What we found is that only the US state and federal governments can demand US-located data from Google. All other economies and agencies can ask for local, but cannot have it as a checkbox requirement: Google retain the right to host you wherever they decide, subject to laws they decide.
Somebody else has noted that Microsoft, for all their faults, actually looked at customers in Europe and said "you know what: we can declare hosting in Ireland is subject to EU laws and we will (at the right price) guarantee your data is in the EU, subject to EU law" and for that, I salute them.
I think Google got this wrong. I think Microsoft got this right.
We didn't go with G Suite. We went another direction with mail and calendar.
I don't understand why you would want a generic Asia/Pacific location. It makes sense that you might want it to be in a particular jurisdiction for legal purposes, so I understand specifying Australia, in the same way other businesses specify EU or US or China. But why would you ever want to say "put our data somewhere in this hemisphere, Australia or Malaysia or Korea are all OK but don't let it be in Ireland or the USA"?
Being told they do "now" is great. 5+ years too late. And, the evidence about this is that Google cave to intercept requests far faster than Microsoft do. Microsoft ask for strong evidence you have jurisdiction. Google don't make any public noise about this, and about how they act.
I am not a hater btw. I use a lot of Google products.
(to latency: a lot of fiber in Asia goes odd paths. Being in Japan or SG wasn't actually a good guarantee it would be faster than from the USA)
Google are getting better, sure. EU feels like they did a reaction to GDPR extra-territoriality issues. The thing is there is either zero selectivity, or there is n+ because nobody codes a two-value toggle for this: they clearly have intent to add more. How many more?
They care about addressing the customers need first and foremost, while Google’s #1 priority will always be tracking and ads.
When the EU said processing needed to be done in the EU, Microsoft was fine with that, while Google has been playing nice only on paper.
With rulings like this, guess which one will seem more reliable and dependable (from a business POV) for the EU market?
Not Google. That’s for sure.
> Windows 10 Collects Activity Data Even When Tracking Is Disabled, But You Can Block It
> We also display advertising in some services, and we’d prefer to show you ads you find interesting.
And the numerous steps you have to take to improve your privacy:
Still, let's not overstate this "record-breaking" fine. It's not large, at all. It's only a fraction of profits (not revenue) in France alone. Even if Google fully expected to take this hit, it might not have bothered to change its behavior. The fine, by itself, has no impact on Google's business. The greater risk, really, is that they've got a record now: if they get caught again, they'll be more likely to suffer more punitive measures that really are relevant to its core business.
Also, they come across as slightly incompetent, really: I'm kind of surprised such a huge organization didn't bother to prepare very well. I mean, for some the law might have come as a surprise, but it's not been unannounced, and it sure looks like Google, amongst others, might even count as the law's raison d'etre. How exactly did they miss that?
Microsoft came from (and continued to focus on) the business market, which is all about big deals and playing ball. The entire concept of Windows was meant to bridge the business market with the home market and they've had split business/home pricing for most of their products forever.
Yes, Microsoft also sucks at privacy and has been evil forever like all of these amorphous businesses that reach their tendrils as far and wide as profitable. But selling ads (and privacy) is just another revenue stream for Microsoft, not their core product. And don't forget that Hacker News' favorite search engine, DDG, is based on Bing. Microsoft doesn't really care about privacy but also doesn't really care about ads - they just want money.
If you really want, you can use your own keys end-to-end.
I'm satisfied that Google treats adwords and advertising areas of the business differently to business services. Apple, Twitter and many large banks use GCP - do you really think they would do that if Google was snooping at the data?
Please back up any claims with evidence.
I can't share the PIA of my own enterprise, but specifically we needed certain guarantees about where data would be stored that MS could make and Google could not. That's all.
As a business, under GDPR I am responsible for the compliance of my subcontractors (which includes Google Cloud or Azure for instance). I read about this Google blunder and I think that I have other sh*t to worry about than how Google is screwing around with my data. On the other hand, Microsoft has demonstrated time and again that they care about their customers’ data. 2 examples: the fight with the DoJ over access to emails stored in Ireland and the fact they subcontract Azure’s operations in Germany to a German company (to avoid having to hand over the keys to the data center to a 3-letter agency: they literally don’t have them).
The current legal situation does not allow us to use firebase cloud messaging.
