OTOH it's behind a stupid paywall
Kinda crazy how Irish regulators did everything in their power to avoid this outcome. But I guess that's why Meta and other big players are situated in Ireland, they rely on them not enforcing stuff and some meager taxes.
So $120m/year fine?
That’s a rounding error
Not that bad
If I understood correctly, if they keep transferring data to the US before CJEU considers that the new deal does satisfy regulations, they may just be setting themselves up for another record fine.
I'm fine with this.
For this reason, I don't think we'll ever see a Chinese-style expulsion of US tech companies from the EU.
Therefore, we've seen over a decade of a dance between the judiciary banning data transfers to the US (Safe Harbor ruling, etc) and then politicians overturning these rulings before it actually impacts anything.
Care to point me in the direction of more information about this?
Despite all of this, we haven't seen any creation of an EU internet, and even in this latest ruling, they've suspended the ruling until they hope the new system comes into place that will allow cross-border data transfers to the US.
The point being that politically, there is no desire in the EU to cut themselves off from the US internet as you see in China, Russia, etc.
> 273. In light of the above, the EDPB instructs the IE SA to impose an administrative fine on Meta IE for the infringement of Article 46(1) GDPR that is in line with the principles of effectiveness, proportionality and dissuasiveness under Article 83(1).
> 279. In light of the above, the EDPB instructs the IE SA to include in its final decision an order for Meta IE to bring processing operations into compliance with Chapter V GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR, within 6 months following the date of notification of the IE SA’s final decision to Meta IE.
I understand the financial incentive for Ireland to be an attractive host country for tech companies, but as the article points out, this took on truly ridiculous dimensions. Even more so after May 2018, when the GDPR was published, which -- by recognizing the protection of PII as a fundamental right -- dealt a massive blow to the "productize your customer" business model.
> Ten years, three court proceedings and millions in legal costs. The Irish DPC’s role in this procedure is exceptional, as it has consistently tried to block the case from going ahead, in 2013 it rejected the original complaint as “frivolous” – requiring Mr Schrems to go all the way to the CJEU. The DPC then took the view that it cannot take action, given that Meta made use of so-called “Standard Contractual Clauses”, which was again rejected by the CJEU, who told the DPC that it must take action. Finally, the DPC tried to shield Meta from a fine and the deletion of data that is already transferred, just to be overturned by the EDPB. Overall these procedures lead to costs of more than 10 million Euro - the fine, however, will go to the Irish state.
This is big news:
"Furthermore, the EU's Collective Redress Directive must also be implemented this summer, which will for the first time allow collective actions by European users for GDPR violations."
A = <totally random bits>
B = <personal data> XOR A
Store A in USA
Store B in EU
The data is not stored in EU, and it's not stored in USA either. It's not stored elsewhere. But Evil Corp still has it!
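The scheme in the comment above is a two-share XOR (one-time-pad) secret split. As an added illustration, not part of the original thread, this Python sketch generalizes it to n shares and shows both halves of the point: one share alone is consistent with any plaintext of the same length, while whoever holds every share recovers the record exactly. Function names and the sample record are constructed for the example.

```python
import secrets

# Constructed sample record, standing in for <personal data>.
SAMPLE_RECORD = b"name=Alice Example;dob=1990-01-01"

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def split(data: bytes, n: int = 2) -> list[bytes]:
    """n-of-n split: n-1 uniformly random pads, plus data XOR all pads."""
    if n < 2:
        raise ValueError("need at least two shares")
    pads = [secrets.token_bytes(len(data)) for _ in range(n - 1)]
    last = data
    for pad in pads:
        last = xor_bytes(last, pad)
    return pads + [last]

def combine(shares: list[bytes]) -> bytes:
    """XOR all shares together; only the complete set yields the data."""
    out = bytes(len(shares[0]))
    for share in shares:
        out = xor_bytes(out, share)
    return out

def pad_explaining(share: bytes, claimed: bytes) -> bytes:
    """Return the pad that would make `share` decode to `claimed`.

    Such a pad exists for every plaintext of the same length, which is
    why a single share carries no information about the record.
    """
    return xor_bytes(share, claimed)

if __name__ == "__main__":
    a, b = split(SAMPLE_RECORD)          # A stored in one place, B in another
    decoy = b"x" * len(SAMPLE_RECORD)
    # B alone is equally consistent with the decoy as with the real record.
    assert combine([pad_explaining(b, decoy), b]) == decoy
    # The party controlling both locations still has the data.
    assert combine([a, b]) == SAMPLE_RECORD
    print("recovered:", combine([a, b]).decode())
```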
Globalised tech companies caught in the middle here, hard to see how they can continue to service global markets without a huge per-country localisation effort. Ones that could do it will increase cost (passed on to users of course), those that cannot withdraw from the market, furthering the fragmentation of the global internet. May not be a bad thing overall, especially for local players and for national sovereignty evangelists.
Even if cloud providers use local datacenters they are still in "violation". If the US makes a data request using CLOUD act, they will have to comply, no matter where these servers are sitting.
Ironically, the EU intelligence services are happy to take the anti-terrorist information that the US is extracting with the CLOUD act and sharing with them.
Well, the whole "global jurisdiction" is iffy for the rest of the world.
Yep, especially if they have to play by different rules and have different values than the companies they try to compete against.
You (the company) could maybe instead protect everyone's data equally (or rather, avoid slurping up as much personal data as they possibly could), then you won't have to go through the whole process of making everything per-country localized.
By GDP, the European market is the second largest in the world, it's hard to imagine US companies would try to avoid it without thinking about it for a good while.
The problem with protecting everyone's data equally (and the point of why EU courts are rejecting the current regime) is that national laws override company intent. If a US company is served a national interest letter, they are giving up the data and keeping mum about it, or someone is potentially going to jail. And nobody will go to jail to protect the data of a user of a free (or a $8/mo, whatever) service.
This happens similarly in other countries - China, obviously; UK has a similar "national interest" rule; I don't know about the EU but I wouldn't be surprised if their spies and law authorities have also codified access on an as-needed basis for themselves. It's all the other kids that must be kept out of the personal data sandbox.
Avoiding collecting the data in the first place is far more robust against this sort of government behavior. There are organized government efforts to mandate centralized data collection and facilitate access anyway (e.g. UK's attempts to ban end-to-end encryption), so we'll see if that approach holds.
True globalization (one global rulebook) is probably not achievable, considering all the different aspects of societies in this world (degree of capitalism, degree of privacy, degree of social class responsibility, degree of liberal society, degree of ...).
The G7 countries (aka US, EU, JP, Australia) are lucky to have a rough idea on what that should be. When you talk to China then you start banning stuff instead of playing court fines and regulatory alignment.