pylua · a year ago
Funny thing is, US data is almost always maintained by people outside of the US, at least for banking. The servers may live in the US, but the people accessing it are probably located in Europe or India. This also means that the data lives there temporarily while it is being accessed.

The US definitely needs stronger laws here.

lolinder · a year ago
> The US definitely needs stronger laws here.

Can someone clarify for me why the physical location where data is stored is a big deal? Why does the US need stronger laws here?

This is probably just my inner naive technologist speaking, but I really enjoyed the moment of time during which the internet was a global network of computers that created a virtual space where physical borders were largely irrelevant. So it's a bit jarring for me to see people take for granted the idea that borders matter on the internet after all.

Edit: 0x62 has a good explanation here: https://news.ycombinator.com/item?id=41357888

I hadn't considered the recursive nature of suppliers.

bayindirh · a year ago
> Can someone clarify for me why the physical location where data is stored is a big deal?

What can you do if your data is silently copied by third parties and used for other activities? What if I build a ghost profile of you and steal your identity when I have enough data? What if I relay that you have a fancy car to some people who have the means to get that from you while sleeping? What if I craft a good scam by targeting you with your own data?

It's not about data is sent to where, it's about what happens when it arrives to the physical servers, who has access to these files, and what can they do with it.

When I visited the states, I got EZ-Pass spam/scam e-mails for a year, on an e-mail I gave to nobody when I was there. So, these laws matter.

Nursie · a year ago
> Can someone clarify for me why the physical location where data is stored is a big deal?

Because the place where data is collected and stored may have different rules around privacy and data protection than the place it is exfiltrated to.

If I give my data to a company in one place that has strict laws on what may be done with that information, I don’t want it escaping to a low-protection jurisdiction where there are no penalties for selling it to the highest bidder for god knows what purpose.

If there was an acceptable worldwide convention on personal data privacy that would solve the problem. Until there is, it matters a lot.

maxglute · a year ago
>global network of computers

Global network of computers where data ultimately flowed to American mainframes. Countries realize data is a resource / liability / vulnerability, and even if most struggle to profit from it, they'd still want sovereign control over it. You only really control things on your soil. Physical location / possession matters for control.

tiffanyh · a year ago
Many countries have data residency laws (their citizen PII data cannot leave that country).

https://incountry.com/blog/data-residency-laws-by-country-ov...

legacynl · a year ago
The reason why the physical location matters, besides latency, is that certain governments have laws in place that allow them access to any data in their territory.

In the case of EU countries (I think it's part of GDPR), services that handle personal data need to make sure that that data stays safe. The only way they can do that is to make sure that the data stays in a certain region.

I think that is why OP is advocating for stronger laws. Due to lax privacy laws in the US, it's impossible for European companies (and other privacy-concerned companies) to host their data in the US, therefore you're missing a share of the market.

begueradj · a year ago
Except that the US authorities have the right to access the data you stored on Apple or Google & Co. servers whenever needed, without your consent and even if you are completely innocent.
ndsipa_pomu · a year ago
It shouldn't be a problem for Europeans to access/process U.S. data that belongs to U.S. citizens - GDPR doesn't cover that AFAIK, so it's fine for it to cross borders. The issue is with GDPR protected data of EU citizens, as the law does not permit that data to cross non-EU borders unless it's for specific exemptions such as law enforcement.
mananaysiempre · a year ago
Or, IIRC, if the destination country has privacy protections that are at least as strict as those in the EU, which the US legal regime for foreign intelligence definitely doesn’t provide (a non-US-citizen wouldn’t even have standing to sue wrt their personal data).
pylua · a year ago
You could be a citizen of the eu and us.
mjw_byrne · a year ago
NAL, but I think GDPR has exceptions for remote access, i.e. if a worker in India is viewing data held in the US, that is not necessarily formally considered a transfer from the US to India, even though the data clearly has made it to India if it's being displayed on a screen there.
theptip · a year ago
Under GDPR I believe if the data access is from an employee of the company (eg Uber) then there aren’t location checks. (Been a while so I could be mistaken here.)

But if you are subcontracting to an agency you need to list them as Subprocessors in your DPA. So subcontracted support staffing companies for example would be required to be listed and explicitly consented to.

This is all assuming you set up the base contractual protections for the data required to export the data at all, which Uber apparently didn't do here.

