187 comments

[ 3.3 ms ] story [ 223 ms ] thread
This is an excellent decision from the Austrian DPA: there is no good argument for exfiltrating data to a country with low-to-non-existent data-protection standards.

It would be nice if the same logic applied to manufacturing and environmental legislation - it stops the race to the bottom.

Also cloud-act, not the best idea to open up your crown-jewels to every single US-Secret-service....by default ;)
Will make no difference for what really matters...

"BND helped NSA to spy on Austria, EU partners: report" https://www.aa.com.tr/en/world/bnd-helped-nsa-to-spy-on-aust...

"Alleged NSA post in Austria becomes state affair" https://apnews.com/a3537677459e41b9ba4d21d8208dd28a

"UK, Dutch spy agencies curb intel flow to Austria over Russia ties: MP" https://www.reuters.com/article/us-austria-security-idUSKCN1...

"Vienna Is the New Havana Syndrome Hot Spot" https://www.newyorker.com/news/news-desk/vienna-is-the-new-h...

At least it seems like the head of the Danish intelligence services is actually facing charges for helping the NSA spy on Swedish politicians: https://www.dw.com/en/danish-spy-chief-detained-over-highly-...

But I think this more then anything shows why the US should not be regarded a country with adequate level of data protection. I would honestly just assume that they force Google to record every single meeting between heads of states or meetings with companies that work in telecom or weapon systems. Even the most boring meeting with officials in some small municipality can probably be valuable information about infrastructure and how it's going to be protected and these are maybe the most unsuspecting because they think "why would anybody care about the water distribution in our small city".

You got the charges wrong. It's speculation on my part because it's kept secret, but all journalists in Denmark more or less agree that he is held for leaking information on the NSA partnership and two other stories involving the intelligence agencies (one about an agent being left in jail in Spain and one about a withheld security assesment of refugees held in camps in Syria). This is based on which journalists got interrogated and what stories they have brought to light
And then one wonders why the EU is such a *it-show ;)
Just imagine:

California helps Germany to spy on Texas.....what a shame that Union is.

This is already affecting websites and web apps.

At least all of our customers are moving away from Google Analytics and many try to also get rid of other Google services like fonts and maps.

I'm very interested to see what this changes in other european countries.

> I'm very interested to see what this changes in other european countries.

As it's a direct result of an CJEU ruling (Schrems II), all other (EU) countries will have to do the same.

Analytics and fonts shouldn't be too hard. What about Captcha?
Or things like Stripe’s anti fraud js script.
The directory linked in the article actually contains a captcha service called FriendlyCaptcha: https://www.developedin.eu/item-detail?recordId=recG9DsaUnGd...
From a first look it seems like the subscription requires to use that service in a EU-only fashion costs at least 200$. While this seems like a good option for large and medium size companies, I fear that this pricing leaves out all small companies that may not require 50k solved captchas a month but may require EU-based hosting nonetheless.
FriendlyCaptcha will probably get a ton of new business. It's what some EU institutions themselves use.
https://www.hcaptcha.com/ is a drop-in replacement for recaptcha.

It's not EU based, but at least it's not Google, and the service is privacy oriented...

It's run by Intuition Machines, Inc. which seems to be incorporated in California. That fact alone disqualifies it.
Actually, no. hCaptcha has always been very privacy-focused, so in this case there are technical safeguards available: enterprise customers can pre-blind all data on their end, meaning hCaptcha gets no PII at all.

(disclosure: work there)

If y’all write a blog post about how your preblinding option makes you GDPR-compliant for silent embedding even though you’re a US entity, that would be front page material right now.
And the more this happens, the worse the search results will get because measuring popularity of a link and time spent on a website needs to be measured for ranking purposes, next time someone used the same search term.
Google search seemed to work fine before that stuff was tracked.
That's because way less people were trying to game it.
And because websites used to link to other websites for non-profitable reasons (blogs, directories, and webrings).
*according to Google.

I spend 5 minutes on american recipe websites to scroll through the SEO bullshit before finding the actual recipe, but that doesn't mean it's useful.

So, no, it's just Google telling you to let them collect analytics on every aspect of your life for "search improvement purposes".

also the worse the search results will get if someone put a bunch of ads in before the search results for people to click on instead of the search results.
Google Analytics is very hard to replace, because the real value to businesses is in the integrations with Google Ads and Search Console. There's no viable alternative to Google's advertising networks at the minute.
This. We use a non-Google analytics product that we could even move to self-hosting if needed. But the marketing director basically was like “This is better than GA, and I will use it for almost everything, but we have to have GA also because it shows as conversions.”
Which non-Google analytics product are you using?
(comment deleted)
What are the services they are switching to?
Matomo has gotten a ton of traction in Sweden at least.
We can't sell AWS consulting services to anyone right now, haven't been able to for over a year, almost two I think. Non of our clients trust Amazon right now. The claims from AWS is that it's fine to host EU data in AWS, but very few companies are willing to risk that.
I mean, they have EU datacenters... the issue with Google Analytics is that this data can be moved through other datacenters.

This was one of the ways the NSA programs worked... just tap the google lines which were unencrypted and slurp the data as it moved from datacenter to datacenter.

