81 comments

[ 3.0 ms ] story [ 158 ms ] thread
Interesting. Does Facebook already have separate infrastructure for Europe, but just forwards user data to the US mothership? Or is the infrastructure all "mixed together"? I'm curious how hard it would be to comply.
The framework for transfering data is called 'Privacy Shield'. It was ruled to be not effective by the EU recently, so a new framework for data transfer is to be agreed on.

Wiki - https://en.wikipedia.org/wiki/EU-US_Privacy_Shield

News- https://duckduckgo.com/?t=ffab&q=privacy+shield+&iar=news&ia...

Privacy shield was one framework (now invalid, as parent notes) among a few. FB is dependent on standard contractual clauses which are generally valid (per schrems ii) but potentially invalid if the recipient is subject to FISA 702 warrants. Schrems ii put the burden of making that validity determination on member states' data protection authorities.

The Irish DPC didn't want to make this decision (for reasons), kicking the can to the CJEU, which eventually resolved Schrems II and remanded the decision on FB's SCC's back to the DPC.

Yes, it will be interesting to follow the SCC's (Standard Contractual Clauses). But, even though they were upheld, it is still up to the data exporter to guerantee before every transfer, that the SCC will provide an "essentially equivalent" protection to that offerend in the EU with GDPR for instance. It will also be dependant on all circumstances of the SCC whether the protections offered by it is enough, for instance if the receiving end could be compelled by the government, for instance, to hand over the data.

It is hard to imagine a SCC that could provide "essentially equivalent" protection if the other end is an American company, given the authority the US government can exert over it.

I mostly agree- its very hard to imagine any SCC for a communication service/social network surviving this kind of complaint. Not so sure about other kinds of things.
Facebook's infrastructure is one global transparently replicated database. Siloing data by legal jurisdiction is a huge engineering change. Fortunately they have a head start - there was a big project to enable this for when they still had hopes of operating in China. It's kind of sad to think that this is now going to be used for Europe.
I don't see how it's sad for anyone but Facebook.
Some of us still believe in a borderless internet
You see data protection as a border?
Data for people in $country must stay in $country is essentially a border. It’s not about the actual protections but the fact that the EU considers data that would be legal to collect and store in the EU illegal to store in the US.
Well if data wasn't being mishandled, poorly managed and devalued without any legal repercussion we wouldn't have reached this point.

Plus it's not in $country is in $region, if all countries made an effort to adopt GDPR data could be stored anywhere.

EU is looking for their citizens data, since no one else seems to care that much (other than China but for completely different reasons).

Unless you think that the protocol of tech giants to poor data protection is fine, when they are saying:

"Ups, we're sorry :(... it won't happen again!"

In this case, borderless tracking and surveillance.
I mean yes, but also the idea that a company in country X can operate a website usable by people in country Y without having to stand up/rent space in a data center there.
Which would be perfectly fine if only the US had adequate privacy regulation.
IMO it would also be perfectly fine if Facebook wasn't running any EU servers, was solely a US company, all use by EU users intrinsically sent data to the US, and were protected (or not) by US law. That would actually be the "borderless Internet". But that is not how they've set things up.
GDPR applies worldwide to EU citizen data regardless of where the servers are located.
They are free to reduce tracking user data globally, they don't have to apply it only to the EU.
if profits from this borderless internet are not borderless, then there is little incentive for a borderless internet.
They're not insisting on keeping European user data in Europe, though. They've simply concluded that US surveillance laws provide too few protections to non-US citizens living in Europe for their data to be transferable to the US, and that neither Privacy Shield not Standard Contractual Clauses can overcome that.

The EU still allows transfering data to other third countries if suitable protections can be effectively put in place, whether through some governmentally agreed program like what Privacy Shield tried to do or through Standard Contractual Clauses. They simply view the laws in the US as too hostile to most of their residents' data privacy rights. ("Most" instead of "all" because US citizens have more protections under US law even when living in Europe.)

So, while sure it is a kind of border, it's a "privacy-protected vs privacy-dangerous" border rather than a blanket "us vs them" border. Or, phrased another way, it's not a border as a goal, but rather preventing the nature of the internet from overriding their separate privacy goal. I am fine with that attitude.

