
> You are absolutely fragmenting the internet.

It's not fragmenting the internet; fragmentation is the whole point of the internet. It's (re-)decentralizing something that has been decentralized the whole time, until these gluttonous whales decided to try to eat the whole pie.



So a computer in France can not legally talk to a computer in the United States, but if I instead put that computer in France, I'm legally okay.

And you're convinced that embodies "the whole point of the internet"?


It isn't about "one computer talking to another", it's about where sensitive information is stored. It has never been legal to store classified US intelligence on computers outside of the control of the US government. That's an extreme example, but the handling of many types of information is prescribed by laws in different jurisdictions. Does that mean that US computers cannot "talk" to other computers? No. Does that make the internet invalid? No.

Decentralization of the cloud is a good thing for so many reasons. I think you're deliberately confusing it with your PII issues and not grasping the larger picture.


I think you're ignoring the harm done to small businesses who cannot afford to implement decentralized services.

You are raising the barrier to entry, limiting competition.

Competition is good for so many reasons. I think you're deliberately ignoring the impact on small companies and not grasping the larger picture.


Those poor small international businesses? If you want to do business internationally, it'll be complicated, and that's fine. The internet has spoiled us by making it so easy for a while.


Seems like it doesn't bother you at all if this hurts competition. Or maybe you don't understand that by hurting competition, consumers are hurt? In our case, with a medical product, it was patients who were hurt.


It just shifts competition into new areas that are compliant with the law. If you can't use aws-us-east from france, then AWS is incentivized to build a (compliant) center in france or else lose that slice of the pie to the locals (or to a potential compliant azure center there).

It's always a tradeoff between racing to the bottom and stagnating. Both are bad, both hurt consumers, and this seems like a good balance between them.


So eventually, we'll all just run a full copy of our stack in each of the 50 United States, plus the few extras for cities that have different laws, and then in each of the other 190 countries around the world?

Does that seem like a good balance of needs to you?


If that's what it takes to allow locals to govern themselves independently, sure.

The technical difficulties seem so entirely solvable, in time (and with that competition you mentioned). Right now it's easy to deploy servers across tons of instances. In the future, if we need to, we can build analogous solutions to the problems you're talking about.

And where we can't build our way to easy solutions, that's fine. Those cases are probably the ones where there are legitimate local differences in what's acceptable, and I want locals to be able to decide that for themselves. It's an absurd goal to try to make it easy for six engineers alone to scale to the entire planet.


> It's an absurd goal to try to make it easy for six engineers alone to scale to the entire planet.

That's an interesting assertion. As counter-example to that assertion, [gestures at huge amounts of the internet as we know it, which was started by small teams.]

And I'm not talking about scaling to 7 billion users. I'm talking about scaling to all of _my_ users, even though they live in dozens or hundreds of countries.


Your demand of having users does not supersede my right to have laws enforced in my jurisdiction. That's the point of sovereignty.

If that means I don't get your business and I'm worse off for it, I'm happy to have my laws changed. Or maybe someone else will come up with the same service who does follow the local law.

You're basically discovering something that physical stores have had to deal with forever. Gary's International Store of Chainsaws and Weed knows that it can't sell chainsaws in jurisdictions where chainsaws are illegal to sell from stores. The people of that jurisdiction made the decision that chainsaws should not be sold from stores; Gary doesn't get to ignore that. Instead he has to incorporate the fact that not all stores get the same inventory in his logistics.

If that means Gary refuses to open his stores in such jurisdictions at all, that's fine. The people of the jurisdiction can decide whether they're happy with the outcome and change their laws if they're not.


Gary has every right to object if Indiana says he can only sell chainsaws made in Indiana, as that would be an absurd law.

Forcing me to run servers in France is absurd.

If anything, it increases the attack surface and makes it more likely that private data is exposed.


> Gary has every right to object if Indiana says he can only sell chainsaws made in Indiana, as that would be an absurd law.

