Interesting. Does Facebook already have separate infrastructure for Europe, but just forwards user data to the US mothership? Or is the infrastructure all "mixed together"? I'm curious how hard it would be to comply.
The framework for transfering data is called 'Privacy Shield'. It was ruled to be not effective by the EU recently, so a new framework for data transfer is to be agreed on.
Privacy shield was one framework (now invalid, as parent notes) among a few. FB is dependent on standard contractual clauses which are generally valid (per schrems ii) but potentially invalid if the recipient is subject to FISA 702 warrants. Schrems ii put the burden of making that validity determination on member states' data protection authorities.
The Irish DPC didn't want to make this decision (for reasons), kicking the can to the CJEU, which eventually resolved Schrems II and remanded the decision on FB's SCC's back to the DPC.
Yes, it will be interesting to follow the SCC's (Standard Contractual Clauses). But, even though they were upheld, it is still up to the data exporter to guerantee before every transfer, that the SCC will provide an "essentially equivalent" protection to that offerend in the EU with GDPR for instance.
It will also be dependant on all circumstances of the SCC whether the protections offered by it is enough, for instance if the receiving end could be compelled by the government, for instance, to hand over the data.
It is hard to imagine a SCC that could provide "essentially equivalent" protection if the other end is an American company, given the authority the US government can exert over it.
I mostly agree- its very hard to imagine any SCC for a communication service/social network surviving this kind of complaint. Not so sure about other kinds of things.
Facebook's infrastructure is one global transparently replicated database. Siloing data by legal jurisdiction is a huge engineering change. Fortunately they have a head start - there was a big project to enable this for when they still had hopes of operating in China. It's kind of sad to think that this is now going to be used for Europe.
Data for people in $country must stay in $country is essentially a border. It’s not about the actual protections but the fact that the EU considers data that would be legal to collect and store in the EU illegal to store in the US.
I mean yes, but also the idea that a company in country X
can operate a website usable by people in country Y without having to stand up/rent space
in a data center there.
IMO it would also be perfectly fine if Facebook wasn't running any EU servers, was solely a US company, all use by EU users intrinsically sent data to the US, and were protected (or not) by US law. That would actually be the "borderless Internet". But that is not how they've set things up.
They're not insisting on keeping European user data in Europe, though. They've simply concluded that US surveillance laws provide too few protections to non-US citizens living in Europe for their data to be transferable to the US, and that neither Privacy Shield not Standard Contractual Clauses can overcome that.
The EU still allows transfering data to other third countries if suitable protections can be effectively put in place, whether through some governmentally agreed program like what Privacy Shield tried to do or through Standard Contractual Clauses. They simply view the laws in the US as too hostile to most of their residents' data privacy rights. ("Most" instead of "all" because US citizens have more protections under US law even when living in Europe.)
So, while sure it is a kind of border, it's a "privacy-protected vs privacy-dangerous" border rather than a blanket "us vs them" border. Or, phrased another way, it's not a border as a goal, but rather preventing the nature of the internet from overriding their separate privacy goal. I am fine with that attitude.
The concept is still worryingly dangerous given the precedent of "Can't move data outside our jurisdiction" could easily be applied to limit security and ensure snooping instead of preventing it. Given the usual habits and hypocrisies trusting them as far as you can throw them remains wise.
Sure, but even now they're not saying "Can't move data outside our jurisdiction". They're just saying "if you move data outside our jurisdiction, you must put in place suitable safeguards to protect our residents' privacy - and this requirement is currently impossible to meet in the US". There are enough third countries worldwide where the laws would allow, for instance, the Standard Contractual Clauses plus suitable due diligence in practice by the parties concerned to make legal transfers outside of the EU.
I still believe in the ideal but also recognize that the dream is most likely over for now, and I think rightly so. Superficially the situation looks like what cattle ranching went through in the American West with free grazing [0]. The internet is no longer a handful of small ranchers that can come to low cost solutions with the people they might impact. Even if there were no Facebook type ranchers, there'd be enough small time guys to warrant fences and collective action.
