44 comments

[ 2.9 ms ] story [ 99.3 ms ] thread
Could someone explain to me how this should work? For example, if user A living in France makes a post and a user B living in America comments on it. Where should the data of this post + comment reside, ideally?

What if it’s cached by a CDN close to users in a third country, say Japan? Is that illegal?

Data is stored on servers, connected by networks, in various jurisdictions all over the world. If a company wants to operate in a jurisdiction it _must_ comply with the laws of said jurisdiction. If the company chooses not to comply the jurisdiction can impose fines, seek injunctions, pursue criminal trials, etc. That's how it works.

As a scientist I find regulatory over-reach tedious. As a citizen I find corporate illegality unjustifiable. This is not regulatory over-reach this is corporate illegality.

How can a corporation "protect European data from US access" when a European intentionally requests the corporation to publish the data to a US audience?

How can anyone be legal, when the laws of different countries are in conflict?

If you ask specific data to be transferred to the US it can be transferred to the US.

But the profile a companies creates about you, your phone number for 2FA, (group) chats local to the EU, etc. do not fall under this.

Though I'm not sure about public profiles, probably you also should probably be able to select to not share you public profile with the US.

In the case of a thick client app:

> if user A living in France makes a post

The post data would be stored on a server in France.

> a user B living in America comments on it

The user B's thick client app would have to query all servers all over the world that might hold data they're allowed to see, and then render it. It's up to the servers in each country to decide whether the post should be sent to the viewer in question.

When User B comments, their comment would be stored on a server in the US.

For User A to see the comment, like User B, they would need to connect to all servers in all countries to fetch what data they're allowed to see.

Is this cheap and practical? Of course not. But it's possible, just not in the sense we've come to know social media apps.

    When User B comments, their comment would be
    stored on a server in the US.

    For User A to see the comment, like User B,
    they would need to connect to all servers
    in all countries to fetch what data they're
    allowed to see.
Since A is in France, how would the server of User B - who is in the USA - know what A is allowed to see? If no data about user A is allowed to be stored in the USA, the server in the USA can not know who A is and what they are allowed to see.
> If no data about user A is allowed to be stored in the USA, the server in the USA can not know who A is

IANAL, but to my best knowledge, holding one-off data in memory is repeatedly defended in European courts as not storing data. This is from the top of my head, so treat it as "probably wrong".

All in all, the whole thing is a bit of a circus, really.

How does "one-off data in memory" come into play here?
It doesn't need to be nearly that complicated. You never need to query every server. The post stays on the server for the poster's country. Every comment attached to that post gets an anonymous number/tag (this already exists). So each post is stored as a post and an associated list of numbers/tags for comments. When rendering, the user's system fetches the post, gets the list of comment numbers, and pulls the comments from the various country-specific servers. The servers in each country take the incoming request and decide whether the data can be sent to the requesting country according to their own local rules/laws. This need not be complicated. It can all be handled as basic HTML stuff.
I don't think this passes. Anonymized post IDs still are information about a person. You can piece together posts & likes and conclude with good accuracy that a specific person is making the post. As an example, if me, My Mom, and my brother's girlfriend all like a post it's likely that my brother made it. That makes those anonymized IDs personal information based on the GPRD definition:

“any information” “relating to” “an identified or identifiable” “natural person”

https://gdpr.eu/eu-gdpr-personal-data/

Ultimately the problem is that the GDPR is written broadly enough to encompass basically everything.

> Anonymized post IDs still are information about a person.

I don't disagree with your general thrust, but I think there's some imprecise terminology here. No, anonymized post IDs are not, themselves, personal identifiers. A simple list of all UUIDs of posts in your table, for example, is not personal data. It can't be used to determine who made a post, there's no time data encoded there. It's just a list of handles to go get data somewhere else.

If you store a user identifier, then it's personal data. Even an anonymized user identifier could be used to perform network analysis if it is used more than once. Using it only once is fine, but at that point it's just a post UUID with extra steps.

