Danish Data Protection Agency bans Google Workspace for Municipalities

lock-the-spock 3 years ago |

Wow, stunning. The real test will be whether chromebook use gets banned in schools - an office you can switch over, but a whole school bound to chromebook hardware? This will be a very difficult/expensive switch. Alternatively one could dream that this brings Linux to schools - which would be the basis of a long-term break with the MS/Apple/Google dependency.

hulitu 3 years ago | |

Chromebooks are not so popular in europe.

ecmascript 3 years ago |

This is a good thing! I hope my country (Sweden) follows suit.

dontreact 3 years ago | |

Why do you think this is a good thing?

nisa 3 years ago | | |

Not OP but but I try to explain it from my subjective perspective: It's good because that's not your small nodejs startup but rather Municipalities. They process sensitive data about their citizens and I'm sure Denmark has strict privacy laws for that. Giving that data to Google means it's now in the US and can be used by NSA or other organisations for spying. Does that happen? I don't know. But why take the risk. Secret court orders for national security are a thing. So it's a danger to the independence of the Danish state. Might all sound a little hyperbolic and theoretic but it can't be excluded. Furthermore it's illegal under current EU law ontop of that. See the other links to Max Schremps works here. Of course due to the sad state of public it infrastructure in Europe the risk for loosing the data is probably much higher than storing it at Google. I'm not optimistic that this will change. Too much lousy small firms and borderline corruption and too much tax money to earn.

AinderS 3 years ago | | |

> Might all sound a little hyperbolic and theoretic but it can't be excluded

> the Central Intelligence Agency (CIA), the Bureau of Intelligence and Research (INR) and the United States European Command (USEUCOM) already spied on France in their 2012 elections. Targets have been all parties and their leaders. [..] All targets were infiltrated both by human (”HUMINT”) and electronic (”SIGINT”) CIA spies. Specific tasks have been selected for all targets individually. [1,2]

Associated Press, on the other hand, did everything they could to downplay the degree of espionage and infiltration:

> American spies wanted an insider’s take on the race, including details of party funding, internal rivalries and future attitudes toward the United States. Although WikiLeaks’ publication of a purportedly secret CIA document was striking, the orders seemed to represent standard intelligence-gathering. [3]

I wonder if they would have described Russian infiltration of US parties as "standard", and not striking.

[1] https://www.huffpost.com/entry/cia-spied-french-elections_b_...

[2] https://wikileaks.org/cia-france-elections-2012/

[3] https://apnews.com/article/8e5094a33ad84837a7faa31c426ca909

dogma1138 3 years ago | | |

Impacts of such rulings also mean that the small startups and everyone in between is impacted.

There are no EU only alternatives to GCP, Azure or AWS, I mean there’s always Alicloud but well…

Alternatives will not be developed in time for these rulings to have a devastating impact on EU companies and in fact any company that works in the EU that processes data covered by GDPR even if they host purely within the EU simply because the parent company is in the US.

And even if my some miracle a real European cloud competitor would arise they wouldn’t limit their market to the EU, and the moment they have a substantial US presence and a US legal entity they can fall under similar circumstances as US originated companies.

This also means that potentially using solutions such as customer supplied or managed keys to encrypt data outside of the direct control of cloud providers is no longer sufficient to protect yourself from data transfer risk.

hulitu 3 years ago | | |

Why would someone want to store private data in the cloud ?

konschubert 3 years ago | | |

Counterpoint:

The data that municipalities store is not super sensitive, at worst it contains information about the number of sick days and salary. If the NSA cares about this data at all, it will probably have other means to obtain it.

On the other hand, the municipalities might now have to spend a lot more taxpayer money to support a worse system that might reduce their efficiency, increasing wait times and frustrations for citizens.

danaris 3 years ago | | |

That sounds very much like an "if you have nothing to hide, why are you worried about privacy?" argument. Which is deeply suspect and entirely serves the interest of the massive surveillance apparatus.

konschubert 3 years ago | | |

I see your point. But I think there is also value in choosing your battles.

I would l rather see resources spent towards the defense against Russian aggression, instead of major IT projects with really unclear privacy impact.

djbebs 3 years ago | | |

On the contrary, since the state ostensibly exists to serve its citizens, there is no legitimate reason to withhold any data whatsoever from them.

The idea that all but the most dangerous military information should not be public in real time flies in the face of the concept of an informed citizenry, and is far more dangerous and pernicious than its access by hostile powers.

If some information should not be public, it simply should not be accessible by the state.

hulitu 3 years ago | | |

You're right, apart from name, age, address, type of home there is no sensitive information stored.

frozencell 3 years ago | | |

WikiLeaks argument.

petters 3 years ago | |

That would be bad, since that’d mean storing the data themselves, with an increased risk of data leaks. (There was a medical data leak as recently as today from a Swedish agency. The track record is unfortunately not good)

But the law is the law.

peterhunt 3 years ago |

I’m trying to understand the current position of the EU commission on data transfers to the US. Based on this plus the recent google analytics decisions, it seems to me that data transfers to the US are going to be prohibited by default under the recent interpretations of chapter V. Am I understanding this correctly?

Y-bar 3 years ago | |

Since the entire Privacy Shield has been ruled invalid it seems all EU-US transfers/multinational corporations which process personal data are in a tough spot. I think Max Schrems (who took Facebook, among others, to court on GDPR) has a good explanation:

https://noyb.eu/en/project/eu-us-transfers

> At its core, this case is about a conflict of law between US surveillance laws which demand surveillance and EU data protection laws that require privacy.

jimkleiber 3 years ago | | |

I really hope that in the (near) future we figure out a system of governance to better resolve inter-national conflict. I assume these conflicts will only increase as we increasingly interact across national borders.

betaby 3 years ago |

As all court rulings that one uses wording which is impossible interpret unambiguously. Example " A general ban on processing with Google Workspace until adequate documentation and impact assessment has been made and until the processing operations have been brought into compliance with the Regulation" whatever it means.

ChrisArchitect 3 years ago |

Just a changed URL from yesterday's post: https://news.ycombinator.com/item?id=32099850

lizardactivist 3 years ago |

Well done Denmark!

A cue to other countries. Follow Denmark's lead and safeguard your data, your systems, and the privacy and security of everyone working in your municipalities.

theplumber 3 years ago |

Finally some good things come out of GDPR