No one in my circles cares about Facebook leaving Europe. Until they realize that Facebook includes Instagram and WhatsApp and they do actually use those other services.
Point being: to all the commenters saying no one cares, a lot more people care than you think.
Eh. If all three of those left the US I would care exactly not at all. There are better alternatives and if FB et al disappeared suddenly it would just create room for those services to take hold.
In the last 5 years, Whatsapp has basically replaced SMS in many EU countries. The equivalent in the US is probably the combined market share of FB Messenger, Whatsapp, iMessage and Signal.
There was a forerunner of that last year when there was a massive exodus to Signal when FB changed WhatsApp's privacy policy to force users to allow sharing of data with Facebook. If they shut down, even people who were too apathetic to switch would do so overnight. I hope Signal has a contingency plan for scaling up 10x ready...
if WhatsApp goes people would move to signal or telegram.
Instagram is a bit trickier, but I'm fairly sure people would start making a new one immediately. You could even relatively easily transfer everything and everyone across using the zip you can get thanks to GPDR.
Leaving Whatsapp is hard because everyone is using it. But suppose whatsapp becomes unavailable for whatever reason, people will turn to other apps within hours (actually within a hour). In fact many people already have Telegram/Signal on their phone (although not using it).
As for instagram, things are a bit different. But the way I see it, 1- general population isn't using it. 2- This is not a necessary tool like whatsapp. Something else will fill the void but it will take some considerable time.
My understanding of Telegram is that it's big in eastern europe, but here in Ireland at least, it's got a reputation of "that thing you contact your drug dealer on".
That's exactly why the EU is doing this. The various EU courts all have issue with the fact that the US Government can force US Companies to share data with US Intelligence companies even if that data resides outside of the US. This is why simply storing the data in the EU isn't enough.
Our government allows intelligence agencies to spy on everyone, and as a result foreign countries do not trust us. As long as other countries have to worry about US companies sharing data under gag orders those countries will not trust our companies with their data. Nor should they.
The European Commission, the executive branch of the EU, was trying not to rock the boat, possibly fearful of starting a trade war with the US. It's the European judiciary, egged on by lawsuits filed by activists like Max Schrems that has been pushing forwards, with the legendary nimbleness of any judicial process.
US intelligence agencies are increasingly hurting US business interests. I’m really wondering why big business in US allows this to happen. I was always under the impression, that money trumps everything in the US. But times are changing. The US seems to change from pure capitalism into a surveillance state.
This was fake news since day 1. There was never any source which pointed back to Facebook implying any such thing. Just tech bloggers/clickbait journalists doing what they do best.
Reading Facebook's own reports? "“If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs (standard contractual clauses) or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe."
That doesn't mean it's not also a threat. It just means that if it is a threat they can always say "That's not a "threat". It's a legally-required warning in a regulatory filing for investors of a possible negative event which might occur." Facebook knew journalists would see this and may have wanted it to be reported on.
Given that the warning is, as you say yourself, legally required, what do you consider to be the most likely primary reason for it being published? It being legally required (and the consequences of violating that), or "knowing journalists would see this"?
Especially since this wasn't the first report where it was included...
They are telling their shareholders if something becomes illegal they will have to cease doing it. You will find similar "threats" in every financial statement or disclosure by every public company.
Their form 10-k, in listing all the business risks, said something along the lines of "if it becomes illegal to operate in Europe we'll have to stop operating in Europe". Then the clickbait factories were off to the races.
This is actually an interesting case study of who is spreading and consuming fake news.
This fake news reached the top of reddit and trended on Twitter. Both are dominated by users who think of themselves as smarter than the fake news consuming boomers on Facebook.
In my country it was reported by both the tabloids and mainstream media. Only the publicly owned Danmarks Radio (Danish BBC) didn't spread this fake news.
It also made it to the top of Hacker News multiple times, a site much worse than Reddit in its users having inflated measures of their group's intelligence.
This was not just fake news, this was deliberate misinformation. A title saying 'FB threatens to leave EU' means something very different from 'FB lists EU regulation as a potential threat to business in SEC filings'
> To help personalize content, tailor and measure ads, and provide a safer experience, we use cookies. By clicking or navigating the site, you agree to allow our collection of information on and off Facebook through cookies. Learn more, including about available controls: Cookies Policy
How am I supposed to read the cookies policy without clicking or navigating?
To be fair seems like a backoff, but the problem is - nobody cares. Millions of man-hours saved a day. On a serious note - that market would be filled in a month...
Meta does not want to understand. People are not happy that their data is Meta's business and that, as a result, Meta keeps socially engineering them to milk more of their time.
People are not even mad about ads, they are mad at the waste of time and general sense that FB brings the worst out of you.
They need to shift their business, changing the landscape (metaverse) will not change anything or trying to convince people that what they offer is great is a long term losing proposition, imh.
