Under GDPR an EU citizen has right to request the details of how their personal data is collected and processed. This and, for example, checking the traffic with your data (eg IP address of sender of an email from CRM) would be enough.
The DPA has powers of subpoena. They can basically raid the place. Usually, companies don't want this to happen and they co-operate. How exactly did the DPA know that Uber processes all data in their central IT department in the US? Uber probably told them and didn't try to pretend they have any local hardware or entity in charge of it. That would be a stupid thing to lie about?
In any event the fine is mostly for not having adequate protections in place. Those protections? Better contracts between wholly-owned subsidiaries of Uber. So, not much protection at all! This is very much Uber shooting themselves in the foot by not doing their homework. Again.
The investigation report isn't included. It may surface if Uber decided to right the fine and take it to court. Or, if some-one takes an interest and tries to get it via the local 'freedom of information act' equivalent, though that might take just as long and will result in a heavily redacted version being made available.
> In other words: the inner workings of a company are by definition a black box and only an insider can leak screenshots or damning data to prove they break a law in the first place.
In reality, no one gets fined based on whims and wishes, but after investigations, just like in this case:
> The DPA said it started the investigation after more than 170 French drivers complained to a French human rights interest group, which then filed a complaint to France's data protection watchdog.
> Under the GDPR, a business that processes data in several EU countries must deal with the data protection authority where its main office is located. Uber's European headquarters are in the Netherlands.
Seems the investigation uncovered that Uber didn't process data in their European headquarters but instead sent the data to the US, otherwise there obviously wouldn't be any basis for the fine.
If a company operates in a country, they have to agree to audits. In this case - and I can't find any details about it - a group of French drivers made a complaint, presumably because they were aware that something fucky was going on with their data. It was enough of a lead to trigger an audit, to which the company has to cooperate with.
> If compliance or braking a law is simply some S3 buckets with a different latency and “zone” then breaking the law becomes trivially easy to do. And devilishly hard to check.
If it is a genuine mistake the fine would be tiny if there would be a fine at all. At least that is how it has been in other cases. A this big fine indicates that the DPA found serious negligence or willfulness.
So, what's your point? The same thing applies to insider trading, forming a cartel, or running a protection racket. Willfully not complying with authorities tends to be quite bad for your business, especially when you've already been investigated for breaking the law before.
The DPA has previously fined Uber €600.000, €10.000.000, and now €290.000.000. Do you really think they won't do a follow-up investigation and issue another fine if they are found to still be in violation?
There are actually many ways to look inside a "black" box, for example: an employee with high moral qualities might leak the info, or a company might send an email containing person's name from an US server, or an mobile app can be reverse egineered, or data might be available via foreign API server, or hackers might publish the leaked data, etc.
> If compliance or braking a law is simply some S3 buckets with a different latency and “zone” then breaking the law becomes trivially easy to do. And devilishly hard to check.
It's always trivially easy to break the law and not get caught for it.
I'm currently in a small village and if I want to break the law right now I can go outside, get in my car, and accelerate to 90mph along the 30mph road running past the house. I'd probably get away with it too.
But I wouldn't be doing it by accident: I'd be doing it because I'd chosen to.
In the same way, whilst I could configure an S3 bucket in a different zone, I'd have to choose to do that. It's not that easy to get it wrong.
I mean, relative to what? Most serious crimes I can think of have a hard-to-crack black box around them.
Is it any easier to investigate violent crimes like murder? Financial crimes? Organized crime? Smuggling? Fraud? Criminal negligence (like food or environmental contamination)?
I do agree though that with current cloud infrastructure and engineering standards it is rather easy to do accidentally.
Love it. Maybe one day U.S companies will learn that while they can steal and sell their own peoples information as they please, and they'll even have their own people brainwashed into such a state of stockholm syndrome that they will defend the corporations ability to do so, that's not the culture EU has, and it won't fly here. Corporations are not the peoples identity here, privacy and safety however are.
China is by basically all accounts running rings around the US, based on current behaviour, whilst being a much more authoritarian regime.
America loves to pretend that no other data points exist so they can attribute whatever good performance they’ve historically seen to whatever supposed cornerstone of American life is advantageous to make whatever point they want to make.
I don’t think this kind of « threat thinking » is true. « We find ways to steal from you and it’s still good for you because otherwise you will be left behind without us ». It’s kinda feels like bullying to me
Well, they are UE citizens (at least a chunk of it).
Following your reasoning, then the whole legislation is moot, and all European citizens data should be sifoned in the US without anyone complaining, because "hey, I'm in the UE so you cannot touch me", no?
If what they do with data is not "theft" then why this there US laws and contracts to regulate and authorize the use of datas every time I use a new US based service, app, game ? As we see from LLMs, data has value, sometimes probably more than a car. And if it’s worthless, why Uber took the risk in the first place ?
It’s not from us to explain why would drivers be worse. It’s from the one who took the datas to explain why would drivers be better. Because if they would have been better I guess Uber would have done a marketing campaign around it to talk about the benefits instead of doing it this way without anyone noticing.
I would love it if companies from the U.S.A. left the EU. Not solely for the economic boost it would give local competitors (who have all but shut down when U.S.A. companies came), but also because they clash with our culture in negative ways.
I love the mention of "innovation". What innovation? All the areas of innovation that matter to the EU people, the U.S does not have. 0 federal paid holidays, almost non existent maternity leave, encourages unpaid overtime (something that is illegal in most of EU). Innovation in regards to corporations ability to screw over their own people for monetary gain is not something we're interested in, that's the U.S mindset - money and success before anything else, including personal freedom, employee rights, and so forth.
It's almost funny whenever this argument comes up. In most EU countries Uber isn't even the biggest ride hailing provider. In this space and every other, there's plenty of competition that would celebrate if any company left the market. There is no figurative void that would be left behind.
Maybe there's innovation somewhere, but putting third world migrants behind the wheel of rental cars isn't it. In any case, there are EU companies to pick up the slack (i.e. Bolt).
> Even though the rules are great, I'm just not sure if it will be good or bad long term for EU.
We can speculate this all we want, but I think it's fair to say with confidence that leaving companies unregulated (or poorly regulated) is bad for everyone in the long term. A slightly different example is the poor enforcement of antitrust laws being one of the reasons we have the tech oligopoly we have today with Apple, Google, Amazon and Meta.
What is the actual innovation of Uber outside of trying to push the competitors out of the market with investor money? (this isn't anything new/innovative either)
We had app based ride hailing services before Uber and still have them so it can't be that. Surge pricing also has existed before them.
What price is it worth paying for innovation? Innovation just means "new", not necessarily good or beneficial. If the innovation is for companies to be able to do anything and treat anyone however they like in order to make large profits for very few people then we don't want that innovation.
No, you see US-headquartered multinationals have a God-given right to freedom, including the freedom to smuggle customer data overseas. God bless America.
The following example isn't a tech product, but it demonstrates the outrageous anticompetitive practices some of these monopolies engage in to suffocate people who are just building their own shit:
Fair point; I should have clarified I wasn't really talking about Uber, specifically, but about American products (e.g. Windows and MacOS) in general :)
As a consumer, I can't visit every factory to check if the pasta isn't tainted with lead, if the chicken meat isn't full of antibiotics and hormones and if the webapp I am using isn't selling my data.
We have market regulations for reasons. Companies that won't comply should be punished and if it's a repeatable offence they should lose a license to operate in EU.
I urge you to read "Technofeudalism" by Yanis Varoufakis or "The Internet Con" by Cory Doctorow to appreciate why this is extremely difficult for consumers and entrepreneurs, and not just an inconvenience.
Instances like this really make me feel that capitalism is devoid of any morality. If there's no law guarding it, a company will abuse its power in order to make more money. It could be a morally good thing, a morally bad thing, it doesn't matter: more money is more money.
It feels heartless. I wish there was a better system.
We have tried systems based on some seemingly absolute moral codex. Some parts of the world are still doing it. Unfortunately it always comes with brutal ways to kill arbitrary groups of people.
No. If you go looking, you will find plenty of counter-examples in History. You just made a statement that the top handful of catastrophic examples were representative of the bunch.
You have massive selection bias in your sample. “Morally-based decision ends well” is not exactly something that makes headlines or that is seized upon by historians to explain memorable cataclysmic events.
You don’t need to be an ethics expert to see a difference between moral principles that lead to suffering, and moral principles that don’t.
Waving away all morality in moral nihilism is teenage-level ethical sophistication.
You are carefully trying to stay vague and are avoiding to name even a single counter-example. You are just claiming that my examples are wrong. This is the definition of a "No true Scotsman" fallacy.
Name one non-capitalistic system more moral than the currently existing ones.
All rankings trying to quantify morality and order societies by it, are consistently topped by social market economies, a form of capitalism.
> Waving away all morality in moral nihilism is teenage-level ethical sophistication.
It is also something I have never done. With the edits to your post, its nature became more and more apologetic to dictatorships. I hope this was not what you have intended.
It looked more and more like you wanted to say that morals are not an "all or nothing" thing from where it is easy to leap to being apologetic to just a little bit of (systematic) wrongdoing. But judging from your reaction, this is not what you were trying to set up.
Not at all. The main thread of my comment(s) was that moral value judgments are extremely prevalent. In fact nothing actually happens in society without someone making a value judgment. And most of the time nothing particularly crazy happens.
It’s easy to point to some barbaric act and say “see, this is what morally motivated policies result in”.
But in reality, moral value judgments are all around us in the most mundane of places. It’s moral value judgments that cause us to have anti-monopoly laws. It’s moral value judgments that cause us to configure tax codes one way or another. It’s moral value judgments that cause us to appreciate the things that capitalism gives us. Etc etc. You can’t escape it.
I'd agree, hence that's why I said I wish there was a better system. I don't know it either. Although it might be an uncomfortable truth for me, capitalism isn't great either, but I do think it's the best system we have.
I'm currently reading a book called "Technofeudalism" by Yanis Varoufakis that investigates things along the lines you've said. My main takeaway so far is "Capitalism" hasn't always been one thing and it has evolved over the years. Capitalism of today isn't the same as the capitalism we had before the oligopolies and cloud giants, and that makes me thing differently about the statement "capitalism isn't great either, but I do think it's the best system we have."
I'd agree. It's hard though, political landscapes change. Well intended companies can also change as they get bigger. I guess in that sense it's all in flux, including capitalism (as it's only enabled through laws and regulations).
Capitalism is absolutely amoral, and has always been.
I'm honestly curious (and adding this as a disclaimer to be clear it's not an attack): why would you think there was any shard of imbued morality when the whole point of the system is based on greed?
Of course it is! What system has a heart? Systems are systems, not something that's capable to develop and cultivate and apply empathy. And even then, it could probably be gamed, like any other system. The need for checks and balances in a system is normal. In fact, I use this to judge how humane a system is. Is there a way to express feedback, to enact changes, to revise decisions, to compensate for damages? If so, then it might be not such a bad system. If not really, then that's most likely not a good system.
The surveillance systems in the EU are just as invasive, and frequently moreso, than in the US.
This is largely a false meme, an urban legend. There is no meaningful privacy difference between Europe and the US.
This is simply a money grab; it won’t move the needle on privacy one bit. You’ll still be surveilled everywhere you go in Europe by the state, the mobile operators, and most of the other apps on your phone.
Furthermore, it doesn’t matter if the data stays inside the EU or not. Google collects the same data and the US intelligence agencies can compel them to access the data on EU citizens, stored on EU-located Google servers just the same as if it were in Mountain View.
In Germany they're Schufa, Rundfunkbeitrag collection service, copyright predators. In Poland I don't even know the names, but if you ever leave your phone number at any doctor, dentist, or blood test lab, starting from next day you'll receive tons of phone calls offering "free products", invitations to "product presentations". Especially if your age is > 50.
> In Poland I don't even know the names, but if you ever leave your phone number at any doctor, dentist, or blood test lab, starting from next day you'll receive tons of phone calls offering "free products", invitations to "product presentations"
I don't know where you are getting your information from but that's not true.
Personal experience of mine and within circle of my acquaintances. Most of the times there is some "GDPR form" you have to sing to receive any service. The blood test results leak from time to time as well. We might be living in different Polands though.