> I mean, they have EU datacenters

That doesn't matter anymore. According to the relatively recent ECJ ruling mentioned in the article you're not allowed to transfer any PII to companies that are in any way affiliated with a US-based entity (e.g., by virtue of having a US-based parent company), which clearly is the case for Amazon and AWS.

It doesn't stop there. According to some privacy experts, even a third party just having a US-based supplier might be construed as a customer of that third party being in violation of GDPR, at which point we'd basically have to cease all economic activity.

Go GDPR for the win!

I like the goal of privacy, but I won't be sad to see the ridiculous GDPR law implode.

That’s a weird attitude, at its core the GDPR is simply about keeping track of data, and ensuring that it’s not used for anything the users didn’t consent to.

I’m having a hard time seeing how the rules could be any different. Remember that the GDPR is also result of companies looking at the cookie law and deciding “fuck it, let’s find a loop hole and not change anything”.

Oh, I don't know, maybe writing it so that it doesn't mean companies in the EU "basically have to cease all economic activity"?

Or writing it so that it doesn't claim to tell me what I have to do with my website when I live in another jurisdiction. I laugh at GDPR. The EU can keep its bureaucracy to itself thank you very much. Making simple websites illegal and forcing me to hire a lawyer to figure out not what I'm allowed to do, but how I must do it just so is just the sort of nonsense I've come to expect from them.

And yes, I agree that it is a continuation of the stupid cookie law that has made the web measurably worse in every regard. As I wrote here recently,

> What an utterly useless law. We have a convenient way for people to request universally that sites not track them. So let’s make a law that makes them have to ask “the right way” every. Single. Stinking. Site. On. The. Internet. Every. Single. Time. They. Visit. Every. Single. Site. > > One might be forgiven for assuming that the law was actually intending to accomplish the reverse of the stated goal. It gives site owners tons of explicit opt-ins that nobody can complain about, even though they were coerced.

Companies in the EU need cease no legitimate economic activity. What one must do is seek consent of European citizens before using their data.

Those abusing personal information without consent deserve all the fines that can be thrown at them. I'd rather there were personal liability in the same manner as Title IX of Sarbanes-Oxley, but in the meantime, this is the best there is.

Then your argument is not with me, but with the privacy experts that BjoernKW mentioned:

> According to some privacy experts, even a third party just having a US-based supplier might be construed as a customer of that third party being in violation of GDPR, at which point we'd basically have to cease all economic activity.

That's the only thing I was really replying to here at the start.

Consent is insufficient. Exclusively storing data on servers physically located in the EU is insufficient. As soon as a business has dealings with a US-based company or an EU-based company owned by a US-based company that potentially might have access to user data that business technically is in violation of GDPR.

As of now, as a business you essentially have three alternatives:

1. Run the entire infrastructure you need yourself or have it run by EU-based companies guaranteed to have no relations with US-based entities whatsoever (Good luck with finding those ...). This, for example, includes payment systems and banking infrastructure, because guess where many EU-based banks host their infrastructure? That's right, AWS.

2. Go out of business.

3. Ignore this aspect of GDPR for now, document everything, continue to do your own due diligence, and hope for the best.

> basically have to cease all economic activity

I'm sorry, but that's the same bullshit argument that the Danish online retailers are making. So apparently it is absolutely impossible to do business, of any kind, without violating users privacy? Sure, some business can't function under the GDPR, that is true. The question then become, do we actually care? I don't. Those who can not deal with the GDPR are either extremely shady, or they are based in countries where the governments do not care about violating my privacy at all and will use creepy laws to force them to hand over information and shut up about it.

The GDPR is very aggressive, and rather broad in scope. Ideally I do agree that it should be a bit more forgiving, but given that business didn't even want to pretend to respect the privacy of customers, it's forced to be very restrictive.

The business that rely on user tracking, sell and reselling user data are directly to blame for the GDPR. They went WAY to fare and the GDPR is the EU reacting to an industry that failed to play nice.

That's the argument made by the recent ECJ ruling on the matter, not by shady players.

As a business, technically you're simply not allowed to have dealings with US-based companies anymore if you want to be GDPR-compliant.

It doesn't matter if that relation is direct or transitive. If you buy a product or service from an EU-based company, even if data on their servers is guaranteed to never physically leave the EU you're still in violation of GDPR in case that company is owned by a US-based parent company.

The reason for this is that with FISA US law enforcement can force US-based companies to hand over any data, even if that data is stored with an international subsidiary under a completely different jurisdiction.

Now, you might say: "See? This is GDPR working as intended." While that's technically true that doesn't take economic reality into account. It's simply not possible to have an exclusively EU-based economy. Otherwise, why would the EU even need to negotiate trade agreements with other countries (which during the Brexit debate has often been cited as one of the main benefits that comes with being an EU member)?

Why do businesses even have to deal with this? This is a problem at the national and international level and it needs to be solved at that level. Why is it impossible for the EU to demand a FISA exemption for EU-based companies - US-owned or not? That's not an unreasonable demand, after all, given that FISA interferes with other jurisdictions.

The reason is the EU is weak. It's far easier to bully local companies into submission than to do the right thing and stand up to the US.

What AWS claims is not important: the fact that US intelligence agencies are legally required to have access to data worldwide of US companies clashes with EU requirements: it is simply not allowed to expose data on natural EU persons that way.
I really don't understand the problem with Google analytics. Anyone who is able to explain that in easy terms?

