The UK has all the EU laws it had before Brexit. It needs a new law in the UK to remove existing things. UK will not lose protection until the UK decides upon it.
> The UK has all the EU laws it had before Brexit. It needs a new law in the UK to remove existing things. UK will not lose protection until the UK decides upon it.
> * the Charter of Fundamental Rights of the European Union;
> * the legislative instruments known as EU directives themselves (as opposed to the legislation implementing them or rights and obligations under them, which will be retained);
> * the principle of supremacy of EU law (for prospective legislation); and
> * the Francovich principle of state liability (in relation to post exit facts).
Britain never was bound by the
EU Charter of Fundamental Rights. Read the small print....
Protocol 30: ON THE APPLICATION OF THE CHARTER OF FUNDAMENTAL RIGHTS OF THE EUROPEAN UNION TO POLAND AND TO THE UNITED KINGDOM...
1. The Charter does not extend the ability of the Court of Justice of the European Union, or any court or tribunal of Poland or of the United Kingdom, to find that the laws, regulations or administrative provisions, practices or action of Poland or of the United Kingdom are inconsistent with the fundamental rights, freedoms and principles that it reaffirms.
2. In particular, and for the avoidance of doubt, nothing in Title IV of the Charter creates justiciable rights applicable to Poland or the United Kingdom except in so far as Poland or the United Kingdom has provided for such rights in its national law.
Article 2
To the extent that a provision of the Charter refers to national laws and practices, it shall only apply to Poland or the United Kingdom to the extent that the rights or principles that it contains are recognised in the law or practices of Poland or of the United Kingdom.
the ECJ ruled that opt-out to be meaningless in 2011
> "... does not intend to exempt the Republic of Poland or the United Kingdom from the obligation to comply with the provisions of the Charter or to prevent a court of one of those Member States from ensuring compliance with those provisions"
this is a common criticism of the EU and the ECJ: what was negotiated by the member states during treaty revision is irrelevant if the ECJ can strike out whichever bits of it pleases at will (with no appeal/recourse possible)
> In addition, according to the sixth recital in the preamble to that protocol, the Charter reaffirms the rights, freedoms and principles recognised in the Union and makes those rights more visible, but does not create new rights or principles.
Additionally, let's consider the alleged opt out, Protocol (No 30), itself. Its Preamble literally says:
> the aforementioned Article 6 [TEU] requires the Charter to be applied and interpreted by the courts of Poland and of the United Kingdom strictly in accordance with the explanations referred to in that Article
In summary, the UK and Poland signed a legal document. They then, for political reasons, signed a meaningless political statement saying ‘we don't really like this’. Of course the political statement carries no legal weight compared to the legal document.
The ECJ has determined that this ruling will have no effect post-Brexit because it will have no jurisdiction on any case not already before it pre-Brexit.
regardless, the critisism of the ECJ still stands: it operates as a political court that almost always rules in such a way that extend the EU's power over that of its member states
even when the letter and the spirit of the treaty was the complete opposite (as in the above example)
poles should never have been able to negotiate any such out on anything titled 'fundamental rights'. It's ridiculous they have been able to do this. The price for admittance has always been that prospective members are up to EU standard on such things. ECJ is therefore correct in its judgement.
And pretty much ever since the GCHQ/conservative UK government have been freaking out about it and it's been one of the main reasons they wanted out of the EU.
The GCHQ really, REALLY wanted out of the fundamental charters of rights. I mean the ECJ has ruled like twice or thrice against their mass surveillance activities, but they've managed to buy time by "updating the law" in ways in which a new ruling was needed to show once again that their mass surveillance laws are STILL violating the charter.
My departure from the UK was initially due to the post-Brexit impossibility of fighting the latest of those laws, the Investigatory Powers Act. There is a technical difference between the EU and European Court of human rights et cetera, but politically they are seen as equivalent by the UK.
On the day thre results came in I had been of the opinion “it can’t be too bad, because only an idiot would hold a referendum on something important where the wrong result was possible” — Although it quickly became clear Brexit was inherently a terrible plan implemented by incompetent politicians, and therefore Cameron was in fact an idiot, adding to my reasons to leave the UK.
I hate to break it to you but France and Germany both have intelligence agencies that operate in the same way as GCHQ, both are allied with the NSA (although not to the same extent), and all of these governments care equally little about the matter. There is no EU exceptionalism here - their agencies just aren't quite as well funded or quite as good at hacking. But the differences are minor.
Perhaps you believe that whilst the member states are pro-mass surveillance, the EU itself isn't?
There's no real difference between countries on the matter of mass surveillance. I wish it were the case, but it's also hard to argue that they should be totally pro-privacy and shutting down their intelligence agencies when the public doesn't care and in fact, a big chunk of the public wants better protection from terrorism.
Whilst the consensus on sites like HN may well be that mass surveillance is dangerous and bad, that argument hasn't been won with the general public. At least, not yet.
> I hate to break it to you but France and Germany both have intelligence agencies that operate in the same way as GCHQ, both are allied with the NSA (although not to the same extent), and all of these governments care equally little about the matter.
I’m aware. The point is that a court that can override a government is the only way a private person like me could possibly limit such an agency to the strictly necessary — and even then only when their excess gets leaked, because the courts obviously can’t know about it before then.
Why would you want to fight RIPA? Spying was happening on a large scale, mostly unregulated. Lots of different agencies were doing it: security services, law enforcement, through to local authorities (eg, child protection social workers using social media comments in court cases) and even schools (to check whether parents lived in the relevant catchment area).
RIPA put a stop to a lot of the worst snooping, and gave real protections to citizens for the rest of it.
There are parts that are worrying (key disclosure), but so far that's not being misused.
> I'm sorry, but the will of the people is never "wrong"
The city I live in has gold-coloured plaques on the ground outside random homes memorialising all those who died because the people elected a dictator.
Democracy is “least bad”, not “incapable of fault”.
