What an embarrassment.
https://news.ycombinator.com/newsguidelines.html
I suppose I'd better add that this isn't about which side you're on. It's just about having an international forum that doesn't suck and doesn't destroy itself. All of you flaming each other in this thread have made HN suck (in this neighborhood) and contributed to destroying it.
No more of this, please. You can make your substantive points without any of that. If you can't, please don't post until you can.
What an embarrassment indeed. Hackernews deserves better moderation.
I'm just writing this because a lot of comments are getting the wrong idea from this and causing some weird mix of hysteria and europhobia. In the grand scheme of things, there is no money lost for Azure and AWS; the potential of the once in a full moon cloud projects from public European institutions wouldn't even amount to something that would be described as pocket change.
By this logic almost every non-EU SaaS would be forbidden.
For sure Stripe is also not allowed, huge amount of customer data in US hands.
The problem isn't non-EU services, it's the US CLOUD Act.
Other countries have legal systems which are considered as offering equivalent protection:
> The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, and Uruguay as providing adequate protection.
And for many more countries standard contractual clauses would probably be enough
So why does USA fail at this? Or are they just too big and diverse for that sort of stuff? And you can't really expect such nation to succeed... In anything...
It will take many years of delays and fretting (due to the dependence on US clouds), but fundamentally the current legal position is that GDPR is incompatible with any personal data transfer to the USA; that's how Google Analytics keeps getting banned too.
At some point this will all come to a head and something will have to budge given the gigantic consequences of such a position, from AWS to GCP to Stripe to even basic things like your Domain Registrar.
Microsoft initially did this for Azure, I believe.
Certainly will cause a lot of friction.
Does that exempt them from the CLOUD Act? If US companies have access to independent operators in Europe, presumably they can still be compelled to give that data to the US.
[1]: https://en.wikipedia.org/wiki/CLOUD_Act
[2]: https://www.imy.se/en/organisations/data-protection/this-app...
But as soon as competitors start moving to European hosting solutions, you need to too, because if you're slow to move over you can bet the courts will be chasing after people with fines.
Colocated hosting is very, very large in Europe, and many small/medium businesses operate out of a couple of VMs on a server in some datacenter, usually managed by some MSP.
Also, egress fees are very expensive in the cloud, especially if you look at the cost of data transfer inside colocated facilities. Data transfer in the US seems expensive even if you look at colo/private circuits compared to Europe.
1. Would A be dealing directly with S, or is A dealing with C, which is using S to store A's data?
2. Is S incorporated in the EU?
3. Does C have access to data stored in S, other than data that C itself put there using the APIs that S makes available to all its storage customers?
AFAIK public procurement documents are often public.
So you might then split your app to an EU hosted datacenter of your preferred cloud provider.
This ruling says that's insufficient, as while the data remains functionally in the EU it's still possible for it to be accessed on the backend by non-EU entities.
Why is this the case? Why aren't EU employees who allow the data to leave the EU negligent?
news article (German): https://www.golem.de/news/vergabekammer-clouddienste-von-us-...
primary source (German): https://rewis.io/s/u/PjK/
press statement of law firm (German): https://gruendelpartner.de/newsroom/gruendelpartner-erwirkt-...
(The emphasis is mine. Almost all commenters here so far seem to think it's broader than this, which it isn't.)
> The Chamber explained that a transfer in this context must also be assumed when data can be accessed from a third country, regardless of whether this actually takes place. The fact that the physical location of the server that provides such access was located in the EU was irrelevant.
I think this is an interpretation of GDPR that most companies are not prepared for. You could write an implementation that restricts access to EU data, but if the parent company is not in EU, I guess the implementation could always be changed to allow access. Ergo, GDPR violation?
I have no beef with US companies doing business here as such, but as long as they're supporting espionage and sabotage by handing crucial data to the NSA and CIA they should simply not be allowed to operate here.
The case concerns a decision by the Vergabekammer Baden-Württemberg ("Procurement chamber Baden-Wuerttemberg"), the administrative authority that reviews the public procurement procedures.
On 3.11.2021, a public authority issued a Europe-wide invitation to tender for the procurement of software for digital management via an open procedure. The award criteria contained, among other things, requirements for data protection and IT security. The public authority received offers from company A and company B.
You're confused, and your petty vindictiveness is unmotivated. The EU as a space of commerce is not yours to do with as you wish. You have to follow rules and regulations just like our own companies have to. And if your country had not been engaging in espionage and sabotage then there would never have been a need for these "unfair" and "underhanded tactics".
Which companies? Seriously though. Is there a reason the biggest EU software companies are the likes of SAP and Capgemini, or niche players like Spotify?
I mean, I'm not talking about the USA or China, even Russia has a more impressive tech sector.
Could it have something to do with various regulations?
We have rights too, you are not more special and deserve more basic human rights because citizenship.
https://news.ycombinator.com/newsguidelines.html
Edit: you've been breaking the site guidelines in other threads too. We ban accounts that do that, so please stop.
Also, remember the time when Germany decided to go after their own people? How do laws like this help when it comes to situations like that?
1. A company in your own country which got marketshare mostly because of legal reasons and government interference.
2. A company which got marketshare by building products that people loved all over the world, has the smartest people working for them and have generated more value than the vast majority of the companies that existed previously in the world combined.