He has the right to object in any case. That's free speech. But despite all his objections, he either does his business respecting the law or doesn't do business at all.

It's funny that you think that such a law would be absurd, when laws that require a store to sell locally-produced goods over imported ones also already exist in the real world.

> Forcing me to run servers in France is absurd.

You're welcome to think that. Don't run servers in France then.


> [gestures at huge amounts of the internet as we know it, which was started by small teams.]

Hence my original comment: The internet has spoiled us by making it so easy for a while.


You're absolutely right. Unfortunately, the little guy is more easily accommodated for with leniency during onboarding regulation-wise, and the bigger actors can never be brought to heel if something doesn't go down on paper.


And I think your team did not think through before implementing your product. The GDPR and its consequences have been discussed for a very long time. And the product even managed to get locked into Azure.


> a very long time

What's a very long time to you might not be a very long time to me. GDPR wasn't a draft when the product I'm talking about first launched.

The Azure offering did not exist when my small team needed it.


You are building up a whole strawman here. This is all about sending personal data to a machine in the US, owned by a company, which falls under US law. You don't have to send that personal data to the US, do you? Why would you do such a thing in the first place? Surely informed people would not simply consent to such a practice. And I mean informed. Not just clicking "OK OK next OK" without knowing what actually goes on, just to be able to see the actual content of a website.


It's not a strawman, it was the company I worked for.

We helped manufacture medical devices. We sold a device that took medical images, and then sent the images to a server. The server would do tons of processing on the images, and help manufacture a medical device custom to the patient.

We ran our servers in the United States.

We could not sell our product in France, until we stood up servers in France to store and process the data.

Why would we do such a thing? To provide excellent healthcare to people. Even ungrateful French people. Our product was lower cost and higher quality than our competitors, with better patient outcomes.

What monsters we were for running our servers in the U.S., right?


Why are you so shocked that people want to assert control over their medical data? This is the crux of the problem. You're being absolutely incredulous that someone has a say in data that is about them.

Other people exist and have rights. It's about time that people assert their rights over data that is absolutely consequential to their lives, instead of being tiny pawns of companies who treat them like a high school science experiment with live ants.


You either trust my company with your data, or you don't.

The idea that storing your data, encrypted at rest, on spinning rust platters inside your country somehow makes it safer than storing that same data, encrypted at rest, on spinning rust platters inside my country, is bizarre to me.

But that's fine. I think giving you the choice makes tons of sense. I'm not saying France should have a law forcing all data to be kept in the US. I'm saying it's bonkers that I cannot offer a product in France that happens to store data and process data on a server in the US. Even with a waiver. French citizens do not have the right to let their health care information be stored on a server in a different country. (As I understood the laws, at least - perhaps our legal representatives were misinformed.)

If you want control over your medical data, then I'm sorry, none of the existing tooling does what you should actually want it to. It should be stored on systems you designate. Not on some lowest-bidder French server that has unknown security practices.

It's amazing to me that you're lecturing me about other people's rights, when you're literally denying French people the right to buy my product, unless I meet some ultimatums. I'm not denying them, you are.

And you talk about consequential to their lives? My product lowered costs and had better patient outcomes, and we couldn't sell it. Maybe try a different argument.


It is kind of a strange idea in the first place, to store medical data outside the country, in a country like the US. I don't know if any country with good data protection laws would allow such a thing. I find the idea, that this could be OK for patients to be weird. I surely wouldn't want my medical data put onto US servers, likely without even knowing, because the hospital staff does not know themselves and not telling me either. Maybe even worse being put to the choice of having some equipment used on me, which automatically shares that data to the US.

At some point in your project there seems to have been a time, when such basic questions of consent were overlooked and later you paid the price. Your intentions may have been nothing but good, but I for one am glad, that such practice was not allowed to happen.


You're in country X, and the top radiologist in the world dealing specifically with your disease process, is in country Y.