So they are collecting data about me to show me better ads. Isn't that what I want? They compare my data to a collection ("look-a-likes") of others that match my data fingerprint. What's wrong with that?

The way I understand it nobody is interested in me as a person (which is a bit sad, but that's a different story...).

The problem is not that it is possible but that it is done without consent or oversight.
Isn't that solved by cookie pop-ups? And: Why is it important to consent?
Because the European view is that your data belongs to you and using it requires your consent.
(comment deleted)
(comment deleted)
EU based cloud services always could compete before. Now they will compete on the basis of being in the EU instead of being better.
Nah, what happens is the US-based companies will just geo-wall the data and throw more money at their EU-based AWS and Azure regions.
To me it reads as only walling the data off is insufficient. They will have to incorporate in Europe or in jurisdiction without FISA-like laws and completely split whole operation there.
I believe that it would come down to this as well. The problem is both them being located in the US AND being a US company.

Alternatively they could mirror an approach that Microsoft had with ther Office Online for a while, that is find a European company acting as "trustee" for the data, so that even if the NSA came knocking the US based company would not have any data on any of their infrastructure it could give them.

But this is only viable for very large companies.
One might think that all these extra regulations benefits only the giants and curbs any newcomers.
Only if one has no idea what these cases are about.
This means US government should pass laws to protect EU citizens data, if they feel generous they could apply it to every person regardless of his citizenship,
Or far simpler, revoke section 702 of the Foreign Intelligence Surveillance Act. It's an absolutely insane law anyhow, basically "we can spy on any data of non-American users of American services, without any restrictions"
I agree that section 702 is a bit extreme.

But, at the heart of it, it makes sense. If foreigners can use services in your jurisdiction, you want to see what they do for security purposes.

Nonetheless, it's against the belief of "innocent until proven guilty."

This assumption leads to the conclusion that only services that reside in the same jurisdiction (EU, USA, ...) can be used if legal protection from the state is desired.

If legal protection from the state is enforced (even for other states) this means there need to be wholly separate services in each jurisdiction.

This seems very undesirable, especially for the US with it's multinational web companies.

> This assumption leads to the conclusion that only services that reside in the same jurisdiction (EU, USA, ...) can be used if legal protection from the state is desired.

which is the correct conclusion? As the state can only offer legal protection under its own jurisdiction.

Sure, real life complicates things a bit. (mainly, the jurisdiction of the EU as an institution in and of itself compared to its member states is a messy affair) but it is still a totally valid argument none the less.

>which is the correct conclusion? As the state can only offer legal protection under its own jurisdiction.

Not sure I follow, US gov can't legally protect non US citizens from itself abusing them? It should be as hard for the spying to happen for an US or non US citizen or company.

> But, at the heart of it, it makes sense. If foreigners can use services in your jurisdiction, you want to see what they do for security purposes.

As a "foreigner" in a friendly country I'm understandably not too happy about this. And the logical outcome is that the US will lose business anywhere this is unacceptable.

I completely agree with your statement, and I feel the same!
> If foreigners can use services in your jurisdiction, you want to see what they do for security purposes.

There are a LOT of things that law enforcement agencies want that they should not get. The fact that they want it or that it would be useful to them is not enough of an argument to give it to them. It has to be balanced against other factors, to decide what is best for society as a whole.

I believe that Microsoft is already licensing Azure tech to big European companies to host GDPR-compliant, Azure-compliant regions in Europe. More expensive than regular Azure regions, but still in use for some purposes.

Given that the big 3 cloud providers already have some trouble providing stable operations, I suspect it won't be the pinnacle of reliability, but have no first-hand experience with them.

I checked the Azure Pricing Calculator just now.

Pricing for services in the EU GDPR "Sovereign" safe-zones (e.g. "Germany Central (Sovereign)") is largely the same as for services in other zones:

Azure App Service in Germany Sovereign: $62/mo

Azure App Service in West US: $54/mo

1TB Azure Storage in Germany Sovereign: $21.00

1TB Azure Storage in West US: $20.80/mo

---------------

As for reliability, I haven't noticed any difference in availability and downtime between my Azure resources in any of the zones I've got services in. YMMV. Lately Azure's actually looking pretty good compared to AWS's spate of outages over the past 6 months.

Yep, you’re spot on with this. Even with a geo-wall AWS or Microsoft are still US based companies that have to comply with a FISA order. I work for a SaaS and we’re continuously questioned by our customers about this but we can’t do much as everything we have is architected around one particular US based cloud provider. We tried HYOK/BYOK/EU entity, so both security and legal controls which are insufficient today.
It should be this way anyway. Currently they pay little to no tax on all their European income. They don't even collect VAT which to me is a mystery how they can get away with it, because AFAIK it's already a law they should have to follow.
"throw more money at their EU-based AWS and Azure regions."

Impossible, the mother company is still american.

Interestingly, it's not actually about being in the EU specifically, it's just about being in a jurisdiction with equivalent data protections. It's not a "must be EU" cloud requirement, it's a "must not be USA" requirement.

Canada, Brazil, Japan, India, and many other non-EU countries have GDPR-like data protection regulation that would be totally acceptable I think (IANAL).

