light delay, companies already host data about and data
accessed by citizens from <insert continent> on said continent, so why don't
companies just store EU data in the EU and be done with it? Wouldn't that
solve the whole issue, years in court, ambiguous rules, companies/agencies
that require local storage, etc.?

------
rydre
Good job Euros! Now you need to level up your tech sector, get rid of the shackles
of Google, Apple, Facebook. Your startups deserve better than the current,
anti-competitive and worse environment! Your companies could do much better;
now is the time to make it happen.

~~~
leadingthenet
It’s never going to happen. We’re a completely decadent society, and we’re
essentially out of the IT race at this point.

~~~
pjc50
People keep saying this while ignoring the local huge boring IT companies and
local subsidiaries of US IT companies.

Does it really matter where the nameplate that indicates the HQ is? Or
does it matter where the profits are taken for tax purposes (Apple appears to
be an Irish company, by that measure)? Or where the CEO and board members are
domiciled? Where the actual staff sit when they work?

~~~
d1zzy
So what you're saying is, that as long as there are other places in the world,
outside of Europe, that still have a regulatory/financial/mentality/etc
framework where new large software corporations can appear and flourish (and
then open offices in Europe), then it's all good for Europe. If so, doesn't
that seem a bit hypocritical? To have tighter privacy regulations locally but
then be happy to accept business/jobs from companies that exist _because_ of
no such regulations in other places (or at the time they were established)?

------
brownbat
Will this have implications for Chinese and Russian services as well? Will the
EU go fully local?

~~~
M2Ys4U
Not really, because the European Commission has not issued an adequacy
decision in relation to China and Russia as far as I'm aware.

Russia is an interesting case, though.

They are bound by the European Convention on Human Rights (although
enforcement is... let's say tricky), and they are also signatories to
Convention 108 (the Council of Europe "Convention for the Protection of
Individuals with regard to Automatic Processing of Personal Data") and they
have signed (but not ratified) the protocol to update the convention (223,
combined known as Convention 108+).

This - in theory - puts them at an advantage over countries like the US which
lack any real privacy legislation.

However 1) Theory and practice aren't the same; and 2) I think it would be an
impossibly hard sell for the Commission to issue an adequacy decision for
Russia purely for political reasons, let alone practical ones.

~~~
brownbat
Oh interesting:

[https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en](https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en)

So Russia/China are already in the "further safeguards needed" camp, along
with... almost all of the world?

I studied a bit of EU law in law school, but haven't kept up as much as I
should. This is a helpful start to dig back in, thanks!

------
plandis
This just seems protectionist to me.

I imagine anything the US is doing is being done by spy/sigint agencies within
the EU.

------
poorman
They are really making it impossible to start a small SaaS product. People
already don’t want to pay $4/mo. for even some of the most popular SaaS
products. I’m afraid all this is going to do is cause these small SaaS
businesses to run twice as much infrastructure, and then transfer the costs
onto the consumers by substantially increasing their prices.

~~~
Cthulhu_
As it should be; I want to pay with money, not my data. And I want my spending
to stay in my local economy, not go to the bottomless pit that is the US.

------
idkwhoiam
Imagine every country comes up with a similar law restricting personal data
transfers. This will render the Internet useless.

~~~
danarmak
An Internet with no _personal_ data is a far cry from useless.

~~~
perpetualpatzer
But surely, you'd concede it's far less useful. No international email, social
media. No access to foreign websites: IP addresses are personal data [0].

Possibly, service _delivery_ is feasible if you set up a warehouse in both
locations to freight forward, but any vendor without the means to operate in
each country.

While I expect my EU pals will say "but of course we will never _apply_ the
law that way," if this was the intent of the legislation, the legislation
looks an awful lot like a nationalist tariff.