One can have a borderless internet without having borderless companies.
Let's take Facebook. We could have Facebook.US, Facebook.EU, Facebook.UK, Facebook.CN, etc.
In a borderless internet, you'd still be allowed to use the one that you wanted, but each would be subject to the laws of its "country". (I realize that the EU isn't a country.)
I find it hard to believe that the inherent risks of this engineering choice (one globally transparently replicated database) weren't discussed.
States coming to a variety of conclusions and making a variety of decisions about how to treat a private US company holding an unimaginably large amount of social data and metadata... was an eminently knowable and completely obvious set of risks going in, so I have little sympathy for Facebook "failing" to plan a mitigation for those risks. It's hard to see it as anything but a deliberate choice.
Unfortunately, given their past history I suspect the hope was that the company would be able to have its cake and eat it too, by playing on legislators' and citizens' lack of technological literacy and adhering to a "better to ask forgiveness than permission" policy. Throwing up engineering hurdles to compliance just benefits Facebook in this case, because they're banking on states' inability to simply ban Facebook. Facebook can force them to the table, with the deck stacked against them.
"Won't your citizens be angry if you make Facebook inaccessible to them?"
"Everyone uses it! That could be seen as censorship!"
"Let's work together to find a solution that benefits everyone."
Uber was forced into compliance and AirBnB just lost a court case against them in Germany if I recall correctly that forces them to reveal some landlords to the local authorities.
One thing EU can do is to fine FB, you don't need to censor FB, but until FB does not cooperate just charge 10% of revenue. (and increase 1% every year)
GDPR allows fines up to 4% of global(?) revenue (not profit). That’s a pretty significant chunk of change for companies the size of Facebook and Alphabet.
It depends on the failure modes you're trying to guard against. Most of the distributed systems I've seen built are within a single AWS region and they do pretty well.
There's more nuance to it, but IMO this is a good thing for consumers. We've been collectively pretty horrible w/ the security of user data even when we're not sharing it w/ third-parties intentionally.
Storing user data should be difficult, otherwise there's no incentive to really think about how you store it and how securely.
I publish a message on my Facebook wall, can it then be kept on Facebook US database? It just like an e-mail, any recipient should be able to keep it, isn't it?
Okay now I send my age, can they keep it? Why not? I send you my birth date by email, you can keep it, can't you?
What's the limit, and how does it works? When I send an email, it's clear who's my recipient, so is that the limit? Recipients has to be clear? Then can a corporation be the recipient too?
1) Is a US resident permitted to declare on their Facebook page that they are friends with [ARBITRARY STRING OF CHARACTERS HERE]?
2) Is US Facebook allowed to record a user-provided and recipient-approved statement of metadata association that references a “Person/Entity” that could potentially be in the EU?
3) Is US Facebook allowed to benefit from processing of metadata without receiving GDPR-compliant permission from the “person/entity” referenced?
I believe the answer will end up being Yes, Yes, No; Facebook EU/US can permit two world citizens to intentionally declare their friendship each other, and the cross-site link is user-specified and passes a “judgment call” opt-in test — but Facebook US cannot make use of that data record in any way that benefits Facebook (such as training models, tracking via social network data, or targeting advertising) other than to exclusively deliver minimum functionality. For example, not okay: “automatic face recognition tagging”; okay: “instant messaging”, “wall posting”.
Disclaimer: I am not your lawyer, I have not prepared citations for your review, please seek legal counsel if you’re considering actions based on my opinion, etc etc.
> Disclaimer: I am not your lawyer, I have not prepared citations for your review, please seek legal counsel if you’re considering actions based on my opinion, etc etc.