So, it’s anecdotal to your circle. Maybe you're just using some shady providers? Because that’s not my experience or the experience of those in my circle. You should be more careful when buying stuff online; this is where these things happen, not in doctors' offices.
Nope, it's the healthcare service providers. What do you mean by "shady" how do I recognize them? The blood test lab where local legit doctor sends blood is shady?
> careful when buying stuff online
I know what I'm doing online. You sound like communication from most of retail banks.
If my experience differs from yours, where you claim that something illegal is happening, it obviously suggests that you might be using some kind of shady services. The only time I've had experiences like the one you’re describing is when I was using online shopping or other non-medical services.
If you are so certain that you are right and that you 'know what you are doing online,' have you reported this incident to law enforcement? It would benefit everybody. Could you also specify which healthcare service providers you believe sold your data? This information could help others avoid using them.
If that's really the case I recommend what I've done on the few instances I had my contact details shared between 3rd parties for marketing without my consent here in Sweden, contact them explicitly stating you want them to:
1. provide details about how the data was collected according to GDPR's Article 14 paragraph 1, I also request the information they should provide as delineated by paragraph 2.
2. send you all the data related to your person according to GDPR's Article 15.
3. complete erasure of all personal data they have collected in accordance with GDPR's Article 17.
So far I have not had to contact the Swedish DPA since the few times it happened the companies actually followed my GDPR request.
Edit: and even if you have given consent through some GDPR form you can withdraw it at any time, contacting the company with a GDPR request and explicitly stating you withdraw all consent to their processing of personal data should be enough.
I think you’re reaching and acting like Americans don't understand the implication, we just don’t consider it something that’s bad. We are allies on a global market and therefore treat you no differently. This is why the US is concerned about data islands with China, but has no problem with European countries and companies with US data.
Clearly the American capitalist strategy is working since all the products you keep regulating are made in the US. I’d welcome
Europe to make some alternatives to what the US is providing before you just unilaterally say we’re immoral and wrong, because currently if all the US companies got fed up enough with the regulation and for some reason pulled out of the market it would cripple the digital life you’re used to in Europe.
Revenue has to come from somewhere otherwise a company can’t grow. “Enough revenue to survive” doesn’t incentivize the kind of rapid business development that consistently comes out of the US versus Europe and is just a naive economic worldview. You have to either sell user data, serve ads, or sell the product wholesale or a subscription. Currently the market (including European users) have decided that they’d rather click skip on an ad and have their usage data sold to drive those ads than pay for the product.
Since GDPR every interaction with public administration, healthcare, and employer within EU results with additional form or two "oh that's just a GDPR form, you have to sign it". I imply they are all malicious as well?
In fact, yes. It’s malicious in the vast majority of cases, with behavior patterns quite akin to cons where you are made into signing something under time pressure and are actively discouraged from asking questions.
I had maybe one occasion where upon asking questions about how long they store my information and who exactly they give it to, I actually got answers and learned something. It was a dentist office, and by that time I had been visiting them so often that we were practically friends.
The rest of the time (mostly in hotels), they didn’t like it very much that I took time to read through their GDPR forms and actively withdraw my consent from optional things, of which there was like 85%, and some dealt with sharing my data with undisclosed marketing partners. Some of this, especially the undisclosed bit, I think, is a no-no under GDPR, although a lawyer may promise you a way to weasel out of trouble.
Note that when you deal with public administration, depending on the country, they may have you sign something to the effect that if they fine you and you don’t pay, your data will go to a debt collection firm, at which point you may assume it goes to all of them, because they trade debts between themselves, too. And of course, those share data with further companies according to agreements between themselves to which you are not a party, so I’m wondering if there is/should be a way to curb them…
Yes, because there are specific exceptions in the GDPR that allow data processing and storage in many of these cases. However, managers are pissed off by the law, or just ignorant, and they make you sign a document that has no legal value.
Heck, many documents that I saw while interacting with P.A. in my country are lacking the basics, such as "what are you doing with the data".
One clinic once made me sign a document where they said that I received a copy of the privacy policy (which was not given to me). I politely asked for the privacy policy, and they sent me the entire GDPR regulation PDF. I spent one hour explaining to them that they need to fix it.
In another article (https://nos.nl/l/2534629, Dutch language) Uber claimed to have been talking to the Autoriteit Persoonsgegevens about what they said was an “unclear law”. Via iOS Translate:
> A spokesperson for Uber explains to the NOS that they have also contacted the AP themselves about the ambiguity surrounding the privacy rules. Then, according to Uber, the watchdog didn't say that the company violated the rules.
Which is all fine and dandy but the rule really is that if it’s not clear to you (as a rich and well-lawyered company) that something is permitted, that doesn’t give you the right to then do it.
And yes, the fine really has to be this high: fines can never be just a part of doing business; colouring within the lines has to have the attention of everybody involved, from the shareholders on down.
> The appeals process is expected to take some four years and any fines are suspended until all legal recourses have been exhausted, according to the DPA.
Palantir runs on the customer’s own cloud, or a major cloud provider of the customer’s choosing in the region of their choosing. There’s no data aggregation/sharing across customers, it works similar to AWS.
Can anyone explain how this relates to the EU-US Data Privacy Framework (also sometimes called the Trans-Atlantic Data Privacy Framework)?
I thought that that framework was supposed to allow this (as a replacement for the EU–US Privacy Shield framework)? Presumably this wouldn't have been a problem under Privacy Shield (i.e., pre-2020), or am I getting that wrong?
Basically the framework, like the Shield before, is the Commission trying to show "look, we fixed it".
Sadly, for the previous two times, the ECJ pointed out after the fact that no framework can fix the lack of data privacy law in the US, and that as such, the Shield, just like its predecessor, was not allowing what it claimed to do.
The Framework has not been tested in the ECJ so far, but the US has not significantly altered its laws so...
Thanks. So basically the new framework hasn't accomplished anything that can be relied upon when architecting a system to reduce the risk of GDPR compliance issues?
This article[1] by the Dutch DPA has some details about it: The Privacy Shield was invalidated in 2020, leaving only the Standard Contractual Clauses as a valid transfer tool. Uber stopped using Standard Contractual Clauses in August of 2021, before adopting the new Privacy Framework in 2023. For a period of two years they were transmitting extremely sensitive information without a valid way to do so.
Thanks. That gives a lot more information. With respect to the new framework, the article you linked to just says "Since the end of last year, Uber uses the successor to the Privacy Shield." Do you know if the Dutch DPA endorsed the new framework, or did they leave it ambiguous/unresolved as to whether post-2023 transfers are GDPR compliant?
I don't think endorsing the new framework is something the DPA does. The EC declared the new framework adequate[1], Uber got certified for it[2], so there is now a valid method in place for Uber to transmit data.
We are fortunate to have lived through a brief period where the internet was truly a global network. A person in the Netherlands or Nigeria [1] could access the best technology services the world had to offer. People could more or less interact freely across borders.
Obviously this is coming to an end. Every fiefdom wants their cut and their say, to the point where the internet being a global network is obviously becoming inviable. It was fun while it lasted.
Well, I'm not sure that I'd equate "freedom" with companies exploiting people's personal identifying information and selling it for their own profit. Personally, I don't want my information that's protected by GDPR in my own country to be smuggled into another country where there's almost no legal protection for someone's data/privacy.
And this freedom was ended by companies like Google and Facebook who abused this freedom forcing governments to act. Internet was at its worst right before GDPR. I don't think we will ever get back to the old free Internet and instead we will have this power balance between big corps and governments.
Like with any new frontier. There's age of exploration, then the age of exploitation, and in the latter. Even if the former is usually funded by commercial interests, it's in the latter that they finally suck out everything that's nice and fair and fun about the venture. We're at this stage now with the Internet.
The US still does not have legislation to protect Personal Data like the GDPR.
That did not prevent the corrupt European Commission to issue a third variant of the Shield to still allow american corporation to send data of EU citizens to the US, despite the Schrems2 ruling.
Freedom to some means creating a startup that willfully ignores regulations in virtually every market while playing a funding ponzi game until finally handing the consequences off to the foolish public (IPO).
You've missed the point of my comment. It has no normative claims, unlike your angry invective about rights. I'm just pointing out that the inevitable consequence of these new regulatory regimes is a nationally siloed internet. You can feel however you want about it; maybe that's a good thing from your perspective. But it's happening
These laws have been created for good reasons, and US tech companies have had free reign to trample on people's privacy rights for a very long time.
If a company acts in a honorable way, there's nothing to fear and they can easily do business world wide. It's when companies do things that are shady and should've been outlawed from the start that they run into trouble. The main issue here is that the US has the least restrictive laws and allows its citizens' privacy to be grossly invaded, which means these companies now feel like they're being unnecessarily restricted.
If the US had stricter laws, this would be a non-issue and you wouldn't hear anyone about it. It's all very myopic and US-centered to focus on the company's freedom to do as it pleases. What about the users' freedom to live without being spied upon? Free market rules don't apply - the network effects are too big to really say "you can take your business elsewhere if you don't like it". Also it's a transparency issue - it's too hard to tell from the outside how your data will be handled to make an informed decision about what companies to deal with. Especially because all of them treat your data like they own it, as a cash cow.
> It's all very myopic and US-centered to focus on the company's freedom to do as it pleases.
The Dutch DPA is not accusing Uber of doing anything nefarious. They are mad that Uber, as an American company, can be compelled by the US government to hand over data. Ultimately, their beef is not with US companies, it’s with the US government.
This is all wildly ironic because the EU is constantly trying to spy on their own citizens and undermine encryption. The EU is just upset that the US is able to do it instead of them.
This is just companies being caught in a geopolitical spat between competing powers. The EU keeps moving the goalposts on what constitutes “safe” transfers (we’re on the 5th round of this). So there’s no way for companies to be compliant unless the US government changes its laws. So right now it’s just a lever to extract money from US corporations via never ending fines.
The US government and the EU need to sort this out. Blaming the companies shows a total lack of understanding of the real situation. I get that we all hate big tech now, but there’s literally no way to comply in good faith with these competing EU cash grabs over the shifting specifics of how you can transfer data to US servers.
"These cannibals keep eating people because their country's laws allow it. It's not right to blame the cannibals, the governments should figure it out."
There is no actual OR theoretical harm from the companies. Only theoretical harm in the event the US government decides to spy on an EU citizen.
The correct analogy: “There’s cannibals in both countries governments. Country A claims Uber hasn’t done enough to protect from Country B’s government cannibals.
This ignores the shifting rules around proper data transfers to the US, but you wanted a pithy logical fallacy, so there you go.
Since the company getting fined is also the company that spied on police car positions in the US I don't think that this type of shady behaviour helped in showing good faith in this case.
That's a nonsensical load of hyperbole, pardon my French. It's not particularly difficult to be careful with personal data, it's just inconvenient and prevents all kinds of uses that can make you money - which is why US corporations would prefer to not implement it. But if you want to do business in the EU, you need to play by their rules. Simple.
I have soberly explained the actual situation to you. I know it’s impossible to have a rational conversation about privacy on HN and my comments go against the narrative everyone has stuck in their heads here, but I urge you to look further into this issue.
This is an ongoing geopolitical spat and compliance in good faith is currently impossible.
I have spoken to many lawyers about this. Any US company operating in the EU is at risk of constant fines no matter what you do, due to this geopolitical issue.
> Any US company operating in the EU is at risk of constant fines no matter what you do, due to this geopolitical issue.
So why don't the poor trillion-dollar supranational corporations do anything about it?
I can tell you why: they are happy about this. And you can often find they sign their support for these laws in the US.
--- start quote ---
The CLOUD Act primarily amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil.
The CLOUD Act received support from Department of Justice and of major technology companies like Microsoft, AWS, Apple, and Google.
At my company, we do business in the EU. It's a wide market with many opportunities. We're extremely careful with personal data: we do not intentionally collect user data, we do not share data with any third-party (and certainly never sell it)!
Importantly though, the law does not suffice with "careful". We *think* we have our bases covered and are careful to try to ensure they are but we're not sure how to *know* our bases are covered. There's the fear that some logs that we believe are anonymous might be considered identifying by some data scientist armed with techniques we've never heard of. There's the concern that some third-party library might dynamically pull in a font-set that comes from a US-based CDN based on some user configuration that we don't foresee. There's the anxiety of asking "Did we forget something? Is the DNS server in us-east-1?" when trying to roll out new features.
