by shoto_io 1586 days ago
I’m not the biggest fan of Ben Evans, but he’s right on “privacy fanatism”:

> At a certain point EU privacy regulators will realise: When an EU citizen requests a US internet resource, they provide a US server with their IP address; An IP address is PII; The CIA could record that; Therefore it is illegal to provide any internet resource to anyone in the EU

Source: https://twitter.com/benedictevans/status/1492102034409066504

PS: saying this as a German citizen…


Extraterritorial jurisdiction + global nature of the internet causes these problems. We've already seen lots of the reverse: it's illegal to provide gambling to Americans. https://en.wikipedia.org/wiki/United_States_v._Scheinberg

It's also legally difficult to provide bank accounts to Americans: https://www.thelocal.fr/20210924/why-americans-are-finding-i...

Then there was the whole incompatible court orders in re Azure: https://www.theverge.com/2018/4/5/17203630/us-v-microsoft-sc...

Really the only workable outcomes are a global agreement on internet-touching governance (which the US will never accept on principle) or Balkanization. Or I suppose an eternal chasing into new as yet unbanned services.

Thanks, that was really insightful. I wonder if global agreements are really unimaginable. There have been quite a few from the old days, e.g. international marine conventions. What do you think?
The last two data exchange agreements between US/EU were overturned. I think it's unlikely at this point unless the USA adjusts some of its surveillance laws.
That gets to the heart of it. Europeans are increasingly uncomfortable using US based services due to how the data is used. It is not inconceivable that there will be multiple Internets based on legal jurisdiction, we already see this with China.
Do you imagine the EU blocking EU citizens from accessing US services? I find that hard to believe. "We're blocking your access to the outside world for your protection" must ring pretty hollow to the people who vote. It works in China because nobody gets a vote.
Extra-territorial laws are one way of achieving the same effect. A logical next-step would be blocking websites from jurisdictions where such extra-territorial laws are unenforceable.

"This website is in a territory not subject to EU regulations governing privacy, security, and content. Do you wish to proceed?"

It is already a reality that you can't access certain US websites as a European. They block you out because they don't want/don't know if they comply with GDPR. Same effect.
I remember when the Great Firewall was considered the manifestation of evil by old-time internet users.

It'll be hilarious if European nations decide pursuing GDPR cases is intractable when so many services Europeans use are fully outside the country (and beyond EU enforcement of jurisdiction) and they decide a firewall is necessary to protect their citizens from American surveillance. It would prove China was just ahead of the curve.

Do we then also finally get some of our own internet giants that won't get bought out immediately?
Yup, Section 702 of the FISA act needs to be repealed in order for these judgements to not be relevant.

That's not to mention all of the other, non-legally justified analytics performed by the NSA/CIA etc.

I suspect there's a third outcome within crypto many are quietly pursuing. Looked at through the lens of "what if the internet were its own country" a lot of web3 makes a bit more sense.

Or maybe I've read too many Neal Stephenson novels.

That was my "eternal chasing into new as yet unbanned services". The ban wave has largely caught up with big ICOs, but not with "governance tokens" or "NFT based communities".

There's going to be a cycle of "web3 gets big money", "big money fraud in web3", "SEC enforcement against web3", and then the launch of "web4" in 2030.

Crypto can never manage that because the infrastructure running it, the power needed to do that and all the people using it are in countries already.
There’s no issue with that. If a person manually takes their information and mails it to the CIA, that’s also fine.

The issue is if a person visits a resource from a company in the EU, they should be able to expect that that information won’t be passed along to any third party that’s not absolutely necessary. Especially not to foreign governments.

You wouldn’t expect a visit to latimes.com to leak your information to the Chinese Party either.

Maybe I'm just old-school, but I expect when I visit a site I'm leaking some PII (my IP address) to every router between my client and latimes.com to do with as they will.

I wouldn't necessarily expect the CCP to be involved unless Internet routing is having a very bad day, but I'd expect the American government to be involved when hitting an American server.

> Maybe I'm just old-school, but I expect when I visit a site I'm leaking some PII (my IP address) to every router between my client and latimes.com to do with as they will.

Presumably you don't expect the american government to get involved after your request has reached latimes.com though?

Technically, the only thing stopping them is SSH, and that can be handled (as Snowden publicized) by tapping latimes.com's systems on the other side of decryption.

Old-school me would not have expected that to happen. Post-Snowden? It's a definite possibility.

> Old-school me would not have expected that to happen. Post-Snowden? It's a definite possibility.

And... Is that a "favorable" (hope that's the right word, non-native here) thing?

It's neither favorable nor disfavorable to me; it just is. Something I file away in the back of my head about how the Internet works right now. Individual uses can be favorable or disfavorable.

If I walk into a store and buy some gum, my face is on their security camera. If the cops are hunting for a murderer, they can pull that camera feed. Is this favorable? shrug. I like my privacy but I also like catching murderers. And I have no expectation of privacy when I step in someone's store; similarly, once I've shipped 1s and 0s to someone else, my expectation is they'll use them as they will, and if I don't like it I'll stop shipping 1s and 0s to them.

This is probably just my American sensibilities talking, but growing up in a culture where I was building a credit score before I knew what that was, I'm not surprised services like Google Analytics are e-gossiping on my preferences (any more than I'd have been surprised if two BBS owners, back in the day, gossiped about their users).

> The issue is if a person visits a resource from a company in the EU

Does it have to be a company in the EU? I thought the GDPR covered any website an EU citizen, resident, or visitor might use, in which case US-based websites might have contradictory obligations to the GDPR and US law.

It depends on Art 3.

https://gdpr-info.eu/art-3-gdpr/

Just because a website exists and may be visited by a EU resident, does not mean that the site automatically has to comply.

It will be hard for a lot of US media making deals with European advertisers to claim they’re not intended for use by European residents, though.
Is that not what 2(a) says: if a service is being provided to an EU data subject, the regulation applies? At least, that is clearly what the EU seems to be claiming. Sure, if no EU data subject actually accesses the site, it doesn't apply, but the moment one does...
Well I mean think of a store which doesn't accept EU payment or ship to EU addresses, nor target EU residents with Advertising. You'd be hard pressed to say they service EU residents even if the site was able to be visited by EU residents.
Nowhere in Article 3 does it say anything about "targeting" them; it only says if the "service" is "offered", whether or not payment is required. So in a broad interpretation, simply serving a webpage to an EU data subject is an act of processing personal data (IP address) of an EU data subject related to offering them a service (the web page itself). That is, as long as it doesn't fall into one of the carve-outs in Article 2: https://gdpr-info.eu/art-2-gdpr/

It could be argued that such an act "falls outside the scope of Union law;" but that seems to be a matter of contention.

The US isn't going to enforce GDPR violations, so why does it matter?
Do they have a TikTok?
Well, the obvious responses here are that (1) the law does no such thing, and (2) even if it did, the right target for public concern should be the CIA and the government theoretically controlling its behavior, not the EU.

Even if it came to a point where the EU decided that the only way to keep its citizens safe from US intelligence monitoring were to cut off all access between EU and USA internets, the problem would be the US intelligence framework, not the EU.

Nope. Because legitimate interest kicks in there - you can’t provide the requested service without the IP address. At all.

Turn off Google analytics and you can still provide the service.

Really you should just stop using Google analytics. I know all the data is really fun to look at and can even be useful but it’s a bit like poisoning people just for walking into your business.
> I know all the data is really fun to look at

bit of voyeurism as well

You most definitely can provide a service without having a US IP address. Many services have IPs and servers in the EU instead of the US.
He is not right. Does anyone really think that EU regulators don't know that every request provides the server with an IP address?

Will they start suing every US company that doesn't comply with GDPR? Of course not. The EU is doing this to build pressure against the US and their surveillance fetish. And it's good that they are, because otherwise, who will?

The US government has proven time and time again that they do not care about their citizens' privacy and straight up lie to their faces. And then there is the CLOUD Act, which now starts to affect non-US citizens, too.

IP address by itself is not considered PII (at least not yet).

Context matters. IP address along with other information could be considered PII.

There were rulings finding IP addresses by themselves are already PII[0], because an IP address might be traced back to a person. E.g. an IP address can potentially be used to go to an ISP and request the subscriber information, and the subscriber information potentially identifies the user of the IP address at a given time, if the subscriber cannot name anybody else who could have reasonably used the IP address at a given time. Courts found that this abstract risk is enough to qualify IP addresses as PII, as they can potentially identify people indirectly.

The recent German ruling about loading Google Fonts without prior consent explicitly mentioned these rulings and made them a core part of their own conclusions.

[0] The most important ruling is the Breyer ruling (C‑582/14), that found, answering question one, that "dynamic" IP addresses are PII. Further rulings have regularly found that "static" IP addresses are PII, and that you cannot really know what is a "dynamic" and a "static" IP address with reasonable certainty anyway.

"Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person."

https://curia.europa.eu/juris/document/document.jsf?text=&do...

These rulings are about personal data, not PII. Please don't confuse the two; it's extremely relevant for IPs.

They are personal data because they are a fact about an identifiable person and thus fall under the GDPR's processing requirements esp. relevantly when transferring to third-parties; but they are not per se PII.

Do we have a ruling that IP address alone isn't PII? I thought the opposite was true.

https://www.fieldfisher.com/en/services/privacy-security-and...

Exactly right.
Yes, taking it literally at the extreme case, the rule is unreasonable.

But Google Analytics is the kind of thing the Law was created to stop, it's not an unreasonable unintended effect.

> ... When an EU citizen requests a US internet resource, they provide a US server with their IP address; An IP address is PII; The CIA could record that; Therefore it is illegal to provide any internet resource to anyone in the EU

Forget that. An EU user visiting an EU site might have their packets routed through an entity outside the EU anyway, without their intent and certainly without their explicit consent.

An IP address is personal data, it’s only PII in combination with other data. Don’t collect the other data if you don’t need to.
> it’s only PII in combination with other data

It’s always PII for static IPs, and together with a timestamp it’s also PII for dynamic IPs...

I think you're confusing personal data and PII.
An IP address can legally identify a person, e.g. in the industry of lawyers sending cease & desist notices (and taking you to court) if you torrent something.

There’s a whole bunch of legal precedent for that in the EU.

Providing the IP address for the communication channel is quite obviously necessary and does not require explicit consent.

https://gdpr-text.com/read/article-49/#para_gdpr-a-49_1_1b

> In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, [...] a transfer [...] of personal data to a third country or an international organisation shall take place only on one of the following conditions:

> [...]

> (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request

> [...]

GDPR does not forbid providing internet resources to EU users, that is simply a lie. All it requires is that data handling happens in the best interest of the user.

True, but storing the IP address server-side for purposes other than serving the HTTP request doesn't fall under (b).

Diagnostic logging (e.g. Apache logs) is probably okay as long as the organization can show that these logs are destroyed in a reasonable timeframe, but AFAIK even that is legally a gray area (in the sense that it isn't explicitly forbidden nor allowed).
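One way an operator can keep diagnostic logs while limiting what they retain about visitors, as an added example that is not from the thread or any commenter: truncate client IP addresses to their network prefix (/24 for IPv4, /48 for IPv6) and drop entries older than a fixed retention window. The log lines, the prefix lengths, the seven-day window and the reference time are all constructed for the example; the Apache "combined" log format itself is real.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in Apache "combined" log format (not from the thread).
SAMPLE_LOG = """\
203.0.113.42 - - [10/Feb/2022:08:15:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
2001:db8:abcd:1234::1 - - [10/Feb/2022:08:16:10 +0000] "GET /about HTTP/1.1" 200 2048 "-" "curl/7.79"
198.51.100.7 - - [01/Jan/2022:23:59:59 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Reference "now" for the demo, chosen so that one sample line is out of retention.
DEMO_NOW = datetime(2022, 2, 10, 12, 0, tzinfo=timezone.utc)

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<ident>\S+ \S+) \[(?P<ts>[^\]]+)\] (?P<rest>.*)$")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def truncate_ip(ip_text: str) -> str:
    """Keep only the network part of an address: /24 for IPv4, /48 for IPv6.

    The host bits are zeroed so the stored value no longer singles out one
    subscriber, while still being useful for coarse diagnostics.
    """
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


def parse_line(line: str):
    """Split one combined-format line into (ip, timestamp, ident fields, rest)."""
    match = LINE_RE.match(line)
    if not match:
        return None
    ts = datetime.strptime(match.group("ts"), TS_FORMAT)
    return match.group("ip"), ts, match.group("ident"), match.group("rest")


def process_log(text: str, now: datetime, retention_days: int = 7):
    """Return (kept_lines, dropped_count).

    Kept lines carry truncated IPs; entries older than the retention window
    are dropped instead of being rewritten.
    """
    cutoff = now - timedelta(days=retention_days)
    kept, dropped = [], 0
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than guess at its fields
        ip, ts, ident, rest = parsed
        if ts < cutoff:
            dropped += 1
            continue
        kept.append(f"{truncate_ip(ip)} {ident} [{ts.strftime(TS_FORMAT)}] {rest}")
    return kept, dropped


if __name__ == "__main__":
    kept_lines, dropped_count = process_log(SAMPLE_LOG, DEMO_NOW)
    for entry in kept_lines:
        print(entry)
    print(f"dropped {dropped_count} entries outside the retention window")
```

Truncation is applied at write or rotation time; the original full address is never kept in the retained file, so the retention policy and the reduced data both hold even if the log is later copied elsewhere.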

Diagnostic logging is ok as long as you have a sane retention policy.
Recent court orders in Germany and France beg to differ.
Opening a communications channel to a third party, e.g. a shady spyware company like Google, requires consent, which makes sense.
I don’t remember any case related to accessing first party resources, can you give a link?
That case is not about accessing first party resources. It was about a German website which (effectively) shared data with a third party provider from a country with no adequate privacy protection.
Well, the other side of the coin is US intelligence agencies monitoring and collecting all traffic, far outside its jurisdiction.
What's next, Twitter geniuses realizing it's also not legal for the CIA to poison people in foreign countries? Supply weapons to militias? Trade narcotics?
That seems a ridiculous interpretation. US companies liable for actions performed by the CIA? Forget GDPR, the entire population of the USA is guilty of war crimes.

If the CIA required web sites to explicitly include a privacy invading snippet, even then it is dubious since it is under duress. And in any case, exactly the sort of stuff you would want laws like GDPR to hinder.

That is false. Businesses outside EU are not bound by GDPR.

The problem is when websites in EU, which are expected to follow GDPR, randomly leak information to businesses outside EU.

> Businesses outside EU are not bound by GDPR.

Business outside the EU, interacting with users in the EU are bound by the GDPR. There might not really be a way (currently) to impose penalties on those businesses for violations, but they are certainly bound by them.

This is such a weird argument. Let's say those things are true (and I think they are reasonably true).

- When an EU citizen requests a US internet resource, they provide a US server with their IP address

- An IP address is PII (well, personal data as far GDPR is concerned, but that's a nitpick)

- The CIA could record that

I don't see how you would get from those to the conclusion that "it is illegal to provide any internet resource to anyone in the EU".

First, it's worth noting that GDPR only applies to companies that specifically target their services at individuals in the EU. Targeting means having an EU office, using an EU domain, providing EU languages such as Polish or allowing payments in EU currencies. If your service makes no effort to provide service specifically for European users there is no need to worry about GDPR - even if you are in the US.

Second, while US services targeting individuals in the EU are legally problematic, this doesn't affect other countries - so I see no reason to say "any" here. For example, a Japanese server is free to provide services to individuals in the EU provided they comply with GDPR, as the EU has an adequacy decision for Japan.

Also, I would like to point out you can replace US with North Korea in this argument. I think it would be ridiculous to say that if European Union were to disallow sending personal data to North Korea (including IP address) then it would mean that it's illegal to provide any internet resource to anyone in the EU.

> Targeting means having an EU office, using an EU domain, providing EU languages such as Polish or allowing payments in EU currencies.

Nope. There's only a single requirement: having EU users.

GDPR recital 23 says the following:

> In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.