by bleep_bloop 1121 days ago
Isn't this kind of exactly what the EU is showing us, that a global power isn't needed if countries actually set requirements and regulations. There has been a lack of desire from law makers worldwide to protect consumer data even though it's very obvious that it should be a fundamental right to control who gets to know your personal information and worse, whether they can sell it.

What I believe is happening here is the EU is setting a new standard that the US and UK and others will have to follow if they want to do business in the EU, unless they invest millions in infrastructure and staff.

I believe the same happens in the US, one state such as California will make progressive law changes that force companies to just apply the same standards across other states as it's less legal and regulatory burden, so effectively one state can actually change the system for everyone, no global super government required.

7 comments

Likewise you have governments like the UK who are discussing bills that will effectively ban E2E encryption for children’s safety. If passed, companies like WhatsApp would just leave the market.

I believe your comment is somewhat true, but in your examples with the EU and California it’s mostly the case where (one of) the largest market(s) is able to set laws that govern the entire world. Which is great if everyone also happens to agree with the law, but it’s not the most democratic situation.

The problem is, what is a democratic global government? Larger states dominate smaller states in democratic governments all over the world simply because of numbers of votes. Having yet another layer of elections over it doesn't really make much of a difference.

> Larger states dominate smaller states in democratic governments all over the world simply because of numbers of votes.

At what governance level would this be acceptable for you? The existence of political minorities is inevitable. The question is where do you draw the line: street, block, postal code, city, metro, region, state, or nation? When is it OK to dominate others because they got fewer votes? The same issue is reflected in red states grabbing power from blue cities, with the implication that the state-level domination is A-OK.

I didn't say anything about acceptability. But if grandparent's comment is this

> with the EU and California it’s mostly the case where (one of) the largest market(s) is able to set laws that govern the entire world

this is not likely to be solved by yet another layer of government.

Population of a nation doesn't necessarily correspond to influence, though.

In a democracy it does correspond with votes though. Other than one person = one vote, how would you structure a global government?

> how would you structure a global government?

We're not going to structure a global government, such a thing is never going to exist and we're never going to have to worry about it existing. Fortunately.

It is the most democratic situation. Companies can decide between (a) leaving that market, (b) treating the whole world by the strictest laws, or (c) only following those laws for those residents. If the cheapest solution is (b), and capitalism demands the cheapest solution, then that's useful information for the shareholders to choose a path. Just because we know what they will always choose doesn't make it undemocratic.

(b) might just not be possible, as the above poster wrote; regulations might be in conflict.

I think I'm missing your point here. Let's say Texas passes a law that all Texans' data has to be processed in Texas, and because cowboys don't give a shit there's no consideration for the EU's law.

What would the appropriate way for Meta to handle a friendship between a Texan and a European be? They can't process the Texan's data outside Texas, and they can't transfer the European's data outside of Europe. Disallow them from being friends?

You are misrepresenting this ruling. Any data that the user gives informed consent to share can be moved wherever the user consents. This ruling is about sending user data without any active informed consent.

Not so simple. Even with consent you aren't really allowed to store in America, because America is assumed to be an unsafe country (because the govt can at any moment force a US company to show the data).

Well, yes, that's the ENTIRETY of the problem: US law pissing on privacy and user consent. Fix that and it's all well.

It never was about "where it is processed" but "who can access it".

> because america is assumed to be an unsafe country (because govt can at any moment force a US company to show the data)

I assume here the EU can't do the same?

I don't think users can consent to ongoing general-purpose data transfers.

This is from the European Data Protection Board FAQ following the Schrems II ruling. Does the text of the new ruling say something different?

> 8) Can I rely on one of the derogations of Article 49 GDPR to transfer data to the U.S.?

> it should be recalled that when transfers are based on the consent of the data subject, it should be ... specific for the particular data transfer or set of transfers (meaning that the data exporter must make sure to obtain specific consent before the transfer is put in place even if this occurs after the collection of the data has been made)

> With regard to transfers necessary for the performance of a contract between the data subject and the controller, it should be borne in mind that personal data may only be transferred when the transfer is occasional. It would have to be established on a case-by-case basis whether data transfers would be determined as “occasional” or “non-occasional”. In any case, this derogation can only be relied upon when the transfer is objectively necessary for the performance of the contract

https://edpb.europa.eu/sites/default/files/files/file1/20200...

This isn't a data localisation issue.

The EU isn't saying that personal data has to be processed only in the EU. They're saying it has to be processed somewhere with adequate standards of data protection.

Where outside of the EU has been certified in this way?

Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, and Uruguay.

As long as international companies have the option to exclude any local government, they can simply vote by participation. Texas requires something that a Swiss social network cannot abide? Block Texas.

This doesn't work when a law doesn't allow some foreign company to escape, though. Suppose Texas decides that toy makers are liable for toys that hurt children. A Swiss company that makes army knives for kids decides not to sell to Texas, but other people buy some and then resell them in Texas. If the original manufacturer can't avoid the local government, that's more complicated.

Because I don't see anyone downstream agreeing with you, I just wanted to hop in and +1 that I think you're REALLY making good points throughout this thread. I think a lot of folks are having trouble imagining a world beyond "EU laws" and "US laws". If every national or even state/provincial government has its own data laws (we already have 5 states in the US with GDPR-like legislation, and more likely on the way), then we're just accelerating towards a fragmented internet __with no opt-out mechanism for the individual__. When (especially smaller) companies get weighed down by legal interpretations and the fear of violations, they're just gonna start blocking more and more clients from everywhere outside their jurisdiction. (Apologies to the world, but I literally work on software that makes it easier to resolve geolocation for web devs and, among some other reasons, one of the top ones is to block certain georegions.)

Separately, while I'm all for internet privacy and am generally aligned with the _intent_ of GDPR, having had to meet its requirements at the highest level of scale, I have no qualms saying that it's truly a _terrible_ piece of legislation. Clearly whole sections were written without any regard for technical accuracy, and it leaves a number of ambiguities and contradictions within its language that continue to go without clarification. I don't feel like getting in the weeds here, but if you ever want to see people getting in the mud about how to actually comply with it, just go take a peek at the higher-comment threads in /r/GDPR.

Personally, I'd much prefer a cascading set of standards coming from a technically oriented consortium of (ideally OSS) folks that could be enforced from the client side as much as possible, and then independently audited on the server side (like a UL certification, but for your server architecture). Most of us here are probably already using a ton of client extensions to enforce as much privacy as we can without breaking things, and if an OSS auditing standard came along for servers, it'd be sweet if I could e.g. set my browser to "EU data servers only" and have my browser give me an option to explicitly override it if I really need to (like we do today with bad SSL certs).

As for the data export and deletion controls...I get the argument that's only enforceable via regulation and government enforcement. But given the ease of data replication and laundering (made even easier in a post-ML world), I'm not optimistic that you can actually "catch" people violating it except against the absolute largest corps ("yeah, we totallyyyyyy deleted all your data, for sureeee"). Feels like it's enforceable at about the order-of-magnitude of insider trading in the US.

While I like the regulations on who can collect and share your data and preventing all these backdoors to the US Gov, I also think these regulations make it impossible for small companies to compete with Meta, Google, etc. You can't hire enough legal and compliance experts to get it 100% right, not to mention all the extra code you need to write. Maybe that's OK, but my cynical side says Google and Meta lawyers write and practically hand these regs to the legislators with that in mind.

I agree, the EU fuels the corporations and blocks small companies from getting any traction by increasing the compliance levels without thinking stuff through.

I don't want to say that fighting for privacy rights is a bad thing, but as a small-time entrepreneur, they seem to be on the same side.

That sort of argument sounds a lot like "Small companies should be allowed to abuse their customers because if they aren't, then they can't compete."

Not to mention if you can't move customer data out of a governance region, that means you need a separate data center. Which is prohibitively expensive for a small business, but something a big corporation like Meta or Google would probably do anyway.

A "small company" facing global-scale governance challenges rather sounds like a luxury problem of big companies.

> You can't hire enough legal and compliance experts to get it 100% right not to mention all the extra code you need to write.

You don't need to hire a team, just a company. A lot of companies offer this exact service now and effectively.

For example: Drata.

> I believe the same happens in the US, one state such as California will make progressive law changes that force companies to just apply the same standards across other states as it's less legal and regulatory burden, so effectively one state can actually change the system for everyone, no global super government required.

I almost bought a car from Carvana. They had all my info: driver's license images, SSN, etc. At the last minute they required a DocuSign signature, which I told them upfront I wouldn't use, so I canceled the deal.

Afterward, I told them I wanted all of my info deleted since we didn't do a transaction. They said they could only do that for CA residents. A CA law is not going to cause companies to follow that law for all US citizens if it's to the company's advantage not to follow it.

> What I believe is happening here is the EU is setting a new standard that the US and UK and others will have to follow if they want to do business in the EU, unless they invest millions in infrastructure and staff.

That’s called the Brussels effect (https://en.wikipedia.org/wiki/Brussels_effect), and indeed is similar to the California effect (https://en.wikipedia.org/wiki/California_effect)

I just heard Eric Hughes give a talk about this, and the non-regulatory solution was pretty simple: flood the field with so much bullshit that the data collected is worthless. Sadly most people happily give away their most personal information for "free" email, chat and search engines. I don't think most people are willing to actually pay for the services provided to them in exchange for their detailed personal information; maybe people's opinions will change, but I wouldn't bet on it, and meaningful regulation written by lobbyists and voted on by octogenarians probably won't happen either.

Do you have any examples of software that currently accomplishes this for any services that are based around user profiles, often tied to a phone number?

Especially for unilateral users of such software? (if I could convince fellow proprietary service-users to use some obfuscating software that generated/filtered a bunch of fake communications, I could just convince them to use Free software instead of the proprietary service)

Any details on that talk or the venue it was presented in? I don't find any likely recent context from a Web search (and Hughes's name is increasingly colliding with others).

That said, effective chaffing is difficult and does little to mask methods used to surveil or profile. It's also highly ineffective against strong-intent signalling such as purchase behaviours, unless someone is willing to buy items of little interest or purchase-and-return with sufficient aggressiveness to likely provoke not only vendor cancellation but fraud or criminal investigation.

Cory Doctorow from a Reddit AMA a couple of years ago on chaffing's ineffectiveness:

Chaffing turns out to be pretty easy to detect, because people aren't random - generating data that is both plausible and doesn't leak anything is really hard.

The most common solution to this from information theory is to broadcast a steady volume of noise that is sometimes mixed with signal: for example, you start a Twitter feed that tweets out exactly 280 characters of random noise every minute. Sometimes, though, you push ciphertexts into that stream. Your counterparty analyzes EVERYTHING you tweet, looking for data that decrypts with their private key and your public key. Adversaries can't tell who you're talking to, nor can they tell when you're talking.

This is much harder to do with something like your web traffic....

<https://old.reddit.com/r/privacy/comments/j444u4/how_to_dest...>

And it's even harder with purchase history, postal mail, or phone-call activity.

In practice, the method would be unavailable to much of the public, and of and by itself a strong indication of surveillance interest, much as use of, say, PGP is long reported to be.
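To make the noise-channel construction in the Doctorow quote above concrete, here is an added example; it is not part of the original thread and is not code written by Doctorow or by any commenter. It swaps in a pre-shared 32-byte symmetric key for the public-key scheme in the quote (the Python standard library has no public-key primitives), and builds a toy authenticated stream cipher from HMAC-SHA256 (counter-mode keystream plus an encrypt-then-MAC tag) so that the file runs with no third-party packages. That construction is for illustration only and is not a substitute for a standard AEAD in real use. Every slot is exactly 280 bytes, mirroring the 280-character tweets in the quote: pure-noise slots are random bytes, message slots are nonce || ciphertext || tag, and the receiver trial-authenticates every slot and keeps only the ones whose tag verifies.

```python
"""Constant-rate noise channel with occasional authenticated ciphertexts.

Toy illustration of the scheme described in the thread: a sender emits a
fixed-size slot at a fixed cadence, most slots are random noise, and a few
carry an encrypted message. Without the key, every slot is uniformly random.
"""
import hashlib
import hmac
import os
import struct

SLOT = 280                              # fixed slot size (bytes); mirrors 280-char tweets
NONCE_LEN = 16
TAG_LEN = 32                            # HMAC-SHA256 output
BODY_LEN = SLOT - NONCE_LEN - TAG_LEN   # 232 bytes of ciphertext per slot
MAX_MSG = BODY_LEN - 2                  # 2-byte length prefix inside the body


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the shared key (assumed 32 bytes)."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a keystream (toy cipher, not a standard AEAD)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def noise_slot() -> bytes:
    """A cover slot: SLOT uniformly random bytes, indistinguishable from a message slot."""
    return os.urandom(SLOT)


def message_slot(key: bytes, msg: bytes) -> bytes:
    """Encrypt msg into a slot: nonce || ciphertext || tag, always exactly SLOT bytes."""
    if len(msg) > MAX_MSG:
        raise ValueError(f"message longer than {MAX_MSG} bytes")
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    # Length prefix + message + random padding, so the body is always BODY_LEN bytes.
    body = struct.pack(">H", len(msg)) + msg + os.urandom(BODY_LEN - 2 - len(msg))
    ct = bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, BODY_LEN)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_slot(key: bytes, slot: bytes):
    """Return the plaintext if the slot authenticates under key, else None (noise or tampered)."""
    if len(slot) != SLOT:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = slot[:NONCE_LEN], slot[NONCE_LEN:-TAG_LEN], slot[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time tag check
        return None
    body = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, BODY_LEN)))
    (n,) = struct.unpack(">H", body[:2])
    if n > MAX_MSG:
        return None
    return body[2:2 + n]


def receive(key: bytes, stream):
    """The counterparty's job from the quote: try every slot, keep what decrypts."""
    return [m for m in (open_slot(key, s) for s in stream) if m is not None]


def demo():
    # Constructed sample stream: mostly noise, two real messages mixed in.
    key = os.urandom(32)
    stream = [noise_slot() for _ in range(5)]
    stream.append(message_slot(key, b"meet at 9"))
    stream += [noise_slot() for _ in range(4)]
    stream.append(message_slot(key, b"bring the docs"))
    stream += [noise_slot() for _ in range(3)]
    assert all(len(s) == SLOT for s in stream)   # nothing about size betrays which slots matter
    print("recovered:", receive(key, stream))
    print("wrong key recovers:", receive(os.urandom(32), stream))


if __name__ == "__main__":
    demo()
```

The thing this buys is exactly what the quote claims and no more: an observer without the key sees slots of identical size at a steady cadence and cannot tell which carry content or when a conversation happens. It does nothing about the points raised right after the quote: the account doing the posting, the fact that it posts random-looking data at all, and any out-of-band behaviour (purchases, mail, calls) are untouched, and running such a channel is itself a conspicuous signal.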

You didn't answer the question. How do you have a global graph without sending data to every country where your friends are?

This is another example of clueless EU regulators creating laws with no understanding of the implications

> You didn’t answer the question . How do you have a global graph without sending data to every country where your friends are?

You do not, but that is not what the ruling is about. This ruling is about Meta using standard contracts (SCC) to achieve mass acceptance for personal data transfers of EU citizens out of the EU. Which you are not allowed to do with the GDPR. If Meta had obtained individual permissions from you on your various personal information, then it would not have been illegal for Meta to share your information globally.

This isn't really about what you share on FB either, it's about all the data that Meta applications gather about you (often without your knowledge) that they then send outside the EU with a very generalised permission that you probably auto-accepted when you signed up. It's exactly because the EU regulators know that people auto-accept those general agreements without ever reading them that the law has been made to make such agreements non-GDPR-compliant. The reasoning is that you cannot sign away your rights without understanding what you are signing away, and if corporations don't want to make sure you know what you are agreeing to, then the corporations are in violation of EU law.

> How do you have a global graph without sending data to every country where your friends are?

Why is it important that this can be done? The "social graph" is for the benefit of the likes of Facebook. You already know who your friends are and how to talk with them. You don't need a third-party social graph for that.

So Facebook and no other social media platform should exist? Or are you saying that a messaging platform shouldn't store messages between a user in the EU and a group of users in the US?

> How do you have a global graph without sending data to every country where your friends are?

On-Demand, i.e., if one of your friends actually visited your "node" (profile or whatever) and also by following the law for the country the data originates from, no need to store anything in the target country – i.e., like most of the internet already works (or worked), it's really not _that_ hard.

> This is another example of clueless EU regulators creating laws with no understanding of the implications

Meh, maybe some are clueless, but one also sees a lot of head scratching and scapegoating from people who don't bother to even think about solutions or what the actual laws are about (i.e., are themselves clueless about the actual implications).

And what happens when I send a private message from the EU to someone in the US via Messenger?

It needs to be simultaneously accessible to UK law enforcement and not reachable from another country. Come on Meta, can't you solve that really easy one?

bans UK

If you sent that, it's OK to have the data transferred, like I can already send a letter with a USB pen drive to a friend in America without anyone in the chain being liable for handling that, as long as they don't leak to third parties, i.e., anyone I did not choose to give my data.

As said, it's really not that hard.

Well, a private message sent via Messenger is not personal data (PII), so it is not covered by GDPR. This is a very simple concept that critics of GDPR seem to ignore or get wrong over and over again.

It’s not about protecting all data. It’s about protecting personal data.

https://gdpr.eu/eu-gdpr-personal-data/

How is a private message not personal data?

There's literally a definition of PII at the link given above, which could tell you that. So stop asking stupid questions.

The message is sent to the EU bureaucrats so they can scan it for X, where X is initially child porno but will surely expand. Your friend just sees a gray box with the text "Displaying this message would violate the GDPR."

It’s the perfect user experience!

GDPR states, "The storage limitation principles state that you should keep personal data for as long as the purpose is unfulfilled"

Seems like FB was storing a little bit more than just social graph and for a bit longer.