These are all strawmen, but they represent the kind of anxiety we feel. Having done our best to respect the requirements and the spirit in which they were written, there's the fear that we were imperfect in our awareness and that that something could cost us a fine that would have gone to someone's salary.
I would very much condemn the indiscriminate collecting, reuse, and selling of personal data, but I would also caution that those of us wanting to play by the rules find them lacking in precision.
> These are all strawmen, but they represent the kind of anxiety we feel.
No idea why you would feel the anxiety. If you're found lacking, you will forest get s notification from the DPA asking you to remedy the situation. You wont even be fined
Government spying on citizens is one thing. Companies is another. GDPR applies mostly to the latter, and in practice, today, most people in Europe aren't being harmed by their governments spying on them, but they are being harmed by private business abusing personal data.
>The EU keeps moving the goalposts on what constitutes “safe” transfers (we’re on the 5th round of this)
This is a wrong phrasing of the problem: The US is not, and has never been, a safe haven to transfer personal data to. However, it would significantly impact trade (and policing) concerns between the EU and the US if that statement were to be treated seriously. This is why the European Commission and the Parliament have repeatedly tried to create a framework which allows transfer of data despite the US' insistence on secret access to the data without due process (aka secret courts, which cannot be due process by any reasonable definition). European courts, again repeatedly, have taken the stipulations in various laws guaranteeing rights to citizens seriously, and keep striking down the badly made frameworks. It's not "shifting goal posts", but rather "not willing to accept the political costs of respecting citizens' rights".
The people advocating for more privacy in the EU and pushing legislation like GDPR aren’t necessarily the same people who want to weaken encryption. Lots of things going on in the EU at the same time.
I agree though that it can be hard for a US company to comply with GDPR as every country seems to interpret it slightly differently. The same difficulty is coming on the AI legislation side.
>This is all wildly ironic because the EU is constantly trying to spy on their own citizens
I am assuming you refer to a law proposal that was rejected, but did you know americans were sponsoring and pushing that law proposal to spy on chats? Yeah same CP people.
Also there is a GIANT difference for a country to "spy" on their own citizens and USA spying on foreigners , a country has a consitution and lwas that protect the citizens freedom where USA has no laws that protect foreigners freedom so the NSA guys could watch an EU citizens photos, read their emails since they are not from USA they are lesser humans.
I'm not going to address your comment at the object level; I'm just going to point out that you've missed the point of my comment entirely. My comment is descriptive (the internet is going to become nationally siloed) not normative (a moral judgement on the conditions that are leading to this state of affairs).
> Every fiefdom wants their cut and their say, to the point where the internet being a global network is obviously becoming inviable
Why exactly would physical products have to comply with local laws when exported to other countries and not online services? Do you also call it "fiefdom wanting their cut and their say"? Do you disagree with the concept of laws altogether?
The thing that made a global internet possible is that it was understood that sending bits over a wire is different from shipping physical goods. The customs regime for physical goods is prohibitively expensive for bits.
I'm not interested in arguing if eliminating free transit of data is a good idea or not; I'm just pointing out the inevitable consequence of the current trends.
EU citizens: We don't want our data in the US, where it can be siphoned off to other companies.
US company: siphons data
EU: You can't do that.
HN commenter: Damn these fiefdoms wanting their cut, what has the internet become? I pine for a simpler time, when I could do anything I wanted with data against people's will and nobody could stop me, that truly was the golden age.
He was saying that Uber will no longer operate in NL/EU, the pining was for "equal access to US services", not your data. FWIW, I am annoyed myself about having to accept GDPR popups on every website I visit, so I too pine for a day where US companies have nothing to do with "EU citizens".
Right, but the reason EU citizens don't have equal access to US services is because EU citizens decided that the services they use need to be careful with the EU citizens' data. US services said "nah, that sounds too hard, I'm outta here" instead.
Hahaha, that will not happen. And if Uber against all odds actually leaves some other company will swoop in and take their market. Personally I prefer Bolt over Uber for rides here in Sweden.
>We are fortunate to have lived through a brief period where the world was truly a global trade network. A person in England could access the best tea the world had to offer. People could more or less interact freely across borders.
>Obviously this is coming to an end. Every fiefdom wants their cut and their say, to the point where the world being a global network is obviously becoming inviable. It was fun while it lasted.
- Some ignorant bloke at the end of the British empire, probably
Point, but IIRC the end of the British Empire was met with a mix of "We didn't want it anyway it was so expensive"* and "We lost an empire but gained a continent".
(The latter followed by lots of pikachu surprise face because they weren't in charge of said continent).
* Not only an Aesop reference, but also an actual claim I've repeatedly encountered
Access to tech is different from handling of personal data though -- the EU GDPR laws around that are clear and fair
People have a right to know where their personal data is going, what is being stored, what it is being used for and should have a mechanism to correct it and delete
The wider challenge is how that is handled in a compliant way with LLMs and generative tools which vendors do not seem to be taking particularly seriously yet
> The wider challenge is how that is handled in a compliant way with LLMs and generative tools which vendors do not seem to be taking particularly seriously yet
I'm curious as to why people would want to train LLMs on personal identifying information. What's the benefit of an LLM that has a large collection of names, addresses, dates of birth etc.?
Free-form text like Reddit posts contains a whole load of PII. Since there is absolutely no regard for what goes into a LLM, naturally, they also contain this PII.
You mean, the epicenter of that global network transformed it into a tool of influence and surveilance? [1] Or maybe that the companies participating in that global network saw interest in walling that global network ? [2] [3] Or maybe that global network is being reshaped by a few dominant actors so much that outside regulation becomes necessary? [4] [5]
No, of course not; it must be local barons trying to scrap a bit of power, not at all a reaction to massive abuses from the industry.
European organizations are often fined as well, it's just that the amount of fines depends on the income of an organization. This means that big American companies jump out more, because they tend to have bigger incomes. Here's a database of fines for GDPR:
Ah yes, the poor-poor American companies who assume that they God-given right to every single scrap of data on their users that they possibly can. Under the guise of "we and our 1400 partners would really like to track your every breath"
1400? https://www.theverge.com/ (to pick a site at random) has 3,615 in the optional cookies setting alone, and a further 514 in the “strictly necessary” section. I think they might be lying on the last point.
It's an indirect Marshall plan for europe. Since EU is unable to grow a shred of infotech, at least give them some scraps to add to the EU budget (At least, i hope that is where the fines end up).
> EU has realized American companies got a hell lot of expendable cash so they enjoy milking them xD
EU has realised American companies have become highly optimised wealth extraction machines and aren't providing nearly as much value as they are extracting, while also violating local privacy laws and skirting taxes.
The value void that Uber leaves will easily be filled, which is merely an app to buy services that have existed as long as the horse and cart. Keeping Uber benefits no one in the EU.
> The Dutch DPA started the investigation on Uber after more than 170 French drivers complained to the French human rights interest group the Ligue des droits de l’Homme (LDH), which subsequently submitted a complaint to the French DPA.
I wonder on what the initial suspicion from the drivers was based.
Many years ago I was involved with a US organization, and then happily forgot about it. Almost 15 years later they started spamming me with emails coming from their head office in Washington.
I asked them to stop. They didn't. I threatened legal action under GDPR and requested deletion, also under GDPR. They said they complied. A year later they started spamming me again. From the same address.
That's how I knew that they never deleted my info and kept it in the US.
Even worse when you move between countries and suddenly "Uber Country X" uses your account of "Country Y" to spam notify you about promotions in X. It's weird in a bad way
I've visited us not long ago and took a uber (i had uber on my phone since 2019, when i used it before). They started aggressively spamming notifications to my phone and uber eats this and uber that. in the end, i was still going to use the service that was the cheapest
I guess this is always going to raise some eyebrows, with this amount of money it's hard to say it's not political.
However I would like to say that the Dutch privacy authority actually seems pretty sincere at enforcing privacy legislation. It's just that until recently they were just sending angry letters, and now they've been given power to do more than empty threats.
> with this amount of money it's hard to say it's not political.
If by political you mean "aimed to be effective", then yes it is political. If the fine is too low and these companies make a healthy profit through these practices, they will just take the loss.
Does anyone know good best practices and software/DB patterns to model localized GDPR-compliance into global software systems?
I know ASP.NET Core comes with some GDPR-related helpers but it's more interesting to know general best practices and patterns not related to a specific framework.
It's pretty much part of your normal data management that you'd be doing anyway, except it now has an additional lifetime (on top of any you might have had).
Since when ingesting the data you knew where it came from and on what timestamp, you also know when to next check for deletion. And since you also know where it came from (the owner), deleting/sending it on request (when applicable - not all data is always required to be deleted) is pretty straightforward. In essence it's like garbage collection for managed languages (like C#) but for your data.
At the end of the day, no matter what you use (existing process, create a new process if you weren't managing your data so far, or use some product), treating data like radio active waste will generally lead to good designs. You only keep what you need for the time that you need it, everything else gets removed.
> You only keep what you need for the time that you need it
Just to add that it's stricter than that - you can only keep the data that is required for the purpose that you detailed to the customer. e.g. If you ask for their email address for password validation, then you're not allowed to use that email for other communication unless you explicitly asked for that as well.
I completely agree, GDPR is definitely a more detailed ruleset than what I outlined, but from a data management superset perspective you would have the mechanisms and facilities to deal with the GDPR-specific rules anyway.
I've found that this is mostly a problem in organisations where data isn't managed, the government doesn't protect the people, or where some vague value is assigned to the data (so it does get stored, but when it leaks it is supposed to not have value and therefore do no damage). So looking at it from an "you will be managing it anyway" angle has worked well for me when trying to activate teams/units/orgs.
First off, just presume GDPR applies globally. Then, know your legal 'zones' and by default keep all data in those containers. Thirdly, if you need to send data from one zone to another, ask "Do I really need to?? really???" and only if the answer is 'yes' do you do a proper design and engage legal and security from the beginning of the project through to the end and on an ongoing basis.
Yeah, I have to think things like DynamoDB Global Tables and other tools designed (in a bygone era) of "magic low latency from anywhere in the world" are going to be big footguns going forward.
> Since the end of last year, Uber uses the successor to the Privacy Shield.
Sounds like they're going to get condemned again in the future, seeing how these things get knocked down again and again. The EU commission is really dropping the ball there.
So maybe the DPAs will defer to the EC's interpretation of adequacy under the GDPR for this new Framework?
Lots of unknowns though, since Schrems has already announced a challenge to the Framework. The only "safe" option without any uncertainty seems to be architect every system so that data never transits to the US and is also never in the custody of a subsidiary of a US-domiciled corporate parent.
I tend to agree with you about what will happen, but it illustrates the depth of legal uncertainty that exists in architecting software systems in Europe that process personal information. Corporations can't necessarily trust the EC's own published interpretations of their own laws, nor the certification processes the EC has created, so the only risk-minimizing route is a maximally pessimistic approach about what is permissible.
> but it illustrates the depth of legal uncertainty that exists in architecting software systems in Europe that process personal information.
Oh I agree with that. EC's behaviour in that case is appalling.
> Corporations can't necessarily trust the EC's own interpretations of their own laws
There is a way to be safe with regards to EU law, and it's to engineer systems where European data stays in Europe. Of course, the issue is that corporations would then be liable under US' FISA 702.
That's the big issue: the United States made a law that basically states that no US company should follow EU law, and the US admin manages to beat EC officials into submission every few years with another flawed agreement to keep the ball rolling.
It's not that easy really. Several European countries have FISA s.702 functional equivalents that enable intelligence to get orders for interception of personal information on servers and entities within their legal jurisdiction. (e.g., The French Law on Intelligence and the German BND Act)
It's easy to say that the US should just scrap s.702, but unless it's reciprocal with Europe scrapping their interception powers as well, that's a pretty unrealistic ask.
Hm. I was aware that French law was kind of awful on this, but never investigated the specifics. As, say, a non-EU person, would I be able to bring suit to a French court (and, if that fails, to the CJEU) regarding foreign-intelligence eavesdropping violating my privacy rights? (AFAIU the US answer is that if I’m a foreigner on foreign soil I don’t have any of those).
