With so many centralized services making up what the average person thinks of as “the Internet”, if the centralized services disappear, isn’t that the same as “turning off the Internet”?
I wonder if there’s a threshold yet to be crossed where “shutting down the Internet” becomes a fad? Where people begin abandoning social media en masse? This idea actually makes me a bit hopeful!
To be fair seems like a backoff, but the problem is - nobody cares. Millions of man-hours saved a day. On a serious note - that market would be filled in a month...
This was fake news since day 1. There was never any source which pointed back to Facebook implying any such thing. Just tech bloggers/clickbait journalists doing what they do best.
Reading Facebook's own reports? "“If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs (standard contractual clauses) or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe."
That doesn't mean it's not also a threat. It just means that if it is a threat they can always say "That's not a "threat". It's a legally-required warning in a regulatory filing for investors of a possible negative event which might occur." Facebook knew journalists would see this and may have wanted it to be reported on.
Given that the warning is, as you say yourself, legally required, what do you consider to be the most likely primary reason for it being published? It being legally required (and the consequences of violating that), or "knowing journalists would see this"?
Especially since this wasn't the first report where it was included...
They are telling their shareholders if something becomes illegal they will have to cease doing it. You will find similar "threats" in every financial statement or disclosure by every public company.
Their form 10-k, in listing all the business risks, said something along the lines of "if it becomes illegal to operate in Europe we'll have to stop operating in Europe". Then the clickbait factories were off to the races.
This was not just fake news, this was deliberate misinformation. A title saying 'FB threatens to leave EU' means something very different from 'FB lists EU regulation as a potential threat to business in SEC filings'
This is actually an interesting case study of who is spreading and consuming fake news.
This fake news reached the top of reddit and trended on Twitter. Both are dominated by users who think of themselves as smarter than the fake news consuming boomers on Facebook.
In my country it was reported by both the tabloids and mainstream media. Only the publicly owned Danmarks Radio (Danish BBC) didn't spread this fake news.
It also made it to the top of Hacker News multiple times, a site much worse than Reddit in its users having inflated measures of their group's intelligence.
I don't think that Facebook needs to address the fear in people from leaving Europe.
If nothing else, they've definitely heard feedback that people wouldn't mind at all if they left.
>But the simple reality is that Meta, like many other businesses, organisations and services, relies on data transfers between the EU and the US in order to operate our global services
Yeah.. The reality is you don't really have to transfer anything out of EU in order to keep your service running. Liars
Anecdotally, I would love to stop using Messenger and WhatsApp; however, the social friction in doing so is too great. Far too many friends and family are using those services exclusively for me to abandon them.
If those services suddenly closed then I wouldn't have to use them!
It's silly, really; in order to contact specific people I must use all of: SMS, Email, Signal, Telegram, WhatsApp, Messenger, and Discord.
I'm sure a good chunk would be fine with it. Facebook only maintains their social media dominance because the product is sticky: when your friends, family, municipality, favorite businesses, and clubs use Facebook and only Facebook for announcements, you kind of have no choice but to participate unless you're willing to work around inconveniences. Most users barely log in, maybe once or twice a month to check their direct messages and waste a few minutes on the feed.
It's a bit of a prisoner's dilemma: if other people use Facebook, they get to see things you don't and have an advantage in some domains. So a lot of people "use" facebook. But if all of the businesses and groups get forced off of Facebook they'll just find another way to make announcments.
Same thing with car ownership: if everyone stopped owning cars, everyone could happily get around with bikes, feet, and public transit. The world would quickly restructure to accommodate it. Sure, some things would be lost (it would be harder to go to remote places to hike, for instance), but other things, like the ease of getting around your immediate neighborhood, or easy access to stores, or polluting the air with less CO2, would balance that out in many ways.
Offerup, while filled with dark patterns, is something I recently discovered. And it is just as viable, available lots of areas and seemingly less filled with scammers. (By no means empty though)
Having seen how quickly MySpace became irrelevant, I am certain FB is acutely aware of how tenuous the position is as the king of social media. It is no wonder they behave like they do to capture and keep users.
Inherently isn’t the data stored and kept everywhere it’s accessed? If you’re in Germany and are a German your message sent to me just now also now is being stored where I’m located to even read it, no?
I'm sure we'd all benefit from hearing the TurtleCoin guy expound on how one goes about multi-national regulation of terrabits/s of multi-layered write-through caching ranging from extremely cold storage on custom hardware to the POP sitting in a Munich suburb and where exactly the line should be drawn on data custody in that setting.
It’s not semantics, though. If I saved everything I ever read onto a database, indexed uniquely by website schema, how does anything change? The point is the same.
Not on their servers though. If the data is in your browser, it's not trivial for e.g. Facebook to then go an do nefarious things with that data at scale. This is how I understand it.
My understanding was that it's about where the data resides. That assumption may or may not be true. But if it is it's feasible for EU data to be stored in the EU and US users request that data from the EU server. Again, my understanding was that this would be a valid way to handle that data but I might be wrong.
This is where lawyers, regulators, and engineers can reasonably disagree with very serious consequences for governments, shareholders, and ultimately citizens.
If you're in a given geography/regulatory regime, and you read something on your smart phone, technically you were served that via some cell tower or ISP, those bits transited that infrastructure. In the US there's a massive clot of regulatory blockage working it's way slowly through the bowels of government around the term of art: "common carrier".
As with many things that devolve into nitpicking, there is a deeper issue: the EU is increasingly regretting becoming the host to, ironically, European-style colonialism on large-scale consumer Internet platforms. The PRC has its own Google, Twitter, Facebook, etc. The EU has Google, Twitter, Facebook, etc. and doesn't love that US companies and regulators are kind of driving the digital lives of the citizens.
The proximate tussle is about the durability of the storage involved. As a European regulator I might be much more comfortable with a write-through cache like TAO holding messages, or FBIDs of messages, including a German in the chat than I am with all such chats being held on a DFS in Prineville among other places, and having them ground over by a Spark or Hadoop job in Forest City among other places.
They'll kick it around and come up with some compromise that will serve end-users by accident at best. Europe won't develop a homegrown consumer Internet industry in our lifetimes. The odds are both US and EU legislators and regulators will miss a step and it'll be ByteDance everywhere by the time anyone reads this :)
That's one issue. Another more complicated issue is which country's legal authority does the owner of the data have to respond to. If the answer is USA, then the data can be requested by this government regardless of where it's stored...
One option would be to serve this data directly from the European server. However, it's not the public profile data which most people object to be shared, it's the tracking/user-profile data which FB collects in the background.
