
ECJ rules US Cloud services fundamentally incompatible with EU Privacy laws - onyva
https://nextcloud.com/blog/breaking-news-ecj-rules-us-cloud-services-fundamentally-incompatible-with-eu-privacy-laws/
======
jjcon
This is a weird take (I’m not familiar with nextcloud, perhaps a bit
sensationalist?).

To suggest the state of surveillance is much different here in the EU is odd
to me. The US and many EU countries have highly integrated and open sharing of
intelligence systems and have for decades. As of late EU countries are
becoming more integrated (not less) with each other and the US when it comes
to the intelligence front.

Nearly all countries have complex surveillance programs, they are arguably
necessary to maintain national security. The hope of democratic countries is
to have ample checks and balances so that information is used appropriately
and only in the scope of national security.

~~~
AmericanChopper
EU countries have equivalent surveillance programs (and equivalently poor
protections for citizens), as well as having intelligence sharing arrangements
with the US (and a number of other countries). This is simply an indisputable
fact. For an EU citizen it makes exactly 0 difference whether it’s a US agency
spying on them, or a French one. The same people end up with access to the
data.

If you’re looking at this from a privacy protection standpoint, it makes very
little sense. However if you look at it for what it actually is, economic
protectionism, it makes perfect sense. The purpose of all EU privacy
regulation is to tariff foreign companies, apply pressure on foreign companies
to move more operations to the EU, and to provide a competitive advantage to
EU companies.

The US has a very significant trade surplus with the EU when it comes to
services (which is what these regulations target, rather than goods). These
regulations simply exist as a barrier to that trade, with the added benefit of
not having to implement tariffs (which can be very unpopular).

~~~
hedora
I thought you generally needed a warrant to obtain private information in
Europe.

The US CLOUD act says that any government official (even outside law
enforcement) from any partner country can obtain data stored (inside or
outside the US) without further justification.

Under EU law, can the French government grant their agricultural inspectors
access to Angela Merkel’s private Swiss email account?

Under US law, they could, assuming they signed on to the CLOUD act, and the
account was provided by a US or French firm.

~~~
AmericanChopper
> I thought you generally needed a warrant to obtain private information in
> Europe.

Sadly you thought wrong. Using France as just one example, they allow
warrantless wiretaps, require ISPs to forward intercepted traffic (again
without a warrant), and a whole bunch of other completely unsavoury stuff.

[https://www.vox.com/2015/11/14/11620670/france-has-a-powerfu...](https://www.vox.com/2015/11/14/11620670/france-has-a-powerful-and-controversial-new-surveillance-law)

Anything an EU government collects will also be shared freely with all of its
SIGINT allies (including the US).

[https://theintercept.com/2018/03/01/nsa-global-surveillance-...](https://theintercept.com/2018/03/01/nsa-global-surveillance-sigint-seniors/)

If this was an issue the EU was actually trying to address, you’d quickly find
that many member states' intelligence collection practices are incompatible
with EU privacy laws, along with their intelligence sharing arrangements.

~~~
JAlexoid
Let's just ignore the little fact that NSA was caught on spying on EU
officials during FTA negotiations... not to mention industrial espionage.

Intelligence sharing has nothing to do with this.

~~~
jjcon
> caught on spying on EU officials

There were reports of possible spying on Merkel but considering Germany then
sought entrance into the five eyes (a process currently underway) it seems
there is likely a lot more than meets the eye there

------
zenexer
Can we get a neutral source on this? Nextcloud undoubtedly stands to benefit a
great deal from the claims being made here, since Nextcloud is self-hosted.
There’s inevitably a strong PR bias here.

~~~
number6
It's on point. We are trying to get something working under the current
ruling, but I think it is impossible.

EUCJ ruled that US law is incompatible with the GDPR. There might be instances
where FISA might not apply but in general you can't export data in the US.