Yes, you could bring a suit if you knew about the interception. However, like FISA s.702, intelligence collection warrants under the French LI and German BND are generally secret, so most targets have no knowledge they are under surveillance. All three pieces of legislation have an oversight mechanism in terms of oversight bodies who have access to secret warrants and are supposed to ensure that they are being used appropriately.
> that enable intelligence to get orders for interception of personal information on servers and entities within their legal jurisdiction.
That is common indeed. What's peculiar with US law is that it can mandate companies to move data about people outside of US jurisdiction that is stored outside of US jurisdiction and turn it over to US authorities, even when it violates local law.
Exactly, compliance is currently impossible since this is a geopolitical spat between the US and EU over US law.
The goalposts on this move every 6 months, so the fines are easy money for the EU.
The companies are just collateral damage. For some reason HN is full of people who don’t actually understand this issue but feel very emotionally passionate that all US tech companies are evil and doing this on purpose.
“Just follow the law, you evil companies!”
Lol. They would if there was a clear law/process to follow that didn’t get shot down every few months.
As it stands, you cannot operate in the EU as a US company if you want to be totally immune from fines.
I urge you to talk to your government representatives (on both sides of the pond) if you care about this issue. This benefits nobody except for EU government coffers.
> feel very emotionally passionate that all US tech companies are evil and doing this on purpose.
Oh no, it's the US government that claims authority to use these companies to surveil EU citizens that is the problem here. One that, unfortunately, does affect all US companies.
> Lol. They would if there was a clear law/process to follow that didn’t get shot down every few months.
There isn't a process because US law makes it clear that US companies should be auxiliary to illegal acts abroad. And we find out every few months, that even when they aren't forced to, they disregard the law.
Sure, maybe they're not "evil", but they apparently can't find a way to be law-abiding entities.
> The only "safe" option without any uncertainty seems to be architect every system so that data never transits to the US and is also never in the custody of a subsidiary of a US-domiciled corporate parent.
If i'm not mistaken, because of this (via[0])
> The CLOUD Act primarily amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil.
It sounds like compliance is only possible* if "the US company doesn't have any influence on the EU data-holding company" which is insane. This might be satisfied if the US company simply licenses their software product (e.g. the Uber backend) to an EU company. But this might not be adequate since chances are updates would be somewhat automated, and thus the US-based Uber might be compelled by the government to ship malware with their update to catch some US criminal (or otherwise enact some US spying).
* edit: only possible in lieu of a data agreement like Privacy Shield or its successor as mentioned above
You mean like the EU governments? Which country / countries have fundamental protections for free speech and censorship free social media? Which are seeking to force encryption backdoors?
It's true, the extensive surveillance capabilities the American government demands from American businesses is one of the reasons American companies cannot enter the European market.
I doubt this will change any time soon. The GDPR isn't going away, and the USA isn't known for loosening their data collection laws. Maybe in a few years the EU can find a legal ground to allow the USA to spy on EU citizens without acceptable legal defences, maybe the USA will give up their capability to use American businesses as a tool to spy on the EU, but for now surveillance law is a major roadblock for American companies expanding to Europe.
As far as I understand (IANAL) the CLOUD Act has not been used as basis of decision at least for Schrems II. The primary issues court found were regarding surveillance programs authorized under Section 702 of the FISA & executive order 12333.
That makes more sense then. Is it still right to say that they're afraid of a US company being compelled to access data at the request of the US gov when it's stored in the EU, or is it still only trying to avoid EU data actually going to the US during _regular_ operations of a business (paragraph 63)? I feel like it's still a threat if some US employee could access servers inside the EU as a one-off for NSA/etc surveillance?
No, the EC asked ChatGPT to rewrite the Privacy Shield but give it another name, and the CJEU is expected to retroactively invalidate the law again. This will only change if the US provides essentially equivalent privacy protection laws, which they don't.
Funny thing is, us data is almost always maintained by people outside of the US, at least for banking. The servers may live in the us, but the people accessing it are probably located in Europe or India. This also means that the data lives their temporarily while it is being accessed.
It shouldn't be a problem for Europeans to access/process U.S. data that belongs to U.S. citizens - GDPR doesn't cover that AFAIK, so it's fine for it to cross borders. The issue is with GDPR protected data of EU citizens, as the law does not permit that data to cross non-EU borders unless it's for specific exemptions such as law enforcement.
Or, IIRC, if the destination country has privacy protections that are at least as strict as those in the EU, which the US legal regime for foreign intelligence definitely doesn’t provide (a non-US-citizen wouldn’t even have standing to sue wrt their personal data).
> a non-US-citizen wouldn’t even have standing to sue wrt their personal data
Sure they would, I think? They would just have to foot the bill to travel and file in a US court. And whatever user agreements they 'agreed' to might come in to play without legislation to supersede it. But they would have standing, I'm pretty sure.
Not a lawyer and not going to find the relevant references in the US’s vast body of law in reasonable time, so let’s check what the CJEU concluded?
Schrems I [1] (the old CJEU judgment invalidating Safe Harbor) endorses (§90) the opinion that:
> [D]ata subjects [whose personal data was transferred to the US] had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.
In what reads like a reference to FISA, it continues (§95):
> Likewise, legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter [of Fundamental Rights of the European Union].
It then stops short of calling out FISA by name, instead (IIUC) invalidating on the basis that the adequacy of the legal regime was not addressed in the Safe Harbour decision to begin with. Privacy Shield came next and did, so Schrems II [2] (the newer judgment invalidating Privacy Shield) states (§181–2):
> According to the findings in the Privacy Shield Decision, the implementation of the surveillance programmes based on Section 702 of the FISA is, indeed, subject to the requirements of PPD‑28. However, although the Commission stated, in recitals 69 and 77 of the Privacy Shield Decision, that such requirements are binding on the US intelligence authorities, the US Government has accepted, in reply to a question put by the Court, that PPD‑28 does not grant data subjects actionable rights before the courts against the US authorities. Therefore, the Privacy Shield Decision cannot ensure a level of protection essentially equivalent to that arising from the Charter [...].
> As regards the monitoring programmes based on E.O. 12333, it is clear from the file before the Court that that order does not confer rights which are enforceable against the US authorities in the courts either.
It sounds like the official legal position of the US executive is that individual foreigners do not have standing to contest FISA 702 surveillance of them. (I could not quickly find the text of that position.) This is a 2020 judgment in a case from July 2018 regarding a European Commission decision from 2016, so the implications of the CLOUD Act, signed in March 2018, do not look to be in scope.
I think you are right. I lost the context the original comment was made in, and was thinking more about damage coming from company negligence, and not government sanctioned surveillance.
NAL, but I think GDPR has exceptions for remote access, i.e. if a worker in India is viewing data held in the US, that is not necessarily formally considered a transfer from the US to India, even though the data clearly has made it to India if it's being displayed on a screen there.
Under GDPR I believe if the data access is from an employee of the company (eg Uber) then there aren’t location checks. (Been a while so I could be mistaken here.)
But if you are subcontracting to an agency you need to list them as Subprocessors in your DPA. So subcontracted support staffing companies for example would be required to be listed and explicitly consented to.
This is all assuming you set up the base contractual protections for the data required to export the data at all, which Iber apparently didn’t do here.
Well technically data transfer according to GDPR has nothing to do with where the data is geographically. It’s what legal jurisdiction the controller or processor is under that matters. If you move data to a processor under another jurisdiction that is a transfer.
Can someone clarify for me why the physical location where data is stored is a big deal? Why does the US need stronger laws here?
This is probably just my inner naive technologist speaking, but I really enjoyed the moment of time during which the internet was a global network of computers that created a virtual space where physical borders were largely irrelevant. So it's a bit jarring for me to see people take for granted the idea that borders matter on the internet after all.
> Can someone clarify for me why the physical location where data is stored is a big deal?
What can you do if your data is silently copied by third parties and used for other activities? What if I build a ghost profile of you and steal your identity when I have enough data? What if I relay that you have a fancy car to some people who have the means to get that from you while sleeping? What if I craft a good scam by targeting you with your own data?
It's not about data is sent to where, it's about what happens when it arrives to the physical servers, who has access to these files, and what can they do with it.
When I visited the states, I got EZ-Pass spam/scam e-mails for a year, on an e-mail I gave to nobody when I was there. So, these laws matter.
> It's not about data is sent to where, it's about what happens when it arrives to the physical servers, who has access to these files, and what can they do with it.
Right, but the EU can only enforce its laws on companies that have a presence in the EU. A company that doesn't do business in the EU and never will do business in the EU will not obey EU law regardless of what those laws say.
Meanwhile, a company that does business in the EU would be subject to fines by the EU and wouldn't be able to dodge them without just stopping doing business in the EU. So why do the laws not just say "here's how you have to treat data belonging to our citizens if you want to continue to do business in the EU"? Why does the physical location of the data that is being thus protected matter at all?
That works fine if the company itself stores the data, but becomes difficult to enforce when 3rd parties store the data. Imagine a company with an EU presence stores it's EU data in US, with a hypothetical cloud provider that doesn't have an EU presence.
The company would need to have a DPA with it's cloud provider. That cloud provider technically would also need a corresponding DPA with any 3rd parties that they themselves use, except without an EU presence that is hard to enforce.
In this case where there is one hop you could argue that it's the companies responsibility to ensure that their service providers are operating in compliance. Imagine the same scenario, but with one, two or more middlemen and the whole thing becomes an unenforceable mess of jurisdictions for the company to do meaningful due diligence on their service providers.
It's much easier for the EU to say EU data has to be stored in the EU, and know that any party touching the data is likely to be in compliance, and significantly easier to investigate if they are not.
There's also the Cloud act, which makes it illegal for US cloud providers to refuse data access requests from the US government.
As far as I understand, the EU is fine with you sending data to other countries, as long as those countries have the same standards for data protection. In the EU's opinion, the Cloud act, as well as the whole NSA situation, mean that the US doesn't fulfill this definition.
> Can someone clarify for me why the physical location where data is stored is a big deal?
Because the place where data is collected and stored may have different rules around privacy and data protection then the place it is exfiltrated to.
If I give my data to a company in one place that has strict laws on what may be done with that information, I don’t want it escaping to a low-protection jurisdiction where there are no penalties for selling it to the highest bidder for god knows what purpose.
If there was an acceptable worldwide convention on personal data privacy that would solve the problem. Until there is, it matters a lot.
But again I ask, why does the physical location of the data matter? Why do the laws care?
The EU has a law that said you must treat data of their citizens with respect. Fine, that's great. Any business that has a presence in the EU will need to follow that law. At that point, why does it matter where the bits are actually stored? Can the EU for some reason not enforce its privacy laws on Uber if Uber keeps its data somewhere else?
Conversely, if a business has no presence in the EU, can the EU enforce its data location laws on them?
The only thing that seems to matter for enforcement is where the company is located, so I'm really unclear what data location has to do with anything.
> Can the EU for some reason not enforce its privacy laws on Uber if Uber keeps its data somewhere else?
Yes. Even assuming these laws still work if data is in another jurisdiction (prob. not), they become unenforceable. If someone sells your data in, say, Somalia, how could EU gather evidence and start a legal process?
> Can the EU for some reason not enforce its privacy laws on Uber if Uber keeps its data somewhere else?
Maybe not, especially if they are separate corporate entities. Uber EU may choose to pay for operation of data storage by Uber US. Uber US is not under the same privacy restrictions and sells the data for profit, then what? Who sues who and for what?
This is also partly about governments - the US in particular is known for compelling access to servers that are on its soil and doing large-scale spying (not that EU powers don’t do the same, but bear with me). Companies operating in the US may not be legally able to guarantee data privacy. So having the data not enter US jurisdiction in the first place is considered safer.
The reason why the physical location matters, besides latency, is that certain governments have laws in place that allows them access to any data in their territory.
In the case of EU countries (I think its part of gdpr), services that handle personal data need to make sure that that data stays safe. The only way they can do that is to make sure that the data stays in a certain region.
I think that is why op is advocating for stronger laws. Due to lax privacy laws in the US, it's impossible for European companies (and other privacy concerned companies) to host their data in the US, therefore your missing a share of the market
> certain governments have laws in place that allows them access to any data in their territory.
This explanation makes sense, but assuming "certain governments" includes the US then the remedy isn't stronger laws in the US, it's weaker laws—it means that the US was the first to break the borderless internet and it needs to rewrite its laws to be border-agnostic.
