
»Max Schrems: "In the long run we either need proper protections in the US, or we will end up with separate products for the US and the EU. I would personally prefer better protections in the US, but this is up to the US legislator - not to anyone in Europe."«

That's the point: we need real data protection in US law for non-US citizens as well. Currently, US lawmakers treat EU citizens' data as US state property. Obviously, that's unfair.



> I would personally prefer better protections in the US, but this is up to the US legislator - not to anyone in Europe.

I don't agree that Europe can't change anything in that regard. Deeming US-based services illegal and banning US-based companies doing business in Europe because of the way EU-customer data is treated in the US would speed up better regulations in the US tremendously.

It's a fact that big corporations are ready to bend over backwards to the foreign governments, even when they require "immoral" [1] things, so they would have no problem complying with actual sensible requests [2] if they are forced to do it.

[1] Chinese censorship rules, ... [2] Data protection, ...


> banning US-based companies doing business in Europe because of the way EU-customer data is treated in the US would speed up better regulations in the US tremendously

Maybe it would, or maybe it would spur a tariff-war between the EU and US and a great deal of resentment between traditional allies.

> they would have no problem complying with actual sensible requests

Morality and sensibility don't play a role in modern big corps. The real question is: do these requirements impact their bottom line? Chinese censorship rules don't, but EU's data protection rules clearly do. Hence, their willingness to comply will adjust accordingly (i.e.: US corps will fight tooth and nail to prevent that from happening).


> I don't agree that Europe can't change anything in that regard. Deeming US-based services illegal and banning US-based companies doing business in Europe because of the way EU-customer data is treated in the US would speed up better regulations in the US tremendously.

I think it would do way more damage on the EU side than anything. Imagine having to migrate applications overnight because hosting with AWS has been outlawed, even with all the protections in place (e.g. location in EU, encryption etc etc).


Overnight is rather exaggerated.

GDPR (which the above case is about) was approved in 2016, became enforceable in 2018, the major legal case that provided that kind of interpretation landed in 2020, and now a concrete (very high profile) enforcement has actually happened in 2022.


[flagged]


I think that you exfiltrating any and all data that you can access from my computer before you and I have negotiated what is authorized access is not me giving you data "willingly". The mere fact that I connect to your site or service does not give you the right to slurp my data. If you don't collect anything before I get the chance to see and agree to your terms and conditions, or privacy policy, then we can probably work something out. If you start fingerprinting my browser as soon as I connect, then it is not willingly on my part.


>The mere fact that I connect to your site or service does not give you the right to slurp my data.

But it's your computer that gives out all of this data. Your computer is presumably under your control, no? The website cannot demand anything from your computer that your computer doesn't want to send. You're using a piece of software that does the negotiation 'automatically' and permit it to send all of that data. It is possible to do without it. Disabling JavaScript goes a long way towards it.


All you have to do is not visit the website of that evil company.


And how do I know which websites not to visit before I visit them?


Just like how you know which websites to visit. Research. It's not like they are coming to you - you are going to them.


“willingly” is a bit of a stretch


It depends. I understand that ad networks for example take identifying data (such as IP addresses) without consent. But if I sign up to Facebook and I put there my name and my face, it's because I want to. No one has put a gun to my head. And I don't see that it matters whether that data is in a hard disk in the US or the EU. These regulations seem a power move more than anything else.


The proof of a problem isn't "someone put a gun to my head" - it's a meaningful part of our society put behind a rich man's walled garden because only he had enough money to bribe every telecom and buy every competing platform.


Every competing platform? I can think of a few alternatives, starting with this one we are on right now. But some people are still choosing Facebook, and they are choosing it willingly, happy they do not have to pay for it with anything more than some targeted ads...


This is not a competing platform by any stretch of the imagination.


If I send a US citizen a letter, can I expect that it will not be (legally) intercepted and read by anyone else (except under a specific warrant)?

If I send a US citizen a private Facebook message, is it not normal to expect the same?


> But if I sign up to Facebook and I put there my name and my face, it's because I want to

Facebook wouldn't have all its negativity around privacy if they only captured & used data that the user explicitly entered. The problem is that Facebook collects much more data than what you knowingly & willingly give it.


