70 comments

[ 2.6 ms ] story [ 65.8 ms ] thread
Laws can change. Data is transferred forever.

I'd rather have data NOT transferred (AND laws to protect it, but this is moot if it is not there).

It makes me uncomfortable to see how much tech companies spend lobbying, decentralized data is probably the most appropriate way to protect peoples' data.
In light of this it's fairly suprising that there aren't more laws forcing data to remain inside of the country or guaranteeing continuity of service.

It would make for a pretty big hammer, but countries could theoretically force local corporations to perform arbitrary actions on data hosted in country e.g. Shut FB down for a country, block access to hosted photos, cease providing cloud monitoring/actions for a refinery.

While historically the majority of global tech firms were headquartered in the US and the US had friendly treaty deals with most of the world. Neither of those statements seem like a sure bet in the 2030s.

If you consider that laws tend to be passed to support populism first, business interests second, and national security somewhere well down the hierarchy, and citizens right even lower than that... it's not really that surprising.

Only when populism happens to support issues such as national security or citizens rights do those issues tend to receive any attention. That's how the GDPR got in (and it also explains why it's so problematic for small business but less so much for large businesses). Stuff like privacy shield just don't make sense unless you consider that lobbying and business interests tend to rule the day-to-day decision making in Brussels just as much as in Washington.

Specifically, note that most of the major "US" tech companies are major economic players in the EU too, and will have influence therefore - and I'm using scare quotes because such corporations have legal entities in all kinds of jurisdictions, and revenue and business in all kinds of places. Thinking of them as being from one country exclusively is kind of misleading from the perspective of where they have influence.

>If you consider that laws tend to be passed to support populism first, business interests second [...]

It's been a while since I looked into this, but my understanding is that quantitatively this is almost the opposite of what actually occurs: https://scholar.princeton.edu/sites/default/files/mgilens/fi...

"Multivariate analysis indicates that economic elites and organized groups representing business interests have substantial independent impacts on U.S. government policy, while average citizens and mass-based interest groups have little or no independent influence."

I meant populism in the pejorative political sense, not in the sense of popular with rational, self-interested and well-informed voters, say. As in populism: when various actors tout extremely simplistic (and generally bad faith) solutions to painful, complex, or even misdirected problems via emotional appeals. I was under the impression that's how people usually use the word nowadays, but that might have been my mistake ;-).

Unfortunately, it's just very, very rare to have sufficient unity within the electorate for old-style populism (in the positive sense as in representing the will of the people) to have much active, helpful impact. Maybe it helps sustain well-regarded accomplishments, and thus acts in a harder to see fashion?

In any case, when I ranked citizens everyday rights (not just emotional appeals to concepts) as pretty much dead last in the priorities of the elected leaders, that aligns with the text you quoted.

But the GDPR is also a product of its time, and emotional appeals play a role here too. Peoples mistrust of big tech surely helped bring this to the forefront, even if the actual rules probably help avoid competition by being practically very burdensome for small competitors - and it wouldn't surprise me if corporate lobbying had a hand in ensuring that outcome. And perhaps stuff like NSA's spying on EU leaders helped stiffen their spine against US corporate interests; because the snowden stories would have been breaking around the same time, (IIRC?).

In any case: the point is that I'm quite skeptical that the GDPR somehow managed what most legislation does not, which is to actually place citizens rights first. The emotional appeals combined with the fairly poor result (in practice - the idea is sound) sure seems to suggest that as usual, even here, normal political reality was quite present and that it was drafted and passed while protecting major corporate interests and firing up the emotional appeals of political leaders. It's a little ironic that part of that appeal was likely the fact that they were sticking it to those pesky foreign (american) firms... when in fact those very firms were among the best protected by the legislation.

I think it is more important who is managing the servers and systems hosting the data than actual location.

Even if Google or Facebook was storing my data in their data centers in Sweden or Finland I don’t really think my data would be outside the reach of US agencies.