Most EU Firms have contracts with MS Europe, Amazon in Luxemburg or Google
Ireland - I guess they should come up with a solution...

~~~
zenexer
Regardless, this is Hacker News; I’d like to think that, as a community, we
tend to appreciate having a more neutral source for news such as this. I’m
always going to be skeptical of such an announcement from a company that has
so much to gain from the ruling.

~~~
number6
To be fair: I am working as a GDPR Consultant so you might take my word with a
bit of skepticism too.

On the other hand, this is rather bad news for me too. We had all the
paperwork in place and now it's all nil.

At some point I will have to advise against the use of Google, Amazon,
Microsoft, Apple, Atlassian... pretty much everything. I have no idea how to
solve this issue. Only the U.S. could solve it by changing its laws. The EU
can't just change its constitution...

------
cromwellian
With Trump's actions on TikTok, it really looks to me like a nationalist trade
war involving everyone is on the horizon. Cyberspace, once seen as free and
independent of geography and nation states, by people like Jerry Perry Barlow,
is now being carved up and balkanized. Much different than the dreams we had
in the 80s.

Just take the Giphy example. Most likely an API call to search for emoji.
There are various ways to protect this (e.g. mixnets), but the whole point of
the internet was effortless peer-to-peer transmission, permissionless
innovation, which in the 00s meant people collaborating and piecing together
highly functional services by gluing together many service providers.

Now something as simple as adding an Emoji button to your keyboard can get you
sanctioned in different jurisdictions. And the cost of overcoming this is too
high for smaller players.

AWS, Azure, GCP, Microsoft and Google have the money to adapt. If they need to
set up separate European operations and legal entities with
"air-gapped"/"firewalled" data centers with respect to the US, they have the
power to work around this, not many others do.

This just looks to me like further entrenching their power. When GDPR
first arrived, a lot of HN posts were speculating "this is the end of FAANG",
and of course, mostly what happened was everyone got spammed with cookie
popups, some small fines were paid, and business got more expensive for the
mid-sized firms.

~~~
jlgaddis
> _Jerry Perry Barlow_

That'd be John, not Jerry.

[https://en.wikipedia.org/wiki/John_Perry_Barlow](https://en.wikipedia.org/wiki/John_Perry_Barlow)

~~~
cromwellian
Thanks, typo brain fart on my part, see my last posts, I know who John Perry
Barlow is.

------
woodhull
This is from two weeks ago...

~~~
Theory5
Yup, and it's not like it was a minor thing that escaped everyone's notice. It
was huge.

~~~
woodhull
What would actually be interesting to me is info on how local data protection
authorities across the EU are now interpreting the principles articulated by
the ECJ when applied to standard contractual clauses which are what most data
transfers actually happen under rather than Privacy Shield.

How all this will play out and be interpreted by regulators is interesting and
currently hard to see how everything will be reconciled between trade in
digital services, the US national security state, and the fundamental rights
guaranteed to EU citizens.

~~~
number6
SCC is not enough without additional measures to provide an equal level of
privacy protection.
[https://edpb.europa.eu/news/news/2020/european-data-protecti...](https://edpb.europa.eu/news/news/2020/european-data-protection-board-publishes-faq-document-cjeu-judgment-c-31118-schrems_de)

------
shadowgovt
No surprise there. The next question is: which will change?

------
Kednicma
I wonder whether this will lead to some sort of passport system, where people
traveling to Europe force Facebook to transfer account data from one continent
to another, but without being allowed to link account activities across
continents.

Of course, I also wonder whether we'll be allowed to travel to Europe again,
but that's another question!

~~~
gruez
> Of course, I also wonder whether we'll be allowed to travel to Europe again,
> but that's another question!

Even the GDPR only applies to EU _residents_. Tourists will surely be exempt.

------
detaro
doesn't really add much over the other reporting at the time, which had HN
discussion here:
[https://news.ycombinator.com/item?id=23857072](https://news.ycombinator.com/item?id=23857072)