1) IANYL is not widely-recognized, so I have to spell it out. The unusual phrasing, versus the typical IANAL, is because "I am not a lawyer" is inappropriate to use. If you are perceived as having given legal advice, it isn't necessarily relevant whether you're a lawyer, and if you are a lawyer you might not be allowed to 'practice law' in the jurisdiction of every reader, and find yourself subject to enforcement actions if you are found to have failed to highlight this distinction. Specifying clearly "I am not your lawyer" clearly indicates that you are not acting in any capacity as lawyer with respect to the reader, denying any opportunity for misinterpretation otherwise. It also clearly highlights that no duty to clarify, followup, or respond exists as a result of the comment, which is frequently misunderstood by Internet forum participants (see also following).
2) HN users frequently seek citations for opinions. Whatever their motivations, I have none to offer here. Clearly stating so helps them correctly perceive this as an opinion posted on an Internet forum, rather than misconstruing it as legal advice provided by a lawyer. They may choose to reject the opinion as it is insufficiently supported, which is of course their right. See also above.
3) Finally, "seek legal counsel" reminds the reader that a profession exists to make judgement calls about these things, and recommends consulting formally with such a professional rather than depending solely on an Internet forum comment. It also reiterates the "this is not legal advice" sentiment that the above try to convey, offering an additional layer of defense again people somehow misunderstanding the degree of legal advice that an Internet forum comment can provide and then suing for recompense when they don't like the outcomes of their actions.
If you can think of a shorter way to say it, I'm open to considering it, but IANAL certainly isn't enough.
Is it? Really? It’s only when you get to data centre scale that this kind of policy becomes harder to implement... sure even when I create storage instances “in the cloud” I can say where I want the data located.
And you won't have to build one storage instances for the US, one for the EU, one for China, and one for every single country that decide that their privacy regulation are superior than others countries...?
Facebook can have a pretty big team to engineer that kind of infrastructure, while the startup won't have that luxury. It's even worse when you need to go through a lawyer to make sure every single regulations are followed to the letter.
So what? Like I said, it’s literally zero hassle to create new instances. What makes you think you’re entitled to mix all your users into one database anyway. If you’ve a hundred users in one country it’s worth your while having an instance just for them.
Lawyers will oversubscribe for everything it is up to you to familiarise yourself with the legal aspects and get your engineers to design within these constraints. You didn’t think engineering was just programming did you?
And you still fail to see how all of this make this much more easier to apply for Facebook than any startup?
> If you’ve a hundred users in one country it’s worth your while having an instance just for them.
What? No. We are on the web, you forgot that what made Facebook a billion dollar industry was that they could get pennies out of billions of users every month?
If you can get hundred of paying users, sure, but then to me that has nothing to do with the web, that's simply selling a product. The web is more than selling, it's about allowing access, which sadly, is more than selling.
Not necessarily. Even if you comply with the law, doing so and demonstrating that you're complying costs money. This cost doesn't scale much with usage (it's not O(1), but probably closer to O(log(n)) than to O(n)), i.e. it costs the big players much less in terms of "percentage of revenue".
A lot of bushy-tailed entrepreneurs don't realize that you don't need to give one flying fuck about compliance until you're in the billion dollar valuation territory.
Semi true. Most GDPR regulators are extremely understaffed, and so they only act reactively, when either a company's practices become part of a large public debate or when there is a complaint filed.
It is logistically impossible for them to go and proactively inspect other cases
Startups aren't going to be targeted for regulatory action unless they are doing something particularly egregious. If you look at what other companies in the industry are doing and do something no worse than what the average company is doing, then you're going to be fine.
Facebook is a juicy enough target that they need to worry about regulations even if they are doing exactly what every other company in the industry is doing.
Rules, Letters to enforce those rules, Strongly worded letters to enforce those rules.
Announced and unannounced audits to ensure compliance.
In the extreme case and only if needed, fines, warrants and searches or revocation of access to customers (EU companies wanting to advertise) and resources (FB users in Europe).
FB knows that and they also know this particular case is very public so they will either comply (probably hesitantly and last minute) or withdraw from the EU market if the bean counters say it's not worth the effort.
This has been a long time in coming, and is significant for the EU as a whole because of Ireland is the designated lead regulator for data privacy issues. This Politico article [0] from last year has a great overview of the history including background on how Ireland wound up taking a lead role on tech regulation in Europe.
