Sure, you want to host customer data from Europe in Europe (latency-wise) anyway, but now that this will be more or less required it will be interesting to see how people will solve this. The good thing is, with "the cloud" you have a lot of options (locations) to choose from.
It is already an interesting experience trying to explain to off-shore companies that they cannot just take our data like that.
Well they can in practice, but then better prepare some good explanations in case the company gets a security audit from the local government.
I know that if I use Yandex, at least some of my data is going to reside in Russia. If Dailymotion, France. I consider it up to me as a consumer to decide whether that's what I really want. I don't consider it my local government's job to force those companies to change their business models.
It's sad to see how the judges of the courts are more on the side of the people than the politicians they elected...
Judges usually have tenure; this makes a huge difference to someone's impartiality.
I'm not sure if it means anything for them. If a company does not have a business presence in the EU, it likely isn't subject to EU jurisdiction at all. This case happened because Facebook is a multinational company with a European subsidiary in Ireland and was sued before the Irish courts. Companies that may be affected by this are:
* Multinationals that exchange personal data between their US and their EU branches.
* Companies in the EU that are in a business relationship with companies in the US and as part of that business relationship send personal data to the US.
* Companies in the EU that avail themselves of US data centers and store personal data in those data centers.
Non-European companies that get paid for services rendered to EU citizens or countries.
If found to be violating laws, the ECJ can order banks to block payments made to those companies from within the EU, which harms their bottom lines between nothing and a lot.
Actually they were sued before the European courts. Specifically the European Court of Justice, which is in Luxembourg. I don't believe there was any case in the Irish courts.
You build houses - think of it like fire safety rules. "What do you mean I have to keep track of all the fire safety rules for the country I build the houses in? Can't I just keep track of a set of rules of my choosing instead?" -- well, no, for one, and even if you could, that'd be a bad idea. Almost universally, there are good reasons behind specific rules in the fire code. (And in the rarer cases where the rules really are broken, that's a problem with the law, but not one that can't be fixed.)
Unfortunately, most companies don't give a rat's about their customers' privacy (we care deeply about it, we swear). What really should happen instead is that US customers demand laws like the ones we have in Europe.
Or just host everything in Europe.
Or lobby Congress to stop shitting all over privacy so that the US can be considered a safe harbour again.
Without replication between locations, you're stuck: replication IS data transfer.
With such a ruling, you can't implement an intercontinental social network anymore.
"Look, the EU is reasonable and wants to get rid of the cookie ruling and the high bar for startups on geographical server requirements - TTIP would allow all this to happen!"
These countries are demanding we run our services in their countries. This is a money grab.
Note that these same countries expect the United States to act as World Police, and do not contribute as much money as they should. They want the US to know about attacks ahead of time. I wonder how the US could possibly know about attacks ahead of time?
I deplore mass surveillance. I really do. But I think wiretapping with a warrant is a necessary tool for fighting crime, and terror, and bad state actors.
There's a part of me that desperately hopes all major internet services just shut off Europe entirely. Welcome back to the Stone Age.
The court's decision hurts the internet, hurts small companies on the internet, and hurts the ability of the United States to fight terrorism.
I may not have worded this opinion particularly well, but it's ridiculous that my comment cannot even be expressed.
Large service providers like Google and Amazon can and will comply with the laws. It is possible that social media start-ups will be unable to operate across borders due to regulations, but this will hardly be a staggering setback to the European populace's ability to share photos of their food. I doubt there are any real implications for things like freedom of speech/expression: these types of services are already effectively illegal in places with heavily authoritarian governments.
There will be services that have not yet been invented. We cannot presume to know what they'll look like, but there's a big chance the startups that invent them will be harmed by this ruling. No, big services run by established players will not die, but that's hardly the point.
Only large service providers will be able to comply with all of the laws. Why are we patting ourselves on the backs for this?
What's not legal is warrantless universal wiretapping.
(Also, I don't want the US to be "world police"! Like US domestic police they are far too trigger-happy. And the US is one of the few countries not signed up to the International Criminal Court. Would you want a police without a court?)
They hand over Roman Polanski, and we're off to a good start.
> What's not legal is warrantless universal wiretapping.
So punish the government of the United States - not the businesses.
> Would you want a police without a court?
That's called "a military." And yes, I want a military. And since our enemies don't bother to dress up in bright-colored uniforms, and stand in a row in a field anymore, our military needs to be a lot more nimble. And since our international efforts (the UN) are often blocked by one or two security council members, I'm not impressed with the UN's ability to keep the peace.
No, it really isn't. It won't be effective but the judge here is not aiming for EU companies to earn more money.
> There's a part of me that desperately hopes all major internet services just shut off Europe entirely. Welcome back to the Stone Age.
Economies have become so intertwined that shutting Europe 'off the internet' by any other party (presumably the US or the rest of the world) is no longer feasible. It will backfire tremendously on those doing the shutting off.
Besides that, you wouldn't really shut the internet down, merely split it. Even North Korea has internet access.
> Economies have become so intertwined that shutting Europe 'off the internet' by any other party
BS. Google shut off China. Independent companies are free to not do business anywhere the laws are stifling. I think it would be awesome if they did it all at once. Internet Blackout for Europe.
Nobody (except some Americans) wants this.
"I deplore mass surveillance. I really do. But I think wiretapping with a warrant is a necessary tool for fighting crime, and terror, and bad state actors."
I hate X but Y is necessary (because I said so) so let's do X anyway.
"There's a part of me that desperately hopes all major internet services just shut off Europe entirely. Welcome back to the Stone Age."
If by stone age, you mean 2006, great.
Why do you think that? And how about https://en.wikipedia.org/wiki/United_States_and_the_United_N...
I am actually appalled the Netherlands actually contributed to your shitty conflicts.
"Governments in Australia, the United States, New Zealand, Canada, Singapore, Vietnam, Malaysia, Japan, Mexico, Peru, Brunei, and Chile will be unable to force companies from those countries to store government data in local datacentres ... governments will not only be prevented from mandating data sovereignty provision, they will also be unable to demand access to source code from companies incorporated in TPP territories."
Restricting laws are always costly: environmental laws, for example -- how costly it is not to be able to pollute the air, the water, the people. Having filters, having restrictions, using alternative fuels ... this all costs. And reduces the growth rates of our economies .... Better remove those laws and instead install strict intellectual property laws with unrestricted duration of protection.
That is how a (capitalistic) economy works: put the costs of the business on the shoulders of many (the people of the country) and the benefits (the profits) on a few people.
Unless I'm missing something, the US government (and NZ, and Australian, etc.) just completely sold out their citizens' privacy to a whole bunch of foreign nations, including a communist dictatorship. Wow.
(There are some narrowly focused privacy laws like HIPAA)
https://www.fdic.gov/regulations/examinations/offshore/ :
> "Few legal restrictions exist on financial service companies sending customer data to foreign countries. Financial institution customers may not opt out of these information transfers to nonaffiliated service providers if the transfer is for a purpose described in section 502(e) of the Gramm-Leach-Bliley Act (GLBA). For example, the opportunity to opt out does not apply where the information transfer is to: (1) service or process a financial product or service that the customer requested or authorized; or (2) maintain or service the customer's account."
My guess is that what it really means is that such companies are allowed to operate. OK, fine. But no one is forced to use them. So the US might say "Nice service, Vietnam. But we won't buy it unless you put servers in the US." They aren't forcing anyone to do anything.
No, it doesn't, de facto, because the biggest (by user count) internet services are based in and operated from the USA, e.g. Google, Apple, Microsoft, eBay, YouTube, Twitter, Uber etc. And it probably will not change in the future. So keeping the current situation is good for the USA and bad for everyone else.
It is better to have local services so the money and personal data don't go overseas and they help the local economy. The current situation is obviously wrong. There are customs duties that protect local companies, and there is nothing to protect them on the internet. So we have the USA taking over this new market. This should be changed.
China is an example of a country that has its own search engine, blogging platforms and video sharing sites, and most people prefer them over USA-based websites.
> just completely sold out their citizen's privacy to a whole bunch foreign nations including a communist dictatorship.
No they did not because nobody uses services from those countries.
At the very least we may see that the TTIP Tribunal would override ECJ rulings (terrible idea for obvious reasons), but I'm hoping that if such an agreement is passed, the ECJ would also rule it invalid for not being in accordance with EU regulations and the fundamental charter of human rights.
Stated that way, it sounds far more reasonable. Source code, yeah of course. You don't want country X being able to demand country Y's company's source right?
And the data centre requirement also makes sense. You can't lock out online competitors on grounds that they aren't setting up local servers. But I don't see anything that mandates you must buy from such a service. If Mexico starts a cloud hosting company and refuses to run Canadian servers, Canada is under no obligation to buy such service. They just can't ban the service for not having Canada-based servers.
The article states that Russia's law requiring Russian personal info to be stored in Russia would be banned if Russia was in the TPP. But they don't state the language used there. It wouldn't be surprising if all other rules and regulations apply. It wouldn't make sense if, say, HIPAA didn't apply to foreign-country clouds under TPP. And if HIPAA applies, then why wouldn't other privacy regs?
If it's a public safety matter, then yes I do actually.
I do. Company X is totally free to not operate. My citizens' well-being, or my ability to oppress my own people - depending on the type of country - trumps company Y's rights to make profit from my people.
If I host a website that has user accounts in the US, and do not stop people from the EU from registering, do I, with no offices outside the US, need to do something different because of this ruling?
If your user is submitting their own personal information to servers outside the EU, that's their lookout. That's what seems to apply to you. Carry on. Nothing to see here.
But if they're submitting to one of your nodes within the EU, they can consider that the data will continue to benefit from the protections being in the EU affords it. Moving it to the US without their permission does not abide the EU protections.
Then (from the company's perspective) I've accomplished the same ends, at a cost to the user (latency), and gone from illegal to legal.
That seems pretty ridiculous.
This would perhaps include deleting data that customers ask you to delete, not storing personal data without direct permission, nor when you no longer need it to provide your service, etc.
This only comes into effect if the data is at any time stored within EU jurisdiction.
Border control with data is the worst idea ever.
Think of it: my Facebook friends list has EU and US people in it. This list can't reside in the EU or the US. This webpage can't be served by either an EU or a US web server. By law. LOL
Plus I'm an EU citizen, and I can choose to give my data to whoever I want... no more. That's sad.
This ruling only shows the dismal tech knowledge of lawyers and lawmakers. It's impossible to implement Facebook with data spread between the EU and the US. Same for Twitter and others. Say goodbye to social networks. Because of model denormalization, because of network latency and intercontinental bandwidth.
Some mention cloud zones, but they're only useful with replication, which IS data transfer.
OR... social networks will cheat. And one day, they'll be sued for cheating the impossible regulations (think VW...)
But the article says "Facebook and Twitter [...] could be forced to host European user data in Europe".
That's way more aggressive than just a contract change and poses a threat of technical blocking problems.
I think you're misunderstanding the ownership of the data, hence the down votes. If I as an EU citizen create a private friends list like this, that list belongs to me. If I live in the EU but create the list using a US service with servers in the US, there is no problem. US privacy laws apply. If I create the list using an EU service on EU hosted servers there is no problem, EU privacy laws apply. However in this second case if the internet service company wants to transfer the list from their EU servers to their US servers without my explicit permission, that's a problem.
When I publish something in Europe, my friends need to see it too in the USA. And you can't build a Facebook wall with intercontinental latencies. You need replication.
It's a social graph, and you can't split it between US and EU: data has to be replicated across borders (or face massive latency and bandwidth).
Those words don't actually mean anything.
It's not bidirectional: you could keep it in the EU and serve it from there.
This bit jumped out at me:
> Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.
>This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.
My reading (not a legal expert) is that data residency is the important bit here. Which in my view is a small step but not sufficient.
This means that a lot of US companies are now exposed to EU privacy regulations where previously they only had to account for US privacy regulations.
The US privacy regulations are no longer considered compatible with the EU privacy regulations. That has much more impact than just data residency.
In the financial sector, the extra-territoriality of US laws has been a problem for decades. Securities issued in the EU, by EU entities and marketed to EU investors end up having some language referring to which US regulation they fall under out of fear that a US person will end up buying it, and the US applying their laws and regulations.
Maybe I'm missing something here.
My understanding is that the Safe Harbour agreement wasn't a mechanism for US companies to avoid EU data protection regulations... it was a certification that they did comply with EU data protection (particularly in situations where that data was transmitted outside the EU).
Now it's gone, EU customer data held by US companies will be governed by national data protection laws instead, so may end up having to be stored within the EU.
> The US privacy regulations are no longer considered compatible with the EU privacy regulations
I don't think they ever were, which is why the Safe Harbour needed to exist in the first place.
The agreement was that US companies sign a list with the US Dept. of Commerce that they considered themselves in compliance with EU regulations when handling EU citizen data and that would give legal immunity to them and their subsidiaries in the EU.
This ruling means that EU countries are now allowed to check if they are lying or not.
Hopefully they'll restrict that and require a higher threshold for consent than someone clicking "I agree" to 100 pages of dense legalese.
As, obviously, this ruling means no one – not even your website – may give out my data to US entities, including Google. So any type of tracking like that is now illegal.
IANAL.
> Max Schrems, an Austrian lawyer and privacy activist, has done everything he can over the last several years to be a thorn in Facebook’s side.
My alternative perspective: Max Schrems, an Austrian lawyer and privacy activist, has done everything he can over the last several years to protect the rights of European citizens whose privacy has been abused and invaded by US firms.
Question: Why do companies HQ themselves in the US? Why not pick a friendlier country, then turn their US parts into a simple contractor that supplies software development and engineering resources? Then the US company would not have actual ownership of any data. Forcing them to reveal customer records would be the same as forcing an individual to steal data, right?
Today you get to learn about: American Exceptionalism!
It is important to realize that, within the US, there is essentially a universal belief that the US is the best place to live, work, or be in the entire world. The debate is not so much whether the universe revolves around the United States, but which city exactly the axis passes through -- New York, DC, San Francisco, LA. It is very important that a universal axis has a commonly used two letter acronym, which is why not even a Chicagoan seriously believes the axis is through Chicago.
When the EU makes privacy complaints against US companies, the common perception -- even among US citizens who disapprove of domestic spying programs -- is that something is wrong with the EU. The idea that the EU could be right to hold a US corporation accountable to their laws never even occurs.
No American could ever conceive of establishing the HQ of a US corporation outside the US -- except maybe as part of a skeevy tax dodge. The US is the best place in the world to live, work, and run a business. Why would you want to go anywhere else? To be fair, most of the US companies that do establish some sort of off-shore setup are engaging in some sort of skeevy tax dodge.
Maybe incorporation in the US really is better, at least for US citizens. It's easier to deal with local courts than foreign courts. If your European subsidiary runs afoul of some regulation in a major way then they probably can't take your assets from your US-based parent company. The US is arguably more business friendly in many ways.
Nowadays that's not true but the US startup VC is a lot stronger in the US for a bunch of reasons, so new startups tend to be established there much more often (with the financial tech field being the exception I believe). If you're making a new company you're going to make it where you live just out of sheer convenience.
At least in the tech sector...because the U.S. currently has, by far, the most venture money [1] and the largest addressable market[2].
[1]http://pitchbook.com/pr_20150109_1.html [2]http://techcrunch.com/2011/12/23/flurry-largest-addressable-... (slightly old)
Amazing to see what one determined person can do!
There is no safe harbor inside the EU because EU privacy law already applies there and the regular legal mechanisms apply.
Good. If you want to be a multinational company, then you should have to obey the laws of each country.
Good luck with that. If the US mandates you do X and EU mandates you do !X.
Are you suggesting that one of those laws should be changed to make it easier for multinational companies to operate, even though there was a good reason for the law in the first place? Because I would say that if the company absolutely has to keep customer data then they shouldn't operate in a country where that is illegal, and if they refuse to keep customer data then they shouldn't be operating in the country where it is required.
Somehow the tech industry seems to think it should be exempt from that, even if it means being allowed to piss all over the basic civil rights of citizens of modern Western democracies.
Yes, this is a problem that needs to be solved given the reality of modern cross-border online services. But it can't be solved by the corrupt political elite simply selling their citizens' hard-fought rights to corporations operating from countries that lack respect for such rights.
And you wonder why it's tougher to do startups in Europe...
I'm pleased by what the ruling says about the NSA and the pressure it puts on the need for reform, but less than pleased about the practical implications.
Updating your name, birthday and other personal information would take an extra 100 ms in order to POST to the US, but it could then be replicated back out to the EU for reads if necessary for performance.
The proposals include being able to levy a fine up to €1,000,000 or up to 5% of the annual worldwide turnover (whichever is greater) if they fail to comply with EU data protection rules.
[0] https://en.wikipedia.org/wiki/General_Data_Protection_Regula...
This is not a blanket-panic for all US/EU companies as the media are projecting.
If I ask Facebook to delete my data, they are absolutely bound by this. There is no legal way anymore to just hide the data from me.
http://www.salesforce.com/company/privacy/data-processing-ad...
What if I don't want my data going to the US though?
This said: Probably yes. EU data laws are mostly about private information, for example private chat messages, etc.
If you only store email accounts, you might get around the laws, but if you store anything like payment information, communication between users, etc, you effectively now have to follow EU data laws, which mean: You can’t give any third party (not even your government or hoster) access, you can’t store it in countries where the government might just seize your data (like the US), etc.
* Will we need to partition user data based on location, even if they are in the same organization?
* What happens when a user in the EU sends a message to one in the US? Right now the chat history for a one-on-one conversation pair is stored in one place; does this ruling mean that we now have to duplicate this chat history for both users?
* Even worse, what if multiple EU and US users are part of the same chat group? Is there any way we can store the group's chat history in one place?
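One way to make the partitioning question concrete, as an added example that is not code from this thread or from any of the companies named in it: a residency policy that pins a conversation to the EU whenever any participant is an EU user, serves reads from there, and refuses to replicate the record out of the EU unless every EU participant has given explicit consent (as opposed to a buried terms-of-service clause). The two-region model, the `consents_to_transfer` flag, the `conv_id` field and the sample users are all assumptions constructed for the example; which rules actually satisfy a given supervisory authority is a legal question the code does not answer.

```python
"""Data-residency routing for a chat service with EU and US users.

Added example; not code from the thread. Assumptions (constructed):
  - exactly two storage regions, "EU" and "US";
  - every user record carries a residency region and an explicit,
    separately recorded consent flag for cross-border transfer;
  - policy: any EU participant pins the primary copy in the EU;
    replication of that copy to a non-EU region is blocked unless all
    EU participants consented; reads that cannot be served locally are
    routed to the home region (latency instead of a data transfer).
"""
from dataclasses import dataclass, field
from typing import List, Set

EU = "EU"
US = "US"
ALL_REGIONS = (EU, US)


@dataclass
class User:
    user_id: str
    region: str
    consents_to_transfer: bool = False  # explicit opt-in, default off


@dataclass
class Conversation:
    conv_id: str
    participants: List[User]


@dataclass
class ResidencyDecision:
    home_region: str
    replicate_to: Set[str] = field(default_factory=set)
    blocked: Set[str] = field(default_factory=set)
    audit: List[str] = field(default_factory=list)  # one line per decision


def home_region_for(conv: Conversation) -> str:
    """Primary copy lives in the EU if any participant is an EU user."""
    regions = {u.region for u in conv.participants}
    return EU if EU in regions else US


def plan_residency(conv: Conversation) -> ResidencyDecision:
    """Decide where the primary copy lives and which regions may get a replica."""
    home = home_region_for(conv)
    eu_users = [u for u in conv.participants if u.region == EU]
    decision = ResidencyDecision(home_region=home)
    decision.audit.append(f"{conv.conv_id}: primary copy in {home}")
    for region in ALL_REGIONS:
        if region == home:
            continue
        # Replicating EU personal data into a non-EU region needs consent
        # from every EU participant; replication into the EU is never blocked.
        missing = sorted(u.user_id for u in eu_users if not u.consents_to_transfer)
        if region != EU and missing:
            decision.blocked.add(region)
            decision.audit.append(
                f"{conv.conv_id}: replication to {region} blocked, "
                f"no consent from {','.join(missing)}")
        else:
            decision.replicate_to.add(region)
            decision.audit.append(f"{conv.conv_id}: replication to {region} allowed")
    return decision


def serve_read_from(decision: ResidencyDecision, requester_region: str) -> str:
    """Region a read is routed to: local if a copy is permitted there, else home."""
    if requester_region == decision.home_region or requester_region in decision.replicate_to:
        return requester_region
    return decision.home_region  # cross-region read: pay latency, not a transfer


def demo() -> ResidencyDecision:
    """Constructed sample: a mixed EU/US group where one EU user has not consented."""
    alice = User("alice", EU)                           # EU, no consent
    bob = User("bob", US)
    carol = User("carol", EU, consents_to_transfer=True)
    group = Conversation("group-1", [alice, bob, carol])
    decision = plan_residency(group)
    for line in decision.audit:
        print(line)
    print("US reader served from:", serve_read_from(decision, US))
    return decision


if __name__ == "__main__":
    demo()
```

With the sample group, the primary copy stays in the EU and replication to the US is blocked because one EU participant has not consented, so a US reader is served from the EU; once every EU participant has consented, a US replica is allowed and the US reader is served locally. A conversation with only US participants is homed in the US and may be replicated into the EU, since nothing in the policy restricts that direction.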
Even if the NSA (and GCHQ) wasn't collecting everything, US law still wouldn't provide enough protection to comply with EU privacy norms.
> However, US companies that obviously aided US mass surveillance (e.g. Apple, Google, Facebook, Microsoft and Yahoo) may face serious legal consequences from this ruling when data protection authorities of 28 member states review their cooperation with US spy agencies.
Can't wait. This is going to be good.
http://www.politico.eu/wp-content/uploads/2015/10/schrems-ju...
Being in compliance is fairly easy for large companies, but it's going to be a challenge for startups.
This ruling ignores the decentralized nature of the internet.
Worst case is Europe being shut off from any tech advances, while the Pacific region from Cali to China takes off.
Some big companies should finally stop talking and start acting, this is the only chance for a real change.
Cut the NSA-Brotherhood ties! These little Hitlers from all the affiliated "Clubs of Dystopians" and the War-Industry completely destroyed the most important association of "USA == Freedom" in the world. Face it. Deal with it. Act accordingly.
For people interested in history: it might be interesting to look at the post-WW2 de-Nazification process in Germany to understand how hard it is to remove established circles of anti-democratic bureaucrats from power structures. This will take a very long time (if it happens at all).
The better immediate reaction would be to support progressive and freedom-oriented societies with your technical powers until the "good old USA" is restored. Europe is not perfect, but what happens in the USA nowadays is pure dystopia, a very unhealthy development that will lead to a negative outcome for all of us.
Once people came to the USA because of suppression and lack of freedom in their home countries. Just a few generations later, if you have the same sense of and longing for freedom as those ancestors of yours, it is now time to leave that continent, as the suppressors followed your trails - come home to Europe and together we can build a better future!