Yeah, to the user who requested it. Also, it's just the user's post, not the user's tracking/advertisement data.
So the only thing the US government could get, are the public facing posts/images which the user posted but nothing more. If the profile is private, even less. No messenger data (except when send to users in the US).
You can access EU-served data from all over the world, that's not a problem. What's in question is bringing data from EU residents outside of the EU to process it.
Right, the people at Meta aren't stupid. They understand fully will that users posts aren't the issue, but steering the debate in that direction would make the EU look unreasonable.
Meta could be more accommodating to the wishes of the EU and place a greater focus on privacy, but that would mean changing how they do business. Meta clearly don't believe that it's possibly for their businesses to be profitable without data mining the crap out of their users. I know it's not a popular opinion, but business like Facebook and Instagram are the direct reason why the EU feel the need to step in and regulate.
I'm fairly confident that data encrypted over the wire and only decrypted locally on the user's machine, shared willingly with the intended recipient, would not violate anything of interest (clearly, European companies can serve pages to the US). Of course, there are many more ambiguous cases than that (like, where exactly can metadata about which Europeans are allowed to view an American's posts be stored? Is that PII?), but the specific case of serving a post is not really all that complicated.
For those downvoting me, I'd love to hear why you think it's more complicated than that. Contrary to popular belief, the people who wrote the GDPR are pretty technically sophisticated and understand that data on the internet has to move between countries from time to time.
I live in the US, I have several friends that live in the EU. "Who our friends are" is unquestionably PII. Is this friendship graph something that must reside in the US or EU?
Yes, that was the example I brought up as something more complicated. This does not really have anything to do with the fact that data has to eventually be transferred to the US though, which is what the majority of this thread seems to be about. I suspect that a good answer to this is quite complicated, but it's worth looking at the work Signal has been doing to protect this sort of data in a reasonably privacy-conscious way.
Let's take a more complicated example, that is one of the main things that happens on Facebook:
1. Sam makes a post.
2. FB predicts Pat will comment on this post if they see it.
3. Pat sees the post, and writes a comment.
4. FB predicts Alex will reply to Pat's comment if they see it.
5. Alex sees the comment, and writes a reply.
To show why data transfer is such an issue, assume Sam, Pat, and Alex are all in jurisdictions with EU-style privacy regulations and that don't have data transfer agreements with each other.
How would you build a system that supports 1-5, a user journey that is core to Facebook's usage, in a way compliant with these regulations? For example, where is the discussion stored? Where do the models in (2) and (4) run?
Insofar far as I understand GDPR, models (2) and (4) can run anywhere, provided that the data are ephemeral, encrypted in transit, and their output decision cannot be queried later (e.g. by logging a relationship between the input to the model and the eventual message delivery that includes PII like IP). The question of "where is the discussion stored?" would indeed be problematic if it were not possible for it to be encrypted in such a way that a key from both countries was needed in order to reveal the conversation plaintext, but I don't see a clear reason why that should not be possible (it may not be how Facebook actually stores conversations now, of course, but it is not a technical barrier).
As far as I can tell, the really difficult aspect here is how and where to permanently store the fact that the two users are talking to each other once the comments are actually made, since the mere fact that they are talking to each other demonstrates a relationship between them which may be considered PII in some contexts. Or at least, it would be difficult if the US also had privacy laws like the EU's, and IMO any coherent solution should be able to work if the US adopts something like GDPR. Unlike the message contents, this is quite difficult to store in a privacy-preserving way. I think the discussion would be more interesting and feel less like attacking a strawman if people were to focus on the interesting questions like this one, rather than the extremely uninteresting question of whether Facebook can serve posts to the US at all (which it obviously can).
Just for clarification, GDPR does not prohibit in any way that privat personal data leaves the EU (obviously). However, if you want to transfer privat personal data out of the EU you have to certify it still conforms with GDPR (this can be self certified).
> Yeah.. The reality is you don't really have to transfer anything out of EU in order to keep your service running. Liars
Only as long as your users are fine to only talk with people from their "world region cluster". Everyone else would not be able to communicate with, say, family that lives overseas.
"Yeah.. The reality is you don't really have to transfer anything out of EU in order to keep your service running. Liars" - nixass
Look, I realize I'm not an elite hacker news hacker, but how can I as a US user look at my friends posts in germany without them transferring data to me in the US?
What makes this so obviously a lie that such strong language is called for?
> Yeah.. The reality is you don't really have to transfer anything out of EU in order to keep your service running. Liars
Can you explain to me how would you allow communication between EU and USA users without transferring any data out of EU? Expect for putting all the datacenters in EU?
I'm pretty sure when we talk about "transfers" here, we aren't talking about "user in US requests data from URL that is served from server in EU". We're talking about user-data from/about/on EU citizens that is stored on servers in the US (or transferred there from servers in the EU with the intent to keep it on servers in the US). The former is fine[0], but the latter is not.
[0] Obviously if there is some web forum hosted in Germany that a bunch of Germans living in Germany post to, and I -- in the US -- visit the forum, that involves data leaving Germany and flowing to the US. There's nothing wrong with that.
Very simple example - I'm in EU, and I like and post a comment on a photo of Rihana. How do you do that on the backend, without transferring data or keeping all the data in EU?
Even if you keep data for individual profile in corresponding country, any interaction with a content outside of EU is impossible without data transfer.
> The reality is you don't really have to transfer anything out of EU in order to keep your service running.
Practically speaking, running FB in a way that doesn't transfer anything out of the EU would involve either:
1. Siloing off the EU facebook, with no contact with the US side
or
2. Building a federated facebook, which transfers across e.g. only the timeline entries US friends are granted view access to
The former would not be well-accepted, as it would cut off communication from e.g. international relatives, and would be a rather large project to launch. The latter would be an even bigger rearchitecture, which would likely take, at a minimum, several years to complete, since it's unlikely this was ever anticipated as being a possibility when FB was originally created.
So, I sympathize with them - while in the long term they might be able to find a solution, in the short-to-medium term, FB would have no choice to stop operating.
If that were the case, how would any global communication medium be allowed to operate? Can't you provide the same service while not moving PII out of the EU? As far as I know this is not about a user in the US viewing a EU citizen's facebook page, this is about where the original data resides, is it not? Playing devil's advocate here, can't you just figure out what jurisdiction the user belongs to and route the request to the right server?
A facebook feed doesn't just show data from one user. When I look at my feed, I am seeing posts from 100 people distributed over 7 countries on 3 continents. Stitching that data together from multiple data sources is an extremely difficult thing to accomplish.
