Hacker News new | past | comments | ask | show | jobs | submit login
Top EU court overturns US data transfer agreement in Facebook case (dw.com)
354 points by tpush on July 16, 2020 | hide | past | favorite | 218 comments

Max Schrems[1]: “The Court clarified for a second time now that there is a clash between EU privacy law and US surveillance law. As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley."

"This judgment is not the cause of a limit to data transfers, but the consequence of US surveillance laws. You can’t blame the Court for saying the unavoidable - when shit hits the fan, you can’t blame the fan."

[1] https://noyb.eu/en/cjeu

The judgment is here: https://noyb.eu/files/CJEU/judgment.pdf

Start at page 28 if you want to skip the recap of EU law, or start at page 35 if you want to skip the details of US law and surveillance programs as recap by the Irish court who referred the ruling.

In addition there is a short PR statement available for media use:


This is the press release, edited by the services of the court - this is not written by the judges.

Yes, thanks, I've clarified this.

> MrSchrems, an Austrian national residing in Austria, ...

It's a bit sad that people have to fight this war on personal title.

Schrems has a history of doing this. [1]

It's mainly odd to me that there aren't more privacy / consumer protection groups doing the same things he does.

[1] https://en.wikipedia.org/wiki/Max_Schrems

I think there is a multitude of reasons, most consumer protection NGOs aren’t very tech savvy and it’s hard to raise funding for privacy because the general population doesn’t care enough to donate money to it. It’s also a rather hard battle to enter because EU law is so ridiculous complex, and most privacy advocates aren’t very law savvy.

There are a lot of smaller groups fighting, but it takes years and years to see results. Hopefully the EU itself will get more into it now that our relationship with the US is deteriorating and China is getting more and more aggressive.

Not that it’ll matter too much with Microsoft being the only real option in non-tech enterprise.

European privacy and consumer support groups are mainly after lawyers' fees. They mostly make money by notifying misbehaving companies of their misbehaviour, collecting fees for the (usually unwanted, but enforcedly payable) notification ("Abmahnung" in German).

Dieselgate was started by such a group.

The system is not all bad, but incentives are against stuff like this being litigated by the usual privacy or consumer support groups, because you just can't collect fees from the legislative branch...

Which groups are you talking about?

He created an NGO for this purpose, after having successfully sued Facebook: https://noyb.eu/en

But the national data protection commissions of each country also do plenty of work. I think they're still swamped, though.

nyob is in need of financial support https://noyb.eu/en/support-us. No need to leave you address unless you want to receive the goodies. No Credit Card required either, an EU bank account for SEPA transfers is sufficient.

If you donate EUR 100, you get Consultation on private data protection cases (2h/year)

The Irish DPA seems to focus on not doing their work, and actively fighting back against having to do their work.

The German DPAs love going after random individual cases they find, often in ways incompatible with reality (e.g. a small company not using GPG when e-mailing employees about HR issues), while ignoring major abuses that happen at scale. The biggest fine they issued was to a real estate management company for not deleting old documents (e.g. proof of income) that tenants had provided.

Not a single fine against adtech companies.

Start at page 61 if you just want the ruling.

Perhaps this Wikipedia page will be updated soon:


I work in a sector with a requirement to keep data out of the US. It is VERY hard to find providers who can promise not to do this. Even when servers exist in the EU, many provider's contracts have clauses that allow transfer to the US, as they have staff there who may access the data.

I can see company legal departments taking this ruling to prohibit transfers, even with a DPA in place, and causing havoc around the EU.

I worked on fintech projects in Europe, with German banks as our main clients. Their requirements went as far as refusing any service that would have their support teams (or part of it) located in the US. It was quite challenging to fulfill their demands, and increased the development and maintenance cost by A LOT, but definitely possible.

And once you have a working system and solutions in place that becomes a quite good sale argument.

And yes, the EU is really lacking providers that can follow those requirements. At some point Microsoft had a German cloud completely distinct from their other offering and managed by Telekom, but they stopped a few years ago (and it wasn't really in a production ready state IMHO...).

And if they want to keep data completely out of US Gov hands, as some clients do, it's almost impossible due to the Patriot and Cloud acts.

I'd be surprised and saddened if it were legal for a company to offer a contract that they couldn't legally commit to, like saying they'd keep the data out of the U.S. but also give it to the U.S. gov if asked. I guess the legality of offering a contract that they can't commit to is a local legal question, but I'd hope that it's an uncommon thing to allow.

In the US a contract is voidable if it would be illegal to carry it out, and it might open you up to liability if you knew that at the time of signing, but it's not a crime.

What do you mean "carry it out?"


Verbal sense 1/2:

> to bring to a successful issue : complete, accomplish

> carried out the assignment

> to put into execution

> carry out a plan

Sorry, "perform" would be the legal term.

Basically if the contract says "Alice will pay Bob $10 to kill Charlie", then obviously that would be illegal so the contract is void.

You will never know if that contract is broken, since requests under the Patriot Act are kept secret.

Sounds like a golden opportunity for someone to set up an EU company that is EU law compliant and start marketing themselves to banks and bodies that need this.

Problem is banks and similar institutions that "need" this don't really believe they need it, and see such rulings as more anti-American BS. So they find ways to comply that are absurdly minimal, like using Azure datacenters that are only in the EU. This achieves nothing, it's all still a software stack written in the USA, but it lets them tick the box that says "data resident in <European jurisdiction>".

There are ways to run operations in a way that comply with the spirit of these rulings. Hetzner, OVH and other cheap mini-clouds are EU based and have only EU datacenters. Guess where banks want to go? "The cloud" because "the cloud" is "the future" and they institutionally suck at running IT departments of any kind. So they ignore those offerings and find workarounds that let them outsource it all to the Americans who for various reasons just seem culturally better at making software companies.

The other problem that discourages people making EU compliant companies is the term is meaningless. EU is famous for rather weak rule of law. The courts have a history of "discovering" entirely new laws in vaguely written rights or regulations, like the famous right to be forgotten that caused and still causes endless operational pain. Not a law written by any lawmaker, not even the unelected opaquely appointed bureaucrats that write laws in the EU. A law literally invented in the courts themselves.

Because these laws are effectively invented by the courts or by a quasi-government that doesn't really have its own police forces or much of an enforcement infrastructure, this means many EU regulations aren't really enforced. Compliance is kind of on the honour system. So if you're selling compliance, but it costs a lot more than a US based solution that basically ignores these rules whilst claiming they don't, then you'll lose out to your competitors.

The final problem is, again, all this stuff is just legal posturing. The EU has a long history of having intelligence agencies just as aggressive as the NSA, and cutting deals with the USA to get access to US intelligence in return for data (see the SWIFT transfer programme). The EU and its fans like to claim there's some sort of deep cultural difference between Europe and America with regards to privacy, but when you strip away the press releases and look at the actions these countries/EU really make, there's virtually no difference. This is another reason why banks and other firms don't take it too seriously at their core.

>I worked on fintech projects in Europe

I don't see the problem, buy HP Enterprise Hardware (Support is based in Czech Republic), install Suse for example (but not RedHat), ask a Data-center of your wish, place your Hardware there make your own 'cloud'...profit?

As I said, it’s definitely possible. We did create and maintain our own clusters. That’s way more expensive and time consuming than using existing offering from public clouds, and you are in your own in case of issues. Your competitors who don’t have that kind of requirements can build and iterate on their products way faster.

>That’s way more expensive

I had the pure opposite compared to AWS, with own Cloud we safe d around 80% expenses, calculated with additional manpower about 35%...but still 35% is really something.

This. Worst-case you end up being forced to use some terribly implemented private cloud solution which ends up being even more expensive and time consuming than deploying your own hardware.