Even more unfortunately, bureaucracies, including every modern corporation and government, are UnFriendly AIs. You must comply with the letter of the law because not a single agent involved, not the regulators writing the law nor the courts that will interpret the law nor your competitors that will bring complaints against you nor even the users of the products involved, knows or cares what the spirit is. They don't have the correct value systems, experiences, philosophical frameworks, or cognitive architectures to execute the "comprehend human values" step that would be required to interpret the "spirit" of the law. That incapability is why an even minimally functional justice system needs things like checks and balances and case law and jurisprudence and rules of evidence and all of those things. But we do need those things, because history has proven universally that the letter of the law is the only thing that matters.
On the one hand, this means we literally can't trust any organization composed of more than approximately two people. You often can't even trust organizations with one person, simply because bureaucracy is a force-multiplier even for single humans; think about things like bug trackers and source-control systems and apply them to other workflows. On the other hand, this means that it's pretty much worthless to try to do anything about any individual corporation. Up to the point where you entirely obliterate their industry you're stuck. Which is, coincidentally, what an antitrust action really is - antitrust actions happen exactly when a single agent has taken over an entire industry, and making sure that an identical bad actor doesn't reappear requires not just breaking it up but also obliterating its industry and introducing a new one with similar features but substantially different (non-agglutinative) dynamics.
Standard disclaimers: Views don't represent employer, etc.
Aka, Google would've still likely been violating GDPR if they had a proper DPO in Ireland, but given how favorable Ireland is to the international companies it harbors the EU legal entities for, it's possible Google would've more successfully evaded punishment, had they been set up to ensure the case got handled in Ireland, rather than France.
Always better to be engaged with an enforcement agency in a country that collects revenue from you.
It can be a huge challenge to prevent a situation like the Eastern District of Texas and patent lawsuits, and that sort of situation can harm both sides.
For some context on why: consider those "cookie" notices you see on every site now. The notices are often obtrusive, usually don't have a "no" button, don't make it clear how to withdraw your consent if you do click "yes"... So if every company is in violation, and no one knows how to do it correctly even with millions of reasons why... Then how exactly is it going to protect user privacy in the real world?
EU companies have as much or more stake in being compliant than the few US tech giants active on EU soil.
I see the impact of the GDPR on EU based companies every week and it is definitely moving the needle towards more secure operations and a much better attitude towards stewardship of data-subject related data.
The fines are not what has made things more secure; the work done to avoid the fines is.
Before the GDPR pretty much every company I looked at had absolutely terrible security. Since the GDPR has been in effect, most companies have at least stopped seeing security as a cost to be avoided, with an associated increase in awareness at the rest of the company and better processes and controls to ensure that data does not leave the servers when it isn't intended that way.
It's 91 fines so far, and a whole pile of warnings and interventions, give it a few years and the cumulative effect will be substantial.
Oh, and that 10K number is only the breaches that the companies are aware of and that have been reported, the real number is likely to be much higher. And without the GDPR it would be much higher still.
I'm European and I barely use anything made by European tech companies in terms of final products. I'm sure there are some networking chips or similar in some of the devices I use, but the major software and hardware I use is made and designed outside of the EU.
Now I would argue that the reason we don't have many major tech companies in the EU is because of a hostile environment for them here. I really can't think of many other reasons. The EU has more people than the US that are about as educated. There's at least a comparable amount of capital around, our internet connectivity is actually better, but we have very few major tech companies, even fewer ones that focus on internet stuff.
Why is this important? Because if eventually we want to build automation to do other jobs then we need a lot of qualified tech workers.
That’s not accurate. One ≠ a few. The only major European tech company is SAP.
Not going to spend more than two minutes on this, by the time you do some more reading you will likely end up with 100+ companies on this list.
I regret I was unclear, using tech instead of software. The top five most valuable companies in the world are all US software companies. The only European software company on that list is SAP. Oracle, Netflix and Salesforce also make the cut. SAP is worth 15% of Apple, 25% of Facebook, just barely less than Netflix. Alibaba and Tencent are in the global top ten.
China has big tech companies like the US does. Europe does not.
China and the US have a huge single language market. The EU has a single market with tons of languages. It's much harder for a British or German startup to spread EU wide equivalent to how a US startup can achieve reach across the US and Canada. The EU single market only partially mitigates the problem. Single language seems to count much more than a single jurisdiction.
The usual pattern is when someone in the EU gets interesting, they get bought by a larger US outfit. I don't think China yet allows full foreign takeovers, or a selection of their majors might now be US owned or shuttered too. The other standout in your list, Samsung, is a typical huge conglomerate - TVs, monitors, phones, cameras, memory, storage etc, and part of the larger conglomerate with fingers in everything from fridges to ship building.