Much harder for a large company than a small one, actually. The coordination overhead to get a bunch of disparate teams in a large company to rearchitect the fundamental structure of the service should not be overlooked.
The issue is not your feed, that's what Facebook wants you to believe, you agreed to share that data with other FB users. the issue is they transfer personal data of EU citizens to the US to process them and sell them or use them to improve their adv war machine. Or give it to their US government.
Aside from the difficulties in operating effectively without passing any PII (which includes identifiers) across international/org lines, the reality is that recent EU regulatory action has come down not on where the data is stored, but whether the parent company is in the US.
The reality that the EU government has recognized is that a FISA order of the parent company could compel a US organization to pull data from the EU servers to provide to the US government; and it’s a valid critique.
The cloud act allows US agencies to gain access to all data a US Company has access to regardless the physical location. This in turn means that a EU Company can't guarantee that the data isn't transferred out of the EU. To transfer data out of the EU one either needs a legal framework or consent.
Consent has to be given in an informed manner, but since the company does not know for what reasons an US agencie can access the data they can not inform the person correctly under gdpr.
A legal framework has to comply with the EU Charta. Indiscriminate access to information is not in compliance with the EU Charta so a framework cannot exist.
Which the EU will solve by forcing companies to erect a legal firewall; otherwise they would define their laws as being underneath American laws with anything related to a US company operating in Europe.
That wouldn't solve anything. The EU treats all US services as being in the US, regardless of where the physical servers are, as Facebook is still subject to the US subpeonas and they are legally required to give data to the US even if it's on a European server.
You are right that the same logic would make any American communication website illegal. I think the end goal for the EU here is to require all communication platforms used by EU citizens to be entirely run by the EU.
> regardless of where the physical servers are, as Facebook is still subject to the US subpeonas and they are legally required to give data to the US even if it's on a European server
Is that so? I'd like to know more about this then, I don't see how that would be practical at all then.
> Principally, it asserts that U.S. data and communication companies must provide stored data for a customer or subscriber on any server they own and operate when requested by warrant, but provides mechanisms for the companies or the courts to reject or challenge these if they believe the request violates the privacy rights of the foreign country the data is stored in.
I think that's the difference. Facebook could be forced to keep all PII in the EU for the purpose of protecting peoples data from unlawful (EU) use but still have to surrender it to US law enforcement. Would that violate the EU law?
> I think the end goal for the EU here is to require all communication platforms used by EU citizens to be entirely run by the EU.
I think their end goal is regulatory convergence. They don't want companies to be able to trivially circumvent laws protecting their citizens simply by operating in a different jurisdiction, which is to say, if you want to play by different rules, barriers are inevitable, or else the rules are meaningless. Over the long run, the hope is that people can converge on similar enough rules that the barriers become unnecessary.
For example, suppose a country passes an air quality law that forces companies to reduce emissions from factories. They might suspect that instead of updating their factories, companies might sell their manufacturing equipment to new companies that mysteriously pop up right across the border and happily sell finished goods back across the border. Anticipating that, the country would want to do something to prevent it. The measures they come up with might be onerous and inefficient in the short run, but in the long run, the two countries would be motivated to converge on regulatory regimes that were mutually acceptable.
(not intending to endorse or criticize this idea, just giving my best understanding of how countries approach questions like this)
There are a lot of edge cases that people don't think about.
A lot of communication data has two people associated, and a lot of it is highly sensitive. If a US person and a French person chat how does each get the messages? Message data is obviously highly sensitive and shouldn't be shared.
Does the US person need to hit the French servers to see new messages, and vice versa? What about quoting?
Message metadata (i.e. the fact that these two people are talking at all) is also pretty valuable -- the classic pen register is just a record of which calls were made to which numbers. Where do you store the metadata of the thread? It arguably belongs to and is private to both people.
Sending data to the US and storing it there, is the very point that is being contested.
People are acting like this is a trivial problem both technically & legally but it’s not. I don’t have sympathy for Facebook but if you are a small company handling data in the EU and other data outside it I have sympathy as it’s going to cost a lot in architectural complexity and compliance costs.
How do SMS/MMS/email/etc. handle this? Are you saying they would all become illegal? Or is this law going to uniquely place requirements on social media that other communication systems do not/would not comply with?
I’m not a lawyer, so take the following with a pinch of salt.
My GDPR compliance training said that data strictly necessary for the provision of a service is something a business can freely use to that end without explicit consent. This is why GitHub doesn’t show cookie popups: https://github.blog/2020-12-17-no-cookie-for-you/
So “User @Alice sent $message to user @Bob” is necessary for a chat platform, but “Notice to advertisers: User @Alice posts a lot about cars, cats, and funny shaped carrots” isn’t even though advertisers pay for the continued existence of the service.
I sincerely doubt that I understand enough about the topic to apply what little I’ve heard through the media about the Schrems judgements and the decision to invalidate the Privacy Shield framework and its predecessor to answer that.
> So you propose to copy the private data of European citizens on US servers?
> What happens when the law makes that illegal?
just follow the Chinese model. complete blackout between the European Union, China and ROW. this is where this thing is headed, so we might as well start thinking about it.
Keep in mind that with other communication mechanisms (e.g. email, SMS) we already send over a copy of the message and keep the original. I'm not saying it's "better" from a privacy perspective, just that it seems like the logical solution here, and I'm not sure how a court might conclude otherwise. The data is being hosted in Europe at that point. It's just that a copy needs to be sent to the recipient only when the message is initially sent (because how else do you communicate?!).
That's true for some kinds of PII data and not others. The social graph (who are your friends) is symmetrical. Shared-edit documents, dropbox-like file sharing, and wikis are often ownership-ambiguous.
If you are sending a message to a person in another country, you are consenting to that communication traveling to the location of that person. See article 6:
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
[.. other permissible purposes snipped ..]
Generally, the GDPR issues with sending to another country boil down to whether the EU accepts that the other country's government will allow the company protect the data in ways compatible with the GDPR. When sending that data to another company happens for reasons incidental to the permissible purpose of your data (eg EU-to-EU data processed in the US) this becomes an issue, as you've not consented to that risk. If you are specifically requesting that your data be sent to, say, the US, however, then processing that data in the US becomes necessary and thus much more justified.
From a technical perspective, you can certainly silo your data and transfer only as needed. This is however way more complicated, as you need to now deal with the fact that you're potentially performing joins across high-latency datastores, where you might need to be careful about what query data you're sending across the wire, and where your different silos need to apply access controls against each other. If you didn't engineer for this from the start, it's a big shift in architecture.
