"This judgment is not the cause of a limit to data transfers, but the consequence of US surveillance laws. You can’t blame the Court for saying the unavoidable - when shit hits the fan, you can’t blame the fan."
Start at page 28 if you want to skip the recap of EU law, or start at page 35 if you want to skip the details of US law and surveillance programs as recapped by the Irish court that made the referral.
It's a bit sad that people have to fight this war on personal title.
It's mainly odd to me that there aren't more privacy / consumer protection groups doing the same things he does.
There are a lot of smaller groups fighting, but it takes years and years to see results. Hopefully the EU itself will get more into it now that our relationship with the US is deteriorating and China is getting more and more aggressive.
Not that it’ll matter too much with Microsoft being the only real option in non-tech enterprise.
Dieselgate was started by such a group.
The system is not all bad, but incentives are against stuff like this being litigated by the usual privacy or consumer support groups, because you just can't collect fees from the legislative branch...
But the national data protection commissions of each country also do plenty of work. I think they're still swamped, though.
If you donate EUR 100, you get consultation on private data protection cases (2h/year).
The German DPAs love going after random individual cases they find, often in ways incompatible with reality (e.g. a small company not using GPG when e-mailing employees about HR issues), while ignoring major abuses that happen at scale. The biggest fine they issued was to a real estate management company for not deleting old documents (e.g. proof of income) that tenants had provided.
Not a single fine against adtech companies.
Perhaps this Wikipedia page will be updated soon:
I can see company legal departments taking this ruling to prohibit transfers, even with a DPA in place, and causing havoc around the EU.
And once you have a working system and solutions in place, that becomes a quite good sales argument.
And yes, the EU is really lacking providers that can follow those requirements. At some point Microsoft had a German cloud completely distinct from their other offering and managed by Telekom, but they stopped a few years ago (and it wasn't really in a production ready state IMHO...).
Verbal sense 1/2:
> to bring to a successful issue : complete, accomplish
> carried out the assignment
> to put into execution
> carry out a plan
Basically if the contract says "Alice will pay Bob $10 to kill Charlie", then obviously that would be illegal so the contract is void.
There are ways to run operations in a way that complies with the spirit of these rulings. Hetzner, OVH and other cheap mini-clouds are EU based and have only EU datacenters. Guess where banks want to go? "The cloud" because "the cloud" is "the future" and they institutionally suck at running IT departments of any kind. So they ignore those offerings and find workarounds that let them outsource it all to the Americans who for various reasons just seem culturally better at making software companies.
The other problem that discourages people making EU compliant companies is the term is meaningless. EU is famous for rather weak rule of law. The courts have a history of "discovering" entirely new laws in vaguely written rights or regulations, like the famous right to be forgotten that caused and still causes endless operational pain. Not a law written by any lawmaker, not even the unelected opaquely appointed bureaucrats that write laws in the EU. A law literally invented in the courts themselves.
Because these laws are effectively invented by the courts or by a quasi-government that doesn't really have its own police forces or much of an enforcement infrastructure, this means many EU regulations aren't really enforced. Compliance is kind of on the honour system. So if you're selling compliance, but it costs a lot more than a US based solution that basically ignores these rules whilst claiming they don't, then you'll lose out to your competitors.
The final problem is, again, all this stuff is just legal posturing. The EU has a long history of having intelligence agencies just as aggressive as the NSA, and cutting deals with the USA to get access to US intelligence in return for data (see the SWIFT transfer programme). The EU and its fans like to claim there's some sort of deep cultural difference between Europe and America with regards to privacy, but when you strip away the press releases and look at the actions these countries/EU really make, there's virtually no difference. This is another reason why banks and other firms don't take it too seriously at their core.
I don't see the problem: buy HP Enterprise hardware (support is based in the Czech Republic), install SUSE for example (but not Red Hat), ask a data center of your choice, place your hardware there, make your own 'cloud'... profit?
I had the exact opposite experience compared to AWS: with our own cloud we saved around 80% in expenses, about 35% once additional manpower is factored in... but still, 35% is really something.
Then implement it very well, you know, like you should do with the foundation when you build a house.
Managing your own k8s in production isn’t a simple task at all :(
It's not about where some people work, it's what they do and under which legal regime, so a US citizen working in Germany or for German customers "could" be a problem.
That's usually fine (related to the "in Germany" part). I'd say you'll only have an issue if you're doing something really high up the government (same as for example SpaceX - which cannot hire non-citizens)
They can, actually. It's just tons of paperwork and red tape so they won't.
