
Ireland to Order Facebook to Stop Sending User Data to U.S. - bigpumpkin
https://www.wsj.com/articles/ireland-to-order-facebook-to-stop-sending-user-data-to-u-s-11599671980
======
mesofile
This has been a long time in coming, and is significant for the EU as a whole
because of Ireland is the designated lead regulator for data privacy issues.
This Politico article [0] from last year has a great overview of the history
including background on how Ireland wound up taking a lead role on tech
regulation in Europe.

[0] [https://www.politico.com/story/2019/04/24/ireland-data-
priva...](https://www.politico.com/story/2019/04/24/ireland-data-
privacy-1270123)

~~~
tgsovlerkhgsel
"Designated lead regulator" \- isn't it just that most companies picked
Ireland simply because their privacy authority was the one least willing to
take any action?

Them finally doing something would be huge.

~~~
semicolonandson
These companies came to Ireland not because of this but because of lower
corporate taxes and an English speaking population; they arrived long before
privacy regulation was on the table in Europe.

~~~
gerbler
As well as being the only English-speaking country in the eurozone

------
thefj
When Russia did it it was reported as "Move Seen as Part of Drive to Curtail
Freedom of Information"

[https://www.wsj.com/articles/russia-steps-up-new-law-to-
cont...](https://www.wsj.com/articles/russia-steps-up-new-law-to-control-
foreign-internet-companies-1411574920)

~~~
Spivak
British Columbia also has a similar law which has been reasonably well
received.

~~~
londons_explore
If I make a Google Doc from British Columbia, it is transferred to and stored
on 15 servers in 5 datacenters, all outside British Columbia.

An image in the same document ends up in (kinda, depends how you measure) 4
servers in 3 locations - also none of them in BC.

Is Google breaking the law here, or is there some exception?

------
AndyMcConachie
Just to be clear, this isn't about data on Irish persons, it's about data on
EU persons.

------
hengri
Regulations like this only widen Facebook's moat. Compliance is a huge
challenge for resource starved startups.

~~~
52-6F-62
Surely only if their model involves imitating Facebook's practices surrounding
user data?

~~~
ch4s3
I think the parent means that having to partition data by region is
difficult/expensive and hard to do if you're a small company.

~~~
rusk
Is it? Really? It’s only when you get to data centre scale that this kind of
policy becomes harder to implement... sure even when I create storage
instances “in the cloud” I can say where I want the data located.

~~~
dwild
And you won't have to build one storage instances for the US, one for the EU,
one for China, and one for every single country that decide that their privacy
regulation are superior than others countries...?

Facebook can have a pretty big team to engineer that kind of infrastructure,
while the startup won't have that luxury. It's even worse when you need to go
through a lawyer to make sure every single regulations are followed to the
letter.

~~~
rusk
So what? Like I said, it’s literally zero hassle to create new instances. What
makes you think you’re entitled to mix all your users into one database
anyway. If you’ve a hundred users in one country it’s worth your while having
an instance just for them.

Lawyers will oversubscribe for _everything_ it is up to you to familiarise
yourself with the legal aspects and get your engineers to design within these
constraints. You didn’t think engineering was just programming did you?

~~~
dwild
And you still fail to see how all of this make this much more easier to apply
for Facebook than any startup?

> If you’ve a hundred users in one country it’s worth your while having an
> instance just for them.

What? No. We are on the web, you forgot that what made Facebook a billion
dollar industry was that they could get pennies out of billions of users every
month?

If you can get hundred of paying users, sure, but then to me that has nothing
to do with the web, that's simply selling a product. The web is more than
selling, it's about allowing access, which sadly, is more than selling.

------
ponker
Is a Facebook friendship between an Irish resident and a US resident US user
data or Irish user data?

~~~
floatingatoll
1) Is a US resident permitted to declare on their Facebook page that they are
friends with [ARBITRARY STRING OF CHARACTERS HERE]?

2) Is US Facebook allowed to record a user-provided and recipient-approved
statement of metadata association that references a “Person/Entity” that could
potentially be in the EU?

3) Is US Facebook allowed to benefit from processing of metadata without
receiving GDPR-compliant permission from the “person/entity” referenced?