I don't think that Facebook needs to address the fear in people from leaving Europe.
If nothing else, they've definitely heard feedback that people wouldn't mind at all if they left.
>But the simple reality is that Meta, like many other businesses, organisations and services, relies on data transfers between the EU and the US in order to operate our global services
Yeah.. The reality is you don't really have to transfer anything out of EU in order to keep your service running. Liars
> The reality is you don't really have to transfer anything out of EU in order to keep your service running.
Practically speaking, running FB in a way that doesn't transfer anything out of the EU would involve either:
1. Siloing off the EU facebook, with no contact with the US side
or
2. Building a federated facebook, which transfers across e.g. only the timeline entries US friends are granted view access to
The former would not be well-accepted, as it would cut off communication from e.g. international relatives, and would be a rather large project to launch. The latter would be an even bigger rearchitecture, which would likely take, at a minimum, several years to complete, since it's unlikely this was ever anticipated as being a possibility when FB was originally created.
So, I sympathize with them - while in the long term they might be able to find a solution, in the short-to-medium term, FB would have no choice to stop operating.
> 1. Siloing off the EU facebook, with no contact with the US
That's already business as usual with China, but companies like Facebook have absolutely no problem with that silo as it protects them and benefits their bottom line.
But somehow, use cases that protect users, those suddenly pose major blockers.
Yes, they do silo. Nobody is claiming otherwise. My point is that they'd almost certainly prefer not to; they are siloing to comply with Chinese laws.
What makes you think they have "absolutely no problem with it"? You don't think it would be operationally simpler and more profitable to allow communication between Chinese and non-Chinese accounts?
No, not really. Companies operating in China silo their services because Chinese laws demand access to servers, and by siloing the company ensures that the Chinese regime does keep it's hands off stuff they have no business accessing.
Siloing services in China has zero to do with CCP's demands and everything to do with a company's self-interest.
Can you direct me to the evidence suggesting that Facebook/Meta operates in China? My understanding is that the only FAANG corporation that deals with the CCP is Apple, who has gone beyond siloing content and straight-up relocated a portion of their servers to the country.
About 2010, I realised that siloing the internet is basically the only way for nations to remain fully sovereign — can’t enforce laws on copyright, libel, porn, personal data protection, un-accredited education, scams, hacking, gambling, false or misleading advertising, unregulated political advertising[0], indecent communications, malicious communications, menacing communications, nor treasonous/seditious communications, when the people doing it are in a country you don’t have a treaty with.
This is not to say I “want” this — what I want is for everyone in the world to be one big happy group of friends, but I don’t know how to get there from here, and silos look to me like the next thing that will happen.
The issue is not having Europeans sharing photos and posts with Americans, but to have unshared personal data like logs, user preferences or non-public PII hosted on European servers without granting the US government access to it since it is outside of their jurisdiction.
Also, if a European citizen shares photos with an American friend, this friend will fetch the image from an European server, so that the US government doesn't have access to the remaining photos, unless they contact European authorities.
If that were the case, how would any global communication medium be allowed to operate? Can't you provide the same service while not moving PII out of the EU? As far as I know this is not about a user in the US viewing a EU citizen's facebook page, this is about where the original data resides, is it not? Playing devil's advocate here, can't you just figure out what jurisdiction the user belongs to and route the request to the right server?
There are a lot of edge cases that people don't think about.
A lot of communication data has two people associated, and a lot of it is highly sensitive. If a US person and a French person chat how does each get the messages? Message data is obviously highly sensitive and shouldn't be shared.
Does the US person need to hit the French servers to see new messages, and vice versa? What about quoting?
Message metadata (i.e. the fact that these two people are talking at all) is also pretty valuable -- the classic pen register is just a record of which calls were made to which numbers. Where do you store the metadata of the thread? It arguably belongs to and is private to both people.
> So you propose to copy the private data of European citizens on US servers?
> What happens when the law makes that illegal?
just follow the Chinese model. complete blackout between the European Union, China and ROW. this is where this thing is headed, so we might as well start thinking about it.
Keep in mind that with other communication mechanisms (e.g. email, SMS) we already send over a copy of the message and keep the original. I'm not saying it's "better" from a privacy perspective, just that it seems like the logical solution here, and I'm not sure how a court might conclude otherwise. The data is being hosted in Europe at that point. It's just that a copy needs to be sent to the recipient only when the message is initially sent (because how else do you communicate?!).
That's true for some kinds of PII data and not others. The social graph (who are your friends) is symmetrical. Shared-edit documents, dropbox-like file sharing, and wikis are often ownership-ambiguous.
Sending data to the US and storing it there, is the very point that is being contested.
People are acting like this is a trivial problem both technically & legally but it’s not. I don’t have sympathy for Facebook but if you are a small company handling data in the EU and other data outside it I have sympathy as it’s going to cost a lot in architectural complexity and compliance costs.
