

Google Admits Handing over European User Data to US Intelligence Agencies - itg
http://news.softpedia.com/news/Google-Admits-Handing-over-European-User-Data-to-US-Intelligence-Agencies-215740.shtml

======
eis
Corporations operating in the EU are subject to EU data protection laws. It
does not matter if the PATRIOT Act forces them to hand this data over. They
are breaking the law in the EU.

Google had two choices:

    
    
      1. Don't hand over the data => they break the US law
      2. Hand over the data => they break EU law plus hand over personal data of users who might not want that
    

To me choice number one would be the lesser "evil" thing to do.

The solution is to have completely separate entities of the company in the
local jurisdictions. Those follow local law and only share data with their
foreign sister companies in a lawful manner and otherwise can ignore foreign
law. Of course this creates some complexities but it's the right way to do,
everything else gets you into trouble and even huge companies as Google can't
get around colliding laws from different jurisdictions.

Handing over data to intelligence agencies is just one example of mutually
exclusive laws. There are actually many more like data retention laws. The
internet is probably the biggest challenge to international laws and treaties
ever.

~~~
wisty
Well, let's hope that legislators drag their feet on this, until good
practices have been bedded down for them to codify.

------
omh
The article doesn't mention the "Safe Harbor" provisions. This is a negotiated
exception to EU Data Protection - roughly speaking, US companies can export
the data to the US, as long as they promise to give equivalent protection.
Google uses this to allow it to operate with personal data in the EU.

If Google have exported the data to a US jurisdiction under Safe Harbor, then
a subsequent PATRIOT Act request wouldn't need to involve any EU-stored data
or EU companies.

This seems like a much more general issue with exceptions like Safe Harbor,
and something that people/companies should bear in mind. Promises like
"equivalent" protection don't help with new local laws which can always trump
anything.

~~~
mattmanser
That doesn't make one jot of sense.

By complying with the request they immediately violated the safe harbor
provision.

~~~
omh
They certainly violated the spirit, but may not have violated any actual
rules. I could imagine that there's some exclusion in the safe harbor rules
for "national security".

It's not clear whether the Data Protection laws were ever designed to guard
against national governments. I imagine that those who wrote them were really
thinking about avoiding disclosure to private individuals or other companies.

------
balpha
> According to German-language magazine WirtschaftsWoche, a Google
> spokesperson confirmed that the company has complied with requests from US
> intelligence agencies for data stored in its European data centers.

This isn't true; the WirtschaftsWoche article doesn't claim this. It says this
_could_ happen, but the claim that this article says it already _did_ happen
is a lie.

Not that this means it hasn't happened or is unlikely.

~~~
darklajid
From the 'WirtschaftsWoche' article:

Die US-Regierung könne "auf außerhalb der USA gespeicherte Daten zugreifen".
Der Konzern habe schon viele solche Abfragen erhalten, schreibt ein Sprecher
des Unternehmens.

\-- Rough, sorry: --

The US government is able to to access 'data stored outside the USA'. The
company already got a large number of these requests, comments a spokesperson
of the corporation.

\--

Put like this, next to each other, is a strong indicator (yeah, it's still on
the edge) that they did, in fact, already comply in the past.

First part is 'would/could/in theory' style, but the following sentence says
they got these requests in the past and 'diese' (these) builds a rather strong
link to the sentence before.

So - I'm not 100% sure, but let's error on the side of caution: They did it in
the past.

~~~
balpha
"outside the USA" != "in Europe"

I assume that WW would have used a much stronger phrasing, had the "Google
spokesperson" actually said that. And a Google spokesperson is obviously
careful when talking to the press.

Yes, it's not unlikely that they did -- but Softpedia is blatantly misquoting
here. They base their writing solely on the WW article, and that one doesn't
include anything to back up the claim.

------
nopinsight
This is a clear example why China does not welcome US internet behemoths in
their country. Who would want to give competitors easy access to their
internal data?

------
d0ne
This is a very real problem and provides case in point as to why everyone
needs to start using client-side encryption for their data and communications.

In some cases this is still currently impractical to do on a day to day basis
but in others such as Email, Social Networking or Instant Messaging it is
not[1][2].

[1] I'm involved with a company that recently launched a free tool that
provides transparent client-side AES256 encryption for Facebook, Google+,
Major Email apps among others.

[2] <https://www.socialfortress.com/>