>> The city I live in has gold-coloured plaques on the ground outside random homes memorialising all those who died because the people elected a dictator.
> A Stolperstein (German pronunciation: [ˈʃtɔlpɐˌʃtaɪn]; plural Stolpersteine; literally "stumbling stone", metaphorically a "stumbling block") is a sett-size, 10 by 10 centimetres (3.9 in × 3.9 in) concrete cube bearing a brass plate inscribed with the name and life dates of victims of Nazi extermination or persecution.
> The Stolpersteine project, initiated by the German artist Gunter Demnig in 1992, aims to commemorate individuals at exactly the last place of residency—or, sometimes, work—which was freely chosen by the person before he or she fell victim to Nazi terror, euthanasia, eugenics, deportation to a concentration or extermination camp, or escaped persecution by emigration or suicide. As of 23 October 2018, 70,000[1] Stolpersteine have been laid making the Stolpersteine project the world's largest decentralized memorial.[2][3]
> The majority of Stolpersteine commemorate Jewish victims of the Holocaust.[4] Others have been placed for Sinti and Romani people (then also called "gypsies"), homosexuals, the physically or mentally disabled, Jehovah's Witnesses, black people, members of the Communist Party, the Social Democratic Party, and the anti-Nazi Resistance, the Christian opposition (both Protestants and Catholics), and Freemasons, along with International Brigade soldiers in the Spanish Civil War, military deserters, conscientious objectors, escape helpers, capitulators, "habitual criminals", looters, and others charged with treason, military disobedience, or undermining the Nazi military, as well as Allied soldiers.
> Did the dictatorial killing take place transparently within the rule of law?
Within the rule of law, yes — though the standards of international law were changed retrospectively after the event because of how obviously evil it was.
Transparently? I’m not sure. What would your standard be for that?
I’m not sure why you see your point as a relevant counter-argument though: the people voted, several minorities were systematically exterminated.
Someone who has by that point written a book saying that the minority he hated needed to exterminated and that the process would be bloody.
I will not name him. Naming him serves no benefit, especially as I do not wish to conflate him with Leave, merely to demonstrate that democracies are capable of being wrong.
If I were, would it be good or bad? Would it even matter at all?
Remember the specific thrust of argument in this subthread isn’t to demonise Leave voters it’s just to demonstrate that it’s possible for democracy to give bad answers. Mentioning He Who Cannot Be Named isn’t going to help separate concerns here, rather the opposite.
If that implies true answers can be bad, I agree: they can upset whoever one is trying to communicate with to the point they shut you out entirely.
History is my source of facts, not me personally. If I am not being unambiguous already, then there is more than one example of the situation I have described.
It can be morally wrong, or financially wrong, or wrong in terms of human rights, or wrong for minorities. There's many types of "wrong". Just like you can make a "wrong" decision for yourself when having to choose between two options, the society can choose "wrongly" when presented with a simple yes/no question. There's a difference between that choice being invalid and wrong.
Even that term "will of the people" is a kind of assault on rationality.
It was a vote at one time, once, 4 years ago, with a 2% victory.
The "will of the people" excludes all desires and agency from 15m+ people, who did not want this, in a civilised society subsuming those people to be "wrong" or to be ignored is a recipe for some deeply unpleasant and authoritarian thinking.
Also, 17 million people elected Hitler in 1933 in Germany, that did not make it "right". Dangerous times.
> It was a vote at one time, once, 4 years ago, with a 2% victory
What criteria should I cherry pick in order to invalidate a result? Can I apply the same logic the the one that added the UK to the EU?
> in a civilised society subsuming those people to be "wrong" or to be ignored is a recipe for some deeply unpleasant and authoritarian thinking
I didn't describe remainers as "wrong", I responded to a comment describing leavers as "wrong".
However, as to "ignored" - why not? I'm sure it's unpleasant to lose a democratic vote, but its not "authoritarian".
> Also, 17 million people elected Hitler in 1933 in Germany, that did not make it "right"
Make what right? That they elected him? or that he became chancellor?
Conflating brexit with Nazi elections is what I consider truly "dangerous". Many things happened after that election that contributed to the rise of Hitler.
> Can I apply the same logic the the one that added the UK to the EU?
Yes, and you must — otherwise the vote to leave isn’t legit in the first place.
> I didn't describe remainers as "wrong", I responded to a comment describing leavers as "wrong".
What I wrote was “…only an idiot would hold a referendum on something important where the wrong result was possible” [added emphasis]. That’s not leavers being wrong, that’s leave being wrong. Politically, it was the wrong move for the PM and you can tell by him resigning immediately. I think that alone is sufficient to call him an idiot for having called the referendum, which is what I was doing. Him and his successors being idiots is the main reason why I think this is going to be much, much worse for the UK, not the mere fact of leaving the EU, the departure from which is something I estimate to be a “economically bad but if you want it that’s your call”.
I found your comment really interesting, I think there are quite a few vested interests involved in the desire to leave the EU. This and most notably the work on tax havens the EU was doing, the UK being one of the biggest with several opaque jurisdictions being under its control. Saying GCHQ doesn’t make political decisions by downvoting this is extremely naive.
What's the value of acknowledging that some vested interests hold the view though? At face value I mean. There are lots of legitimate economic reasons to consider leaving the EU, it's not the unilaterally bad decision that's become a meme around here and Reddit, the reason I say this being that it shouldn't be surprising in and of itself as a decision.
The only economic reason I can think of is “I have a plan which requires violating EU rules, which will be more valuable than the additional trade costs that will be caused in the event that the EU continues to think that that rule we want to violate is a good rule and insists on the UK not breaking it as a precondition for a zero-friction trade deal”.
I would be more optimistic if the UK government didn’t appear to hold the position “pivot to a no-manufacturing/service-only economy while simultaneously aiming for a trade deal that only covers food, mining, and manufacturing but not services”.
