European citizen here, and as much as I welcome a step like this, it's also pretty interesting to see what this means for smaller (online) businesses outside of Europe.
Sure, you want to host customer data from Europe in Europe (latency-wise) anyways, but now that this will be more or less required it will be interesting to see how people will solve this. The good thing is, with "the cloud" you have a lot of options (locations) to choose from.
It's interesting to see the regional differences in this discussion, because that attitude is pretty foreign to the way I think about the Internet.
I know that if I use Yandex, at least some of my data is going to reside in Russia. If Dailymotion, France. I consider it up to me as a consumer to decide whether that's what I really want. I don't consider it my local government's job to force those companies to change their business models.
I'm from EU and I don't like it. EU should offer standards of data protection that foreign companies could choose to adhere to, then those companies could advertise to EU citizens that they comply with said EU standards. Same penalties that exist or are proposed now could exist under that model. Maybe even incentivize adoption with modest taxes if you feel really statist. Then EU citizens can choose whether they value these protections or not. Personally, I don't care what Facebook does with data I provided them with freely, but for online purchases I would strongly favor companies who protected my data.
> I know that if I use Yandex, at least some of my data is going to reside in Russia. If Dailymotion, France. I consider it up to me as a consumer to decide whether that's what I really want. I don't consider it my local government's job to force those companies to change their business models.
This is a ridiculous position to take, because it requires a humanly impossible amount of research to know whether the privacy of your data is protected. And that's when the information is even available.
Privacy is a basic human right. When corporations collect your data it becomes the responsibility of those corporations to protect your privacy. Individuals simply do not have the resources to enforce this, which is why we elect people to enforce this. This isn't some crazy responsibility for governments: this is the fundamental reason why governments exist: to protect the interests of their citizens collectively when it's infeasible to protect those interests individually.
> This is a ridiculous position to take, because it requires a humanly impossible amount of research to know whether the privacy of your data is protected. And that's when the information is even available.
How about looking at this from another angle? Why the heck should your browser and Internet connection leak anything that allows to single you out as an individual to any corporation or individual in the world?
The focus should IMO be on providing secure tools to end users for browsing the web.
I come across this response quite frequently and I remain mystified why anyone would think that it's important or even a good idea for the millions of people interested in privacy to try to solve privacy issues from the same angle. Skillsets don't even fit for this: as a developer I am well-suited for working on network technologies that don't leak information about their users, but a lawyer for example is much better suited at changing legislation so corporations are responsible for protecting privacy. We don't need a "focus", we need everyone to use their skills to protect our right to privacy.
This is actually very common. Politicians have to care about getting re-elected, and that often means chasing after campaign contributions more so than it does actually being on the side of the people.
Judges usually have tenure, this makes a huge difference to someone's impartiality.
> European citizen here, and as much as I welcome a step like this, it's also pretty interesting to see what this means for smaller (online) businesses outside of Europe.
I'm not sure if it means anything for them. If a company does not have a business presence in the EU, it likely isn't subject to EU jurisdiction at all. This case happened because Facebook is a multinational company with a European subsidiary in Ireland and was sued before the Irish courts. Companies that may be affected by this are:
* Multinationals that exchange personal data between their US and their EU branches.
* Companies in the EU that are in a business relationship with companies in the US and as part of that business relationship send personal data to the US.
* Companies in the EU that avail themselves of US data centers and store personal data in those data centers.
Non-European companies that get paid for services rendered to EU citizens or countries.
If found to be violating laws, the ECJ can order banks to block payments made to those companies from within the EU, which harms their bottom lines between nothing and a lot.
Under article 4 of the Data Protection Directive, such companies should not be subject to its jurisdiction unless they have an establishment or equipment in an EU member state where they carry out data processing operations.
Actually they were sued before the European courts. Specifically the European Court of Justice, which is in Luxembourg. I don't believe there was any case in the Irish courts.
The EU is not a state and therefore typically you cannot directly sue in its courts.
In most cases (such as this) a national court refers the case to a European level if European directives and interests are involved.
Fun fact: the EU commission/parliament also does not have the power to pass any binding laws. They pass directives which are then implemented into national laws by the legislative bodies of its member states and can also be overthrown by courts of each state individually (e.g. happened in Germany with EU data preservation directives).