Laws are both slower to enact and slower to change compared to executive action.
I think you have it backwards, unfortunately. Data can always be deleted, but American laws can’t be changed. With an evenly split Senate, where the opposition has declared a “100% focus” on stopping the government’s agenda, and you need 60% to pass anything — let’s just say that all non-spending bills are effectively dead for the next 18 months. And most likely, far beyond that. Laws can’t really change here, so we have to live with the system we have, and hope that courts interpret the laws in better ways.
Laws get undone all the time. Prohibition, slavery, gay marriage, segregation, etc.
Sure, most of your examples are a century old. The new America all legislation happens through the courts, like with gay marriage. We have collectively decided that gridlock is preferable to working with the other team in all cases.
Data can always be deleted but you have no guarantees that it will.

Said otherwise:

- if you want the data to be gone, don't assume it is

- if you want the data to be backed up, don't assume it is

Said otherwise:

- expect data to be there forever, unless you wish so. Then, expect data to be gone just before you want it back.

And, I don't have any guarantee whatsoever that a law protecting something related to me in a remote country will be left untouched. I don't even have any say on it, as a non citizen of this country.

May these laws never be passed.
Why? Wouldn't it be good to have the same high standard of rights an protections in the US?

edit: Unless you mean you'd still don't want any data shared with the US which I can understand.

Not OP, but we keep reading articles about US spy agencies illegally spying on americans so I don't trust them not to break the law to spy on us as well.
That's funny, because the latest news headlines were about European spy agencies illegally spying on Europeans
The difference is that we (both as people and countries) have more tools to deal with governments/european countries that spy on us, but we can't vote american governments out of office. The EU can apply pressure to denmark to stop collaborating with the NSA, but can't realistically pressure the US.
I guess you refer to what happened in Denmark? If so, your summary sounds wrong to me. US leveraging Denmark spying infra to spy on other EU states would be more accurate.

I am not saying the Danes were not aware of the risks when they gave the key of the kingdom to the NSA, but still.

Edit: spelling

Even if new laws don't pass and the data is not shared with the US, what is stopping NSA from farming your data in some other EU country that is willing to cooperate?
Did you mean Europe? Because the laws will likely be the same for all of the EU. If you meant another country in the EU who will break the law for the NSA that would not be easy to stop.

Maybe the NSA can ask Russia. That's part of Europe too!

Danish intelligence allowing the NSA to use one of their facilities? I wouldn't say the US was not involved in this one...
And? That changes that European governments are illegally spying on Europeans... how?
Your argument was a tu quoque fallacy anyway, so there is no need to discuss this further. You merely chose the wrong example to backup your fallacy, but you could have chosen the UK GCHQ instead. It doesn't change the gist of your "argument" anyway.
The whole point of US spy agencies _is_ to spy on non-Americans...
It would be bad intelligence to not spy on Americans considering how easily we are bought by other interests. The soviets had moles in every branch of federal government, and governments like china and russia no doubt still do.
So all the more reason not to send data to the US to not make it easier for them
I don't trust the US to not abuse the data. Laws or no laws.
"Laws don't apply to us."

- Mark Facebook

This is how you get the "Making Europe shut up about it Act of 2021" that has toothless penalties and doesn't provide any funding for enforcement anyway.
The whole reason that this is an issue now is that previous efforts were not deemed adequate. A “we won’t fix it, but we’ll vaguely pretend to fix it” approach probably won’t fly.
In this proposal, after an EU citizen finds out the US has their information (presumably due to an extradition order based on the stolen data, or perhaps a failed extrajudicial killing), they will have the right to sue the US in US court (after flying to the US to be arrested, presumably).

This is thoroughly in the “vaguely pretend to fix it” bucket.

> after flying to the US to be arrested, presumably

Why?