Hopefully this will force more independence and provide a boost to the European providers.
Less easy if you need to, for example, accept payment by credit card. Even if some of the businesses along the way are based wherever you are, the major card networks are all headquartered in the US.
It would be great if the international community could get its act together on an alternative and render the deeply flawed card payments industry obsolete, but the fact is that right now cards are the only game in town for a lot of situations.
Honest question: from a consumer perspective, what is deeply flawed about it?
I realize this isn't available everywhere, but with my cards I can make payments in virtually any country without ever having to deal with local currencies, currency conversion fees, bank account overdrafts, or having the physical card with me as I use my phone for 90% of transactions where I live. All this while getting 2-5% back on every purchase and (if I want to pay an annual fee and deal with more cards) a whole slew of travel benefits and free flights every year or so.
The US doesn't like someone, like Wikileaks? Card processors block all payments to them, so you, the consumer, cannot get your money to them.
The US wants to profile all your transactions, to figure out where you eat, where you sleep, and what you do? They get all the data and you'll never even know.
Obviously this is not a problem, as long as you stay on good terms with US interests. The minute you become a target (which might simply be because you work at a competitor of a "strategic" US business), it's not so great, to put it mildly.
You're not necessarily aware of the inherent insecurity until you are on the wrong side of a breach. You might assume you can charge back if anything goes wrong, but you might have absolutely no guarantee in law that you will be able to do so. As with so much about cards, you are then at the mercy of your card issuer and/or the underlying card network, and they will act in their best interests, which might not coincide with yours.
You might think it's useful to have the credit facility, but the rates you're paying will almost always be far higher than you could get on a competitive loan from a bank. (And if you can't get such a loan, you certainly shouldn't be building up credit card debts either. The model becomes predatory and abusive at this point.)
You might think you're getting a good deal with the cashback schemes, but the merchants are getting hit with higher fees on the other side and they will be pricing that into the amount you were paying in the first place. Worse, since various places now limit or prohibit charging extra fees for card transactions, governments have legislated competition out of the payment methods market and anyone who chooses not to pay with a card is now stuck with the same higher prices.
You might find the automatic conversions for foreign payments useful, but you are almost certainly paying a silly exchange rate and maybe extra fees on top for the privilege.
Card payments are comically unreliable at the best of times. In a "good" case, this just causes some embarrassment when your card is unexpectedly declined at the store and you have to try it again or use something else to pay. In a more serious case, perhaps your card gets blocked because of a false positive on the security checks while you're abroad, and you are left with no easy way to pay for anything for potentially several days until it gets sorted out.
On top of this, there are the indirect effects of all the one-sided obligations imposed on credit card providers by governments and on merchants by credit card providers, where a bunch of people are required to take on potentially severe risks that should be entirely unnecessary just to carry out a simple financial transaction. Much of what is wrong with the industry actually comes down to these effects and what happens when the risk gets passed on or priced in.
In short, the people who benefit the most from card payments are the card networks. For everyone else involved, they are likely inferior to other payment methods in one or probably more important ways, and it is their established infrastructure and ubiquity internationally that keeps them relevant more than anything else. There is no good reason we shouldn't all switch to alternatives today, given the ease of doing so with modern mobile devices and Internet access, but again it comes down to momentum more than anything else.
The thing that bugs me is that we're perfectly capable of doing quick, reliable transactions without any need for cards at all today, particularly in Europe with the SEPA infrastructure, or in other areas that have national debit schemes. We just haven't got around to making this easy for both online and in-person payments yet, though things like the payment methods using smartphones and the consolidation of debit schemes that fintech firms like GoCardless are working on seem like obvious steps in the right direction to me.
That's amusing of course because the EU economy is desperately dependent on the US economy. Meanwhile the US economy is far less dependent on the EU economy.
So the plan then must be to do zero business with the US and Chinese economies, the world's two largest. You also can't do business with Canada, Australia or Britain, so there went another $5.7 trillion in economy you can no longer trade with.
The EU would be sent back to third-world living standards within a decade or two. You just lost access to 50% of the world economy. Easy to do, yeah sure.
Europe is still ahead of China. And has a much higher and better educated population than the US, and much more exporting small, independent businesses. Meanwhile the US is at third world standards in infrastructure and democracy. Their only strength is military and having the Dollar. This is not sustainable.
I wonder how many attempts it will take for this deal to be considered legal before the US actually has to do something to hold up their end of the deal. The US government would scream in rage if Germany would ever demand the ability to order Microsoft or Google to hand over information about US citizens in complete secret, yet the EU will gladly take the word of the US government that it won't happen.