Global network of computers where data ultimately flowed to American mainframes. Countries realize data is a resource / liability / vunerability, and even if most struggle to profit from it, they'd still want sovereign control over it. You only really control things on your soil. Physical location / possession matters for control.
> You only really control things on your soil. Physical location / possession matters for control.
This feels like an outdated worldview that no longer really applies to data. Data can be exfiltrated from the EU in milliseconds and there's nothing that the EU can physically do about it short of setting up a great firewall a la China.
The only thing they can do about it to retain sovereignty is to tell companies they're not allowed to exfiltrate data. But if they can do that successfully, they can also just tell the companies what they're allowed to do with the data wherever it is in the world.
Someone illegally exfiltrates data from within your jurisdication and you can use _your_ legal instruments. Someone uses your data stored on another jurisdication and your legal options more limited or even powerless. Data is too leaky to prevent, so states focus on having the most tools to deter, including legal. And for some legal instruments to have maximum effectiveness, the location of physical molecules are important.
> Someone uses your data stored on another jurisdication and your legal options more limited or even powerless.
If that someone is a legal entity within your jurisdiction, you have lots of options.
I edited my original comment to link to someone who gave a good explanation—what I hadn't considered is how difficult tracking suppliers and subcontractors recursively and ensuring that they all have a presence in the EU would be. I think it's a bad solution to that problem, but it does make sense.
What does that even mean, though? Data does not have a location. It's just information. The fact that "I live on 123 Oak Street" is data. It's not anywhere. How can you say that it's in a particular country? This post might be read by people all across the world. Now that information is in many different countries? Or none at all? Is it simply about where the physical hard drive containing a textual representation of that data is located? What makes that relevant?
These laws seem to have been written for the age of fax machines, not for today.
Except that the US authorities have the right to access the data you stored on Apple or Google & Co. servers whenever needed, without your consent and even if you are completely innocent.
Funny they are being fined in the Netherlands, because Uber is almost invisible there, as regular taxis have been protected. I don't have accurate data, but it's at least 15€ per inhabitant, so it seems like a very very steep fine. I can't imagine how much this is per driver, €25000?
It seems the dutch regulator is saying "why don't you just go away?". The feeling is likely mutual.
It's a fine meant to be a punishment, not damage settlement.
> All DPAs in Europe calculate the amount of fines for businesses in the same manner. Those fines amount to a maximum of 4% of the worldwide annual turnover of a business.
Uber europe is headquartered in the Netherlands, which is why the fine was handed out there, the complaint was passed from the french privacy watchdog to the Dutch one.
That's one way of saying "Europe is full of nations who provide unethical tax shelters for businesses (while criticizing any nation that doesn't provide their level of social programs), so they can regulate and fine and fill their coffers with money from businesses all over the world." But yeah, blame it on the companies that take advantage of the tax shelters EU nations choose to provide and the EU chooses to allow.
Maybe our definitions of "Tax shelters" are a bit different, but I think of Cayman Islands or Bermuda when I hear that, and Netherlands is not like that in the context of Europe. Probably Ireland is the closest you get, so would have been a much better example.
The Dutch Innovation Box regime provides a lower effective tax rate (7% as of 2024) on profits derived from qualifying intellectual property, such as patents and software. For companies like Uber, which rely heavily on proprietary technology, this can significantly reduce their overall tax burden on profits derived from IP.
The participation exemption in the Netherlands allows companies to receive dividends and capital gains from qualifying foreign subsidiaries free from Dutch corporate tax. This is particularly beneficial for multinational corporations with substantial foreign operations, as it prevents profits from being taxed multiple times as they move up through the corporate structure.
The Netherlands is a popular location for holding companies due to its favorable tax regime for holding and managing subsidiaries. The combination of participation exemptions, tax treaties, and rulings makes it ideal for structuring complex international operations.
So... a nation like the Netherlands optimizes their tax laws such that it's advantageous for businesses that are otherwise completely unrelated to their nation to HQ in their nation to avoid their proper tax burdens in the country they were started in and operate in much more significantly, for the benefit of the Netherlands getting additional tax revenue and to the detriment of other nations who would otherwise be able to tax that business.
Some people might call that a "tax shelter." Since it you know, benefits Uber, benefits the Netherlands, at the detriment of the nation(s) that Uber operates in...
> > The appeals process is expected to take some four years and any fines are suspended until all legal recourses have been exhausted, according to the DPA.
fine is suspended. it will take 4 years of appeals :)
Once again demonstrating that fining a corporation for criminal behavior is simply adding to their operating cost, and the lawyers will always get paid
Corporations recognize nothing but operating cost, so that’s in fact an appropriate lever. The question is if the correct amount of force is applied to it—usually not, but here I’m not so sure.
> Although the fine comes from the Dutch regulator, the investigation began in France. In June 2020, 21 Uber drivers there stepped forward to human rights organization Ligue Des Droits De L'homme Et Du Citoyen. Another 151 Uber drivers later joined that complaint. The LDH took that complaint back to the CNIL, France's national privacy regulator. The latter forwarded the complaint to the Dutch Personal Data Authority in January 2021 because Uber's European headquarters is in the Netherlands.
> because Uber is almost invisible there, as regular taxis have been protected
Uber is almost invisible there because they continue to blatantly break the law, and even when told to stop, they continue like nothing happened. (https://www.wsj.com/articles/dutch-authorities-raid-uber-off...). This seems to be just another case of the same hubris.
Of course Uber faces pushback when they act like that.
My first instinct would say if someone pulls out I hope that would finally spur some competition. You don't need to apply anti-trust to companies that don't operate in your market. Maybe a competing video platform or phone operating system would get a chance at organic growth.
Maybe a pipe dream though. I haven't given it serious thought.
>building alternatives takes time and resources. the EU has neither.
This is kind of a FUD fueled false dichotomy, when the truth is we can't know if the EU doesn't have time or resources if it never tries.
What the US has that EU doesn't is the infinte money to throw in the bonfire at moonshot projects knowing that 99% will fail and the 1% will be hugely successful, but now the market is mature with less untapped opportunities, and the EU doesn't have to spend like the US did to achieve the same results, since we now know what works and what doesn't and how to make an Uber that's compliant with local regulations while using less money.
> but now the market is mature with less untapped opportunities
at a macro level i don’t think things stand still waiting for the europeans to catch up. i think things are moving extremely fast and you either adapt or “stagnate”.
What's "moving" right now besides overhyped and unprofitable generative AI and AI chat bots, most of which are trained on copyrighted content and can be regulated away with a piece of paper when copyright holders lobby enough?
> building alternatives takes time and resources. the EU has neither.
This is a smartphone app that buys a local service that already exists, it's not hard... In fact alternatives already exist.. I mean of course they do cmon.
On the flip side do you realise the lithographic tech used to build your Intel fabs come from EU? (ASML) building an alternative to that will take serious time and resources. EU is not some third world country.
> building alternatives takes time and resources. the EU has neither.
The EU does not have the motivation, mostly. They are not rivals of the US in the way China is. So money goes elsewhere. Europe is still a continent with a whole bunch of people and quite a lot of money. The path of least resistance is to just use American solutions in some areas and to develop others locally. This might change and if there is a vacuum, it will be filled quickly.
Uber is a poor example of dominant American companies. They don’t really have a moat and they don’t really provide a better service than the alternatives in Europe. I don’t think people would miss them much if they left.
The famous companies with a moat are Apple, Google, Microsoft and Amazon(AWS) since they're vertically integrated so no start-up stands a chance of competing or like Reddit and you hold a large userbase knowledge repository.
Food delivery companies, ride sharing companies, flight & boarding booking companies are all expendable. If one goes down, another one will spring up tomorrow.
Yes, and I don’t see them moving away any time soon. It’s too much on their balance sheets (Europe is a bigger market than China for Apple, and the other two are deeply embedded with the local administrations and companies). All of them are following the legislative frameworks and adapting.
I'm not sure if it will actually happen. But the theoretical "problem" with these "X% of worldwide revenue" fines is that they change the calculus of launching an existing product in Europe. It makes it so that if a company enters the EU they risk it being a net negative to revenue.
Not necessarily, but it should "change the calculus of launching an existing product in Europe", factoring in privacy laws. Either don't launch, or make sure that your product complies.
That's not a EU problem. If the US puts laws in place that prevents their company from expending overseas, that's a problem that Americans need to fix.
Yeah. But even if you act in good faith there's still a chance you'll make mistakes and run afoul of the law. And now the cost of a mistake is not "we'll end up losing money in this new market" it's "our business might fail worldwide".
The intended effect is that they follow the law, it's really not that complicated. Why do people assume that US-based companies have this inalienable right to break any law they want in every country around the world and that we all have to cheer for them when they do it?
> Europe had taxis, private for hire limousines, taxi apps and delivery services long before Uber arrived.
All the "Uber" rip-offs in Norway are worse than Uber was last time I used it. Not that anyone can afford to use a taxi here anyway unless the government covers the bill, which they do and which is the only thing that keeps taxis employed, I think.
At least here in non-EU Switzerland, Uber often provides superior service over regular taxis. They‘re cheaper and you can’t get ripped off by a driver choosing a more circuitous route.
I doubt it. Besides Apple, none has even complained very loudly, and even Apple just did it in order to garner some sympathy points from the fans. That is, for marketing reasons. The fact is that none of this legislative stuff, this basic level of consumer protection in the EU is in any way a dealbreaker or a significant hindrance to big tech, merely a cost of doing business.
Too big a market. That's the power of the EU I guess. If they can adapt to abide, they will. If they can't, quite likely due to GDPR for many US companies.
Why do you think they will leave? They will make noise, complain but if the choice is between following rules or give up profits, they will fall in line. Money trumps everything else.
They will however keep lobbying, support candidates favorable to them etc.
EU (and other governments) should be vigilant all the time. The moment they take it easy a bit, big tech will be back to their usual shenanigans
They interacted with a local subsidiary. Being subsidiaries of an American company does not mean that they get to ignore local laws. Funnily enough, even Americans get to follow the rules in other countries.
So they sent their documents to the local company, which in turn transferred them overseas. I really fail to see how this is the drivers’ fault.
"In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care", Dutch DPA chairman Aleid Wolfsen says. "But sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union. Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious."
Why is this absurd? Companies bend over backwards to do business in countries like China, put up with all kinds of nonsensical local laws and rules.
This privacy requirement at least makes sense, it is the local government’s responsibility to protect their citizens privacy.
Comments like the above reflect how big corporations have gotten, they will push and bend the laws until someone hits back. This is an example of a government hitting back. Good on them
413 comments
[ 2.8 ms ] story [ 310 ms ] threadBy investigating a complaint?
From the article: The Dutch DPA started the investigation on Uber after more than 170 French drivers complained...
Did they made the allegations up and they happened to be right? I don’t think that’s the case.
In any event the fine is mostly for not having adequate protections in place. Those protections? Better contracts between wholly-owned subsidiaries of Uber. So, not much protection at all! This is very much Uber shooting themselves in the foot by not doing their homework. Again.
This is the DPA's press release: https://www.autoriteitpersoonsgegevens.nl/en/current/dutch-d...
The fine is here, and is 48 pages long, and in Dutch: https://www.autoriteitpersoonsgegevens.nl/documenten/boete-u...
The investigation report isn't included. It may surface if Uber decided to right the fine and take it to court. Or, if some-one takes an interest and tries to get it via the local 'freedom of information act' equivalent, though that might take just as long and will result in a heavily redacted version being made available.
But before the DPA can get involved, there must be a complaint.
Such complaint came from Ligue des droits de l’Homme (LDH) and here is my question: how was this group informed that Uber was sending data to the US?
No doubt about what happens when the DPA gets involved, I'm not arguing over that.
In reality, no one gets fined based on whims and wishes, but after investigations, just like in this case:
> The DPA said it started the investigation after more than 170 French drivers complained to a French human rights interest group, which then filed a complaint to France's data protection watchdog.
> Under the GDPR, a business that processes data in several EU countries must deal with the data protection authority where its main office is located. Uber's European headquarters are in the Netherlands.
https://www.lemonde.fr/en/economy/article/2024/08/26/uber-fi...
Seems the investigation uncovered that Uber didn't process data in their European headquarters but instead sent the data to the US, otherwise there obviously wouldn't be any basis for the fine.