The core problem is USA specific - either the USA needs to implement serious data protection laws where they can't blanket surveil foreign user's data, or EU businesses will have to move elsewhere.

I wouldn't be surprised if in future, similar local rulings appear in Canada/Brazil/Japan/Indian/the rest of the world for businesses based there too. It might be a difficult few years for US-based cloud providers.

Note that the US is absolutely capable of passing a data protection law at any time. I wouldn’t hold my breath, though.
> that would be totally acceptable

There needs to be an official adequacy decision, it's not automatic

https://ec.europa.eu/info/law/law-topic/data-protection/inte...

Canada is indeed covered by one such decision

Ah, good info, thanks! Looks like the full list of 'already approved as adequate' countries for data protection is:

- Andorra

- Argentina

- Canada (commercial organisations)

- Faroe Islands

- Guernsey

- Israel

- Isle of Man

- Japan

- Jersey

- New Zealand

- Republic of Korea

- Switzerland

- the UK

- Uruguay

2022 is a great year to be a cloud provider based in any of those.

I somewhat agree, but it depends on how you define 'better'. Data privacy is better for the end user, and it wasn't something that was properly taken into account before, and users basically had no way to make any difference in the decision.
Now they will compete _also_ on the basis of being in the EU.

This adds an advantage. It doesn't mean they can be, and need to be competitive in other ways too. And there is not one, but several EU based services that compete with each other.

Have you considered that being in the EU, with higher data protection standards, makes them better?
That's again based on the work of Noyb and Max Schrems:

   In July 2020, the CJEU has issued its groundbreaking "Schrems II" ruling,
   holding that a transfer to US providers that fall under FISA 702 and EO 
   12.333 violate the rules on international data transfers in the GDPR. The 
   CJEU consequently annulled the transfer deal "Privacy Shield", after 
   annulling the previous deal "Safe Harbor" in 2015. While this sent shock 
   waves through the tech industry, US providers and EU data exporters have 
   largely ignored the case. Just like Microsoft, Facebook or Amazon, Google has 
   relied on so-called "Standard Contract Clauses" to continue data transfers 
   and calm its European business partners.


   Max Schrems, honorary chair of noyb.eu: "Instead of actually adapting 
   services to be GDPR compliant, US companies have tried to simply add some 
   text to their privacy policies and ignore the Court of Justice. Many EU 
   companies have followed the lead instead of switching to legal options."
https://noyb.eu/en/austrian-dsb-eu-us-data-transfers-google-...

https://noyb.eu/en/101-complaints-eu-us-transfers-filed https://noyb.eu/en/update-noybs-101-complaints-eu-us-data-tr...

If there is ever going to be an EU version of a GoFundMe for a statue for Schrems I'm in. It's one thing to have good privacy laws, it's quite another to get them enforced. As public service comes this a fantastic job for all of us.
You should support Noyb then, the no-profit he works for! https://noyb.eu/en

I am not affiliated, but I am a massive supporter of them and is one of the donations I am happier to give

Agreed.

Am a supporter too, as a matter of fact it's the only recurring donation payment i have...

The title sounds to a general impact ("..Paves the Way to EU-Based Cloud Services").

But on closer read, it seems to partially apply to SaaS/PaaS cloud services, which hold data outside EU.

Google also provides IaaS/PaaS cloud offering based within EU as well [0].

[0]: https://cloud.google.com/about/locations#europe

Considering that this ruling is based on schrems II case which concluded that FISA 702 and EO 12.333 are not compatible with GDPR it would seem that holding data within the EU is not a solution since FISA 702 and EO 12.333 are applicable to data held anywhere in the world by a US company.
That is my understanding too. The issue is as much about jurisdiction as the physical location of the hard drive that holds data.
Am not legally savvy on this to be educated on merits of what cited FISA/EO mean.

I am curious as to what argument can find it acceptable to block US company, also when they place data within EU and can’t be compelled to handover to US law enforcement.

>can’t be compelled to handover to US law enforcement

Even if a US company holds their data in the EU, due to FISA 702, the CLOUD act and EO 12.333, they can still be compelled to hand over that data. So being a US company is a dealbreaker, regardless of where the data is stored.

What if google uses EU based legal company?

https://cloud.google.com/terms/google-entity

I doubt that US courts will fall for this transparent legal tricks. It's not Google, it's Google EU!
Google would have to redesign their corporate structure so that EU customers of Google EU are never subject to US law, with no US-owned business anywhere in the subsidiary chain. Imagine that this is the current chain:

Alphabet (US) -> Google (US) -> Google (EU)

Under such a structure, Google (EU) is not GDPR-compliant, and will need to drop all upstream inheritance of (US) to comply with this ruling.

I am not your lawyer, this is not legal advice.

All of this is similar to what China did back in the day. It helped foster an ecosystem for their own services, but of course they were (and are) of a lower quality.
true, but to be fair: seems like it worked out pretty well for china...
It worked out pretty well for politicians and those who work in the tech sector. Worked out terribly for the rest of citizens.
[citation needed]
> All of this is similar to what China did back in the day.

In what way is it similar, I'm not seeing it? When did China introduce something like GDPR and how did it help foster an ecosystem of their own services?

