What an embarrassment.
https://news.ycombinator.com/newsguidelines.html
I suppose I'd better add that this isn't about which side you're on. It's just about having an international forum that doesn't suck and doesn't destroy itself. All of you flaming each other in this thread have made HN suck (in this neighborhood) and contributed to destroying it.
No more of this, please. You can make your substantive points without any of that. If you can't, please don't post until you can.
What an embarrassment indeed. Hackernews deserves better moderation.
I'm just writing this because a lot of comments are getting the wrong idea from this and causing some weird mix of hysteria and europhobia. In the grand scheme of things, there is no money lost for Azure and AWS; the potential of the once-in-a-full-moon cloud projects from public European institutions wouldn't even amount to something that would be described as pocket change.
By this logic almost every non-EU SaaS would be forbidden.
For sure Stripe is also not allowed, huge amount of customer data in US hands.
The problem isn't non EU services, it's the US CLOUD act
Other countries have legal systems which are considered as offering equivalent protection:
> The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, and Uruguay as providing adequate protection.
And for many more countries standard contractual clauses would probably be enough
So why does the USA fail at this? Or are they just too big and diverse for that sort of stuff? And you can't really expect such a nation to succeed... In anything...
It will take many years of delays and fretting (due to the dependence on US clouds), but fundamentally the current legal position is that GDPR is incompatible with any personal data transfer to the USA; that's how Google Analytics keeps getting banned too.
At some point this will all come to a head and something will have to budge given the gigantic consequences of such a position, from AWS to GCP to Stripe to even basic things like your Domain Registrar.
Microsoft initially did this for Azure, I believe.
Certainly will cause a lot of friction.
Does that exempt them from the CLOUD Act? If US companies have access to independent operators in Europe, presumably they can still be compelled to give that data to the US.
[1]: https://en.wikipedia.org/wiki/CLOUD_Act
[2]: https://www.imy.se/en/organisations/data-protection/this-app...
But as soon as competitors start moving to European hosting solutions, you need to too, because if you're slow to move over you can bet the courts will be chasing after people with fines.
Colocated hosting is very, very large in Europe, and many small/medium businesses operate out of a couple of VMs on a server in some datacenter, usually managed by some MSP.
Also, egress fees are very expensive in the cloud, especially if you look at the cost of data transfer inside colocated facilities. Data transfer in the US seems expensive even if you look at colo/private circuits compared to Europe.
1. Would A be dealing directly with S, or is A dealing with C, which is using S to store A's data?
2. Is S incorporated in the EU?
3. Does C have access to data stored in S, other than data that C itself put there using the APIs that S makes available to all its storage customers?
AFAIK public procurement documents are often public.
So you might then split your app to an EU hosted datacenter of your preferred cloud provider.
This ruling says that's insufficient as while the data remains functionally in the EU it's still possible for it to be accessed on the backend by non EU entities.
Why is this the case? Why aren't EU employees who allow the data to leave the EU negligent?
news article (German): https://www.golem.de/news/vergabekammer-clouddienste-von-us-...
primary source (German): https://rewis.io/s/u/PjK/
press statement of law firm (German): https://gruendelpartner.de/newsroom/gruendelpartner-erwirkt-...
(The emphasis is mine. Almost all commenters here so far seem to think it's broader than this, which it isn't.)
> The Chamber explained that a transfer in this context must also be assumed when data can be accessed from a third country, regardless of whether this actually takes place. The fact that the physical location of the server that provides such access was located in the EU was irrelevant.
I think this is an interpretation of GDPR that most companies are not prepared for. You could write an implementation that restricts access to EU data, but if the parent company is not in EU, I guess the implementation could always be changed to allow access. Ergo, GDPR violation?
I have no beef with US companies doing business here as such, but as long as they're supporting espionage and sabotage by handing crucial data to the NSA and CIA they should simply not be allowed to operate here.
The case concerns a decision by the Vergabekammer Baden-Württemberg ("Procurement chamber Baden-Wuerttemberg"), the administrative authority that reviews the public procurement procedures.
On 3.11.2021, a public authority issued a Europe-wide invitation to tender for the procurement of software for digital management via an open procedure. The award criteria contained, among other things, requirements for data protection and IT security. The public authority received offers from company A and company B.
1. A company in your own country which got marketshare mostly because of legal reasons and government interference.
2. A company which got marketshare by building products that people loved all over the world, has the smartest people working for them and have generated more value than the vast majority of the companies that existed previously in the world combined.
