On the contrary, it only forces those providers to have a European presence.
We're not fragmenting the internet by looking after our own interests. This wouldn't be an issue if Americans viewed rights (and in this case privacy rights) as belonging to human being as opposed to Americans citizens. The US's policy is what led to this:
> Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information
We had PII on Azure. We wanted to do business in France. We had to fork our services, and run a full stack on a crappy provider in France. They charged a lot more, would take weeks of vacation with zero support for us. It was a freaking nightmare.
EDIT: I love the responses I'm getting. People are in absolute denial that this does in fact fragment the internet. You may believe that's a good thing, and that's a rational discussion we can have. But don't lie to yourself, or to me, that this doesn't fragment the internet.
There is so much I want to say about this comment! First of all, it sounds like you had a terrible experience because you picked a bad ISP. I sympathize. But then you generalize from that and imply that anyone wanting an EU host will experience the same. Obviously that's not true - or do you believe no good ISPs exist in France? Second of all, why did you fork your code? Did you write your service to use proprietary Azure APIs without regard to vendor lock-in? Why not take this as an opportunity to incrementally extract the proprietary apis out of your application and replace them with processes you actually own? This will allow you to undo the fork and continue on, able to deploy your application anywhere you want.
We did our research, and settled on the French cloud provider that fit our parameters. They made promises about support hours that they did not keep. Changing cloud service providers is not cheap. We were a small team, and this cost us lots of effort.
We didn't fork our code, we forked our services. We ran everything on Azure. Then we had to configure our kiosk devices to either talk to Azure, or to talk to our servers in France.
"Did you write your service to use proprietary Azure APIs without regard to vendor lock-in? Why not take this as an opportunity"
I'm sorry, do you have any idea of the cost of doing these things?
If you have 6 developers, total, how many of them are you willing to allocate to rewriting your stack, so that you can sell your product in Europe?
>I'm sorry, do you have any idea of the cost of doing these things?
Oh indeed yes, which is why for years now I've been warning people to not write to proprietary APIs in the first place. It's a faustian bargain and sooner or later the bill is going to come due! If not because of legal requirements, then because MS or Amazon saturates the market, and has to increase revenue somehow. This is an example of where an ounce of prevention is worth a pound of cure. The upshot is that ignoring the warnings of people like me was a mistake.
(It's funny how people have moaned for years about "vendor lock-in" WRT Oracle. "They charge for every core!" But the cloud providers charge for every invocation, which is infinitely worse. And yet no-one seems to worry about it. It's really odd.)
So yeah, using HTTP to connect to a server that happened to be in the US...
That's the thing that prevented us from selling in France.
But thanks for lecturing me that "vendor lock in" was what killed our 6-developer team that was developing hardware, and computer vision, and 3D computer graphics, while developing a health care product under the tons of regulation that comes with that.
Hey, I feel your pain. Companies are like children to a founder, and you have described the heroic acts you've taken to save your child. It absolutely sucks to be in your position.
I think it's important to warn "parents" (or future parents) to avoid this particular tragedy, which I think is quite avoidable. I want to encourage people to question the orthodoxy around cloud, that everyone is doing it so its fine, and worse is better anyway, yada yada. It may be insensitive to use your situation to illustrate the downside of cloud vendor lock-in, but my motivation is not to look down on you, but to warn others about this very real, very painful outcome that they court when they make the popular choice.
I wasn't a founder. I was one of the 6 developers.
We happened to not use any vendor-specific APIs.
And it still killed us to fork our stack, and to teach our kiosks to be able to talk to the right server, and the extra cost of the servers in France, and the lack of support we saw from the provider in France...
Many noble efforts fail this way. You are not alone. This is one of those lessons you learn in regards to keeping your audience narrow, and executing on one thing at a time.
It's embittering, hardens the heart, and makes you want to give up, but you've gotta redouble and bust through it.
And by all means, shame the provider if they didn't live up to their end of the bargain.
Sorry if I don’t follow your reasoning, I’m still stuck at this piece of USA policy you seemed to have glossed over:
> Sec. 14. Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.
"Agencies" refers to parts of the US govt; that is a US govt regulation for its own agencies with respect to its own citizens and the regulation of immigration. It has nothing to do with e-commerce, cloud storage, start-ups, web services, etc.
