by barbazoo 1591 days ago
If that were the case, how would any global communication medium be allowed to operate? Can't you provide the same service while not moving PII out of the EU? As far as I know this is not about a user in the US viewing an EU citizen's Facebook page, this is about where the original data resides, is it not? Playing devil's advocate here, can't you just figure out what jurisdiction the user belongs to and route the request to the right server?

There are a lot of edge cases that people don't think about.

A lot of communication data has two people associated, and a lot of it is highly sensitive. If a US person and a French person chat how does each get the messages? Message data is obviously highly sensitive and shouldn't be shared.

Does the US person need to hit the French servers to see new messages, and vice versa? What about quoting?

Message metadata (i.e. the fact that these two people are talking at all) is also pretty valuable -- the classic pen register is just a record of which calls were made to which numbers. Where do you store the metadata of the thread? It arguably belongs to and is private to both people.

> Does the US person need to hit the French servers to see new messages, and vice versa? What about quoting?

I would imagine each user has a copy of the other's messages in their own account, and that's what they would be hitting.

So you propose to copy the private data of European citizens on US servers?

What happens when the law makes that illegal?

> So you propose to copy the private data of European citizens on US servers?

> What happens when the law makes that illegal?

Just follow the Chinese model: complete blackout between the European Union, China and ROW. This is where this thing is headed, so we might as well start thinking about it.

What is the value of legally requiring copies in every geographic location? That seems strictly worse from any kind of privacy perspective.
Keep in mind that with other communication mechanisms (e.g. email, SMS) we already send over a copy of the message and keep the original. I'm not saying it's "better" from a privacy perspective, just that it seems like the logical solution here, and I'm not sure how a court might conclude otherwise. The data is being hosted in Europe at that point. It's just that a copy needs to be sent to the recipient only when the message is initially sent (because how else do you communicate?!).
That's true for some kinds of PII data and not others. The social graph (who are your friends) is symmetrical. Shared-edit documents, dropbox-like file sharing, and wikis are often ownership-ambiguous.
How does it get to their account?
A server in the sender's jurisdiction sends it to a server in the receiver's jurisdiction? How do SMS or email work in Europe?
Sending data to the US and storing it there is the very point that is being contested.

People are acting like this is a trivial problem both technically & legally but it’s not. I don’t have sympathy for Facebook but if you are a small company handling data in the EU and other data outside it I have sympathy as it’s going to cost a lot in architectural complexity and compliance costs.

How do SMS/MMS/email/etc. handle this? Are you saying they would all become illegal? Or is this law going to uniquely place requirements on social media that other communication systems do not/would not comply with?
Aside from the difficulties in operating effectively without passing any PII (which includes identifiers) across international/org lines, the reality is that recent EU regulatory action has come down not on where the data is stored, but whether the parent company is in the US.

The reality that the EU government has recognized is that a FISA order of the parent company could compel a US organization to pull data from the EU servers to provide to the US government; and it’s a valid critique.

> passing any PII (which includes identifiers) across international/org lines

My understanding was that it's not about that.

> the reality is that recent EU regulatory action has come down not on where the data is stored, but whether the parent company is in the US

Interesting, do you have any source on this particular aspect? I haven't heard this before.

Search for Schrems here on HN. There were a couple of articles recently that in effect have this implication. I was surprised too.
Thanks, will do!
The CLOUD Act allows US agencies to gain access to all data a US company has access to, regardless of the physical location. This in turn means that an EU company can't guarantee that the data isn't transferred out of the EU. To transfer data out of the EU one either needs a legal framework or consent. Consent has to be given in an informed manner, but since the company does not know for what reasons a US agency can access the data, they cannot inform the person correctly under GDPR. A legal framework has to comply with the EU Charter. Indiscriminate access to information is not in compliance with the EU Charter, so a framework cannot exist.

It's a legal deadlock.

Which the EU will solve by forcing companies to erect a legal firewall; otherwise they would define their laws as being underneath American laws with anything related to a US company operating in Europe.
And hashes - legally a hash of PII is PII. The definition is literally:

IF [thing] be used to identify [person] from any arbitrary set of [persons] THEN [thing] is PII.

That wouldn't solve anything. The EU treats all US services as being in the US, regardless of where the physical servers are, as Facebook is still subject to US subpoenas and they are legally required to give data to the US even if it's on a European server.

You are right that the same logic would make any American communication website illegal. I think the end goal for the EU here is to require all communication platforms used by EU citizens to be entirely run by the EU.

