SN 925: Brave's Brilliant Off the Record Request

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

@Leo, with regard to GDPR and email, it is implied that the sender has agreed to the storage of the data on the recipient’s server by the act of sending the email.

If the sender sends any third-party PII (other employees at their company, info on customers etc.) then they have to ensure they have gained permission to share that information with the third party, and they have to inform the third party explicitly what they can do with that data: they cannot share it with other third parties, they cannot sell it and they cannot use it for purposes other than those stated when the information was collected (e.g. if the sender says the information can only be used for guarantee purposes, the recipient cannot use the information for marketing).

Where Facebook differs is that they have collected the information directly and have to store that information under EU law within the EU or in countries with an equivalent data protection standard, which excludes the USA at the current time; they refuse to exempt EU data from the Patriot Act, the CLOUD Act, NSLs and the FISA court, which is why we have the current situation. They agreed to this under Privacy Shield (and before that, Safe Harbour); in both cases, they failed to enact what they had agreed to, which is why the two cases from Max Schrems were successful in getting the agreements annulled.

This means that users in Europe can use the service, as long as Facebook (or other companies) keep the data within the EU or in an equivalent country. They cannot pass the data back to the mothership or to regional caches in the USA.

This is also why Microsoft 365 is not GDPR compliant, for example.

And WhatsApp also falls foul of this, because they upload the complete address book of the user to their servers, without getting the permission of all of those contacts. Other services, such as Signal, get around this by uploading a hash of the mobile (cell) telephone number, not the address, email addresses, private telephone numbers, work telephone numbers etc. as well.

Yes, it is up to the USA to get its arse in gear, but until that time, Meta has to comply with EU law. Their attitude seems to be, “well, one day there will be an agreement, so we’ll just carry on regardless,” which doesn’t have very good standing with courts.

By the way, equivalent countries are:

Europe

  • Switzerland

The Middle East

  • Bahrain
  • Israel
  • Qatar
  • Turkey

Africa

  • Kenya
  • Mauritius
  • Nigeria
  • South Africa
  • Uganda

Asia

  • Japan
  • South Korea

Oceania

  • New Zealand

South America

  • Argentina
  • Brazil
  • Uruguay

North America

  • Canada

The UK is still considered a suitable third country under GDPR, but the UK Government are doing their best to ensure they lose that status as quickly as possible, for some reason…


Hover $719.99 vs. Google $540 for leo.foo and is available. @Leo what a deal.

Good reminder to add this regex to your network filter, if you can:

(^|\.)xn--.*$

I would’ve gotten duped by the links brought up too, but I went ahead and blocked the whole TLD too, just because.
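The regex above applied as a hostname check, as an added example that is not from the original post or any TWiT project: it compiles the same pattern, makes it case-insensitive (DNS names are case-insensitive, so an "XN--" label is still a punycode label), and decodes any matched label back to Unicode with Python's standard-library idna codec so an analyst can see what a blocked name would have rendered as. The hostnames in the sample list are constructed for the example; the function names are my own.

```python
import re

# Same pattern the poster suggested for a network filter, compiled once.
# re.IGNORECASE matters because DNS is case-insensitive: "XN--" is still
# a punycode (IDN) label. The (^|\.) anchor requires the label itself to
# start with "xn--", so "axn--foo.example" is not matched.
IDN_LABEL_RE = re.compile(r"(^|\.)xn--.*$", re.IGNORECASE)


def is_idn_hostname(hostname: str) -> bool:
    """True if any DNS label of hostname is an xn-- (punycode) label."""
    return IDN_LABEL_RE.search(hostname.strip().rstrip(".")) is not None


def decode_for_review(hostname: str) -> str:
    """Render xn-- labels as Unicode for an analyst's review.

    The stdlib idna codec only recognises a lower-case "xn--" prefix, so the
    name is lower-cased first. Malformed punycode raises UnicodeError; such
    names are returned unchanged with a marker rather than crashing a filter.
    """
    try:
        return hostname.lower().encode("ascii").decode("idna")
    except UnicodeError:
        return f"{hostname} [undecodable punycode]"


def filter_hostnames(hostnames):
    """Split hostnames into (blocked, allowed) according to the IDN rule."""
    blocked, allowed = [], []
    for name in hostnames:
        (blocked if is_idn_hostname(name) else allowed).append(name)
    return blocked, allowed


if __name__ == "__main__":
    # Constructed sample lookups; none of these are real IoCs.
    sample = [
        "xn--bcher-kva.example",        # punycode for "bücher.example"
        "mail.XN--BCHER-KVA.example",   # same label, upper-cased
        "login.example.com",            # plain ASCII, allowed
        "axn--not-idn.example",         # "xn--" not at a label start
    ]
    blocked, allowed = filter_hostnames(sample)
    for name in blocked:
        print(f"BLOCK {name:32} renders as {decode_for_review(name)}")
    for name in allowed:
        print(f"ALLOW {name}")
```

The original pattern's trailing `.*$` is redundant (the search succeeds as soon as `xn--` follows a dot or the start), but harmless. The caveat a practitioner should weigh is that this rule blocks every internationalized domain name, legitimate ones included, so it belongs with an allowlist for any IDN sites the organisation actually needs.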