by tlamponi 1121 days ago
> How do you have a global graph without sending data to every country where your friends are?

On-Demand, i.e., if one of your friends actually visited your "node" (profile or whatever) and also by following the law for the country the data originates from, no need to store anything in the target country – i.e., like most of the internet already works (or worked), it's really not _that_ hard.

> This is another example of clueless EU regulators creating laws with no understanding of the implications

Meh, maybe some are clueless, but one also sees a lot of head scratching and scapegoating from people that don't bother to even think about solutions or what the actual laws are about (i.e., are themselves clueless about the actual implications).

And what happens when I send a private message from the EU to someone in the US via Messenger?
It needs to be simultaneously accessible to UK law enforcement and not reachable from another country. Come on Meta, can't you solve that really easy one?
bans UK
If you sent that, it's OK to have the data transferred, like I can already send a letter with a USB pen drive to a friend in America without anyone in the chain being liable for handling that, as long as they don't leak to third parties, i.e., anyone I did not choose to give my data.

As said, it's really not that hard.

Well, a private message sent via Messenger is not personal data (PII), so is not covered by GDPR. This is a very simple concept that critics of GDPR seem to ignore or get wrong over and over again.

It’s not about protecting all data. It’s about protecting personal data.

https://gdpr.eu/eu-gdpr-personal-data/

How is a private message not personal data?
There's literally a definition of PII at the link given above, which could tell you that. So stop asking stupid questions.
So yes, you’re right, my personal messages attached to my user name don’t relate to an identifiable person.

“which is any piece of information that relates to an identifiable person.”

No, you are misinterpreting what the law is saying. The purpose of the law is to protect from the collection of data points (height, age, political opinions, etc.) about individuals. Sure, a private message between two individuals can contain such information in a way that can be associated with a specific individual. If Facebook would scan all private messages for such data and store it in unencrypted form, then yes, they would violate GDPR. But a simple text message between two individuals does not by default violate GDPR.

A very important aspect of GDPR is a consideration for the purpose of the processing of data. If your company is providing an international messaging service in order to harvest sensitive personal data from private messages, then yes that is very much illegal. But if the purpose is simply to provide a messaging service and you are taking the appropriate steps to secure the data of your users, then it is not illegal.

If the message is really private (i.e. end-to-end encrypted) then Facebook can't see it, and if it can't see it, or process it in any way, then the GDPR does not apply. And if Facebook does access the message and store it on their servers in plaintext form then that's their (bad) choice, and they should be held responsible for it.
The message is sent to the EU bureaucrats so they can scan it for X, where X is initially child porno but will surely expand. Your friend just sees a gray box with the text “Displaying this message would violate the GDPR.”

It’s the perfect user experience!