A US user can see EU information. It's the storage and processing that's restricted. So, I would guess that the US user's facebook app would have to get its data from an EU server and show it to the US user, without storing it elsewhere.
I do not understand if or how the physical location of the servers matters.
As I remember, the EU-US data sharing agreement was killed (Schrems II) because of the US CLOUD Act, which infamously doesn't care where the data is stored - as long as the company is under US jurisdiction, it has to let the government snoop at will.
So, it seems to me that Facebook putting data on EU servers wouldn't matter? A three-letter agency could still go to their SV office and legally demand "give me an API key to query through your Irish datacentre and don't tell anyone". To protect EU citizens from that, the Facebook servers in the EU should treat non-EU FB servers exactly like third parties, using OAuth or similar restricted access protocols.
Not sure to understand why the US Cloud Act is « infamous » in that respect. It would make little sense to let companies operating under US jurisdiction store their data in unsearchable data havens outside of US territory. The act has to be fully actionable.
No as it was pursued before it. There are not yet any enforcement or complaint i know targeting the CLOUD Act because everyone agree it would be unenforceable right now.
Try to have an EU tech scene without Microsoft, Azure, Google, Google Cloud or AWS. Or Salesforce. Datadog. Etc
That just tells me that the EU is requiring all storage and processing to be in the EU, for every profile that is friends with somebody in the EU. Otherwise they can’t store the fact that we are friends.
To be more accurate, the EU is requiring all storage and processing to be in a country which doesn't violate EU privacy laws. That's reasonable and flexible.
So people in the EU just can’t have friends in the US or communicate with people in the US? How do I process a communication between a group of friends - some in the US and some in the EU - without the data being in the US?
Then their browser can get that data from another server. It may be more complex, no, it is more complex than storing everything in one large database, but it can be done.
> You really don’t see the added complexity of this and how this makes a worse user experience?
Bluntly said: IDGAF, and neither should you. Who cares if it's harder for facebook/meta to program? Must we waive our rights because of incompetent or cheap engineering?
The GDPR does make UX worse. If you have to click away a cookie banner, it's because companies love to try to coax you into accepting as many cookies as they can get their grubby hands on. Storing a cookie for session administration is acceptable. You don't even have to announce it. It wouldn't make much sense, because it's less useful than your IP address (for the purposes of tracking). Only if the site wants to do more, it must get the user's permission.
> nanny state
Sadly, technology is nearly incomprehensible to most people, and the state must protect their rights. The rest is either an authoritarian or libertarian fantasy under the pretense of liberty.
> Sadly, technology is nearly incomprehensible to most people, and the state must protect their rights. The rest is either an authoritarian or libertarian fantasy under the pretense of liberty.
So I’m sure you’re in favor of Apple’s “walled garden” to protect ignorant users, you want to make alcohol, cigarettes, sugar and everything else illegal that’s bad for users?
It’s sad that so many people are willing to give up their own agency because they don’t trust themselves to make intelligent choices.
People elected the government. The people made the choice. GDPR and other privacy protections are also widely supported by most people in Europe. It's so popular with the average person that vver 17 countries have already adopted laws based on GDPR. And it's common sense: most people like privacy and don't like someone invading their privacy.
So you're a libertarian, I guess. Abolishing protection doesn't bring freedom, it brings anarchy and in its wake, the right of the strongest. Look at the 19th century. Do you want to live in Dickensian horror? Because that's the alternative. There's no bucolic paradise awaiting after abolishing labor and health regulations. There's only exploitation of the weak.
We give up a bit of control to avoid losing more. That's a social contract that has worked very well, and I'd like to keep it that way. I'm sure you also benefit from it.
Facebook loses no control by not operating in countries where they can't obey the laws. You keep focusing on individual choice but conveniently never include Facebook as a party perfectly capable of making choices too.
Worse user experience depends on your priorities. Some people and companies think privacy is an essential UX factor. Apple, the most successful company in the world from time to time, agrees.
Facebook operates in the EU and the majority of EU citizens prefer their privacy. Facebook must obey the laws of the land if they want to operate there.
Just as Facebook must obey Apple's rules if they want to be in the app store.
Similar privacy laws applied to some EU phone companies long before Facebook existed.
These laws are good and should stay. If better privacy has side effects, that's fine. Do business elsewhere if you don't like the legal preferences of the locals.
If the majority of people preferred their privacy, would they really be using Facebook?
And you never answered the question, how do you have a social graph with people in the US or send messages to people in the US without storing data in the US?
Not my problem how you implement it. That's Facebook's problem. My rate is $600 an hour and I'll guarantee I can come up with a GDPR compliant solution within a year or you don't have to pay. That's far less expensive than the fines, isn't it?
> Just maybe the EU regulators are technologically illiterate?
Of course they are because
1) all regulators are technologically illiterate, these are not exceptions
2) regulations of this kind are fundamentally about people not microchips. They talk about results to people, not coding constructs or network topologies. If it's technically possible to do it, but not technically possible to do it legally, then maybe it's a bad thing and don't do it at all? If there's a new technology, is it exempt from current standards? Would you say, "hey, new weapon invented, it's legal to murder people with it!" ?
NB: I'm fairly certain that Instant messaging can be done legally; what maybe can't and shouldn't be done legally, is the FB business model of monetising user data over that. IDK why someone would defend it so strongly.
So do you also agree that e2e encryption with a backdoor is impossible to do securely? Should people not be allowed to use e2e encryption? The EU also is trying to pass a law forcing companies to have a backdoor to their encryption.
That's a gross exaggeration of what was claimed. The idea was that if a law is good but it prevents some companies from legally operating, that's ok. For example, if a company can't profit without using child labor then it's ok for that company to go out of business. Lots of folks feel the same about privacy. If you can't protect my data, then it's fine if you go out of business.
In order to collect, store and process data about people in the EU, you have to do so in a manner compliant with the EU law on that.
Collecting that data on a web page is a choice.
A semi-hidden security benefit of GDPR is that it makes people think twice before collecting and keeping data - you can't leak data that isn't in your database in the first place.
Does it really take that much of a leap of logic that if EU person sends data to a person in the US, that data is going to be stored on a server in the US?
>Does it really take that much of a leap of logic that if EU person sends data to a person in the US, that data is going to be stored on a server in the US?
Yeah, it does. A person in the US is not a server in the US. It's an iPhone in the US, not a server.
Does it really take that much of a leap of logic to understand that the server doesn't have to be on the same continent as the user?
Do you collect and store personal information for this website?
I bet you could find a dozen or more websites summarizing your legal obligations if you wanted to create one web page.
Since the context was Facebook, I was speaking about what businesses should do. And especially large businesses. As far as I've heard, the EU isn't chasing folks who run a small website.
>As far as I've heard, the EU isn't chasing folks who run a small website.
But they could, which has already had a chilling effect on small businesses. Even though the intent (and current enforcement) is to punish large companies, GDPR is written in a way that puts a large compliance burden on many small companies and startups.
I have zero problem saying your startup or small business doesn't deserve to collect my personal info if you can't protect it.
Doing your accounting, paying taxes, and following labor laws are also burdens on small businesses. Not every small business is profitable enough to manage those things and that's ok.