Puts · a year ago
Well technically data transfer according to GDPR has nothing to do with where the data is geographically. It’s what legal jurisdiction the controller or processor is under that matters. If you move data to a processor under another jurisdiction that is a transfer.
organsnyder · a year ago
GDPR absolutely does have requirements for the physical location of data.
irdc · a year ago
In another article (https://nos.nl/l/2534629, Dutch language) Uber claimed to have been talking to the Autoriteit Persoonsgegevens about what they said was an “unclear law”. Via iOS Translate:

> A spokesperson for Uber explains to the NOS that they have also contacted the AP themselves about the ambiguity surrounding the privacy rules. Then, according to Uber, the watchdog didn't say that the company violated the rules.

Which is all fine and dandy but the rule really is that if it’s not clear to you (as a rich and well-lawyered company) that something is permitted, that doesn’t give you the right to then do it.

And yes, the fine really has to be this high: fines can never be just a part of doing business; colouring within the lines has to have the attention of everybody involved, from the shareholders on down.

pyrale · a year ago
> Since the end of last year, Uber uses the successor to the Privacy Shield.

Sounds like they're going to get condemned again in the future, seeing how these things get knocked down again and again. The EU commission is really dropping the ball there.

AlanYx · a year ago
The EC has issued an "adequacy decision" regarding the new EU–US Data Privacy Framework (the replacement for Privacy Shield): https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae6... and has begun "certifying" compliance with the Framework: https://www.dataprivacyframework.gov/list

So maybe the DPAs will defer to the EC's interpretation of adequacy under the GDPR for this new Framework?

Lots of unknowns though, since Schrems has already announced a challenge to the Framework. The only "safe" option without any uncertainty seems to be architect every system so that data never transits to the US and is also never in the custody of a subsidiary of a US-domiciled corporate parent.

pyrale · a year ago
> The EC has issued an "adequacy decision" regarding the new EU–US Data Privacy Framework

Too bad the EC isn't the body that can judge whether that deal is legal, and has been caught repeatedly lying about past deals [1].

> So maybe the DPAs will defer to the EC's interpretation of adequacy under the GDPR for this new Framework?

As before, cases will go to the actual authority on the matter: the CJUE. I personally don't have high hopes for this deal to last.

[1]: https://noyb.eu/en/european-commission-gives-eu-us-data-tran...

judge2020 · a year ago
> The only "safe" option without any uncertainty seems to be architect every system so that data never transits to the US and is also never in the custody of a subsidiary of a US-domiciled corporate parent.

If I'm not mistaken, because of this (via [0])

> The CLOUD Act primarily amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil.

It sounds like compliance is only possible* if "the US company doesn't have any influence on the EU data-holding company" which is insane. This might be satisfied if the US company simply licenses their software product (e.g. the Uber backend) to an EU company. But this might not be adequate since chances are updates would be somewhat automated, and thus the US-based Uber might be compelled by the government to ship malware with their update to catch some US criminal (or otherwise enact some US spying).

* edit: only possible in lieu of a data agreement like Privacy Shield or its successor as mentioned above

0: top comment on https://news.ycombinator.com/item?id=33561222

MyFedora · a year ago
No, the EC asked ChatGPT to rewrite the Privacy Shield but give it another name, and the CJEU is expected to retroactively invalidate the law again. This will only change if the US provides essentially equivalent privacy protection laws, which they don't.
pembrook · a year ago
Exactly, compliance is currently impossible since this is a geopolitical spat between the US and EU over US law.

The goalposts on this move every 6 months, so the fines are easy money for the EU.

The companies are just collateral damage. For some reason HN is full of people who don’t actually understand this issue but feel very emotionally passionate that all US tech companies are evil and doing this on purpose.

“Just follow the law, you evil companies!”

Lol. They would if there was a clear law/process to follow that didn’t get shot down every few months.

As it stands, you cannot operate in the EU as a US company if you want to be totally immune from fines.

I urge you to talk to your government representatives (on both sides of the pond) if you care about this issue. This benefits nobody except for EU government coffers.

childintime · a year ago
Funny they are being fined in the Netherlands, because Uber is almost invisible there, as regular taxis have been protected. I don't have accurate data, but it's at least 15€ per inhabitant, so it seems like a very very steep fine. I can't imagine how much this is per driver, €25000?

It seems the dutch regulator is saying "why don't you just go away?". The feeling is likely mutual.

peterpost2 · a year ago
Uber Europe is headquartered in the Netherlands, which is why the fine was handed out there; the complaint was passed from the French privacy watchdog to the Dutch one.
creesch · a year ago
Not sure if you are actually dutch, but it is explained in more detail here: https://tweakers.net/nieuws/225768/uber-krijgt-van-ap-avg-bo...