The EU also has plenty of incentive to encourage keeping data within the boundaries of its member states. Making it difficult to use American tech giants as a lazy quick fix for data storage instead of looking at local alternatives only helps limit the amount of money taken from the European economy. With the scandals and state of the current US government I find it hard to believe the EU will be able to draft a new agreement like this with the US without compromising on the rights of their citizens.
Apologies for being pedantic, but "The king is dead, long live the king" is referring to two distinct uses of the word king. It is the equivalent of "The old monarch is dead, long live the new monarch".
So for this to work in your case it would need to be:
"Privacy Shield is dead, long live new-replacement-law"
But without a replacement law, the phrase just doesn't work.
We don't know the name of the new law yet, but Privacy Shield was quickly implemented because the agreement before it was deemed insufficient, and the same will likely happen again.
There are some specific justifications that are scoped to government use only, in areas such as law enforcement or collection of statistics. But agencies still need to implement the law, document the specific requirements for any type of data they collect, observe time limits on retention, produce transparency reports, and so on.
From the EU citizens perspective, the ideal outcome would be for US cloud service providers to pressure US authorities to limit their surveillance of EU citizens and provide some kind of privacy guarantees. Here's to wishful thinking...
Cynically I suppose it was to ensure they'd at least have a say in what the CCPA covered... and to hurt their rivals (Facebook, etc).
GDPR hurts large companies that abuse data; the actual legislation is one of the most proportional regulations I've ever seen.
You have the right to store people's personal data if it's used and not processed for non-implied purposes (i.e. generating profiles of people after sale) and not sold to another company.
So when someone throws up a big "GDPR NOTICE" and you have to press the big "I agree" button, it behooves you to read it; because that's often not required for the service, it's what's required for the company to sell on your data.
Joe the Shoemaker can take your email address or phone number and call you, he's not going to have a hard time under GDPR.
If you're abusing data, you're going to have a hard time- and that's good.
1) As you say, "If you're abusing data, you're going to have a hard time- and that's good." Companies that are built on selling your data (e.g. data brokers in the marketing / finance industry) or sharing it without your consent (e.g. Facebook with Cambridge Analytica) will have to stop those practices. GDPR working as designed, win.
2) For business models that are viable under GDPR, then at the margin GDPR is going to prevent small companies from entering the space, to the benefit of larger companies. Your example of Joe the Shoemaker is the trivial case. What if your business has a need to collect PII, banking information, perform Know Your Customer checks, and retain that data for 5 years under the US Bank Secrecy Act? Or collect electronic personal health information? Or submit to any other conflicting regulatory regime? You're missing the fact that lots of businesses have a legitimate need to collect more than just an email, and that other regulations directly conflict (per country) with GDPR. In these cases, adhering to GDPR is more than just slapping a GDPR dialog onto your email submission modal; it might require a significant amount of time talking to expensive lawyers to figure out how to comply with all of the applicable regulations.
This is the basic dirty truth about regulation; large companies can typically afford to lobby to make sure the regulation isn't going to ruin them, and then they can afford to implement the regulations even if they are very complex. After implementation, regulation like GDPR becomes a moat. Consider how hard it is to start a company in highly-regulated spaces like finance or healthcare. Though I don't claim that GDPR is as deep a moat as those industries' regulation, it's the same idea. The regulations as a whole can still be net-positive to society, but the risk is that when regulators (and those commenting on regulation) don't understand the real costs of complexity, it's easy to pile on rules that have the opposite effect than intended.
Note, a common misconception about Google is that it sells/shares your data; it does not in general do that. Google sells targeted ads, and your data is Google's competitive advantage; Google built Gmail, Android, and a host of other products in order to get data that others cannot; your data is Google's moat. GDPR just talks about sharing your data with other companies; Google is fine under the GDPR. Sure, the death of Privacy Shield might make Google's various international entities less able to share data, but the fundamental business model they follow of collecting first-party data on users is alive and well.
I'm pretty sure the regulations have a catchall "you are allowed to store the data if legally required to" for exactly these kinds of issues. Need to store the data for 7 years for tax purposes? Fine.
I think (like the GP) you're oversimplifying though.
Have you ever had to determine what is considered a "legal obligation"? It's not fun. Much to the distaste of us engineers, it turns out that most laws are not written in an unambiguous fashion; many (like HIPAA) are very vague in places, and rely on precedent or tribal knowledge about how the regulator in question tends to interpret things.