Where I will go farther than great-grandparent is that GP is right and you don't have to run a full-scan of everything every time. It would be legally permissible for Facebook to store, in the US, "if you can see post 227, you should lookup the following: comment 383, like 398, comment 442, like 721". As long as there's no association (even anonymized) back to users, knowing that an event happened is not, itself, personal data. Even knowing times is fine, as long as you don't know who did it. That of course has a much broader sense than just storing user ID, you can't store IP address or anonymized user IDs or anything else either, but a list of object UUIDs and relational data between them is not, itself, personal data.

The implication of this is that it would be generally permissible to store what are essentially post-to-comment and post-to-like indexes in the US, meaning you don't have to full-scan everything every time. You can't attach user info to them, and you very obviously cannot just store everything in the US anymore, but storing relational data between non-identifiable objects is legal - of course "non-identifiable" is doing a lot of work in that sentence, but if I tell you "post 227 exists, and has comment 383 and like 398 in my database" that declaration does not, itself, mean that the EU is coming after me for GDPR violations. You don't have the content, and you don't have any metadata other than a completely unidentifiable object tag that cannot be correlated to any user by any means.

It does mean that you'd probably want to partition your data according to some reasonable shape, like localizing comments/likes/etc to the same server, but you don't have to scan everything just to find out if there exists any match ever.

It would also be permissible to store a place where you could go to look up that identifier, as long as it can't be correlated. So it would be fine to say "post 227 exists on shard A123X", as long as that can't be correlated back to something like geolocation. If you can backreference from shard A123X to that post being made by someone in Paris France, that's a problem. If your user-to-server mappings are randomized such that a French user's comments might end up in a server in Belgium, that's probably permissible to store the shard location even inside a US server. If you don't randomize like that, the lookup data would probably have to live in the EU as well.

There is, unfortunately, a huge amount of "don't wanna!" around this issue in the programmer community and on HN in particular. The GDPR is perceived as onerous because it outlaws some data collection practices that generate a lot of revenue (directly or indirectly - such as providing insight to guide decisions), and programmers have decided that means it's impossible to comply. It's not, it's just impossible to comply while doing the things you were doing before, because they were socially harmful and were specifically outlawed by these regulations.

It would be a lot better for industrial businesses if they could just dump their toxic waste in the river too. Their business model doesn't work if they can...

>No, anonymized post IDs are not, themselves, personal identifiers

It's the set of users acting on a post that can be used to identify the poster.

(comment deleted)
You can't tell the users that acted on a post from the mere UUID of the post itself.

Knowing that this is HN thread 30427711 doesn't give you a set of users who acted on that. For example, a hyperlink to this thread, or posts within it, is not personal data.

You'd have to go to the HN server and ask them for the data - which is personal data, but the post ID itself is not, it's just a handle.

Assigning UUIDs randomly instead of sequentially strengthens this further because there is no way to pull out even a time component from the post ID.

>Every comment attached to that post gets an anonymous number/tag (this already exists).

In GDPR parlance, that's called "de-identification", not anonymization. Basically, if there's a risk you could piece together someone's identity from abstract IDs, even by combining various abstract IDs and doing some deduction, it's "de-identification". Recent GDPR decisions basically treat de-identified data as a form of personal information and subject it to many/most of the same requirements, including the prohibition on transfers to the US.

(I'm not saying this approach is wise from a policy or technical perspective, but that's the way it is.)

The id is unique to the post, not the person who makes the post. It is no more personal than an entry in a FAT or a pointer to a variable somewhere else in a system. Each entry on HN has one. This post's id is 30435822.
> Could someone explain to me how this should work?

I think the general idea is that Facebook and co. will need to spend their lobbying influence and dollars on getting FISA and the CLOUD act changed to allow them to make the necessary privacy and integrity guarantees for the European user data. And/or for the US to make those changes to get or keep the same kind of market access.