Just as France accords its own citoyens rights that foreigners aren't entitled to.
your frustration is justified. azure/aws is the entire environment. i dont think you could have implemented the suggested magical suggestion in any relevant or practical way.
Thank you for this response. Calling it a magical suggestion really does feel accurate. I was sitting here trying to think how you would even do this when everything is running on AWS (or Azure).
A better wording would be “don’t make calls into jurisdictions that violate our legal statutes”.
Ok, let me make a simple “marvel comics” example: what if all your calls were funneled through “Putin servers” or “Iran cloud” or “ People's Liberation Army computers”? Would you mind?
I hear you arguing “but we’re the good guys! We’re USA, flag bearers of Democracy!” but no. Really according to EU law, under USA jurisdiction Pricacy Rights are fair game for people like Zuck. The guy that said “ I have over 4,000 emails, pictures, addresses, SNS. People just submitted it. I don't know why. They "trust me". Dumb fucks.”
Now, granted: our politicians likely want to stay on top of the consensus forming media, and make sure it’s within reach of their network. Annoying to see all the action moving to a different platform after all the years spent building relationships with the old media, but that’s the business.
I am so delighted I am able to access blog posts from people in Russia or Iran or China. Otherwise, it would be far easier for human rights abuses to exist. (This is somewhat tongue in cheek. My point is that information wants to be free, and we're all better off if there's LESS friction.)
When I found out Parler was being hosted on Russian servers, I immediately informed everyone I knew who was thinking about switching to Parler that it was a really bad idea. And it's their choice whether to use Parler or not.
I think it's great if companies can't hide that they're doing something like routing data through Russia. I think it's pretty stupid to not let someone use a product that routes data through Russia.
I also think that if Facebook stands up servers in France, it'll still be just as problematic as it is today.
This sounds really americentric. Have you considered that the every non-US citizen'd PII is fair game for US companies one in the county? As a European I wouldn't want my stuff to be routed through the US the same way you don't want your data going through Russia.
Yeah, it sucks that the US doesn't respect non-citizen data. But TBH I really don't think it respects citizen data either. Consider that Snowden discovered all kinds of ways the CIA and NSA were hoovering up data, in defiance of the law. But did the American people get pissed and force a change in those agencies, and call the leadership to account for disregarding the law because it was convenient? No: they successfully demonized the whistleblower who is still on the run. (Although I will say that excessive snoopiness is a lesser evil than censorship).
In the end, though, there is a high-tech solution here, and that's to migrate to 100% asymmetrically encrypted messaging, at the application level, regardless of underlying transport. This would force nation states to risk large scale hacking of devices, but that's more visible and easier to combat, as long as we remain free to make (and buy) the compute hardware we want to make.
The U.S. doesn't even respect Citizen@s data half the time. Remember, the Courts ruled that expectation of privacy, and therefore 4th Amendment protections are waived as soon as you engage with a Third Party.
His whole comment was about how he want to let traffic route through Russia even though he doesn't like it... but it's really Americentric? Could you explain that point please?
Do cloud service providers like Azure not have a way to "pin" some of your service instances to servers in specific countries? Seems like this capability would be important differentiating feature given EU privacy laws about where user data is hosted.
AWS most certainly isn't for as far as the data protection is concerned. An EU entity runs the EU regions of AWS cloud, you enter a contract with that entity and _not_ with the parent and the data is under the EU law.
The core issue here are the CLOUD ACT and FISA Section 702.
Basically the US government says it gets free access to all data stored by any US company or its international subsidies anywhere and that non-us-citizens have absolutely no right to any data privacy at all.
However european citizens do have such a right, and as such, companies can not process personal information using american subprocessors, because those can not guarantee to respect the citizens rights.
For a long time this was all about some contractual clauses between processor and sub-processor: the american subprocessor guarantees by contract to respect the data subjects fundamental right to data privacy.
And then the USA made the CLOUDA and FISA and all those contracts are no longer worth the bits they are encoded in. American companies are by law required to not respect the right to data privacy and can not guarantee to respect it in good faith, as they are themselves subjects of a surveillance state.