So yes, if you have a clear, unambiguous requirement to keep Personal Data, then you don't need to lawyer up. If you work in an industry with complex regulations, then you're going to need lawyers and/or consultants to tell you how to resolve the conflict between GDPR and those regulations.
The world really isn't either Facebook or Joe the Shoemaker. There's a lot in between.
Unless the "entry" is doing something nefarious.
I worked at a small company that made software to allow behavioral therapists to collect and analyze data about patients and visualize it more easily. Helped a lot when the patient was a young student and you're working with parents or guardians, and it replaced a lot of time therapists had previously been spending in Excel (or in some situations, hours with pen and paper).
GDPR hit hard. We weren't selling any data at all, but because data was often stored grouped by classroom, or by therapist, or by org/admin, providing an easy way to give a patient a data dump of just their data (rather than the data a clinician was approved to view) was very expensive.
I left for other reasons, but the company is still struggling with the added costs, and last I heard was going to be acquired.
To answer your case (and risk downvotes in doing so, gah):
I think that the situation your company was in was almost exactly the reason GDPR was conceived, data custodians have an obligation to treat that data with the value it actually has, especially in the medical industry.
GDPR was not, actually, invented with google/facebook in mind, it was due to the fact that people were selling data, and _also_ not taking care of it when they had it..
Imagine a world where there was no such thing as, idk, PCI compliance, say.. and while some people were treating card info as something they didn't want or stored very well--- the vast majority of people were instead saving them into text files and passing them around on open windows shares in order to process payments.
For a lot of companies, GDPR just exposed their shortcomings, and yes, it's expensive to fix, but the point is that it's unhealthy in the first place, much like destroying the planet will destroy us all; unless there's a financial impact to the company itself, the company will continue to salt the earth without regard for anything. (contrived example, I know).
That said - I think my point still stands. This company wasn't storing data poorly, it was storing data in a format designed for its primary users - Clinicians/Therapists. It was also complying with all current legislation when the system was designed and implemented. (and I say this knowing full well the company had previously reported clinics where we knew of or suspected HIPAA violations)
When you're tiny (right around the 250 employee limit, mostly non-engineering) having to re-implement a system that's seen 9 years of development/bugfix/features is prohibitively expensive. At best, you're paused entirely on feature work while you do it, at worst you're re-introducing issues/bugs that have been fixed before and adding new ones.
But it's cool, because Google has all that fitbit data now and they totally wouldn't be interested in competing in this space. And we've all seen how effectively this law curbs malicious behavior of these large companies (read: Not at all).
So from my end - the result in this case was that a small company that sold no data at all, had no vested interest in marketing, and was previously complying with regulation went out of business.
Instead it was eaten by a much larger player in the field that was better positioned to absorb those costs (and which does make money by selling data). I'm hard pressed to see that as win.
So, all that said - I still think we agree more than we disagree. I'm not really upset GDPR exists. I'm upset that it's been mostly ineffective at curbing real abuses by large players, but that's not a problem with the law - it's a problem with its enforcement.
I also find it telling when the large players in the industry are in favor of regulation - It almost always means they expect it to reduce competition.
Also important to point out how much of this goes back to Max Schrems activism over the years and noyb (https://noyb.eu/en). This is a huge win achieved with relatively few resources. Staying engaged is worth it.
Almost all major countries have surveillance programs. They are perhaps necessary to preserve national security. The hope of democratic countries is to have enough checks and balances on those powers to keep them limited to national security interests and to prevent abuse.
The EU's treaties explicitly reserve national security for the member states themselves (except for where there is unanimity or opt-in in specific areas).
As such, in most cases, the Commission and Parliament can't legislate to bring the member states' own intelligence services under control.
To change the situation the treaties would have to be changed (which is a can of worms in itself) and all 27 members would have to agree to the changes (one or two would require a referendum).
This isn’t ‘let’s decide to let X country know Y’. If it is on the eyes network (and tons of things are) everyone gets it per the multi country agreement.
I hope to see more disincentives put forth against these practices in markets our businesses haven't completely supplanted government oversight. Hopefully, that will result in shifts of practices in the US markets as well, though it's certainly not guaranteed.
Our big Tech FAANG loves gobbling up everything they can get their hands upon in the name of training AIs that shove more personalized creepy ads.
This is not the case - almost all major countries have surveillance agencies. It's not the fact that China has surveillance that is looked down upon, it's the lack of checks and balances. Most democratic countries have surveillance to ensure national security interests and they have strict checks and balances to minimize abuse and ensure that intel is used only for national security reasons.
