I'm really curious what would happen if those companies followed the law.
My bet is that they would entirely stop doing business in the EU, because I'm suspecting that data collection is the cornerstone of google/facebook/etc's business model.
They cannot properly advertise if they don't collect data.
To me it's a bit similar to what happened with China. China doesn't want the US to get data on chinese people, but their solution was to just block those companies.
The EU uses courts to protect itself, but I guess the result would be a bit similar.
The expulsion of US tech led to a native Chinese tech industry fully compliant to Chinese law. They didn't go back to the Stone Age (which was the prediction of US experts at the time).
Is that enough? If a company uses google services , they are liable if google decides to take a bite at this data (because e.g. NSA asked them to). And it's not enough if google makes a contract that promises not to do so. the company is essentially liable for the NSA
- Ironically, if Google does create an EU spinoff just to run analytics as a free service, it will kill the local competitors
The point of hosting the data in Europe is that the law can intervene before that data is re-shared outside of Europe. (And to be frank, the NSA is not the target; the GDPR has lots of exceptions for intelligence agencies.)
Turns out, shockingly, that Google already have some in the EU for some totally unknown reason. Might have something to do with making $XX billion in the region each year.
This ruling doesn’t have enforcement recommended (yet), but under GDPR, the EU's data protection authorities can impose fines of up to up to €20 million, or 4% of worldwide revenue for the preceding financial year, whichever is higher. I’m not sure whether this offense would rise to the full 4%, or only a lesser 2%, if it came to enforcement.
A little bit more. The management of that data should also happen by people falling under the GDPR, so either EU members or people living in country's with compatible laws. The USA explicitly is not, because of the FISA courts with secret justice.
The problem is, some USA Googler can issue a query to an EU server and still access data he's not supposed to see. A FISA court can require him to do that and not tell anyone. No legal document written by a business can override a court decision, so nothing any US company can do helps here.
Google might create a local company with local personnel. The theory goes, when the USA Googler orders a lookup of some date, the EU Googler says can't do that, it's illegal.
I wonder why Microsoft's Office365 or Windows platform aren't hit by these lawsuits. The issues are the same, and the information gained seems much more interesting.
I don't believe that 3 letter agencies will care about the physical location of the user data. So storing the data in europe might not solve this issue.
Well, with data residing in the USA, US three-letter agencies can just ask the data operators to give them the data. I'm sure the same is true of French three-letter agencies for data residing in France, or possibly even the whole EU.
BUT, it's much harder to US three-letter agencies to obtain access to data residing in France, or the other way around - that would require hacking, and that carries a much higher degree of difficulty and risk (not that I would ever imagine it doesn't still happen).
The GPDR is explicitly not about trying to get you protection from state-operated intelligence agencies, and in fact within the EU state agencies like that are explicitly exempt from it.
It would be if the EU had the legal powers to do so, however the EU's treaties reserve national security to the member states.
EU law does apply when national security concerns of non member states are engaged, though hence the Schrems cases succeeding (and why the UK in on shaky ground when it comes to equivalency decisions post-Brexit).
Maybe the GDPR issues would be resolved if countries would settle and agree how to do surveillance on their population... Obviously the gears of silicon valley turn faster than the gears of intelligence agencies.
I would have thought they do. There is also a decent chance that at any given moment even Google have absolutely no idea where a given piece of information is physically located (and mirrored to X times).
My bet is that they would entirely stop doing business in the EU, because I'm suspecting that data collection is the cornerstone of google/facebook/etc's business model.
They cannot properly advertise if they don't collect data.
To me it's a bit similar to what happened with China. China doesn't want the US to get data on chinese people, but their solution was to just block those companies.
The EU uses courts to protect itself, but I guess the result would be a bit similar.