> regardless of where the physical servers are, as Facebook is still subject to US subpoenas and they are legally required to give data to the US even if it's on a European server

Is that so? I'd like to know more about this then, I don't see how that would be practical at all then.

This is explicitly authorized by the CLOUD Act:

> Principally, it asserts that U.S. data and communication companies must provide stored data for a customer or subscriber on any server they own and operate when requested by warrant, but provides mechanisms for the companies or the courts to reject or challenge these if they believe the request violates the privacy rights of the foreign country the data is stored in.

https://en.wikipedia.org/wiki/CLOUD_Act.

> when requested by warrant

I think that's the difference. Facebook could be forced to keep all PII in the EU for the purpose of protecting people's data from unlawful (EU) use but still have to surrender it to US law enforcement. Would that violate the EU law?

It does. A US warrant is incompatible with the EU privacy guarantees.
> I think the end goal for the EU here is to require all communication platforms used by EU citizens to be entirely run by the EU.

I think their end goal is regulatory convergence. They don't want companies to be able to trivially circumvent laws protecting their citizens simply by operating in a different jurisdiction, which is to say, if you want to play by different rules, barriers are inevitable, or else the rules are meaningless. Over the long run, the hope is that people can converge on similar enough rules that the barriers become unnecessary.

For example, suppose a country passes an air quality law that forces companies to reduce emissions from factories. They might suspect that instead of updating their factories, companies might sell their manufacturing equipment to new companies that mysteriously pop up right across the border and happily sell finished goods back across the border. Anticipating that, the country would want to do something to prevent it. The measures they come up with might be onerous and inefficient in the short run, but in the long run, the two countries would be motivated to converge on regulatory regimes that were mutually acceptable.

(not intending to endorse or criticize this idea, just giving my best understanding of how countries approach questions like this)

If you are sending a message to a person in another country, you are consenting to that communication traveling to the location of that person. See article 6:

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

[.. other permissible purposes snipped ..]

Generally, the GDPR issues with sending to another country boil down to whether the EU accepts that the other country's government will allow the company to protect the data in ways compatible with the GDPR. When sending that data to another company happens for reasons incidental to the permissible purpose of your data (e.g. EU-to-EU data processed in the US) this becomes an issue, as you've not consented to that risk. If you are specifically requesting that your data be sent to, say, the US, however, then processing that data in the US becomes necessary and thus much more justified.

From a technical perspective, you can certainly silo your data and transfer only as needed. This is however way more complicated, as you now need to deal with the fact that you're potentially performing joins across high-latency datastores, where you might need to be careful about what query data you're sending across the wire, and where your different silos need to apply access controls against each other. If you didn't engineer for this from the start, it's a big shift in architecture.

A facebook feed doesn't just show data from one user. When I look at my feed, I am seeing posts from 100 people distributed over 7 countries on 3 continents. Stitching that data together from multiple data sources is an extremely difficult thing to accomplish.
They are already doing it.

The issue is not your feed, that's what Facebook wants you to believe; you agreed to share that data with other FB users. The issue is they transfer personal data of EU citizens to the US to process them and sell them or use them to improve their adv war machine. Or give it to their US government.

Probably not too difficult for a company like Facebook, don't you think?
Much harder for a large company than a small one, actually. The coordination overhead to get a bunch of disparate teams in a large company to rearchitect the fundamental structure of the service should not be overlooked.
Personally I'd be happy to accept that given Facebook's impact on society and their technical ability and capacity.
Not difficult at all, I did that on a much smaller case.
This is about data sending without consent, which has to be explicit. E.g. if I, as a European, create a Gmail account and my mails reside on a US server, I give explicit permission for all my emails to be transferred between Europe and the US. Namely: I'm informed of the extent of data collection (all my mails, incoming or outgoing), the duration (forever), the storage (Google servers) and algorithms used (I consent to the scanning of my emails to create ads).

But if I visit a web page hosted in Europe, and that page uses the FB cookies, Google analytics, etc. maybe I'm unaware what and how the data is being collected.

They relied on the cookie banners as explicit consents (i.e. if you click this "OK" button, you give explicit consent to all our data gathering and sending), but that might be not fully compliant with GDPR.

> E.g. if I, as a European, create a Gmail account and my mails reside on a US server, I give explicit permission for all my emails to be transferred between Europe and the US.

NOYB has used this as an example of something that would be illegal.

Do you have a link? AFAIK they are fighting against analytics, cookies and advertising ids.
Sure, here: https://noyb.eu/sites/default/files/2020-03/ag_prep_en.pdf

The main issue is differences between EU and US law.