[dataflow]

> Does the US person need to hit the French servers to see new messages, and vice versa? What about quoting?

I would imagine each user has a copy of the other's messages in their own account, and that's what they would be hitting.

[likpok]

So you propose to copy the private data of European citizens on US servers?

What happens when the law makes that illegal?

[kmlx]

> So you propose to copy the private data of European citizens on US servers?

> What happens when the law makes that illegal?

just follow the Chinese model. complete blackout between the European Union, China and ROW. this is where this thing is headed, so we might as well start thinking about it.

[stickfigure]

What is the value of legally requiring copies in every geographic location? That seems strictly worse from any kind of privacy perspective.

[dataflow]

Keep in mind that with other communication mechanisms (e.g. email, SMS) we already send over a copy of the message and keep the original. I'm not saying it's "better" from a privacy perspective, just that it seems like the logical solution here, and I'm not sure how a court might conclude otherwise. The data is being hosted in Europe at that point. It's just that a copy needs to be sent to the recipient only when the message is initially sent (because how else do you communicate?!).

[stickfigure]

That's true for some kinds of PII data and not others. The social graph (who are your friends) is symmetrical. Shared-edit documents, dropbox-like file sharing, and wikis are often ownership-ambiguous.

[kasey_junk]

How does it get to their account?

[dataflow]

A server in the sender's jurisdiction sends it to a server in the receiver's jurisdiction? How do SMS or email work in Europe?

[kasey_junk]

Sending data to the US and storing it there, is the very point that is being contested.

People are acting like this is a trivial problem both technically & legally but it’s not. I don’t have sympathy for Facebook but if you are a small company handling data in the EU and other data outside it I have sympathy as it’s going to cost a lot in architectural complexity and compliance costs.

[dataflow]

How do SMS/MMS/email/etc. handle this? Are you saying they would all become illegal? Or is this law going to uniquely place requirements on social media that other communication systems do not/would not comply with?

[ben_w]

I’m not a lawyer, so take the following with a pinch of salt.

My GDPR compliance training said that data strictly necessary for the provision of a service is something a business can freely use to that end without explicit consent. This is why GitHub doesn’t show cookie popups: https://github.blog/2020-12-17-no-cookie-for-you/

So “User @Alice sent $message to user @Bob” is necessary for a chat platform, but “Notice to advertisers: User @Alice posts a lot about cars, cats, and funny shaped carrots” isn’t even though advertisers pay for the continued existence of the service.

[likpok]

Is answering subpoenas in the US strictly necessary for the provision of a service? I believe that's the wrinkle with Privacy Shield.