Then implement it very well, you know like you should do it with the base when you build a House.

k8s to the rescue ;-)

I don’t know if you’re joking or not, in the case of those fintech projects I’ve been part of a migration to k8s. That was already in progress 3 years ago when I joined the company, and it wasn’t completed when I left beginning of this year.

Managing your own k8s in production isn’t a simple task at all :(

That is true, i was asked to implement k8s in 6 month, they said so i have plenty of time to find all problem (i try'd really hard not to start laughing)

I don't know how much access they have, but SUSE has quite a few people working from the US.

Yes but HQ is in Nürnberg Germany, and so is the DPO:


Its not about where some people work, it's what they do under witch legality, so a US citizen working in Germany or for German Customers "could" be a problem.

> so a US citizen working in Germany or for German Customers "could" be a problem.

That's usually fine (related to the "in Germany" part). I'd say you'll only have an issue if you're doing something really high up the government (same as for example SpaceX - which cannot hire non-citizens)

> for example SpaceX - which cannot hire non-citizens

They can, actually. It's just tons of paperwork and red tape so they won't.

Or Finance... ;)

Thanks for the clarification!

The EU depends too much on the US in this area.

Hopefully this will force more independence and provide a boost to the European providers.

Which area? Hetzner, Leaseweb, OVH and dozens of smaller hosting providers can fill the needs. The only thing US hosting providers have is marketing and easy money.

Hosted Microsoft products mostly, which is what tons of smaller companies want from "the cloud". And some AWS workalike, which usually means AWS, because the stackoverflow answer they found doesn't tell them about the rest.

Haha you are so right!! That i think is the biggest problem with Europe, Microsoft an Apple is just everywhere...probably even more Windows installations on servers than the US.

Managed service offerings are the main difficulty. Bare servers aren't a problem.

FWIW, this may also mean avoiding US companies altogether -- the CLOUD act (hey, I don't come up with these names...) requires them to surrender data to US authorities on subpoena, even if it's hosted on facilities they own outside US territorial boundaries. https://en.wikipedia.org/wiki/CLOUD_Act

It's easy to do, just don't do business with the US at all. Any company that touches it is tainted and should therefore not be trusted. I work in a sector with a similar requirement and it really hasn't been difficult to comply with this requirement, given that you keep this in mind.

It's easy to do, just don't do business with the US at all.

Less easy if you need to, for example, accept payment by credit card. Even if some of the businesses along the way are based wherever you are, the major card networks are all headquartered in the US.

It would be great if the international community could get its act together on an alternative and render the deeply flawed card payments industry obsolete, but the fact is that right now cards are the only game in town for a lot of situations.

And SWIFT. Any time you're doing a non-SEPA, non-domestic bank transfer, likelyhood is the payment data is seen by the US.

> render the deeply flawed card payments industry obsolete

Honest question: from a consumer perspective, what is deeply flawed about it?

I realize this isn't available everywhere, but with my cards I can make payments in virtually any country without ever having to deal with local currencies, currency conversion fees, bank account overdrafts, or having the physical card with me as I use my phone for 90% of transactions where I live. All this while getting 2-5% back on every purchase and (if I want to pay an annual fee and deal with more cards) a whole slew of travel benefits and free flights every year or so.

> what is deeply flawed about it?

US don't like someone, like Wikileaks? Card processors block all payments to them, so you consumer cannot get your money to them.

US want to profile all your transactions, to figure out where you eat, where you sleep, and what you do? They get all the data and you'll never even know.

Obviously this is not a problem, as long as you stay on good terms with US interests. The minute you become a target (which might simply be because you work at a competitor of a "strategic" US business), it's not so great, to put it mildly.

Honest question: from a consumer perspective, what is deeply flawed about it?

You're not necessarily aware of the inherent insecurity until you are on the wrong side of a breach. You might assume you can charge back if anything goes wrong, but you might have absolutely no guarantee in law that you will be able to do so. As with so much about cards, you are then at the mercy of your card issuer and/or the underlying card network, and they will act in their best interests, which might not coincide with yours.

You might think it's useful to have the credit facility, but the rates you're paying will almost always be far higher than you could get on a competitive loan from a bank. (And if you can't get such a loan, you certainly shouldn't be building up credit card debts either. The model becomes predatory and abusive at this point.)

You might think you're getting a good deal with the cashback schemes, but the merchants are getting hit with higher fees on the other side and they will be pricing that into the amount you were paying in the first place. Worse, since various places now limit or prohibit charging extra fees for card transactions, governments have legislated competition out of the payment methods market and anyone who chooses not to pay with a card is now stuck with the same higher prices.

You might find the automatic conversions for foreign payments useful, but you are almost certainly paying a silly exchange rate and maybe extra fees on top for the privilege.

Card payments are comically unreliable at the best of times. In a "good" case, this just causes some embarrassment when your card is unexpectedly declined at the store and you have to try it again or use something else to pay. In a more serious case, perhaps your card gets blocked because of a false positive on the security checks while you're abroad, and you are left with no easy way to pay for anything for potentially several days until it gets sorted out.

On top of this, there are the indirect effects of all the one-sided obligations imposed on credit card providers by governments and on merchants by credit card providers, where a bunch of people are required to take on potentially severe risks that should be entirely unnecessary just to carry out a simple financial transaction. Much of what is wrong with the industry actually comes down to these effects and what happens when the risk gets passed on or priced in.

In short, the people who benefit the most from card payments are the card networks. For everyone else involved, they are likely inferior to other payment methods in one or probably more important ways, and it is their established infrastructure and ubiquity internationally that keeps them relevant more than anything else. There is no good reason we shouldn't all switch to alternatives today, given the ease of doing so with modern mobile devices and Internet access, but again it comes down to momentum more than anything else.

Instant online payments are also possible with debit cards in Europe. It’s probably more used than credit cards since not every European has one.

Debit cards are definitely better than credit cards in several situations, but most of them outside of various national schemes are still using the networks run by VISA, MC, etc.

The thing that bugs me is that we're perfectly capable of doing quick, reliable transactions without any need for cards at all today, particularly in Europe with the SEPA infrastructure, or in other areas that have national debit schemes. We just haven't got around to making this easy for both online and in-person payments yet, though things like the payment methods using smartphones and the consolidation of debit schemes that fintech firms like GoCardless are working on seem like obvious steps in the right direction to me.

> It's easy to do, just don't do business with the US at all.

That's amusing of course because the EU economy is desperately dependent on the US economy. Meanwhile the US economy is far less dependent on the EU economy.

So the plan then must be to do zero business with the US and Chinese economies, the world's two largest. You also can't do business with Canada, Australia or Britain, so there went another $5.7 trillion in economy you can no longer trade with.

The EU would be sent back to third-world living standards within a decade or two. You just lost access to 50% of the world economy. Easy to do, yeah sure.

I missed the point the US and China being the largest economy.

Europe is still ahead of China. And has a much higher and better educated population than the US, and much more exporting small, independent businesses. Meanwhile the US is at third world standards in infrastructure and democracy. Their only strength is military and having the Dollar. This is not sustainable.

How do you consider transient data or CDNs like Cloudfront/Cloudflare?

Providers of what? SaaS or servers? As far as I know, none of the budget server providers like OVH, Hetzner and Online.net/Scaleway have a US presence.

OVH has two datacenters in the US now: https://us.ovhcloud.com/

OVH lets you chose the location of your servers even in the most basic offers.

Privacy Shield is dead, long live privacy shield.

I wonder how many attempts it will take for this deal to be considered legal before the US actually has to do something to hold up their end of the deal. The US government would scream in rage if Germany would ever demand the ability to order Microsoft or Google to hand over information about US citizens in complete secret, yet the EU wil gladly take the word of the US government that it won't happen.

The EU also has plenty of incentive to encourage keeping data within the boundaries of its member states. Making it difficult to use American tech giants as a lazy quick fix for data storage instead of looking at local alternatives only helps limit the amount of money taken from the European economy. With the scandals and state of the current US government I find it hard to believe the EU will be able to draft a new agreement like this with the US without compromising on the rights of their citizens.

