Facebook profiles? They're not 'personal data' Mr Putin With less than a week until a new Russian data localisation law comes into effect, Facebook is making a last-ditch effort to avoid compliance. The rules forcing companies to keep Russians’ personal data on Russian soil becomes law on 1 September. It is not yet clear what sanctions, if any, will be handed out for non-compliance …
"Facebook said it would not comment on the speculations, adding 'we regularly meet with government officials and have nothing more to share at this time.'”
That's the problem right there - and the solution is so easy! They only need to take a truckload of cash to one of those meetings, and then it would all work out the way they want.
So if the Russian Law states "any information relating directly or indirectly to an identified or identifiable natural person" is in effect "personal data" I would love be to a fly on the wall when FB meet the government. If FB manage to convince the Russians that FB hold no "personal data", they need to quit the tech game and go and sell sand to Saudi Arabia.
I will give them a slight tip of the hat for the brazen bollocks to argue it though.
"In this particular case I would like to Zuk to loose, but not just in Russia. Everywhere. Including Eu."
In the wake of Ashley-Madison, I would be interested to see some real statistics on Facebook's users and how it gets its income. What services really get provided to its customers? How many people is it tracking who do not have Facebook accounts?
When in tinfoil hat mode I wonder a little if Facebook is actually a honeypot of the CIA/NSA that has succeeded beyond their wildest imaginings, and its continued existence owes something to off-the-budget subventions from the TLAs. If the Russians know this, everything becomes clear.
...no, not really, that assumes a level of competence beyond the people who brought you the Bay of Pigs, Iraq, and Snowden.
Does that particular law really mean that any personal data of Russian nationals needs to be stored exclusively on servers located in Russia? How about Russians living abroad? How do sites do that where no nationality needs to be entered (or cannot reasonably be verified, which would be true for the vast majority)?
While I welcome any way governments can leverage to piss on Facebook and in particular its attitude to privacy, this law doesn't seem to be thought through.
The result for Facebook -and even more so for smaller sites who can't be bothered or afford to set up Russia-based servers- might be: "Sorry, since you are Russian, we cannot currently offer our service to you."
That's neither feasible nor enforceable. We all know how easy it is to bypass GeoIP based checks when we watch telly channels which are "not available in your country". ;-)
Since Facebook knows who you are, and where you log in from... anyone who signs up and routinely uses Facebook within Russia would be considered Russian.
Its a pretty straight forward proposition.
So either the Zuck get's the 'zuck' out of Russian or it complies with the law.
"Does that particular law really mean that any personal data of Russian nationals needs to be stored exclusively on servers located in Russia?"
Russian citizens and residents. There are quite a few exceptions - things like data needed for travel security (PNR) and medical data for treatment in foreign hospitals, etc.
"That's neither feasible nor enforceable."
Sites ignoring the legislation may end up with access blocked for users located in Russia. Technical means can probably be used to get around such blocked access, just as is the cases for sites blocked in the UK e.g. Pirate Bay.
This post has been deleted by its author
Yes, but it's been tried before in Poland, and they eventually had to give it up (as far as I recall) because it became difficult to use *any* service. Protectionist measures only make sense if you can offer local alternatives, and Russia is not set up for that.
As far as I can see, that law is a bit of an own goal. Probably the only benefit is that they can throw out Facebook :).
"Protectionist measures only make sense if you can offer local alternatives, and Russia is not set up for that."
That's not correct - sites like VK and Odnoklassniki are probably more popular in Russia (and some other parts of the former Soviet Union) than the likes of Facebook.
Technically, I, the site operator, would be breaking the law unless I either
1) Ban russians
2) Rent some server space in Russia to shunt those details to
...neither of which I have any intention of doing. An interesting question is who, exactly will be liable....would it be me the technician who would be doing the actual law-breaking bit or would it be the company that owns the website? Probably the people to go after would be the company, as they're usually the ones with money.
There's no mention in the article of how the Russians intend to enforce this...can't see how they can, really. All they can do is block the site off; but that's easily got round by playing the piratebay whack-a-mole game, if Russian business is that important to a site. They can demand fines; but that's just going to get them laughed at.
"Technically, I, the site operator, would be breaking the law"
But are you under Russian jurisdiction? Assuming your business isn't in Russia and you don't have a branch office or subsidiary there then presumably not. So can you break a law that applies outside the jurisdiction you're in? (Other, of course, than USian laws where the default assumption of USian politicians and prosecutors is that they apply everywhere.) Where the parties to a contract may be in more than one country it's normal to specify as one of the terms of the contract whose laws should apply; presumably Fb's contract (T&Cs) specify the US.
Although at first sight it appears that this is the sort of thing we European users want to replace safe harbour it isn't. In the safe harbour situation we have someone giving data to a site in their own country, or at least in a country where broadly similar data protection laws apply and having exported to a country where they don't under an unenforceable undertaking to apply similar standards. In the Russian case we have someone voluntarily giving data to a site in another country under whatever DP laws apply in that country.
"So can you break a law that applies outside the jurisdiction you're in?"
Of course you can. In fact, it's really easy with the internet. The question is, what exactly can the "offended" jurisdiction do about it? And how far will they go to prove a point?
Can't remember the country that has a long prison term for people that say horrible things about the royal family; but the existence of the law proves that they're a bunch of insecure tosspots who probably have tiny penises. Even the girls. There you go. Law broken.
Now with this Russian thing I would be breaking the law in Russia, but I fail to see exactly what they can do about it...this law in particular is phrased to apply to people outside their legal jurisdiction...it's calling on tech companies to store all personal data on Russian citizens in servers on Russian soil. Now that's not going to happen because it's inconvenient, expensive and impractical. Even if Russia offered free server space and were trustable (heh!) it still wouldn't happen because you would still need to detect, separate and redirect Russian users and that would take time and effort. No company is going to go through all that just because Putin is off on yet another power-wank. Assuming that names are “any information relating directly or indirectly to an identified or identifiable natural person”, then the previous sentence will be illegal on 1st September.
Technically, any article mentioning a Russian by name will also fall foul of the law. It might be amusing for the press to take this literally for a while and use nicknames instead. "batshit baldy" is the best I have come up with so far (obviously not referring to a specific person there).
1. Create the law that is as stupid and ambiguous as possible, holes intended
2. Make sure that government people can interpret the law in any way they want
3. Use it to slap your political opponents and extort money from businesses
4. Profit
"The rules forcing companies to keep Russians’ personal data on Russian soil becomes law on 1 September."
A certain Mr Vladimir Putin has been quite vociferous in claiming he may have to defend russian speakers and russians living abroad if hey feel threatened, as in Crimea or eastern Ukraine. But if a russian lives 'abroad', won't his or her data also be held 'abroad'? Does this apply even when the russian in question has sent personal data overseas, such as, for instance booking a holiday, or a flight, or buying something over the 'Internet from a foreign place'.
I am confused, unles, of course this is just a way for Putin to have an excuse to attack anyone he doesn't like whenever he wants to.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