Now look at how AWS reacted to this problem: they added new clauses to the contract with their european customers, in which they promise to challenge law enforcement requests, especially those that are overbroad.
When EU goes after FAANG like this, it pushes them to position themselves against mass surveillance and in favor of a global basic human right to data privacy. In my honest opinion this fight is very necessary and i can only hope that humanity wins against surveillance capitalism in the end.
The small startup I worked for in Hamburg had a similar problem. They had to run all their infra on premise due to some wording of some of their largest clients and some odd rulings from BaFin.
The colo/managed provider they chose and had been working with for years was nigh incompetent. I was positive that being able to spin up infra in any of the clouds would have been a ton more reliable.
This completely misses the point, the laws shouldn't be written to accommodate businesses, its the other way around. If fragmenting is a consequence of better privacy laws, so be it.
Laws should be written to facilitate and improve the growth of civilization. This includes practical and fair measures for conducting business.
Imposing byzantine regulations on every webmaster on the planet isn't helping anyone, least of all the European user, who will increasingly be locked out from the rest of the planet.
Depends on your perspective. It might be that American/Chinese predatory service providers are instead locked out of the European market, allowing the breathing space for local solutions to flourish.
If your local providers need the rest of the world to be kneecapped in order to compete, you may want to start with that problem.
The EU consumer will end up with strictly worse solutions and all the rest of the world will “gain” will be the crappy trade-barrier-supported Euro versions of Google and Facebook.
This is a short term view. There's a certain amount of 'activation energy' that a system needs to be able to kick off and become self sustaining. If a giant generalized, subsidized solution already exists PHBs are much happier to spend years trying to knock a round peg into a square hole than take the risk of doing something bespoke for the problem at hand.
Creating an artificially easy sandbox for your local engineers and entrepreneurs by banning the competition will not lead anywhere good. Competing with the best forces you to improve; playing on easy mode leads to stunted skills and inflated confidence - and worse products, companies, and economies.
It isn't banning the competition. It's forcing the external competition to follow the same rules as the locals w.r.t. privacy laws. The fact that the external competition can't comply means that there's a market niche available which locals have an opportunity to exploit.
The cookie banners are a byproduct of companies still wanting to abuse your data, when was the last time you saw a cookie pop-up on HN? Logged in or not.
If only there were some way that European citizens could have told their browsers to not accept Cookies, then maybe we all wouldn't have to click on those banners all the damn time.
If a business pays taxes, and the laws don't take their needs into account to some extent, that's not justice. It's just mob protection with a veneer of legitimacy.
Lots of loaded assumptions there, of course, starting with the first conditional clause.
It's not fragmenting the internet; fragmentation is the whole point of the internet. It's (re-)decentralizing something that has been decentralized the whole time, until these gluttonous whales decided try to eat the whole pie.
It isn't about "one computer talking to another", it's about where sensitive information is stored. It has never been legal to store classified US intelligence on computers outside of the control of the US government. That's an extreme example, but the handling of many types of information is prescribed by laws in different jurisdictions. Does that mean that US computers cannot "talk" to another other computers? No. Does that make the internet invalid? No.
Decentralization of the cloud is a good thing for so many reasons. I think you're deliberately confusing it with your PII issues and not grasping the larger picture.
Those poor small international businesses? If you want to do business internationally, it'll be complicated, and that's fine. The internet has spoiled us by making it so easy for a while.
Seems like it doesn't bother you at all if this hurts competition. Or maybe you don't understand that by hurting competition, consumers are hurt? In our case, with a medical product, it was patients who were hurt.
It just shifts competition into new areas that are compliant with the law. If you can't use aws-us-east from france, then AWS is incentivized to build a (compliant) center in france or else lose that slice of the pie to the locals (or to a potential compliant azure center there).
It's always a tradeoff between racing to the bottom and stagnating. Both are bad, both hurt consumers, and this seems like a good balance between them.
So eventually, we'll all just run a full copy of our stack in each of the 50 United States, plus the few extras for cities that have different laws, and then in each of the other 190 countries around the world?
Does that seem like a good balance of needs to you?
If that's what it takes to allow locals to govern themselves independently, sure.