Walk me through exactly what you would like to happen.

If you think the best outcome is that only radiologists who live in country X can look at your medical images, then please really think about what that means for under-developed countries.

Please also think about the fact that people have medical imaging exams 24 hours a day, and think about where radiologists live and sleep.

The next time you get a CT scan and have to wait 4 days for the results, you'll know that your hospital system doesn't have teleradiology.

We absolutely understand patient consent, and then France started establishing laws that denied patients the right to consent to having their data transferred to the US. (As I understood our legal representatives, at least.)

(For the record, in case it's confusing to anyone following along, I worked on half a dozen different medical products in my career, in different companies, in different parts of the body, in different modalities, etc.)


I think that is the crux of the whole thing. You cannot assume, that any randomly selected patient can actually make an informed decision about consenting, when being asked, because people in general are not so informed about these data decisions. Getting informed properly can already take 4 days or more. So what you win on one end you lose on the other end when asking for actual consent.

My guess is, that they want to avoid the situation entirely, in which a doctor (or other people in the hospital or other institution) has to ask the patient for their consent for such a thing. It would come down to things like framing, for example: "The best people for x are in country y.", which might be true or just opinion of that doctor. There are issues with this:

(1) Usually the doctor is not informed about these data protection issues themselves. Usually the doctor did not also graduate in some mathematical / statistical / data science subject or following along the various data protection scandals. Most of the doctors probably have other things to do. Just like the rest of the population is mostly not well informed.

(2) We probably don't want a situation, in which the doctor dangles a carrot (the best people are in country x) in front of the patient, luring them into consenting.

(3) Doctors want to get their work done. They don't want to have to ask every patient for consent for things outside of their own expertise. Even if you transfer the paperwork to someone else, who will want that additional workload? Also the people going to a hospital might not want to have to deal with that stuff.

(4) What is the legal side of this? For example say you send data to the best experts in another country and you get a misdiagnosis and operate based on that. How does this work?

I think it is possible to keep data generally in France for example and only have the experts look at the data via conferencing tools. Then the experts can be made aware, that obviously they may not share any of that data with anyone and that they can only look at it, while it resides in France. For that we need a secure conferencing system, which is not run by big corp living off selling data directly or indirectly. We need capable tech people in the right place to set things up. We might also need Computer literacy on higher levels for the experts.


You were transferring dicom files out of country? Madness. That's identifiable medical data.

Tell me you were at least running anonymisation software in hospitals before you transferred?


Nope. This is a common practice in some huge businesses. Teleradiology.

We don't do it for fun. This is a part of patient care.

Radiologists awake in Australia can read images from the United States. It saves lives.

The radiologists are licensed and certified in the hospitals and states.

And by the way, if I get a CT scan of your head, I can trivially reconstruct your face. Might even recognize you with it.

If you want to freak out, medical records are sent by fax machine ALL THE TIME.


Thanks for the insight about this. It does not make me personally feel better about this situation, but it adds some to the general picture.


Under which law, please provide them specifically, were this not possible to do in France with data being processed in the US?

I am truly interested in this since I am in EU and use Azure for similar processing.


I wish I had it for you. I'm a developer, and I don't work for that company any more. Our legal representation came in and explained it to our upper management, who assigned projects to us. I don't know the regulation.


This sort of regulation is not new when it comes to health data. I'm actually surprised storing medical data outside the country was legal in France at any point, I don't think it would have been in my country.

So blaming the GDPR and new rules, seems a bit weird in this case.

Now, consumer protection regulation is always a balancing act. And most consumer protection laws will hurt some companies that didn't actually do anything bad. That doesn't mean I don't want any regulations. Particularly when it comes to healthcare.


Sorry, I'm talking in general, not specifically about GDPR and new rules. The whole trend stifles innovation because it's literally a barrier to entry.

And my real concern was people who want that cake, and also want to pretend they're not "fragmenting" the Internet. I wish people would call it what it is.