How do SMS/MMS/email/etc. handle this? Are you saying they would all become illegal? Or is this law going to uniquely place requirements on social media that other communication systems do not/would not comply with?
I’m not a lawyer, so take the following with a pinch of salt.
My GDPR compliance training said that data strictly necessary for the provision of a service is something a business can freely use to that end without explicit consent. This is why GitHub doesn’t show cookie popups: https://github.blog/2020-12-17-no-cookie-for-you/
So “User @Alice sent $message to user @Bob” is necessary for a chat platform, but “Notice to advertisers: User @Alice posts a lot about cars, cats, and funny shaped carrots” isn’t even though advertisers pay for the continued existence of the service.
I sincerely doubt that I understand enough about the topic to apply what little I’ve heard through the media about the Schrems judgements and the decision to invalidate the Privacy Shield framework and its predecessor to answer that.
Aside from the difficulties in operating effectively without passing any PII (which includes identifiers) across international/org lines, the reality is that recent EU regulatory action has come down not on where the data is stored, but whether the parent company is in the US.
The reality that the EU government has recognized is that a FISA order of the parent company could compel a US organization to pull data from the EU servers to provide to the US government; and it’s a valid critique.
The cloud act allows US agencies to gain access to all data a US Company has access to regardless the physical location. This in turn means that a EU Company can't guarantee that the data isn't transferred out of the EU. To transfer data out of the EU one either needs a legal framework or consent.
Consent has to be given in an informed manner, but since the company does not know for what reasons an US agencie can access the data they can not inform the person correctly under gdpr.
A legal framework has to comply with the EU Charta. Indiscriminate access to information is not in compliance with the EU Charta so a framework cannot exist.
Which the EU will solve by forcing companies to erect a legal firewall; otherwise they would define their laws as being underneath American laws with anything related to a US company operating in Europe.
That wouldn't solve anything. The EU treats all US services as being in the US, regardless of where the physical servers are, as Facebook is still subject to the US subpeonas and they are legally required to give data to the US even if it's on a European server.
You are right that the same logic would make any American communication website illegal. I think the end goal for the EU here is to require all communication platforms used by EU citizens to be entirely run by the EU.
> regardless of where the physical servers are, as Facebook is still subject to the US subpeonas and they are legally required to give data to the US even if it's on a European server
Is that so? I'd like to know more about this then, I don't see how that would be practical at all then.
> Principally, it asserts that U.S. data and communication companies must provide stored data for a customer or subscriber on any server they own and operate when requested by warrant, but provides mechanisms for the companies or the courts to reject or challenge these if they believe the request violates the privacy rights of the foreign country the data is stored in.
I think that's the difference. Facebook could be forced to keep all PII in the EU for the purpose of protecting peoples data from unlawful (EU) use but still have to surrender it to US law enforcement. Would that violate the EU law?
> I think the end goal for the EU here is to require all communication platforms used by EU citizens to be entirely run by the EU.
I think their end goal is regulatory convergence. They don't want companies to be able to trivially circumvent laws protecting their citizens simply by operating in a different jurisdiction, which is to say, if you want to play by different rules, barriers are inevitable, or else the rules are meaningless. Over the long run, the hope is that people can converge on similar enough rules that the barriers become unnecessary.
For example, suppose a country passes an air quality law that forces companies to reduce emissions from factories. They might suspect that instead of updating their factories, companies might sell their manufacturing equipment to new companies that mysteriously pop up right across the border and happily sell finished goods back across the border. Anticipating that, the country would want to do something to prevent it. The measures they come up with might be onerous and inefficient in the short run, but in the long run, the two countries would be motivated to converge on regulatory regimes that were mutually acceptable.
(not intending to endorse or criticize this idea, just giving my best understanding of how countries approach questions like this)
If you are sending a message to a person in another country, you are consenting to that communication traveling to the location of that person. See article 6:
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
[.. other permissible purposes snipped ..]
Generally, the GDPR issues with sending to another country boil down to whether the EU accepts that the other country's government will allow the company protect the data in ways compatible with the GDPR. When sending that data to another company happens for reasons incidental to the permissible purpose of your data (eg EU-to-EU data processed in the US) this becomes an issue, as you've not consented to that risk. If you are specifically requesting that your data be sent to, say, the US, however, then processing that data in the US becomes necessary and thus much more justified.
From a technical perspective, you can certainly silo your data and transfer only as needed. This is however way more complicated, as you need to now deal with the fact that you're potentially performing joins across high-latency datastores, where you might need to be careful about what query data you're sending across the wire, and where your different silos need to apply access controls against each other. If you didn't engineer for this from the start, it's a big shift in architecture.
A facebook feed doesn't just show data from one user. When I look at my feed, I am seeing posts from 100 people distributed over 7 countries on 3 continents. Stitching that data together from multiple data sources is an extremely difficult thing to accomplish.