This is about data sending without consent, which has to be explicit. E.g. if I, as european, create a Gmail account and my mails reside in an US server, I give explicit permission for all my emails to be transferred between Europe and the US. Namely: I'm informed of the extent of data collection (all my mails incoming our outgoing), the duration (forever), the storage (Google servers) and algorithms used (I consent the scanning of my emails to create adds).
But if I visit a web page hosted in Europe, and that page uses the FB cookies, Google analytics, etc. maybe I'm unaware what and how the data is being collected.
They relied on the cookie banners as explicit consents (i.e. if you click this "OK" button, you give explicit consent to all our data gathering and sending), but that might be not fully compliant with GDPR.
> E.g. if I, as european, create a Gmail account and my mails reside in an US server, I give explicit permission for all my emails to be transferred between Europe and the US.
NOYB has used this as an example of something that would be illegal.
If stop operation is the only alternative to stop collecting and sending out data, then let it be.
An if that happens, if Facebook really gets banned from operating in Europe, I'm pretty sure “good enough” technical solution approved by the EU administration would be found pretty quick.
There are other companies that silo each customer from each other in ways that are very expensive to the platform owner (can't get more specific, sorry).
I'd be amazed if they couldn't come to a medium-term compromise agreement if they wanted to. EU authorities have precedent in giving companies time to fix things up if they show that they're willing to do that.
> 1. Siloing off the EU facebook, with no contact with the US
That's already business as usual with China, but companies like Facebook have absolutely no problem with that silo as it protects them and benefits their bottom line.
But somehow, use cases that protect users, those suddenly pose major blockers.
Can you direct me to the evidence suggesting that Facebook/Meta operates in China? My understanding is that the only FAANG corporation that deals with the CCP is Apple, who has gone beyond siloing content and straight-up relocated a portion of their servers to the country.
About 2010, I realised that siloing the internet is basically the only way for nations to remain fully sovereign — can’t enforce laws on copyright, libel, porn, personal data protection, un-accredited education, scams, hacking, gambling, false or misleading advertising, unregulated political advertising[0], indecent communications, malicious communications, menacing communications, nor treasonous/seditious communications, when the people doing it are in a country you don’t have a treaty with.
This is not to say I “want” this — what I want is for everyone in the world to be one big happy group of friends, but I don’t know how to get there from here, and silos look to me like the next thing that will happen.
Yes, they do silo. Nobody is claiming otherwise. My point is that they'd almost certainly prefer not to; they are siloing to comply with Chinese laws.
What makes you think they have "absolutely no problem with it"? You don't think it would be operationally simpler and more profitable to allow communication between Chinese and non-Chinese accounts?
No, not really. Companies operating in China silo their services because Chinese laws demand access to servers, and by siloing the company ensures that the Chinese regime does keep it's hands off stuff they have no business accessing.
Siloing services in China has zero to do with CCP's demands and everything to do with a company's self-interest.
1) Providing end-to-end encryption on user data travelling from Europe to outside Europe.
2) Your option for number 1, but then allowing users to freely consent with their data to be shared internationally (which they can then revoke later if required).
I'm sure there are others... Also IANAL but a social media post may be covered under the "legitimate interests" scope of GDPR (but facebook's tracking data would certinally not be covered).
Is the purpose of the data transfer necessarytransparent and proportionate? If so, no problem and your far flung relatives can communicate without issue. These principles frustrate the surreptitious core purposes of Facebook however and so it doesn’t make sense for them to facilitate in those terms. If you’re not paying for a service you are the product.
The issue is not having Europeans sharing photos and posts with Americans, but to have unshared personal data like logs, user preferences or non-public PII hosted on European servers without granting the US government access to it since it is outside of their jurisdiction.
Also, if a European citizen shares photos with an American friend, this friend will fetch the image from an European server, so that the US government doesn't have access to the remaining photos, unless they contact European authorities.
I assume the most interesting requirements are about data residency. And that probably 1) can be avoided by just making sure EU data is stored in the EU, US data in the US, and looking up a foreign region profile (which is rare) would need to a a pure API proxy request which is not allowed to store anything in the local region and probably has some kind of per-request authorization to do this.
I certainly have not spent any time to look into the actual legislation - so don't take this as "everything would be fine" - but I feel a solution could be found that governments would be ok with if FB would be willing to spend the engineering effort.
The problem is that US law says that the US can tell a US company to share data with US Intelligence Agencies even if that data exists in a subsidiary outside of the US.
That's why simply storing EU data in the EU isn't enough when there's a US company involved. Our surveillance state isn't just horrible for privacy, it's also bad for business.
I'm not sure that is the case. The data that people are posting themselves on Facebook clearly has consent to be published.
What is not is all of the tracking that they do - not only on the Meta properties, but also all of the other websites who are dumb enough to execute code or otherwise expose their users to Facebook. Lots of them do it unwittingly too.
Erm, 1. doesn't really make sense, because EU isn't really the problem here. It should read "siloing off the US Facebook". And that makes perfect sense.
> Siloing off the EU facebook, with no contact with the US side
That's insufficient as the US CLOUD Act allows the US government to compel a US company to cough up the data even if it is hosted in the EU and subject to EU privacy laws.
The only workaround I could see is one where they would spin out Facebook EU as a legally independent non-US entity (giving shares in it to Meta shareholders) and federate that with FB US.
Large computer systems with baked in assumptions of the fact that data locality regulations wouldn't be as strict as they are in 2022 are... difficult to update
Would be really great to see even more regulation to make these so-called “data businesses” to stop gambling with people’s information.
One example of that would a mandatory paid option which takes you out of all company data sharing stuff.
I dont use any facebook/Meta related platforms such as facebook, instagram or whatsapp. But it makes me sick seeing people around me addicted to it, due to their shady operation patterns.
About 5 years ago, I was told Facebook uses a single global “write” datacenter, which works for their use case of read-mostly.
I’m not sure it this is still the case, but assuming it is, wouldn’t that make for a reasonable argument why it would be “impossible” (a.k.a. possible but non-trivial) to keep the data in the EU?
Yeah I remember something similar. It’s not just about coming up with a compliant architecture, but how to get there from what already exists. Of course authorities could say ”not our problem”.
I live in Mexico and have several friends in different EU countries. Would it be possible for me to follow them , read their feeds and interact normally if I was in the US and Facebook blocked data transfers between EU/US?