I believe the answer will end up being Yes, Yes, No; Facebook EU/US can permit
two world citizens to intentionally declare their friendship each other, and
the cross-site link is user-specified and passes a “judgment call” opt-in test
— but Facebook US cannot make use of that data record in any way that benefits
Facebook (such as training models, tracking via social network data, or
targeting advertising) _other than_ to exclusively deliver minimum
functionality. For example, not okay: “automatic face recognition tagging”;
okay: “instant messaging”, “wall posting”.

Disclaimer: I am not your lawyer, I have not prepared citations for your
review, please seek legal counsel if you’re considering actions based on my
opinion, etc etc.

~~~
dwild
> Disclaimer: I am not your lawyer, I have not prepared citations for your
> review, please seek legal counsel if you’re considering actions based on my
> opinion, etc etc.

That say a lot....

~~~
floatingatoll
It does, yes.

1) IANYL is not widely-recognized, so I have to spell it out. The unusual
phrasing, versus the typical IANAL, is because "I am not a lawyer" is
inappropriate to use. If you are perceived as having given legal advice, it
isn't necessarily relevant _whether_ you're a lawyer, and if you _are_ a
lawyer you might not be allowed to 'practice law' in the jurisdiction of every
reader, and find yourself subject to enforcement actions if you are found to
have failed to highlight this distinction. Specifying clearly "I am not your
lawyer" clearly indicates that you are not acting in any capacity as lawyer
with respect to the reader, denying any opportunity for misinterpretation
otherwise. It also clearly highlights that no duty to clarify, followup, or
respond exists as a result of the comment, which is frequently misunderstood
by Internet forum participants (see also following).

2) HN users frequently seek citations for opinions. Whatever their
motivations, I have none to offer here. Clearly stating so helps them
correctly perceive this as an opinion posted on an Internet forum, rather than
misconstruing it as legal advice provided by a lawyer. They may choose to
reject the opinion as it is insufficiently supported, which is of course their
right. See also above.

3) Finally, "seek legal counsel" reminds the reader that a profession exists
to make judgement calls about these things, and recommends consulting formally
with such a professional rather than depending solely on an Internet forum
comment. It also reiterates the "this is not legal advice" sentiment that the
above try to convey, offering an additional layer of defense again people
somehow misunderstanding the degree of legal advice that an Internet forum
comment can provide and then suing for recompense when they don't like the
outcomes of their actions.

If you can think of a shorter way to say it, I'm open to considering it, but
IANAL certainly isn't enough.

~~~
dwild
Sure but my point is that it's so complex that you need to seek a lawyer or
else you may not be able to do it.

That's what I always like about software development. It was simple, it was
accessible... but now, you need a lawyer for each individual jurisdiction.

------
fjni
This seems like an impossible task unless you have a European Facebook and a
US Facebook and a user of one can’t interact with the other.

If a US-based user interacts with data posted by the European user, is that
not considered “Sending data to the US?”

~~~
PeterStuer
An analogy: it is not because I occasionally send and receive email to and
from US citizens that my mail provider needs to send my complete mailbox, user
credentials, profile and interaction data to the US.

~~~
dwild
Sure but the interactions aren't occasional over Facebook, they are pretty
regular, in fact it's the whole concept of the platform to constantly share
that data to your friend group.

Sure it could be only accessed when you friend request it, but then it goes
over a whole lot of performance issue and complex infrastructure, all that
over something you voluntarily decided to publish... while not having any
advantage. Facebook still has access to that data either way. You still have
to believe their pinky sweare they won't do anything bad with it.

I would agree with anything sensitive, like banks information, medical
information, etc... Things that make sense to pay for an actual regular audit,
but for a social network like Facebook... that become completely absurd.

~~~
PeterStuer
There is a clear distinction between data I share publicly, data I share
explicitly with US Facebook users, and data that I share in a limited setting
not involving any US users.

Unless caught red handed, we generally trust companies to comply, but
sometimes verify.

The technical argument, that it is too inconvenient to comply with the
regulation. has little merit in this case.

~~~
dwild
> There is a clear distinction between data I share publicly, data I share
> explicitly with US Facebook users, and data that I share in a limited
> setting not involving any US users.

You lost me there. You shared it with Facebook users, which are worldwide. Are
you from Canada? Well look at you reading my comment I voluntarily pushed over
HN, a website accessible worldwide while I'm Canadian. Isn't it absurd that
because I'm in Canada I wouldn't expect you to be able to read it? You and
everyone else that are on HN? This is not something I send specifically to
YOU, this is not something

> Unless caught red handed, we generally trust companies to comply, but
> sometimes verify.

Isn't it what we complains about here though? We do not expect Facebook US to
handle the data correctly. Yet they do expect them to do it in Europe? I can
see your point, Europe can't verify what Facebook do in the US. It's a good
point, but I would have been less against their idea if that was the solution,
requiring them to allow Europe to verify or else they wouldn't let them hold
that data.

------
tyingq
Interesting. Does Facebook already have separate infrastructure for Europe,
but just forwards user data to the US mothership? Or is the infrastructure all
"mixed together"? I'm curious how hard it would be to comply.