At first, western services were banned using laws similar to what some countries in the EU have (like how some tweets are unavailable in some European countries for disputing the holocaust, etc). Also: https://www.euronews.com/2022/01/26/germany-considers-bannin...

Now they have pushed something very similar to the GDPR. More info about these two things here:

https://en.wikipedia.org/wiki/Internet_censorship_in_China#L...

So it is not similar at all? I see no relationship one can draw between GDPR and Chines censorship of the internet and how it came to be.
Would disagree on all services being of inferior quality. I think WeChat is better than WhatsApp. You can do everything and yet—it is still a straightforward, easy to use, Chat app.
> but of course they were (and are) of a lower quality

[citation needed]

My last visit to China in 2019 felt like stepping into the future: You can do anything using apps, even buy a bottle of soda at a vending machine or pay for vegetables from a street vendor. I wouldn't call that lower quality, quite the contrary actually in terms of ubiquity and functionality. Of course most people in the west wouldn't know that as the Chinese service providers do not expand as much overseas, but they're on a whole other level there in terms of technological adoption.
Nice job. Now if EU could just export this to the rest of the world … that would be fantastic!
Actually, there's an "easy" way out for Google & Co: set up a EU subsidiary and allow them to run autonomously. Il will be subject ONLY to EU laws, on EU servers... but with US technology... and money (ONLY and not datas) will flow back to the US !

As a side effect: Google.EU will be able to use the "full" power allowed by GDPR (european data & world data) as Google.WORLD will "only" be able to use world data excluding EU. But maybe Google.EU will be able to export "consolidated" (so anonymized) datas back to the US ?

Same would be applicable for Apple, Amazon, MS & Co...

this would not work, as it would still fall under the FISA jurisdiction according to US law.
No, that wouldn't work either because that EU subsidiary would still be controlled by its US-based parent company.
The part in most curious about is not even the usual web services we talk about here, but who will be the new big pipe provider in the EU. Who can compete with CloudFlare / Fastly / Akamai / Maxcdn with the raw bandwidth of DDoS that they can sink in their network.

Anyone apart from Gcore labs?

I am not really sure, but I can at least list those that has a good chance (assuming that they weren't beaten over by a startup):

European ISPs with Tier-1 capabilities: Sweden's Arelion (prev. Telia Carrier), Telecom Italia's Sparkle, T-Systems (part of Deustche Telekom), France's Orange, and the business and carrier division of Telefonica.

Webhosting with demonstrated capabilities are another one: I can only name OVH to be frank. Iliad (dba Scaleway) has good European connections but not global, and Hetzner while a capable hoster is not that invested outside of Germany.

It would be interesting if the ISPs got into this game. Although it doesn't look like they're interested so far - at least not in the non-big-government-contract way. US telcos didn't get involved either at consumer CDN level.

Hetzner has only a handful of locations - they'd have to massively scale up to be a viable CDN and add all the needed tech.

Hetzner also has facilities in Finland and even bought into a low-latency undersea cable for that purpose. They are also expanding into the US currently.
>They are also expanding into the US currently.

This makes it worse, since they fall under US CLOUD Act now.

I think they created a subsidiary company in the US for their US offering and I don't think the US cloud act can compel the parent company to do anything? Whereas the inverse direction was problematic.
If that's the case, would it make sense for US-based companies to switch their ownership structure around so their EU subsidiary becomes the parent company?
No, they will lose US domicile which is important for certain things like government and military (literal $$$) contracts. This isn't theoretical, Broadcom (which in 2015-2018 was structured to be domiciled in Singapore mainly for tax reasons) nearly acquired Qualcomm but was blocked due to US national security concerns (https://www.straitstimes.com/business/trump-signs-order-proh..., although I'll note that in practice even if US-domiciled, Qualcomm's board isn't interested and a hostile takeover is unlikely to be successful).
I guess the question is then: Are US government contracts worth more than access to a market of 500M people, mostly reasonably well off?
There aren't many/any others from what I can see, at least not to GCore's scale. GCore has a CDN, ddos protection, and many points of presence. Probably the best solution unless you want to build and maintain your own servers.
I have read here on HN a comment which said the following : US companies will still be at an advantage as they can still mine their other customers and use this knowledge for their EU operations as well.

EU based companies will not be allowed to mine US customers the same way.

Perhaps a business that doesn’t mine it’s customers data can find an advantage in that restriction. Plenty of successful businesses are built around the idea that you don’t need to sell out.
Plenty? Or a handful?
Every restaurant, every taxi, every plumber you have ever interacted with did not make their money by selling your personal information. They did it by providing value in exchange for a fee. Google and Facebook are the exception to the rule. Sure in the category of free and very popular social networks and search engines this may be the norm, but that category consists of less than a dozen companies.
> Every restaurant, every taxi, every plumber

Sure, except they don't find an advantage in the restriction.

They are not cloudy. A dark kitchen OTOH ...

Proton Mail, GitLab, Pivotal Tracker, Dropbox, Square, ecobee, DuckDuckGo. All found ways to make money without selling your personal data.
Well, that is a better answer. Still doesn't invalidate my original comment though.
Probably because they don't have a good way to monetize. Lots of auto repair shops sell your personal information (mileage, condition of vehicle) to a data collection company that sells it to insurance companies (checking if miles driven is within the policy limits) and carfax/similar services. Of course, mechanics also charge a fee.
Whenever a company tries to sell you their GDPR compliance by stating data is "encrypted at rest" you should call bullshit. If the data is stored on servers that are online the data will never be at rest (until the day the servers are discarded) making this protective measure useless in the context of Schrems II.