China’s surveillance has no such checks and balances and does little to prevent abuse and that is worth criticizing. Perhaps this may change someday but the current party does not seem to be heading in that direction.
Then we would not need all these highly impractical countermeasures.
> For example, Der Spiegel revealed how the German Foreign Intelligence Service transfers "massive amounts of intercepted data to the NSA", while Swedish Television revealed the National Defence Radio Establishment (FRA) provided the NSA with data from its cable collection, under a secret treaty signed in 1954 for bilateral cooperation on surveillance...
How is my data any more secure on a German server than an American server? Some asshole is snooping on it anyway, and the NSA gets access by extension.
Yes, GDPR provides greater protection for privacy than US laws and hats off to the EU courts for trying to maintain that protection.
That said, the US and EU are so closely intertwined when it comes to intelligence that I doubt this provides much protection from Western state level actors.
what? since when?
The USA was, and still is, corrupt. There is plenty of news of the USA covering up war crimes, spying on everyone, the PATRIOT Act itself, drone assassinations etc.
and prime example from the past:
Plus quite honestly, if any country in Europe behaved like the USA (allegiance to the flag in schools, "patriotism" etc.) they would be under EXTREME scrutiny from their neighbors.
It is still a lesser evil on the world stage to be honest.
The difference is not that a country surveils but if they have processes in place to protect that information from abuse and keep it to use only for national security interests.
But they are not; they're dropping fast on the world scheme when it comes to human rights and common decency. In many ways it's as bad as China is when it comes to that.
It's interesting that they managed to keep the ICE concentration camps out of the media. Will the >100K of covid-19 related deaths (that have been officially reported) someday be considered genocide / eugenics?
US residents do not.
EU allows export of their residents' personal data to the US under different sets of rules or methods, one of which is (was?) Privacy Shield. Another is Contractual Clauses. The crucial fact for Privacy Shield is it was supposed to provide "equivalent" protections (ie protection for EU data hosted in the US equivalent to that data being entirely in the EU). It did not.
My take is that Privacy Shield was a sop to the fact that the US never had anything like equivalent privacy laws, but we are (were?) too big a trading partner to apply the law to. This realpolitik appears now to be in question.
So yes, one of the ways to legally allow a US-based company to process EU resident data has now been removed.
As a heuristic: a website such as HN that is available in the EU but doesn't specifically target EU "customers", and that isn't itself or via some subsidiary registered within the EU, is perfectly fine.
I believe the same is also true if you allow EU customers to buy in your online store as long as it's implemented as just a "country" form field and, again, you are not registered in the EU/have no distribution warehouse there, and so on.
I've seen the New York Times being cited as a sort of goalpost of what's still ok: even though they have journalists in Europe, they have no sales presence, and are clearly aimed at the US market.
No idea about Amazon, though.
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Both submissions are very shallow articles though.
Let's hope they won't come up with a new name just as they did last time when Safe Harbour was abolished.
This thing was an insult to EU privacy laws.
P - privacy
A - acknowledged
C - confidentiality
T - treaty
It's not only an insult to EU data protection laws and the EU Charter of Fundamental Rights.
Not only are the big US cloud providers evading taxes and stifling competition in the EU, they are also instrumental to US hegemonic ambitions.
All your data (and taxes) belongs to us. That's what's going on.
I wonder how long the standard contractual clauses will hold, I don't see how they are doing better.
So the SCC is legit. You just can't use it with the US.
What about platforms that connect people from all over the world? Yeah, you can store EU users' data on an EU server, but what if a US user checks out an EU user's profile? Or are we supposed to completely disconnect each continent?
If a US user wants to interact with EU content, then they need to comply with relevant EU rules. They might not have to give the same level of enthusiastic consent, but the data of their interaction should still be stored in an EU-compliant manner.
If you're a US entity you can freely store EU data on US servers entirely without EU permission or consent, and do anything with it that you want to (within US law), so long as you don't operate within the EU. For exactly the same reason that you can safely ignore GDPR if you don't operate in the EU.
If I build a service that runs its servers only in the US, in nearly all cases I don't need to concern myself with EU laws. I'll be operating by US laws. I can allow EU users to sign up and use my service and store their data in the US. There's nothing the EU can do about that.
The EU will have to enable a draconian Chinese firewall to stop this. They have no power or influence to dictate to the world such rules, so the only thing they can potentially do is put their own people in a safety box and lock them off from the rest of the world.
No, this was what was invalidated; Privacy Shield enabled this behavior
>The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. 