> Privacy Shield is dead, long live privacy shield.

Apologies for being pedantic, but "The king is dead, long live the king" is referring to two distinct uses of the word king. It is equivalent of "The old monarch is dead, long live the new monarch".

So for this to work in your case it would need to be:

"Privacy Shield is dead, long live new-replacement-law"

But without a replacement law, the phrase just doesn't work.

My point was that there will probably soon be a new, similarly lacking Privacy Shield with a similarly silly name (Secure Data Exchange Act? Privacy Protection Plus? Data Protector Agreement?).

We don't know the name of the new law yet, but Privacy Shield was quickly implemented because the agreement before it was deemed insufficient, and the same will likely happen again.

That's probably why the first Privacy Shield was capitalized, but the second was not.

The US never will.

Well, I guess the truth is, personal data of EU and US citizens is sent in secret to european agencies all the time. Such institutions are all exempt from GDPR.

EU and member state institutions and agencies are not universally exempt.

There are some specific justifications that are scoped to government use only, in areas such as law enforcement or collection of statistics. But agencies still need to implement the law, document the specific requirements for any type of data they collect, observe time limits on retention, produce transparency reports, and so on.

We can't trust the intelligence agencies in the U.S., China, Russia, Australia, or Britain but of course the EU's agencies are trustworthy. After all, everyone knows there's nothing more effective than a European court and nobody more honest than European bureaucrats.

The idea would be to align the commercial interests of US cloud service providers with the privacy interests of EU customers.

From the EU citizens perspective, the ideal outcome would be for US cloud service providers to pressure US authorities to limit their surveillance of EU citizens and provide some kind of privacy guarantees. Here's to wishful thinking...

Google, of all companies, was a major supporter of California's CCPA (Cali's GDPR-like legislation) last year.

Cynically I suppose it was to ensure they'd at least have a say in what the CCPA covered... and to hurt their rivals (Facebook, etc).

Big companies just like legislation that is clear, won't be challenged and doesn't change (too) much. Allows them to commit resources without the goalposts changing.

GDPR was supported by the biggest EU corporations as well - not much could help them more :-)

The idea the GDPR as a regulation helps established companies 'who can afford a gdpr team' more than joe the shoemaker is a weird meme..

GDPR hurts large companies that abuse data; the actual legislature is one of the most proportional regulations I've ever seen.

You have the right to store peoples personal data if it's used and not processed for non-implied purposes (IE; generating profiles of people after sale) and not sold to another company.

So when someone throws up a big "GDPR NOTICE" and you have to press the big "i agree" button, it behooves to read it; because that's often not required for the service, it's what's required for the company to sell on your data.

Joe the Shoemaker can take your email address or phone number and call you, he's not going to have a hard time under GDPR.

If you're abusing data, you're going to have a hard time- and that's good.

There are two factors at play here; both you and the GP are making points that are correct.

1) As you say, "If you're abusing data, you're going to have a hard time- and that's good." Companies that are built on selling your data (e.g. data brokers in the marketing / finance industry) or sharing it without your consent (e.g. Facebook with Cambridge Analytica) will have to stop those practices. GDPR working as designed, win.

2) For business models that are viable under GDPR, then at the margin GDPR is going to prevent small companies from entering the space, to the benefit of larger companies. Your example of Joe the Shoemaker is the trivial case. What if your business has a need to collect PII, banking information, perform Know Your Customer checks, and retain that data for 5 years under the US Banking Secrecy Act? Or collect electronic personal health information? Or submit to any other conflicting regulatory regime? You're missing the fact that lots of businesses have a legitimate need to collect more than just an email, and that other regulations directly conflict (per country) with GDPR. In these cases, adhering to GDPR is more than just slapping a GDPR dialog onto your email submission modal; it might require a significant amount of time talking to expensive lawyers to figure out how to comply with all of the applicable regulations.

This is the basic dirty truth about regulation; large companies can typically afford to lobby to make sure the regulation isn't going to ruin them, and then they can afford to implement the regulations even if they are very complex. After implementation, regulation like GDPR becomes a moat. Consider how hard it is to start a company in highly-regulated spaces like finance or healthcare. Though I don't claim that GDPR is as deep a moat as those industries' regulation, it's the same idea. The regulations as a whole can still be net-positive to society, but the risk is that when regulators (and those commenting on regulation) don't understand the real costs of complexity, it's easy to pile on rules that have the opposite effect than intended.

Note, a common misconception about Google is that it sells/shares your data; it does not in general do that. Google sells targeted ads, and your data is Google's competitive advantage; Google built Gmail, Android, and a host of other products in order to get data that others cannot; your data is Google's moat. GDPR just talks about sharing your data with other companies; Google is fine under the GDPR. Sure, the death of Privacy Shield might make Google's various international entities less able to share data, but the fundamental business model they follow of collecting first-party data on users is alive and well.

> Or submit to any other conflicting regulatory regime?

I'm pretty sure the regulations have a catchall "you are allowed to store the data if legally required to" for exactly these kinds of issues. Need to store the data for 7 years for tax purposes? Fine.

Sure, Article 6, section 1c (https://gdpr-info.eu/art-6-gdpr/); processing is lawful if "processing is necessary for compliance with a legal obligation to which the controller is subject"

I think (like the GP) you're oversimplifying though.

Have you ever had to determine what is considered a "legal obligation"? It's not fun. Much to the distaste of us engineers, it turns out that most laws are not written in an unambiguous fashion; many (like HIPAA) are very vague in places, and rely on precedent or tribal knowledge about how the regulator in question tends to interpret things.

So yes, if you have a clear, unambiguous requirement to keep Personal Data, then you don't need to lawyer up. If you work in an industry with complex regulations, then you're going to need lawyers and/or consultants to tell you how to resolve the conflict between GDPR and those regulations.

Most companies don't (and never did nor are or were in position to) abuse data, but all companies now must adhere to GDPR. ;-)

The world really isn't either Facebook or Joe the Shoemaker. There's a lot in between.

Sure, but after dragging the lawyers in and figuring out how we were impacted; (hint: we were barely impacted other than allowing people to download their data which was trivial) I am now truly skeptical of anyone who says that GDPR is a barrier to entry.

Unless the "entry" is doing something nefarious.

I think this is pretty case specific

I worked at a small company that made software to allow behavioral therapists to collect and analyze data about patients and visualize it more easily. Helped a lot when the patient was a young student and you're working with parents or guardians, and it replaced a lot of time therapists had previously been spending in Excel (or in some situations, hours with pen and paper).

GDPR hit hard. We weren't selling any data at all, but because data was often stored grouped by classroom, or by therapist, or by org/admin, providing an easy way to give a patient a data dump of just their data (rather than the data a clinician was approved to view) was very expensive.

I left for other reasons, but the company is still struggling with the added costs, and last I heard was going to be acquired.

Everyone in this comment chain is being downvoted hard, I have no idea why; I can only assume trolls have finally hit the karma threshold for downvoting:

To answer your case (and risk downvotes in doing so, gah):

I think that the situation your company was in was almost exactly the reason GDPR was conceived, data custodians have an obligation to treat that data with the value it actually has, especially in the medical industry.

GDPR was not, actually, invented with google/facebook in mind, it was due to the fact that people were selling data, and _also_ not taking care of it when they had it..

Imagine a world where there was no such thing as, idk, PCI compliance, say.. and while some people were treating card info as something they didn't want or stored very well--- the vast majority of people were instead saving them into text files and passing them around on open windows shares in order to process payments.

For a lot of companies, GDPR just exposed their shortcomings, and yes, it's expensive to fix, but the point is that it's unhealthy in the first place, much like destroying the planet will destroy us all; unless there's a financial impact to the company itself, the company will continue to salt the earth without regard for anything. (contrived example, I know).