"Designated lead regulator" - isn't it just that most companies picked Ireland simply because their privacy authority was the one least willing to take any action?
These companies came to Ireland not because of this but because of lower corporate taxes and an English speaking population; they arrived long before privacy regulation was on the table in Europe.
Yeah but Ireland does everything to not lose them over privacy regulations. The delegation of authority to national regulators is a big weakness in GDPR.
An analogy: it is not because I occasionally send and receive email to and from US citizens that my mail provider needs to send my complete mailbox, user credentials, profile and interaction data to the US.
Sure but the interactions aren't occasional over Facebook, they are pretty regular, in fact it's the whole concept of the platform to constantly share that data to your friend group.
Sure it could be only accessed when you friend request it, but then it goes over a whole lot of performance issue and complex infrastructure, all that over something you voluntarily decided to publish... while not having any advantage. Facebook still has access to that data either way. You still have to believe their pinky sweare they won't do anything bad with it.
I would agree with anything sensitive, like banks information, medical information, etc... Things that make sense to pay for an actual regular audit, but for a social network like Facebook... that become completely absurd.
There is a clear distinction between data I share publicly, data I share explicitly with US Facebook users, and data that I share in a limited setting not involving any US users.
Unless caught red handed, we generally trust companies to comply, but sometimes verify.
The technical argument, that it is too inconvenient to comply with the regulation. has little merit in this case.
"There is a clear distinction between data I share publicly, data I share explicitly with US Facebook users, and data that I share in a limited setting not involving any US users."
can you cite where the european laws and/or relevant rulings make this distinction?
> There is a clear distinction between data I share publicly, data I share explicitly with US Facebook users, and data that I share in a limited setting not involving any US users.
You lost me there. You shared it with Facebook users, which are worldwide. Are you from Canada? Well look at you reading my comment I voluntarily pushed over HN, a website accessible worldwide while I'm Canadian. Isn't it absurd that because I'm in Canada I wouldn't expect you to be able to read it? You and everyone else that are on HN? This is not something I send specifically to YOU, this is not something
> Unless caught red handed, we generally trust companies to comply, but sometimes verify.
Isn't it what we complains about here though? We do not expect Facebook US to handle the data correctly. Yet they do expect them to do it in Europe? I can see your point, Europe can't verify what Facebook do in the US. It's a good point, but I would have been less against their idea if that was the solution, requiring them to allow Europe to verify or else they wouldn't let them hold that data.
81 comments
[ 3.0 ms ] story [ 158 ms ] threadWiki - https://en.wikipedia.org/wiki/EU-US_Privacy_Shield
News- https://duckduckgo.com/?t=ffab&q=privacy+shield+&iar=news&ia...
The Irish DPC didn't want to make this decision (for reasons), kicking the can to the CJEU, which eventually resolved Schrems II and remanded the decision on FB's SCC's back to the DPC.
It is hard to imagine a SCC that could provide "essentially equivalent" protection if the other end is an American company, given the authority the US government can exert over it.
Plus it's not in $country is in $region, if all countries made an effort to adopt GDPR data could be stored anywhere.
EU is looking for their citizens data, since no one else seems to care that much (other than China but for completely different reasons).
Unless you think that the protocol of tech giants to poor data protection is fine, when they are saying:
"Ups, we're sorry :(... it won't happen again!"
The EU still allows transfering data to other third countries if suitable protections can be effectively put in place, whether through some governmentally agreed program like what Privacy Shield tried to do or through Standard Contractual Clauses. They simply view the laws in the US as too hostile to most of their residents' data privacy rights. ("Most" instead of "all" because US citizens have more protections under US law even when living in Europe.)
So, while sure it is a kind of border, it's a "privacy-protected vs privacy-dangerous" border rather than a blanket "us vs them" border. Or, phrased another way, it's not a border as a goal, but rather preventing the nature of the internet from overriding their separate privacy goal. I am fine with that attitude.