> The only economic reason I can think of is “I have a plan which requires violating EU rules, which will be more valuable than the additional trade costs that will be caused in the event that the EU continues to think that that rule we want to violate is a good rule and insists on the UK not breaking it as a precondition for a zero-friction trade deal”.
That is basically true. And the economics of this sort of situation is kinda funny; the only way Britain will be materially worse off is if the EU was giving Britain a free ride before Brexit - otherwise market forces will probably kick in and not much will happen in practice. Realistically it is hard to see Britain being worse off because of anything externally inflicted. If anything, their biggest losses will be due to getting the stuff they want; like restricting migrant inflows for non-economic reasons.
> the only way Britain will be materially worse off is if the EU was giving Britain a free ride before Brexit
Isn’t that the point of the club? To give all of the members a free ride with each other? In a well-defined way that doesn’t hurt each member but still a free ride?
Hmm. EU members get advantages from each other that non-members do not get, so by leaving the EU, the UK looses said benefit, which hurts both even if everyone else in the world retains exactly the same trading rules with each as they did before Brexit.
I’m not going to be too precise with terminology, but I didn’t realise you were being precise either or I would’ve at least looked up the concept before my previous reply.
The uk could veto anything from the eu so if they wanted to violate eu law they could have stopped it being created in the first place, there is no rational reason for brexit
In practice I agree; I was trying to be generous and find a situation where it wasn’t entirely silly. I don’t believe the UK government has thought this thought, or indeed know what it has already agreed to in the withdrawal agreement.
Many EU laws are badly thought out nonsense that doesn't make anything better and often makes things worse. So yeah, that's pretty much the meat of it. Lawmaking is hard. You say yourself, you view British politicians as incompetent - so you recognise that lawmaking is a matter in which competence can make a big difference.
A simple sort of plan that British companies might have could be, for instance, to not require tons of annoying cookie popups on their websites.
In other cases expect laws to get tighter. EU financial regulation isn't as solid as the UK's is. This was a sore point after the collapse of the Icelandic banks. British regulators had raised the alarm over those banks but could do nothing to stop them because they were regulated by Iceland and under EU rules the UK had to allow them to trade. When they went pop and the Icelandic government refused to bail them out, the Brits were left carrying the can. Given that financial regulation is popular with the public I'd expect that to be one of the areas in which regulations diverge.
In short, back then Law and Justice was a ruling party and they are very homophobic (see https://en.wikipedia.org/wiki/LGBT_rights_in_Poland#Law_and_...). They were worried Charter of Fundamental Rights might force Poland to grant homosexual couples the same kind of benefits which heterosexual couples enjoy.
Opting in after Law and Justice opted out is pretty much impossible because two-thirds majority is needed for that, and Law and Justice would block attempts to do so.
Probably because they negotiated it together - Poland and UK were effectively an alliance in EU institutions for long stretches, united by common defense and economic policies (aggressive NATO stance vs Russia, hardcore free-market support, etc). This is why one of the many effects of Brexit is an increased isolation of Poland and the other Visegrád members, who lost their biggest ally in EU circles.
Maybe. The Estonians come pretty close to Singaporean standards though. And the rest of the Scandinavians ain't too bad; apart from having high tax they don't interfere in the economy that much.
Countries like Estonia and Luxembourg, although EU members, hold little sway because of their size. Nobody will ever look at them and decide that they set a good model for larger countries.
Because they have very similar geopolitical views, they both view the EU as mostly an economic institution, are very pro-NATO, they are both free market supporters.
Poland alone isn't enough anymore to keep that view of the EU since the UK left.
Free market supporters you say? Current government is forcing state owned companies to buy bankrupt companies and subsidize them, just because they are 'Polish' (examples: PESA, Autosan).
The government also tries to nationalize some private banks, price of electricity is no longer 'free' and is now regulated. When subsidies are illegal, the government offers back payments for final users. Coal mines and power stations are expanded, and we already know that they won't be economically viable. Renewable energy sources have been successfully blocked by absurd requirements (for example distance of newly constructed wind turbines from other buildings makes 99% of Poland not suitable for such investments).
The charter is far more than just a bit of geopolitical meandering, it has far-reaching judicial consequences. Since so many things are decided in the courts these days, it's really quite important.
This artifact alone is legitimate grounds for non-participation in any such union.
While I empathise with the sentiment, the alternative to courts with the power to bind all parties — in this case governments — is that any party can violate any agreement at any time without consequence, making all of the agreements meaningless.
No, the alternative is courts that respect the boundaries of treaties. The ECJ can apparently rule that 'The Constitution is Unconstitutional'. Which is a problem.
Deciding what the treaty means is literally the job of the ECJ. I think (in both the sense of ”I believe it is” and “I believe it ought to be“) that that means it gets to decide which bits are or are not conscionable in much the same way and for much the same reasons that the UK courts get to decide that certain things cannot be signed away by contracts under UK law.
"Deciding what the treaty means is literally the job of the ECJ."
And there you have laid the foundation for the obliteration of liberal institutions.
This purview has taken hold in the last 50-ish years around the world, leading to Judicial Supremacy.
I would use a polite term like 'absurd', but I think 'stupid' is a better term for the powers that courts have evolved to have, to the point wherein they de-facto make the law, which is not correct.
If the EU legislators, with 1000's of the nation's top lawyers, cannot enact legislation that is lawful, then something is very deeply wrong. How is it that a handful of other lawyers, sitting in a different institution can have a fundamentally different reading of the same thing?
Any ruling by the court that overturns relatively recent legislation should cause calamity and consternation.
At very least there should be a means to translate legislation into law that facilitates the participation of some officials to make sure that it's legal.
You're effectively advocating parliamentary sovereignty. Which is a British tradition, no doubt - but most other countries aren't operating under these principles, and never did, so it's not a "last 50-ish years" thing.
I don't think Constitutionally-bound legislatures count as 'Parliamentary Sovereignty' moreover, the alternative, 'separation of powers' - is simply not that, it's just 'Judicial Supremacy'.