The technical difficulties seem so entirely solvable, in time (and with that competition you mentioned). Right now it's easy to deploy servers across tons of instances. In the future, if we need to, we can build analogous solutions to the problems you're talking about.
And where we can't build our way to easy solutions, that's fine. Those cases are probably the ones where there are legitimate local differences in what's acceptable, and I want locals to be able to decide that for themselves. It's an absurd goal to try to make it easy for six engineers alone to scale to the entire planet.
> It's an absurd goal to try to make it easy for six engineers alone to scale to the entire planet.
That's an interesting assertion. As counter-example to that assertion, [gestures at huge amounts of the internet as we know it, which was started by small teams.]
And I'm not talking about scaling to 7 billion users. I'm talking about scaling to all of _my_ users, even though they live in dozens or hundreds of countries.
Your demand of having users does not supersede my right to have laws enforced in my jurisdiction. That's the point of sovereignty.
If that means I don't get your business and I'm worse off for it, I'm happy to have my laws changed. Or maybe someone else will come up with the same service who does follow the local law.
You're basically discovering something that physical stores have had to deal with forever. Gary's International Store of Chainsaws and Weed knows that it can't sell chainsaws in jurisdictions where chainsaws are illegal to sell from stores. The people of that jurisdiction made the decision that chainsaws should not be sold from stores; Gary doesn't get to ignore that. Instead he has to incorporate the fact that not all stores get the same inventory in his logistics.
If that means Gary refuses to open his stores in such jurisdictions at all, that's fine. The people of the jurisdiction can decide whether they're happy with the outcome and change their laws if they're not.
>Gary has every right to object if Indiana says he can only sell chainsaws made in Indiana, as that would be an absurd law.
He has the right to object in any case. That's free speech. But despite all his objections, he either does his business respecting the law or doesn't do business at all.
It's funny that you think that such a law would be absurd, when laws that require a store to sell locally-produced goods over imported ones also already exist in the real world.
>Forcing me to run servers in France is absurd.
You're welcome to think that. Don't run servers in France then.
You're absolutely right. Unfortunately, the little guy is more easily accommodated for with lenoency during onboarding regulation-wise, and the bigger actors can never be brought to heel if something doesn't go down on paper.
And I think your team did not think through before implementing your product. The GDPR and its consequences have been discussed for a very long time. And the product even managed to get locked into Azure.
You are building up a whole strawman here. This is all about sending personal data to a machine in the US, owned by a company, which falls under US law. You don't have to send that personal data to the US, do you? Why would you do such a thing in the first place? Surely informed people would not simply consent to such a practice. And I mean informed. Not just clicking "OK OK next OK" without knowing what actually goes on, just to be able to see the actual content of a website.
It's not a strawman, it was the company I worked for.
We helped manufacture medical devices. We sold a device that took medical images, and then sent the images to a server. The server would do tons of processing on the images, and help manufacture a medical device custom to the patient.
We ran our servers in the United States.
We could not sell our product in France, until we stood up servers in France to store and process the data.
Why would we do such a thing? To provide excellent healthcare to people. Even ungrateful French people. Our product was lower cost and higher quality than our competitors, with better patient outcomes.
What monsters we were for running our servers in the U.S., right?
Why are you so shocked that people want to assert control over their medical data? This is the crux of the problem. You're being absolutely incredulous that someone have a say in data that is about them.
Other people exist and have rights. It's about time that people assert their rights over data that is absolutely consequential to their lives, instead of being tiny pawns of companies who treat them like a highschool science experiment with live ants.
You either trust my company with your data, or you don't.
The idea that storing your data, encrypted at rest, on spinning rust platters inside your country somehow makes it safer than storing that same data, encrypted at rest, on spinning rust platters inside my country, is bizarre to me.
But that's fine. I think giving you the choice makes tons of sense. I'm not saying France should have a law forcing all data to be kept in the US. I'm saying it's bonkers that I cannot offer a product in France that happens to store data and process data on a server in the US. Even with a waiver. French citizens do not have the right to let their health care information be stored on a server in a different country. (As I understood the laws, at least - perhaps our legal representatives were misinformed.)