With Privacy Shield being invalidated, and nothing else to currently take its place, EU data will technically have to sit within EU (as I understand it). Enforcement of this law will take sometime and won't impact a little startup that's breaking all sorts of rules, as you won't have enough valuable assets for a legal team to go after.
If you are a large multi-national corporation though this is trouble..especially if you aren't using informed consent to notify EU users on what's happening with their data.
>Despite the invalidations made by the judgment, absolutely "necessary" data flows can continue to flow under Article 49 of the GDPR. Any situation where users want their data to flow abroad is still legal, as this can be based on the informed consent of the user, which can be withdrawn at any time. Equally the law allows data flows for what is "necessary" to fulfil a contract. 
I think you missed the point. They're arguing they don't care what the EU thinks. If some EU court invalidates some EU specific thing they didn't care about previously, they still don't care about it afterwards.
Enforcement of this law will take sometime
Like, forever? How many US firms has the EU taken to court in the USA and won, over their cookie law?
EU cannot enforce these laws on US firms, only EU firms, but even then, such things are basically never actually enforced except for political reasons. So they might try and cause trouble to Google and Facebook or Apple, because they're big sources of money. Everyone else will just ignore it or go through some compliance motions if they feel like it.
As always with the EU there are regulations everywhere and they don't mean anything. As you state yourself, "necessary" data can continue to move. This is the same as saying "we'll make it up as we go along".
It doesn't matter where your servers are, if you offer a service to people in the EU and you store their personal data, you need to safeguard that data and comply with GDPR.
It's a law, so it can be enforced through mutual international treaties.
However, common sense prevails in the EU and especially with GDPR, so no one will go after you because you use Google Analytics and didn't give an option to opt-out. But if you start collecting personal addresses, emails and phones disguised as a charity doubling their contributions and then sell that information to callcenters abroad for tax scams and upload it to 4chan, then yes, EU's reach will be tested.
or don't like the purchase aspect? Okay, I go to Thailand and rent a car. To rent the car I need to give them my personal info: a copy of my passport, a copy of my international driver's license. If we follow the same logic, that Thai car rental company somehow has to treat the PII under EU laws.
The EU has no jurisdiction in Thailand, and the Thai car rental company should not have to do things differently just because the person renting is from a different country. That they happen to be online, like say I reserved the car while in Germany before my travel, seems like it would have zero bearing on this.
Can a restaurant in SE Asia take a reservation from an EU citizen? They need to store PII to do it. How does the EU send their enforcers over to that mom and pop restaurant to make sure their reservation system is protecting that EU citizen's PII?
I'm not trying to argue it's okay to use PII. I'm instead trying to understand how these laws actually work because they seem basically impossible to enforce or even implement.
I see the link above tries to cover this. Unfortunately it covers it in nonsense and doublespeak.
> Suppose you run a golf course in Manitoba focused exclusively on your local area, but sometimes people in France stumble across your site. Would you find yourself in the crosshairs of European regulators? It’s not likely. But technically you could be held accountable for tracking these data.
No, not until you bring the Jet Ski through German customs.
Why is it different if I virtually go to Thailand?
Because now, the Jet Ski operator is operating in the EU, and the EU could always choose to null-route said website. There's plenty of precedent for that, even in the US (DHS seizing torrent sites under counterfeit regulation, ISPs de-listing Pirate Bay DNS entries).
> Okay, I go to Thailand and rent a car. To rent the car I need to give them my personal info: a copy of my passport, a copy of my international driver's license. If we follow the same logic, that Thai car rental company somehow has to treat the PII under EU laws.
Perhaps, but as you say, the EU currently has no way to enforce its GDPR outside its jurisdiction.
How do you think the US enforces its take on copyright and patent law outside its borders? Through treaties and trade deals. If the EU wanted to, it could do the same with the GDPR.
There are some areas in need of examples:
For your restaurant in Bangkok that takes a reservation from the EU: not covered by the GDPR because they don't target EU residents; that a resident used their reservation page is incidental and an exception.
For some purely-online service, if you somehow target world-wide or all speakers of an official EU language, GDPR applies. That means your French-language online newspaper in New Orleans is affected, if they have an international section. If it is Chinese-language, you are fine. Geoblocking helps.
In the end, if part of the world refuses to implement even the most basic working privacy protection laws, what choice does the EU have?
I'm certain companies and governments alike would be thrilled to put in place the next iteration of this agreement, however the US refuses to move even an inch.
Exceptions to all this apply for special kinds of data (minors, medical, biometric,...) and invasive processing (AI decisions, scoring). In those cases you might need special consent or you might not be able to export the data at all, even with consent.