Yeah good luck setting up a startup now. If other countries follow Russia's suit, we'll soon end up having to somehow determine where a user is from (what if they're roaming, etc.?) so we can shard the datastore across multiple geographic locations. So obviously this = increased costs & complexity which will slow the speed of iteration :-(
European privacy laws are very consumer-friendly and usually very reasonable. US companies should look at those laws as a guidebook on how to get your customer's privacy right in the US as well.
You build houses - think of it like fire safety rules. "What do you mean I have to keep track of all the fire safety rules for the country I build the houses in? Can't I just keep track of a set of rules of my choosing instead?" -- well, no, for one and even if you could, that'd be a bad idea. Almost universally, there's good reasons behind specific rules in the fire code. (And in the rarer cases the rules really are broken, that's a problem with the law, but not one that can't be fixed).
Unfortunately, most companies don't give a rat about their customers' privacy (we care deeply about it we swear). What really should happen instead is that US customers demand laws like the ones we have in Europe.
But the situation prior to this ruling is basically what you described: that there's a particular set of rules that you have to follow. Now you potentially have to follow everyone's rules for every house you build, but which rules you had to follow depends on who buys it.
The situation prior to this ruling is "There's a particular set of rules which you have to follow... unless you're an american company, in which case, we trust you".
In the end we ended up with a requirement to ensure more and more prominent information. Do you think it's bad that more consumers are aware of the potential privacy impact of their actions?
Basically every website in the world except basic static sites use cookies. So the EU wants every website in the world to have a warning message about the dangers of cookies. That will show up every single time you visit every single website. Unless you accept the cookie that allows the site to see the fact that you saw a warning about cookies. So, websites have to use cookies to display a warning about cookies and if you don't accept the cookie, you get a warning about it on every single subsequent visit.
It screams laws written by politicians for special interest groups none of whom have the first clue about technology or how it works.
You could just have the web browser show an alert when a site wants to set a cookie and the user can click that alert or always allow it. Which is what we used to have in every web browser. Until users got sick of seeing the stupid warning because every single website uses cookies. And they got blind to the warning and paid no attention to it. Which made any other warning a browser shows more likely to just be clicked through.
So browsers removed the warning because we all realized it was stupid and pointless and ineffective and served no purpose any longer. But politicians with no idea how the technology works and no understanding of the fact that we already went through all this decide that everyone should see the dumb, stupid, ineffective warning on every single website and have it show up every single time for the people who understand how to manage their cookies and only show up once for the people who have no idea how to use their cookies. Just brilliant. It serves no purpose and everyone just clicks it away just like any other popup ad.
You're incorrectly thinking the EU cookie law applies to all cookies. It only applies to tracking data, including tracking cookies. Don't use Google Analytics -> No cookie law for you.
Actually, I do. There's a fallacy that displaying information before requesting consent necessarily leads to informed consent. Many users have insufficient background to understand what they're consenting to, particularly since such info-dumps tend to not mention what the consequences of various choices would be. With no context for their decision other than "Accept makes things work," all you're doing is training users to sign away their rights without knowing that they are.
Don't conflate people's privacy and random laws that say they are about privacy.
With prevalent encryption on-the-wire, fibre tapping is less useful. So the way people get their privacy leaked is via hacking or other compromises. Saving to disks in a person's country of origin is probably rather far down on threats to their privacy. (Yeah, I know, if you host it all on disks in the US, then the FBI can come steal those disks. But that's less a risk than a hacking group dumping your DB on pastebin.) And a compromise to the company will compromise the data no matter where the disks are.
If countries were really concerned, they'd mandate strong security for personal info. Not like PCI where technical details are spec'd, but somehow offload it so that companies must make reasonable steps. Then have enforcement to fine companies that misbehave. Perhaps make it something where companies will want to get insurance.
That way, a startup, instead of grabbing everything, they'll ask themselves: "Hey, do we really wanna capture this info?" Just like PCI shot a lot of plans to store card numbers and CVV, a strong law could make companies think twice and plan around handling private info.