If you want control over your medical data, then I'm sorry, none of the existing tooling does what you should actually want it to. It should be stored on systems you designate. Not on some lowest-bidder French server that has unknown security practices.
It's amazing to me that you're lecturing me about other people's rights, when you're literally denying French people the right to buy my product, unless I meet some ultimatums. I'm not denying them, you are.
And you talk about consequential to their lives? My product lowered costs and had better patient outcomes, and we couldn't sell it. Maybe try a different argument.
It is kind of a strange idea in the first place, to store medical data outside the country, in a country like the US. I don't know if any country with good data protection laws would allow such a thing. I find the idea, that this could be OK for patients to be weird. I surely wouldn't want my medical data put onto US servers, likely without even knowing, because the hospital stuff does not know themselves and not telling me either. Maybe even worse being put to the choice of having some equipment used on me, which automatically shares that data to the US.
At some point in your project there seems to have been a time, when such basic questions of consent were overlooked and later you paid the price. Your intentions may have been nothing but good, but I for one am glad, that such practice was not allowed to happen.
You're in country X, and the top radiologist in the world dealing specifically with your disease process, is in country Y.
Walk me through exactly what you would like to happen.
If you think the best outcome is that only radiologists who live in country X can look at your medical images, then please really think about what that means for under-developed countries.
Please also think about the fact that people have medical imaging exams 24 hours a day, and think about where radiologists live and sleep.
The next time you get a CT scan and have to wait 4 days for the results, you'll know that your hospital system doesn't have teleradiology.
We absolutely understand patient consent, and then France started establishing laws that denied patients the right to consent to having their data transferred to the US. (As I understood our legal representatives, at least.)
(For the record, in case it's confusing to anyone following along, I worked on half a dozen different medical products in my career, in different companies, in different parts of the body, in different modalities, etc.)
I think that is the crux of the whole thing. You cannot assume, that any randomly selected patient can actually make an informed decision about consenting, when being asked, because people in general are not so informed about these data decisions. Getting informed properly can already take 4 days or more. So what you win on one end you lose on the other end when asking for actual consent.
My guess is, that they want to avoid the situation entirely, in which a doctor (or other people in the hospital or other institution) has to ask the patient for their consent for such a thing. It would come down to things like framing, for example: "The best people for x are in country y.", which might be true or just opinion of that doctor. There are issues with this:
(1) Usually the doctor is not informed about these data protection issues themselves. Usually the doctor did not also graduate in some mathematical / statistical / data science subject or following along the various data protection scandals. Most of the doctors probably have other things to do. Just like the rest of the population is mostly not well informed.
(2) We probably don't want a situation, in which the doctor dangles a carrot (the best people are in country x) in front of the patient, luring them into consenting.
(3) Doctors want to get their work done. They don't want to have to ask every patient for consent for things outside of their own expertise. Even if you transfer the paperwork to someone else, who will want that additional workload? Also the people going to a hospital might not want to have to deal with that stuff.
(4) What is the legal side of this? For example say you send data to the best experts in another country and you get a misdiagnosis and operate based on that. How does this work?
I think it is possible to keep data generally in France for example and only have the experts look at the data via conferencing tools. Then the experts can be made aware, that obviously they may not share any of that data with anyone and that they can only look at it, while it resides in France. For that we need a secure conferencing system, which is not run by big corp living off selling data directly or indirectly. We need capable tech people in the right place to set things up. We might also need Computer literacy on higher levels for the experts.
I wish I had it for you. I'm a developer, and I don't work for that company any more. Our legal representation came in and explained it to our upper management, who assigned projects to us. I don't know the regulation.
This sort of regulation is not new when it comes to health data.
I'm actually surprised storing medical data outside the country was
legal in France at any point, I don't think it would have been in my country.
So blaming the GDPR and new rules, seems a bit weird in this case.
Now, consumer protection regulation is always a balancing act. And most consumer protection laws will hurt some companies that didn't actually do anything bad. That doesn't mean I don't want any regulations. Particularly when it comes to healthcare.
Sorry, I'm talking in general, not specifically about GDPR and new rules. The whole trend stifles innovation because it's literally a barrier to entry.