Sure, and in a lot of ways, I agree with you.

That said - I think my point still stands. This company wasn't storing data poorly, it was storing data in a format designed for its primary users - Clinicians/Therapists. It was also complying with all current legislation when the system was designed and implemented. (and I say this knowing full well the company had previously reported clinics where we knew of or suspected HIPAA violations)

When you're tiny (right around the 250 employee limit, mostly non-engineering) having to re-implement a system that's seen 9 years of development/bugfix/features is prohibitively expensive. At best, you're paused entirely on feature work while you do it, at worst you're re-introducing issues/bugs that have been fixed before and adding new ones.

But it's cool, because Google has all that fitbit data now and they totally wouldn't be interested in competing in this space. And we've all seen how effectively this law curbs malicious behavior of these large companies (read: Not at all).

So from my end - the result in this case was that a small company that sold no data at all, had no vested interest in marketing, and was previously complying with regulation went out of business.

Instead it was eaten by a much larger player in the field that was better positioned to absorb those costs (and which does make money by selling data). I'm hard pressed to see that as win.


So, all that said - I still think we agree more than we disagree. I'm not really upset GDPR exists. I'm upset that it's been mostly ineffective at curbing real abuses by large players, but that's not a problem with the law - it's a problem with its enforcement.

I also find it telling when the large players in the industry are in favor of regulation - It almost always means they expect it to reduce competition.

As a EU citizen I'm glad about the decision, I don't have any confidence any more that data stored in the US is secure and that the US can be depended upon.

Also important to point out how much of this goes back to Max Schrems activism over the years and noyb (https://noyb.eu/en). This is a huge win achieved with relatively few resources. Staying engaged is worth it.

Since many major EU countries share their classified intelligence and surveillance systems with the US (and the reverse) this seems more like political speech than reality. The real reason is to preserve what’s left of tech in the EU but that doesn’t exactly sound as good.

Almost all major countries have surveillance programs. They are perhaps necessary to preserve national security. The hope of democratic countries is to have enough checks and balances on those powers to keep them limited to national security interests and to prevent abuse.

This is one area where you have to separate the EU from its constituent member states.

The EU's treaties explicitly reserve national security for the member states themselves (except for where there is unanimity or opt-in in specific areas).

As such, in most cases, the Commission and Parliament can't legislate to bring MS' own intelligence services under control.

To change the situation the treaties would have to be changed (which is a can of worms in itself) and all 27 members would have to agree to the changes (one or two would require a referendum).

There is a difference between sharing information (where you control what is shared) and letting the other party have all the information and look at it by their own. The fact that EU shares intelligence with US is less of a problem as long as EU citizens have a somewhat confidence in their government and security services. It is a big difference from letting US process all private information about the EU citizens and by that enable US to rummage around as they wish without having to obey laws or regulations in EU.

I don’t think you understand - the systems themselves are shared.

This isn’t ‘let’s decide to let X country know Y’. If it is on the eyes network (and tons of things are) everyone gets it per the multi country agreement.

And there are no more FVEY members in EU with UK dropping out.

Yeah if you arbitrarily limit it to the five eyes agreement for no reason. See nine eyes and fourteen eyes - EU US intelligence networks.

I was thinking the same thing. It seems that we have passed 'peak globalization' and we're seeking a sweet spot that balances concerns. This could be a good thing.

As a US citizen, I'm personally glad to see other nations push back against data privacy exploitation by US businesses on the general public. It's evident our own (US) government will do very little to curb those business's overreach.

I hope to see more disincentives put forth against these practices in markets our businesses haven't completely supplanted government oversight. Hopefully, that will result in shifts of practices in the US markets as well, though it's certainly not guaranteed.

China is looked down for its draconian surveillance. However US is just another side of the same coin.

Our big Tech FAANG loves gobbling up everything they can get their hands upon in the name of training AIs that shove more personalized creepy ads.

> China is looked down for its draconian surveillance. However US is just another side of the same coin.

This is not the case - almost all major countries have surveillance agencies. It’s not the fact that China has surveilance that is looked down upon, it’s the lack of checks and balances. Most democratic countries have surveillance to ensure national security interests and they have strict checks and balances to minimize abuse and ensure that intel is used only for national security reasons.

China’s surveillance has no such checks and balances and does little to prevent abuse and that is worth criticizing. Perhaps this may change someday but the current party does not seem to be heading in that direction.

I'm missing the point of why the USA would not just stop this weird spying on everybody. From China I'd expect nothing more but the USA? They're supposed to be a decent country.

Then we would not need all these super unpractical counter measures.

Did people already forget all about the 2013 leaks? Do you actually think that the EU is not complicit in the same surveillance practiced by the US?

> For example, Der Spiegel revealed how the German Foreign Intelligence Service transfers "massive amounts of intercepted data to the NSA", while Swedish Television revealed the National Defence Radio Establishment (FRA) provided the NSA with data from its cable collection, under a secret treaty signed in 1954 for bilateral cooperation on surveillance...

How is my data any more secure on a German server than an American server? Some asshole is snooping on it anyway, and the NSA gets access by extension.

People forget that the reason this happens is that most countries have laws against spying domestically. They usually don't have laws prohibiting them from taking data from other spy agencies spying on their own country. So the cheap and easy workaround is you let your friends spy on you for you. It's usually pretty critical for counterintelligence anyway. As the first place an enemy tries to get into is the counterintelligence department.

This is the important part that is glanced over. It's very much a situation of tit for tat but we can be hopeful that rulings like these aren't just lip service. Schrems has been a positive force for privacy in the EU.

From corporate spying yes. However GDPR contains specific carve outs for national security, Police, etc.

Perhaps it isn't, but if that's the case the ruling is about giving you legal redress to fix it.

I was looking for a comment like this.

Yes, GDPR provides greater protection for privacy than US laws and hats off to the EU courts for trying to maintain that protection.

That said, the US and EU are so closely intertwined when it comes to intelligence that I doubt this provides much protection from Western state level actors.

The main problem GDPR solves is companies, not state actors (which are likely to ignore laws anyway).

>They're supposed to be a decent country.

what? since when?

USA was, and still is corrupt. There are plenty of news of USA covering up war crimes, spying on everyone, PATRIOT act itself, drone assasination etc.

and prime example from the past: https://en.wikipedia.org/wiki/1954_Guatemalan_coup_d%27%C3%A...

Plus quite honestly if any country behaved like USA in Europe(Allegiance to the flag in schools, "patriotism" etc) they would be under EXTREME scrutiny from their neighbors.

It is still a lesser evil on the world stage to be honest.

Almost all countries have surveillance programs - from the EU to the US to China. They are arguable necessary to maintain national security.

The difference is not that a country surveils but if they have processes in place to protect that information from abuse and keep it to use only for national security interests.

I tend to agree. Just a nit, though: the EU is not a country and does not have intelligence agencies. Member states are and do.

Quite true - my language was not precise

The US intelligence community has had access to privileged information so long that the organizational structure reflects this. Taking that away would be a massive change, which is why they fight it with all they've got.

> They're supposed to be a decent country.

But they are not; they're dropping fast on the world scheme when it comes to human rights and common decency. In many ways it's as bad as China is when it comes to that.

It's interesting that they managed to keep the ICE concentration camps out of the media. Will the >100K of covid-19 related deaths (that have been officially reported) someday be considered genocide / eugenics?

This is certainly a romantic take on the matter but for once the liberal arts students are actually ahead of the curve since for many of them this reading is a part of their standard curriculum (followed by an exercise where some defend the practice and some condemn it): https://www.wsj.com/articles/SB95326824311657269

Spying is fair game. So is using obvious spying as a PR or political weapon. Dragnet surveillance is something else, though.