I suspect that's about the best the EU will be able to manage in this situation. It's also foolish to think anything the US does, even if it were to have real teeth, would not be subject to additional requirements should the EU change their mind in the future. This is not really a situation in which the US could make the EU happy without ceding far too much sovereignty than the US is prepared to do. And of course the EU appears to be strangely silent on China in all of this, even as they adopt more Chinese backbone infrastructure which requires the use of Chinese cloud services. And I'm not hearing anything about Japan, either -- maybe they don't care about gaming servers? Who knows what they decide is important.

I often see this type of pattern: We don't like some side effect of X, but we do like that X is distributed around the world so let's make the whole world comply. And the problem is that this never works. You will never make the world comply. You can push around a few small countries and kinda get the illusion that the world is complying because there are a large number of small countries to push around. So you can say "we've gotten 50 countries onboard". But that's like counting Micronesia. You haven't gotten China onboard. You haven't gotten the U.S. onboard. Or India, or Russia, or really any of the big players.

So you have some tough choices about globalization with least common denominator versus national fragmentation but high standards. But people aren't willing to make these tough trade offs because they love both globalization and the high standards and they think if they just keep writing op-eds and sending written notices around to various embassies and hosting international conferences that they will be able to get the big players to change. So what follows is a policy of delusion, delay, and denial. Just like various promises that free trade would take environmental practices into effect, it is all delusion, delay, and denial until people accept that their choice is global de-coupling or giving up the high standards.

They should be part of any trade agreements and have enforcement or recourse behind them.

Data being ‘forever’ is new and we have to find ways to address this.

Obviously we still want ‘bad guys’ caught, do that adds friction, but we also need to be wary of world wide dragnets on people outside that scope.

Is this like how environmental practices, worker rights, and carbon taxes should be part of every trading agreement? And don't forget a global income tax, that should be part of the agreement, too, right?

Problem being, the EU is a net exporter while the US is the world's net importer. So the US calls the shots on the trade agreement front, and everyone lines up, hat in hand, to try to sell their surplus production to the only nation willing and able to absorb it -- the U.S.

Once the EU starts running large persistent trade deficits then it can start insisting on things in trade agreements and other nations will have to give up those juicy surpluses or agree to the EU's demands. But that's not the state of the world at the moment.

> So the US calls the shots on the trade agreement front, and everyone lines up, hat in hand, to try to sell their surplus production to the only nation willing and able to absorb it -- the U.S.

Sorry, but you're wrong[1]! At least when you're talking about relations with the EU.

[1] https://en.wikipedia.org/wiki/Transatlantic_Trade_and_Invest...

This is a non-sequitur. An IP agreement has nothing to do with trade deficits and isn't even really a trade deal so much as an agreement to honor intellectual property across borders with the word "trade" in the title.
The first sentence of the linked article says :

"The Transatlantic Trade and Investment Partnership (TTIP) was a proposed trade agreement between the European Union and the United States, with the aim of promoting trade and multilateral economic growth."

(emphasis mine)

Not sure from were you get the idea that TTIP is an IP agreement.

I feel it should be opt-in, that is I should be allowed to opt-in to data sharing. Why would I want this? Well if I were in a western country, for redundancy.

If I were in a non-Democracy then I might want my data to not only live in another country but only live there to protect me from my own country.

> I feel it should be opt-in

Yes, and "opt-in" as in I send a form with my physical signature, not some EULA that I clicked sometime when I was distracted.

Also, the opt in should expire after a year.

The article says the EU is demanding that the US allow EU citizens to sue in US court after their data has been illegally searched (and after the EU citizen found out; presumably due to suffering irreparable harm).

I can’t imagine an EU citizen actually exercising this “right”.

It would be better if they put minimum penalties in place, and they were decided by EU courts, and anyone in the EU had standing to bring charges.

Concretely, if a human rights group could sue for improper data sharing, and the penalty was a business-ending block of further data transfer, then this law would actually have some teeth.

I wonder, will the US get MEP's?
We didn't get them for passing the EU/Disney copyright term extension back in the 90s and I doubt we'll get any representation from this as well.

That's kind of just how internationalism works. It's inherently undemocratic.