> Although the fine comes from the Dutch regulator, the investigation began in France. In June 2020, 21 Uber drivers there stepped forward to human rights organization Ligue Des Droits De L'homme Et Du Citoyen. Another 151 Uber drivers later joined that complaint. The LDH took that complaint back to the CNIL, France's national privacy regulator. The latter forwarded the complaint to the Dutch Personal Data Authority in January 2021 because Uber's European headquarters is in the Netherlands.

decide1000 · a year ago
Uber HQ is in the Netherlands. They like the tax system here..
jgowdy · a year ago
That's one way of saying "Europe is full of nations who provide unethical tax shelters for businesses (while criticizing any nation that doesn't provide their level of social programs), so they can regulate and fine and fill their coffers with money from businesses all over the world." But yeah, blame it on the companies that take advantage of the tax shelters EU nations choose to provide and the EU chooses to allow.
kmlx · a year ago
> a very steep fine

> > The appeals process is expected to take some four years and any fines are suspended until all legal recourses have been exhausted, according to the DPA.

fine is suspended. it will take 4 years of appeals :)

mcmcmc · a year ago
Once again demonstrating that fining a corporation for criminal behavior is simply adding to their operating cost, and the lawyers will always get paid
Manfred · a year ago
It's a fine meant to be a punishment, not damage settlement.

> All DPAs in Europe calculate the amount of fines for businesses in the same manner. Those fines amount to a maximum of 4% of the worldwide annual turnover of a business.

diggan · a year ago
> because Uber is almost invisible there, as regular taxis have been protected

Uber is almost invisible there because they continue to blatantly break the law, and even when told to stop, they continue like nothing happened. (https://www.wsj.com/articles/dutch-authorities-raid-uber-off...). This seems to be just another case of the same hubris.

Of course Uber faces pushback when they act like that.

agentcooper · a year ago
> The Dutch DPA started the investigation on Uber after more than 170 French drivers complained to the French human rights interest group the Ligue des droits de l’Homme (LDH), which subsequently submitted a complaint to the French DPA.

I wonder on what the initial suspicion from the drivers was based.

shiandow · a year ago
Common sense if I had to guess. Or maybe the app connected to the servers in the US directly.
troupo · a year ago
Could be simple negligence on Uber's part.

Personal anecdote:

Many years ago I was involved with a US organization, and then happily forgot about it. Almost 15 years later they started spamming me with emails coming from their head office in Washington.

I asked them to stop. They didn't. I threatened legal action under GDPR and requested deletion, also under GDPR. They said they complied. A year later they started spamming me again. From the same address.

That's how I knew that they never deleted my info and kept it in the US.

einpoklum · a year ago
> Could be simple negligence on Uber's part.

They didn't slip, fall, and drop some USB flash drives into the hands of a US data processor...

I doubt it is any sort of negligence, but if it is - it's not "simple".

amarcheschi · a year ago
Have you followed with a notification to your privacy authority?
raverbashing · a year ago
Uber is very aggressive with notification spam.

Even worse when you move between countries and suddenly "Uber Country X" uses your account of "Country Y" to spam notify you about promotions in X. It's weird in a bad way

AlanYx · a year ago
Can anyone explain how this relates to the EU-US Data Privacy Framework (also sometimes called the Trans-Atlantic Data Privacy Framework)?

I thought that that framework was supposed to allow this (as a replacement for the EU–US Privacy Shield framework)? Presumably this wouldn't have been a problem under Privacy Shield (i.e., pre-2020), or am I getting that wrong?

jorams · a year ago
This article[1] by the Dutch DPA has some details about it: The Privacy Shield was invalidated in 2020, leaving only the Standard Contractual Clauses as a valid transfer tool. Uber stopped using Standard Contractual Clauses in August of 2021, before adopting the new Privacy Framework in 2023. For a period of two years they were transmitting extremely sensitive information without a valid way to do so.

[1]: https://www.autoriteitpersoonsgegevens.nl/en/current/dutch-d...

AlanYx · a year ago
Thanks. That gives a lot more information. With respect to the new framework, the article you linked to just says "Since the end of last year, Uber uses the successor to the Privacy Shield." Do you know if the Dutch DPA endorsed the new framework, or did they leave it ambiguous/unresolved as to whether post-2023 transfers are GDPR compliant?
di4na · a year ago
You are getting this wrong.