The former is unlikely at best and the latter would require the kind of "giving in" that the US gov does not like to do. I think continual can kicking or eventual EU capitulation is more likely.

How do you think the EU can give in here? They've tried it twice and European courts have decided twice that it's impossible.
I mean, the courts have decided it's impossible in the context of current EU laws. The EU could always change those laws. But I think the likelihood of that is low, both because they're for relatively popular (in Europe) goals, even if the malicious compliance outcomes themselves are somewhat unpopular, and just the EU's makeup in general makes it a very slow moving body and it'd be relatively hard to get the agreement to reverse here.
Schrems II is based on the argument that there is no due process for EU citizens to even check if data collection in the US is legal. That's a constitutional argument, it doesn't help to change laws. Or, well, as "constitutional" as it can get with the EU.
FB needs to find a reputable country with privacy laws that are valid in EU and that does not have data funnels into state agencies or giant companies, then FB can move everyone data there including US citizens to be always protected.

I think Microsoft, Apple and others have done similar think to obtain approval for some of their products so is not something new but FB can decide they can pull out or try to work with the other giants to demand that non-US citizens deserve privacy and basic rights.

That country is the UK. The EU has an "Adequacy Decision" for the UK, meaning that GDPR does not restrict data transfers to the UK. And the UK's Adequacy Decision for the United States still exists (Schrems II happened after Brexit).
EU and other non EU countries will have to check if there is no loophold, I personally don't trust UK , the last shitty thing that comes to mind is their illegal treatment of Assange - it shows to me that UK gov loves(or maybe needs) to sucking up to US.
If the UK company leaks all user data to the US, the EU is going to revoke the Adequacy Decision in a couple of years.
This depends on how things in UK will develop. There are some powerful actors in the UK who want to weaken those laws. The current legal framework between EU and UK won't work forever (see especially Ireland) and will need changes, one direction or the other.
There is no "should" work. Law is full of contradictions, because law is not science.
Within the EU would be the safest bet.

That being said, GDPR isn't purely a data localization law - that's merely an implication of broader data export rules. If a court were to interpret public posts as private information under GDPR, then the solution would be that the user in America doesn't even see the post, because retrieval would count as a data export.

However, I'm not sure if this interpretation would fly in court. Most of the Schrems II cases focus around analytics, CDNs, and ad-tracking - i.e. the sort of things that just happen automatically and users don't get a say in[0]. Presumably, if a French user wanted to DM an American[1], whatever data transfers are necessary to send that message along would be legal, but nothing further. So we wouldn't be banning Americans off of Facebook, but Facebook couldn't use US/EU messaging as an excuse to ignore GDPR entirely.

GDPR data export rules are not specifically targeted at Americans. They apply to all third countries, America just being one of them. If you pass GDPR in your local law, then unlimited data exports are permitted[4]. However, that would probably require you also have the same data export rules, which would also mean you can't export data to other third countries that don't have them. Furthermore, while I postulated scenarios in which a data export would be necessary in order for the service to work at all, you probably couldn't use those justifications to ship data to arbitrary non-GDPR third-countries. i.e. DMs can flow between America and the EU, but the CDNs probably need to remain in the GDPR-o-sphere or America.

That being said, there is the potential for further legal hijinx. If the US absolutely insisted on "privacy is for US citizens only"[2], they could pass contradictory privacy rules that made compliance with GDPR illegal. This would cut the Internet[3] in half, and make it illegal to offer any sort of service in which Americans and Europeans interact. And the US is the king of making economic sanctions watertight - it's our primary engine of soft imperialism. We don't roll tanks, we just make it very painful for any country to trade with you.

[0] Unless you maintain a really, really victim-blamey definition of the word "User-Agent"

[1] Despite France's stereotypical anglohostility, such people do exist!

[2] This is the current operating mode of most intelligence agencies and trade representatives. Internationalism without international citizenship is a recipe for the erosion of democracy.