Dumb question: can someone explain to me the implications on startups and side projects? Does data mean, any data? If I’m reading that correctly it’s illegal to allow EU users to use any website with a DB that isn’t hosted in the EU. That can’t be correct, can it?

EU residents enjoy a right to data protection.

US residents do not.

EU allows export of their residents' personal data to the US under different sets of rules or methods, one of which is (was?) Privacy Shield. Another is Contractual Clauses. The crucial fact for Privacy Shield is it was supposed to provide "equivalent" protections (ie protection for EU data hosted in the US equivalent to that data being entirely in the EU). It did not.

My take is that Privacy Shield was a sop to the fact that the US never had anything like equivalent privacy laws, but we are (were?) too big a trading partner to apply the law to. This realpolitik appears now to be in question.

So yes, one of the ways to legally allow a US-based company to process EU resident data has now been removed.

It's never illegal for the user to create an account. It can be for the company.

As a heuristic: a website such as HN that is available in the EU but doesn't specifically target EU "customers", and that isn't itself or via some subsidiary registered within in the EU is perfectly fine.

I believe the same is also true if you allow EU customers to buy in your online store as long as it's implemented as just a "country" form field and, again, you are not registered in the EU/have no distribution warehouse there, and so on.

I've seen the New York Times being cited as a sort of goalpost of what's still ok: even though they have journalists in Europe, they have no sales presence, and are clearly aimed at the US market.

No idea about Amazon, though.

It's personal data. Which is defined in the GDPR as:

any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

I’m sure the true answer is ambiguous, but “personal data” by that definition seems to imply almost any form of account creation. For sure, that seems to imply you can’t use email addresses as identifiers. Maybe it implies that so long as the data isn’t de facto joinable with side data (phone numbers, email addresses) it may be ok.

Worth also remembering that at the moment the UK is still negotiating with the EU and hasn't got a data protection adequacy agreement in place. At the same time it is domestically pushing for increased surveillance laws and powers for GCHQ etc. That issue in many ways is going to be just, if not more, tricky.

Already on the front page, with more comments: https://news.ycombinator.com/item?id=23856988

Both submissions are very shallow articles though.

This was long overdue.

Let's hope they won't come up with a new name just as they did last time when Safe Harbour was abolished.

This thing was an insult to EU privacy laws.

after "Safe-Harbor"and it's successor "EU-US Privacy-Shield" I suggest..

the "Trust-PACT"

P - privacy A - acknowledged C - confidentiality T - treaty

It's not only an insult of EU data protection laws and the EU basic rights charta.

Not only are the big US cloud providers evading taxes and stiffling competition in the EU, they are also instrumental to US hegemonial ambitions. All your data (and taxes) belongs to us. That's whats going on.

I wonder how long the standard contractual clauses will hold, I don't see how they are doing better.

This judgement also validated SCC. Basically they are ok because they are underpinned by "the receiver country need to have proper privacy protections".

So the SCC is legit. You just can't use it with the US.

Is there some kind of "we are in the EU and understand our data will be stored in the US and can be surveilled" consent box?

What about platforms that connect people from all over the world? Yeah you can store EU users' data on an EU server but what if a US user checks out a EU user's profile. Or are we supposed to completely disconnect each continent?

You work to the most restrictive set of rules. EU users data is stored in places that comply with the rules in question, that could be the US, if the US complies with EU rules.

If US user wants to interact with EU content, then they need to comply with relevant EU rules. They might not have to give the same level of enthusiastic consent, but the data of their interaction should still stored in EU compliant manner.

That's not quite correct. It depends entirely on what jurisdiction/s you fall under, where you do business.

If you're a US entity you can freely store EU data on US servers entirely without EU permission or consent, and do anything with it that you want to (within US law), so long as you don't operate within the EU. For exactly the same reason that you can safely ignore GDPR if you don't operate in the EU.

If I build a service that runs its servers only in the US, in nearly all cases I don't need to concern myself with EU laws. I'll be operating by US laws. I can allow EU users to sign up and use my service and store their data in the US. There's nothing the EU can do about that.

The EU will have to enable a draconian Chinese firewall to stop this. They have no power or influence to dictate to the world such rules, so the only thing they can potentially do is put their own people in a safety box and lock them off from the rest of the world.

>If you're a US entity you can freely store EU data on US servers entirely without EU permission or consent, and do anything with it that you want to (within US law), so long as you don't operate within the EU.

No, this was what was invalidated; Privacy Shield enabled this behavior

>The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. [1]

With Privacy Shield being invalidated, and nothing else to currently take its place, EU data will technically have to sit within EU (as I understand it). Enforcement of this law will take sometime and won't impact a little startup that's breaking all sorts of rules, as you won't have enough valuable assets for a legal team to go after.

If you are a large multi-national corporation though this is trouble..especially if you aren't using informed consent to notify EU users on what's happening with their data.

>Despite the invalidations made by the judgment, absolutely "necessary" data flows can continue to flow under Article 49 of the GDPR. Any situation where users want their data to flow abroad is still legal, as this can be based on the informed consent of the user, which can be withdrawn at any time. Equally the law allows data flows for what is "necessary" to fulfil a contract. [2]

[1] https://www.privacyshield.gov/welcome

[2] https://noyb.eu/en/cjeu

No, this was what was invalidated

I think you missed the point. They're arguing they don't care what the EU thinks. If some EU court invalidates some EU specific thing they didn't care about previously, they still don't care about it afterwards.

Enforcement of this law will take sometime

Like, forever? How many US firms has the EU taken to court in the USA and won, over their cookie law?

EU cannot enforce these laws on US firms, only EU firms, but even then, such things are basically never actually enforced except for political reasons. So they might try and cause trouble to Google and Facebook or Apple, because they're big sources of money. Everyone else will just ignore it or go through some compliance motions if they feel like it.

As always with the EU there are regulations everywhere and they don't mean anything. As you state yourself, "necessary" data can continue to move. This is the same as saying "we'll make it up as we go along".

This is wrong?

It doesn't matter where your servers are, if you offer a service to people in the EU and you store their personal data, you need to safeguard that data and comply with GDPR.

It's a law, so it can be enforced through mutual international treaties.

However, common sense prevails in the EU and especially with GDPR, so no one will go after you because you use Google Analytics and didn't give an option to opt-out. But if you start collecting personal addresses, emails and phones disguised as a charity doubling their contributions and then sell that information to callcenters abroad for tax scams and upload it to 4chan, then yes, EU's reach will be tested.



This doesn't make any sense to me. So I'm German, I go to Thailand. I buy a Jet Ski to be used solely in Thailand? Is that Jet Ski under EU law now? Why is it different if I virtually go to Thailand?

or don't like the purchase aspect? Okay I go to Thailand and rent a car. To rent the car I need to give them my personal info. A copy of my passport, a copy of my international drivers license. If we follow the same logic that Thai car rental company somehow has to treat the PII under EU laws.

The EU has no jurisdiction is Thailand and the Thailand car rental company should not have to do things differently just because the person renting is from a different country. That they happen to be online, like say I reserved the car while in Germany before my travel, seems like it would have zero barring on this.

Can a restaurant in SE Asia take a reservation from an EU citizen? They need to store PII to do it. How does the EU send their enforcers over to that mom and pop restaurant to make sure their reservation system is protecting that EU citizen's PII?

I'm not trying to argue it's okay to use PII. I'm instead trying to understand how these laws actually work because they seem basically impossible to enforce or even implement.

I see the link above tries to cover this. Unfortunately it covers it in nonsense and doublespeak.

> Suppose you run a golf course in Manitoba focused exclusively on your local area, but sometimes people in France stumble across your site. Would you find yourself in the crosshairs of European regulators? It’s not likely. But technically you could be held accountable for tracking these data.

So I'm German, I go to Thailand. I buy a Jet Ski to be used solely in Thailand? Is that Jet Ski under EU law now?

No, not until you bring the Jet Ski though German customs.