Basically the framework, like the Shield before, is the Commission trying to show "look, we fixed it".

Sadly, for the previous two times, the ECJ pointed out after the fact that no framework can fix the lack of data privacy law in the US, and that as such, the Shield, just like its predecessor, was not allowing what it claimed to do.

The Framework has not been tested in the ECJ so far, but the US has not significantly altered its laws so...

AlanYx · a year ago
Thanks. So basically the new framework hasn't accomplished anything that can be relied upon when architecting a system to reduce the risk of GDPR compliance issues?
wyager · a year ago
We are fortunate to have lived through a brief period where the internet was truly a global network. A person in the Netherlands or Nigeria [1] could access the best technology services the world had to offer. People could more or less interact freely across borders.

Obviously this is coming to an end. Every fiefdom wants their cut and their say, to the point where the internet being a global network is obviously becoming inviable. It was fun while it lasted.

[1]: https://www.reuters.com/technology/nigerias-consumer-watchdo...

sjamaan · a year ago
These laws have been created for good reasons, and US tech companies have had free rein to trample on people's privacy rights for a very long time.

If a company acts in an honorable way, there's nothing to fear and they can easily do business worldwide. It's when companies do things that are shady and should've been outlawed from the start that they run into trouble. The main issue here is that the US has the least restrictive laws and allows its citizens' privacy to be grossly invaded, which means these companies now feel like they're being unnecessarily restricted.

If the US had stricter laws, this would be a non-issue and you wouldn't hear anyone about it. It's all very myopic and US-centered to focus on the company's freedom to do as it pleases. What about the users' freedom to live without being spied upon? Free market rules don't apply - the network effects are too big to really say "you can take your business elsewhere if you don't like it". Also it's a transparency issue - it's too hard to tell from the outside how your data will be handled to make an informed decision about what companies to deal with. Especially because all of them treat your data like they own it, as a cash cow.

pembrook · a year ago
> It's all very myopic and US-centered to focus on the company's freedom to do as it pleases.

The Dutch DPA is not accusing Uber of doing anything nefarious. They are mad that Uber, as an American company, can be compelled by the US government to hand over data. Ultimately, their beef is not with US companies, it’s with the US government.

This is all wildly ironic because the EU is constantly trying to spy on their own citizens and undermine encryption. The EU is just upset that the US is able to do it instead of them.

This is just companies being caught in a geopolitical spat between competing powers. The EU keeps moving the goalposts on what constitutes “safe” transfers (we’re on the 5th round of this). So there’s no way for companies to be compliant unless the US government changes its laws. So right now it’s just a lever to extract money from US corporations via never ending fines.

The US government and the EU need to sort this out. Blaming the companies shows a total lack of understanding of the real situation. I get that we all hate big tech now, but there’s literally no way to comply in good faith with these competing EU cash grabs over the shifting specifics of how you can transfer data to US servers.

muaytimbo · a year ago
"What about the users' freedom to live without being spied upon?" Pretty simple, don't use Uber.
wyager · a year ago
I'm not going to address your comment at the object level; I'm just going to point out that you've missed the point of my comment entirely. My comment is descriptive (the internet is going to become nationally siloed) not normative (a moral judgement on the conditions that are leading to this state of affairs).
Ragnarork · a year ago
> Every fiefdom wants their cut and their say, to the point where the internet being a global network is obviously becoming inviable

Why exactly would physical products have to comply with local laws when exported to other countries and not online services? Do you also call it "fiefdom wanting their cut and their say"? Do you disagree with the concept of laws altogether?

wyager · a year ago
The thing that made a global internet possible is that it was understood that sending bits over a wire is different from shipping physical goods. The customs regime for physical goods is prohibitively expensive for bits.

I'm not interested in arguing if eliminating free transit of data is a good idea or not; I'm just pointing out the inevitable consequence of the current trends.

_Algernon_ · a year ago
>We are fortunate to have lived through a brief period where the world was truly a global trade network. A person in England could access the best tea the world had to offer. People could more or less interact freely across borders.

>Obviously this is coming to an end. Every fiefdom wants their cut and their say, to the point where the world being a global network is obviously becoming inviable. It was fun while it lasted.

- Some ignorant bloke at the end of the British empire, probably

ben_w · a year ago
Point, but IIRC the end of the British Empire was met with a mix of "We didn't want it anyway it was so expensive"* and "We lost an empire but gained a continent".

(The latter followed by lots of pikachu surprise face because they weren't in charge of said continent).

