Yeah good luck setting up a startup now. If other countries follow Russia's suit, we'll soon end up having to somehow determine where a user is from (what if they're roaming, etc.?) so we can shard the datastore across multiple geographic locations. So obviously this = increased costs & complexity which will slow the speed of iteration :-(
European privacy laws are very consumer-friendly and usually very reasonable. US companies should look at those laws as a guidebook on how to get your customer's privacy right in the US as well.
You build houses - think of it like fire safety rules. "What do you mean I have to keep track of all the fire safety rules for the country I build the houses in? Can't I just keep track of a set of rules of my choosing instead?" -- well, no, for one, and even if you could, that'd be a bad idea. Almost universally, there are good reasons behind specific rules in the fire code. (And in the rarer cases the rules really are broken, that's a problem with the law, but not one that can't be fixed).
Unfortunately, most companies don't give a rat about their customers' privacy (we care deeply about it we swear). What really should happen instead is that US customers demand laws like the ones we have in Europe.
But the situation prior to this ruling is basically what you described: that there's a particular set of rules that you have to follow. Now you potentially have to follow everyone's rules for every house you build, but which rules you had to follow depends on who buys it.
The situation prior to this ruling is "There's a particular set of rules which you have to follow... unless you're an American company, in which case, we trust you".
In the end we ended up with a requirement to ensure more and more prominent information. Do you think it's bad that more consumers are aware of the potential privacy impact of their actions?
Basically every website in the world except basic static sites uses cookies. So the EU wants every website in the world to have a warning message about the dangers of cookies. That will show up every single time you visit every single website. Unless you accept the cookie that allows the site to see the fact that you saw a warning about cookies. So, websites have to use cookies to display a warning about cookies and if you don't accept the cookie, you get a warning about it on every single subsequent visit.
It screams laws written by politicians for special interest groups none of whom have the first clue about technology or how it works.
You could just have the web browser show an alert when a site wants to set a cookie and the user can click that alert or always allow it. Which is what we used to have in every web browser. Until users got sick of seeing the stupid warning because every single website uses cookies. And they got blind to the warning and paid no attention to it. Which made any other warning a browser shows more likely to just be clicked through.
So browsers removed the warning because we all realized it was stupid and pointless and ineffective and served no purpose any longer. But politicians with no idea how the technology works and no understanding of the fact that we already went through all this decide that everyone should see the dumb, stupid, ineffective warning on every single website and have it show up every single time for the people who understand how to manage their cookies and only show up once for the people who have no idea how to use their cookies. Just brilliant. It serves no purpose and everyone just clicks it away just like any other popup ad.
You're incorrectly thinking the EU cookie law applies to all cookies. It only applies to tracking data, including tracking cookies. Don't use Google Analytics -> No cookie law for you.
Actually, I do. There's a fallacy that displaying information before requesting consent necessarily leads to informed consent. Many users have insufficient background to understand what they're consenting to, particularly since such info-dumps tend to not mention what the consequences of various choices would be. With no context for their decision other than "Accept makes things work," all you're doing is training users to sign away their rights without knowing that they are
Don't conflate people's privacy and random laws that say they are about privacy.
With prevalent encryption on-the-wire, fibre tapping is less useful. So the way people get their privacy leaked is via hacking or other compromises. Saving to disks in a person's country of origin is probably rather far down on threats to their privacy. (Yeah, I know, if you host it all on disks in the US, then the FBI can come steal those disks. But that's less a risk than a hacking group dumping your DB on pastebin.) And a compromise to the company will compromise the data no matter where the disks are.
If countries were really concerned, they'd mandate strong security for personal info. Not like PCI where technical details are spec'd, but somehow offload it so that companies must make reasonable steps. Then have enforcement to fine companies that misbehave. Perhaps make it something where companies will want to get insurance.
That way, a startup, instead of grabbing everything, they'll ask themselves: "Hey, do we really wanna capture this info?" Just like PCI shot a lot of plans to store card numbers and CVV, a strong law could make companies think twice and plan around handling private info.
Location of storage devices might end up on the list of requirements, somewhere. Like once you store info on more than X people, you're required to address how you handle differing jurisdictions or something.
The two are not incompatible; EU countries are already fining companies that leak private data, and talking about increasing those fines (the EP suggests a max of 5% of global revenue or €100M, whichever is higher).
I'm as much for generating friction as anyone else. But I wouldn't pretend that keeping data in any country in NATO isn't akin to giving it to five eyes.
Basically the EU is creating a PR stunt that in theory could force them to enact some minimum veneer of standards and that PR stunt is going to have higher short term costs for the small private sector players than the large ones.
It is entirely possible the stunt will instead pay off for the other EU governments and against the privacy of their population by getting them invited further into the club.
> But I wouldn't pretend that keeping data in any country in NATO isn't akin to giving it to five eyes.
Collecting data which is routed internationally is a well documented method that NSA et al have used to skirt domestic law and grab/share the data. If you already live in country "C", and by statute your data must never leave country "C", then your data are more protected than if it had been sent outside the legal jurisdiction of country "C"'s courts.
I'm saying that no material facts have changed or were unknown by the governments before the safe haven and that I am skeptical that the case would have been heard at all without public revelation and interest.
I am also very skeptical that private data in Germany was or is any safer from the problems with the safe haven as far as data intentionally illegally shared with institutions in the US, not due purely to issues on the ground when defending the data in good faith.
While this is true, it's interesting to see what kind of effect this will have on the market.
I also didn't talk about startups, I mean small business in general.
This could be a reason not to launch your business in Europe, if the cost of "deployment" is too high. Sure, someone else will fill that hole for you, but that's less money in your bank account. :)
Exactly. There's a bit of "pulling up the ladder" here. The guys who got in when the Internet was still the wild west got established without all this overhead.