That rubs some people, such as me, the wrong way. I wonder why :)
2. Your own government that is held accountable to local laws.
Seriously.
We talk about this cloud stuff like it is rocket science. It is not. It is a box in a basement. We are capable of doing that ourselves.
And no. It ain’t cool for NSA to sniff around some German governmental software, even though you are the good guys and on our side.
It's not what this site is for, and it destroys what it is for.
Please refrain from interfering with healthy discussion.
An EU subsidiary of a US company is fully legal fair game for every 3 letter agency.
Then do it.
But here we are talking about whether the German government should use hosting centers for their governmental software that they know are accessible to US intelligence services.
The answer to that is: Of course not.
Except now, the EU is more or less forcing American companies to sell unaffiliated spin-offs to the EU to continue doing business there. Seems a bit underhanded to change the rules now after so long, especially considering the fact that the EU can’t make these companies for themselves or they would have already.
I like privacy, but the business person in me is very frustrated by these GDPR rulings as they make the life of European startups even harder than it already is.
Really? In some places in Europe, people were starting to get excited about dial-up BBSes in the mid nineties, a decade after they were on their way out in North America.
In 1994 I was doing contract work in Vancouver on a website with paying subscribers.
America engages in global-level surveillance. American corporations can be coerced with a single national security letter to spy on their customers. Ergo they are untrustworthy and should not be used.
This is the obvious outcome of the US government's repeated and explicit statement that non-US residents do not have any due process rights and thus no warrant requirements, followed by (when companies tried to compensate for this abuse by creating subsidiaries in the EU) stating that the US government also had access to all subsidiaries' data, again with no due process protections.
What did the US government think would happen when they made it clear that no US company could provide due process protections for any EU data that they possessed?
This has nothing to do with the “IP theft”, but rather the inability of US companies to comply with universally applicable EU law.
If you let all subsidiaries of M/G/A (including customer data) be within reach of US courts, don't get surprised when other countries treat it as toxic.
The US gov would never accept this in procurement, so why should other countries?
On the case in question, it seems the company changed the tender document to take out some (protection) clauses
Restricting the sale or transfer of personal data to a foreign-held company that can and will obey foreign laws with regards to that data is, I think, perfectly fair.
The dances companies go through to appear local or non-local with shell companies is an abuse of the intent of many laws.
Microsoft/Google/Amazon/etc. probably can figure out how to operate in Europe to comply with the intent of the law, but it might require a rather large actual separation of interests rather than a shallow apparent one.
But the power centers (foundations etc.) are in the USA. International contributors are expected to bow to U.S. cultural dominance and follow the latest whims.
OSS has been stolen by the USA.
Isn't that what happened with TikTok?
Both China and the US have laws that force global subsidiaries of Chinese/American companies to hand over data held overseas.
I would argue the relationship between Europe and US are substantially better, although not without frustrations from both sides, some warranted and some not.
At the very least, several countries are in a formal defensive alliance with the US and each other (NATO).
But it does show how an all-reaching law like GDPR can have strange consequences…
If I'm reading the ruling correctly, the relevant legal standard applied here is completely bogus. They find that it is a violation of GDPR because the parent company could access the data, in principle if they wanted to. It doesn't matter if there are safeguards, technical, or institutional preventions in place.
However, the exact same argument applies to any EU company with any internet connection, and directly applies to any EU company with infrastructure in the US. EU companies could, in principle, transfer data to the US intentionally or by accident. If technical, institutional, and legal prevention isn't good enough for US companies, why is it good enough for EU companies? Seems like GDPR has to also be construed to prevent EU companies from doing business in the US.
If the counter argument is that US companies could be compelled by the US government to hand over data, while EU companies cannot be, that is factually untrue.
Except the American company made it clear that no such safeguards will be in place and that it will transfer the data out of its EU servers if legally compelled to do so. This can be found in the German text at https://rewis.io/urteile/urteil/ocw-13-07-2022-1-vk-2322/ .
> Regions. Customer can specify the location(s) where Customer Data will be processed within the X. Network (each a "Region"), including Regions in the EEX. Once Customer has made its choice, X. will not transfer Customer Data from Customer's selected Region(s) except as necessary to provide the Services initiated by Customer, or as necessary to comply with the law or binding order of a governmental body.
Any governmental body can request access to EU users data and the data will be moved out of the EU region. At best it provides that it will challenge any inappropriate or overly broad request, but there is no legal framework for what qualifies as such between the EU and US and the US is unlikely to care about challenges that have no legal basis.
They have a legal search warrant. This is an EU country that likely has a law enforcement and judicial cooperation treaty with the US.
> A included clauses in the offer that stated, among other things, that it will not access, use, or disclose customer data to any third party, except as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body.
So it is a transfer of data from EU control to US control. Very clearly.
Yes, this might be a reasonable argument. You'd be in a bad place as an EU company trying to operate in the US right now. Perhaps the US should quit passing spy law and we can go back to cooperating.
I’m sure I’ll get downvoted by Europeans but it’s the truth. Look at the valuable companies and where they are located :)
End result is almost certain to be more cloud providers in Europe, but I'm not sure they're wrong to want that.
> A included clauses in the offer that stated, among other things, that it will not access, use, or disclose customer data to any third party, except as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body.
Of course giving a US company control over EU data at a whim means that it's a transfer to the US. The court made the only reasonable decision.