I’m sure there are many, many reasons the EU only has one software company to compare with the US or China’s behemoths but the fact remains that it does only have one. There are 16 European companies (including Swiss) in the world top 100, minimum, so I don’t see any special reason Europe couldn’t have software companies that are a really big deal outside SAP but compared to the US they don’t.
As to standouts Toyota is also an enormous conglomerate though you need to expand the list to get to 32. Taiwan Semiconductor is pretty impressive, worth more than Toyota and no one knows it exists.
That's the 'cookie law', not the GDPR. As I understand it, you don't have to provide a way to say no. You just have to notify people before doing it.
Privacy and Electronic Communications Directive 2002
Not even that, the "cookie law" is grossly misunderstood, since it already allowed things like "session cookies" and other account-related settings/preferences without any sort of banner. What it banned/didn't allow (at least not without warning) is 3rd party/ad tracking cookies. Some companies just added blanket warnings "to be safe", everyone started mimicking that and now we have the insanity that is modern web publishing...
This is what I think as well. The attitude EU politicians (especially German and French) have taken against foreign tech companies is incredibly hostile. I assume they do this because we don't have many large tech companies in the EU. If they hurt foreign tech companies enough then perhaps there's a chance we might get some in the EU ourselves. What they don't understand is that the reason the EU doesn't have many major tech companies is because the environment is hostile towards them.
Think back on when Zuckerberg was at the EU Parliament and he was asked to name an EU competitor to Facebook to show that they're not a monopoly.
Seriously, I hope EU can do better than that. We could really use some real privacy protections, especially from the likes of Google, Facebook, Microsoft, Apple, Amazon,...
Also, this isn't a fine as "cost of doing business". Google still has to address the issues. If they don't, you can be sure the next fine will be 10x.
The next GDPR violation Google is accused of, they will now be a repeat offender and more likely to get a higher fine, until they either become compliant or end up at the 4% of revenue fine.
To clarify, the fine is due to the consent mechanism in Android. The fact that the action was led by the French regulator rather than the Irish one is due to this technicality and others (no DPO in Google Ireland, for instance).
But this is how it's done because it's standard practice, not because the law stops them from doing it.
That's quite apart from it already being well established in national laws of many member states.
But what's the point of setting upper limits to fines at all then? GDPR says that the maximum penalty is 4% of global revenue or 20 million euros, whichever is greater.
If proportionality is a concept that's followed so well, then why have upper limits at all? Why word it in a way that clearly hurts smaller businesses more?
I think it was Germany that first introduced proportionality into sentencing, in the later 19th century. They still have maximum penalties for offences. The maximum allows a regulator or judge to frame the seriousness of an offence within those limits, with fewer surprises, and across the range of legislated offences, as intended by the legislature.
A proportionate fine for a first offence, technical breach by a multinational like Nestle or Google, who should have plenty of people in legal, might be a gentle €50 million slap on the wrist. As we can see from this very discussion, there's been a couple of comments along the lines of "...but that's too small to hurt, why bother?". A proportionate penalty for a Google or Facebook on a fifth offence, showing a wilful attempt to dark pattern around the law, might well turn out to be 4% of global. It's no different to setting criminal offences with a maximum of ten years in jail and finding most get a fine, and just a few get jail, let alone a maximum term.
A proportionate first offence penalty for a 5 person early startup, who made a minor breach, might receive a helpful, but sternly worded letter to help them comply. The same 5 person startup showing a wilful, habitual pattern of breach might get (plucks number out of the air) a €20k fine for their fifth offence. Probably levied after providing proof of their revenue and profit.
The point is supposed to be balancing a) enough to encourage them not to do it again, and b) not nuking them from orbit. It doesn't clearly hurt a smaller business more. It's meant to hurt each about the same: "enough to achieve compliance". Intent and extent will affect what is enough too. The aim is compliance, not revenue, or remaking some sort of financial equivalent of the Bloody Code. A bankrupt business cannot comply and generates no revenue.
Mistakes, disappointingly large or small penalties and the subsequent appeals will happen, such is the nature of all law, everywhere. IANAL or I might have explained that better. :)
Morals work by adjusting to the expectations of your peers; laws simply codify the expectations and serve primarily to regulate which infractions can be punished.