The issue is not your feed, that's what Facebook wants you to believe, you agreed to share that data with other FB users. the issue is they transfer personal data of EU citizens to the US to process them and sell them or use them to improve their adv war machine. Or give it to their US government.
Much harder for a large company than a small one, actually. The coordination overhead to get a bunch of disparate teams in a large company to rearchitect the fundamental structure of the service should not be overlooked.
This is about data sending without consent, which has to be explicit. E.g. if I, as european, create a Gmail account and my mails reside in an US server, I give explicit permission for all my emails to be transferred between Europe and the US. Namely: I'm informed of the extent of data collection (all my mails incoming our outgoing), the duration (forever), the storage (Google servers) and algorithms used (I consent the scanning of my emails to create adds).
But if I visit a web page hosted in Europe, and that page uses the FB cookies, Google analytics, etc. maybe I'm unaware what and how the data is being collected.
They relied on the cookie banners as explicit consents (i.e. if you click this "OK" button, you give explicit consent to all our data gathering and sending), but that might be not fully compliant with GDPR.
> E.g. if I, as european, create a Gmail account and my mails reside in an US server, I give explicit permission for all my emails to be transferred between Europe and the US.
NOYB has used this as an example of something that would be illegal.
If stop operation is the only alternative to stop collecting and sending out data, then let it be.
An if that happens, if Facebook really gets banned from operating in Europe, I'm pretty sure “good enough” technical solution approved by the EU administration would be found pretty quick.
I assume the most interesting requirements are about data residency. And that probably 1) can be avoided by just making sure EU data is stored in the EU, US data in the US, and looking up a foreign region profile (which is rare) would need to a a pure API proxy request which is not allowed to store anything in the local region and probably has some kind of per-request authorization to do this.
I certainly have not spent any time to look into the actual legislation - so don't take this as "everything would be fine" - but I feel a solution could be found that governments would be ok with if FB would be willing to spend the engineering effort.
The problem is that US law says that the US can tell a US company to share data with US Intelligence Agencies even if that data exists in a subsidiary outside of the US.
That's why simply storing EU data in the EU isn't enough when there's a US company involved. Our surveillance state isn't just horrible for privacy, it's also bad for business.
1) Providing end-to-end encryption on user data travelling from Europe to outside Europe.
2) Your option for number 1, but then allowing users to freely consent with their data to be shared internationally (which they can then revoke later if required).
I'm sure there are others... Also IANAL but a social media post may be covered under the "legitimate interests" scope of GDPR (but facebook's tracking data would certinally not be covered).
> Siloing off the EU facebook, with no contact with the US side
That's insufficient as the US CLOUD Act allows the US government to compel a US company to cough up the data even if it is hosted in the EU and subject to EU privacy laws.
The only workaround I could see is one where they would spin out Facebook EU as a legally independent non-US entity (giving shares in it to Meta shareholders) and federate that with FB US.
Is the purpose of the data transfer necessarytransparent and proportionate? If so, no problem and your far flung relatives can communicate without issue. These principles frustrate the surreptitious core purposes of Facebook however and so it doesn’t make sense for them to facilitate in those terms. If you’re not paying for a service you are the product.
I'm not sure that is the case. The data that people are posting themselves on Facebook clearly has consent to be published.
What is not is all of the tracking that they do - not only on the Meta properties, but also all of the other websites who are dumb enough to execute code or otherwise expose their users to Facebook. Lots of them do it unwittingly too.
I'd be amazed if they couldn't come to a medium-term compromise agreement if they wanted to. EU authorities have precedent in giving companies time to fix things up if they show that they're willing to do that.
Erm, 1. doesn't really make sense, because EU isn't really the problem here. It should read "siloing off the US Facebook". And that makes perfect sense.
There are other companies that silo each customer from each other in ways that are very expensive to the platform owner (can't get more specific, sorry).
I'm fairly confident that data encrypted over the wire and only decrypted locally on the user's machine, shared willingly with the intended recipient, would not violate anything of interest (clearly, European companies can serve pages to the US). Of course, there are many more ambiguous cases than that (like, where exactly can metadata about which Europeans are allowed to view an American's posts be stored? Is that PII?), but the specific case of serving a post is not really all that complicated.
For those downvoting me, I'd love to hear why you think it's more complicated than that. Contrary to popular belief, the people who wrote the GDPR are pretty technically sophisticated and understand that data on the internet has to move between countries from time to time.
Let's take a more complicated example, that is one of the main things that happens on Facebook:
1. Sam makes a post.
2. FB predicts Pat will comment on this post if they see it.
3. Pat sees the post, and writes a comment.
4. FB predicts Alex will reply to Pat's comment if they see it.
5. Alex sees the comment, and writes a reply.
To show why data transfer is such an issue, assume Sam, Pat, and Alex are all in jurisdictions with EU-style privacy regulations and that don't have data transfer agreements with each other.