If you want democratic internationalism, then what you're asking for is a federal union with total freedom of movement, no internal borders, and no unilateral exit procedure. In other words, not internationalism.

What is this going to create? The great firewall of Europe?

Delivering threats of ultimatum is not how you work together, and leads me to say -- you aren't someone I want to work with.

If the great firewall keeps my data out of the US I'd be willing to at least listen to the proposed law. Doesn't sound all bad..
Objectively, what would you have against your data going to the US?
The data protection laws are bad enough locally, having to also have the US in the mix would make it impossible to comprehend and try to control what goes where.

I'm both in the "I have nothing to hide but I can't tell the future" and the "my data is pretty useless but fuck no I'm not going to let Apple/Google/Facebook make money from my data without my say so" camps.

Besides that (and suddenly it becomes geopolitical) I dislike the US (not the people, the system) and if this is the only way I can tell the giant bully to F off, even though it will go unnoticed, well so be it.

If I were a Twitter user I'd likely include hashtags like #SnowdenIsAHero, #RememberTheMauritanian, etc. in my tweets but I'm less angry than lazy..

>but I'm less angry than lazy.

Nice. I think that's probably a better approach to the internet than most people take.

Fair points. I see what you're saying about Balkanized regulations.

I guess in a perfect world, data protections rules/practices would have a global standardization.

I'm doubtful that would ever happen, though.

Why would we europeans want to work with the US? It would actually be great if americans kept american interests in America, for once.
Your point of course stands, but the "for once" from a European perspective makes this sound more like a now-satiated lion complaining that the dog kills for food. (EDIT: Changed wording here) Regardless, I hope that the US is able to learn from the mistakes of western European powers.
> learn from the mistakes of western European powers.

By "mistakes" you mean like invading poor countries to steal their natural resources? ;-)

Well, the US has already set that precedent. I was referring to the even more egregious century or two of direct colonialism involving cultural/moral imposition and the rewriting and dismantling of indigenous history (and economies) that the invasions typically resulted in, in the case of these western European powers, followed by another several decades of denying responsibility for the consequences of these events by essentially gaslighting.
And the US would not do that? Let's ask America's native population and see what they have to say about that. I find difficult to believe that you're arguing in good faith.
I'm not sure how this is a response to what I said, quite frankly. It seems like you see an argument that I wasn't making, so I'm a little confused. (EDIT: To clarify, I don't disagree with what you said about the plight of indigenous populations in this comment.)

I simply said that I hope the US (or any other country, for that matter) learns from the mistakes of western European powers, because it hasn't reached that level yet and the world (including perhaps the US in the long term) would be better off if it didn't. It seems rather disingenuous to equate the comprehensive political, economic, and emotional damage these colonial powers did and sometimes continue to do to "poor countries" to what the US has done, so far, even though the paths have stark similarities and the US could readily end up at a similar place if it continues certain practices.

Because unfortunately, the combination of a US absence from the global stage under the previous administration and the pandemic showed how unable Europe is to run its business.

I say this as a US expat who has lived in various parts Europe long enough to have an EU citizenship. I wish it wasn't the case, but it's the sad reality.

>showed how unable Europe is to run its business

Who do you think we are ? Some 19th c. African colony ? Qing China ?

For the most part we don't want you here, and we don't need you here.

a) I have EU nationality so I'm here to stay.

b) Like it or not, the US military still guarantees European security. An EU-wide military force could change that dynamic.

c) Have you not watched Europe as a whole completely shoot themselves in the foot with an artillery rifle during this pandemic?

The continent completely closed in on itself, falling back to national borders while the EU flubbed response after response.

It took months to get a bloc-wide recovery bill which still hasn't been deployed (meanwhile the US have done three rounds, including one within weeks of the pandemic starting).

The vaccine roll-out has been a debacle, starting with Brussels' decision to make group-wide purchases then waste months haggling over a few billion EUR.

We're in June and there still isn't a common policy on inter-EU travel. This vaccine passport might roll out in a month, but even then there's no guarantee it will work.

