We're not fragmenting the internet by looking after our own interests. This wouldn't be an issue if Americans viewed rights (and in this case privacy rights) as belonging to human beings as opposed to American citizens. The US's policy is what led to this:
> Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information
We had PII on Azure. We wanted to do business in France. We had to fork our services, and run a full stack on a crappy provider in France. They charged a lot more, would take weeks of vacation with zero support for us. It was a freaking nightmare.
EDIT: I love the responses I'm getting. People are in absolute denial that this does in fact fragment the internet. You may believe that's a good thing, and that's a rational discussion we can have. But don't lie to yourself, or to me, that this doesn't fragment the internet.
We didn't fork our code, we forked our services. We ran everything on Azure. Then we had to configure our kiosk devices to either talk to Azure, or to talk to our servers in France.
"Did you write your service to use proprietary Azure APIs without regard to vendor lock-in? Why not take this as an opportunity"
I'm sorry, do you have any idea of the cost of doing these things?
If you have 6 developers, total, how many of them are you willing to allocate to rewriting your stack, so that you can sell your product in Europe?
Nothing comparable to AWS/GCP/Azure.
The colo/managed provider they chose and had been working with for years was nigh incompetent. I was positive that being able to spin up infra in any of the clouds would have been a ton more reliable.
Imposing byzantine regulations on every webmaster on the planet isn't helping anyone, least of all the European user, who will increasingly be locked out from the rest of the planet.
I see very few advantages from these privacy laws but I use and appreciate US businesses every day.
Lots of loaded assumptions there, of course, starting with the first conditional clause.
It's not fragmenting the internet; fragmentation is the whole point of the internet. It's (re-)decentralizing something that has been decentralized the whole time, until these gluttonous whales decided to try to eat the whole pie.
And you're convinced that embodies "the whole point of the internet"?
Heh. Something tells me a devops engineer in France has way better work-life balance.
So then Hacker News has to launch servers in France.
And then French HN users are in an island, and only see other French HN users' posts and comments.
And, to be clear, you think that's a good thing?
Or was it before Azure had that? Looks like they’ve had it for a while, at least back to 2009 or 2010.
This was impacting us in 2014 to 2016, as I remember.
In the past people said that the Internet was made for porn. Today the Internet is seemingly made for advertisement and surveillance. It's not strange that so many people who worked in this industry for decades are feeling a bit lost in this new horrifying industry, which if the Internet really is made only to do advertisement and surveillance, I honestly think humanity is better off without it.
You should support companies with the best behavior.
I worked at a company that enabled a radiologist in one country to do a preliminary read of a CT scan performed in another country.
Cutting the amount of time for a CT scan, and even connecting a CT scan with a radiologist who specialized in that particular kind of scan, we saved lives.
And yes, there's also furry porn.
It's a tool.
I feel like I'm trying to convince you that BOOKS are good, despite the existence of hentai.
So why didn't you use Azure resources in Europe instead of "some crappy provider"? Sounds like you made a rod for your own back. If our clients are happy with Azure (in the right region) then I can't imagine many in the EU (other than perhaps national security services and their suppliers) reasonably refusing to allow use of it.
We host in Azure for some pretty significant financial organisations, mostly UK based but spreading our area. Some companies are requiring us to fully host in Azure DCs in their region, and some of those are Eastern, not UK/EU, based companies. At least one US interest that a friend's employer supplies demands data about its employees be hosted over there rather than over here, presumably so they can be assured it is kept to standards they are locally required to follow. Is it wrong that way around in your book too?
It isn't as easy as having everything in one region of course, but not much harder nor massively more expensive (caveat: most likely, as far as I know, I have the luxury of ignoring the bits that don't interest me and money is often one of those things, but I'm also senior enough that if there was something expensive happening, or something not happening due to expense, I'd catch wind as it would affect things I need to plan around) and it can't be as faffy/costly as using different providers in each territory.
If you are correctly following relevant regulations everywhere this does not fragment things any more than other rules that already existed. Aside from the fact things are being enforced this time, forcing companies handling PII to not quietly do things wrong because it is inconvenient to do things right. As an individual I'm perfectly fine with this.
https://news.microsoft.com/europe/2020/09/30/our-commitment-...
It took some doing which was the whole point. The local provider even got a chance to match the offer.
Looking at it from this angle, it seems perfectly reasonable for the EU to dislike the specifics of the analytics use case while still being ok with something like Google Docs.
But that's not what CNIL is basing their decision on: "The CNIL concludes that transfers to the United States are currently not sufficiently regulated...Indeed, although Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for US intelligence services."
I probably don't understand the legal issues fully, but it seems the worry is that US intelligence services may be tapping the lines and databases of Google, may have agents working at Google as badged employees, or may be able to subpoena Google (or any US service provider). [for the record, I wouldn't doubt if all the above are true]
I don't see how Google Docs is less susceptible to Google tracking user activity (and by extension US intelligence).
> "CNIL recommends that these tools should only be used to produce anonymous statistical data"
So the tools are not anonymous because the request headers of the client are being logged and used to identify a session, along with what resources on the site were accessed in that session.
Any site operator has this data on their visitors.
CNIL doesn't want sites hosted in France to be making client-side calls to services provided by Google (whether analytics, fonts, etc) or theoretically any US-based service provider because the client request will be logged by that resource host and open to access by US law enforcement? Do I understand that correctly? What's the solution? A site builder can't let web clients make direct calls to any resources in the US? That seems... sweeping, profound, surprising, impactful. Have fun with that.
No need to dig so deep: IP addresses are considered private information under the current EU law, meaning that just opening a client-side connection somewhere leaks that data to that somewhere.
> I don't see how Google Docs is less susceptible to Google tracking user activity (and by extension US intelligence).
There is none. The difference is that the website studied in the ruling was not including resources hosted at Google Docs, and hence no mention of it. If the site embedded or directly linked to a Google Docs document the same reasoning would have been applied.
> CNIL doesn't want sites hosted in France to be making client-side calls to services provided by Google (whether analytics, fonts, etc) or theoretically any US-based service provider because the client request will be logged by that resource host and open to access by US law enforcement? Do I understand that correctly?
Almost. They don't want any calls prior to explicit user acceptance.
> What's the solution?
For fonts/images required to load the page, use EU-based hosting facilities. If you want to link to a Google Docs document, a YouTube video or something like that, ask the user before following that link.
> That seems... sweeping, profound, surprising, impactful. Have fun with that.
It is, I don't think anyone is denying that. There are several things that may happen here:
1. US tech companies take it as common practice to spin-off EU-based companies that are not subject to US law and store everything in EU soil. When they don't, EU competitors pop up and EU companies use those.
2. The US passes laws that offer EU-level protections to both their own citizens/companies and (at least) EU-based citizens/companies.
3. The EU backtracks on this by adjusting their current laws.
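Added example, not part of the thread: a small audit that separates what the comment above distinguishes, namely third-party hosts a browser contacts on page load (and so receive the visitor's IP address before any consent) from hosts contacted only when the user follows a link. The sample page, the `example.fr` hosts and the `PLACEHOLDER` identifiers are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes a browser fetches on page load, without any user action.
AUTO_FETCH = {"script": "src", "img": "src", "iframe": "src", "embed": "src",
              "audio": "src", "video": "src", "source": "src", "link": "href"}
# <link> only opens a connection for these rel values.
FETCHING_RELS = {"stylesheet", "preload", "prefetch", "preconnect",
                 "dns-prefetch", "modulepreload", "icon"}

# Constructed sample page served from https://www.example.fr/ (hypothetical site).
SAMPLE_HTML = """<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<link rel="canonical" href="https://www.example.fr/page">
<script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="/static/app.js"></script>
<img src="//cdn.example.fr/logo.png">
<a href="https://docs.google.com/document/d/PLACEHOLDER">spec</a>"""

class ThirdPartyAudit(HTMLParser):
    def __init__(self, page_url, first_party_hosts):
        super().__init__()
        self.page_url = page_url
        self.first_party = {h.lower() for h in first_party_hosts}
        self.on_load = []    # (tag, host): contacted before any consent prompt
        self.on_click = []   # host: contacted only if the user follows the link

    def _third_party_host(self, value):
        host = urlsplit(urljoin(self.page_url, value or "")).hostname
        return host if host and host not in self.first_party else None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":                      # navigation: fetched only on click
            host = self._third_party_host(attrs.get("href"))
            if host:
                self.on_click.append(host)
        elif tag in AUTO_FETCH and AUTO_FETCH[tag] in attrs:
            rels = set((attrs.get("rel") or "").lower().split())
            if tag == "link" and not rels & FETCHING_RELS:
                return                      # e.g. rel="canonical" fetches nothing
            host = self._third_party_host(attrs[AUTO_FETCH[tag]])
            if host:
                self.on_load.append((tag, host))

def audit(html, page_url, first_party_hosts):
    parser = ThirdPartyAudit(page_url, first_party_hosts)
    parser.feed(html)
    parser.close()
    return parser.on_load, parser.on_click
```

Static HTML parsing does not see requests issued by scripts at runtime or by CSS `url()` and `@import`, so an empty `on_load` list is a lower bound and should be confirmed against the browser's network log.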
I, for one, would really like to have more fragments to explore.
People's ideas about how their technology should serve them will change over time. I don't want to have to overthrow the old internet before we can try something new, I want it to grow with us--the parts that aren't serving us die off, the parts that address new challenges flourish. If it's all one thing, subject to one set of rules, that doesn't happen.
Lucky you.
We need more Western education, not less, which is why fragmentation is a bad thing. My country of birth - in Africa - is aligned with the formerly communist nations; if they had to opt-in to a fragment, it wouldn't have been to the Western one. I might have never been able to emigrate.
Fragmentation seems like a leap backwards in time and a slap in the face of the promise inherent in the free flow of information.
Of course you are. This is the only possible outcome of any attempt to impose national rules on an international network. Instead of one global network, we'll end up with several local ones.
The internet is among the most incredible achievements of humanity. I'm glad I got to experience it before they destroy it. By now it's only a matter of time.
At the end of the day we should be doing what is good for the People and somehow it's always assumed that they will/should be the ones impacted when policies like these are enacted.
But Europe has leverage here - I don't think Amazon would want to miss out on a giant market base out of some moral principle and there are probably other levers to be pulled here to encourage that.
Anyway, not adding much to your comment other than kudos.
All the big cloud providers have presences in Europe. What am I missing here?
The only people still moaning are Americans and hold-outs like Google refusing to move data.
If the EU has this much power to regulate operations that happen in America, then imagine how much worse it's going to be if you relocate your operations to the EU? In that case you actually become one of their subjects, rather than simply recording information about their subjects.
> Agencies can snoop on non-US citizens but shouldn’t snoop on US citizens
and they went and snooped on US citizens anyway.
I think the only solution would be for them to not collect and store data from GDPR jurisdictions that would violate the GDPR if they were forced to hand it over to the parent American corp.
The US parent company could not compel the subsidiary to violate the law of the region it was located in.
But what happens when senior data scientists at Google want to do some analysis? Each dataset for each global region can't remain fractured from each other. The subsidiary may not have to hand it over to the US government but does the GDPR prevent data from leaving the EU zone? If not, then local copies in the US would be exposed.
I think there would be a lot of loopholes that needed to be closed. "Will be" a lot might be the better choice of words if France's decision becomes guiding legal doctrine in the region.
I don't think Google would willingly give up that data either so they could be forced to change their practices to at least get that which is allowable under EU law. And I don't want to get too slippery slope in this, but that could mean privacy-minded services begin using servers in the EU as an added layer of user privacy.
Another 20 years and companies simply won't bother with it at all.
[1]: https://fullfact.org/europe/eu-less-important-world-economy/
It’s interesting to see the pattern here: if you can’t innovate, regulate.