And my real concern was people who want that cake, and also want to pretend they're not "fragmenting" the Internet. I wish people would call it what it is.
The internet was designed to be resilient in the face of nuclear war. If it can't handle governments that actually protect their citizens from predation by multinational corporations, then we should rethink some things about the direction that we've taken with it.
I don't think that's what's happening here. This is about a French company being disallowed by France from selling French citizens' data to a US Company.
Maybe this decision makes France toxic/favorable to certain kinds of business--much like how many privacy companies operate in Switzerland because the Swiss government is less likely to snoop than certain others, or how advertising companies operate in the US because they'll let you do whatever you want to their citizens. So yeah, fragments.
But you as a user are free to opt-into any fragment of the internet that will have you. If your government wants to stop you from doing so you should either take it up with your government or circumvent those limitations.
I don't particularly like the kind of fragment that France is creating here, the notion that data has a physical location in space strikes me as a rather shaky one, and I think policies following therefrom are likely to create convoluted architecture that exfiltrates the benefits of access without exfiltrating database instances (I've written enough code that tap-dances around the GPDR to know). Since I'm not trying to start an ad supported business in France, though, I'm happy to respect their right to come up with whatever weird policies they want.
Would it be impossible? No. But would it be, say, 5x the amount of effort to build and maintain a federated system with no data stored across boundaries? Probably.
Looks to me like the regulations did exactly what they were designed to do, and Azure implemented support for the EU market. The goal of these regulations is not to make things harder for companies trying to publish products in different regions, the goal is to get the big platforms (AWS, Azure, GCP) to implement systems that are in line with EU privacy requirements.
I'm sorry your business was impacted during the period where the regulations came into effect and the big platforms did not have compliant services ready. It would have been better if the negative externalities of these regulations would be entirely carried by the big platforms who are responsible for consumer privacy in the first place.
However all the GDPR requirements entered into force just in may 2018?
But in any case, the point is that the issue is solved without changing the laws or people having to switch cloud providers, as simply the global cloud providers have started offering compliant services.
Its very interesting if limiting how companies are allowed to track, store and sell private information would be the central issue for which the internet will fragment around. It almost like tracking, storing and selling is the center of the modern Internet, rather than protocols like tcp, upd, https and so on.
In the past people said that the Internet was made for porn. Today the Internet is seemingly made for advertisement and surveillance. It not strange that so many people who worked in this industry for decades are feeling a bit lost in this new horrifying industry, which if the Internet really is made only to do advertisement and surveillance, I honestly think humanity is better off without it.
You should support companies with the best behavior.
I worked at a company that enabled a radiologist in over country to do a preliminary read of a CT scan performed in another country.
Cutting the amount of time for a CT scan, and even connecting a CT scan with a radiologist who specialized in that particular kind of scan, we saved lives.
And yes, there's also furry porn.
It's a tool.
I feel like I'm trying to convince you that BOOKS are good, despite the existence of hentai.
Could that company exist if it wasn't allow to use advertisement or sell private information? In the past I would say yes without question since there is nothing inherently in connecting a CT scan with a radiologist specialist that require Google Analytics. Nothing at all.
The solution to this is to get your government to get its shit together on privacy. This is just a defensive act by the Europeans and to blame it on them is victim blaming.
So why didn't you use Azure resources in Europe instead of "some crappy provider"? Sounds like you made a rod for your own back. If our clients are happy with Azure (in the right region) then I can't imagine many in the EU (other than perhaps national security services and their suppliers) reasonably refusing to allow use of it.
We host in Azure for some pretty significant financial organisations, mostly UK based but spreading our area. Some companies are requiring us to fully host in Azure DCs in their region, and some of those are Eastern, not UK/EU, based companies. At least one US interest that a friend's employer supplies demands data about its employees be hosted over there rather than over here, presumably so they can be assured it is kept to standards they are locally required to follow. Is it wrong that way around in your book too?
It isn't as easy as having everything in one region of course, but not much harder nor massively more expensive (caveat: most likely, as far as I know, I have the luxury of ignoring the bits that don't interest me and money is often one of those things, but I'm also senior enough that if there was something expensive happening, or something not happening due to expense, I'd catch wind as it would affect things I need to plan around) and it can't be as faffy/costly as using different providers in each territory.