If it is a genuine mistake the fine would be tiny if there would be a fine at all. At least that is how it has been in other cases. A this big fine indicates that the DPA found serious negligence or willfulness.
The DPA has previously fined Uber €600.000, €10.000.000, and now €290.000.000. Do you really think they won't do a follow-up investigation and issue another fine if they are found to still be in violation?
It's always trivially easy to break the law and not get caught for it.
I'm currently in a small village and if I want to break the law right now I can go outside, get in my car, and accelerate to 90mph along the 30mph road running past the house. I'd probably get away with it too.
But I wouldn't be doing it by accident: I'd be doing it because I'd chosen to.
In the same way, whilst I could configure an S3 bucket in a different zone, I'd have to choose to do that. It's not that easy to get it wrong.
I'm not about to do either of these things.
Is it any easier to investigate violent crimes like murder? Financial crimes? Organized crime? Smuggling? Fraud? Criminal negligence (like food or environmental contamination)?
I do agree though that with current cloud infrastructure and engineering standards it is rather easy to do accidentally.
Even though the rules are great, I'm just not sure if it will be good or bad long term for EU.
The analogy to China during the industrial revolution is simply non-applicable, to the point of not being even wrong.
America loves to pretend that no other data points exist so they can attribute whatever good performance they’ve historically seen to whatever supposed cornerstone of American life is advantageous to make whatever point they want to make.
Could you explain how the Uber drivers are worse off due to their data being in the USA?
Following your reasoning, then the whole legislation is moot, and all European citizens data should be sifoned in the US without anyone complaining, because "hey, I'm in the UE so you cannot touch me", no?
They are now at risk if there is a data leak in the USA. There are higher fines for data leaks in Europe, so they aren't as well protected as before
It’s not from us to explain why would drivers be worse. It’s from the one who took the datas to explain why would drivers be better. Because if they would have been better I guess Uber would have done a marketing campaign around it to talk about the benefits instead of doing it this way without anyone noticing.
And ideas like Uber aren't hard to copy by local companies.
There was even a time where copy cats were an easy way to get rich.
Copy a US company, wait to get bought by that company. That made the Samwer brothers rich.
I would love it if companies from the U.S.A. left the EU. Not solely for the economic boost it would give local competitors (who have all but shut down when U.S.A. companies came), but also because they clash with our culture in negative ways.
We can speculate this all we want, but I think it's fair to say with confidence that leaving companies unregulated (or poorly regulated) is bad for everyone in the long term. A slightly different example is the poor enforcement of antitrust laws being one of the reasons we have the tech oligopoly we have today with Apple, Google, Amazon and Meta.
We had app based ride hailing services before Uber and still have them so it can't be that. Surge pricing also has existed before them.
For example, for Uber, lack of it (it took a while to come to some countries) already spawned lots of successful competition.
Chokepoint Capitalism with Cory Doctorow - FACTUALLY Podcast: https://youtu.be/vluAOGJPPoM?si=zuezwnlUHhuoQFNt&t=2668
As a consumer, I can't visit every factory to check if the pasta isn't tainted with lead, if the chicken meat isn't full of antibiotics and hormones and if the webapp I am using isn't selling my data.
We have market regulations for reasons. Companies that won't comply should be punished and if it's a repeatable offence they should lose a license to operate in EU.
clearly:
https://www.flossbachvonstorch-researchinstitute.com/fileadm...
It feels heartless. I wish there was a better system.
You have massive selection bias in your sample. “Morally-based decision ends well” is not exactly something that makes headlines or that is seized upon by historians to explain memorable cataclysmic events.
You don’t need to be an ethics expert to see a difference between moral principles that lead to suffering, and moral principles that don’t.
Waving away all morality in moral nihilism is teenage-level ethical sophistication.
Name one non-capitalistic system more moral than the currently existing ones.
All rankings trying to quantify morality and order societies by it, are consistently topped by social market economies, a form of capitalism.
> Waving away all morality in moral nihilism is teenage-level ethical sophistication.
It is also something I have never done. With the edits to your post, its nature became more and more apologetic to dictatorships. I hope this was not what you have intended.
What are you talking about?(!)
It’s easy to point to some barbaric act and say “see, this is what morally motivated policies result in”.
But in reality, moral value judgments are all around us in the most mundane of places. It’s moral value judgments that cause us to have anti-monopoly laws. It’s moral value judgments that cause us to configure tax codes one way or another. It’s moral value judgments that cause us to appreciate the things that capitalism gives us. Etc etc. You can’t escape it.
I would highly recommend the book!
I'm honestly curious (and adding this as a disclaimer to be clear it's not an attack): why would you think there was any shard of imbued morality when the whole point of the system is based on greed?
That's a category error. Economic and political system don't have morals. Not capitalism, socialism, democracy, autocracy.
Economic and political system should be designed to create incentives where externalities are positive and not negative.
Note how I didn’t mention capitalism to have bad morals or to be evil. I did say heartless because neglecting morality (good or bad) feels heartless.
This is largely a false meme, an urban legend. There is no meaningful privacy difference between Europe and the US.
This is simply a money grab; it won’t move the needle on privacy one bit. You’ll still be surveilled everywhere you go in Europe by the state, the mobile operators, and most of the other apps on your phone.
Furthermore, it doesn’t matter if the data stays inside the EU or not. Google collects the same data and the US intelligence agencies can compel them to access the data on EU citizens, stored on EU-located Google servers just the same as if it were in Mountain View.
The US is where companies from Google, Facebook, and Microsoft to Visa, Mastercard and Equifax are headquartered.
EU-based snooping companies just aren't as good at it, and don't have anywhere near the same scale.
> Domestically these countries have entities collecting personal data in the same evil way as US entities
Can you provide sources for this allegation?
I don't know where you are getting your information from but that's not true.
> careful when buying stuff online
I know what I'm doing online. You sound like communication from most of retail banks.
If you are so certain that you are right and that you 'know what you are doing online,' have you reported this incident to law enforcement? It would benefit everybody. Could you also specify which healthcare service providers you believe sold your data? This information could help others avoid using them.
1. provide details about how the data was collected according to GDPR's Article 14 paragraph 1, I also request the information they should provide as delineated by paragraph 2.
2. send you all the data related to your person according to GDPR's Article 15.
3. complete erasure of all personal data they have collected in accordance with GDPR's Article 17.
So far I have not had to contact the Swedish DPA since the few times it happened the companies actually followed my GDPR request.
Edit: and even if you have given consent through some GDPR form you can withdraw it at any time, contacting the company with a GDPR request and explicitly stating you withdraw all consent to their processing of personal data should be enough.
Clearly the American capitalist strategy is working since all the products you keep regulating are made in the US. I’d welcome Europe to make some alternatives to what the US is providing before you just unilaterally say we’re immoral and wrong, because currently if all the US companies got fed up enough with the regulation and for some reason pulled out of the market it would cripple the digital life you’re used to in Europe.
Revenue has to come from somewhere otherwise a company can’t grow. “Enough revenue to survive” doesn’t incentivize the kind of rapid business development that consistently comes out of the US versus Europe and is just a naive economic worldview. You have to either sell user data, serve ads, or sell the product wholesale or a subscription. Currently the market (including European users) have decided that they’d rather click skip on an ad and have their usage data sold to drive those ads than pay for the product.
I had maybe one occasion where upon asking questions about how long they store my information and who exactly they give it to, I actually got answers and learned something. It was a dentist office, and by that time I had been visiting them so often that we were practically friends.
The rest of the time (mostly in hotels), they didn’t like it very much that I took time to read through their GDPR forms and actively withdraw my consent from optional things, of which there was like 85%, and some dealt with sharing my data with undisclosed marketing partners. Some of this, especially the undisclosed bit, I think, is a no-no under GDPR, although a lawyer may promise you a way to weasel out of trouble.
Note that when you deal with public administration, depending on the country, they may have you sign something to the effect that if they fine you and you don’t pay, your data will go to a debt collection firm, at which point you may assume it goes to all of them, because they trade debts between themselves, too. And of course, those share data with further companies according to agreements between themselves to which you are not a party, so I’m wondering if there is/should be a way to curb them…
Heck, many documents that I saw while interacting with P.A. in my country are lacking the basics, such as "what are you doing with the data".
One clinic once made me sign a document where they said that I received a copy of the privacy policy (which was not given to me). I politely asked for the privacy policy, and they sent me the entire GDPR regulation PDF. I spent one hour explaining to them that they need to fix it.
> A spokesperson for Uber explains to the NOS that they have also contacted the AP themselves about the ambiguity surrounding the privacy rules. Then, according to Uber, the watchdog didn't say that the company violated the rules.
Which is all fine and dandy but the rule really is that if it’s not clear to you (as a rich and well-lawyered company) that something is permitted, that doesn’t give you the right to then do it.
And yes, the fine really has to be this high: fines can never be just a part of doing business; colouring within the lines has to have the attention of everybody involved, from the shareholders on down.
i guess we’ll hear more about this in 4 years.
Thanks to the CloudAct there is not protection of EU user data no matter the location of the servers.
IANAL, but cloud act purpose is to allow the usa government to ask data from USA-based or USA-related services providers, for offsense/crimes.
It does not allow service providers to do anything else with that data.
I thought that that framework was supposed to allow this (as a replacement for the EU–US Privacy Shield framework)? Presumably this wouldn't have been a problem under Privacy Shield (i.e., pre-2020), or am I getting that wrong?
Basically the framework, like the Shield before, is the Commission trying to show "look, we fixed it".
Sadly, for the previous two times, the ECJ pointed out after the fact that no framework can fix the lack of data privacy law in the US, and that as such, the Shield, just like its predecessor, was not allowing what it claimed to do.
The Framework has not been tested in the ECJ so far, but the US has not significantly altered its laws so...
[1]: https://www.autoriteitpersoonsgegevens.nl/en/current/dutch-d...
[1]: https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae6... [2]: https://www.dataprivacyframework.gov/list (no deeplinks for some reason)
Obviously this is coming to an end. Every fiefdom wants their cut and their say, to the point where the internet being a global network is obviously becoming inviable. It was fun while it lasted.
[1]: https://www.reuters.com/technology/nigerias-consumer-watchdo...
That did not prevent the corrupt European Commission to issue a third variant of the Shield to still allow american corporation to send data of EU citizens to the US, despite the Schrems2 ruling.
I'm not sure I like Meta's and the influence of other foreign companies on European culture too. We were more free before them.
What’s freedom? GPL? BSD? Swinging a fist? Not getting hit on the nose?
If a company acts in a honorable way, there's nothing to fear and they can easily do business world wide. It's when companies do things that are shady and should've been outlawed from the start that they run into trouble. The main issue here is that the US has the least restrictive laws and allows its citizens' privacy to be grossly invaded, which means these companies now feel like they're being unnecessarily restricted.
If the US had stricter laws, this would be a non-issue and you wouldn't hear anyone about it. It's all very myopic and US-centered to focus on the company's freedom to do as it pleases. What about the users' freedom to live without being spied upon? Free market rules don't apply - the network effects are too big to really say "you can take your business elsewhere if you don't like it". Also it's a transparency issue - it's too hard to tell from the outside how your data will be handled to make an informed decision about what companies to deal with. Especially because all of them treat your data like they own it, as a cash cow.
The Dutch DPA is not accusing Uber of doing anything nefarious. They are mad that Uber, as an American company, can be compelled by the US government to hand over data. Ultimately, their beef is not with US companies, it’s with the US government.
This is all wildly ironic because the EU is constantly trying to spy on their own citizens and undermine encryption. The EU is just upset that the US is able to do it instead of them.
This is just companies being caught in a geopolitical spat between competing powers. The EU keeps moving the goalposts on what constitutes “safe” transfers (we’re on the 5th round of this). So there’s no way for companies to be compliant unless the US government changes its laws. So right now it’s just a lever to extract money from US corporations via never ending fines.
The US government and the EU need to sort this out. Blaming the companies shows a total lack of understanding of the real situation. I get that we all hate big tech now, but there’s literally no way to comply in good faith with these competing EU cash grabs over the shifting specifics of how you can transfer data to US servers.
The correct analogy: “There’s cannibals in both countries governments. Country A claims Uber hasn’t done enough to protect from Country B’s government cannibals.