[3] Or, at least, the Internet of countries that don't have restrictive national censorship policies

[4] In your specific example, the EU Commission ruled that Japan's data protection law is adequate... but it's not entirely GDPR. And the EU Commission are the same people who thought US Privacy Shield was OK. So at this point I'm going to say get a bunch of lawyers if you really need to know the answer to the question of "can I export data here".

What if an American is traveling in Europe and makes a post? Or a European is in America? What if they actually moved and aren't just traveling?
Facenook, Meta, Google and others will slowly but surely get the squeeze in any way possible. They did EVERYTHING they could to get away from privacy laws. Their sleazy attitude, they contempt for regulators "we have more money than your own country and we will litigate until you run out of money" has worked. Arrogance paid off. Until now. The Feds did not catch the mob bosses killing or stealing but they eventually caught them and indicted them on tax evasion. You see the same thing here. Countries will use any tool they can, and there are plenty: store the data on servers located in our country, etc... It will never end. On the top of the Apple squeeze...
correct me if im wrong but this is not about privacy laws, this is about the US govt being able to force US based companies to share data on non US-citizens.
yes, that's the main point why the US doesn't count as safe harbor and any "contractual agreements" are not worth much as US companies can't "opt. out" of US law.
And you wouldn't call that privacy?
its because of their national security interest though, which I respect in principle, and the parent post was talking about the companies themselves tracking the users virtually without consent. to me those aspects are very different
The ruling is focused on Meta, but the order establishes a precedent that applies to ALL American companies. I'm sure Facebook, Google, and Twitter can eventually re-architect their systems and data centers in some way to comply with this, but this is going to be an expensive and technically complex piece of regulation for your standard American company to comply with if they want to operate in the EU.
It's also not surprising.

More or less the same curt decisions where already decided 2 or 3 years ago.

It was just that due to legal shenanigans the legal consequences of this decisions where delayed by a few years.

> led to threats from the social media giant to pull its websites from Europe.

Please do. And also from the rest of the world, while you're at it.

That’s easy to say when is the service you don’t use or care about. GitHub is as much a social network as Facebook so what if they just became immediately inaccessible to EU countries?
I'd fully switch to gitlab.
I don't understand. US "agencies" can have dedicated access to run queries on "meta" data from the US, namely where that data is stored does not matter.

For instance when microsoft "teams" want some professional network of people information for a "prospect" (competition sabotage, ppl to flood with money to get "what" they want, etc, you know: "business"), they just need a dedicated access to "linkedin" data, whereever it is stored (and "linkedin" data servers are theirs). Ofc, if they "partener" with "meta" to cross-share their data, they could also get extra-professional network of people info to be more "effective", or have better corelation. Let's push it a bit further: with "uber eat" (which they own) they could intercept some food delivery for "prospects"... ok, I am going too far now :)

Your use of scare-quotes makes it impossible to get anything of actual value from your post.
If Facebook has physical servers / datacenters in the EU, they're clearly subject to EU regulations: If they get fined by European courts, that stuff could be seized / sold to pay the fines, or employees on European soil could be arrested.

How does it play out if Facebook thumbs their nose at EU regulators and just says "We'll do what we want anyway"?

What if they just shut down their servers / datacenters on EU soil, lay off all Europe-based employees, and set Facebook's DNS to IP's of US-based servers (or otherwise non-EU)?

Could EU courts order European ISP's to block Facebook at the DNS level or blackhole traffic to Facebook IP addresses?

Could the situation reach a point where Facebook executives -- or even rank-and-file employees -- risk being handcuffed and sent to a European jail if they go on vacation to Europe?

To begin with, it would be prohibitly expensive, as in fines at the level of 4% of Meta's global revenue. Further consequences could be repeat fines.

Not paying the fines would most likely result in actions like preventing European advertisers from paying for Meta's services.

I suspect it would also open up for outright censorship in some individual member states. There's a lot of politicians who would be happy about limiting their more SoMe-savvy colleagues from using Meta's services to reach voters, or to stop fake news as well as legitimate opposition media.