There will be an enormous burden on new businesses satisfying these laws - previously we've got away with privacy policies but could still code the same. If we need to maintain N servers for N countries customers could be from, that's a massive operational overhead that is bound to do nothing other than stifle innovation.
Now, I'm all for privacy, but if each country starts fragmenting the internet on country boundaries - to the level of physical servers and data storage locations, bringing a new idea to market is going to be much, much harder. This is different to, e.g. different tax regulations, etc, because you can still benefit from centralised computation while processing orders for different localities.
And while today this might be just about Europe, it sets a trend. Before it was just Russia and China. How long before all countries want to see the code a la the Chinese?
So the NSA has screwed things up for all of us now who are trying to start businesses.
If my costs go from: developer -> developer + global devops team + legal, etc., that's a massive burden that will affect the "bedroom/garage" startups.
From my experience, the majority of "bedroom/garage" startups self-limit geographically - whether it's expecting a phone number or a bank account in a given country, or assuming everyone has a U.S. state and zipcode (90210). Data regulation is hardly the deal-breaker when their own data schemes don't support internationalization.
I guess it all comes down to how you're meant to determine where someone's data should be stored. Is it by their nationality? What if your app gains popularity outside your launch country? Are you suddenly on the hook for not having sharded your data geographically?
Plenty of popular apps don't require anything like bank account/post code, etc. that could be assumed to prove which country someone is from.
If your app gains popularity in Italy, you have to care about Italy. That means supporting the Italian language always, it means supporting the odd Italian phone numbers if your app happens to deal with phone numbers, and it means complying with Italian law.
Now, if your app does not become popular in Italy, you just have five users there, do you still have to comply? No you don't, because de minimis non curat lex.
What kind of services or small businesses do you have in mind that a) have offices in different data jurisdictions and b) do not require any localization for these jurisdictions?
The fragmentation might be good when we talk about privacy. It gives motivation to create more local services and not depend on foreign ones.
China is a good example of how that works: they have their own search engine, blog platforms, website analytics software, video sharing sites, IM software. So Chinese users do not send their data (and money) to the USA and the government can protect personal data from the NSA while the EU cannot.
Of course I do not approve of other things like censorship in China but having local services is a good thing both economy-wise and privacy-wise.
I don't know why you are downvoted. This is going to become a real concern indeed: should I have one deployment per country of sale, ultimately, etc? This is getting tricky.
How many times a day is this phrase written in Hacker News?
How many times is it found on reddit?
The poster, in this specific case is not being downvoted.
The issue I think is understanding about how commenters and viewers use HN and reddit and upvote and downvote over time. If you understand this process you will no longer want to write "I don't know why" because you will understand the process.
I hope more people would understand the voting processes of these various discussion forums.
The poster was actually heavily downvoted, until I mentioned this, and now it isn't anymore.
I almost never complain about downvotes (as mentioned in HN guidelines), yet felt that there was a misunderstanding and a lack of full perception of the implications of what the downvoted message conveyed.
Truth is (again, as someone who is privacy-sensitive, and running an EU SaaS) this is going to be complicated to run an international SaaS, as a bootstrapper.
So was the actual comment "I do understand why you are being downvoted, and I disagree with the reasons" or "I do not understand why you are being downvoted?"
Ah - I didn't read like "it's a bit of pain" (easy or not) but rather like the extra friction brought by this issue is going to stop many people from starting businesses, at all.
(for some context, I'm a French SaaS bootstrapper; I am as careful with my customers' data as I can be, and found that starting a SaaS has been a major pain already - VAT rules, finding a SafeHarbor provider which doesn't suck at security, too, etc.).
> (for some context, I'm a French SaaS bootstrapper; I am as careful with my customers' data as I can be, and found that starting a SaaS has been a major pain already - VAT rules, finding a SafeHarbor provider which doesn't suck at security, too, etc.).
I was talking about this to someone just now and it strikes me that all these regulations are very much wasted on startups during their creation. Maybe what we need is a way for startups to be able to playtest their idea and only have to worry about all the extra responsibilities once they're more certain about the results.
> Yeah good luck setting up a startup now. If other countries follow Russia's suit, we'll soon end up having to somehow determine where a user is from (what if they're roaming, etc.?) so we can shard the datastore across multiple geographic locations.
Or just host everything in Europe.
Or lobby Congress to stop shitting all over privacy so that the US can be considered a safe harbour again.
Hosting in Europe wouldn't fix the issue that Russian law wants to have Russian persons' info stored in Russia. It could very easily end up with several countries requiring this, and needing to store data differently depending on user's selected country.
And think about it: is there a really huge increase to privacy? What exact attack scenarios does this defeat, and how likely are such scenarios compared to run-of-the-mill privacy breaches (lax security)?
It's obviously about regulatory requirements rather than a random hacker. If I host my data in the US, then I am subject to the whims of the US government, and as such they have jurisdiction over European data (which of course, is not protected in any way in the US, even by the meagre data protection laws that the US affords its own citizens).
> And think about it: is there a really huge increase to privacy? What exact attack scenarios does this defeat, and how likely are such scenarios compared to run-of-the-mill privacy breaches (lax security)?
Those are two entirely different scenarios. There's no reason both couldn't (and shouldn't) be handled in parallel. For example starting next year companies within the EU are held liable for data loss, with up to IIRC 3% of their global revenue. That policy handles the lax security concerns; no reason to not tackle other problems, like the one described on this thread.
Or you could work on starting a startup that helps to 'store stuff in their geographic region' as a service. And let all the other startups leverage your service.