It's ridiculous that Europe's top lawyers make a treaty, and then some of Europe's other top lawyers say that it's illegal, whilst all reading the same, plain document. If the constitutionality of a law is 'not apparent' to Europe's top lawyers, then it's definitely not apparent to the other lawyers at the ECJ either; there should be a different process for determining the constitutionality of laws, that is separate from more common judicial rulings. And definitely the ECJ should not be able to rule on its own jurisdiction, this is crazy.
Love this bit from Wikipedia:
"The court ruled that the Community constitutes a new legal order, the subjects of which consist of not only the Member States but also their nationals. The principle of direct effect would have had little impact if Union law did not supersede national law. Without supremacy the Member States could simply ignore EU rules. In Costa v ENEL (1964), the court ruled that member states had definitively transferred sovereign rights to the Community and Union law could not be overridden by domestic law."
These are revolutionary proclamations.
"Oh, by the way, that treaty you signed that you thought meant that thing, well, we're going to rule that we have all the power. So, guess what, it meant something you didn't understand, and what you didn't know is that you were literally handing over sovereignty to us. Thanks, we own you now"
I’d have more faith if the heads of US corporations showed up when summoned to parliament.
Recent examples include Mark Zuckerberg (Facebook over Cambridge Analytica) and Irene Rosenfeld (Kraft; reneged on promises to UK government over take over of Cadburys. Refused 3 times).
Or if we were able to successfully extradite US suspects in the same way our citizens could be extradited to US. Recent examples are.. so numerous and high profile you can just google yourselves.
The UK might not have a “small” economy right now whilst we’re still in the transition phase but we’re still not powerful enough to get justice from US corporations as it is.
How will the balance of power shift after we’ve negotiated new trade agreements from a position of weakness?
Now that Britain has Brexited it needs to make a trade deal with the US. Why won't the US insist on things like lesser data protections and software patents as part of the trade deal? Now that Britain is in a weaker bargaining position, how will it avoid implementing these things?
However it hasn't happened yet, so we don't know. What we do know is that there will need to be an act of parliament and we won't just magically lose protections at some arbitrary date
On the 28th February 2019 The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019[0] was made.
These Regulations basically patch the GDPR to remove the buts about working with supervisory authorities in the EU, changes the references to supervisory authorities to name the Information Commissioner, confers power on the Secretary of State instead of the Commission and stuff like that.
The substantive provisions of the GDPR remain unchanged. There's what's known as a "Keeling Schedule" (which is essentially a visual diff of the changes) available as well.[1]
The title seems to be misleading. According to the article, Google isn't removing data protection from UK users, it's moving their data to the US (which in theory would be compliant with EU data protection laws even for EU citizens, though there are some arguments stuck in the courts that it shouldn't be) whilst following the same rules. This is most likely the result of some rather messy political disputes between the EU and the UK over data hosting and the GDPR that don't look like they're going to be solved any time soon.
It's quite clear any anybody that the safe habour and privacy shield type agreements are fig leaves and logically incompatible with UK/EU data protection laws. Safe Habour was struck down, privacy shield may be going the same way.
Essentially UK data protection says you can't put data beyond UK's law ability to enforce data protection rights, as that's clearly 'getting around' the law.
The privacy shield is the latest pretense that somehow having the data under US jurisdiction, with a promise to behave nicely, is ok. However that promise is fundamentally worthless as US law takes precedence over that promise. Specifically the US government can demand US companies hand over the data, whatever they have promised to UK customers.
That kind of issue is exactly why UK data protection law talks about jurisdiction in the first place.
The only real logical legal solution to this is to have a world court on these issues - but everybody is trying to avoid that politically unpalatable outcome.
You can talk about Brexit- but this is the real sovereignty issue in the 21st century.
I think the main reason safe harbour was struck down was just that the safe harbour laws didn't have the same level of protection and enforcement as the GDPR requires, rather than fear over the US government demanding access to data.
As I understand it, The GDPR is mostly concerned with the protection of routine usage of data, mostly by business and lower levels of government, rather than the government or security agencies accessing the data as part of a legal request or investigation. Indeed, the UK pretty encourages the NSA to access data on UK citizens as part of Five Eyes (and other parts of the EU as SSEUR and Nine Eyes).
I'm no expert, but I'm guessing the idea behind those safe harbour type agreements is that both the US government has a well developed legal framework and was willing to sign a law allowing EU companies to enforce DPA violations on their own companies in the relevant context. As long as the companies have the legal requirement to protect EU data in an equivalent way to an EU company, and there are legal routes to enforce it, I don't see anything particularly wrong about them in principle.
The issue of US companies allowing access to EU citizen data is an important one, and one I believe needs more attention, but it's unlikely to get it because it's by design at this point. And storing data in AWS UK doesn't exactly get around that, because the US government can just force their UK subsidiary to exfiltrate the data. But also I don't think it's strictly relevant to the GDPR safe harbour style provisions.
> As long as the companies have the legal requirement to protect EU data in an equivalent way to an EU company, and there are legal routes to enforce it, I don't see anything particularly wrong about them in principle.
But if there is US law which overrides that promise then it's not legally enforceable. That's why jurisdiction is so important.
I'm not picking on the US particularly - I might have the same concern if I was an EU citizen and my data was in the UK post brexit. Or I was a US citizen with data aboard.
> And storing data in AWS UK doesn't exactly get around that, because the US government can just force their UK subsidiary to exfiltrate the data.
Essentially the CLOUD Act - tries to give US government the right to demand US companies move data to the US - as I said - any promise a company makes is worthless. A lot of countries might see this as a the US trying to extend it's legal reach beyond what is reasonable.
Currently the EU is playing nice, but it could decide to then charge the US companies officers with crimes ( stopping them ever visiting the EU ), or investigate the local offices etc.
If we don't sort this out internationally then it could easily escalate - with the companies stuck in the middle.
At the moment that has been a lot of LALALAL nothing to see approach to this, but the law is catching up with the technology - these issues can't be glossed over forever.