This ignores the shifting rules around proper data transfers to the US, but you wanted a pithy logical fallacy, so there you go.
This is an ongoing geopolitical spat and compliance in good faith is currently impossible.
I have spoken to many lawyers about this. Any US company operating in the EU is at risk of constant fines no matter what you do, due to this geopolitical issue.
So why don't the poor trillion-dollar supranational corporations do anything about it?
I can tell you why: they are happy about this. And you can often find they sign their support for these laws in the US.
--- start quote ---
The CLOUD Act primarily amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil.
The CLOUD Act received support from Department of Justice and of major technology companies like Microsoft, AWS, Apple, and Google.
https://en.wikipedia.org/wiki/CLOUD_Act?wprov=sfti1#
--- end quote ---
Boohoo cry me a river about the plight of these poor hapless companies.
Importantly though, the law does not suffice with "careful". We *think* we have our bases covered and are careful to try to ensure they are but we're not sure how to *know* our bases are covered. There's the fear that some logs that we believe are anonymous might be considered identifying by some data scientist armed with techniques we've never heard of. There's the concern that some third-party library might dynamically pull in a font-set that comes from a US-based CDN based on some user configuration that we don't foresee. There's the anxiety of asking "Did we forget something? Is the DNS server in us-east-1?" when trying to roll out new features.
These are all strawmen, but they represent the kind of anxiety we feel. Having done our best to respect the requirements and the spirit in which they were written, there's the fear that we were imperfect in our awareness and that that something could cost us a fine that would have gone to someone's salary.
I would very much condemn the indiscriminate collecting, reuse, and selling of personal data, but I would also caution that those of us wanting to play by the rules find them lacking in precision.
No idea why you would feel the anxiety. If you're found lacking, you will forest get s notification from the DPA asking you to remedy the situation. You wont even be fined
This is a wrong phrasing of the problem: The US is not, and has never been, a safe haven to transfer personal data to. However, it would significantly impact trade (and policing) concerns between the EU and the US if that statement were to be treated seriously. This is why the European Commission and the Parliament have repeatedly tried to create a framework which allows transfer of data despite the US' insistence on secret access to the data without due process (aka secret courts, which cannot be due process by any reasonable definition). European courts, again repeatedly, have taken the stipulations in various laws guaranteeing rights to citizens seriously, and keep striking down the badly made frameworks. It's not "shifting goal posts", but rather "not willing to accept the political costs of respecting citizens' rights".
I agree though that it can be hard for a US company to comply with GDPR as every country seems to interpret it slightly differently. The same difficulty is coming on the AI legislation side.
I am assuming you refer to a law proposal that was rejected, but did you know americans were sponsoring and pushing that law proposal to spy on chats? Yeah same CP people.
Also there is a GIANT difference for a country to "spy" on their own citizens and USA spying on foreigners , a country has a consitution and lwas that protect the citizens freedom where USA has no laws that protect foreigners freedom so the NSA guys could watch an EU citizens photos, read their emails since they are not from USA they are lesser humans.
Why exactly would physical products have to comply with local laws when exported to other countries and not online services? Do you also call it "fiefdom wanting their cut and their say"? Do you disagree with the concept of laws altogether?
I'm not interested in arguing if eliminating free transit of data is a good idea or not; I'm just pointing out the inevitable consequence of the current trends.
US company: siphons data
EU: You can't do that.
HN commenter: Damn these fiefdoms wanting their cut, what has the internet become? I pine for a simpler time, when I could do anything I wanted with data against people's will and nobody could stop me, that truly was the golden age.
>Obviously this is coming to an end. Every fiefdom wants their cut and their say, to the point where the world being a global network is obviously becoming inviable. It was fun while it lasted.
- Some ignorant bloke at the end of the British empire, probably
(The latter followed by lots of pikachu surprise face because they weren't in charge of said continent).
* Not only an Aesop reference, but also an actual claim I've repeatedly encountered
People have a right to know where their personal data is going, what is being stored, what it is being used for and should have a mechanism to correct it and delete
The wider challenge is how that is handled in a compliant way with LLMs and generative tools which vendors do not seem to be taking particularly seriously yet
I'm curious as to why people would want to train LLMs on personal identifying information. What's the benefit of an LLM that has a large collection of names, addresses, dates of birth etc.?
If there is indeed a lot of personal identifying information from Europeans on Reddit, then they'd better get ready for a GDPR investigation.
You mean, the epicenter of that global network transformed it into a tool of influence and surveilance? [1] Or maybe that the companies participating in that global network saw interest in walling that global network ? [2] [3] Or maybe that global network is being reshaped by a few dominant actors so much that outside regulation becomes necessary? [4] [5]
No, of course not; it must be local barons trying to scrap a bit of power, not at all a reaction to massive abuses from the industry.
[1]: https://en.wikipedia.org/wiki/PRISM [2]: https://www.eff.org/fr/deeplinks/2013/05/google-abandons-ope... [3]: https://blockthrough.com/blog/the-walled-gardens-of-the-ad-t... [4]: https://www.theverge.com/c/23998379/google-search-seo-algori... [5]: https://en.wikipedia.org/wiki/Facebook%E2%80%93Cambridge_Ana...
https://www.enforcementtracker.com/
https://www.enzuzo.com/blog/biggest-compliance-fines
EU has realised American companies have become highly optimised wealth extraction machines and aren't providing nearly as much value as they are extracting, while also violating local privacy laws and skirting taxes.
The value void that Uber leaves will easily be filled, which is merely an app to buy services that have existed as long as the horse and cart. Keeping Uber benefits no one in the EU.
I wonder on what the initial suspicion from the drivers was based.
Personal anecdote:
Many years ago I was involved with a US organization, and then happily forgot about it. Almost 15 years later they started spamming me with emails coming from their head office in Washington.
I asked them to stop. They didn't. I threatened legal action under GDPR and requested deletion, also under GDPR. They said they complied. A year later they started spamming me again. From the same address.
That's how I knew that they never deleted my info and kept it in the US.
The didn't slip, fall, and drop some USB flash drives into the hands of a US data processor...
I doubt it is any sort of negligence, but if it is - it's not "simple".
Most companies are negligent. Many of those are also deliberately negligent
Even worse when you move between countries and suddenly "Uber Country X" uses your account of "Country Y" to spam notify you about promotions in X. It's weird in a bad way
However I would like to say that the Dutch privacy authority actually seems pretty sincere at enforcing privacy legislation. It's just that until recently they were just sending angry letters, and now they've been given power to do more than empty threats.
If by political you mean "aimed to be effective", then yes it is political. If the fine is too low and these companies make a healthy profit through these practices, they will just take the loss.
For abusing its dominant position, the post has only 2 points [0].
Yet, this one has significantly more comments.
The only political aspect is where the company comes from.
Forum members then want to speak up.
[0] https://news.ycombinator.com/item?id=41115644
I know ASP.NET Core comes with some GDPR-related helpers but it's more interesting to know general best practices and patterns not related to a specific framework.
Tools like collibra, purview, informatica, ... that know you database, are your best tools at enterprise level.
Since when ingesting the data you knew where it came from and on what timestamp, you also know when to next check for deletion. And since you also know where it came from (the owner), deleting/sending it on request (when applicable - not all data is always required to be deleted) is pretty straightforward. In essence it's like garbage collection for managed languages (like C#) but for your data.
At the end of the day, no matter what you use (existing process, create a new process if you weren't managing your data so far, or use some product), treating data like radio active waste will generally lead to good designs. You only keep what you need for the time that you need it, everything else gets removed.
Just to add that it's stricter than that - you can only keep the data that is required for the purpose that you detailed to the customer. e.g. If you ask for their email address for password validation, then you're not allowed to use that email for other communication unless you explicitly asked for that as well.
I've found that this is mostly a problem in organisations where data isn't managed, the government doesn't protect the people, or where some vague value is assigned to the data (so it does get stored, but when it leaks it is supposed to not have value and therefore do no damage). So looking at it from an "you will be managing it anyway" angle has worked well for me when trying to activate teams/units/orgs.
Sounds like they're going to get condemned again in the future, seeing how these things get knocked down again and again. The EU commission is really dropping the ball there.
So maybe the DPAs will defer to the EC's interpretation of adequacy under the GDPR for this new Framework?
Lots of unknowns though, since Schrems has already announced a challenge to the Framework. The only "safe" option without any uncertainty seems to be architect every system so that data never transits to the US and is also never in the custody of a subsidiary of a US-domiciled corporate parent.
To bad the EC isn't the body that can judge whether that deal is legal, and has been caught repeatedly lying about past deals [1].
> So maybe the DPAs will defer to the EC's interpretation of adequacy under the GDPR for this new Framework?
As before, cases will go to the actual authority on the matter: the CJUE. I personally don't have high hopes for this deal to last.
[1]: https://noyb.eu/en/european-commission-gives-eu-us-data-tran...
Oh I agree with that. EC's behaviour in that case is appalling.
> Corporations can't necessarily trust the EC's own interpretations of their own laws
There is a way to be safe with regards to EU law, and it's to engineer systems where European data stays in Europe. Of course, the issue is that corporations would then be liable under US' FISA 702.
That's the big issue: the United States made a law that basically states that no US company should follow EU law, and the US admin manages to beat EC officials into submission every few years with another flawed agreement to keep the ball rolling.
It's easy to say that the US should just scrap s.702, but unless it's reciprocal with Europe scrapping their interception powers as well, that's a pretty unrealistic ask.
That is common indeed. What's peculiar with US law is that it can mandate companies to move data about people outside of US jurisdiction that is stored outside of US jurisdiction and turn it over to US authorities, even when it violates local law.
The goalposts on this move every 6 months, so the fines are easy money for the EU.
The companies are just collateral damage. For some reason HN is full of people who don’t actually understand this issue but feel very emotionally passionate that all US tech companies are evil and doing this on purpose.
“Just follow the law, you evil companies!”
Lol. They would if there was a clear law/process to follow that didn’t get shot down every few months.
As it stands, you cannot operate in the EU as a US company if you want to be totally immune from fines.
I urge you to talk to your government representatives (on both sides of the pond) if you care about this issue. This benefits nobody except for EU government coffers.
Oh no, it's the US government that claims authority to use these companies to surveil EU citizens that is the problem here. One that, unfortunately, does affect all US companies.
There isn't a process because US law makes it clear that US companies should be auxiliary to illegal acts abroad. And we find out every few months, that even when they aren't forced to, they disregard the law.
Sure, maybe they're not "evil", but they apparently can't find a way to be law-abiding entities.
If i'm not mistaken, because of this (via[0])
> The CLOUD Act primarily amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil.
It sounds like compliance is only possible* if "the US company doesn't have any influence on the EU data-holding company" which is insane. This might be satisfied if the US company simply licenses their software product (e.g. the Uber backend) to an EU company. But this might not be adequate since chances are updates would be somewhat automated, and thus the US-based Uber might be compelled by the government to ship malware with their update to catch some US criminal (or otherwise enact some US spying).
* edit: only possible in lieu of a data agreement like Privacy Shield or its successor as mentioned above
0: top comment on https://news.ycombinator.com/item?id=33561222
https://en.wikipedia.org/wiki/CIA_black_sites
It's completely sane from the EU's point of view. Why would they submit their citizens to forceful government eavesdrop?
I do agree it's insane. But the insanity is not on the GDPR.
I doubt this will change any time soon. The GDPR isn't going away, and the USA isn't known for loosening their data collection laws. Maybe in a few years the EU can find a legal ground to allow the USA to spy on EU citizens without acceptable legal defences, maybe the USA will give up their capability to use American businesses as a tool to spy on the EU, but for now surveillance law is a major roadblock for American companies expanding to Europe.
>> The CLOUD Act primarily...
As far as I understand (IANAL) the CLOUD Act has not been used as basis of decision at least for Schrems II. The primary issues court found were regarding surveillance programs authorized under Section 702 of the FISA & executive order 12333.
Full Schrems II judgement is available at https://curia.europa.eu/juris/document/document.jsf?text=&do...
The US definitely needs stronger laws here.
Sure they would, I think? They would just have to foot the bill to travel and file in a US court. And whatever user agreements they 'agreed' to might come in to play without legislation to supersede it. But they would have standing, I'm pretty sure.
