by bdonlan 1591 days ago
> The reality is you don't really have to transfer anything out of EU in order to keep your service running.

Practically speaking, running FB in a way that doesn't transfer anything out of the EU would involve either:

1. Siloing off the EU facebook, with no contact with the US side

or

2. Building a federated facebook, which transfers across e.g. only the timeline entries US friends are granted view access to

The former would not be well-accepted, as it would cut off communication from e.g. international relatives, and would be a rather large project to launch. The latter would be an even bigger rearchitecture, which would likely take, at a minimum, several years to complete, since it's unlikely this was ever anticipated as being a possibility when FB was originally created.

So, I sympathize with them - while in the long term they might be able to find a solution, in the short-to-medium term, FB would have no choice but to stop operating.

15 comments

> 1. Siloing off the EU facebook, with no contact with the US

That's already business as usual with China, but companies like Facebook have absolutely no problem with that silo as it protects them and benefits their bottom line.

But somehow, use cases that protect users, those suddenly pose major blockers.

> but companies like Facebook have absolutely no problem with that silo

Do you honestly think that's true? I bet they'd move mountains to remove that silo if they could.

> Do you honestly think that's true?

Think? I know for a fact it's true. In fact, do you know a single company operating in China that doesn't silo away their China operations?

Yes, they do silo. Nobody is claiming otherwise. My point is that they'd almost certainly prefer not to; they are siloing to comply with Chinese laws.

What makes you think they have "absolutely no problem with it"? You don't think it would be operationally simpler and more profitable to allow communication between Chinese and non-Chinese accounts?

> they are siloing to comply with Chinese laws.

No, not really. Companies operating in China silo their services because Chinese laws demand access to servers, and by siloing the company ensures that the Chinese regime does keep its hands off stuff they have no business accessing.

Siloing services in China has zero to do with CCP's demands and everything to do with a company's self-interest.

It sounds like you're saying

CCP demands access to servers -> companies silo to protect data from CCP

But then claim siloing has "zero to do with CCP's demands". Having trouble understanding this logic.

Even if they voice their concerns, they do it in a very quiet way.
I don't think that's business as usual in China. I don't think Facebook operates there.
Facebook doesn't operate in China, and other companies would love to remove the restrictions China puts on them.
Can you direct me to the evidence suggesting that Facebook/Meta operates in China? My understanding is that the only FAANG corporation that deals with the CCP is Apple, who has gone beyond siloing content and straight-up relocated a portion of their servers to the country.
Facebook operates in Hong Kong, which is part of China, as Hong-Kongers are learning to their dismay as their special status is being dismantled.
If China manages to assimilate them back into the mainland, I seriously doubt that Facebook would continue to provide service to their citizens.
Doesn't FB ad-tech operate in China?
Don’t forget about Azure (Microsoft) and AWS (Amazon).
> Facebook have absolutely no problem with that silo

It's less that they don't have a problem with the silo and more that they don't have a choice.

Are you really advocating for siloing European and North American internet?

About 2010, I realised that siloing the internet is basically the only way for nations to remain fully sovereign — can’t enforce laws on copyright, libel, porn, personal data protection, un-accredited education, scams, hacking, gambling, false or misleading advertising, unregulated political advertising[0], indecent communications, malicious communications, menacing communications, nor treasonous/seditious communications, when the people doing it are in a country you don’t have a treaty with.

This is not to say I “want” this — what I want is for everyone in the world to be one big happy group of friends, but I don’t know how to get there from here, and silos look to me like the next thing that will happen.

[0] I don’t know how it works in most places, but in the UK there are Rules: https://commonslibrary.parliament.uk/who-regulates-political...

The issue is not having Europeans sharing photos and posts with Americans, but to have unshared personal data like logs, user preferences or non-public PII hosted on European servers without granting the US government access to it since it is outside of their jurisdiction.

Also, if a European citizen shares photos with an American friend, this friend will fetch the image from an European server, so that the US government doesn't have access to the remaining photos, unless they contact European authorities.

If that were the case, how would any global communication medium be allowed to operate? Can't you provide the same service while not moving PII out of the EU? As far as I know this is not about a user in the US viewing a EU citizen's facebook page, this is about where the original data resides, is it not? Playing devil's advocate here, can't you just figure out what jurisdiction the user belongs to and route the request to the right server?
There are a lot of edge cases that people don't think about.

A lot of communication data has two people associated, and a lot of it is highly sensitive. If a US person and a French person chat how does each get the messages? Message data is obviously highly sensitive and shouldn't be shared.

Does the US person need to hit the French servers to see new messages, and vice versa? What about quoting?

Message metadata (i.e. the fact that these two people are talking at all) is also pretty valuable -- the classic pen register is just a record of which calls were made to which numbers. Where do you store the metadata of the thread? It arguably belongs to and is private to both people.

> Does the US person need to hit the French servers to see new messages, and vice versa? What about quoting?

I would imagine each user has a copy of the other's messages in their own account, and that's what they would be hitting.

So you propose to copy the private data of European citizens on US servers?

What happens when the law makes that illegal?

> So you propose to copy the private data of European citizens on US servers?

> What happens when the law makes that illegal?

Just follow the Chinese model. Complete blackout between the European Union, China and ROW. This is where this thing is headed, so we might as well start thinking about it.

What is the value of legally requiring copies in every geographic location? That seems strictly worse from any kind of privacy perspective.
Keep in mind that with other communication mechanisms (e.g. email, SMS) we already send over a copy of the message and keep the original. I'm not saying it's "better" from a privacy perspective, just that it seems like the logical solution here, and I'm not sure how a court might conclude otherwise. The data is being hosted in Europe at that point. It's just that a copy needs to be sent to the recipient only when the message is initially sent (because how else do you communicate?!).
That's true for some kinds of PII data and not others. The social graph (who are your friends) is symmetrical. Shared-edit documents, dropbox-like file sharing, and wikis are often ownership-ambiguous.
How does it get to their account?
A server in the sender's jurisdiction sends it to a server in the receiver's jurisdiction? How do SMS or email work in Europe?
Sending data to the US and storing it there, is the very point that is being contested.

People are acting like this is a trivial problem both technically & legally but it’s not. I don’t have sympathy for Facebook but if you are a small company handling data in the EU and other data outside it I have sympathy as it’s going to cost a lot in architectural complexity and compliance costs.

Aside from the difficulties in operating effectively without passing any PII (which includes identifiers) across international/org lines, the reality is that recent EU regulatory action has come down not on where the data is stored, but whether the parent company is in the US.

The reality that the EU government has recognized is that a FISA order of the parent company could compel a US organization to pull data from the EU servers to provide to the US government; and it’s a valid critique.

> passing any PII (which includes identifiers) across international/org lines

My understanding was that it's not about that.

> the reality is that recent EU regulatory action has come down not on where the data is stored, but whether the parent company is in the US

Interesting, do you have any source on this particular aspect? I haven't heard this before.

Search for Schrems here on HN. There were a couple of articles recently that in effect have this implication. I was surprised too.
Thanks, will do!
The CLOUD Act allows US agencies to gain access to all data a US company has access to regardless of the physical location. This in turn means that an EU company can't guarantee that the data isn't transferred out of the EU. To transfer data out of the EU one either needs a legal framework or consent. Consent has to be given in an informed manner, but since the company does not know for what reasons a US agency can access the data, they cannot inform the person correctly under GDPR. A legal framework has to comply with the EU Charter. Indiscriminate access to information is not in compliance with the EU Charter, so a framework cannot exist.

It's a legal deadlock.

Which the EU will solve by forcing companies to erect a legal firewall; otherwise they would define their laws as being underneath American laws with anything related to a US company operating in Europe.
And hashes - legally a hash of PII is PII. The definition is literally:

IF [thing] be used to identify [person] from any arbitrary set of [persons] THEN [thing] is PII.

That wouldn't solve anything. The EU treats all US services as being in the US, regardless of where the physical servers are, as Facebook is still subject to US subpoenas and they are legally required to give data to the US even if it's on a European server.

You are right that the same logic would make any American communication website illegal. I think the end goal for the EU here is to require all communication platforms used by EU citizens to be entirely run by the EU.

> regardless of where the physical servers are, as Facebook is still subject to US subpoenas and they are legally required to give data to the US even if it's on a European server

Is that so? I'd like to know more about this then, I don't see how that would be practical at all then.

This is explicitly authorized by the CLOUD Act:

> Principally, it asserts that U.S. data and communication companies must provide stored data for a customer or subscriber on any server they own and operate when requested by warrant, but provides mechanisms for the companies or the courts to reject or challenge these if they believe the request violates the privacy rights of the foreign country the data is stored in.

https://en.wikipedia.org/wiki/CLOUD_Act.

> when requested by warrant

I think that's the difference. Facebook could be forced to keep all PII in the EU for the purpose of protecting people's data from unlawful (EU) use but still have to surrender it to US law enforcement. Would that violate the EU law?

It does. A US warrant is incompatible with the EU privacy guarantees.
> I think the end goal for the EU here is to require all communication platforms used by EU citizens to be entirely run by the EU.

I think their end goal is regulatory convergence. They don't want companies to be able to trivially circumvent laws protecting their citizens simply by operating in a different jurisdiction, which is to say, if you want to play by different rules, barriers are inevitable, or else the rules are meaningless. Over the long run, the hope is that people can converge on similar enough rules that the barriers become unnecessary.

For example, suppose a country passes an air quality law that forces companies to reduce emissions from factories. They might suspect that instead of updating their factories, companies might sell their manufacturing equipment to new companies that mysteriously pop up right across the border and happily sell finished goods back across the border. Anticipating that, the country would want to do something to prevent it. The measures they come up with might be onerous and inefficient in the short run, but in the long run, the two countries would be motivated to converge on regulatory regimes that were mutually acceptable.

(not intending to endorse or criticize this idea, just giving my best understanding of how countries approach questions like this)

If you are sending a message to a person in another country, you are consenting to that communication traveling to the location of that person. See article 6:

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

[.. other permissible purposes snipped ..]

Generally, the GDPR issues with sending to another country boil down to whether the EU accepts that the other country's government will allow the company to protect the data in ways compatible with the GDPR. When sending that data to another company happens for reasons incidental to the permissible purpose of your data (eg EU-to-EU data processed in the US) this becomes an issue, as you've not consented to that risk. If you are specifically requesting that your data be sent to, say, the US, however, then processing that data in the US becomes necessary and thus much more justified.

From a technical perspective, you can certainly silo your data and transfer only as needed. This is however way more complicated, as you need to now deal with the fact that you're potentially performing joins across high-latency datastores, where you might need to be careful about what query data you're sending across the wire, and where your different silos need to apply access controls against each other. If you didn't engineer for this from the start, it's a big shift in architecture.

A facebook feed doesn't just show data from one user. When I look at my feed, I am seeing posts from 100 people distributed over 7 countries on 3 continents. Stitching that data together from multiple data sources is an extremely difficult thing to accomplish.
They are already doing it.

The issue is not your feed, that's what Facebook wants you to believe; you agreed to share that data with other FB users. The issue is they transfer personal data of EU citizens to the US to process them and sell them or use them to improve their adv war machine. Or give it to their US government.

Probably not too difficult for a company like Facebook, don't you think?
Much harder for a large company than a small one, actually. The coordination overhead to get a bunch of disparate teams in a large company to rearchitect the fundamental structure of the service should not be overlooked.
Personally I'd be happy to accept that given Facebook's impact on society and their technical ability and capacity.
Not difficult at all, I did that on a much smaller case.
This is about data sending without consent, which has to be explicit. E.g. if I, as a European, create a Gmail account and my mails reside on a US server, I give explicit permission for all my emails to be transferred between Europe and the US. Namely: I'm informed of the extent of data collection (all my mails incoming or outgoing), the duration (forever), the storage (Google servers) and algorithms used (I consent to the scanning of my emails to create ads).

But if I visit a web page hosted in Europe, and that page uses the FB cookies, Google analytics, etc. maybe I'm unaware what and how the data is being collected.

They relied on the cookie banners as explicit consents (i.e. if you click this "OK" button, you give explicit consent to all our data gathering and sending), but that might not be fully compliant with GDPR.

> E.g. if I, as a European, create a Gmail account and my mails reside on a US server, I give explicit permission for all my emails to be transferred between Europe and the US.

NOYB has used this as an example of something that would be illegal.

Do you have a link? AFAIK they are fighting against analytics, cookies and advertising ids.
Sure, here: https://noyb.eu/sites/default/files/2020-03/ag_prep_en.pdf

The main issue is differences between EU and US law.

If stop operation is the only alternative to stop collecting and sending out data, then let it be.

And if that happens, if Facebook really gets banned from operating in Europe, I'm pretty sure a “good enough” technical solution approved by the EU administration would be found pretty quickly.

I assume the most interesting requirements are about data residency. And that probably 1) can be avoided by just making sure EU data is stored in the EU, US data in the US, and looking up a foreign region profile (which is rare) would need to be a pure API proxy request which is not allowed to store anything in the local region and probably has some kind of per-request authorization to do this.

I certainly have not spent any time to look into the actual legislation - so don't take this as "everything would be fine" - but I feel a solution could be found that governments would be ok with if FB would be willing to spend the engineering effort.
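As an added illustration (not code from the thread, nor anything Facebook runs), a minimal model of the region-siloed, federated design sketched in this thread: each region persists only its residents' data, same-region reads are served locally, and a cross-region read is a proxied request that returns only the entries the owner granted to the viewer, writes nothing in the viewer's region, and logs the disclosure for audit. All users, regions and posts are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    owner: str
    text: str
    audience: frozenset  # user ids the owner granted view access (constructed ACL)

class RegionStore:
    """Holds entries only for users whose home region is this one."""
    def __init__(self, region, home_region):
        self.region = region
        self._home = home_region       # user id -> home region directory
        self._entries = {}             # owner -> list[Entry]
        self.transfer_log = []         # (owner, viewer, dest_region, count) audit trail

    def put(self, entry):
        # Residency check: a non-resident's data is never persisted here.
        if self._home[entry.owner] != self.region:
            raise ValueError(f"{entry.owner} is not resident in {self.region}")
        self._entries.setdefault(entry.owner, []).append(entry)

    def owners(self):
        return set(self._entries)

    def local_read(self, viewer, owner):
        # Same-region read still applies the owner's audience list.
        return [e for e in self._entries.get(owner, [])
                if viewer == owner or viewer in e.audience]

    def export_for(self, viewer, owner, dest_region):
        # Cross-region proxy: release only what the owner granted to this
        # viewer and record the disclosure; the far side stores nothing.
        granted = [e for e in self._entries.get(owner, []) if viewer in e.audience]
        self.transfer_log.append((owner, viewer, dest_region, len(granted)))
        return granted

class Federation:
    def __init__(self, home_region):
        self.home = dict(home_region)
        self.stores = {r: RegionStore(r, self.home) for r in set(self.home.values())}

    def put(self, entry):
        self.stores[self.home[entry.owner]].put(entry)

    def fetch_timeline(self, viewer, owner):
        src, dst = self.home[owner], self.home[viewer]
        if src == dst:
            return self.stores[src].local_read(viewer, owner)
        return self.stores[src].export_for(viewer, owner, dst)   # proxied, not copied

    def build_feed(self, viewer, friends):
        # Stitch a feed from several regions; returns [(owner, text), ...].
        return [(e.owner, e.text) for f in friends
                for e in self.fetch_timeline(viewer, f)]

def demo():
    # Constructed directory and posts; not real users or data.
    fed = Federation({"alice": "EU", "carol": "EU", "bob": "US"})
    fed.put(Entry("alice", "holiday photos", frozenset({"bob", "carol"})))
    fed.put(Entry("alice", "private note", frozenset({"carol"})))
    fed.put(Entry("carol", "hello bob", frozenset({"bob"})))
    fed.put(Entry("bob", "from the US", frozenset({"alice"})))
    return fed
```

The model deliberately leaves open the point raised elsewhere in the thread: the `transfer_log` and the home-region directory are themselves metadata about who talks to whom, and the sketch does not decide where they may reside.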

The social graph itself is PII. BobUS and SallyEU are friends. Where can that data reside?
The problem is that US law says that the US can tell a US company to share data with US Intelligence Agencies even if that data exists in a subsidiary outside of the US.

That's why simply storing EU data in the EU isn't enough when there's a US company involved. Our surveillance state isn't just horrible for privacy, it's also bad for business.

There are possibly other options, such as:

1) Providing end-to-end encryption on user data travelling from Europe to outside Europe.

2) Your option for number 1, but then allowing users to freely consent with their data to be shared internationally (which they can then revoke later if required).

I'm sure there are others... Also IANAL but a social media post may be covered under the "legitimate interests" scope of GDPR (but Facebook's tracking data would certainly not be covered).

> Siloing off the EU facebook, with no contact with the US side

That's insufficient as the US CLOUD Act allows the US government to compel a US company to cough up the data even if it is hosted in the EU and subject to EU privacy laws.

The only workaround I could see is one where they would spin out Facebook EU as a legally independent non-US entity (giving shares in it to Meta shareholders) and federate that with FB US.

Is the purpose of the data transfer necessary, transparent and proportionate? If so, no problem, and your far-flung relatives can communicate without issue. These principles frustrate the surreptitious core purposes of Facebook, however, and so it doesn’t make sense for them to facilitate in those terms. If you’re not paying for a service, you are the product.
I'm not sure that is the case. The data that people are posting themselves on Facebook clearly has consent to be published.

What is not is all of the tracking that they do - not only on the Meta properties, but also all of the other websites who are dumb enough to execute code or otherwise expose their users to Facebook. Lots of them do it unwittingly too.

I'd be amazed if they couldn't come to a medium-term compromise agreement if they wanted to. EU authorities have precedent in giving companies time to fix things up if they show that they're willing to do that.
Meta could also lobby for US laws to change. I’m sure they are large enough.
Erm, 1. doesn't really make sense, because EU isn't really the problem here. It should read "siloing off the US Facebook". And that makes perfect sense.
There are other companies that silo each customer from each other in ways that are very expensive to the platform owner (can't get more specific, sorry).
It would be pretty arrogant if they had never considered this possibility. Hard to feel too bad for the robber barons losing a bit of profit.
3. Move all data to Europe instead of the US.