* Not only an Aesop reference, but also an actual claim I've repeatedly encountered

pyrale · a year ago
> Every fiefdom wants their cut and their say

You mean, the epicenter of that global network transformed it into a tool of influence and surveillance? [1] Or maybe that the companies participating in that global network saw interest in walling that global network? [2] [3] Or maybe that global network is being reshaped by a few dominant actors so much that outside regulation becomes necessary? [4] [5]

No, of course not; it must be local barons trying to scrap a bit of power, not at all a reaction to massive abuses from the industry.

[1]: https://en.wikipedia.org/wiki/PRISM
[2]: https://www.eff.org/fr/deeplinks/2013/05/google-abandons-ope...
[3]: https://blockthrough.com/blog/the-walled-gardens-of-the-ad-t...
[4]: https://www.theverge.com/c/23998379/google-search-seo-algori...
[5]: https://en.wikipedia.org/wiki/Facebook%E2%80%93Cambridge_Ana...

teekert · a year ago
Uber’s right to do what ever the f they want stops at my right to control information pertaining to me.

What’s freedom? GPL? BSD? Swinging a fist? Not getting hit on the nose?

michaelteter · a year ago
Freedom to some means creating a startup that willfully ignores regulations in virtually every market while playing a funding ponzi game until finally handing the consequences off to the foolish public (IPO).
wyager · a year ago
You've missed the point of my comment. It has no normative claims, unlike your angry invective about rights. I'm just pointing out that the inevitable consequence of these new regulatory regimes is a nationally siloed internet. You can feel however you want about it; maybe that's a good thing from your perspective. But it's happening
cynicalsecurity · a year ago
It was fun for companies to freely steal people's data and sell it to the highest bidder. I'm glad this is slowly coming to an end.

I'm not sure I like Meta's and the influence of other foreign companies on European culture too. We were more free before them.

ndsipa_pomu · a year ago
Well, I'm not sure that I'd equate "freedom" with companies exploiting people's personal identifying information and selling it for their own profit. Personally, I don't want my information that's protected by GDPR in my own country to be smuggled into another country where there's almost no legal protection for someone's data/privacy.
imachine1980_ · a year ago
Free as in corporate freedom to extract and abuse your personal information
jeltz · a year ago
And this freedom was ended by companies like Google and Facebook who abused this freedom forcing governments to act. Internet was at its worst right before GDPR. I don't think we will ever get back to the old free Internet and instead we will have this power balance between big corps and governments.
TeMPOraL · a year ago
Like with any new frontier. There's the age of exploration, then the age of exploitation. Even if the former is usually funded by commercial interests, it's in the latter that they finally suck out everything that's nice and fair and fun about the venture. We're at this stage now with the Internet.
stavros · a year ago
EU citizens: We don't want our data in the US, where it can be siphoned off to other companies.

US company: siphons data

EU: You can't do that.

HN commenter: Damn these fiefdoms wanting their cut, what has the internet become? I pine for a simpler time, when I could do anything I wanted with data against people's will and nobody could stop me, that truly was the golden age.

renlo · a year ago
He was saying that Uber will no longer operate in NL/EU, the pining was for "equal access to US services", not your data. FWIW, I am annoyed myself about having to accept GDPR popups on every website I visit, so I too pine for a day where US companies have nothing to do with "EU citizens".

meiraleal · a year ago
Local & capable internet is the future. I don't want my country influenced by US/EU politics all the time.
mtkd · a year ago
Access to tech is different from handling of personal data though -- the EU GDPR laws around that are clear and fair

People have a right to know where their personal data is going, what is being stored, what it is being used for and should have a mechanism to correct it and delete

The wider challenge is how that is handled in a compliant way with LLMs and generative tools which vendors do not seem to be taking particularly seriously yet

ndsipa_pomu · a year ago
> The wider challenge is how that is handled in a compliant way with LLMs and generative tools which vendors do not seem to be taking particularly seriously yet

I'm curious as to why people would want to train LLMs on personal identifying information. What's the benefit of an LLM that has a large collection of names, addresses, dates of birth etc.?

zoobab · a year ago
The US still does not have legislation to protect Personal Data like the GDPR.

That did not prevent the corrupt European Commission from issuing a third variant of the Shield to still allow American corporations to send data of EU citizens to the US, despite the Schrems II ruling.

kmlx · a year ago
> The appeals process is expected to take some four years and any fines are suspended until all legal recourses have been exhausted, according to the DPA.

i guess we’ll hear more about this in 4 years.