Danish Data Protection Agency bans Google Workspace for Municipalities (opens in new tab)

(blog.simpleanalytics.com)

58 pointsironman13y ago27 comments

27 comments

Wow, stunning. The real test will be whether chromebook use gets banned in schools - an office you can switch over, but a whole school bound to chromebook hardware? This will be a very difficult/expensive switch. Alternatively one could dream that this brings Linux to schools - which would be the basis of a long-term break with the MS/Apple/Google dependency.

hulitu3y ago

Chromebooks are not so popular in europe.

ecmascript3y ago

This is a good thing! I hope my country (Sweden) follows suit.

dontreact3y ago

Why do you think this is a good thing?

nisa3y ago

Not OP but but I try to explain it from my subjective perspective: It's good because that's not your small nodejs startup but rather Municipalities. They process sensitive data about their citizens and I'm sure Denmark has strict privacy laws for that. Giving that data to Google means it's now in the US and can be used by NSA or other organisations for spying. Does that happen? I don't know. But why take the risk. Secret court orders for national security are a thing. So it's a danger to the independence of the Danish state. Might all sound a little hyperbolic and theoretic but it can't be excluded. Furthermore it's illegal under current EU law ontop of that. See the other links to Max Schremps works here. Of course due to the sad state of public it infrastructure in Europe the risk for loosing the data is probably much higher than storing it at Google. I'm not optimistic that this will change. Too much lousy small firms and borderline corruption and too much tax money to earn.

AinderS3y ago

> Might all sound a little hyperbolic and theoretic but it can't be excluded

> the Central Intelligence Agency (CIA), the Bureau of Intelligence and Research (INR) and the United States European Command (USEUCOM) already spied on France in their 2012 elections. Targets have been all parties and their leaders. [..] All targets were infiltrated both by human (”HUMINT”) and electronic (”SIGINT”) CIA spies. Specific tasks have been selected for all targets individually. [1,2]

Associated Press, on the other hand, did everything they could to downplay the degree of espionage and infiltration:

> American spies wanted an insider’s take on the race, including details of party funding, internal rivalries and future attitudes toward the United States. Although WikiLeaks’ publication of a purportedly secret CIA document was striking, the orders seemed to represent standard intelligence-gathering. [3]

I wonder if they would have described Russian infiltration of US parties as "standard", and not striking.

[1] https://www.huffpost.com/entry/cia-spied-french-elections_b_...

[2] https://wikileaks.org/cia-france-elections-2012/

[3] https://apnews.com/article/8e5094a33ad84837a7faa31c426ca909

dogma11383y ago

Impacts of such rulings also mean that the small startups and everyone in between is impacted.

There are no EU only alternatives to GCP, Azure or AWS, I mean there’s always Alicloud but well…

Alternatives will not be developed in time for these rulings to have a devastating impact on EU companies and in fact any company that works in the EU that processes data covered by GDPR even if they host purely within the EU simply because the parent company is in the US.

And even if my some miracle a real European cloud competitor would arise they wouldn’t limit their market to the EU, and the moment they have a substantial US presence and a US legal entity they can fall under similar circumstances as US originated companies.

This also means that potentially using solutions such as customer supplied or managed keys to encrypt data outside of the direct control of cloud providers is no longer sufficient to protect yourself from data transfer risk.

2 more replies

konschubert3y ago

Counterpoint:

The data that municipalities store is not super sensitive, at worst it contains information about the number of sick days and salary. If the NSA cares about this data at all, it will probably have other means to obtain it.

On the other hand, the municipalities might now have to spend a lot more taxpayer money to support a worse system that might reduce their efficiency, increasing wait times and frustrations for citizens.

2 more replies

frozencell3y ago

WikiLeaks argument.

petters3y ago

That would be bad, since that’d mean storing the data themselves, with an increased risk of data leaks. (There was a medical data leak as recently as today from a Swedish agency. The track record is unfortunately not good)

But the law is the law.

peterhunt3y ago

I’m trying to understand the current position of the EU commission on data transfers to the US. Based on this plus the recent google analytics decisions, it seems to me that data transfers to the US are going to be prohibited by default under the recent interpretations of chapter V. Am I understanding this correctly?

Y-bar3y ago

Since the entire Privacy Shield has been ruled invalid it seems all EU-US transfers/multinational corporations which process personal data are in a tough spot. I think Max Schrems (who took Facebook, among others, to court on GDPR) has a good explanation:

https://noyb.eu/en/project/eu-us-transfers

> At its core, this case is about a conflict of law between US surveillance laws which demand surveillance and EU data protection laws that require privacy.

jimkleiber3y ago

I really hope that in the (near) future we figure out a system of governance to better resolve inter-national conflict. I assume these conflicts will only increase as we increasingly interact across national borders.

betaby3y ago

As all court rulings that one uses wording which is impossible interpret unambiguously. Example " A general ban on processing with Google Workspace until adequate documentation and impact assessment has been made and until the processing operations have been brought into compliance with the Regulation" whatever it means.

ChrisArchitect3y ago

Just a changed URL from yesterday's post: https://news.ycombinator.com/item?id=32099850

lizardactivist3y ago

Well done Denmark!

A cue to other countries. Follow Denmark's lead and safeguard your data, your systems, and the privacy and security of everyone working in your municipalities.

theplumber3y ago

Finally some good things come out of GDPR

j / k navigate · click thread line to collapse

27 comments

lock-the-spock3y ago

hulitu3y ago

Chromebooks are not so popular in europe.

ecmascript3y ago

This is a good thing! I hope my country (Sweden) follows suit.

dontreact3y ago

Why do you think this is a good thing?

nisa3y ago

AinderS3y ago

> Might all sound a little hyperbolic and theoretic but it can't be excluded

Associated Press, on the other hand, did everything they could to downplay the degree of espionage and infiltration:

I wonder if they would have described Russian infiltration of US parties as "standard", and not striking.

[1] https://www.huffpost.com/entry/cia-spied-french-elections_b_...

[2] https://wikileaks.org/cia-france-elections-2012/

[3] https://apnews.com/article/8e5094a33ad84837a7faa31c426ca909

dogma11383y ago

Impacts of such rulings also mean that the small startups and everyone in between is impacted.

There are no EU only alternatives to GCP, Azure or AWS, I mean there’s always Alicloud but well…

2 more replies

konschubert3y ago

Counterpoint:

2 more replies

frozencell3y ago

WikiLeaks argument.

petters3y ago

But the law is the law.

peterhunt3y ago

Y-bar3y ago

https://noyb.eu/en/project/eu-us-transfers

> At its core, this case is about a conflict of law between US surveillance laws which demand surveillance and EU data protection laws that require privacy.

jimkleiber3y ago

betaby3y ago

ChrisArchitect3y ago

Just a changed URL from yesterday's post: https://news.ycombinator.com/item?id=32099850

lizardactivist3y ago

Well done Denmark!

A cue to other countries. Follow Denmark's lead and safeguard your data, your systems, and the privacy and security of everyone working in your municipalities.

theplumber3y ago

Finally some good things come out of GDPR

j / k navigate · click thread line to collapse