That rubs some people, such as me, the wrong way. I wonder why :)
2. Your own government that is held accountable to local laws.
Seriously.
We talk about this cloud stuff like it is rocket science. It is not. It is a box in a basement. We are capable of doing that ourselves.
And no. It ain’t cool for NSA to sniff around some German governmental software, even though you are the good guys and on our side.
It's not what this site is for, and it destroys what it is for.
Please refrain from interfering with healthy discussion.
Except now, the EU is more or less forcing American companies to sell unaffiliated spin-offs to the EU to continue doing business there. Seems a bit underhanded to change the rules now after so long, especially considering the fact that the EU can’t make these companies for themselves or they would have already.
If I'm reading the ruling correctly, the relevant legal standard applied here is completely bogus. They find that it is a violation of GDPR because the parent company could access the data, in principle if they wanted to. It doesn't matter if there are safeguards, technical, or institutional preventions in place.
However, the exact same argument applies to any EU company with any internet connection, and directly applies to any EU company with infrastructure in the US. EU companies could, in principle, transfer data to the US intentionally or by accident. If technical, institutional, and legal prevention isn't good enough for US companies, why is it good enough for EU companies? Seems like GDPR has to also be construed to prevent EU companies from doing business in the US.
If the counter argument is that US companies could be compelled by the US government to hand over data, while EU companies cannot be, that is factually untrue.
I’m sure I’ll get downvoted by Europeans but it’s the truth. Look at the valuable companies and where they are located :)
End result is almost certain to be more cloud providers in Europe, but I'm not sure they're wrong to want that.
> A included clauses in the offer that stated, among other things, that it will not access, use, or disclose customer data to any third party, except as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body.
Of course giving a US company control over EU data at a whim means that it's a transfer to the US. The court made the only reasonable decision.
You're confused, and your petty vindictiveness is unmotivated. The EU as a space of commerce is not yours to do with as you wish. You have to follow rules and regulations just like our own companies have to. And if your country had not been engaging in espionage and sabotage then there would never have been a need for these "unfair" and "underhanded tactics".
Which companies? Seriously though. Is there a reason the biggest EU software companies are the likes of SAP and Capgemini, or niche players like Spotify?
I mean, I'm not talking about the USA or China, even Russia has a more impressive tech sector.
Could it have something to do with various regulations?
We have rights too; you are not more special and don't deserve more basic human rights because of citizenship.
https://news.ycombinator.com/newsguidelines.html
Edit: you've been breaking the site guidelines in other threads too. We ban accounts that do that, so please stop.
Also, remember the time when Germany decided to go after their own people? How do laws like this help when it comes to situations like that?
An EU subsidiary of a US company is fully legal fair game for every 3 letter agency.
Then do it.
But here we are talking about whether the German government should use hosting centers, for their governmental software, that they know are accessible to US intelligence services.
The answer to that is: Of course not.
In Europe?
I like privacy, but the business person in me is very frustrated by these GDPR rulings as they make the life of European startups even harder than it already is.
Really? In some places in Europe, people were starting to get excited about dial-up BBSes in the mid nineties, a decade after they were on their way out in North America.
In 1994 I was doing contract work in Vancouver on a website with paying subscribers.
America engages in global-level surveillance. American corporations can be coerced with a single national security level to spy on their customers. Ergo they are untrustworthy and should not be used.
This is the obvious outcome of the US government’s repeated and explicit statement that non-US residents do not have any due process rights and thus no warrant requirements, followed by - when companies tried to compensate for this abuse by creating subsidiaries in the EU - stating that the US government also had access to all subsidiaries data, again with no due process protections.
What did the US government think would happen when they made it clear that no US company could provide due process protections for any EU data that they possessed?
This has nothing to do with the “IP theft”, but rather the inability of US companies to comply with universally applicable EU law.
If you let all subsidiaries of M/G/A within reach of US courts (including customer data), don't get surprised when other countries treat it as toxic.
The US gov would never accept this in procurement, so why should other countries?
On the case in question, it seems the company changed the tender document to take out some (protection) clauses
Restricting the sale or transfer of personal data to a foreign-held company that can and will obey foreign laws with regards to that data is, I think, perfectly fair.
The dances companies go through to appear local or non-local with shell companies is an abuse of the intent of many laws.
Microsoft/Google/Amazon/etc. probably can figure out how to operate in Europe to comply with the intent of the law, but it might require a rather large actual separation of interests rather than a shallow apparent one.