> The reality is you don't really have to transfer anything out of EU in order to keep your service running. Liars
Ok you would have to make actual legal guarantees that no PII data will _ever_ be processed outside of the EU. given that this effectively means that if you fly out of the EU, or are _routed_ out of the EU, you won't be able to use those services. This is because PII is anything personal to you, and processing means anything that makes decisions, like routing based on IP or username.
This isn't actually a facebook specific problem S3/azure/google and their customers all have the same problem.
Meta does not want to understand. People are not happy that their data is Meta's business and that, as a result, Meta keeps socially engineering them to milk more of their time.
People are not even mad about ads, they are mad at the waste of time and general sense that FB brings the worst out of you.
They need to shift their business, changing the landscape (metaverse) will not change anything or trying to convince people that what they offer is great is a long term losing proposition, imh.
No one in my circles cares about Facebook leaving Europe. Until they realize that Facebook includes Instagram and WhatsApp and they do actually use those other services.
Point being: to all the commenters saying no one cares, a lot more people care than you think.
Eh. If all three of those left the US I would care exactly not at all. There are better alternatives and if FB et al disappeared suddenly it would just create room for those services to take hold.
In the last 5 years, Whatsapp has basically replaced SMS in many EU countries. The equivalent in the US is probably the combined market share of FB Messenger, Whatsapp, iMessage and Signal.
There was a forerunner of that last year when there was a massive exodus to Signal when FB changed WhatsApp's privacy policy to force users to allow sharing of data with Facebook. If they shut down, even people who were too apathetic to switch would do so overnight. I hope Signal has a contingency plan for scaling up 10x ready...
My understanding of Telegram is that it's big in eastern europe, but here in Ireland at least, it's got a reputation of "that thing you contact your drug dealer on".
if WhatsApp goes people would move to signal or telegram.
Instagram is a bit trickier, but I'm fairly sure people would start making a new one immediately. You could even relatively easily transfer everything and everyone across using the zip you can get thanks to GPDR.
Leaving Whatsapp is hard because everyone is using it. But suppose whatsapp becomes unavailable for whatever reason, people will turn to other apps within hours (actually within a hour). In fact many people already have Telegram/Signal on their phone (although not using it).
As for instagram, things are a bit different. But the way I see it, 1- general population isn't using it. 2- This is not a necessary tool like whatsapp. Something else will fill the void but it will take some considerable time.
> Meta Is Absolutely Not Threatening to Leave Europe
But then in the body of their post...
> EU-US data transfers mechanisms poses a threat to our ability to serve European consumers and operate our business in Europe [and] we have absolutely no desire to withdraw from Europe, of course we don’t, But the simple reality is that Meta relies on data transfers between the EU and the US.
I mean, that sounds like a threat to leave to me? If you can't operate your business in Europe? Talk about mixed messaging and double-speak!
What are you talking about? It's completely clear to someone who isn't coming at this issue with an axe to grind. Meta's ability to serve European customers is under threat. In other words, the regulatory framework is making it hard for them to do their jobs. Meta is not threatening to leave. They couldn't be clearer.
If you're going to interpret every risk disclosed to investors as a threat, that means companies can't be honest about the risks facing them without making threats.
Since public companies get sued for not disclosing risks to investors, there is no winning this.
An international social network where one posts pictures/videos, write posts, has a profile, look at news, communicate through direct messages or group chats should be fully compliant with GDPR. Even across borders. Because consent for those activities is very explicit.
What's not compliant with GDPR: Store cookies on a users computer, then let others look for that cookie and share the users data with them so they can target ads at you. Collect all that data from different site and create a profile of you that you then sell. You can also not move data out of the EU without guaranteeing to not do that.
Came here for this comment. This choice of headline by Meta seems like a bad choice. The language just reeks of double speak even if it isn't (No, I haven't read the article!). Who is running PR at Meta these days? "Dad Is Absolutely Not Threatening to Leave Mom".
Getting in to the article, the language is bizarre: "We have absolutely no desire to withdraw from Europe; of course we don’t." What? Who talks like that.
"we want the internet to continue to operate as it was intended: without friction, in compliance with applicable laws — but not confined by national borders."
We want the internet to be an unrestricted free for all! But also follow the laws ... the ones we like, of course. But not ones from other countries, I mean we all have a line guys.
> To help personalize content, tailor and measure ads, and provide a safer experience, we use cookies. By clicking or navigating the site, you agree to allow our collection of information on and off Facebook through cookies. Learn more, including about available controls: Cookies Policy
How am I supposed to read the cookies policy without clicking or navigating?
> International data transfers underpin the global economy and support many of the services that are fundamental to our daily lives. For many years, the legal framework supporting the transfer of data across the Atlantic has faced severe disruption.
Huh, if I were a Facebook investor I'd be pretty disappointed to hear that they've known this was an area of active disruption for years but haven't managed to rework their business model to avoid it.
Their whole function is letting people send data to other people. The EU saying that it's illegal to send data to a US company is a pretty unsolvable problem for them.
is it possible that if they go through with it, it might open up the entire continent to an alternate / competitor, which can then threaten them globally ?
thinking a bit more, it seems that there might be a fine acceptable line of action between the scylla of share everything (which mean no privacy) and charybdis of share nothing (which means no internet), and it might (unfortunately !) be upto the politicians to draw it...
Second paragraph: But if we don't get what we want, we will have to consider blah.
I guess it's time for an update to Betteridge's Law: The more emphatically a press-release headline denies something, the more likely it is to be true.
The EU doesn't care if Meta gets the data of its users but that there is no possibility to prevent that the intelligence services get them too.
That killed Safe Harbour.
Meanwhile Brits needs to confirm your age with your phone operator before accessing certain pages (even if it is just switch).
And how is it going with proposal to ban encryption in UK?
Why does this sound like a series of Tweets? I cannot believe an SVP wrote this and thought it was a professional enough tone to publish. It reflects doubly bad on Meta because not only do Europe’s (or Apple’s or Google’s or whatever enemy du jour) privacy laws limit their ability to execute (as seen from their latest quarterly results), but they don’t even have the maturity to address the situation without more whining about how user privacy means they can’t harvest their data to make billions of dollars. This sort of tone might fly for a start-up but not one of the largest companies in the world. Doubly true since Meta just identified a huge downside in their prospects and this does nothing to assuage investors. Rather than say “we are looking for ways to continue to provide our services while remaining compliant with privacy laws” and a bunch of marketing speak about it, they throw in the towel and say “boo hoo, if Europe wants privacy, we just can’t have Facebook there.”