In the sense of the GDPR, a European user account does not need to be synced to the US, but only the communicated exchange between a European and a US user.
There are a lot of reasonable usages and solutions. They just cost money and time, and are annoying architecturally.
On the positive side this might give startups based in the EU a small edge over US competitors (I know, protectionism is evil, free market rules, Europe tech startups are not competitive...).
US companies can still do business in the EU btw, they will just need to structure their services so that data from EU citizens stays within the EU. For the larger players this shouldn't be an issue really, I think, smaller startups with limited resources might forgo the expansion into the EU though.
Most of these regulations are just anti-US protectionism in disguise. Regardless of the underlying merits of any such regulation, they're used as trade barriers to give EU companies an edge over US ones, without doing anything as controversial as tariffs. I mean, is there any material difference for a German citizen if they're surveilled by French intelligence rather than US intelligence? Sure, they have the EU courts to rely on, but if you're caught up in a foreign (or even domestic) surveillance dragnet the outcome is going to be exactly the same, and there's nothing you can do about it. All these agencies share huge amounts of data anyway, so the difference becomes quite academic.
> US companies can still do business in the EU btw, they will just need to structure their services so that data from EU citizens stays within the EU
I’d suggest people look at all of the privacy enforcement action in the EU, and ask themselves whether they think the actual outcome is protecting the privacy interest of EU citizens, or just the economic interests of member states.
BTW, I have to guess that your logic doesn't apply when the US refuse its data to go to China. Are you also saying that this is also pure US protectionism in disguise?
> BTW, I have to guess that your logic doesn't apply when the US refuse its data to go to China.
This is the more hilarious aspect of this. EU and US intelligence agencies share huge amounts of information. If an EU citizen is spied on by, say, France, not only are they not going to know it's happening, not only is there essentially nothing they can do about it, but the French government is more than happy to share anything they find with the NSA. If the EU actually had a legitimate concern about US intelligence gaining access to EU citizen data, then these intelligence sharing arrangements would be illegal.
This ruling doesn’t prevent US agencies from spying on EU citizens. The only thing it achieves is forcing US companies to do more business in the EU.
If not, it's not super clear to me what the work-around is other than completely isolating the continents.
How can you see a private profile if it is private?
The trouble is that as a small business we can't afford to have two separate operations teams for the US instance vs. the EU instance. We're all based in North America too and it is not practical for us to hire a whole separate devops team for Europe.
Our US based engineers could in theory be compelled to hand over the data stored at rest in the EU. They could also in theory see PII like names or email addresses in the course of administering the application on their laptops in the US which counts as data export, so would still need Privacy Shield or now SCC to allow engineers to do their everyday work keeping the product up and working.
> In those circumstances, the Court specifies that the assessment of that level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country.
> [...] that decision imposes an obligation on a data exporter and the recipient of the data to verify, prior to any transfer, whether that level of protection is respected in the third country concerned and that the decision requires the recipient to inform the data exporter of any inability to comply with the standard data protection clauses, the latter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the former.
This ruling was in no way surprising, though. Anyone doing due diligence should have easily seen that Privacy Shield was going to be struck down by the CJEU eventually.
I was already unimpressed with their “no one has ever asked us about GDPR” response.
I can totally see an ISP getting heavier regulation in this regard too, given it is providing infrastructure.
Maybe I’ll code it all up myself while I wait for the dedicated fibre to come through.
They say they have a lot of EU customers, but something doesn't add up. Either they don't have a lot of EU customers, or their EU customers are ignoring GDPR, hosting locations, and (in my case) regulations on invoicing software.
Maybe those customers are just saying, "ah, it'll be fine, let's not worry about it." Which probably isn't a bad approach for small companies.
I suppose my choice comes down to: Do I want something off the shelf, slick, a bit expensive, that may or may not screw me in known ways? Or do I want something custom, slow to build, a bit clunky, that can adapt to my needs at the cost of my time, and won't screw me in known ways?
Of course, both may screw me in unknown ways :-)
Anyway, thanks for listening. This is mostly me just thinking this through.
The upgrade path I would use is to grab whatever old gaming PC the founder already owns. Once everything is up and working, money is coming in and you have customers, then start considering upgrading to an actual dedicated server with redundant power supplies and a UPS. Once that is starting to get old or the company management software has outgrown such a setup, you have enough data to know what kind of demands you want to apply to a cloud company in terms of reliability, scaling, support and legal.
The EU wants privacy & security guarantees that US companies can't deliver and special deals with the US government can't really fix that. But I'm sure US companies will adapt eventually.
