
> It's all very myopic and US-centered to focus on the company's freedom to do as it pleases.

The Dutch DPA is not accusing Uber of doing anything nefarious. They are mad that Uber, as an American company, can be compelled by the US government to hand over data. Ultimately, their beef is not with US companies, it’s with the US government.

This is all wildly ironic because the EU is constantly trying to spy on their own citizens and undermine encryption. The EU is just upset that the US is able to do it instead of them.

This is just companies being caught in a geopolitical spat between competing powers. The EU keeps moving the goalposts on what constitutes “safe” transfers (we’re on the 5th round of this). So there’s no way for companies to be compliant unless the US government changes its laws. So right now it’s just a lever to extract money from US corporations via never ending fines.

The US government and the EU need to sort this out. Blaming the companies shows a total lack of understanding of the real situation. I get that we all hate big tech now, but there’s literally no way to comply in good faith with these competing EU cash grabs over the shifting specifics of how you can transfer data to US servers.



That's a nonsensical load of hyperbole, pardon my French. It's not particularly difficult to be careful with personal data, it's just inconvenient and prevents all kinds of uses that can make you money - which is why US corporations would prefer to not implement it. But if you want to do business in the EU, you need to play by their rules. Simple.


At my company, we do business in the EU. It's a wide market with many opportunities. We're extremely careful with personal data: we do not intentionally collect user data, we do not share data with any third-party (and certainly never sell it)!

Importantly though, the law does not suffice with "careful". We *think* we have our bases covered and are careful to try to ensure they are but we're not sure how to *know* our bases are covered. There's the fear that some logs that we believe are anonymous might be considered identifying by some data scientist armed with techniques we've never heard of. There's the concern that some third-party library might dynamically pull in a font-set that comes from a US-based CDN based on some user configuration that we don't foresee. There's the anxiety of asking "Did we forget something? Is the DNS server in us-east-1?" when trying to roll out new features.

These are all strawmen, but they represent the kind of anxiety we feel. Having done our best to respect the requirements and the spirit in which they were written, there's the fear that we were imperfect in our awareness and that that something could cost us a fine that would have gone to someone's salary.

I would very much condemn the indiscriminate collecting, reuse, and selling of personal data, but I would also caution that those of us wanting to play by the rules find them lacking in precision.


> These are all strawmen, but they represent the kind of anxiety we feel.

No idea why you would feel the anxiety. If you're found lacking, you will first get a notification from the DPA asking you to remedy the situation. You won't even be fined.


I have soberly explained the actual situation to you. I know it’s impossible to have a rational conversation about privacy on HN and my comments go against the narrative everyone has stuck in their heads here, but I urge you to look further into this issue.

This is an ongoing geopolitical spat and compliance in good faith is currently impossible.

I have spoken to many lawyers about this. Any US company operating in the EU is at risk of constant fines no matter what you do, due to this geopolitical issue.


> Any US company operating in the EU is at risk of constant fines no matter what you do, due to this geopolitical issue.

So why don't the poor trillion-dollar supranational corporations do anything about it?

I can tell you why: they are happy about this. And you can often find they sign their support for these laws in the US.

--- start quote ---

The CLOUD Act primarily amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil.

The CLOUD Act received support from Department of Justice and of major technology companies like Microsoft, AWS, Apple, and Google.

https://en.wikipedia.org/wiki/CLOUD_Act?wprov=sfti1#

--- end quote ---

Boohoo cry me a river about the plight of these poor hapless companies.


Since the company getting fined is also the company that spied on police car positions in the US I don't think that this type of shady behaviour helped in showing good faith in this case.


>This is all wildly ironic because the EU is constantly trying to spy on their own citizens

I am assuming you refer to a law proposal that was rejected, but did you know Americans were sponsoring and pushing that law proposal to spy on chats? Yeah same CP people.

Also there is a GIANT difference between a country "spying" on their own citizens and the USA spying on foreigners: a country has a constitution and laws that protect the citizens' freedom, whereas the USA has no laws that protect foreigners' freedom, so the NSA guys could watch an EU citizen's photos, read their emails, since they are not from the USA they are lesser humans.


>The EU keeps moving the goalposts on what constitutes “safe” transfers (we’re on the 5th round of this)

This is a wrong phrasing of the problem: The US is not, and has never been, a safe haven to transfer personal data to. However, it would significantly impact trade (and policing) concerns between the EU and the US if that statement were to be treated seriously. This is why the European Commission and the Parliament have repeatedly tried to create a framework which allows transfer of data despite the US' insistence on secret access to the data without due process (aka secret courts, which cannot be due process by any reasonable definition). European courts, again repeatedly, have taken the stipulations in various laws guaranteeing rights to citizens seriously, and keep striking down the badly made frameworks. It's not "shifting goal posts", but rather "not willing to accept the political costs of respecting citizens' rights".


The people advocating for more privacy in the EU and pushing legislation like GDPR aren’t necessarily the same people who want to weaken encryption. Lots of things going on in the EU at the same time.

I agree though that it can be hard for a US company to comply with GDPR as every country seems to interpret it slightly differently. The same difficulty is coming on the AI legislation side.


Government spying on citizens is one thing. Companies is another. GDPR applies mostly to the latter, and in practice, today, most people in Europe aren't being harmed by their governments spying on them, but they are being harmed by private business abusing personal data.


I would much rather companies “spy” on me than the government.


That's a pretty outdated preference in the current age in the West.


I'd prefer if neither was the case. In the US, you can be certain that both are true.


But the US can, and perhaps did in the past, and perhaps will in the future, be able to access all that data nonetheless. It's not a dichotomy.


"These cannibals keep eating people because their country's laws allow it. It's not right to blame the cannibals, the governments should figure it out."


Except in this case people love being eaten and keep volunteering to be eaten by the cannibals.


There is no actual OR theoretical harm from the companies. Only theoretical harm in the event the US government decides to spy on an EU citizen.

The correct analogy: “There’s cannibals in both countries' governments. Country A claims Uber hasn’t done enough to protect from Country B’s government cannibals.”

This ignores the shifting rules around proper data transfers to the US, but you wanted a pithy logical fallacy, so there you go.



