Edit: I'm reacting to "Facebook and Twitter [...] could be forced to host European user data in Europe"
Border control with data is the worst idea ever.
Think of it: my Facebook friends lists has EU and US people in it. This list can't reside in EU or US. This webpage can't be served by either a EU or US web-server. By law. LOL
Plus I'm a EU citizen, and I can choose to give my data to whoever I want... no more. That's sad.
This ruling only shows the dismal tech knowledge of lawyers and lawmakers. It's impossible to implement Facebook with data spread between EU and US. Same for Tweeter and others. Say goodbye to social networks. Because of model denormalization, because of network latency and intercontinental bandwidth.
Some mention cloud zones, but they're only useful with replication, which IS data transfer.
OR... social networks will cheat. And one day, they'll be sued for cheating the impossible regulations (think VW...)
The judgment does not prevent you from storing personal data in the US per se. It only nullifies the blank check of the safe harbor provision. As far as I can tell, there's nothing preventing Facebook from obtaining consent from you using Model Contract Clauses or Binding Corporate Rules, for example. This is already normal for companies from countries that do not enjoy the benefits of a safe harbor provision, after all.
I didn't say that it's just a problem with Facebook's contract. Model Contract Clauses and Binding Corporate Rules are pretty restrictive, and Facebook may not like them and prefer to instead separate their data. But neither does it mean that they cannot do it.
> Think of it: my Facebook friends lists has EU and US people in it. This list can't reside in EU or US.
I think you're misunderstanding the ownership of the data, hence the down votes. If I as an EU citizen create a private friends list like this, that list belongs to me. If I live in the EU but create the list using a US service with servers in the US, there is no problem. US privacy laws apply. If I create the list using an EU service on EU hosted servers there is no problem, EU privacy laws apply. However in this second case if the internet service company wants to transfer the list from their EU servers to their US servers without my explicit permission, that's a problem.
I think the parent is getting at if you're in the EU and your data cannot be transferred to the US, and a friend in the US has data that cannot be transferred to the EU (if they were to follow suit) you wouldn't be able to create a list of friends in both localities because of the restriction to send data around, without incurring intercontinental latencies. Obviously the list itself could reside in either ___location, but the service provider would need to perform an intercontinental join each time you wanted to view the names of friends in your list.
But user names in e.g. Facebook aren't private information, they are explicitly public. As are messages you publish to people. That's just not an issue. The issue concerns private information associated with your account that you have not chosen to share such as your personal phone number, physical address, date of birth, etc. Of course if you send that information around in public messages that's your problem, but if you keep it in your account, then the company, such as Facebook, transferring that account information to the US it is a problem.
My name is private data and should be treated as such. Companies need to have my permission to gather my name, and they need to tell me what they use it for and how long they store it, they should not gather it if they don't need it, they should store it securely, they should not share it with other people without getting my explicit opt-in.
That doesn't make it impossible for Facebook to do business. It just means Facebook needs to be more careful with what they gather and store.
I don't know. The EU's own website[1] on data protection refers to your name and photographs as private information that is subject to privacy protection laws.
Relevant quote:
> Individuals regularly disclose personal information such as their names, photographs, telephone numbers, birth date and address while engaged in a whole range of everyday activities.This personal data may be collected and processed for a wide variety of legitimate purposes such as business transactions, joining clubs, applying for a job, and so on.
> Nonetheless, the privacy rights of individuals supplying their personal data must be respected by anyone collecting and processing that data.
Where it gets really tricky is caching. Say you do your intercontinental join but then want to cache HTML fragments for performance, well, is that classed as "transferring data" because technically it is...
I think it will be reasonably argued that data in this context is the master record. The source of truth to which queries are sent.
A cache is not that, and you need only look at something like the EU e-commerce directive to find exceptions for caches and networks on the basis of being a "mere conduit" for the communication.
It is not as if the data is now toxic and cannot be cached or communicated outside of the EU, only that the data must be stored in the EU and should not be replicated to any database or storage outside of the EU that would prevent EU privacy law taking effect. That's important as EU privacy law already has enough exceptions to allow reasonable scenarios like caching to function.
And if you are going to say "well I could just query my cache", then I'd suggest that if your cache is able to do much more than a single key|value lookup to retrieve the cached item then it is in fact a database you'd lose the protections of being a cache and you're back in the world of not storing EU data outside of the EU.
Imagine I'm in the EU, and Facebook wants to store my data in the EU.
But I'm friend with US people. So I'm in their own friend list too, which is stored in the USA. So my data is needed in the USA too.
When I publish something in Europe, my friends needs to see it too in the USA. And you can't build a Facebook wall with intercontinental latencies. You need replication.
It's a social graph, and you can't split it between US and EU: data has to be replicated across borders (or face massive latency and bandwidth).
I think this relates more strongly to things like the fb tracking through like-buttons, building a shadow profile of your online activities and such - and moving that data from an EU data centre to an US one. It might also relate to storing archives of private messages you've "sent" to other users - "transferring" a message from you, in the EU to a user in the US isn't part of this -- transferring your entire chat history from the EU to the US might be.
I don't think published messages to people you have chosen to share them with are the kind of information at issue here. Otherwise this would also affect email being sent across the Atlantic.
You're completely missing my point. Your facebook user name isn't personal private data, it's explicitly public. If people in the US have your name in their friends list that list belongs to them, not you. Not even the bit of it with your username.
> And you can't build a Facebook wall with intercontinental latencies.
I have yet to see a Facebook wall in under 0.133 seconds, I'm not sure intercontinental latencies are the biggest problem in web performance these days...
The latency would be incurred several times when loading a single wall. As an experiment, take a moderately complex web app and deploy it in a different continent from the database it connects to.
If you're at the point of storing data on different continents and being aware where it is stored, I'm not sure what is stopping you from batching your trans-continent queries so that you only hit the trans-continent latency once.
For exaqmple
> Think of it: my Facebook friends lists has EU and US people in it. This list can't reside in EU or US. This webpage can't be served by either a EU or US web-server.
This is plainly wrong, a reference tyo an user in a list is not the user data
A reference will not be enough when my friend wants to see my name and photo on the list. And if my friend must fetch it from Europe (and not cache it), expect Facebook to be slower and use more bandwidth than ever.
Without intercontinental replication, you'll be facing latency and bandwidth problems which will make social networks impossible.
note: when I say bandwidth, I mean intercontinental bandwidth, not your local internet bandwidth.
Border control with data is the worst idea ever.
Think of it: my Facebook friends lists has EU and US people in it. This list can't reside in EU or US. This webpage can't be served by either a EU or US web-server. By law. LOL
Plus I'm a EU citizen, and I can choose to give my data to whoever I want... no more. That's sad.
This ruling only shows the dismal tech knowledge of lawyers and lawmakers. It's impossible to implement Facebook with data spread between EU and US. Same for Tweeter and others. Say goodbye to social networks. Because of model denormalization, because of network latency and intercontinental bandwidth.
Some mention cloud zones, but they're only useful with replication, which IS data transfer.
OR... social networks will cheat. And one day, they'll be sued for cheating the impossible regulations (think VW...)