And this goes in both directions of course. For example European banks have to be really careful in dealing with US citizens due to laws like FATCA.
Their fix is of course to require you to check the "I am not a US citizen" box.
Oceans rise Empires fall
We have seen each other through it all
And when push comes to shove
I will stalk all your communication
To remind you of my love
What you point to is probably more a question of finance and ownership.
Does it really matter where the nameplate that indicates the HQ is? Or does it matter where the profits are taken for tax purposes (Apple appears to be an Irish company, by that measure)? Or where the CEO and board members are domiciled? Where the actual staff sit when they work?
Russia is an interesting case, though.
They are bound by the European Convention on Human Rights (although enforcement is... let's say tricky), and they are also signatories to Convention 108 (the Council of Europe "Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data") and they have signed (but not ratified) the protocol to update the convention (223, combined known as Convention 108+).
This - in theory - puts them at an advantage over countries like the US which lack any real privacy legislation.
However 1) Theory and practice aren't the same; and 2) I think it would be an impossibly hard sell for the Commission to issue an adequacy decision for Russia purely for political reasons, let alone practical ones.
So Russia/China are already in the "further safeguards needed" camp, along with... almost all of the world?
I studied a bit of EU law in law school, but haven't kept up as much as I should. This is a helpful start to dig back in, thanks!
I imagine anything the US is doing is being done by spy/sigint agencies within the EU
No, it will render the internet back to what it once was, and not a personal data market platform for the big companies.
Remember, it's about personal data.
For example Switzerland, Japan, South Korea etc
Possibly, service delivery is feasible if you set up a warehouse in both locations to freight forward, but any vendor without the means to operate in each country.
While I expect my EU pals will say "but of course we will never apply the law that way," if this was the intent of the legislation, the legislation looks an awful lot like a nationalist tariff.
The OP talks about not storing personal data, which would mean e.g. not keeping logs of client IP addresses; that does not forbid the Internet.
I agree that a law that literally says or is interpreted to say that my IP address must not cross international borders, forbids the international Internet. But there is no such law.
It's possible to put together an argument to interpret laws in an undesirable or unexpected way. That's what lawyers are for. We have to have some measure of confidence in court rulings, that's part of the system, law interpretation is always being challenged.
> No international email, social media.
To the best of my understanding, the GDPR allows people to opt-in to send personal data. If I send an email to someone in the US, I deliberately share e.g. my name with them; that's legal. If I send an email to someone in Europe, and my and their email providers are companies operating in Europe, they should not transmit or store the email through US servers. That's not impossible. At least that's my understanding.
The problem with social networks is legitimate, and a real problem, but it's vastly smaller than "the Internet".
The other part of the Internet, i.e. the decentralized part, will likely continue to be unaffected. The big threat to that part is national firewalls and infrastructure becoming centralized, such as current trends in DNS resolving.
by the US government. Plenty of people are screaming in rage about China, for example.
And now US citizens on HN spin this as protectionism or over-regulation and just ignore that there was such a contract and it was not respected. It would make sense then that US guys won't complain if someone else did the same, but you notice that if an app related to China is only suspected of doing something like that, the mob demands it get banned; if a US entity has the power to just search and read anyone's private stuff that is not from the US, then it's fine.
I mean, the US could pretend they won't spy, and then work a bit harder to get the data they need instead of having 100% full access to everything.
That said, there are geopolitical consequences of Black Lives Matter that are fairly obvious, as far as who comes to power in the US.
This wasn't a surprise at all. It was very predictable from the beginning for one simple reason: the US doesn't have strong privacy laws and the US government's surveillance apparatus doesn't account for whatever privacy laws exist either. All the gag orders (up to half of all total order requests according to Microsoft 2 years ago), all the tapping of internet cables and "partnerships" with the carriers, all the "fusion centers" with all agencies getting people's data, and so on.
Oh, and best of all, the Privacy Shield said that it was up to the US DOJ to ensure US companies followed EU law. What a joke.
The EU Charter of Fundamental Rights prohibits data from being stored in countries that don't provide privacy protections equivalent to those in the EU. If you follow this logic, it's obvious Privacy Shield was bound to fail.
An article from 2018: https://www.hrw.org/news/2017/07/26/us-surveillance-makes-pr...
Certainly this is more about protection from corporations with the added benefit of preserving what’s left of tech in the EU.
Considering the US and most major EU countries share intelligence information with each other and all have surveillance programs I don’t know that it would be very effective at doing that no matter where the data is.