Location of storage devices might end up on the list of requirements, somewhere. Like once you store info on more than X people, you're required to address how you handle differing jurisdictions or something.
The two are not incompatible; EU countries are already fining companies that leak private data, and talking about increasing those fines (the EP suggests a max of 5% of global revenue or €100M, whichever is higher).
I'm as much for generating friction as anyone else. But I wouldn't pretend that keeping data in any country in NATO isn't akin to giving it to five eyes.
Basically the EU is creating a PR stunt that in theory could force them to enact some minimum veneer of standards and that PR stunt is going to have higher short term costs for the small private sector players than the large ones.
It is entirely possible the stunt will instead pay off for the other EU governments and against the privacy of their population by getting them invited further into the club.
>But I wouldn't pretend that keeping data in any country in NATO isn't akin to giving it to five eyes.
Collecting data which is routed internationally is a well documented method that NSA et al have used to skirt domestic law and grab/share the data. If you already live in country "C", and by statute your data must never leave country "C", then your data are more protected than if it had been sent outside the legal jurisdiction of country "C"'s courts.
I'm saying that no material facts have changed or were unknown by the governments before the safe haven and that I am skeptical that the case would have been heard at all without public revelation and interest.
I am also very skeptical that private data in Germany was or is any safer from the problems with the safe haven as far as data intentionally illegally shared with institutions in the US, not due purely to issues on the ground when defending the data in good faith.
While this is true, it's interesting to see what kind of effect this will have on the market.
I also didn't talk about startups, I mean small business in general.
This could be a reason not to launch your business in Europe, if the cost of "deployment" is too high. Sure, someone else will fill that hole for you, but that's less money in your bank account. :)
Exactly. There's a bit of "pulling up the ladder" here. The guys who got in when the Internet was still the wild west got established without all this overhead.
There will be an enormous burden on new businesses satisfying these laws - previously we've got away with privacy policies but could still code the same. If we need to maintain N servers for N countries customers could be from, that's a massive operational overhead that is bound to do nothing other than stifle innovation.
Now, I'm all for privacy, but if each country starts fragmenting the internet on country boundaries - to the level of physical servers and data storage locations, bringing a new idea to market is going to be much, much harder. This is different to, e.g. different tax regulations, etc, because you can still benefit from centralised computation while processing orders for different localities.
And while today this might be just about Europe, it sets a trend. Before it was just Russia and China. How long before all countries want to see the code a la the Chinese?
So the NSA has screwed things up for all of us now who are trying to start businesses.
If my costs go from: developer -> developer + global devops team + legal, etc., that's a massive burden that will affect the "bedroom/garage" startups.
From my experience, majority of "bedroom/garage" startups self-limit geographically - whether it's expecting a phone number or a bank account in a given country, or assuming everyone has a U.S. state and zipcode (90210). Data regulation is hardly the deal-breaker when their own dataschemes don't support internationalization.
I guess it all comes down to how you're meant to determine where someone's data should be stored. Is it by their nationality? What if your app gains popularity outside your launch country? Are you suddenly on the hook for not having sharded your data geographically?
Plenty of popular apps don't require anything like bank account/post code, etc. that could be assumed to prove which country someone is from.
If your app gains popularity in Italy, you have to care about Italy. That means supporting the Italian language always, it means supporting the odd Italian phone numbers if your app happens to deal with phone numbers, and it means complying with Italian law.
Now, if your app does not become popular in Italy, you just have five users there, do you still have to comply? No you don't, because de minimis non curat lex.
What kind of services or small businesses do you have in mind that a) have offices in different data jurisdictions and b) do not require any localization for these jurisdictions?
The fragmentation might be good when we talk about privacy. It gives motivation to create more local services and not depend on foreign ones.
China is a good example of how that works: they have their own search engine, blog platforms, website analytics software, video sharing sites, IM software. So Chinese users do not send their data (and money) to USA and government can protect personal data from NSA while EU cannot.
Of course I do not approve other things like censorship in China but having local services is a good thing both economy-wise and privacy-wise.
I don't know why you are downvoted. This is going to become a real concern indeed: should I have one deployment per country of sale, ultimately, etc? This is getting tricky.
How many times a day is this phrase written in Hacker News?
How many times is it found on reddit?