How would you build a system that supports 1-5, a user journey that is core to Facebook's usage, in a way compliant with these regulations? For example, where is the discussion stored? Where do the models in (2) and (4) run?
Insofar far as I understand GDPR, models (2) and (4) can run anywhere, provided that the data are ephemeral, encrypted in transit, and their output decision cannot be queried later (e.g. by logging a relationship between the input to the model and the eventual message delivery that includes PII like IP). The question of "where is the discussion stored?" would indeed be problematic if it were not possible for it to be encrypted in such a way that a key from both countries was needed in order to reveal the conversation plaintext, but I don't see a clear reason why that should not be possible (it may not be how Facebook actually stores conversations now, of course, but it is not a technical barrier).
As far as I can tell, the really difficult aspect here is how and where to permanently store the fact that the two users are talking to each other once the comments are actually made, since the mere fact that they are talking to each other demonstrates a relationship between them which may be considered PII in some contexts. Or at least, it would be difficult if the US also had privacy laws like the EU's, and IMO any coherent solution should be able to work if the US adopts something like GDPR. Unlike the message contents, this is quite difficult to store in a privacy-preserving way. I think the discussion would be more interesting and feel less like attacking a strawman if people were to focus on the interesting questions like this one, rather than the extremely uninteresting question of whether Facebook can serve posts to the US at all (which it obviously can).
I live in the US, I have several friends that live in the EU. "Who our friends are" is unquestionably PII. Is this friendship graph something that must reside in the US or EU?
Yes, that was the example I brought up as something more complicated. This does not really have anything to do with the fact that data has to eventually be transferred to the US though, which is what the majority of this thread seems to be about. I suspect that a good answer to this is quite complicated, but it's worth looking at the work Signal has been doing to protect this sort of data in a reasonably privacy-conscious way.
One option would be to serve this data directly from the European server. However, it's not the public profile data which most people object to be shared, it's the tracking/user-profile data which FB collects in the background.
Yeah, to the user who requested it. Also, it's just the user's post, not the user's tracking/advertisement data.
So the only thing the US government could get, are the public facing posts/images which the user posted but nothing more. If the profile is private, even less. No messenger data (except when send to users in the US).
You can access EU-served data from all over the world, that's not a problem. What's in question is bringing data from EU residents outside of the EU to process it.
Right, the people at Meta aren't stupid. They understand fully will that users posts aren't the issue, but steering the debate in that direction would make the EU look unreasonable.
Meta could be more accommodating to the wishes of the EU and place a greater focus on privacy, but that would mean changing how they do business. Meta clearly don't believe that it's possibly for their businesses to be profitable without data mining the crap out of their users. I know it's not a popular opinion, but business like Facebook and Instagram are the direct reason why the EU feel the need to step in and regulate.
Inherently isn’t the data stored and kept everywhere it’s accessed? If you’re in Germany and are a German your message sent to me just now also now is being stored where I’m located to even read it, no?
It’s not semantics, though. If I saved everything I ever read onto a database, indexed uniquely by website schema, how does anything change? The point is the same.
This is where lawyers, regulators, and engineers can reasonably disagree with very serious consequences for governments, shareholders, and ultimately citizens.
If you're in a given geography/regulatory regime, and you read something on your smart phone, technically you were served that via some cell tower or ISP, those bits transited that infrastructure. In the US there's a massive clot of regulatory blockage working it's way slowly through the bowels of government around the term of art: "common carrier".
As with many things that devolve into nitpicking, there is a deeper issue: the EU is increasingly regretting becoming the host to, ironically, European-style colonialism on large-scale consumer Internet platforms. The PRC has its own Google, Twitter, Facebook, etc. The EU has Google, Twitter, Facebook, etc. and doesn't love that US companies and regulators are kind of driving the digital lives of the citizens.
The proximate tussle is about the durability of the storage involved. As a European regulator I might be much more comfortable with a write-through cache like TAO holding messages, or FBIDs of messages, including a German in the chat than I am with all such chats being held on a DFS in Prineville among other places, and having them ground over by a Spark or Hadoop job in Forest City among other places.
They'll kick it around and come up with some compromise that will serve end-users by accident at best. Europe won't develop a homegrown consumer Internet industry in our lifetimes. The odds are both US and EU legislators and regulators will miss a step and it'll be ByteDance everywhere by the time anyone reads this :)
Not on their servers though. If the data is in your browser, it's not trivial for e.g. Facebook to then go an do nefarious things with that data at scale. This is how I understand it.
My understanding was that it's about where the data resides. That assumption may or may not be true. But if it is it's feasible for EU data to be stored in the EU and US users request that data from the EU server. Again, my understanding was that this would be a valid way to handle that data but I might be wrong.
I'm sure we'd all benefit from hearing the TurtleCoin guy expound on how one goes about multi-national regulation of terrabits/s of multi-layered write-through caching ranging from extremely cold storage on custom hardware to the POP sitting in a Munich suburb and where exactly the line should be drawn on data custody in that setting.
