
This is the decision: https://edpb.europa.eu/our-work-tools/consistency-findings/r...

From the press release:

> The inquiry was initially commenced in August 2020, and was subsequently stayed by Order of the High Court of Ireland, pending the resolution of a series of legal proceedings, until 20 May 2021. Following a comprehensive investigation, the DPC prepared a draft decision dated 6 July 2022. Notably, it found that:

> 1. the data transfers in question were being carried out in breach of Article 46(1) GDPR; and

> 2. in these circumstances, the data transfers should be suspended.


So, what I don't understand is:

Based on the EDPB Decision [1], it seems most of the weight of the decision comes from paragraph 107:

> As explained by the EDPB in its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (hereinafter ‘EDPB Recommendations on Supplementary Measures’) [243], when assessing third countries and identifying appropriate supplementary measures, controllers should assess if there is anything in the law and/or practices in force of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools that they are relying on [244]. In this regard, the EDPB notes that, according to Meta IE’s assessment, ‘the level of protection required by EU law is provided for by relevant US law and practice’ and that Meta IE implemented supplementary measures in addition to the 2021 SCCS in order to ‘further ensure that an adequate level of protection continues to apply to User Data transferred from FIL to FB, Inc’ [245]. In other words, Meta IE has implemented supplementary measures on the basis of an assessment which concluded that there was no need for such measures, since, in Meta IE’s view, the relevant US law and practice were already providing a level of protection equivalent to the one provided under EU law

My follow-on question: let's say they understood the risk. I fail to see any safeguards which could be equivalent to EU law? FISA 702 + other intrusive surveillance laws basically make this impossible.

So it seems that because Meta:

> seems to identify its own test for determining suitability of supplemental measures by lowering the standard to include measures that can “address” or “mitigate” any “relevant remaining” inadequacies in the protections offered by US law and practice and the SCCs’ [249], and concludes in the Draft Decision that ‘Meta Ireland does not have in place any supplemental measures which would compensate for the inadequate protection provided by US law’

I'm just confused what would have been sufficient for Meta in this circumstance?

The decision continues in paragraph 121 to say:

> In this regard, the EDPB recalls that the IE SA carries out a detailed assessment of whether Meta IE implemented supplementary measures that could address the inadequate protection provided by US law [273]. More specifically, the IE SA analyses the organisational, technical and legal measures implemented by Meta IE and concludes that these measures cannot, ‘whether viewed in isolation, or in tandem with the 2021 SCCs and the full suite of measures outlined in the ROS’, compensate for the deficiencies identified in US law and cannot provide essentially equivalent protection to that available under EU law 2

I am aware of zero technical and organisational measures which could protect against FISA 702 DOWNSTREAM (PRISM), short of not transferring the data to the US?

Thoughts?

[1]: https://edpb.europa.eu/system/files/2023-05/edpb_bindingdeci...


You are right. The only solutions are to not host in the US and/or have a parent company in the US. And/or to get the US to apply basic human rights.

There is no other real way.

What would have been sufficient is to process all data in EU jurisdiction and transfer HQ to equivalent country.


But since it's a global network it means that they would have had to up and move the whole operation into the EU, which is pants-on-head stupid. The moment two countries have incompatible laws it all breaks down. This isn't something that should even concern Meta and should be a US/EU negotiation.


It has been a US/EU negotiation. Unfortunately the US is not willing to budge on its principle of “we get to look at whatever we want to without the need for a due process”.


I mean I could put it otherwise, which is that the US should maybe consider providing basic human rights to their citizens and residents.

If they do not, why would the rest of the world let them interact with them and endanger everyone?


Can you elaborate on what you mean by basic human rights?


Right to privacy and due process? At least for this specific problem. I recommend going to read the Schrems II opinion by the CJEU, it is quite readable.

After that we can extend to deeper Human Rights but let's start with the basics.


Or don't build global networks. Build local networks and federate them.


And the moment a user from the UK messages a user in the US?


Ultimately the EU is going to have to come up with a detailed compliance framework. The wording of the GDPR is too high-level and we can't trust companies to self-regulate.


What? The wording is really not high level, it is highly detailed. The fact that we refuse to acknowledge it is not due to the language not being detailed enough.