The EDPB Guidelines from November 2020 says:

"where unencrypted personal data is technically necessary for the provision of the service by the processor, transport encryption and data-at-rest encryption even taken together, do not constitute a supplementary measure that ensures an essentially equivalent level of protection if the data importer is in possession of the cryptographic keys"

https://edpb.europa.eu/sites/default/files/consultation/edpb...

> Whenever a company tries to sell you their GDPR compliance by stating data is "encrypted at rest" you should call bullshit.

"Encryption at rest" is part of any sensible GDPR compliance concept; the threat that is being defended against is theft or seizure of servers and in the case of portables like laptops and USB sticks also loss of them - without the keys or password, the data is useless.

What would happen if Google would decide to host all of EU related data in EU? They would be 100% compliant?
No, because Google hast to comply with US law and has to transfer data to US officials.
Not if it's run through a European subsidiary surely
They still do since they're a subsidiary/related.

Microsoft tried to get around that by not hosting in the EU but having a european trustee do it for them.

That got us the CLOUD act

The rulings this past week specifically contradict this. Subsidiaries of US corporations are subject to illegal-under-GDPR data collection requests by US authorities, just as much as any other US corporation, as the subsidiary has no legal protections under US law from GDPR-illegal requests by its parent.
It'd only be compliant if they would then also not allow US intelligence agencies to access the data at will. That would however break US law, specifically section 702 of the Foreign Intelligence Surveillance Act
(comment deleted)
So how does this apply to Gmail? If somebody sends an email to me, and I'm using Google Workspace, could they argue I'm sharing their personal information with Google then?
Yes. If you have a Business plan for Workspace you can choose your data region to be in Europe (this is still not water tight but probably the best you can do if you want to use Google Workspace).
Yes, they could theoretically file a GDPR complaint. It is not certain that the courts would judge it a violation, but it’s quite likely, since their data is resting in servers owned (subsidiary-to) a US business.
> It's amazing the amount of vitriol of some europeans (usually french and german) towards United States.

Are you confusing holding US corporations to local standards with vitriol?

> Regarding regulation, Google will just lock the data in the EU and keep doing business as usual.

Isn't that the desired outcome?

What do you mean with vitriol? The handling of personal data by the United States government is just an unsolved problem that has to be dealt with. How is Google going to lock the data in the EU, in a way that it can't be grabbed by the unbound US surveillance apparatus?
I am much more afraid of my data being grabbed by EU / my government surveillance apparatus.
Can't you be worried about both? In the EU you at least theoretically have legal recourse. But these issues go hand in hand, as surveillance data sharing programs like Five Eyes have shown.
Politicians:

The kings of deception, the GOATs at breaking the terms and conditions

"Google will just lock the data in the EU and keep doing business as usual."

Personal data of EU citizens cannot be processed by american companies, full stop.

I mean do whatever you want yourself. I will keep using google, and no puerile wanker will stop me. Thanks!
Wow, as an EU citizen with some data stored by US credit agencies, I would love to see those credit rating agencies restricted in how they use my data!

<serious, not snark. I find the US credit rating system abusive>

Send them threatening GDPR emails. I've found that helps in most cases - once had a VP emailing me to personally apologize
I think part of it is desperation. There is absolutely nothing the EU can say that will convince the American politicians that privacy and corporations are out of control in the US. Americans might believe it's fine, but Germans are careful about how personal data is handled and who has access to it.

Culturally the US and Europe is drifting further apart and from the European side it's very hard to see that the US isn't wrong.

To me, it's economic and political nationalism, and a lot of resentment.

Citizens use google and facebook and whatsapp because they trust these companies.

Politicians are trying to intervene because politicians like posturing, being the center of attention, pretending problems exist and they have the solution.

In Europe, politicians dominate too much the debate. We are gullible not for trusting google, but for trusting politcians

Pretty sure Google and Facebook have more trust than politicians.

Maybe politicians should ban themselves?

It's not about Google or Facebook.

It is about USA politicians and USA laws that allow USA to do anything with our data as if we were terrorists.

The "Privacy Shield" was established by politicians twice already and dismantled twice by EU courts.

The initiative to strike down privacy shield and enforce ban is a result of civil society.

https://noyb.eu/en/austrian-dsb-eu-us-data-transfers-google-...

> 2020 CJEU ruling hits the real world. In July 2020, the CJEU has issued its groundbreaking "Schrems II" ruling, holding that a transfer to US providers that fall under FISA 702 and EO 12.333 violate the rules on international data transfers in the GDPR. The CJEU consequently annulled the transfer deal "Privacy Shield", after annulling the previous deal "Safe Harbor" in 2015. While this sent shock waves through the tech industry, US providers and EU data exporters have largely ignored the case. Just like Microsoft, Facebook or Amazon, Google has relied on so-called "Standard Contract Clauses" to continue data transfers and calm its European business partners.

> Max Schrems, honorary chair of noyb.eu: "Instead of actually adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice. Many EU companies have followed the lead instead of switching to legal options."