The concept is still worryingly dangerous given the precedent of "Can't move data outside our jurisdiction" could easily be applied to limit security and ensure snooping instead of preventing it. Given the usual habits and hypocrisies trusting them as far as you can throw them remains wise.
Sure, but even now they're not saying "Can't move data outside our jurisdiction". They're just saying "if you move data outside our jurisdiction, you must put in place suitable safeguards to protect our residents' privacy - and this requirement is currently impossible to meet in the US". There are enough third countries worldwide where the laws would allow, for instance, the Standard Contractual Clauses plus suitable due diligence in practice by the parties concerned to make legal transfers outside of the EU.
I still believe in the ideal but also recognize that the dream is most likely over for now, and I think rightly so. Superficially the situation looks like what cattle ranching went through in the American West with free grazing [0]. The internet is no longer a handful of small ranchers that can come to low cost solutions with the people they might impact. Even if there were no Facebook type ranchers, there'd be enough small time guys to warrant fences and collective action.

[0] https://en.wikipedia.org/wiki/Open_range

Borderless with users behind a walled garden where their personal data is mined like gold.

Yeah that’s part of the original vision of the Internet.

One can have a borderless internet without having borderless companies.

Let's take Facebook. We could have Facebook.US, Facebook.EU, Facebook.UK, Facebook.CN, etc.

In a borderless internet, you'd still be allowed to use the one that you wanted, but each would be subject to the laws of its "country". (I realize that the EU isn't a country.)

So what laws is the interaction between users in different countries governed by?
I find it hard to believe that the inherent risks of this engineering choice (one globally transparently replicated database) weren't discussed.

States coming to a variety of conclusions and making a variety of decisions about how to treat a private US company holding an unimaginably large amount of social data and metadata... was an eminently knowable and completely obvious set of risks going in, so I have little sympathy for Facebook "failing" to plan a mitigation for those risks. It's hard to see it as anything but a deliberate choice.

Unfortunately, given their past history I suspect the hope was that the company would be able to have its cake and eat it too, by playing on legislators' and citizens' lack of technological literacy and adhering to a "better to ask forgiveness than permission" policy. Throwing up engineering hurdles to compliance just benefits Facebook in this case, because they're banking on states' inability to simply ban Facebook. Facebook can force them to the table, with the deck stacked against them.

"Won't your citizens be angry if you make Facebook inaccessible to them?"

"Everyone uses it! That could be seen as censorship!"

"Let's work together to find a solution that benefits everyone."

It's the same story as with Uber and AirBnB.

Uber was forced into compliance and AirBnB just lost a court case against them in Germany if I recall correctly that forces them to reveal some landlords to the local authorities.
One thing EU can do is to fine FB, you don't need to censor FB, but until FB does not cooperate just charge 10% of revenue. (and increase 1% every year)

Problem solved

GDPR allows fines up to 4% of global(?) revenue (not profit). That’s a pretty significant chunk of change for companies the size of Facebook and Alphabet.
Anyone know what this means for U.S.-Irish dual citizens living in the U.S.?

I've never heard a clear answer about how GDPR applies in dual-citizenship or non-EU-residence situations.

(comment deleted)
How do you get the benefits of using distributed architectures when you have to keep data within a single region? Seems so annoying
It depends on the failure modes you're trying to guard against. Most of the distributed systems I've seen built are within a single AWS region and they do pretty well.
Probably not a big deal if your business model doesn’t revolve around harvesting user data.
Implement a messaging system where people in two countries communicate but each person’s data must remain in their own country.

Now search for users in your “add friend” dialog. Are you now querying a database per country?

So you're saying email beyond one's border can't exist under GDPR?
No, it just makes it more complicated to stitch together since each country can’t have a full replicated copy of the data.
There's more nuance to it, but IMO this is a good thing for consumers. We've been collectively pretty horrible w/ the security of user data even when we're not sharing it w/ third-parties intentionally.

Storing user data should be difficult, otherwise there's no incentive to really think about how you store it and how securely.

Well that do bring a pretty interesting question.

I publish a message on my Facebook wall, can it then be kept on Facebook US database? It just like an e-mail, any recipient should be able to keep it, isn't it?

Okay now I send my age, can they keep it? Why not? I send you my birth date by email, you can keep it, can't you?

What's the limit, and how does it works? When I send an email, it's clear who's my recipient, so is that the limit? Recipients has to be clear? Then can a corporation be the recipient too?

Is a Facebook friendship between an Irish resident and a US resident US user data or Irish user data?
I would imagine it’s both, but it’s an interesting corner case. How much information about the EU friend is “too much”.
1) Is a US resident permitted to declare on their Facebook page that they are friends with [ARBITRARY STRING OF CHARACTERS HERE]?

2) Is US Facebook allowed to record a user-provided and recipient-approved statement of metadata association that references a “Person/Entity” that could potentially be in the EU?

3) Is US Facebook allowed to benefit from processing of metadata without receiving GDPR-compliant permission from the “person/entity” referenced?