You might have uploaded your name and face willingly to Facebook in order to set up your profile, but without proper safeguards and legislation, the data might be used to train an AI model to use your face to identify your relations with other users using photos, which they also willingly upload, to power features such as people you might know and of course, advertising. The data might also be sold or transferred to third parties like Cambridge Analytica for political advertising or government agencies for "national security" -- all without your explicit consent.

It is true that it does not matter if a piece of data is stored on either side of the Atlantic, but this is not an engineering problem about data locality and latency. As someone who spent months working on a global distributed GDPR-compliance identity store, my life will be much easier if the problem can simply be solved by paying a slightly higher inter-region data transfer fee.

Unfortunately, US and EU here are not referring to cloud regions, but to jurisdictions, because different laws on data protection apply. None of us likes this kind of complexity, but "power move" would be an overly-simplified abstraction of this problem.


>or we will end up with separate products for the US and the EU.

I thought this was the goal the EU was working towards. There was even that policy recommendation for building a firewall similar to the Chinese one. It didn't amount to much, but we seem to be going down a path like that.

Why would the US listen to the EU on this topic though? EU countries are trying to use privacy as a way to limit the reach of these US companies, but we don't have anything comparable to replace them with. Those US news sites that blocked EU visitors? They're still blocked and you can't really blame them - they don't make much money from advertising to European users, so why take the risk and cost of implementing GDPR? I understand it, but parts of the internet are still unavailable to me. And I don't seem to have any more privacy anyway.

Data protection is good, but at this point I find it difficult to believe that this is the actual goal of EU politicians.


Read up on Schrems II. This policy is actually based on a court's decision not on a decision of politicians. Politicians actually tried to save data transfer with the "Privacy Shield".

"The CJEU ruled that the Privacy Shield does not provide adequate protection, and invalidated the agreement. The court also ruled that European data protection authorities must stop transfers of personal data made under the standard contractual clauses by companies, like Facebook, subject to overbroad surveillance. This decision has significant implications for U.S. Companies and for the U.S. Congress because it calls into question the adequacy of privacy protection in the United States."

from https://en.wikipedia.org/wiki/Max_Schrems


That's an unfair assessment.

While I find it hard to believe that European countries are that much more privacy focused... the reason for the divide is that European countries, in or outside of EU, have stricter rules on user data... and much more recourse for users.

Having those rules creates an advantage for any company that doesn't operate by those rules while serving people located in the countries covered by those rules. The goal was never to "limit the reach of US companies", but to prevent an uneven playing field. (The EU was specifically created to keep markets competitive.)

What's worse is that the US government, which is legally barred from snooping on people in the US, says that data of people not physically present on US soil is fair game to do as they wish.


> Currently, US lawmakers treat EU citizens' data as US state property. Obviously, that's unfair.

The unstated assumption being that the data in question belongs to those citizens.

If I write about an orchard, the writing doesn't somehow belong to that orchard. If I photograph a wedding the copyright is still held by me. It's not obvious if we're instead talking about a name or an email address that the subject of your data should magically become the owner.


The reality is that privacy in the US isn't the same as it is in the EU. Making these kinds of deals with the US or China will always fail.

Ultimately there's nothing to stop the US from wiping its ass with any treaty - that's the major advantage of being a superpower. America lives by different values as is their right.

Yes we need to silo the EU from the US.


The US is a large power compared to any individual European country. But for example Microsoft about as much money in the EU than in the US.


Sorry, I think you missed an important word there - how much do they make in the EU compared to US?


The EU was specifically founded because European politicians were acutely aware that divided they would fall against the US/USSR.

We are at a crossroads: remain independent or try to get as good a deal from the US as we can like Hawaii did.


The Americans should use this to pressure the government into fixing their surveillance laws.


I recognize that this is merely my impression of the matter, but I don't think most Americans are that concerned about it. I very much doubt that enough are sufficiently concerned to convince enough politicians to do something about it.


I don't know. It's kind of worrying that you can't host EU data in the US, isn't it?


Not as much if you're in the EU, I guess. But, yeah, it's not the best feeling as an American.