If you are correctly following relevant regulations everywhere this does not fragment things any more than other rules that already existed. Aside from the fact things are being enforced this time, forcing companies handling PII to not quietly do things wrong because it is inconvenient to do things right. As an individual I'm perfectly fine with this.
Right. All I have to do is to stand up two complete copies of my full stack, and support both of them. There's no way that adds extra burden to me. My argument is completely invalid. Thanks for explaining that to me.
The purpose of laws is to protect and govern their local citizens. I would hate to live in a world where a law does not get passed because of an argument like "but imagine how much work developers will have to do to follow the law!"
Agreed. But the internet is already fragmented. Each countries have their own laws and other countries no reason to follow them. All kind of content is accessible only in certain countries. It's also true for physical goods. I'm not sure why it's a problem.
I think fragmentation and looking after one's interests aren't even opposites. Analytics in particular seem like a very lopsided value prop: the american entity (Google) stands to gain from collecting analytics but doesn't really provide a perceivable equivalent value through the analytics service to the affected parties (EU consumers) in return, as you'd normally expect in a fair trade policy between two countries.
Looking at it from this angle, it seems perfectly reasonable for the EU to dislike the specifics of the analytics use case while still being ok with something like Google Docs.
But that's not what CNIL is basing their decision on: "The CNIL concludes that transfers to the United States are currently not sufficiently regulated...Indeed, although Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for US intelligence services."
I probably don't understand the legal issues fully, but it seems the worry is that US intelligence services may be tapping the lines and databases of Google, may have agents working at Google as badged employees, or may be able to subpoena Google (or any US service provider). [for the record, I wouldn't doubt if all the above are true]
I don't see how Google Docs is less susceptible to Google tracking user activity (and by extension US intelligence).
> "CNIL recommends that these tools should only be used to produce anonymous statistical data"
So the tools are not anonymous because the request headers of the client are being logged and used to identify a session, along with what resources on the site were accessed in that session.
Any site operator has this data on their visitors.
CNIL doesn't want sites hosted in France to be making client-side calls to services provided by Google (whether analytics, fonts, etc) or theoretically any US-based service provider because the client request will be logged by that resource host and open to access by US law enforcement? Do I understand that correctly? What's the solution? A site builder can't let web clients make direct calls to any resources in the US? That seems... sweeping, profound, surprising, impactful. Have fun with that.
> because the request headers of the client are being logged and used to identify a session
No need to dig so deep: IP addresses are considered private information under the current EU law, meaning that just opening a client-side connection somewhere leaks that data to that somewhere.
> I don't see how Google Docs is less susceptible to Google tracking user activity (and by extension US intelligence).
There is none. The difference is that the website studied in the ruling was not including resources hosted at Google Docs, and hence no mention of it. If the site embedded or directly linked to a google docs document the same reasoning would have been applied.
> CNIL doesn't want sites hosted in France to be making client-side calls to services provided by Google (whether analytics, fonts, etc) or theoretically any US-based service provider because the client request will be logged by that resource host and open to access by US law enforcement? Do I understand that correctly?
Almost. They don't want any calls prior to explicit user acceptance.
> What's the solution?
For fonts/images required to load the page, use EU-based hosting facilities. If you want to link to a google docs document, a youtube video or something like that, ask the user before following that link.
> That seems... sweeping, profound, surprising, impactful. Have fun with that.
It is, I don't think anyone is denying that. There are several things that may happen here:
1. US tech companies take it as common practice to spin-off EU-based companies that are not subject to US law and store everything in EU soil. When they don't, EU competitors pop up and EU companies use those.
2. The US passes laws that offer EU-level protections to both their own citizens/companies and (at least) EU-based citizens/companies.
3. The EU backtracks on this by adjusting their current laws.
For me it's philosophically reminiscent of the Berlin Wall or the Chinese Great Firewall. Personally, my knee-jerk reaction is that it threatens certain freedoms, but I am also a liberal raised with a Western education.
I guess I'm seeing more like a huge swath of farmland growing a monoculture for export, versus the same land being used as a patchwork of different crops based on the various farmers' tastes and relationships with their neighbors. The latter is more likely to change gradually as the climate and the needs of the people around it change, while the former is prone to changing all at once, perhaps unexpectedly.