[0] [https://www.alstonprivacy.com/ecj-declares-ip-addresses-pers...](https://www.alstonprivacy.com/ecj-declares-ip-addresses-personal-data/?cn-reloaded=1)

~~~
danarmak
> No access to foreign websites: IP addresses are personal data

The OP talks about not _storing_ personal data, which would mean e.g. not
keeping logs of client IP addresses; that does not forbid the Internet.

I agree that a law that literally says or is interpreted to say that my IP
address must not cross international borders forbids the international
Internet. But there is no such law.

It's possible to put together an argument to interpret laws in an undesirable
or unexpected way. That's what lawyers are for. We have to have some measure
of confidence in court rulings; that's part of the system, and law
interpretation is always being challenged.

> No international email, social media.

To the best of my understanding, the GDPR allows people to opt-in to send
personal data. If I send an email to someone in the US, I deliberately share
e.g. my name with them; that's legal. If I send an email to someone in Europe,
and my and their email providers are companies operating in Europe, they
should not transmit or store the email through US servers. That's not
impossible. At least that's my understanding.

The problem with social networks is legitimate, and a real problem, but it's
vastly smaller than "the Internet".

------
mlang23
Finally! There is hope for EU, they apparently found some of their balls. Hope
they keep 'em.

------
34679
Nobody in the US government is going to scream in rage over the violation of
your privacy. The last person who came close is hiding in Russia.

~~~
StavrosK
> Nobody in the US government is going to scream in rage over the violation of
> your privacy.

_by the US government_. Plenty of people are screaming in rage about China,
for example.

~~~
simion314
That is not even closely related to privacy or human rights; it is more about
geopolitics.

~~~
tobessebot
US-EU data agreements are also about geopolitics.

~~~
simion314
Maybe, but there was some agreement and one party is not respecting it, so
let's say it is not nice not to respect your contracts. Star Trek fans are
probably reminded by this of the Rule of Acquisition: "A contract is a
contract is a contract… but only between Ferengi."

~~~
normalnorm
The EU is not some weird hive-mind, it has separation of powers just like the
US. It is the European Court of Justice's job to overturn executive decisions
that trample on the constitutional rights of its citizens, same as the Supreme
Court in the US.

~~~
simion314
I am not sure how your comment relates to mine; maybe I was not clear. The EU
and US had a contract, the US is not respecting it, and these judges looked at
the facts and said, yeah, the contract is invalid, so you can't store private
data in the US using this contract as a base, find something else.

And now US citizens from HN spin this as protectionism or over-regulation and
just ignore that there was such a contract and it was not respected. It would
make sense then that US guys won't complain if someone else did the same, but
you notice that if an app related to China is only suspected of doing
something like that, the mob demands it get banned, while if a US entity has
the power to just search and read anyone's private stuff that is not from the
US, then it's fine.

I mean the US could pretend they won't spy, and then work a bit harder to get
the data they need instead of having 100% full access to everything.

------
mtgx
WSJ: Surprise ruling is a victory for privacy activists

This wasn't a surprise at all. It was very predictable from the beginning for
one simple reason: the US doesn't have strong privacy laws and the US
government's surveillance apparatus doesn't account for whatever privacy laws
exist either. All the gag orders (up to half of all total order requests
according to Microsoft 2 years ago), all the tapping of internet cables and
"partnerships" with the carriers, all the "fusion centers" with all agencies
getting people's data, and so on.

Oh, and best of all, the Privacy Shield said that it was up to the US DOJ to
ensure US companies followed EU law. What a joke.

The EU Charter of Fundamental rights prohibits data from being stored in
countries that don't provide equivalent privacy protections as in the EU. If
you follow this logic, it's obvious Privacy Shield was bound to fail.

An article from 2018: [https://www.hrw.org/news/2017/07/26/us-surveillance-makes-pr...](https://www.hrw.org/news/2017/07/26/us-surveillance-makes-privacy-shield-invalid)

------
KingOfCoders
No one in the EU now can sell on Amazon or eBay.

------
jjcon
> to adequately protect Europeans' data from US surveillance and security laws
> and was therefore invalid

Certainly this is more about protection from corporations with the added
benefit of preserving what’s left of tech in the EU.

Considering the US and most major EU countries share intelligence information
with each other and all have surveillance programs I don’t know that it would
be very effective at doing that no matter where the data is.

------
KingOfCoders
This means no one in the EU can sell on Amazon or eBay. No one can use services
like WebFlow and other hosting solutions. We'll see what future court
decisions say about AWS hosted inside the EU.

~~~
KingOfCoders
Everyone who sells on Amazon and eBay has a data protection policy which
mentions Privacy Shield to legally work with Amazon. The court says only DPAs
work where you make sure that the other party protects data on a GDPR level,
which Amazon doesn't do and can't do.