Why is it different if I virtually go to Thailand?

Because now, the Jet Ski operator is operating in the EU, and the EU could always choose to null-route said website. There's plenty of precedent for that, even in the US (DHS seizing torrent sites under counterfeit regulation, ISP's de-listing pirate bay DNS entries).

Okay I go to Thailand and rent a car. To rent the car I need to give them my personal info. A copy of my passport, a copy of my international drivers license. If we follow the same logic that Thai car rental company somehow has to treat the PII under EU laws.

Perhaps, but as you say, the EU currently has no way to enforce its GDPR outside its jurisdiction.

How do you think the US enforces its take on copyright and patent law outside its borders? Through treaties and trade deals. If the EU wanted to, it could do the same with the GDPR.

The law applies to your non-EU company when you target EU citizens and people currently physically in the EU. E.g. if you sell goods and offer shipping to the EU, GDPR applies to you. If you do not ship to the EU and do not offer services to EU residents, GDPR doesn't apply to you.

There are some areas in need of examples:

For your restaurant in Bangkok that takes a reservation from the EU: not covered by the GDPR because they don't target EU residents, that a resident used their reservation page is incidental and an exception.

For some purely-online service, if you somehow target world-wide or all speakers of an official EU language, GDPR applies. That means your french language online newspaper in New Orleans is affected, if they have an international section. If it is chinese language, you are fine. Geoblocking helps.

That's not what the EU guideline says above. See the Manitoba example

Yes, there is a grey area as the guideline says, and "targeting EU residents" is interpreted very widely. We will have to wait for the courts for an exact interpretation there.

To add to this: while EU law might not be able to reach you in the US and extradition over such issues might not happen, travelling to Europe for you or your subordinates might be "interesting", at least after a successful court decision. Also, freezing assets and payments is possible, as well as forbidding doing business with you. But that all depends on the kind of exposure you have there.

There are no mutual international treaties that enforce GDPR.

As far as I know that is not allowed as it would just be used to override any data protection laws.

In the end if part of the world refuses to implement even the most basic working privacy protection laws what choice does the EU have.

I'm certain companies and governments alike would be thrilled to put in place the next iteration of this agreement, however the US refuses to move even an inch.

US could solve this by granting all humans same rights and not have the ability to read private data of all non-US citizens with no restrictions.

That would be obviously the right thing to do in quite a lot of cases. Immigration and elections are about the only cases where being a citizen should matter. And conscription, if we keep digging.

Consent might not be necessary or might not be possible, depending on the situation. You need a legal basis for processing of data, one possible (but the worst possible) is consent. A popular better one is "fulfilment of a contract". All that is largely (but not completely) independent from how and where the data processing is done. You usually do not need consent to have data processed by a third party or abroad, if you have a legal basis for processing said data. You just need to keep your customer informed.

Exceptions to all this apply for special kinds of data (minors, medical, biometric,...) and invasive processing (AI decisions, scoring). In those cases you might need special consent or you might not be able to export the data at all, even with consent.

I think the expectation is that data of a European citizen remains in the European union except otherwise needed and consented.

In sense of the GDPR, a European User Account does not need to synced to the US but only the communicated exchange between a European and a US user.

There are a lot of reasonable usage and solutions. They just cost money, time and are annoying architecturally.

No, the data can be held anywhere that has enforceable protections equivalent to the EU’s. Japan was explicitly ruled to be. The UK will almost certainly be found not to be because it’s intelligence services are even more out of control than the US’.

Agree. I think my statement of "within the European Union" is indeed a bit too restrictive. Your comment is indeed pointing the right thing: enforceable and equivalent protection. That is exactly what Privacy Shield and the predecessor was aiming for.

Under the GDPR, consent boxes cannot be mandatory. The service must work even if you don't consent.

Hmmmmm. If Apple can get away with providing a less secure version for China they could probably get away with creating a more secure version for Europe..?

This is bad news for everyone in the EU who has data in the US and uses the Privacy Shield act as the protection guarantee. We do that currently for some data processors, and I'm a little intrigued about what we'll do with all of our US-based data now.

I can understand it's bad for companies relying on US services, but honestly this decision is not very surprising and has been looming over EU companies for several years now, so there has been ample time to prepare for it.

On the positive side this might give startups based in the EU a small edge over US competitors (I know, protectionism is evil, free market rules, Europe tech startups are not competitive...).

US companies can still do business in the EU btw, they will just need to structure their services so that data from EU citizens stays within the EU. For the larger players this shouldn't be an issue really, I think, smaller startups with limited resources might forgo the expansion into the EU though.

Worth noting is that the standard contractual clauses don't necessarily specify that the data has to remain within the EU - it just mandates that the company has to provide adequate protections.

Yes, but I'm not sure if that would work for data stored in the US as the problem is that intelligence agencies can request access to the data without the data subjects ever being notified about this. If the clauses cannot be effectively enforced (which I don't think they can in the US) it's not possible to rely on them.

The press release seems to suggest that the standard contractual clauses are still good enough - It'd be weird to suggest that if it isn't true in practice. But I'm unsure, and you have some valid points.

Yes relying on standard contractual clauses is a valid approach in general, but not necessarily for transferring data to the US. You can use them e.g. when transferring data to countries that provide effective and enforceable privacy guarantees, as e.g. Switzerland, South Korea or Singapore do.

> On the positive side this might give startups based in the EU a small edge over US competitors (I know, protectionism is evil, free market rules, Europe tech startups are not competitive...)

Most of these regulations are just anti-US protectionism in disguise. Regardless of the underlying merits of any such regulation, they’re used as trade barriers to give EU companies an edge over US ones, without doing anything as controversial as tariffs. I mean is there any material difference for a German citizen if their surveilled French intelligence over US intelligence? Sure, they have the EU courts to rely on, but if you’re caught up in a foreign (or even domestic) surveillance dragnet the outcome is going to be exactly the same, and there’s nothing you can do about it. All these agencies share huge amounts of data anyway, so the difference becomes quite academic.

> US companies can still do business in the EU btw, they will just need to structure their services so that data from EU citizens stays within the EU

I’d suggest people look at all of the privacy enforcement action in the EU, and ask themselves whether they think the actual outcome is protecting the privacy interest of EU citizens, or just the economic interests of member states.

I think that you are kidding yourself. US has a massive surveillance/spying program of EU citizen data, as demonstrated by the different leaks, this is not speculation but hard facts. US judiciary system with secret courts and gag order is a joke from a European point of view (Justice is rendered in the name of the people not secretly). Surveillance by EU spying agency can really rely on EU court to make them stop (and yes having worked for legal interception system in Europe, people really take into account judiciary decision), and ISP are fighting back without the threat of gag order.

BTW, I have to guess that your logic doesn't apply when the US refuse its data to go to China. Are you also saying that this is also pure US protectionism in disguise?

All the EU states have mass surveillance programs too. EU member states do very little to regulate dragnet surveillance, and processes around targeted surveillance are mostly equivalent to the US processes. Do you really think the target of an EU counter terrorism investigation is going to be notified that somebody is seeking a warrant to spy on them? Or do you think that would all be handled be secret processes and secret court orders?

> BTW, I have to guess that your logic doesn't apply when the US refuse its data to go to China.

This is the more hilarious aspect of this. EU and US intelligence agencies share huge amounts of information. If an EU citizen is spied on by say, France. Not only are they not going to know it’s happening, not only is there essentially nothing they can do about it, but the French government are more than happy to share anything they find with the NSA [0]. If the EU actually had a legitimate concern about US intelligence gaining access to EU citizen data, then these intelligence sharing arrangements would be illegal.

This ruling doesn’t prevent US agencies from spying on EU citizens. The only thing it achieves is forcing US companies to do more business in the EU.

[0]: https://theintercept.com/2018/03/01/nsa-global-surveillance-...