In many ways, Europe's inability to effectively govern got the worst of both worlds of the pandemic. We had strict lockdowns like in parts of APAC but w/o the contact tracing (didn't want to sacrifice GDPR for that), while at the same time, it didn't invest seriously in vaccines.

The result? All of the deaths of the United States, with the economic carnage of strict lockdowns, while still lagging other parts of the developed world.

There's a large disconnect here with many people trying to still hold onto an outdated and nationalistic way of thinking. That mentality conflicts with the modern reality of a global world where capital and innovation flows freely and competitively with little regard towards nationalist quirks.

The only response to American tech superiority is to "tax and regulate it," yet policymakers here are still stunned as to why the continents most talented people and startups flock to the United States.

I really hope this continent gets it together because there is too much potential and pressing issues to continue on the current trajectory.

Rangers, lead the way! :-p
welp

> "On the commercial side, we don't see such a big issue," she told POLITICO. "But of course, there is the issue of access to data from the national security agencies, and we have to be absolutely sure that there is no mass surveillance of data of Europeans when it travels to the U.S."

That's the exact opposite of my understanding of the status quo - mass surveillance of data of Europeans when it travels to the U.S.

I'd start with clear guarantees protecting EU data stored and processed in the EU by US companies/subsidiaries against (legal) US government/military access. I think that's the status quo assumption that companies are operating on, but it's far from clear how it actually works.

> Many in Washington, though, grumble that European national security agencies are still able to access U.S. citizens' data via bulk data collection, while Europe now wants U.S. federal authorities to limit similar practices.

Don't ask us to pass something you're not even willing to.

(comment deleted)
(comment deleted)
The Foreign Account Tax Compliance Act (FATCA) might serve as a foreshadow of how these discussions might play out.

If you're not familiar, FATCA came out of the financial crisis as a way to uncover the undeclared assets held in foreign banks by wealthy Americans.

To get foreign governments to go along, the US more or less forced their parliaments to sign agreements with the US and pass local enforcement laws.

In short, these rules compelled domestic banks to share the bank account data of any US person in their system. If the bank didn't comply, the US could seize 30% of their US-based assets.

The results have been mostly catastrophic.

For one, FATCA didn't capture a lot of revenue for the IRS as most wealthy Americans shelter their assets domestically in trusts and LLCs.

Second, it had the effect of ruining the lives of ordinary Americans living abroad who, while by no means wealthy, were working middle class. People like myself had our bank accounts closed and were subject to being presumed money launders and tax evaders. Many expats -- including accidental Americans who only gained US nationality because they were born on US soil while their parents were on short-term work assignments -- lost their retirement accounts and mortgages.

More damningly, the US continues to refuse sharing bank account data of foreigners living in America back to their home countries, as per the agreement.

The reason for this refusal? The US government cites American banking privacy laws.

In other words, FATCA turned the US into the world's largest tax haven.

I have no doubt that the US will leverage its position as global tech leader in any data sharing deal to create a similar useless structure abound with unintended negative consequences.

> In other words, FATCA turned the US into the world's largest tax haven.

Was this unintended though? Every government wants rich foreigners to park money in their shores, whether legally obtained or not. Bonus points if it is an easily seizable asset like bank accounts and property.

No, in fact many nations make it illegal to park money in their shores, and if they don't want to make it illegal (because they are afraid of angering the IMF or other international organization), they tax it, penalize it, and go to great lengths to discourage it.

That's the most common situation in export-led economies, for example, which are trying to reduce demand for their currencies in order to run trade surpluses. The IMF and other organizations whose charter is to enable global capital flows have had to exert great pressure on these countries to allow foreigners to park money there. This is often called "opening up your economy" and is viewed as a shibboleth for the global capitalism movement. It's still an ongoing battle.