247 comments
[ 2.6 ms ] story [ 247 ms ] threadWith so many centralized services making up what the average person thinks of as “the Internet”, if the centralized services disappear, isn’t that the same as “turning off the Internet”?
I wonder if there’s a threshold yet to be crossed where “shutting down the Internet” becomes a fad? Where people begin abandoning social media en masse? This idea actually makes me a bit hopeful!
Especially since this wasn't the first report where it was included...
This fake news reached the top of reddit and trended on Twitter. Both are dominated by users who think of themselves as smarter than the fake news consuming boomers on Facebook.
In my country it was reported by both the tabloids and mainstream media. Only the publicly owned Danmarks Radio (Danish BBC) didn't spread this fake news.
https://news.ycombinator.com/item?id=30241635
https://news.ycombinator.com/item?id=30207734
https://news.ycombinator.com/item?id=30234026
https://news.ycombinator.com/item?id=30234444
>But the simple reality is that Meta, like many other businesses, organisations and services, relies on data transfers between the EU and the US in order to operate our global services
Yeah.. The reality is you don't really have to transfer anything out of EU in order to keep your service running. Liars
> WHAT IS THE MATTER WITH THAT, IF IT IS WHAT YOU WANT TO DO?
> "But nobody wants it! Everybody hates it."
> OH. WELL, THEN STOP.
If those services suddenly closed then I wouldn't have to use them!
It's silly, really; in order to contact specific people I must use all of: SMS, Email, Signal, Telegram, WhatsApp, Messenger, and Discord.
It's a bit of a prisoner's dilemma: if other people use Facebook, they get to see things you don't and have an advantage in some domains. So a lot of people "use" facebook. But if all of the businesses and groups get forced off of Facebook they'll just find another way to make announcments.
Same thing with car ownership: if everyone stopped owning cars, everyone could happily get around with bikes, feet, and public transit. The world would quickly restructure to accommodate it. Sure, some things would be lost (it would be harder to go to remote places to hike, for instance), but other things, like the ease of getting around your immediate neighborhood, or easy access to stores, or polluting the air with less CO2, would balance that out in many ways.
This is clearly wrong.
> Facebook led the way, where Americans spent an average 58 minutes a day on the app.
> Instagram was the second most used service, and it remained most popular among Gen-Z users, who spent almost 53 minutes per day, or 297 hours year;
With DAU of >2b people, I think you're drastically underestimating the scope of damage from a FB withdrawal from the EU.
https://www.forbes.com/sites/petersuciu/2021/06/24/americans...
Having seen how quickly MySpace became irrelevant, I am certain FB is acutely aware of how tenuous the position is as the king of social media. It is no wonder they behave like they do to capture and keep users.
If a user in Florida tries to view a post by a user in Germany, doesn't the German user's data have to leave the EU?
It's where the data is stored and kept that is at issue.
Enlighten us?
You guys are just playing with semantics.
In terms of this context, easiest way would be to shard db infrastructure. Not even a remotely big deal for Facebook, with their size.
Hell, they should already want this, to avoid costly, and high ping time, intercontinental links.
But oh nooos, so hard to do. Absurd.
Think about internet archive, BitTorrent dumps of Facebook, etc.
Wouldn’t the true solution simply be for those who don’t want other regions to save to simply not have access, e.g firewall?
It would then been trivial for someone to crawl EU pages and rebuild the corpus of data.
The only real solution is to firewall off regions and prevent those users from accessing anything other than their own.
This is already what some countries like China do, for instance
If you're in a given geography/regulatory regime, and you read something on your smart phone, technically you were served that via some cell tower or ISP, those bits transited that infrastructure. In the US there's a massive clot of regulatory blockage working it's way slowly through the bowels of government around the term of art: "common carrier".
As with many things that devolve into nitpicking, there is a deeper issue: the EU is increasingly regretting becoming the host to, ironically, European-style colonialism on large-scale consumer Internet platforms. The PRC has its own Google, Twitter, Facebook, etc. The EU has Google, Twitter, Facebook, etc. and doesn't love that US companies and regulators are kind of driving the digital lives of the citizens.
The proximate tussle is about the durability of the storage involved. As a European regulator I might be much more comfortable with a write-through cache like TAO holding messages, or FBIDs of messages, including a German in the chat than I am with all such chats being held on a DFS in Prineville among other places, and having them ground over by a Spark or Hadoop job in Forest City among other places.
They'll kick it around and come up with some compromise that will serve end-users by accident at best. Europe won't develop a homegrown consumer Internet industry in our lifetimes. The odds are both US and EU legislators and regulators will miss a step and it'll be ByteDance everywhere by the time anyone reads this :)
> One option would be to serve this data directly from the European server.
What do you think happens with the data when you "serve it directly from the European server" to a user in Florida?
Exactly, it leaves the EU to go to Florida. ;-)
So the only thing the US government could get, are the public facing posts/images which the user posted but nothing more. If the profile is private, even less. No messenger data (except when send to users in the US).
Meta could be more accommodating to the wishes of the EU and place a greater focus on privacy, but that would mean changing how they do business. Meta clearly don't believe that it's possibly for their businesses to be profitable without data mining the crap out of their users. I know it's not a popular opinion, but business like Facebook and Instagram are the direct reason why the EU feel the need to step in and regulate.
For those downvoting me, I'd love to hear why you think it's more complicated than that. Contrary to popular belief, the people who wrote the GDPR are pretty technically sophisticated and understand that data on the internet has to move between countries from time to time.
1. Sam makes a post.
2. FB predicts Pat will comment on this post if they see it.
3. Pat sees the post, and writes a comment.
4. FB predicts Alex will reply to Pat's comment if they see it.
5. Alex sees the comment, and writes a reply.
To show why data transfer is such an issue, assume Sam, Pat, and Alex are all in jurisdictions with EU-style privacy regulations and that don't have data transfer agreements with each other.
How would you build a system that supports 1-5, a user journey that is core to Facebook's usage, in a way compliant with these regulations? For example, where is the discussion stored? Where do the models in (2) and (4) run?
As far as I can tell, the really difficult aspect here is how and where to permanently store the fact that the two users are talking to each other once the comments are actually made, since the mere fact that they are talking to each other demonstrates a relationship between them which may be considered PII in some contexts. Or at least, it would be difficult if the US also had privacy laws like the EU's, and IMO any coherent solution should be able to work if the US adopts something like GDPR. Unlike the message contents, this is quite difficult to store in a privacy-preserving way. I think the discussion would be more interesting and feel less like attacking a strawman if people were to focus on the interesting questions like this one, rather than the extremely uninteresting question of whether Facebook can serve posts to the US at all (which it obviously can).