That depend on where you live. Regardless of how extreme, I trust every single politicians in the Danish parliament a lot more than both Google and Facebook.
American here - we absolutely do not think it's fine. There is no cultural drift[0]. The reason why we don't have GDPR-like laws is that our political system uses culture wars as a distraction tactic. There are plenty of things that Americans absolutely support that have a snowball's chance in hell if it were put into the form of a bill for Congress to vote on.

The EU basically threatening to ban the US from the Internet if they don't play ball on data protection is the sort of thing that might just be loud and forceful enough to get US politicians to actually pass some strong privacy legislation. I'm also happy that US intelligence agencies have been specifically called out - it's like some kind of virtuous inverse of the Five Eyes policy-laundering strategy.

My only complaint is that this ruling is the second-biggest incursion[1] of national borders into what is ostensibly supposed to be an international space. If interpreted a specific way, one might argue that even basic things like messaging systems and web forums need to be totally hosted in the EU, or users need to be siloed off from the US. I'd much rather prefer an international privacy framework that fixes the privacy issues without splintering the Internet, but we tried that with Privacy Shield and the courts shot that down.

[0] More generally, I've found that the gulf in culture between countries is often overstated. Usually because the person overstating it either wants to make the foreign country seem alien and thus interesting, or seem alien and thus dangerous.

[1] First-biggest one being China's Great Firewall

I sometimes see this argument that nations aren't responsible for what their leaders do... but don't they ? After all it was the nation that elected those leaders to represent them ! (This principle is sometimes applied even to the non-nation peoples, in non-democratic countries, as in "you get the leaders that you deserve".)

Also consider how it looks from outside : you can't expect to be aware of all the internal political details of all the countries, at some point you have to consider the people and their government as a single entity (remember how this is also what nations are supposed to be ?)

Well, first off, we're talking about a representative democracy. So you don't get to vote for what your leaders actually do, you only get to vote for who they are, out of a very small list of potential major-party candidates. So right off the bat, you're voting for people who have to, at a minimum, convince the people who specialize in the electoral process to support them. And if you don't like the guy you have, then your only option is to pick someone else whose main difference is being the opposite on a handful of cultural wedge issues. This introduces severe value drift in and of itself.

As an example of this, consider right-to-repair. In cases where it has been put up to a popular vote, it wins dramatically - like, 75% to 86% in favor. But if you go to legislators, they laugh you out of the room; and if they don't laugh you out of the room the governor vetoes it. This is an issue where the American public see it as obvious that repair should be open to all; while many of our politicians either just disagree with the concept, are worried about "intellectual property theft", or don't want to be the first to sponsor something that will wind up being in the next election's attack ads.

So what we have is a situation where Americans and Europeans are more aligned with one another than they are with American politicians.

I also really hate the whole "you get the leaders that you deserve" mentality, especially when applied to non-democratic societies. Not everyone voted for those leaders, nor does everyone always have the opportunity to vote in the first place. The whole concept of a "nation" is at best a convenient fiction; and worst an outright cancer that has fucked over several regions of the world. If you do not understand the internal divides of a nation, at least on a basic level, then you're just engaging in useless stereotyping.

> Google will just lock the data in the EU

Can you explain what you mean by this? If the data is owned by Google, then the US government can compel them to turn it over; full stop. The fact that it lives in another country and never enters into the US is irrelevant; the US government can just say "give us this data, or we will do things that will cause you serious financial/legal harm".

I keep hearing that claim, yet it is never backed up by any substantive evidence or actionable advice as to which of these apparently abundant exclusively EU-based services to use for solving a particular problem.

Well, other than the usual Fathom and Plausible, that is. It might come as a surprise to some, but the web and software in general isn't just comprised of analytics.

Just to try and prove myself wrong I searched for a GDPR-compliant EU-based video conferencing tool on that "developed in Europe" site linked to in the article. The only result I got was "api.video - Video APIs for building, scaling and operating on-demand and live streaming videos".

So, because of GDPR I'm now supposed to code and run my own video conferencing service?

Livestorm.co - Paris

Wonder.me - Berlin

whereby.com - Oslo (technically not EU, but close enough)

That site is just lacking.

Adding pexip.com to that list as well
If FOSDEM, a pretty large but fully volunteer-run organization can host their own videos, why can't you?
First, I'm not a large organization and I don't have volunteers who do my work for me for free.

Secondly, hosting videos is not my core business. The shop around the corner doesn't run its own payment system either, after all.

Finally, I don't need to host videos, I need a video conferencing software, which is something entirely different.

Services in the EU with stricter ethical and privacy standards could pick up US business. I'd rather use almost anyone but google for everything, privately or professionally.
This could go a few ways. First, I'm sure Google will fight this and the fight will go on for some time. If they loose, Google could build EU data-centers and try to be GDPR compliant, which seems the most likely outcome. They could also pull out of the market, which seems less likely. If they pull out, I'm not sure that would be good for the EU market. People are suggesting that EU entities will spring up to fill the void, and thats probably true, but those services will almost certainly lag the benefits of the big US clouds. That may put EU entities at a competitive disadvantage.
>Google could build EU data-centers and try to be GDPR compliant

That doesn't matter, since US CLOUD Act allows US law enforcement to subpoena data even if they are stored in the EU.