I believe the answer will end up being Yes, Yes, No; Facebook EU/US can permit two world citizens to intentionally declare their friendship each other, and the cross-site link is user-specified and passes a “judgment call” opt-in test — but Facebook US cannot make use of that data record in any way that benefits Facebook (such as training models, tracking via social network data, or targeting advertising) other than to exclusively deliver minimum functionality. For example, not okay: “automatic face recognition tagging”; okay: “instant messaging”, “wall posting”.

Disclaimer: I am not your lawyer, I have not prepared citations for your review, please seek legal counsel if you’re considering actions based on my opinion, etc etc.

> Disclaimer: I am not your lawyer, I have not prepared citations for your review, please seek legal counsel if you’re considering actions based on my opinion, etc etc.

That say a lot....

It does, yes.

1) IANYL is not widely-recognized, so I have to spell it out. The unusual phrasing, versus the typical IANAL, is because "I am not a lawyer" is inappropriate to use. If you are perceived as having given legal advice, it isn't necessarily relevant whether you're a lawyer, and if you are a lawyer you might not be allowed to 'practice law' in the jurisdiction of every reader, and find yourself subject to enforcement actions if you are found to have failed to highlight this distinction. Specifying clearly "I am not your lawyer" clearly indicates that you are not acting in any capacity as lawyer with respect to the reader, denying any opportunity for misinterpretation otherwise. It also clearly highlights that no duty to clarify, followup, or respond exists as a result of the comment, which is frequently misunderstood by Internet forum participants (see also following).

2) HN users frequently seek citations for opinions. Whatever their motivations, I have none to offer here. Clearly stating so helps them correctly perceive this as an opinion posted on an Internet forum, rather than misconstruing it as legal advice provided by a lawyer. They may choose to reject the opinion as it is insufficiently supported, which is of course their right. See also above.

3) Finally, "seek legal counsel" reminds the reader that a profession exists to make judgement calls about these things, and recommends consulting formally with such a professional rather than depending solely on an Internet forum comment. It also reiterates the "this is not legal advice" sentiment that the above try to convey, offering an additional layer of defense again people somehow misunderstanding the degree of legal advice that an Internet forum comment can provide and then suing for recompense when they don't like the outcomes of their actions.

If you can think of a shorter way to say it, I'm open to considering it, but IANAL certainly isn't enough.

Sure but my point is that it's so complex that you need to seek a lawyer or else you may not be able to do it.

That's what I always like about software development. It was simple, it was accessible... but now, you need a lawyer for each individual jurisdiction.

It's both, and therefore covered in the Irish user data capacity.
Just to be clear, this isn't about data on Irish persons, it's about data on EU persons.
Regulations like this only widen Facebook's moat. Compliance is a huge challenge for resource starved startups.
Surely only if their model involves imitating Facebook's practices surrounding user data?
I think the parent means that having to partition data by region is difficult/expensive and hard to do if you're a small company.
Is it? Really? It’s only when you get to data centre scale that this kind of policy becomes harder to implement... sure even when I create storage instances “in the cloud” I can say where I want the data located.
(comment deleted)
And you won't have to build one storage instances for the US, one for the EU, one for China, and one for every single country that decide that their privacy regulation are superior than others countries...?

Facebook can have a pretty big team to engineer that kind of infrastructure, while the startup won't have that luxury. It's even worse when you need to go through a lawyer to make sure every single regulations are followed to the letter.

So what? Like I said, it’s literally zero hassle to create new instances. What makes you think you’re entitled to mix all your users into one database anyway. If you’ve a hundred users in one country it’s worth your while having an instance just for them.

Lawyers will oversubscribe for everything it is up to you to familiarise yourself with the legal aspects and get your engineers to design within these constraints. You didn’t think engineering was just programming did you?

And you still fail to see how all of this make this much more easier to apply for Facebook than any startup?

> If you’ve a hundred users in one country it’s worth your while having an instance just for them.

What? No. We are on the web, you forgot that what made Facebook a billion dollar industry was that they could get pennies out of billions of users every month?

If you can get hundred of paying users, sure, but then to me that has nothing to do with the web, that's simply selling a product. The web is more than selling, it's about allowing access, which sadly, is more than selling.

Wouldn't it be a lot less difficult to not collect the user data governed by privacy laws at all?

I think that's the message being encouraged by laws like that of the EU

Not necessarily. Even if you comply with the law, doing so and demonstrating that you're complying costs money. This cost doesn't scale much with usage (it's not O(1), but probably closer to O(log(n)) than to O(n)), i.e. it costs the big players much less in terms of "percentage of revenue".
A lot of bushy-tailed entrepreneurs don't realize that you don't need to give one flying fuck about compliance until you're in the billion dollar valuation territory.
Semi true. Most GDPR regulators are extremely understaffed, and so they only act reactively, when either a company's practices become part of a large public debate or when there is a complaint filed.