It might be compliant to move data from the EU to the US under the privacy shield agreement, but this agreement might soon be dead as there is a court case against it (for good reason):
So it’s not unlikely that the US and UK will be considered unsafe countries for handling personal data of EU citizens due to their aggressive stance on digital spying and surveillance.
> Google isn't removing data protection from UK users, it's moving their data to the US
This means that Google is removing data protection from UK users. There is absolutely no way to claim in good faith that you can protect your users when the data exists (or is touched in any way by, but that's another story) in the US, the examples for which we've seen often enough that every reader can be assumed to be familiar with them by now.
The EU's position is that you can, in fact, claim in good faith that you're protecting your users when the data exists in the US, despite evidence to the contrary. There have been a few court cases about this, one of which is currently in progress, and at least one of which they lost and carried on doing it anyway. In any case, it's not something you can rely on EU data protection rules to protect against right now.
On the other hand, the EU has been threatening to refuse to agree on the same for the UK, despite both having the exact same data protection frameworks as it currently stands. The actual rules have at least as much to do with internaational politics as they do with protecting people's privacy.
The physical location of the data doesn't matter. US employees can access any datacenter remotely around the world, so I often wonder why this topic comes up at all.
For a while playing games with physical location was a neat legal hack in the US specifically, but the USG closed that loophole a few years back if I recall correctly and can now force US firms to give up data even if it's in a foreign datacenter.
US employees accessing EU data held in the EU in manners that contravene EU laws, would be breaking the law and would expose their company to prosecution in EU courts.
The issue is not about technical feasibility, it’s about exposure to legal repercussions.
You can argue that respecting EU laws might expose you to prosecution in US and vice-versa, and that’s absolutely true. International law is messy.
Except not quite: while the UK will have laws that effectively mirror the GDPR, the crucial difference is that it's now a UK law, not a European law, and there is no EU enforcement of that UK law.
UK citizens also won't be able to appeal all the way up the EU courts: it stops at the UK supreme court.
And most importantly: now that the UK is out of the EU, it is a tiny, barely relevant factor in multinational corporate online practice. Any business that gets told by the UK to follow their GDPR can quite comfortably go "lol, no" and barely affect their bottom line, as opposed to having the entire EU block go "obey our GDPR or we won't let you do business in any of these 27 nations, a large portion of which make up a substantial cut of your global revenue".
The biggest players won't, of course, but smaller companies?
The 3rd biggest online market is barely a blip? And probably the 2nd biggest for the US because of the shared language.
Poorly informed comments like this pop up a lot, they don't understand the reality of just how big the UK economy is compared to the vast majority of coutnries that make up the EU.
The UK was 20% of the EU's GDP, 1/5th of the total GDP out of 27 countries.
The EU+UK combined is about the same size as the USA. No EU country alone is a world player any more, that’s basically the entire reason everyone got together to negotiate trade issues as a block.
I agree with you that the language barrier is stop going to be at least somewhat important.
I guess it depends on your definition of a "world player". By GDP, it goes something like US, EU, China, Japan, India, UK, Brazil, Canada, Russia, South Korea, Australia. There's a fairly large gap (more than double) between Japan and China.
Obviously exact orders will depend on the estimate and how fair it is to use 2019 figures and then subtract the UK from them.
But however you slice it, the UK is not pocket change. Maybe smaller companies can ignore all but the largest three, but I doubt it.
It's more likely that the UK will prefer a more liberal market, and for that reason their laws will be a little ignored - they won't enforce them and will forever be planning their repeal even if they never quite get there.
GDP rankings are as follows from the last posted results (2018):
1) United States 20,544,343.46
2) China 13,608,151.86
3) Japan 4,971,323.08
4) Germany 3,947,620.16
5) United Kingdom 2,855,296.73
6) France 2,777,535.24
7) India 2,718,732.23
8) Italy 2,083,864.26
9) Brazil 1,868,626.09
10) Canada 1,713,341.70
So out of "EU" it's only Germany which was larger according to those figures (from the World Bank).
Of course things will have changed over the last couple of years, but I doubt it is substantially different in terms of order.
UK's been ping-ponging between 5th and 7th due to the pound fluctuations.
In reality the EU is not a unified market for e-commerce because of the language barriers and very large discrepancies in laws. For example, France has some pretty crazy stuff to protect the French language, Germany is very strict about certain subjects and the denial of them like the holocaust. And while there are some top level EU laws or efforts to police the bigger internet players, enforcement is still mainly regional too.
I'm under no pretensions that the UK is far, far from the super-power status of the US or now China, or previously USSR.
But if we're a blip, most countries in the world aren't even a notch.
> But if we're a blip, most countries in the world aren't even a notch.
That is the impression I’ve been getting from what economists have been saying. Of course, not being in economist myself, there is no way for me to tell if I’m reading real economists or merely people wearing economist clothing.
They probably pop up a lot because they're the result of people being actively misinformed. The UK press has been pushing this narrative about the UK being a tiny, irrelevant backwater of the EU hard ever since the referendum was announced. It's certainly not the only way they've lead people astray either.
> And most importantly: now that the UK is out of the EU, it is a tiny, barely relevant factor in multinational corporate online practice.
California emissions standards for automobiles dictate how cars are made for the entire USA. The UK has almost double the population of California and is a huge online market.
Since the laws are identical wouldn’t it still mean that any business complying with the GDPR (in order to do business in the EU) would already comply with the UK’s version of it, and vice versa?
How can you comply with one but not another given they are exact copies of each other?
The article basically claims that google won't bother to follow developments in UK regulation, and instead ask all users to accept a move to US regulation. Presumably this means stopping service for those that don't accept.
> An employee familiar with the planned move said that British privacy rules, which at least for now track GDPR, would continue to apply to that government’s requests for data from Google’s U.S. headquarters.
It quite literally says the opposite of that. I don't think Google could continue to do business in the UK if they just ignore regulation, nor could they ask users to waive their own rights.
