Can someone clarify for me why the physical location where data is stored is a big deal? Why does the US need stronger laws here?
This is probably just my inner naive technologist speaking, but I really enjoyed the moment of time during which the internet was a global network of computers that created a virtual space where physical borders were largely irrelevant. So it's a bit jarring for me to see people take for granted the idea that borders matter on the internet after all.
> Can someone clarify for me why the physical location where data is stored is a big deal?
What can you do if your data is silently copied by third parties and used for other activities? What if I build a ghost profile of you and steal your identity when I have enough data? What if I relay that you have a fancy car to some people who have the means to get that from you while sleeping? What if I craft a good scam by targeting you with your own data?
It's not about data is sent to where, it's about what happens when it arrives to the physical servers, who has access to these files, and what can they do with it.
When I visited the states, I got EZ-Pass spam/scam e-mails for a year, on an e-mail I gave to nobody when I was there. So, these laws matter.
> It's not about data is sent to where, it's about what happens when it arrives to the physical servers, who has access to these files, and what can they do with it.
Right, but the EU can only enforce its laws on companies that have a presence in the EU. A company that doesn't do business in the EU and never will do business in the EU will not obey EU law regardless of what those laws say.
Meanwhile, a company that does business in the EU would be subject to fines by the EU and wouldn't be able to dodge them without just stopping doing business in the EU. So why do the laws not just say "here's how you have to treat data belonging to our citizens if you want to continue to do business in the EU"? Why does the physical location of the data that is being thus protected matter at all?
That works fine if the company itself stores the data, but becomes difficult to enforce when 3rd parties store the data. Imagine a company with an EU presence stores it's EU data in US, with a hypothetical cloud provider that doesn't have an EU presence.
The company would need to have a DPA with it's cloud provider. That cloud provider technically would also need a corresponding DPA with any 3rd parties that they themselves use, except without an EU presence that is hard to enforce.
In this case where there is one hop you could argue that it's the companies responsibility to ensure that their service providers are operating in compliance. Imagine the same scenario, but with one, two or more middlemen and the whole thing becomes an unenforceable mess of jurisdictions for the company to do meaningful due diligence on their service providers.
It's much easier for the EU to say EU data has to be stored in the EU, and know that any party touching the data is likely to be in compliance, and significantly easier to investigate if they are not.
There's also the Cloud act, which makes it illegal for US cloud providers to refuse data access requests from the US government.
As far as I understand, the EU is fine with you sending data to other countries, as long as those countries have the same standards for data protection. In the EU's opinion, the Cloud act, as well as the whole NSA situation, mean that the US doesn't fulfill this definition.
> Can someone clarify for me why the physical location where data is stored is a big deal?
Because the place where data is collected and stored may have different rules around privacy and data protection then the place it is exfiltrated to.
If I give my data to a company in one place that has strict laws on what may be done with that information, I don’t want it escaping to a low-protection jurisdiction where there are no penalties for selling it to the highest bidder for god knows what purpose.
If there was an acceptable worldwide convention on personal data privacy that would solve the problem. Until there is, it matters a lot.
But again I ask, why does the physical location of the data matter? Why do the laws care?
The EU has a law that said you must treat data of their citizens with respect. Fine, that's great. Any business that has a presence in the EU will need to follow that law. At that point, why does it matter where the bits are actually stored? Can the EU for some reason not enforce its privacy laws on Uber if Uber keeps its data somewhere else?
Conversely, if a business has no presence in the EU, can the EU enforce its data location laws on them?
The only thing that seems to matter for enforcement is where the company is located, so I'm really unclear what data location has to do with anything.
> Can the EU for some reason not enforce its privacy laws on Uber if Uber keeps its data somewhere else?
Yes. Even assuming these laws still work if data is in another jurisdiction (prob. not), they become unenforceable. If someone sells your data in, say, Somalia, how could EU gather evidence and start a legal process?
> Can the EU for some reason not enforce its privacy laws on Uber if Uber keeps its data somewhere else?
Maybe not, especially if they are separate corporate entities. Uber EU may choose to pay for operation of data storage by Uber US. Uber US is not under the same privacy restrictions and sells the data for profit, then what? Who sues who and for what?
This is also partly about governments - the US in particular is known for compelling access to servers that are on its soil and doing large-scale spying (not that EU powers don’t do the same, but bear with me). Companies operating in the US may not be legally able to guarantee data privacy. So having the data not enter US jurisdiction in the first place is considered safer.
Global network of computers where data ultimately flowed to American mainframes. Countries realize data is a resource / liability / vunerability, and even if most struggle to profit from it, they'd still want sovereign control over it. You only really control things on your soil. Physical location / possession matters for control.
> You only really control things on your soil. Physical location / possession matters for control.
This feels like an outdated worldview that no longer really applies to data. Data can be exfiltrated from the EU in milliseconds and there's nothing that the EU can physically do about it short of setting up a great firewall a la China.
The only thing they can do about it to retain sovereignty is to tell companies they're not allowed to exfiltrate data. But if they can do that successfully, they can also just tell the companies what they're allowed to do with the data wherever it is in the world.
Someone illegally exfiltrates data from within your jurisdication and you can use _your_ legal instruments. Someone uses your data stored on another jurisdication and your legal options more limited or even powerless. Data is too leaky to prevent, so states focus on having the most tools to deter, including legal. And for some legal instruments to have maximum effectiveness, the location of physical molecules are important.
> Someone uses your data stored on another jurisdication and your legal options more limited or even powerless.
If that someone is a legal entity within your jurisdiction, you have lots of options.
I edited my original comment to link to someone who gave a good explanation—what I hadn't considered is how difficult tracking suppliers and subcontractors recursively and ensuring that they all have a presence in the EU would be. I think it's a bad solution to that problem, but it does make sense.
What does that even mean, though? Data does not have a location. It's just information. The fact that "I live on 123 Oak Street" is data. It's not anywhere. How can you say that it's in a particular country? This post might be read by people all across the world. Now that information is in many different countries? Or none at all? Is it simply about where the physical hard drive containing a textual representation of that data is located? What makes that relevant?
These laws seem to have been written for the age of fax machines, not for today.
The reason why the physical location matters, besides latency, is that certain governments have laws in place that allows them access to any data in their territory.
In the case of EU countries (I think its part of gdpr), services that handle personal data need to make sure that that data stays safe. The only way they can do that is to make sure that the data stays in a certain region.
I think that is why op is advocating for stronger laws. Due to lax privacy laws in the US, it's impossible for European companies (and other privacy concerned companies) to host their data in the US, therefore your missing a share of the market
> certain governments have laws in place that allows them access to any data in their territory.
This explanation makes sense, but assuming "certain governments" includes the US then the remedy isn't stronger laws in the US, it's weaker laws—it means that the US was the first to break the borderless internet and it needs to rewrite its laws to be border-agnostic.
Can someone clarify for me why the physical location where data is stored is a big deal? Why does the US need stronger laws here?
This is probably just my inner naive technologist speaking, but I really enjoyed the moment of time during which the internet was a global network of computers that created a virtual space where physical borders were largely irrelevant. So it's a bit jarring for me to see people take for granted the idea that borders matter on the internet after all.
Edit: 0x62 has a good explanation here: https://news.ycombinator.com/item?id=41357888
I hadn't considered the recursive nature of suppliers.