That's one issue. Another more complicated issue is which country's legal authority does the owner of the data have to respond to. If the answer is USA, then the data can be requested by this government regardless of where it's stored...
Just for clarification, GDPR does not prohibit in any way that privat personal data leaves the EU (obviously). However, if you want to transfer privat personal data out of the EU you have to certify it still conforms with GDPR (this can be self certified).
"Yeah.. The reality is you don't really have to transfer anything out of EU in order to keep your service running. Liars" - nixass
Look, I realize I'm not an elite hacker news hacker, but how can I as a US user look at my friends posts in germany without them transferring data to me in the US?
What makes this so obviously a lie that such strong language is called for?
Large computer systems with baked in assumptions of the fact that data locality regulations wouldn't be as strict as they are in 2022 are... difficult to update
Would be really great to see even more regulation to make these so-called “data businesses” to stop gambling with people’s information.
One example of that would a mandatory paid option which takes you out of all company data sharing stuff.
I dont use any facebook/Meta related platforms such as facebook, instagram or whatsapp. But it makes me sick seeing people around me addicted to it, due to their shady operation patterns.
> Yeah.. The reality is you don't really have to transfer anything out of EU in order to keep your service running. Liars
Only as long as your users are fine to only talk with people from their "world region cluster". Everyone else would not be able to communicate with, say, family that lives overseas.
> Yeah.. The reality is you don't really have to transfer anything out of EU in order to keep your service running. Liars
Can you explain to me how would you allow communication between EU and USA users without transferring any data out of EU? Expect for putting all the datacenters in EU?
I'm pretty sure when we talk about "transfers" here, we aren't talking about "user in US requests data from URL that is served from server in EU". We're talking about user-data from/about/on EU citizens that is stored on servers in the US (or transferred there from servers in the EU with the intent to keep it on servers in the US). The former is fine[0], but the latter is not.
[0] Obviously if there is some web forum hosted in Germany that a bunch of Germans living in Germany post to, and I -- in the US -- visit the forum, that involves data leaving Germany and flowing to the US. There's nothing wrong with that.
Very simple example - I'm in EU, and I like and post a comment on a photo of Rihana. How do you do that on the backend, without transferring data or keeping all the data in EU?
Even if you keep data for individual profile in corresponding country, any interaction with a content outside of EU is impossible without data transfer.
> The reality is you don't really have to transfer anything out of EU in order to keep your service running. Liars
Ok you would have to make actual legal guarantees that no PII data will _ever_ be processed outside of the EU. given that this effectively means that if you fly out of the EU, or are _routed_ out of the EU, you won't be able to use those services. This is because PII is anything personal to you, and processing means anything that makes decisions, like routing based on IP or username.
This isn't actually a facebook specific problem S3/azure/google and their customers all have the same problem.
About 5 years ago, I was told Facebook uses a single global “write” datacenter, which works for their use case of read-mostly.
I’m not sure it this is still the case, but assuming it is, wouldn’t that make for a reasonable argument why it would be “impossible” (a.k.a. possible but non-trivial) to keep the data in the EU?
Yeah I remember something similar. It’s not just about coming up with a compliant architecture, but how to get there from what already exists. Of course authorities could say ”not our problem”.
I'm sure a good chunk would be fine with it. Facebook only maintains their social media dominance because the product is sticky: when your friends, family, municipality, favorite businesses, and clubs use Facebook and only Facebook for announcements, you kind of have no choice but to participate unless you're willing to work around inconveniences. Most users barely log in, maybe once or twice a month to check their direct messages and waste a few minutes on the feed.
It's a bit of a prisoner's dilemma: if other people use Facebook, they get to see things you don't and have an advantage in some domains. So a lot of people "use" facebook. But if all of the businesses and groups get forced off of Facebook they'll just find another way to make announcments.
Same thing with car ownership: if everyone stopped owning cars, everyone could happily get around with bikes, feet, and public transit. The world would quickly restructure to accommodate it. Sure, some things would be lost (it would be harder to go to remote places to hike, for instance), but other things, like the ease of getting around your immediate neighborhood, or easy access to stores, or polluting the air with less CO2, would balance that out in many ways.
Having seen how quickly MySpace became irrelevant, I am certain FB is acutely aware of how tenuous the position is as the king of social media. It is no wonder they behave like they do to capture and keep users.
Offerup, while filled with dark patterns, is something I recently discovered. And it is just as viable, available lots of areas and seemingly less filled with scammers. (By no means empty though)
Anecdotally, I would love to stop using Messenger and WhatsApp; however, the social friction in doing so is too great. Far too many friends and family are using those services exclusively for me to abandon them.
If those services suddenly closed then I wouldn't have to use them!