It is logistically impossible for them to go and proactively inspect other cases

Not really.

Startups aren't going to be targeted for regulatory action unless they are doing something particularly egregious. If you look at what other companies in the industry are doing and do something no worse than what the average company is doing, then you're going to be fine.

Facebook is a juicy enough target that they need to worry about regulations even if they are doing exactly what every other company in the industry is doing.

How is anyone going to enforce this?
Like any other regulation?

Rules, Letters to enforce those rules, Strongly worded letters to enforce those rules.

Announced and unannounced audits to ensure compliance.

In the extreme case and only if needed, fines, warrants and searches or revocation of access to customers (EU companies wanting to advertise) and resources (FB users in Europe).

FB knows that and they also know this particular case is very public so they will either comply (probably hesitantly and last minute) or withdraw from the EU market if the bean counters say it's not worth the effort.

Massive fines, and the threat of losing the ability to collect ad revenue from the EU (sell ad space to EU companies).
This has been a long time in coming, and is significant for the EU as a whole because of Ireland is the designated lead regulator for data privacy issues. This Politico article [0] from last year has a great overview of the history including background on how Ireland wound up taking a lead role on tech regulation in Europe.

[0] https://www.politico.com/story/2019/04/24/ireland-data-priva...

"Designated lead regulator" - isn't it just that most companies picked Ireland simply because their privacy authority was the one least willing to take any action?

Them finally doing something would be huge.

These companies came to Ireland not because of this but because of lower corporate taxes and an English speaking population; they arrived long before privacy regulation was on the table in Europe.
Yeah but Ireland does everything to not lose them over privacy regulations. The delegation of authority to national regulators is a big weakness in GDPR.
As well as being the only English-speaking country in the eurozone
When Russia did it it was reported as "Move Seen as Part of Drive to Curtail Freedom of Information"

https://www.wsj.com/articles/russia-steps-up-new-law-to-cont...

British Columbia also has a similar law which has been reasonably well received.
If I make a Google Doc from British Columbia, it is transferred to and stored on 15 servers in 5 datacenters, all outside British Columbia.

An image in the same document ends up in (kinda, depends how you measure) 4 servers in 3 locations - also none of them in BC.

Is Google breaking the law here, or is there some exception?

Russia is a dictatorship, the EU isn't. Two can do the same thing for different reasons.
This seems like an impossible task unless you have a European Facebook and a US Facebook and a user of one can’t interact with the other.

If a US-based user interacts with data posted by the European user, is that not considered “Sending data to the US?”

An analogy: it is not because I occasionally send and receive email to and from US citizens that my mail provider needs to send my complete mailbox, user credentials, profile and interaction data to the US.
Sure but the interactions aren't occasional over Facebook, they are pretty regular, in fact it's the whole concept of the platform to constantly share that data to your friend group.

Sure it could be only accessed when you friend request it, but then it goes over a whole lot of performance issue and complex infrastructure, all that over something you voluntarily decided to publish... while not having any advantage. Facebook still has access to that data either way. You still have to believe their pinky sweare they won't do anything bad with it.

I would agree with anything sensitive, like banks information, medical information, etc... Things that make sense to pay for an actual regular audit, but for a social network like Facebook... that become completely absurd.

There is a clear distinction between data I share publicly, data I share explicitly with US Facebook users, and data that I share in a limited setting not involving any US users.

Unless caught red handed, we generally trust companies to comply, but sometimes verify.

The technical argument, that it is too inconvenient to comply with the regulation. has little merit in this case.

"There is a clear distinction between data I share publicly, data I share explicitly with US Facebook users, and data that I share in a limited setting not involving any US users."

can you cite where the european laws and/or relevant rulings make this distinction?

> There is a clear distinction between data I share publicly, data I share explicitly with US Facebook users, and data that I share in a limited setting not involving any US users.

You lost me there. You shared it with Facebook users, which are worldwide. Are you from Canada? Well look at you reading my comment I voluntarily pushed over HN, a website accessible worldwide while I'm Canadian. Isn't it absurd that because I'm in Canada I wouldn't expect you to be able to read it? You and everyone else that are on HN? This is not something I send specifically to YOU, this is not something

> Unless caught red handed, we generally trust companies to comply, but sometimes verify.

Isn't it what we complains about here though? We do not expect Facebook US to handle the data correctly. Yet they do expect them to do it in Europe? I can see your point, Europe can't verify what Facebook do in the US. It's a good point, but I would have been less against their idea if that was the solution, requiring them to allow Europe to verify or else they wouldn't let them hold that data.

that's cute. fb market cap is double their gdp. they should just acquire ireland