[0] https://en.wikipedia.org/wiki/Open_range
Yeah that’s part of the original vision of the Internet.
Let's take Facebook. We could have Facebook.US, Facebook.EU, Facebook.UK, Facebook.CN, etc.
In a borderless internet, you'd still be allowed to use the one that you wanted, but each would be subject to the laws of its "country". (I realize that the EU isn't a country.)
States coming to a variety of conclusions and making a variety of decisions about how to treat a private US company holding an unimaginably large amount of social data and metadata... was an eminently knowable and completely obvious set of risks going in, so I have little sympathy for Facebook "failing" to plan a mitigation for those risks. It's hard to see it as anything but a deliberate choice.
Unfortunately, given their past history I suspect the hope was that the company would be able to have its cake and eat it too, by playing on legislators' and citizens' lack of technological literacy and adhering to a "better to ask forgiveness than permission" policy. Throwing up engineering hurdles to compliance just benefits Facebook in this case, because they're banking on states' inability to simply ban Facebook. Facebook can force them to the table, with the deck stacked against them.
"Won't your citizens be angry if you make Facebook inaccessible to them?"
"Everyone uses it! That could be seen as censorship!"
"Let's work together to find a solution that benefits everyone."
It's the same story as with Uber and AirBnB.
Problem solved
I've never heard a clear answer about how GDPR applies in dual-citizenship or non-EU-residence situations.
https://ec.europa.eu/info/law/law-topic/data-protection/refo...
Now search for users in your “add friend” dialog. Are you now querying a database per country?
Storing user data should be difficult, otherwise there's no incentive to really think about how you store it and how securely.
I publish a message on my Facebook wall, can it then be kept on Facebook US database? It just like an e-mail, any recipient should be able to keep it, isn't it?
Okay now I send my age, can they keep it? Why not? I send you my birth date by email, you can keep it, can't you?
What's the limit, and how does it works? When I send an email, it's clear who's my recipient, so is that the limit? Recipients has to be clear? Then can a corporation be the recipient too?
2) Is US Facebook allowed to record a user-provided and recipient-approved statement of metadata association that references a “Person/Entity” that could potentially be in the EU?
3) Is US Facebook allowed to benefit from processing of metadata without receiving GDPR-compliant permission from the “person/entity” referenced?
I believe the answer will end up being Yes, Yes, No; Facebook EU/US can permit two world citizens to intentionally declare their friendship each other, and the cross-site link is user-specified and passes a “judgment call” opt-in test — but Facebook US cannot make use of that data record in any way that benefits Facebook (such as training models, tracking via social network data, or targeting advertising) other than to exclusively deliver minimum functionality. For example, not okay: “automatic face recognition tagging”; okay: “instant messaging”, “wall posting”.
Disclaimer: I am not your lawyer, I have not prepared citations for your review, please seek legal counsel if you’re considering actions based on my opinion, etc etc.
That say a lot....
1) IANYL is not widely-recognized, so I have to spell it out. The unusual phrasing, versus the typical IANAL, is because "I am not a lawyer" is inappropriate to use. If you are perceived as having given legal advice, it isn't necessarily relevant whether you're a lawyer, and if you are a lawyer you might not be allowed to 'practice law' in the jurisdiction of every reader, and find yourself subject to enforcement actions if you are found to have failed to highlight this distinction. Specifying clearly "I am not your lawyer" clearly indicates that you are not acting in any capacity as lawyer with respect to the reader, denying any opportunity for misinterpretation otherwise. It also clearly highlights that no duty to clarify, followup, or respond exists as a result of the comment, which is frequently misunderstood by Internet forum participants (see also following).
2) HN users frequently seek citations for opinions. Whatever their motivations, I have none to offer here. Clearly stating so helps them correctly perceive this as an opinion posted on an Internet forum, rather than misconstruing it as legal advice provided by a lawyer. They may choose to reject the opinion as it is insufficiently supported, which is of course their right. See also above.