~~~
saddlerustle
Facebook's infrastructure is one global transparently replicated database.
Siloing data by legal jurisdiction is a huge engineering change. Fortunately
they have a head start - there was a big project to enable this for when they
still had hopes of operating in China. It's kind of sad to think that this is
now going to be used for Europe.

~~~
1propionyl
I find it hard to believe that the inherent risks of this engineering choice
(one globally transparently replicated database) weren't discussed.

States coming to a variety of conclusions and making a variety of decisions
about how to treat a private US company holding an unimaginably large amount
of social data and metadata... was an eminently knowable and completely
obvious set of risks going in, so I have little sympathy for Facebook
"failing" to plan a mitigation for those risks. It's hard to see it as
anything but a deliberate choice.

Unfortunately, given their past history I suspect the hope was that the
company would be able to have its cake and eat it too, by playing on
legislators' and citizens' lack of technological literacy and adhering to a
"better to ask forgiveness than permission" policy. Throwing up engineering
hurdles to compliance just benefits Facebook in this case, because they're
banking on states' inability to simply ban Facebook. Facebook can force them
to the table, with the deck stacked against them.

"Won't your citizens be angry if you make Facebook inaccessible to them?"

"Everyone uses it! That could be seen as censorship!"

"Let's work together to find a solution that benefits everyone."

It's the same story as with Uber and AirBnB.

~~~
throwawayoo1
One thing EU can do is to fine FB, you don't need to censor FB, but until FB
does not cooperate just charge 10% of revenue. (and increase 1% every year)

Problem solved

~~~
colejohnson66
GDPR allows fines up to 4% of global(?) revenue (not profit). That’s a pretty
significant chunk of change for companies the size of Facebook and Alphabet.

------
msla
How is anyone going to enforce this?

~~~
Vespasian
Like any other regulation?

Rules, Letters to enforce those rules, Strongly worded letters to enforce
those rules.

Announced and unannounced audits to ensure compliance.

In the extreme case and only if needed, fines, warrants and searches or
revocation of access to customers (EU companies wanting to advertise) and
resources (FB users in Europe).

FB knows that and they also know this particular case is very public so they
will either comply (probably hesitantly and last minute) or withdraw from the
EU market if the bean counters say it's not worth the effort.

------
DoofusOfDeath
Anyone know what this means for U.S.-Irish dual citizens living in the U.S.?

I've never heard a clear answer about how GDPR applies in dual-citizenship or
non-EU-residence situations.

~~~
smnrchrds
All official wordings suggest it is based on residence, not citizenship:

[https://ec.europa.eu/info/law/law-topic/data-
protection/refo...](https://ec.europa.eu/info/law/law-topic/data-
protection/reform/rules-business-and-organisations/application-regulation/who-
does-data-protection-law-apply_en)

~~~
Vespasian
One might thing that the territorial principle based on the users (possibly
long term) or companies location applies here.

------
ffggvv
that's cute. fb market cap is double their gdp. they should just acquire
ireland

------
arthurcolle
How do you get the benefits of using distributed architectures when you have
to keep data within a single region? Seems so annoying

~~~
rapind
Probably not a big deal if your business model doesn’t revolve around
harvesting user data.

~~~
Spivak
Implement a messaging system where people in two countries communicate but
each person’s data must remain in their own country.

Now search for users in your “add friend” dialog. Are you now querying a
database per country?

~~~
rapind
So you're saying email beyond one's border can't exist under GDPR?

~~~
Spivak
No, it just makes it more complicated to stitch together since each country
can’t have a full replicated copy of the data.

~~~
rapind
There's more nuance to it, but IMO this is a good thing for consumers. We've
been collectively pretty horrible w/ the security of user data even when we're
not sharing it w/ third-parties intentionally.

Storing user data _should_ be difficult, otherwise there's no incentive to
really think about how you store it and how securely.