The only "way out" is to use cloud providers that have no presence in US.

Basically create a new, completely independent EU entity.
Then what would Google gain from it? The whole point of subsidiaries is that they are not independent and push profits up to mother company.
You could most likely set it up so the EU entity pays "licensing fees" or similar to the US entity without any formal ownership or control.
Does this also mean that e.g. EU business are not allowed to use Stripe or PayPal, since those are owned by US companies? Or, that it's not good enough anymore to use a EU hosting for Mixpanel or AWS or DigitalOcean?
If you, a GDPR-bound business, are silently serving, embedding, or otherwise using resources served by US businesses without explicit opt-in approval, then you absolutely could be violating GDPR, specifically for example if the user’s IP becomes known to the US-operated resources.

This would theoretically apply whether using AWS hosting (even in EU availability zones), Stripe or PayPal cart checkouts, or any other platform owned and/or operated by a US business or its subsidiaries. It isn’t relevant where those US-owned data or servers are hosted.

This unfortunate situation could be corrected by the US signing a new treaty or other law that ensures that the US governments, law enforcement, and courts cannot compel US business to violate GDPR.

(I am not your lawyer, this is not legal advice.)

Thanks for explaining - that's how I also understood it, just wanted to make sure I didn't miss anything.
Out of couriosity: Does the CLOUD act, FISA and whatever else also cover offshore subsidiaries? E.g. would a german Google GmbH still be subject to the CLOUD act if that legal entity has no relationship with the US?

On the one hand, I can't imagine US surveillance leaving open such a glaring hole, on the other hand I wonder what basis US law could apply to companies of non-US countries.

In your scenario, is the theoretical Google GmbH a subsidiary of a US corporation?
I don't know much about the legal details, but I imagine it would have to be.

After all, the purpose of the company would be to offer Google services in Germany - so I imagine, it would either be a subsidiary or a de-facto shell company.

Good point though, that sort of answers my question already.

The website of the German federal tax office is not GDPR-compliant:

https://twitter.com/jdvhouten/status/1488481039630704644

Seems premature to sanction private businesses when EU governments have not yet been able to come fully into compliance. Perhaps the changeover is more difficult than anticipated? As others allude below, it might make sense for the relevant EU-based alternatives to come online/scale up.

>The website of the German federal tax office is not GDPR-compliant:

The German government is, in general, a joke when it comes to websites and doing things online instead of fax/mail/paper.

That’s not how the GDPR is written. It may seem premature, but someone has to be first to be ruled against in order for the interpretation to come into being, same as the Supreme Court and any other interpretive judicial systems.

That the private fine is essentially a token throwaway amount reflects that the court isn’t trying to throw the book at them; one can imagine the court will be much more upset about the government instance you highlight if it remains unaddressed.

Can it be explained, why “data is encrypted at rest using your own key” isn’t acceptable to regulator? Google might be compelled to hand data over, but data is encrypted and useless.
There's no mention of encryption at rest using your own key. To quote the ruling:

> If the second respondent (Google) subsequently refers to encryption technologies - such as the encryption of "data at rest" in the data centers - he must again be countered with recommendations 01/2020 of the EDSA. Namely, it states that a data importer (such as the Second Respondent) who is subject to 50 US Code § 1881a (“FISA 702”) has a direct obligation with regard to the imported data that is in his possession, custody or control to grant access to or release them. This obligation can expressly also apply to the cryptographic key without which the data cannot be read (ibid. margin no. 76).

> As long as the second respondent has the opportunity to access data in the Plain text access, the technical measures taken cannot be regarded as effective in the sense of the above considerations.

The last paragraph suggests true end-to-end encryption may be acceptable, but that's not how Google Analytics works.

> but that's not how Google Analytics works

Yes. I made the question, given the discussion is being treated as much wider, beyond GA.

This also tells me, using own key can still be used by Google to operate as is (US company with EU owned entity and EU located DC)

As long as you proxy^ all requests to Google for that data through your own servers, and do not include X-Forwarded-For: <gdpr-protected-client-ip> or any other identifying details in the request you transmit to Google on their behalf, and your crypto implementation is deemed sound, then that would likely be found not to be a GDPR violation. This runs counter to the tendency of websites to offload the burden of "go fetch and evaluate XYZ" to the useragent, and requires a server under your control that is not under US jurisdiction^^ to host or proxy all internet traffic of any kind necessary to deliver the service. (I am not your lawyer, this is not legal advice.)

^ some services may ban you for proxying in this manner without a contract

^^ proxy must not be hosted by or operated within AWS, GCP, Heroku, or any other US-controlled services provider

> or any other identifying details in the request you transmit

You can definitely still use GA if you really wanted to, just not in any way that uses PII (the default).

If Google restructured into a franchise model, where each franchisee independently operates Google XY per country XY, then that would legally allow each Google XY to comply with GDPR while paying Google US a franchise fee. Technically, however, this is a nightmare to implement, since each Google XY would have a due diligence responsibility to audit all source code changes, and Google US would be required to issue a complete working set of product code to each independent franchisee, as otherwise they're just subsidiaries from a code standpoint, which when interpreted by a court would likely be found equivalent to being a full subsidiary rather than just a franchisee (as Google US would then retain the ability to collect GDPR-protected data in violation of GDPR).