But the power centers (foundations etc.) are in the USA. International contributors are expected to bow to U.S. cultural dominance and follow the latest whims.
OSS has been stolen by the USA.
Isn't that what happened with TikTok?
Both China and the US have laws that force global subsidiaries of Chinese/American companies to hand over data held overseas.
I would argue the relationship between Europe and the US is substantially better, although not without frustrations from both sides, some warranted and some not.
At the very least, several countries are in a formal defensive alliance with the US and each other (NATO).
But it does show how an all-reaching law like GDPR can have strange consequences…
Except the American company made it clear that no such safeguards will be in place and that it will transfer the data out of its EU servers if legally compelled to do so. This can be found in the German text at https://rewis.io/urteile/urteil/ocw-13-07-2022-1-vk-2322/ .
> Regions. Customer can specify the location(s) where Customer Data will be processed within the X. Network (each a "Region'), including Regions in the EEX. Once Customer has made its choice, X. will not transfer Customer Data from Customer's selected Region(s) except as necessary to provide the Services initiated by Customer, or as necessary to comply with the law or binding order of a governmental body.
Any governmental body can request access to EU users data and the data will be moved out of the EU region. At best it provides that it will challenge any inappropriate or overly broad request, but there is no legal framework for what qualifies as such between the EU and US and the US is unlikely to care about challenges that have no legal basis.
They have a legal search warrant. This is an EU country that likely has a law enforcement and judicial cooperation treaty with the US.
> A included clauses in the offer that stated, among other things, that it will not access, use, or disclose customer data to any third party, except as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body.
So it is a transfer of data from EU control to US control. Very clearly.
Yes, this might be a reasonable argument. You'd be in a bad place as an EU company trying to operate in the US right now. Perhaps the US should quit passing spy law and we can go back to cooperating.
And?
> So why does USA fail at this?
Because, and I'm going from memory here (it should be Schrems I or Schrems II if you want to dig deeper), in the view of the ECJ (which invalidated a similar recognition for the US) the US doesn't provide a satisfactory way for EU citizens to contest their data being accessed by US government agencies.
Look up the cloud act. It essentially makes it impossible for any US company to truly comply with GDPR.
How? If a company is not American how can it be forced by the US?
I'm unaware of any free trade agreements with the US: https://en.wikipedia.org/wiki/European_Union_free_trade_agre...
The US only has free trade agreements with some American countries and South Korea/Australia outside: https://en.wikipedia.org/wiki/United_States_free-trade_agree...
But this is all irrelevant because free trade doesn't trump rights (privacy/due process/etc).
How does this not compute for Americans, I cannot even comprehend.
Sorry, but how can I respond when all the dudes above are accusing Germany and the EU of doing this out of protectionism?
Probably I should ignore them? Or submit a TikTok article immediately and watch the hypocrisy?
Personally I just try to keep reminding myself that humans en masse, and therefore the internet, are basically wrong about everything.
What is your point exactly? Half of Europe was still transitioning to a market economy or in a (civil) war/conflict in the 90s.
I am also sure that a lot of places in the US didn't have internet access in the 90s.
Sure, but not, oh, Sweden.
Btw, your account has been adding to this flamewar in just the way that we don't want here. I'm not going to ban you right now, but only because it doesn't feel sporting to ban an account that I only noticed when you replied to me. If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and sticking to the rules, though, we'd appreciate it.
Not a single rule was violated in the post above. Looks like hackernews needs more responsible moderators.
I support reining in the NSA; GDPR seems like a weird way to do it. I don't follow the logic.
An EU company can just be hacked legally.
Individuals are not perfectly capable of this decision, especially since they are multiple steps removed from said decision (e.g. saas I use is using another service hosted on amazon); and in a lot of the cases (e.g. using a software for their job) not even in a place where they can make the decision.
Government does not tell you where you should keep your data. They tell you where you can't.
This is because it is not a compliant place to store data. Same reason we don't want you to store data in China, for example.
Is there a reason why making it illegal for the NSA and CIA to spy on EU citizens with warrants is affecting you personally? Do you work for the CIA and you don't want to fill out paperwork?
This is such an obvious solution, remove the stupid law and partner with EU in protecting privacy, then you can work together against China.
But I do agree Turkey is less friendly and is in my personal no-go zone for safety reasons.
For example, you would have had an amazing time 20 years ago with a level of security comparable to other European countries. Nowadays? Personal no-go zone is a wise decision, to say the least. If I didn't have my biological family there, I would have done the same in an instant.