All this seems to be is moving the location at which data-related requests for the UK are handled, which is probably because the Irish office is smaller and it is easier to keep them focussed solely on EU law.
It doesn't say the literal opposite of it. Your quote says "British privacy rules would continue to apply to [UK government] requests for data".
This is very different from British privacy rules applying to private requests for data.
Under the GDPR, and presumably British law, a private person can get a copy of your data and demand that it be deleted. According to your quote, there's no suggestion that will continue to be available.
If that were the claim, it wouldn't work. It could only work if the citizens could live without it. If it's necessary, then it will simply mean a little more money for a few more features (needed for France and Germany anyway) will let the company rake it in, so they will comply.
I don't understand what you are saying. I see it only working if citizens couldn't live without it, because if they can government can just forbid Google from operating in their jurisdiction, e.g. by simply blocking them. On the contrary, if it's necessary, it's Google who has leverage in the case of the conflict with the foreign government.
What exactly are the EU protections that I don't get as an non EU citizen? I thought most companies applied EU laws like data deletion and data download(at leas Google did afaik) worldwide.
Your service provider and data controller is now Google LLC: Because the UK is leaving the EU, we’ve updated our Terms so that a United States-based company, Google LLC, is now your service provider instead of Google Ireland Limited. Google LLC will also become the data controller responsible for your information and complying with applicable privacy laws. We’re making similar changes to the Terms of Service for YouTube, YouTube Paid Services and Google Play. These changes to our Terms and privacy policy don’t affect your privacy settings or the way that we treat your information (see the privacy policy for details). As a reminder, you can always visit your Google Account to review your privacy settings and manage how your data is used.
If you’re the guardian of a child under the age required to manage their own Google Account and you use Family Link to manage their use of Google services, please note that when you accept our new Terms, you do so on their behalf as well, and you may want to discuss these changes with them.
This simply isn't true. The GDPR cares about where you are and where you reside, not who you are. I live in the United States and hold Irish citizenship. The GDPR does not apply to me (unless I were to visit the EU.)
It applies to EU residents regardless of where the data processor is located, and anyone anywhere whose data is processed by an EU based company (or the EU subsidiary of a multinational):
This is incorrect. "In the EU" refers to the physical location, not your citizenship.
Otherwise there would be no way to know who you are without having your data in the first place which means the law is a catch 22. The only working interpretation is based on physical location.
Was the parent post edited? Otherwise it agrees with you. They don't mention citizenship.
Surely my physical location is no less part of my data than my citizenships? I guess if it's being processed immediately when it's collected it's possible to gdpr it or not, but if it's an offline process, then how can you do that?
Yes it was edited, the part I quoted came from that comment.
Anyways it's based on physical location. There are lots of specifics around what PII is but in this case: 1) your location alone cannot identify you individually, and 2) nothing specific is stored and IP/network to region lookup for applying GDPR rules is acceptable.
My citizenship can't identify me individually. If I use a VPN that makes me appear like I'm in China, I'm still in Europe so I think my data should still be treated as if I'm in Europe. My location/residency is a matter of fact.
1) Your citizenship is not easily accessible over the internet anonymously. You would need to hand over personal data to prove that your personal data needs to be handled different. This doesn't work.
2) The point of location data not identifying you is in response to the parent comment saying that location could also be considered personal data. It can, but only if used in conjunction with enough other data to uniquely identify you; not to just check if you're currently in the EU.
3) Using a VPN prevents GDPR enforcement if your location is inaccurate. Again it comes down to the law preventing your personal data from being used before you consent, so whether your location is a fact or not doesn't matter when the service provider isn't allowed to use it in the first place and must rely on network lookup for a best guess.
Upvoting because this was my mistake. My comment was copied verbatim from and older discussion on the same topic (it's a common cause for confusion), including a URL that I didn't check was still valid. I subsequently changed it to another one with the same info, but didn't call out the edit. Apologies scarejunba for the collateral damage!
How would that be workable? I am a Dutch EU citizen living in Indonesia; does that mean that all Indonesian businesses I interact with should follow the EU GDPR law?
No company outside the EU will face fines and there's nothing the EU can do about it.
Also the law is based on physical location (either companies or people in the EU at the time), not your nationality or citizenship which would be unknown without access to the very data the law is trying to protect.
If you're a foreign company selling to EU citizens you can be subjected to EU fines because there's usually a trade deal that says so.
But yes, checking the nationality of all your customers isn't feasible, but I bet the waters get murky when requests, such as data access or deletion requests, come after the fact, with proof of EU citizenship.
You may have to prove residence too in the requests, and that can include notarized documents (all acceptable under GDPR rules).
As for trade deals, the Safe Harbor agreement that would have allowed this was repealed before (and partly because of) GDPR. The only deal in place now is Privacy Shield which is completely voluntary and has no cross-border enforcement.
I recently moved to the EU, since the GDPR came into existence. Is Spotify and Google only subject to the GDPR for my data they collected since I moved here?
Technically the law only applies to data after you are physically in the EU, not before it, although most companies will store a user's data together so it's likely that once you change your address that it will be treated differently. Most companies have also applied GDPR data access rules globally instead of maintaining separate databases.
I'm not a lawyer, but I don't think this is how it works unless Indonesia has signed an agreement with the EU or Netherlands regarding this. Otherwise countries could just unilaterally declare laws for all its citizens abroad?
I also looked at the text in Article 3, "Territorial scope"[1], and that says it only applies to EU-based organisations and "data subjects who are in the Union". It seems to me that "in the Union" means "residing in", and not "citizen of"?
The third clause says it applies to "a place where Member State law applies by virtue of public international law", but I don't think this applies to Indonesia?
> The third clause says it applies to "a place where Member State law applies by virtue of public international law", but I don't think this applies to Indonesia?
IANAL, but I think that is primarily a reference to member state embassies, consulates, overseas military bases, ships having member state flag in international waters, aircraft registered in a member state, and spacecraft operated by a member state. So GDPR would apply to data kept in a member state embassy/consulate in Indonesia.
