[phoronixrly]

The key points in the article for me:

> Max Schrems, honorary chair of noyb.eu: "Instead of actually adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice. Many EU companies have followed the lead instead of switching to legal options."

> In the long run, there seem to be two options: Either the US adapts baseline protections for foreigners to support their tech industry, or US providers will have to host foreign data outside of the United States.

> No penalty (yet). The decision is not dealing with a potential penalty, as this is seen as a "public" enforcement procedure, where the complainant is not heard. There is no information if a penalty was issued or if the DSB is planning to also issue a penalty.

We need more trials related to GDPR breaches. While having the legislation is a huge achievement, it needs to be backed with enforcement.

If there is no enforcement, a third long-term solution arises -- just ignoring the law until you manage to get the necessary amendments to it in order to keep operating as before without fear of penalty.

[jokoon]

I'm really curious what would happen if those companies followed the law.

My bet is that they would entirely stop doing business in the EU, because I'm suspecting that data collection is the cornerstone of google/facebook/etc's business model.

They cannot properly advertise if they don't collect data.

To me it's a bit similar to what happened with China. China doesn't want the US to get data on chinese people, but their solution was to just block those companies.

The EU uses courts to protect itself, but I guess the result would be a bit similar.

[MomoXenosaga]

The expulsion of US tech led to a native Chinese tech industry fully compliant to Chinese law. They didn't go back to the Stone Age (which was the prediction of US experts at the time).

[ReleaseCandidat]

No, they'll just host their data in europe

[cblconfederate]

Is that enough? If a company uses google services , they are liable if google decides to take a bite at this data (because e.g. NSA asked them to). And it's not enough if google makes a contract that promises not to do so. the company is essentially liable for the NSA

- Ironically, if Google does create an EU spinoff just to run analytics as a free service, it will kill the local competitors

- The NSA is not "exempt": https://www.eff.org/deeplinks/2020/07/eu-court-again-rules-n...

[azernik]

The point of hosting the data in Europe is that the law can intervene before that data is re-shared outside of Europe. (And to be frank, the NSA is not the target; the GDPR has lots of exceptions for intelligence agencies.)

[phoronixrly]

They'll just host data related to their European customers in Europe*

[olivierduval]

Ant they will use an European Branch, under the EU regulation... but money will still flow back to US

[aspenmayer]

I think that’s all that the court is asking them to do, for the last 1.5 years or so.

[ReleaseCandidat]

Data centers cost money. They need incentives (read: high fines) to do that.

[blitzar]

https://www.google.com/about/datacenters/locations/

Turns out, shockingly, that Google already have some in the EU for some totally unknown reason. Might have something to do with making $XX billion in the region each year.

[aspenmayer]

This ruling doesn’t have enforcement recommended (yet), but under GDPR, the EU's data protection authorities can impose fines of up to up to €20 million, or 4% of worldwide revenue for the preceding financial year, whichever is higher. I’m not sure whether this offense would rise to the full 4%, or only a lesser 2%, if it came to enforcement.

https://gdpr.eu/fines/

[hyperman1]

A little bit more. The management of that data should also happen by people falling under the GDPR, so either EU members or people living in country's with compatible laws. The USA explicitly is not, because of the FISA courts with secret justice.

The problem is, some USA Googler can issue a query to an EU server and still access data he's not supposed to see. A FISA court can require him to do that and not tell anyone. No legal document written by a business can override a court decision, so nothing any US company can do helps here.

Google might create a local company with local personnel. The theory goes, when the USA Googler orders a lookup of some date, the EU Googler says can't do that, it's illegal.

I wonder why Microsoft's Office365 or Windows platform aren't hit by these lawsuits. The issues are the same, and the information gained seems much more interesting.

[thrawn0r]

I don't believe that 3 letter agencies will care about the physical location of the user data. So storing the data in europe might not solve this issue.

[simiones]

Well, with data residing in the USA, US three-letter agencies can just ask the data operators to give them the data. I'm sure the same is true of French three-letter agencies for data residing in France, or possibly even the whole EU.

BUT, it's much harder to US three-letter agencies to obtain access to data residing in France, or the other way around - that would require hacking, and that carries a much higher degree of difficulty and risk (not that I would ever imagine it doesn't still happen).

[avar]

The GPDR is explicitly not about trying to get you protection from state-operated intelligence agencies, and in fact within the EU state agencies like that are explicitly exempt from it.

[M2Ys4U]

It would be if the EU had the legal powers to do so, however the EU's treaties reserve national security to the member states.

EU law does apply when national security concerns of non member states are engaged, though hence the Schrems cases succeeding (and why the UK in on shaky ground when it comes to equivalency decisions post-Brexit).

[kuschku]

That's wrong, GDPR explicitly applies to government agencies, police, etc.

Eurpol is currently on trial for violating it, as was the German BND previously.

[M2Ys4U]

The GDPR doesn't apply to the police, at least not in their capacity as law enforcement.

But it does have sister legislation - the Law Enforcement Directive[0] - that does apply many of the same principals.

[0] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A...

[jokoon]

Maybe the GDPR issues would be resolved if countries would settle and agree how to do surveillance on their population... Obviously the gears of silicon valley turn faster than the gears of intelligence agencies.

[jokoon]

Why don't they?

[blitzar]

I would have thought they do. There is also a decent chance that at any given moment even Google have absolutely no idea where a given piece of information is physically located (and mirrored to X times).

[sofixa]

You might be interested in

https://www.enforcementtracker.com/

I agree we need more enforcement, but it's reassuring to see the current levels.

[anonymousab]

Violations outpace enforcement both in current volume and rate of growth, by orders of magnitude. This is the opposite of reassuring.

[sofixa]

But the fines are getting very significant, and major types of violations are awarded with fines ( so other violators might see that and stop, or at least when they get caught the ruling will be faster due to precedents).