3) Finally, "seek legal counsel" reminds the reader that a profession exists to make judgement calls about these things, and recommends consulting formally with such a professional rather than depending solely on an Internet forum comment. It also reiterates the "this is not legal advice" sentiment that the above try to convey, offering an additional layer of defense again people somehow misunderstanding the degree of legal advice that an Internet forum comment can provide and then suing for recompense when they don't like the outcomes of their actions.
If you can think of a shorter way to say it, I'm open to considering it, but IANAL certainly isn't enough.
That's what I always like about software development. It was simple, it was accessible... but now, you need a lawyer for each individual jurisdiction.
Facebook can have a pretty big team to engineer that kind of infrastructure, while the startup won't have that luxury. It's even worse when you need to go through a lawyer to make sure every single regulations are followed to the letter.
Lawyers will oversubscribe for everything it is up to you to familiarise yourself with the legal aspects and get your engineers to design within these constraints. You didn’t think engineering was just programming did you?
> If you’ve a hundred users in one country it’s worth your while having an instance just for them.
What? No. We are on the web, you forgot that what made Facebook a billion dollar industry was that they could get pennies out of billions of users every month?
If you can get hundred of paying users, sure, but then to me that has nothing to do with the web, that's simply selling a product. The web is more than selling, it's about allowing access, which sadly, is more than selling.
I think that's the message being encouraged by laws like that of the EU
It is logistically impossible for them to go and proactively inspect other cases
Startups aren't going to be targeted for regulatory action unless they are doing something particularly egregious. If you look at what other companies in the industry are doing and do something no worse than what the average company is doing, then you're going to be fine.
Facebook is a juicy enough target that they need to worry about regulations even if they are doing exactly what every other company in the industry is doing.
Rules, Letters to enforce those rules, Strongly worded letters to enforce those rules.
Announced and unannounced audits to ensure compliance.
In the extreme case and only if needed, fines, warrants and searches or revocation of access to customers (EU companies wanting to advertise) and resources (FB users in Europe).
FB knows that and they also know this particular case is very public so they will either comply (probably hesitantly and last minute) or withdraw from the EU market if the bean counters say it's not worth the effort.
[0] https://www.politico.com/story/2019/04/24/ireland-data-priva...
Them finally doing something would be huge.
https://www.wsj.com/articles/russia-steps-up-new-law-to-cont...
An image in the same document ends up in (kinda, depends how you measure) 4 servers in 3 locations - also none of them in BC.
Is Google breaking the law here, or is there some exception?
If a US-based user interacts with data posted by the European user, is that not considered “Sending data to the US?”
Sure it could be only accessed when you friend request it, but then it goes over a whole lot of performance issue and complex infrastructure, all that over something you voluntarily decided to publish... while not having any advantage. Facebook still has access to that data either way. You still have to believe their pinky sweare they won't do anything bad with it.
I would agree with anything sensitive, like banks information, medical information, etc... Things that make sense to pay for an actual regular audit, but for a social network like Facebook... that become completely absurd.
Unless caught red handed, we generally trust companies to comply, but sometimes verify.
The technical argument, that it is too inconvenient to comply with the regulation. has little merit in this case.
can you cite where the european laws and/or relevant rulings make this distinction?
You lost me there. You shared it with Facebook users, which are worldwide. Are you from Canada? Well look at you reading my comment I voluntarily pushed over HN, a website accessible worldwide while I'm Canadian. Isn't it absurd that because I'm in Canada I wouldn't expect you to be able to read it? You and everyone else that are on HN? This is not something I send specifically to YOU, this is not something
> Unless caught red handed, we generally trust companies to comply, but sometimes verify.
Isn't it what we complains about here though? We do not expect Facebook US to handle the data correctly. Yet they do expect them to do it in Europe? I can see your point, Europe can't verify what Facebook do in the US. It's a good point, but I would have been less against their idea if that was the solution, requiring them to allow Europe to verify or else they wouldn't let them hold that data.