In practice, a lot of the work embassies/consulates do may fall into one of the exemptions from the GDPR – national security, etc. But embassies/consulates often also do other stuff, like host conferences, workshops, dinner parties, etc. GDPR may well apply to data collected for those purposes.
They're kind of used to it, they went from the most powerful empire in the world to a tiny island without much going on for them in like 300 years, not sure how much lower they could go at that point, I guess Ireland &co could get independent in the near future.
At least they have their own independence day now.
UK will breakup soon. It's quite possible there will be a (separate) Great Britain and Ireland in our life times, maybe even a separate Scotland, too. "England & Wales" would be all that's left. "E-double-U". Heh.
Under section 3 of the European Union (Withdrawal) Act 2018,[2] the GDPR will be incorporated directly into domestic law immediately after the UK exits the European Union.
So much for "we get to write our own laws" as per the Brexiteers. We'll just copy paste EU laws! I wonder how long it will take for those laws to be removed
We still follow several British laws in India 70+ years after independence. Unless, there is a demonstrable political benefit, old laws generally stay on the books.
UK law won't diverge from EU law if the consequence is loss of access to or friction with the European common market. The difference between the UK and the US in your comparison is that the US turned into the world's largest economy and sole superpower. The UK's economy is smaller than that of California.
Realistically you can only write your own laws if you're the top dog.
Many sites geocode them. If you are outside the EU (+ "close enough" countries like Switzerland, Norway, ...) and think you're getting a lot, you'd be getting a lot more in the EU.
There might be a small subset of websites that do not show popup. However, the question is whether the users adjust their browsing behavior based on those popups or not? If the users have just become acclimatized to clicking on them, then the situation has not really changed in any meaningful way.
Only recently have they added the popup (last 6 months or so), they previously used google analytics with no consent and made themselves exempt from the law
That’s great. Same with mine. Sadly most sites still use them, and will still display the banners with no real option but to accept. Most are horrendous to deal with.
IANAL This is why the GDPR requires that the default or most obvious option should be the one that denies use of personal data.
Consent should be given by a clear affirmative act [...] Silence, pre-ticked boxes or inactivity should not therefore constitute consent. [...]
So, all those websites that have preticked boxes where you share data unless you untick them are in violation of the GDPR (unless the personal data is required for the site to function). So are websites that only present an 'accept/ok' option, since processing personal data is typically not necessary to retrieve the page:
When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Websites that are designed to let unattentive users consent to data by e.g. clicking the most visible button are probably in violation as well, since it is not a clear affirmative act.
GDPR has an enforcement problem. Ideally we should have some mechanism that allows us to submit violations as easy as posting to HN. The next problem are courts in Ireland which have been stonewalling attempts to move things swiftly (and moving things at scale will simply be impossible). See also Max Schrems v. Facebook
Long time lurker but had to create an account when I saw no one gave the correct answer when replying to this.
The cookie pop-ups is definitely not GDPR - it is a separate thing called the ePrivacy Directive and came about many years before GDPR.
GDPR and ePD are both wonderful for consumers. I am fairly annoyed that the implementation and skirting by 90%+ of websites is due to them not being able to monetize our data or track us.
I suspect the rate of non-compliance is closer to 99%+ considering most of the annoying cookie banners I see pop up are actually not following the guidance.
Cookiebot seems the closest to me (defaults to only required cookies, etc.)
I'm pretty certain the article is misinformed. The GDPR transfer regime still applies in the UK, as it does in the EU. Google would have to implement the "Privacy Shield" mechanisms by which EU or UK data can be transferred legally to the US.
The law in the UK remains the same as the EU. There is no divergence at present.
If Google has got the Privacy Shield system set up, then any EU or UK data can be transferred to it.
Chapter 5 of The Data Protection Act 2018 refers http://www.legislation.gov.uk/ukpga/2018/12/part/3/chapter/5
The article explicitly states Google is pre-empting the UK diverging significantly from EU law in order to get a trade deal with the US.
I don't think that's a bad bet given that Downing Street is keen to make clear food standards and the NHS are also up for grabs.
If anything, data protection is so badly understood as being important to ministers, it would not surprise me if they trade it away in order to protect food standards and the NHS because they're more prevalent in the headlines and scarier to the over-50s that predominantly voted for Brexit and this government.
It's true, it's weird the NHS should be up for grabs considering it's older people who would be most hurt by changes to the NHS who voted for the Brexit.
But it's also a bit weird. I mean, I guess the issue with the NHS is drugs. Australia has long had policies the US doesn't like, like the single purchaser PBS and parallel imports. But we still have a FTA with the US.
The same was said about the single market, we're leaving that now contrary to statements by:
Owen Paterson
Daniel Hannan
Nigel Farage
Matthew Elliot
Arron Banks
It’s more the EU diverging from the status quo it shares with the UK if the CJEU rules inadequate US data protection guarantees (which under the laughable fig-leaf that is Privacy Shield, i.e. the honor system). The likelihood a UK desperate for a US free trade agreement would follow the EU in banning data transfers to the US is slim to none.
I don't believe there is a single briefing on the matter - save the one line the President generously gave just before the election stating the contrary - where it hasn't been clear that access to the UK's health market and the ability to import US meat with lower health/safety criteria were not mentioned as being key to a US trade deal.
You can call them scare stories, but in truth your denial running contrary to all known actual evidence is a real problem here.
How precisely does Google determine which of its users are UK users?
For example, I lived in the UK when I opened my Google account(s), but now I live in Portugal. Do I need to inform Google of this somehow. Do they look at my payment information, or at my recent logins? I certainly cannot see any 'what country do you live in' options in my account settings.
I'd certainly prefer to keep any EU data protections should I have the choice.
Given that the UK is "intending" to follow GDPR and, for now, it is still enshrined in UK law, this initially seems like a bit of a sensationalist scare piece.