Europe is Apple’s third largest market, making $90 billion last year alone. You don’t think other companies will step up for even a tiny percent of that?
If those US companies were to go away however, the market will adjust to Europe/Asia grown companies.
A German court would use judicial assistance and ask US law enforcement to help. US law enforcement would then adhere to local laws and protect the rights of US citizens while trying to help.
This is named Mutual legal assistance: https://en.wikipedia.org/wiki/Mutual_legal_assistance_treaty .
I think you have a point with Lambda though I don't use serverless much. How does Knative compare?
"Mosaic was developed at the National Center for Supercomputing Applications (NCSA) at the University of Illinois at Urbana–Champaign beginning in late 1992." -- Wikipedia
Other than Linux's European origin, Europe has not produced any viable operating system or browser. It continues to rely on key software of American origin, like the rest of the world.
The Brit Tim Berners-Lee designed the architecture, wrote the first browser and web server, and wrote the first HTML spec at CERN around 1989. Mosaic was released in like 1993 after Berners-Lee released his specs and source.
To claim the internet was invented in Europe is equally absurd.
Internet created 1983. WWW created 1989.
The internet was created by meshing many different networks together (mostly ARPANET and NSFNET).
Networks which now form the backbone of the internet also existed in Europe at the time, mainly in Britain and France.
It looks like you've been breaking the site guidelines in other contexts too. Can you please review them and stick to the intended spirit here? https://news.ycombinator.com/newsguidelines.html
It's not about just installing Linux on a box, plugging in an Ethernet cable and calling it a day. We're talking about cloud providers here. You need to create something on the scale of AWS and Azure if you want to be taken seriously. Hetzner and OVH aren't going to cut it.
It's not? Because that's what most Europeans think.
>> We're talking about cloud providers here.
Ooooooooooooooooooh weeeeeeeeeeeh, now that's fancy.
Maybe if we could get an American over here to help us out, it could work? Are you available? Because we need answers to questions that you can't just google. We need someone who's been there, done that and who has money beyond what any European could ever even imagine. We need a Texan.
Are you a Texan? Or an absolute asshole? Both of those combined seems to fit the profile of a person that could make a change over here.
'Merica, F yeah!
Usually most countries are smart enough not to damage themselves economically by preventing their companies from selling to a large, reasonably rich union.
The US government will not back down from their policy, and so neither do we; but since we otherwise enjoy a great partnership and alliance, we take this issue pretty "dry and emotionless". Trust me, there are no hard feelings or ill intentions.
I could imagine a US based law that banned the sale of any durable goods produced by a company headquartered in a country that still got more than 5% of its power from lignite coal due to a strong climate commitment. That's tailored basically only to impact Germany. Is that fair?
If you talk to actual people in Europe, outside of HN, you’ll find that overwhelming majority of people do not give a flying fuck about the “safety of their data” from US government. They just blissfully post shit on Facebook with no care in the world. This matter is a concern mostly to politicians and to activist hacker types.
This is not to say that this is not a valid concern to have, but I’d like people to spare me pretending that it’s about politicians caring about people’s rights, when just past few years they trampled all the rights in the interest of fighting coronavirus (and if you want to argue that it was all worth it, because the goal justified the means, keep in mind that the US government can say the exact same thing about its data access!). This is just standard power politics, a protectionist trade war whitewashed with talk about “rights” and “privacy”, only surprising thing is how people on HN are gobbling it up. I guess maybe that’s just willful ignorance - by pretending you don’t understand why EU actually attacks American companies like that, you might actually get some extra privacy protections you care about.
That would be rather awkward for Boeing, who would have to strip out half the engines on its 787s and all its 737-MAXes for being certified by the same "insufficient" safety standards.
If you cannot see the difference between this and the GDPR, I have no idea why we're talking. The GDPR is some pretty reasonable law, for the most part - if we had carve-outs for Americans who don't have to adhere to it, it would be entirely pointless.
The US is very welcome to end this by repealing their spy law.
If you think a warrant should apply from an outside jurisdiction imagine Mississippi issuing a warrant to arrest a Californian abortion doctor.
Of course that means the US will no longer be a global superpower, but the US can freely choose that.
I never understood American magical thinking that blames Europe for US military spending. In the end, if you want to cut military spending, you can.
Regardless, you're the hegemon. I don't accept that you don't benefit from that position.
EDIT: It's like saying "This thing you're giving me that allows my whole economy to function, I don't like the consequences of how you're doing it."