Only as long as your users are fine to only talk with people from their "world region cluster". Everyone else would not be able to communicate with, say, family that lives overseas.
Look, I realize I'm not an elite hacker news hacker, but how can I as a US user look at my friends posts in germany without them transferring data to me in the US?
What makes this so obviously a lie that such strong language is called for?
Can you explain to me how would you allow communication between EU and USA users without transferring any data out of EU? Expect for putting all the datacenters in EU?
[0] Obviously if there is some web forum hosted in Germany that a bunch of Germans living in Germany post to, and I -- in the US -- visit the forum, that involves data leaving Germany and flowing to the US. There's nothing wrong with that.
Even if you keep data for individual profile in corresponding country, any interaction with a content outside of EU is impossible without data transfer.
Practically speaking, running FB in a way that doesn't transfer anything out of the EU would involve either:
1. Siloing off the EU facebook, with no contact with the US side
or
2. Building a federated facebook, which transfers across e.g. only the timeline entries US friends are granted view access to
The former would not be well-accepted, as it would cut off communication from e.g. international relatives, and would be a rather large project to launch. The latter would be an even bigger rearchitecture, which would likely take, at a minimum, several years to complete, since it's unlikely this was ever anticipated as being a possibility when FB was originally created.
So, I sympathize with them - while in the long term they might be able to find a solution, in the short-to-medium term, FB would have no choice to stop operating.
The issue is not your feed, that's what Facebook wants you to believe, you agreed to share that data with other FB users. the issue is they transfer personal data of EU citizens to the US to process them and sell them or use them to improve their adv war machine. Or give it to their US government.
The reality that the EU government has recognized is that a FISA order of the parent company could compel a US organization to pull data from the EU servers to provide to the US government; and it’s a valid critique.
My understanding was that it's not about that.
> the reality is that recent EU regulatory action has come down not on where the data is stored, but whether the parent company is in the US
Interesting, do you have any source on this particular aspect? I haven't heard this before.
It's a legal deadlock.
IF [thing] be used to identify [person] from any arbitrary set of [persons] THEN [thing] is PII.
You are right that the same logic would make any American communication website illegal. I think the end goal for the EU here is to require all communication platforms used by EU citizens to be entirely run by the EU.
Is that so? I'd like to know more about this then, I don't see how that would be practical at all then.
> Principally, it asserts that U.S. data and communication companies must provide stored data for a customer or subscriber on any server they own and operate when requested by warrant, but provides mechanisms for the companies or the courts to reject or challenge these if they believe the request violates the privacy rights of the foreign country the data is stored in.
https://en.wikipedia.org/wiki/CLOUD_Act.
I think that's the difference. Facebook could be forced to keep all PII in the EU for the purpose of protecting peoples data from unlawful (EU) use but still have to surrender it to US law enforcement. Would that violate the EU law?
I think their end goal is regulatory convergence. They don't want companies to be able to trivially circumvent laws protecting their citizens simply by operating in a different jurisdiction, which is to say, if you want to play by different rules, barriers are inevitable, or else the rules are meaningless. Over the long run, the hope is that people can converge on similar enough rules that the barriers become unnecessary.
For example, suppose a country passes an air quality law that forces companies to reduce emissions from factories. They might suspect that instead of updating their factories, companies might sell their manufacturing equipment to new companies that mysteriously pop up right across the border and happily sell finished goods back across the border. Anticipating that, the country would want to do something to prevent it. The measures they come up with might be onerous and inefficient in the short run, but in the long run, the two countries would be motivated to converge on regulatory regimes that were mutually acceptable.
(not intending to endorse or criticize this idea, just giving my best understanding of how countries approach questions like this)
A lot of communication data has two people associated, and a lot of it is highly sensitive. If a US person and a French person chat how does each get the messages? Message data is obviously highly sensitive and shouldn't be shared.
Does the US person need to hit the French servers to see new messages, and vice versa? What about quoting?
Message metadata (i.e. the fact that these two people are talking at all) is also pretty valuable -- the classic pen register is just a record of which calls were made to which numbers. Where do you store the metadata of the thread? It arguably belongs to and is private to both people.
I would imagine each user has a copy of the other's messages in their own account, and that's what they would be hitting.
People are acting like this is a trivial problem both technically & legally but it’s not. I don’t have sympathy for Facebook but if you are a small company handling data in the EU and other data outside it I have sympathy as it’s going to cost a lot in architectural complexity and compliance costs.
My GDPR compliance training said that data strictly necessary for the provision of a service is something a business can freely use to that end without explicit consent. This is why GitHub doesn’t show cookie popups: https://github.blog/2020-12-17-no-cookie-for-you/
So “User @Alice sent $message to user @Bob” is necessary for a chat platform, but “Notice to advertisers: User @Alice posts a lot about cars, cats, and funny shaped carrots” isn’t even though advertisers pay for the continued existence of the service.
What happens when the law makes that illegal?
> What happens when the law makes that illegal?
just follow the Chinese model. complete blackout between the European Union, China and ROW. this is where this thing is headed, so we might as well start thinking about it.
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
[.. other permissible purposes snipped ..]
Generally, the GDPR issues with sending to another country boil down to whether the EU accepts that the other country's government will allow the company protect the data in ways compatible with the GDPR. When sending that data to another company happens for reasons incidental to the permissible purpose of your data (eg EU-to-EU data processed in the US) this becomes an issue, as you've not consented to that risk. If you are specifically requesting that your data be sent to, say, the US, however, then processing that data in the US becomes necessary and thus much more justified.
From a technical perspective, you can certainly silo your data and transfer only as needed. This is however way more complicated, as you need to now deal with the fact that you're potentially performing joins across high-latency datastores, where you might need to be careful about what query data you're sending across the wire, and where your different silos need to apply access controls against each other. If you didn't engineer for this from the start, it's a big shift in architecture.
But if I visit a web page hosted in Europe, and that page uses the FB cookies, Google analytics, etc. maybe I'm unaware what and how the data is being collected.
They relied on the cookie banners as explicit consents (i.e. if you click this "OK" button, you give explicit consent to all our data gathering and sending), but that might be not fully compliant with GDPR.
NOYB has used this as an example of something that would be illegal.
The main issue is differences between EU and US law.
An if that happens, if Facebook really gets banned from operating in Europe, I'm pretty sure “good enough” technical solution approved by the EU administration would be found pretty quick.
That's already business as usual with China, but companies like Facebook have absolutely no problem with that silo as it protects them and benefits their bottom line.