However, the lede is somewhat buried:
“There’s a bunch of noise about the U.K. government possibly trading away enough data protection to lose adequacy under GDPR, at which point having them in Google Ireland’s scope sounds super-messy,” Kissner said.
It's possible that, over time, the UK will adjust its laws and lose EU "adequacy". This currently seems unlikely so the game, from Google's point of view, is to work out whether to move out early and cause a sensation or to wait until it happens (if it happens) and then make a rush then.
It's complicated because things may change gradually, over a long period of time, and there may be some things that are advantageous earlier or later. Also, Google might not want to put itself in a position where it appears to be trying to influence British law: "if you change that particular thing, we'll move out". If they do it up-front under the guise of Brexit then they put themselves in the best possible position to use the data as they wish (within whatever law applies) and avoid such accusations later.
This is complex and involves a lot of game theory.
This move will make it considerably easier for influence shops to shape public opinion in the UK and could help open up e.g. healthcare markets which are currently closed.
So, what can all the pro-FB/Google shills say about this? Wasn't GDPR, according to them, a god-send for Google, FB and Big Tech because smaller companies cannot possibly comply, while they can easily do? If that were true, why are they moving their users out of GDPR reach at the first chance?
No. During the current transition period there's a treaty which (to paraphrase the situation greatly) causes the UK to be treated as if it was in the EU. What happens when that ends (on 31st Dec 2020) is not yet clear, despite the large amounts of noise being made by the UK government. It will depend on what deal if any is struck before then.
It's much more likely to depend on what UK legislation is in force. Right now there is UK legislation to enact GDPR and that does not simply disappear because the UK left the EU. Unless new laws are passed, whatever is on the UK statute books remains unaltered.
The article calls out that Google are betting that they will introduce new laws with lower protections to get trade deals with the US, and so they're getting ready for that now.
That is not a bad bet given briefings from Downing Street on trade deals.
Indeed - the Data Protection Act (2018) effectively is the GDPR, by updating existing data protection legislation. Indeed, some parts of it are referenced against the GDPR itself, e.g. paragraph 157 on penalties.
One can only hope. Big EU initiatives are two types - first prove that road to hell is paved with good intentions, the other are similar to Herod reforming the preschool industry in Bethlehem.
GDPR is nightmare that has not improved anything except now we have to click for both cookies and GDPR form. I don't feel protected by it, mostly annoyed. And a lot of sites did the smart thing - just cut off access for EU ips - thanks Brussels.
Talking from the consumer perspective, I completely disagree - things have very much improved. Google and Facebook now make available everything they have on you, easily accessible. Companies now have to tell me why they are asking for information and what they are going to do with it. I can ask companies for all information they hold on me, and they have to comply.
This is a big improvement - there is a sense of companies going from hoovering up every PI data point they could, to treating PI as a liability. That's a big deal.
We ask for your information to improve our service. We know that you opted out by selecting the "opt out" button in your web browser, but we're going to ignore that and try to trick you into opting in, since we're so special that your generic opt out probably doesn't apply to us. We will make it hard to identify which links are really buttons that you need to click to disagree to increase the probability that you will accidentally agree or agree out of frustration. If you don't agree, we'll make you sit through a two minute spinner while we during which time we do nothing since it takes no time at all to save a cookie on your computer that says "don't save any cookies".
I mean seriously. If the GDPR had any teeth, the companies that do this shit would be made to suffer. But since all they do is make us suffer and the EU dgaf I wonder what the point is. It's just so much privacy theatre.
Maybe there's a shift somewhere. But I can't feel it as a user.
Privacy is the point but enforcement is very much lacking. The GDPR is supposed to be enforced by the member states so the EU is not to blame – at least if by "EU" you mean the EU bodies. The EU as a whole, including its members and citizens may be but imo it's more accurate to say that it isn't coherent enough to actually have opinions.
Honestly, I think GDPR was way better than I feared. They fined literally no one and we all got access to our data. It created a great interoperability situation. I am quite happy with it because they essentially do not enforce but everyone abides by it.
Nice! I was entirely wrong about what I thought would happen. If I were starting up I'd probably ignore building the entire framework to start with and deal with it when I have to.
Well, here's one obvious and useful benefit for the average user: you can now remove content that identifies you (especially photos/video) rather easily, like you would under DMCA. Just a polite reminder of GDPR is enough for websites/hosting providers to comply.
If not, you can go to the data agency of the hosting provider's country and lodge in a formal complaint that can lead to an actual investigation and fine. It really works!
This is true. GDPR has proved to be completely toothless. Flagrant offenders flaunt it brazenly. The much-vaunted 4%-of-turnover fines have never once been enforced.
I think this is mostly the difference between American and EU regulation and enforcement.
It seems like US institutions like to take a big player, make a huge case and then hope everyone else is scared enough to follow. In EU on the other hand the first inquiry would be validate the practices, allow corrections and if they aren't timely start stepping up the fines.
In the end you end up with the huge cases like for example the browsers or Apple tax payment and by that time you have a law with regulations and previous judgements to stand on creating a system that's hopefully understandable and easy enough to follow for the regular user with good intentions.
> Google is planning to move its British users’ accounts out of the control of European Union privacy regulators, placing them under U.S. jurisdiction instead, sources said.
Did the author mean "US", or "UK?
This article seems confused. I don't think the author knows what they are writing about.
> This article seems confused. I don't think the author knows what they are writing about.
They meant US, and the authors clearly weren't confused:
> If British Google users have their data kept in Ireland, it would be more difficult for British authorities to recover it in criminal investigations.
> The recent Cloud Act in the United States, however, is expected to make it easier for British authorities to obtain data from U.S. companies. Britain and the United States are also on track to negotiate a broader trade agreement.
This is not a big deal, this gives UK freedom to make their own laws more suitable to UK rather than laws made in Brussels. In a twist to the headline we could also say tech companies around the world are in a better position to push their innovations in UK without the red tape of EU.
