[tempodox]

Nobody should be allowed to export personal data from such jurisdictions except for the owners of that data themselves. A U.S.-ian should be allowed to decide to trust their personal data to a company inside E.U. jurisdiction but that company shouldn't be allowed to trade that data anywhere else (especially, back to the U.S.). Of course, that's a complete pipe dream, and I'm just hallucinating.

[cm2187]

How do you define "export"? Does that mean any website needs to have a server located in every single country in the world?

[kiiski]

I imagine that would only apply to sites which store PII[1]. The database should be located under the same jurisdiction (which doesn't mean every country, since some will have treaties to allow exporting to certain places (EU for example)) as the person whose data it is, and the data should not be transferred through other jurisdictions.

[1]: https://en.wikipedia.org/wiki/Personally_identifiable_inform...

[cm2187]

Well, pretty much any website stores an email, name and password. Every startup would need to look at all the bilateral treaties between every major country in the world. This is simply impractical.

[kuschku]

If a German user shares data with Facebook, Facebook should not be allowed to give the data to any entities in the US.

You may never give userdata to anyone else or give anyone else access to userdata.

Embedding tracking scripts from third parties is equally problematic. Google Analytics should be globally forbidden.

[lcswi]

What if the user shares the data directly with a server in the US? People don't care...

[kuschku]

And what if Google Analytics tracks me? 3rd-party tracking needs to be illegal right now.

[caskance]

That would only force people to confront the uncomfortable reality that just because data is about you doesn't mean you own it.