It might be good news for EU consumers. There's no technical reason for most vendors why customer data of EU customers has to be stored in US data centers.

I mean you can store EU users' data on an EU server but if any US users are allowed to communicate/look at EU users then obviously the data is going to travel across the ocean. Maybe I'm reading too much into what constitutes as "personal-data" but last I checked they had broadened that a lot. What happens if I view a EU user's linkedin profile from the US - isn't that all personal data? I hope there's at least an informed consent opt-out for this.

If not, it's not super clear to me what the work-around is other than completely isolating the continents.

>What happens if I view a EU user's linkedin profile from the US

How can you see a private profile if it is private?

We're already running separate US/EU points of presence on AWS.

The trouble is that as a small business we can't afford to have two separate operations teams for the US instance vs. the EU instance. We're all based in North America too and it is not practical for us to hire a whole separate devops team for Europe.

Our US based engineers could in theory be compelled to hand over the data stored at rest in the EU. They could also in theory see PII like names or email addresses in the course of administering the application on their laptops in the US which counts as data export, so would still need Privacy Shield or now SCC to allow engineers to do their everyday work keeping the product up and working.

But you do see that the problem is US law? Just a little privacy and this wouldn't have happened.

As a consumer I'm all for it - but as a vendor it does make things a little more difficult

The ruling notes that standard contractual clauses are still available. Most providers offer a Data Processing Agreement that can be signed and amended to the standard contract for businesses in the EU. It then gets muddy though as a DPA needs to be considered against possible legal demands of the US Gov and whether the processor will be forced to comply, assuming the data is stored unencrypted and it is possible to comply.

Quoting from the press release, the data exporter must take into account both the contractual clauses AND the surveillance laws of the target country. It is not sufficient to rely on a contract with a US data processor where the US surveillance laws do not make it possible for the recipient to comply with that contract.

> In those circumstances, the Court specifies that the assessment of that level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country.

> [...] that decision imposes an obligation on a data exporter and the recipient of the data to verify, prior to any transfer, whether that level of protection is respected in the third country concerned and that the decision requires the recipient to inform the data exporter of any inability to comply with the standard data protection clauses, the latter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the former.

You cannot rely on these clauses if they can't be effectively enforced, so I'm doubtful whether they will allow you transferring personal data to the US.

Yes hopefully it'll just be some extra paperwork.

>This is bad news for everyone in the EU who has data in the US and uses the Privacy Shield act as the protection guarantee.

This ruling was in no way surprising, though. Anyone doing due diligence should have easily seen that Privacy Shield was going to be struck down by the CJEU eventually.

Hum. I’m in the process of starting up a Wireless ISP in Europe. I was looking at using a large piece of management software provided by a Canadian company, hosted in the US. This is starting to feel like a bit of a bad idea.

I was already unimpressed with their “no one has ever asked us about GDPR” response.

I can totally see an ISP getting heavier regulation in this regard too, given it is providing infrastructure.

Maybe I’ll code it all up myself while I wait for the dedicated fibre to come through.

Any reason why it has to be hosted in the US? Hosting is so standardized, it's hard to argue why it can't be moved to the EU.

It is a SaaS product and I guess that was just what made sense to them at the time.

They say they have a lot of EU customers, but something doesn't add up. Either they don't have a lot of EU customers, or their EU customers are ignoring GDPR, hosting locations, and (in my case) regulations on invoicing software.

Maybe those customers are just saying, "ah, it'll be fine, let's not worry about it." Which probably isn't a bad approach for small companies.

I suppose my choice comes down to: Do I want something off the shelf, slick, a bit expensive, and may or may not screw me in known ways. Or do I want something custom, slow to build, a bit clunkly, can adapt to my needs at the cost of my time, and won't screw me in known ways.

Of course, both may screw me in unknown ways :-)

Anyway, thanks for listening. This is mostly me just thinking this though.

SaaS management system for WISP seems weird to me. From what I know from the local WISPs their internal systems need to be very robust and independent from internet connectivity, so when the network or Internet connectivity goes down, they are still available to quickly resolve the issue.

Yes, I can totally see how that makes a lot of sense.

If you are coding it up yourself I would just host it on any old hardware laying around.

The upgrade path I would use is to grab what ever old gaming pc that the founder already owns. Once everything is up and working, money is coming in, you have customers, then start considering upgrading to an actually dedicated server with redundant power supply and ups. Once that is starting to get old or the company management software has outgrown such setup you have enough data to know what kind of demands you want to apply to a cloud company in terms of reliability, scaling, support and legal.

I'm sure that if you ask nicely you can get a hosted version of said management software; software is not bound to a country of residence.

At the political level this is going to fuel the conflict between USA and EU. Gas pipeline, data privacy - times have changed forever it seems between USA and EU.

I don't see a conflict. European countries have had consumer protection laws that are different from those in the US and US companies have had to comply. This situation is no different.

The EU wants privacy & security guarantees that US companies can't deliver and special deals with the US government can't really fix that. But I'm sure US companies will adapt eventually.

And this goes in both directions of course. For example European banks have to be really careful in dealing with US citizens due to laws like FATCA.

> For example European banks have to be really careful in dealing with US citizens due to laws like FATCA.

Their fix is of course to require you to check the "I am not a US citizen" box.

I don’t know if that’s sarcastic, but banks are scared to hell to deal with US citizens. They won’t ask you to fill the other box, they just won’t deal with you.

It is not sarcastic - my bank (ING) has these in the forms, for instance when getting started with their stock buying program.

Many banks will not allow US citizens to open accounts for that reason. If they have any US account holders, they will have to report to their tax authority.

Sounds similar to GDPR.

allies but different interests, very different. Example: Why We Must Spy on Our Allies https://nationalinterest.org/commentary/why-we-must-spy-our-...

    Oceans rise Empires fall
    We have seen each other through it all
    And when push comes to shove
    I will stalk all your communication
    To remind you of my love

I don’t know why the article claims the decision was “surprising”. I work for a US company that is subject to GDPR and we’ve been expecting this for over 2 years, the only unknown was when the ruling would happen, not if.

This has been going back and forth for a long time now. Perhaps I'm being naive, but given light delay, companies already host data about and data accessed by citizens from <insert continent> on said continent, so why don't companies just store EU data in the EU and be done with it? Wouldn't that solve the whole issue, years in court, ambiguous rules, companies/agencies that require local storage, etc.?

Good job Euros! Now you need to level up tech sector, get rid of the shackles of Google, Apple, Facebook. Your startups deserve better then the current, anti competitive and worse environment! Your companies could do much better, now is the time and make it happen.

It’s never going to happen. We’re a completely decadent society, and we’re essentially out of the IT race at this point.

Well it's not even the right point to discuss. A lot of great software is developed in Europe (not necessarily by companies with European headquarters). But why should software companies be tied to a specific region. Great software can come from the US, Australia, Asia, Europe, ... Because in the end it comes from people and the entrance barrier gets lower and lower.

What you point to is probably more a question of finance and ownership.

People keep saying this while ignoring the local huge boring IT companies and local subsidiaries of US IT companies.

Does it really matter where the nameplate that indicates where the HQ is? Or does it matter where the profits are taken for tax purposes (Apple appears to be an Irish company, by that measure)? Or where the CEO and board members are domiciled? Where the actual staff sit when they work?

So what you're saying is, that as long as there are other places in the world, outside of Europe, that still have a regulatory/financial/mentality/etc framework where new large software corporations can appear and flourish (and then open offices in Europe), then it's all good for Europe. If so, doesn't that seem a bit hypocritical? To have tighter privacy regulations locally but then be happy to accept business/jobs from companies that exist _because_ of no such regulations in other places (or at the time they were established)?

Err some of us actually like Apple as at least they actually pretend to give a shit. Google and Facebook not so much.

Will this have implications for Chinese and Russian services as well? Will the EU go fully local?