It's silly, really; in order to contact specific people I must use all of: SMS, Email, Signal, Telegram, WhatsApp, Messenger, and Discord.
I live in Mexico and have several friends in different EU countries. Would it be possible for me to follow them , read their feeds and interact normally if I was in the US and Facebook blocked data transfers between EU/US?
> Meta Is Absolutely Not Threatening to Leave Europe
But then in the body of their post...
> EU-US data transfers mechanisms poses a threat to our ability to serve European consumers and operate our business in Europe [and] we have absolutely no desire to withdraw from Europe, of course we don’t, But the simple reality is that Meta relies on data transfers between the EU and the US.
I mean, that sounds like a threat to leave to me? If you can't operate your business in Europe? Talk about mixed messaging and double-speak!
If you're going to interpret every risk disclosed to investors as a threat, that means companies can't be honest about the risks facing them without making threats.
Since public companies get sued for not disclosing risks to investors, there is no winning this.
Came here for this comment. This choice of headline by Meta seems like a bad choice. The language just reeks of double speak even if it isn't (No, I haven't read the article!). Who is running PR at Meta these days? "Dad Is Absolutely Not Threatening to Leave Mom".
Getting in to the article, the language is bizarre: "We have absolutely no desire to withdraw from Europe; of course we don’t." What? Who talks like that.
"we want the internet to continue to operate as it was intended: without friction, in compliance with applicable laws — but not confined by national borders."
We want the internet to be an unrestricted free for all! But also follow the laws ... the ones we like, of course. But not ones from other countries, I mean we all have a line guys.
What are you talking about? It's completely clear to someone who isn't coming at this issue with an axe to grind. Meta's ability to serve European customers is under threat. In other words, the regulatory framework is making it hard for them to do their jobs. Meta is not threatening to leave. They couldn't be clearer.
An international social network where one posts pictures/videos, write posts, has a profile, look at news, communicate through direct messages or group chats should be fully compliant with GDPR. Even across borders. Because consent for those activities is very explicit.
What's not compliant with GDPR: Store cookies on a users computer, then let others look for that cookie and share the users data with them so they can target ads at you. Collect all that data from different site and create a profile of you that you then sell. You can also not move data out of the EU without guaranteeing to not do that.
Why does this sound like a series of Tweets? I cannot believe an SVP wrote this and thought it was a professional enough tone to publish. It reflects doubly bad on Meta because not only do Europe’s (or Apple’s or Google’s or whatever enemy du jour) privacy laws limit their ability to execute (as seen from their latest quarterly results), but they don’t even have the maturity to address the situation without more whining about how user privacy means they can’t harvest their data to make billions of dollars. This sort of tone might fly for a start-up but not one of the largest companies in the world. Doubly true since Meta just identified a huge downside in their prospects and this does nothing to assuage investors. Rather than say “we are looking for ways to continue to provide our services while remaining compliant with privacy laws” and a bunch of marketing speak about it, they throw in the towel and say “boo hoo, if Europe wants privacy, we just can’t have Facebook there.”
The EU doesn't care if Meta gets the data of its users but that there is no possibility to prevent that the intelligence services get them too.
That killed Safe Harbour.
The headline is accurate. Even a company as tin-eared as Meta knows their reputation is deep down in the septic tank, and the threat would be as credible as the black sheriff in Mel Brook's "Blazing Saddles" pointing his gun at his own forehead and saying "Or the N*** gets it's"
Yup, you did. Annual report, page 9, and it backfired.
Everybody knows you won't leave but that's what you suggested point blank. You put this there to put pressure on Europe to surrender its citizens data to the US unconditionally.
Second paragraph: But if we don't get what we want, we will have to consider blah.
I guess it's time for an update to Betteridge's Law: The more emphatically a press-release headline denies something, the more likely it is to be true.
If there is no Facebook, WhatsApp, Instagram, what will replace it?
Already it seems using Google Analytics is illegal in some countries at EU.
What about Microsoft Teams, Windows 11, etc? How can I prevent those sending any telemetry data etc to outside of EU? Will Microsoft Teams, Windows 11 etc be illegal too?
Microsoft has setup an independent business unit and a data center in Germany. From all cloud companies, Microsoft is likely the best prepared for the US untethering, because of their B2B background.
Seems pretty clear that Facebook is putting this statement out because they're sweating their big stock slide and looking to staunch the bleeding whereever possible. If they were in a stronger position they would be sticking to attempting to strong-arm the EU.
>"If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs (standard contractual clauses) or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe."
Compared this to Apple.
>Apple's position is it should indeed be able to reflect on the terms and decide whether commercially it is right to accept them or to leave the UK market. There may be terms that are set by the court which are just commercially unacceptable.
I will let HN decide which one of them is really a threat.
While Apple haven't said anything similar to the Dutch, I think they just gave them the middle finger.