The reason for this is we do not live in a world of specie flow where a nation that wants to build a bridge needs a few tons of gold to pay for it, and then they have to lure foreigners to ship their gold over to the country so the bridge can be built. In such a specie flow world, nations are at the mercy of foreigners to give them gold so they can use it.

But in the modern world of sovereign fiat currencies, nations make their own fiat currency and it is impossible for a foreigner to provide money to a government even if they wanted to. Instead the foreigner has to go to the forex market and switch their dollars for Won/Yen and then they have an account in Korea or Japan. They are effectively buying Yen for dollars with a local who wants to buy dollars and sell Yen. By bidding up the exchange rate, this can make yen a bit higher valued vis-a-vis the global basket. That makes exports more expensive and import cheaper.

Sometimes that is welcome, but in exporting nations it is very much unwelcome and so those nations discourage capital inflows. There is a funny story when it was illegal for foreigners to hold any assets in South Korea with the exception of golf courses. For some reason, they allowed foreigners to own those. So a hedge fund bought a golf course in Korea and then used that ownership structure to go on a spending spree of purchasing bonds, land, equities, basically anything Korean they could get their hands on. It was the most well capitalized golf course in the history of the world. Other hedge funds followed and Korean golf courses became an asset class in and of themselves. That was a while ago, so I'm not sure what the status is of Korean investment.

Those are the great lengths that foreign investors had to go to in order to park their money in foreign nations that had an economic policy of export led growth. This was also what the IMF went to war to prevent, with a combination of threats, bribes, and international pressure to try to force nations to allow capital inflows in a more or less unrestricted manner. It is rewriting history to say that every nation wanted this. Many do not want it. Malaysia is the most famous example of recently telling the IMF to go screw themselves.

Of course if you are the Bahamas or some other place that has nothing to export and requires imports, then it is welcome. But it's certainly not true that every nation wants their currency to be bid up.

I was just today thinking the same about FED policy. It is beneficial to not increase interests because otherwise people will do business elsewhere. In the worst case, these policies bring about a financial crisis, but as long as that will hit all the countries, no one gets better of than the US.
> Second, it had the effect of ruining the lives of ordinary Americans living abroad who, while by no means wealthy, were working middle class. People like myself had our bank accounts closed...

Yup. Many banks in the EU simply said: "Screw that, we're not complying. We just kick all the US citizens out and close their account and refuse to ever deal with any US citizen now". I've had several bankers at different banks tell me the same. Now none of them told me they were consider these accounts as belonging to tax evaders: it's just that the complexity of complying was crazy.

You see the same on some website: some sites in the US simply don't want to bother complying with EU laws, so they just give the fingers to anyone coming to the site from an IP address in the EU.

That's the thing: a state or supranational entity like the EU can come up with any law it wants, private companies in other states aren't forced to comply. They can just give the middle finger and say: "if that's how you want to play it, then your citizens are out".

It’s not just FATCA either, if you’re an ordinary US citizen living abroad, and you want to start even a trivially small business in a foreign country, the IRS will fuck you. You have reams and reams of compliance paperwork to do, 5471s etc, aimed at multimillion dollar multinationals, even if your annual turnover is less than $1000. It’s hugely chilling to Americans living abroad
As an expat myself with a business, this is true 100%. It has been a complete nightmare for me. GILTI / transition tax was another mess - with exemptions that were lobbied for US based businesses with foreign holdings, while the expat community got screwed over. And the main purpose of this law, apparently, was to go after mega corporations with lots of overseas wealth. But why didn't they exempt small businesses? It is a complete clusterf*ck for Americans abroad.

The problem I think is it is a really easy sell. Legislators can say "we taxed the wealthy", and everyone thinks it's great, yes the wealthy must pay and those damn corporations. Meanwhile the reality is the wealthy can lobby Washington to lessen the pain, and expats are an easy target with virtually no influence.

The icing on the cake is Obama raising the expatriation fee to $2350, and all expatriations closed for the last year. Surely it should be a basic human right to give up your citizenship?

As if they wouldn't spy on it anyway.

Spys can't be trusted.