People's ideas about how their technology should serve them will change over time. I don't want to have to overthrow the old internet before we can try something new, I want it to grow with us--the parts that aren't serving us die off, the parts that address new challenges flourish. If its all one thing, subject to one set of rules, that doesn't happen.
>I am also a liberal raised with a Western education.
Lucky you.
We need more Western education, not less, which is why fragmentation is a bad thing. My country of birth - in Africa - is aligned with the formerly communist nations; if they had to opt-in to a fragment, it wouldn't have been to the Western one. I might have never been able to emigrate.
Fragmentation seems like a leap backwards in time and a slap in the face of the promise inherent in the free flow of information.
> We're not fragmenting the internet by looking after our own interests.
Of course you are. This is the only possible outcome of any attempt to impose national rules on an international network. Instead of one global network, we'll end up with several local ones.
The internet is among the most incredible achievements of humanity. I'm glad I got to experience it before they destroy it. By now it's only a matter of time.
At the end of the day we should be doing what is good for the People and somehow its always assumed that they will/should be the ones impacted when policies like these are enacted.
But Europe has leverage here - I don't think Amazon would want to miss out on a giant market base out of some moral principle and there are probably other levers to be pulled here to encourage that.
Anyway, not adding much to your comment other than kudos.
Nothing, this is now a solved problem. The EU didn't want the entire internet being hosted from the US. They designed policies to force hosting within EU countries. It happened.
The only people still moaning are Americans and hold-outs like Google refusing to move data.
> On the contrary, it only forces those providers to have a European presence.
If the EU has this much power to regulate operations that happen in America, then imagine how much worse it's going to be if you relocate your operations to the EU? In that case you actually become one of their subjects, rather than simply recording information about their subjects.
If by those providers you mean Google, AWS etc. then that might not solve much. As subsidiaries of American corporations they would be obligated to hand over data to the parent corp, especially if the US DOJ required it.
I think the only solution would be for them to not collect and store data from GDPR jurisdictions that would violate the GDPR if they were forced to hand it over to the parent American corp.
No, the subsidiary would be governed by European law, and would be prohibited from handing data over to either the US parent company or the US DOJ if that violated GDPR.
The US parent company could not compel the subsidiary to violate the law of the region it was located in.
Yes, I suppose you're right, at least so long as they actually host their data in the EU.
But what happens when senior data scientists at Google want to do some analysis? Each dataset for each global region can't remain fractured from each other. The subsidiary may not have to hand it over to the US government but does the GDPR prevent data from leaving the EU zone? If not, then local copies in the US would be exposed.
I think there would be a lot of loopholes that needed to be closed. "Will be" a lot might be the better choice if words if France's decision becomes guiding legal doctrine in the region.
I don't think Google would willing give up that data either so they could be forced to change their practices to at least get that which allowable under EU law. And I don't want to get too slippery slope in this, but that could mean privacy-minded services begin using servers in the EU as an added layer of user privacy.
You're making the mistake of assuming that "something can't happen" if it is inconvenient for the business. The convenience of the business is irrelevant - it must operate within the law.
And yes, GDPR prevents data from leaving the EU zone if there is then a possibility that GDPR could be violated. That's the crux of the recent court cases in Austria and France. You may not collect GDPR protected data if as a consequence of that collection there is a reasonable prospect GDPR will eventually be violated by ANYONE.
For your example case, all initial data processing would have to physically occur within Europe, performed by a subsidiary not subject to US law, and only after they had reduced it to aggregate data that could not be reverse engineered to get GDPR protected data would they be permitted to export it to America.
It's at 15% and forecast to go down to 12% by 2030. Also they're raising hell for corporations in the form of regulations and taxes. Why would any entrepreneur even bother?
We're not fragmenting the internet by looking after our own interests. This wouldn't be an issue if Americans viewed rights (and in this case privacy rights) as belonging to human being as opposed to Americans citizens. The US's policy is what led to this:
> Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information
https://en.wikipedia.org/wiki/EU%E2%80%93US_Privacy_Shield