Love how many people refer to them as Facebook, unlike Twitter and the news where they even refer to past activities as coming from Meta which sounds incongruent.
is it possible that if they go through with it, it might open up the entire continent to an alternate / competitor, which can then threaten them globally ?
thinking a bit more, it seems that there might be a fine acceptable line of action between the scylla of share everything (which mean no privacy) and charybdis of share nothing (which means no internet), and it might (unfortunately !) be upto the politicians to draw it...
With so many centralized services making up what the average person thinks of as “the Internet”, if the centralized services disappear, isn’t that the same as “turning off the Internet”?
I wonder if there’s a threshold yet to be crossed where “shutting down the Internet” becomes a fad? Where people begin abandoning social media en masse? This idea actually makes me a bit hopeful!
What many people in this thread get wrong is that the problem is not and never has been posts, photos or messages shared with the public or a person that can reasonably be expected to be in the US. This data is mad explicitly public, and by posting, the user grants consent to distribute - worldwide. The problem is, however, with tracking data facebook runs it’s advertisements on. This data is compiled from a number of things, but must be orderly protected. That is - in my opinion - only possible in a federated service model. Anything that is explicitly shared and needs to be delivered in the US (or anywhere, for that matter) still will be. The GDPR and the concerns over the SCC only concern the ad path. Federating facebook will likely hurt their ad business, and, to make it worse, they still need to ensure the US has no jurisdiction (even if they would like to have it). This seems only possible by making the federated company 100% independent, which brings its own problems.
The reality is that Facebook (and meta, for that matter) very well could do that. But they probably won’t, because it would hurt their bottom line.
Can someone please explain exactly what data is the issue here? Is Facebook being targeted just because of their scale or is anyone who runs an online service expected to keep any data from their European users on EU servers? Is there a TLDR of the laws applying to transatlantic data transfers anywhere?
Meanwhile Brits needs to confirm your age with your phone operator before accessing certain pages (even if it is just switch).
And how is it going with proposal to ban encryption in UK?
> International data transfers underpin the global economy and support many of the services that are fundamental to our daily lives. For many years, the legal framework supporting the transfer of data across the Atlantic has faced severe disruption.
Huh, if I were a Facebook investor I'd be pretty disappointed to hear that they've known this was an area of active disruption for years but haven't managed to rework their business model to avoid it.
Their whole function is letting people send data to other people. The EU saying that it's illegal to send data to a US company is a pretty unsolvable problem for them.
I am as certain as one can be without any capacity to prove it, that fb and meta and Mr. Zuck.. are subject of some sort of attack for the past 2 years (the intensity/frequency of critical opinion pieces went up within the last 2 years).
It's entertaining albeit unfruitful to wonder who could be behind. FB's reputation has been tarnished specially in the USA (which hints that it's an interest originating in the USA).
I'm not saying all criticisms are without merit, I'm saying that's very interesting that so many 'different' outlets have begun to directly criticize Facebook.
I like stratechery's opinion that a lot of FB's problems (legitimate concerns under scrutiny) aren't really FB's but the Internet's (given that FB is a large portion of the internet, and for certain users it's really most of the internet).
tl;dr; it sure seems like a lot of FUD about facebook these days.
> It's entertaining albeit unfruitful to wonder who could be behind.
I'm not associated with anyone and I'll shit on fb/zuck as long as I can, I doubt I'm the only one. They're so widely criticised because they're the epitome of everything one can possibly hate about modern tech companies.
Google has immediate, easily discernible and credible utility to the average person. If I want to find "best recipes for brownies" Google helps me there regardless. I have clear intent to find the best recipes for making brownies.
On Facebook my 82 year old grandma might post an article like "BEST BROWNIE RECIPES FOR SOUTH FLORIDA GRANDMAS" that might hit my feed.
Of course there must be a lot of people who might have an agenda to destroy Zuck and/or Facebook, so it could be that, but personally I think the media just capitalises on the sentiments that already exist in society because that's the way to get more clicks. So, those stories that make people outraged about Facebook or Billionaires get amplified. But for Facebook especially, people have love-hate relationship with it because a) it's clear now that it is bad for society b) people need it at the same time because it continues to be convenient. So those stories in the media are really good for clicks because Facebook is not going away despite its issues, so it's always giant drama.
It's because Facebook and Google tolerates far-right content on their platforms. That is why they're being targeted by progressive MEPs from the EU and liberal American media.
As an EU citizen I will not miss Facebook but it's healthy to be aware of what is actually going on instead of pretending Brussels care about my privacy.
"Brussels" is not one entity and this is not just about Facebook. Strange that some people are so invested in political believes that they need to insert it in places one would not expect. Do you know that there was lot of right not only far-right content removed from FB?
> I will not miss Facebook but it's healthy to be aware of what is actually going on
Maybe you did have uncovered "what is actually going on" or maybe you are just driven by "enemy of my enemy".
Point being: to all the commenters saying no one cares, a lot more people care than you think.