Schrems I [1] (the old CJEU judgment invalidating Safe Harbor) endorses (§90) the opinion that:
> [D]ata subjects [whose personal data was transferred to the US] had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.
In what reads like a reference to FISA, it continues (§95):
> Likewise, legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter [of Fundamental Rights of the European Union].
It then stops short of calling out FISA by name, instead (IIUC) invalidating on the basis that the adequacy of the legal regime was not addressed in the Safe Harbour decision to begin with. Privacy Shield came next and did, so Schrems II [2] (the newer judgment invalidating Privacy Shield) states (§181–2):
> According to the findings in the Privacy Shield Decision, the implementation of the surveillance programmes based on Section 702 of the FISA is, indeed, subject to the requirements of PPD‑28. However, although the Commission stated, in recitals 69 and 77 of the Privacy Shield Decision, that such requirements are binding on the US intelligence authorities, the US Government has accepted, in reply to a question put by the Court, that PPD‑28 does not grant data subjects actionable rights before the courts against the US authorities. Therefore, the Privacy Shield Decision cannot ensure a level of protection essentially equivalent to that arising from the Charter [...].
> As regards the monitoring programmes based on E.O. 12333, it is clear from the file before the Court that that order does not confer rights which are enforceable against the US authorities in the courts either.
It sounds like the official legal position of the US executive is that individual foreigners do not have standing to contest FISA 702 surveillance of them. (I could not quickly find the text of that position.) This is a 2020 judgment in a case from July 2018 regarding a European Commission decision from 2016, so the implications of the CLOUD Act, signed in March 2018, do not look to be in scope.
[1] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62...
[2] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62...
But if you are subcontracting to an agency you need to list them as Subprocessors in your DPA. So subcontracted support staffing companies for example would be required to be listed and explicitly consented to.
This is all assuming you set up the base contractual protections for the data required to export the data at all, which Iber apparently didn’t do here.
Can someone clarify for me why the physical location where data is stored is a big deal? Why does the US need stronger laws here?
This is probably just my inner naive technologist speaking, but I really enjoyed the moment of time during which the internet was a global network of computers that created a virtual space where physical borders were largely irrelevant. So it's a bit jarring for me to see people take for granted the idea that borders matter on the internet after all.
Edit: 0x62 has a good explanation here: https://news.ycombinator.com/item?id=41357888
I hadn't considered the recursive nature of suppliers.
What can you do if your data is silently copied by third parties and used for other activities? What if I build a ghost profile of you and steal your identity when I have enough data? What if I relay that you have a fancy car to some people who have the means to get that from you while sleeping? What if I craft a good scam by targeting you with your own data?
It's not about data is sent to where, it's about what happens when it arrives to the physical servers, who has access to these files, and what can they do with it.
When I visited the states, I got EZ-Pass spam/scam e-mails for a year, on an e-mail I gave to nobody when I was there. So, these laws matter.
Right, but the EU can only enforce its laws on companies that have a presence in the EU. A company that doesn't do business in the EU and never will do business in the EU will not obey EU law regardless of what those laws say.
Meanwhile, a company that does business in the EU would be subject to fines by the EU and wouldn't be able to dodge them without just stopping doing business in the EU. So why do the laws not just say "here's how you have to treat data belonging to our citizens if you want to continue to do business in the EU"? Why does the physical location of the data that is being thus protected matter at all?
The company would need to have a DPA with it's cloud provider. That cloud provider technically would also need a corresponding DPA with any 3rd parties that they themselves use, except without an EU presence that is hard to enforce.
In this case where there is one hop you could argue that it's the companies responsibility to ensure that their service providers are operating in compliance. Imagine the same scenario, but with one, two or more middlemen and the whole thing becomes an unenforceable mess of jurisdictions for the company to do meaningful due diligence on their service providers.
It's much easier for the EU to say EU data has to be stored in the EU, and know that any party touching the data is likely to be in compliance, and significantly easier to investigate if they are not.
As far as I understand, the EU is fine with you sending data to other countries, as long as those countries have the same standards for data protection. In the EU's opinion, the Cloud act, as well as the whole NSA situation, mean that the US doesn't fulfill this definition.
Yes, we have a GPDR compliant law in place, and we can interoperate with EU.
Because the place where data is collected and stored may have different rules around privacy and data protection then the place it is exfiltrated to.
If I give my data to a company in one place that has strict laws on what may be done with that information, I don’t want it escaping to a low-protection jurisdiction where there are no penalties for selling it to the highest bidder for god knows what purpose.
If there was an acceptable worldwide convention on personal data privacy that would solve the problem. Until there is, it matters a lot.
The EU has a law that said you must treat data of their citizens with respect. Fine, that's great. Any business that has a presence in the EU will need to follow that law. At that point, why does it matter where the bits are actually stored? Can the EU for some reason not enforce its privacy laws on Uber if Uber keeps its data somewhere else?
Conversely, if a business has no presence in the EU, can the EU enforce its data location laws on them?
The only thing that seems to matter for enforcement is where the company is located, so I'm really unclear what data location has to do with anything.
Yes. Even assuming these laws still work if data is in another jurisdiction (prob. not), they become unenforceable. If someone sells your data in, say, Somalia, how could EU gather evidence and start a legal process?
Maybe not, especially if they are separate corporate entities. Uber EU may choose to pay for operation of data storage by Uber US. Uber US is not under the same privacy restrictions and sells the data for profit, then what? Who sues who and for what?
This is also partly about governments - the US in particular is known for compelling access to servers that are on its soil and doing large-scale spying (not that EU powers don’t do the same, but bear with me). Companies operating in the US may not be legally able to guarantee data privacy. So having the data not enter US jurisdiction in the first place is considered safer.
In the case of EU countries (I think its part of gdpr), services that handle personal data need to make sure that that data stays safe. The only way they can do that is to make sure that the data stays in a certain region.
I think that is why op is advocating for stronger laws. Due to lax privacy laws in the US, it's impossible for European companies (and other privacy concerned companies) to host their data in the US, therefore your missing a share of the market
This explanation makes sense, but assuming "certain governments" includes the US then the remedy isn't stronger laws in the US, it's weaker laws—it means that the US was the first to break the borderless internet and it needs to rewrite its laws to be border-agnostic.
Global network of computers where data ultimately flowed to American mainframes. Countries realize data is a resource / liability / vunerability, and even if most struggle to profit from it, they'd still want sovereign control over it. You only really control things on your soil. Physical location / possession matters for control.
This feels like an outdated worldview that no longer really applies to data. Data can be exfiltrated from the EU in milliseconds and there's nothing that the EU can physically do about it short of setting up a great firewall a la China.
The only thing they can do about it to retain sovereignty is to tell companies they're not allowed to exfiltrate data. But if they can do that successfully, they can also just tell the companies what they're allowed to do with the data wherever it is in the world.
If that someone is a legal entity within your jurisdiction, you have lots of options.
I edited my original comment to link to someone who gave a good explanation—what I hadn't considered is how difficult tracking suppliers and subcontractors recursively and ensuring that they all have a presence in the EU would be. I think it's a bad solution to that problem, but it does make sense.
https://incountry.com/blog/data-residency-laws-by-country-ov...
These laws seem to have been written for the age of fax machines, not for today.
It seems the dutch regulator is saying "why don't you just go away?". The feeling is likely mutual.
> All DPAs in Europe calculate the amount of fines for businesses in the same manner. Those fines amount to a maximum of 4% of the worldwide annual turnover of a business.
The participation exemption in the Netherlands allows companies to receive dividends and capital gains from qualifying foreign subsidiaries free from Dutch corporate tax. This is particularly beneficial for multinational corporations with substantial foreign operations, as it prevents profits from being taxed multiple times as they move up through the corporate structure.
The Netherlands is a popular location for holding companies due to its favorable tax regime for holding and managing subsidiaries. The combination of participation exemptions, tax treaties, and rulings makes it ideal for structuring complex international operations.
So... a nation like the Netherlands optimizes their tax laws such that it's advantageous for businesses that are otherwise completely unrelated to their nation to HQ in their nation to avoid their proper tax burdens in the country they were started in and operate in much more significantly, for the benefit of the Netherlands getting additional tax revenue and to the detriment of other nations who would otherwise be able to tax that business.
Some people might call that a "tax shelter." Since it you know, benefits Uber, benefits the Netherlands, at the detriment of the nation(s) that Uber operates in...
> > The appeals process is expected to take some four years and any fines are suspended until all legal recourses have been exhausted, according to the DPA.
fine is suspended. it will take 4 years of appeals :)
what is the major insight that you are trying to share?
> Although the fine comes from the Dutch regulator, the investigation began in France. In June 2020, 21 Uber drivers there stepped forward to human rights organization Ligue Des Droits De L'homme Et Du Citoyen. Another 151 Uber drivers later joined that complaint. The LDH took that complaint back to the CNIL, France's national privacy regulator. The latter forwarded the complaint to the Dutch Personal Data Authority in January 2021 because Uber's European headquarters is in the Netherlands.
Uber is almost invisible there because they continue to blatantly break the law, and even when told to stop, they continue like nothing happened. (https://www.wsj.com/articles/dutch-authorities-raid-uber-off...). This seems to be just another case of the same hubris.
Of course Uber faces pushback when they act like that.
Maybe a pipe dream though. I haven't given it serious thought.
building alternatives takes time and resources. the EU has neither.
a diverse, competitive tech ecosystem with both EU and non-EU players is better than a protectionist approach.
hoping for an exodus of major global players when you’re leapfrogged by both China and the US…
This is kind of a FUD fueled false dichotomy, when the truth is we can't know if the EU doesn't have time or resources if it never tries.
What the US has that EU doesn't is the infinte money to throw in the bonfire at moonshot projects knowing that 99% will fail and the 1% will be hugely successful, but now the market is mature with less untapped opportunities, and the EU doesn't have to spend like the US did to achieve the same results, since we now know what works and what doesn't and how to make an Uber that's compliant with local regulations while using less money.
at a macro level i don’t think things stand still waiting for the europeans to catch up. i think things are moving extremely fast and you either adapt or “stagnate”.
This is a smartphone app that buys a local service that already exists, it's not hard... In fact alternatives already exist.. I mean of course they do cmon.
On the flip side do you realise the lithographic tech used to build your Intel fabs come from EU? (ASML) building an alternative to that will take serious time and resources. EU is not some third world country.
* ride hailing alternatives: FreeNow, Bolt
* food delivery: Wolt (technically owned by DoorDash, but still), Just Eat, Bolt Food
* bikes / scooters: Tier, Bolt, NextBike, Voi, and many others
If Uber leaves, there won't be any void to fill.
The EU does not have the motivation, mostly. They are not rivals of the US in the way China is. So money goes elsewhere. Europe is still a continent with a whole bunch of people and quite a lot of money. The path of least resistance is to just use American solutions in some areas and to develop others locally. This might change and if there is a vacuum, it will be filled quickly.
Food delivery companies, ride sharing companies, flight & boarding booking companies are all expendable. If one goes down, another one will spring up tomorrow.
Oh no. What would we poor Europeans do without a US company to lead us. /s
Of course local and regional players would appear, as they always have and are already in place in multiple segments.
Bolt, Glovo, Delivery Hero and many others are successful competitors to different Uber offerings in the different European markets they operate.
The biggest gap in Europe is not due to a lack of technical ability but rather of European wide capital that's not super risk averse.
It’s both. Copying a validated business model is not a sign of competency.
And no, they won't leave. They will comply in order to have access to the European market.
All the "Uber" rip-offs in Norway are worse than Uber was last time I used it. Not that anyone can afford to use a taxi here anyway unless the government covers the bill, which they do and which is the only thing that keeps taxis employed, I think.
They will however keep lobbying, support candidates favorable to them etc.
EU (and other governments) should be vigilant all the time. The moment they take it easy a bit, big tech will be back to their usual shenanigans
The company registration with headquarters in the Netherlands begs to differ, as do all those European Uber drivers
So they sent their documents to the local company, which in turn transferred them overseas. I really fail to see how this is the drivers’ fault.
"In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care", Dutch DPA chairman Aleid Wolfsen says. "But sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union. Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious."
This privacy requirement at least makes sense, it is the local government’s responsibility to protect their citizens privacy.
Comments like the above reflect how big corporations have gotten, they will push and bend the laws until someone hits back. This is an example of a government hitting back. Good on them