But somehow, use cases that protect users, those suddenly pose major blockers.
It's less that they don't have a problem with the silo and more that they don't have a choice.
Are you really advocating for siloing European and North American internet?
This is not to say I “want” this — what I want is for everyone in the world to be one big happy group of friends, but I don’t know how to get there from here, and silos look to me like the next thing that will happen.
[0] I don’t know how it works in most places, but in the UK there are Rules: https://commonslibrary.parliament.uk/who-regulates-political...
Do you honestly think that's true? I bet they'd move mountains to remove that silo if they could.
Think? I know for a fact it's true. In fact, do you know a single company operating in China that doesn't silo away their China operations?
What makes you think they have "absolutely no problem with it"? You don't think it would be operationally simpler and more profitable to allow communication between Chinese and non-Chinese accounts?
No, not really. Companies operating in China silo their services because Chinese laws demand access to servers, and by siloing the company ensures that the Chinese regime does keep it's hands off stuff they have no business accessing.
Siloing services in China has zero to do with CCP's demands and everything to do with a company's self-interest.
CCIP demands access to servers -> companys silo to protect data from CCP
But then claim siloing has "zero to do with CCP's demands". Having trouble understanding this logic.
1) Providing end-to-end encryption on user data travelling from Europe to outside Europe.
2) Your option for number 1, but then allowing users to freely consent with their data to be shared internationally (which they can then revoke later if required).
I'm sure there are others... Also IANAL but a social media post may be covered under the "legitimate interests" scope of GDPR (but facebook's tracking data would certinally not be covered).
Also, if a European citizen shares photos with an American friend, this friend will fetch the image from an European server, so that the US government doesn't have access to the remaining photos, unless they contact European authorities.
I certainly have not spent any time to look into the actual legislation - so don't take this as "everything would be fine" - but I feel a solution could be found that governments would be ok with if FB would be willing to spend the engineering effort.
That's why simply storing EU data in the EU isn't enough when there's a US company involved. Our surveillance state isn't just horrible for privacy, it's also bad for business.
What is not is all of the tracking that they do - not only on the Meta properties, but also all of the other websites who are dumb enough to execute code or otherwise expose their users to Facebook. Lots of them do it unwittingly too.
That's insufficient as the US CLOUD Act allows the US government to compel a US company to cough up the data even if it is hosted in the EU and subject to EU privacy laws.
The only workaround I could see is one where they would spin out Facebook EU as a legally independent non-US entity (giving shares in it to Meta shareholders) and federate that with FB US.
One example of that would a mandatory paid option which takes you out of all company data sharing stuff.
I dont use any facebook/Meta related platforms such as facebook, instagram or whatsapp. But it makes me sick seeing people around me addicted to it, due to their shady operation patterns.
I’m not sure it this is still the case, but assuming it is, wouldn’t that make for a reasonable argument why it would be “impossible” (a.k.a. possible but non-trivial) to keep the data in the EU?
Ok you would have to make actual legal guarantees that no PII data will _ever_ be processed outside of the EU. given that this effectively means that if you fly out of the EU, or are _routed_ out of the EU, you won't be able to use those services. This is because PII is anything personal to you, and processing means anything that makes decisions, like routing based on IP or username.
This isn't actually a facebook specific problem S3/azure/google and their customers all have the same problem.
but of course yah boo facebook.
the reaction in my circles has been almost universally "don't let the door hit your ass on the way out"
People are not even mad about ads, they are mad at the waste of time and general sense that FB brings the worst out of you.
They need to shift their business, changing the landscape (metaverse) will not change anything or trying to convince people that what they offer is great is a long term losing proposition, imh.
Point being: to all the commenters saying no one cares, a lot more people care than you think.
I still avoid having any meaningful/private conversations on FB products.
Instagram is a bit trickier, but I'm fairly sure people would start making a new one immediately. You could even relatively easily transfer everything and everyone across using the zip you can get thanks to GPDR.
It's the normal folk that care.
As for instagram, things are a bit different. But the way I see it, 1- general population isn't using it. 2- This is not a necessary tool like whatsapp. Something else will fill the void but it will take some considerable time.
But then in the body of their post...
> EU-US data transfers mechanisms poses a threat to our ability to serve European consumers and operate our business in Europe [and] we have absolutely no desire to withdraw from Europe, of course we don’t, But the simple reality is that Meta relies on data transfers between the EU and the US.
I mean, that sounds like a threat to leave to me? If you can't operate your business in Europe? Talk about mixed messaging and double-speak!
If it is a threat or not is a matter of perspective and opinion, but they are implying that they will leave if legislation isn't revoked.
Since public companies get sued for not disclosing risks to investors, there is no winning this.
What's not compliant with GDPR: Store cookies on a users computer, then let others look for that cookie and share the users data with them so they can target ads at you. Collect all that data from different site and create a profile of you that you then sell. You can also not move data out of the EU without guaranteeing to not do that.
Getting in to the article, the language is bizarre: "We have absolutely no desire to withdraw from Europe; of course we don’t." What? Who talks like that.
Exactly - "Dad is absolutely not threatening to leave Mom, it's just that Mom has done something that gives Dad no choice but to leave".
A threat implies an intent which is not here, they are saying they won't be allowed to operate because they can only operate this way.
It's like: "my car can only go to N km/h", it's not a threat they can't go at N+1, but a statement.
(I doubt it's true, anyway)
"we want the internet to continue to operate as it was intended: without friction, in compliance with applicable laws — but not confined by national borders."
We want the internet to be an unrestricted free for all! But also follow the laws ... the ones we like, of course. But not ones from other countries, I mean we all have a line guys.
How am I supposed to read the cookies policy without clicking or navigating?
Huh, if I were a Facebook investor I'd be pretty disappointed to hear that they've known this was an area of active disruption for years but haven't managed to rework their business model to avoid it.
Funny how they try to spin it like there's some "uncertainty", the regulations are very clear, they just need to apply them.
First paragraph: We don't want to blah.
Second paragraph: But if we don't get what we want, we will have to consider blah.
I guess it's time for an update to Betteridge's Law: The more emphatically a press-release headline denies something, the more likely it is to be true.
The EU doesn't care if Meta gets the data of its users but that there is no possibility to prevent that the intelligence services get them too. That killed Safe Harbour.
So blame Patriot Act and Cloud Act not GDPR.
Store everyone's data in Europe then and do your data transfers in the other direction.
In six months, the stock might have recovered (I sure don't think so, though) and we'll see then.