I think I’m missing your point here. Let’s say Texas passes a law that all Texans’ data has to be processed in Texas, and because cowboys don’t give a shit there’s no consideration for the EU’s law.
What would the appropriate way for Meta to handle a friendship between a Texan and a European be? They can’t process the Texan’s data outside Texas, and they can’t transfer the European’s data outside of Europe. Disallow them from being friends?
You are misrepresenting this ruling. Any data that the user gives informed consent to share can be moved wherever the user consents. This ruling is about sending user data without any active informed consent.
Not so simple. Even with consent you aren't really allowed to store in America, because America is assumed to be an unsafe country (because the govt can at any moment force a US company to show the data).
I don't think users can consent to ongoing general-purpose data transfers.
This is from the European Data Protection Board FAQ following the Schrems II ruling. Does the text of the new ruling say something different?
> 8) Can I rely on one of the derogations of Article 49 GDPR to transfer data to the U.S.?
> it should be recalled that when transfers are based on the consent of the data subject, it should be ... specific for the particular data transfer or set of transfers (meaning that the data exporter must make sure to obtain specific consent before the transfer is put in place even if this occurs after the collection of the data has been made)
> With regard to transfers necessary for the performance of a contract between the data subject and the controller, it should be borne in mind that personal data may only be transferred when the transfer is occasional. It would have to be established on a case-by-case basis whether data transfers would be determined as “occasional” or “non-occasional”. In any case, this derogation can only be relied upon when the transfer is objectively necessary for the performance of the contract
The EU isn't saying that personal data has to be processed only in the EU. They're saying it has to be processed somewhere with adequate standards of data protection.
Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, and Uruguay.
As long as international companies have the option to exclude any local government, they can simply vote by participation. Texas requires something that a Swiss social network cannot abide? Block Texas.
This doesn't work when a law doesn't allow some foreign company to escape, though. Suppose Texas decides that toy makers are liable for toys that hurt children. A Swiss company that makes army knives for kids decides not to sell to Texas, but other people buy some and then resell them in Texas. If the original manufacturer can't avoid the local government, that's more complicated.
Because I don't see anyone downstream agreeing with you, I just wanted to hop in and +1 that I think you're REALLY making good points throughout this thread. I think a lot of folks are having trouble imagining a world beyond "EU laws" and "US laws". If every national or even state/provincial government has its own data laws (we already have 5 states in the US with GDPR-like legislation, and more likely on the way), then we're just accelerating towards a fragmented internet __with no opt-out mechanism for the individual__. When (especially smaller) companies get weighed down by legal interpretations and the fear of violations, they're just gonna start blocking more and more clients from everywhere outside their jurisdiction. (Apologies to the world, but I literally work on software that makes it easier to resolve geolocation for web devs and, among some other reasons, one of the top ones is to block certain georegions.)
Separately, while I'm all for internet privacy and am generally aligned with the _intent_ of GDPR, having had to meet its requirements at the highest level of scale, I have no qualms saying that it's truly a _terrible_ piece of legislation. Clearly whole sections were written without any regard for technical accuracy, and it leaves a number of ambiguities and contradictions within its language that continue to go without clarification. I don't feel like getting in the weeds here, but if you ever want to see people getting in the mud about how to actually comply with it, just go take a peek at the higher-comment threads in /r/GDPR.
Personally, I'd much prefer a cascading set of standards coming from a technically oriented consortium of (ideally OSS) folks that could be enforced from the client side as much as possible, and then independently audited on the server side (like a UL certification, but for your server architecture). Most of us here are probably already using a ton of client extensions to enforce as much privacy as we can without breaking things, and if an OSS auditing standard came along for servers, it'd be sweet if I could e.g. set my browser to "EU data servers only" and have my browser give me an option to explicitly override it if I really need to (like we do today with bad SSL certs).
As for the data export and deletion controls...I get the argument that's only enforceable via regulation and government enforcement. But given the ease of data replication and laundering (made even easier in a post-ML world), I'm not optimistic that you can actually "catch" people violating it except against the absolute largest corps ("yeah, we totallyyyyyy deleted all your data, for sureeee"). Feels like it's enforceable at about the order-of-magnitude of insider trading in the US.