The poster, in this specific case is not being downvoted.
The issue I think is understanding about how commenters and viewers use HN and reddit and upvote and downvote over time. If you understand this process you will no longer want to write "I don't know why" because you will understand the process.
I hope more people would understand the voting processes of these various discussion forums.
The poster was actually heavily downvoted, until I mentioned this, and now it isn't anymore.
I almost never complain about downvotes (as mentioned in HN guidelines), yet felt that there was a misunderstanding and a lack of full perception of the implications of what the downvoted message conveyed.
Truth is (again, as someone who is privacy-sensitive, and running an EU SaaS) this is going to be complicated to run an international SaaS, as a bootstrapper.
So was the actual comment "I do understand why you are being downvoted, and I disagree with the reasons" or "I do not understand why you are being downvoted?"
Ah - I didn't read like "it's a bit of pain" (easy or not) but rather like the extra friction brought by this issue is going to stop many people from starting businesses, at all.
(for some context, I'm a French SaaS bootstrapper; I am as careful with my customers' data as I can be, and found that starting a SaaS has been a major pain already - VAT rules, finding a SafeHarbor provider which doesn't suck at security, too etc).
> (for some context, I'm a French SaaS bootstrapper; I am as careful with my customers' data as I can be, and found that starting a SaaS has been a major pain already - VAT rules, finding a SafeHarbor provider which doesn't suck at security, too etc).
I was talking about this to someone just now and it strikes me that all these regulations are very much wasted on startups during their creation. Maybe what we need is a way for startups to be able to playtest their idea and only have to worry about all the extra responsibilities once they're more certain about the results.
> Yeah good luck setting up a startup now. If other countries follow Russia's suit, we'll soon end up having to somehow determine where a user is from (what if they're roaming, etc.?) so we can shard the datastore across multiple geographic locations.
Or just host everything in Europe.
Or lobby Congress to stop shitting all over privacy so that the US can be considered a safe harbour again.
Hosting in Europe wouldn't fix the issue that Russian law wants to have Russian persons' info stored in Russia. It could very easily end up with several countries requiring this, and needing to store data differently depending on user's selected country.
And think about it: is there a really huge increase to privacy? What exact attack scenarios does this defeat, and how likely are such scenarios compared to run-of-the-mill privacy breaches (lax security)?
It's obviously about regulatory requirements rather than a random hacker. If I host my data in the US, then I am subject to the whims of the US government, and as such they have jurisdiction over European data (which of course, is not protected in any way in the US, even by the meagre data protection laws that the US affords its own citizens).
> And think about it: is there a really huge increase to privacy? What exact attack scenarios does this defeat, and how likely are such scenarios compared to run-of-the-mill privacy breaches (lax security)?
Those are two entirely different scenarios. There's no reason both couldn't (and shouldn't) be handled in parallel. For example starting next year companies within the EU are held liable for data loss, with up to IIRC 3% of their global revenue. That policy handles the lax security concerns; no reason to not tackle other problems, like the one described on this thread.
Or you could work on starting a startup that helps to 'store stuff in their geographic region' as a service. And let all the other startups leverage your service.
What I see here is just a simple data center service which offers to store company data and ensures it complies with EU requirements for these countries. If each country has different laws that require data to be stored physically in that country's location, then it's just a matter of setting up at least one such data center in each country and providing storage for any company willing to do business. Then you can make service order in bundles with multiple countries and that's it.
You can replicate within groups of datacenters which fall under the same privacy rules. That's more than enough to run a centralized global social network, even though I'd love it for making it impossible.
I'm not talking about replication for disaster recovery, but replication to avoid intercontinental round trips.
If my actual name is stored in Europe, my US friend must request the data from the USA just to show his friends list on an HTML page... (is that a transfer too? is it forbidden too?)
This seems less about privacy and doing what's right for EU citizens and more about European countries enacting some kind of protection scheme to give American companies a disadvantage when doing business there.
In a more cynical light, maybe build up some 'value' that can then be 'traded' in a US/EU TTIP deal?
"Look, the EU is reasonable and wants to get rid of the cookie ruling and the high bar for startups on geographical server requirements - TTIP would allow all this to happen!"