Not really, because the European Commission has not issued an adequacy decision in relation to China and Russia as far as I'm aware.

Russia is an interesting case, though.

They are bound by the European Convention on Human Rights (although enforcement is... let's say tricky), and they are also signatories to Convention 108 (the Council of Europe "Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data") and they have signed (but not ratified) the protocol to update the convention (223, combined known as Convention 108+).

This - in theory - puts them at an advantage over countries like the US which lack any real privacy legislation.

However 1) Theory and practice aren't the same; and 2) I think it would be an impossibly hard sell for the Commission to issue an adequacy decision for Russia purely for political reasons, let alone practical ones.

Oh interesting:


So Russia/China are already in the "further safeguards needed" camp, along with... almost all of the world?

I studied a bit of EU law in law school, but haven't kept up as much as I should. This is a helpful start to dig back in, thanks!

This just seems protectionist to me.

I imagine anything the US is doing is being done by spy/sigint agencies within the EU

They are really making it impossible to start a small SaaS product. People already don’t want to pay $4/mo. for even some of the most popular SaaS products. I’m afraid all this is going to do is cause these small SaaS businesses to run twice as much infrastructure, and then transfer the costs onto the consumers by substantially increasing their prices.

As it should be; I want to pay with money, not my data. And I want my spending to stay in my local economy, not to the bottomless pit that is the US.

We're happily running a small SaaS with 4 servers using a small provider near Frankfurt for less than 50 Euro/Month. In fact, this provider is massively cheaper than AWS for bare metal and we had no service problems so far. It's maybe not five nines, but the limit is really not the service provider ATM.

Yes, privacy has a cost.

Imagine every country comes up with a similar law restricting personal data transfers. This will render Internet useless.

>This will render Internet useless

No it will render the internet back to what it once was, and not a personal data market platform for the big company's.

Remember it about Personal Data.

In fact if others come up with similar laws (even vaguely), the EU laws, as they are now, would allow the the transfer.

For example Switzerland, Japan, South Korea etc

The law allows data transfers but with some conditions. So if US or China don't want to respect privacy then the data can't be transferred there but if Canada would accept this agreemnts then you could transfer data there. The barriers are raised by the countries that do not respect privacy laws You don't want EU to read your private emails but US should be able to read them, so you agree that you won't read the emails but you don't respect this agreement, what else can be done?

An Internet with no personal data is a far cry from useless.

But surely, you'd concede it's far less useful. No international email, social media. No access to foreign websites: IP addresses are personal data [0].

Possibly, service delivery is feasible if you set up a warehouse in both locations to freight forward, but any vendor without the means to operate in each country.

While I expect my EU pals will say "but of course we will never apply the law that way," if this was the intent of the legislation, the legislation looks an awful lot like a nationalist tariff.


> No access to foreign websites: IP addresses are personal data

The OP talks about not storing personal data, which would mean e.g. not keeping logs of client IP addresses; that does not forbid the Internet.

I agree that a law that literally says or is interpreted to say that my IP address must not cross international borders, forbids the international Internet. But there is no such law.

It's possible to put together an argument to interpret laws in an undesirable or unexpected way. That's what lawyers are for. We have to have some measure of confidence in court rulings, that's part of the system, law interpretation is always being challenged.

> No international email, social media.

To the best of my understanding, the GDPR allows people to opt-in to send personal data. If I send an email to someone in the US, I deliberately share e.g. my name with them; that's legal. If I send an email to someone in Europe, and my and their email providers are companies operating in Europe, they should not transmit or store the email through US servers. That's not impossible. At least that's my understanding.

The problem with social networks is legitimate, and a real problem, but it's vastly smaller than "the Internet".

How so? Thanks to technology nowadays, it's easy to set up a local copy of your stack in a random datacenter, and to do your statistical analysis and optimization there as well. There is no reason to ship all that data off to the US other than cost optimization and data hoarding.

Why would it? This just means that people would be in control of when and where their personal data is transferred. If you choose to, say, make your profile public to the world, I don't see how that would be affected.

We can already see some of the result from the trade conflict between China and US. Centralized services, ie search, video hosting, social networks, cloud services and so on will likely be copied for each nation and exist as national or regional versions.

The other part the Internet, ie the decentralized part will likely continue to be unaffected. The big threat to that part is national firewalls and when infrastructure become centralized such as current trends in DNS resolving.

Finally! There is hope for EU, they apparently found some of their balls. Hope they keep 'em.

Nobody in the US government is going to scream in rage over the violation of your privacy. The last person who came close is hiding in Russia.

> Nobody in the US government is going to scream in rage over the violation of your privacy.

by the US government. Plenty of people are screaming in rage about China, for example.

That is not even close related with privacy or human rights and more about geo-politics.

US-EU data agreements are also about geopolitics.

Maybe, but there was some agreement and one party is not respecting it, so let's say is not nice not to respect your contracts. Star Trek fans are probably reminded by this rule of acquisitions; "A contract is a contract is a contract… but only between Ferengi."

The EU is not some weird hive-mind, it has separation of powers just like the US. It is the European Court of Justice's job to overturn executive decisions that trample on the constitutional rights of its citizens, same as the Supreme Court in the US.

I am not sure how your comment related to mine, maybe I was not clar, EU and US had a contract, US is not respecting it and this judges looked at teh facts and said, yeah the contract is invalid so you can't store private data in US using this contract as a base, find something else.

And now US citizens from HN spin this as protectionism or over regulation and just ignore that there was a such a contract and it was not respected, it would make sense then that US guys won't complain if someone else would do the same, but you notice if an app related to China is only suspected of doing something like that the mob demands it getting banned if an US entity has the power to just search and read anyone's private stuff that is not from US then is fine.

I mean US could pretend they won't spy , and then work a bit harder to get the data they need instead of having 100% full access to everything.

Sadly in this world human rights are almost always a question of geopolitics. It's the only explanation for why we only seem to really care about human rights when they happen to coincidentally align with our geopolitical goals.

What are the geopolitical consequences of black lives matter?

Human rights within one's own country are one thing. Caring about human rights in another country is essentially nothing but geopolitics.

That said, there are geopolitical consequences of Black Lives Matter that are fairly obvious, as far as who comes to power in the US.

(We detached this subthread from https://news.ycombinator.com/item?id=23857574)

WSJ: Surprise ruling is a victory for privacy activists

This wasn't a surprise at all. It was very predictable from the beginning for one simple reason: the US doesn't have strong privacy laws and the US government's surveillance apparatus doesn't account for whatever privacy laws exist either. All the gag orders (up to half of all total order requests according to Microsoft 2 years ago), all the tapping of internet cables and "partnerships" with the carriers, all the "fusion centers" with all agencies getting people's data, and so on.

Oh, and best of all, the Privacy Shield said that it was up to the US DOJ to ensure US companies followed EU law. What a joke.

The EU Charter of Fundamental rights prohibits data from being stored in countries that don't provide equivalent privacy protections as in the EU. If you follow this logic, it's obvious Privacy Shield was bound to fail.

An article from 2018: https://www.hrw.org/news/2017/07/26/us-surveillance-makes-pr...

Noone in the EU now can sell on Amazon or eBay.

> to adequately protect Europeans' data from US surveillance and security laws and was therefore invalid

Certainly this is more about protection from corporations with the added benefit of preserving what’s left of tech in the EU.

Considering the US and most major EU countries share intelligence information with each other and all have surveillance programs I don’t know that it would be very effective at doing that no matter where the data is.

This means noone in the EU can sell on Amazon or eBay. Noone can use services like WebFlow and other hosting solutions. We'll see what future court decisions say about AWS hosted inside the EU.

Everyone who sells on Amazon and eBay has a data protection policy which mentions Privacy Shield to legally work with Amazon. The court says only DPAs work where you make sure that the other party protects data on a GDPR level, which Amazon doesn't do and can't do.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact