[YetAnotherNick]

I really don't understand why countries are so persistent about storing data in their country. It's not like the enforcers could walk into the datacenter and plug in the usb drive and get the data. And it's even hard to see what all constitutes user data. Does logging constitute user data. Does that mean that to get logs for the error the developer need to travel to every country and remember the log messages in his head.

And companies could easily copy their data in a click if they need to. A much saner approach should be limiting what the company is allowed to do with the data.

[blitzar]

> A much saner approach should be limiting what the company is allowed to do with the data.

Perhaps we should have some sort of GENERAL rules or legislation specifically for DATA to define what companies, based in or with customers in a region, can and can't do for the PROTECTION of the data and end users, so the companies can stay compliant with this REGULATION.

[aspenmayer]

We could call it GDPR for short.

[simion314]

>I really don't understand why countries are so persistent about storing data in their country

It is about having some rights. So say if you are from USA then Google or NSA should follow the laws , but if say I am a politician from some other country the Google and NSA employees can just read my emails and then blakmail me (or grab my paypal code and grab my money) because US laws only protect US citizens, terms of service are not laws and we know that we can't attribute morality to Google,Apple or NSA.

[kmlx]

> the Google and NSA employees can just read my emails and then blakmail me

this is a new level of conspiracy theory.

[simion314]

>this is a new level of conspiracy theory.

This is a new level of denial, I mean you should be outrage if your CIA is not doing it's job , this is why you americans pay them, to spy on foreign governments and companies, if something changes in the direction that would disadvatae US then blackmailing, killing and other methods are required by the CIA dudes to do.

At least you can use your logic and think

1 CIA job is to spy

2 Google/Apple has juicy content of CIA targets

3 CIA wants that content, they could send dudes in black at night int he server room to grab the data or they can just ask for it, since if are foreign people they have no rights, even if an employee would see this since is an US citizen he will also need to respect US laws and shut up or he will be in trouble.

[sgc]

Blackmail is new? Of course providing the opportunity for blackmail is one of the primary concerns when foreign actors exfiltrate data. Blackmail is a lot older than the cold war, and has been going on as long as people have been doing embarrassing things.

It would be absolutely foolish to think anything other than that there are many spies for various governments working in telecom and other IT companies. It is likely their primary target, even before infiltrating government positions.

[simiones]

Well, them reading this data is a known fact, mostly from Snowden's leaks.

Blackmail happening is harder to prove, but it would approach incompetence if the NSA at least found no opportunity to blackmail someone using the data we know they have access to.

[simiones]

If your data is in Russia, the Russian government can do what they want with it, within the limits of Russian law (at least theoretically). If your data is in France, the French government can do what it wants with it, within the limits of French law (at least theoretically).

Now, most countries have close to 0 protections for non-citizens' data - particularly, the USA has 0 protections for a French person's data sitting on a Google server. If a US government agency wants to read this French person's data (of any kind, including, say, medical records), they can ask Google for access to it and, if Google agrees, they can just use it. If Google doesn't agree, they only need a warrant against Google, not against the French citizen in question.

The same is NOT true for a US citizen's data - which is more or less sufficiently protected, at least theoretically. But foreign nationals' data that happens to reside in the USA has 0 legal protections from the US government.

On the other hand, the US government can not (legally) obtain data that resides in France or Russia, unless they work with the French/Russian legal system to obtain access to that data.

[tantalor]

> US government can not (legally) obtain data that resides in France

Explain how? If the US govt orders "copy the data from FR to US, or else" and the French govt orders "you can't do that, or else" then what is the company to do? They are breaking the law no matter what. Something has to give.

[simiones]

In general, such international disputes can be arbitrated either at a diplomatic level between the two governments, or by an international court.

[foxfluff]

If they're an European company operating and hosting in Europe, the US government has no jurisdiction over them.

If it's an international company, sucks for them (until the countries harmonize their laws to guarantee reasonable privacy protections for everyone internationally). That's exactly why people are now looking for local alternatives to Google et al.

[YetAnotherNick]

> If they're an European company operating and hosting in Europe, the US government has no jurisdiction over them.

No it is not true. Region of operation is completely irrelevant. US could arrest Kim Dotcom. Or non European companies have to comply with GDPR for European customers.

[foxfluff]

It's not completely irrelevant. The US has to cooperate with whichever country Kim/Julian/etc resides in. That country can totally reject the extradition request.

[YetAnotherNick]

They only have to contact them because Kim was not in US soil. They would have to request for any people including American citizens if they are physically in some other country. If Kim decided to vacation to US they could skip all the extradition requests.

[phaer]

> It's not like the enforcers could walk into the datacenter and plug in the usb drive and get the data.

They can ask and/or force a given company to hand data to them in many cases in most jurisdictions.

> Does logging constitute user data.

Logging of user-data? yes

> A much saner approach should be limiting what the company is allowed to do with the data.

GDPR does also regulate what a company is allowed to do with data. The thing is: whether the GDPR applies and is enforceable depends on where that data is stored.

[zauguin]

The companies are already restricted in what they are allowed to do with the data, but allowing to transfer it without restrictions would allow this to be easily circumvented by just moving the data to a location where data protection can't/wouldn't be enforced. Therefore the EU rules are not at all persistent about storing data only in the EU, it's explicitly allowed to store data in other countries as long as the data is still protected there.

This decision is a great example of this: The decision isn't made because it's not allowed to export data at all, instead it explicitly references US law which forces the affected companies to violate the data protection guarantees provided by the GDPR.

[M2Ys4U]

>I really don't understand why countries are so persistent about storing data in their country.

That's not what this is.

The EU is not saying "data MUST stay in the EU", it's saying "Data can only be transferred to a jurisdiction which has equivalent data protection".

>It's not like the enforcers could walk into the datacenter and plug in the usb drive and get the data.

No, they send a request for the data and threaten to jail anybody who even reveals that a request has been made.

>And it's even hard to see what all constitutes user data. Does logging constitute user data.

Article 4 of the GDPR: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

>A much saner approach should be limiting what the company is allowed to do with the data.

That's exactly what the GDPR is...