~~~
solid
The Chrome extension is not working for me on Mac. When I click "options"
nothing happens, and there's no confirmation that it's working.

~~~
d0ne
What site are you visiting? There is no "options" option in Social Fortress.
If you can email a detailed explanation to support@socialfortress.com and we
will get back to you promptly.

------
caf
The PATRIOT Act is already surfacing as a competitive disadvantage for US-
headquartered companies in foreign markets.

------
runjake
Key internet traffic choke points on US soil are monitored by the National
Security Agency and people are surprised by this?

<http://en.wikipedia.org/wiki/The_Shadow_Factory>

[http://en.wikipedia.org/wiki/NSA_warrantless_surveillance_co...](http://en.wikipedia.org/wiki/NSA_warrantless_surveillance_controversy)

<http://en.wikipedia.org/wiki/Mark_Klein>

<http://en.wikipedia.org/wiki/Hepting_v._AT%26T>

------
dpatru
One solution might be for Google to spin off its EU datacenter operations into
a company incorporated outside of US jurisdiction. The Patriot Act would then
no longer apply and Google would not be force to break EU law.

~~~
arethuza
They almost certainly have local operating companies that are wholly owned
subsidiaries of the US parent company - just having a separate company isn't
enough I suspect that separate _ownership_ would also be requried.

~~~
wisty
They could set up special purpose vehicles, with very clear operating rules.
That way, if the US asks, Google can say that they have no control over the
subsidiary.

~~~
omh
If Google US has no control over Google EU then a number of issues could
arise. Does Google EU have access to Google US data? What about the code that
runs everything? What about profits - why would Google EU send profits back to
Google US?

~~~
wisty
It's tricky, but no trickier than their accounting system ;)

Google EU has a mission to "provide Google US with data hosting, and send
profits back to the mothership". They have a contract, in which Google US
grants free use of any code data that Google EU needs.

Google EU has a strict constitution, which prevents them from disclosing data,
even if Google US wants them to. This clause in their constitution states that
it _cannot_ be changed.

If that's too extreme, they could allow the information to be released, but
only if cleared by some specific third party.

That's just a rough idea. I'm sure Google's lawyers could come up with
something _much_ better.

------
ditojim
The first sentence of the article also mentions that Microsoft has been forced
to do the same thing.

~~~
ZoFreX
No it doesn't:

> Gordon Frazer, Microsoft UK's managing director, made news headlines some
> weeks ago when he admitted that Microsoft can be compelled to share data
> with the US government regardless of where it is hosted in the world.

~~~
ditojim
Read between the lines. Don't be naive.

~~~
ZoFreX
I'm not being naive, I'm being factually accurate. I would 100% agree with the
statement "Microsoft has probably done the same", for example, but this
article does not provide supporting evidence that they have.

~~~
ditojim
This is a news article. It sounds like you are assuming news=facts. Microsoft
employs FUD in the media. In this case, they are making specific use of the U
in FUD. They are neither confirming or denying that they have ever shared such
information, thus one can safely assume they have. If they hadn't, they would
come out and state that clearly.

------
brudgers
I think there is a misunderstanding of the intent of this provision of the
PATRIOT act. It's primary purpose is to serve US based companies by providing
cover from shareholder activism and negative press when they are outed for
providing such information; and to streamline the process of dealing with such
requests because there is little to be gained from resistance through
litigation.

In other words, the PATRIOT act provides corporations with the least expensive
option for providing user data and provides them with political and legal
cover when they do so.

------
amatus
It's not clear to me that these laws are mutually exclusive. 1\. "the USA
PATRIOT ACT, which states that companies incorporated in the United States
must hand over data administered by their foreign subsidiaries if requested."
2\. "European Union legislation requires companies to protect the personal
information of EU citizens" It could be that the US gov't requested data on
non-EU citizens which happened to be stored in EU data-centers.

------
antr
If this had been the other way round, I can easily imagine this issue going to
U.S. Congress, leading to hearings, etc.

------
dendory
There's a huge need for people to start drifting to non-US based companies for
everything that has to do with cloud storage or data, either that or force
Google and such to offer solutions with end to end encryption that they have
no access to.

------
aik
"Do no evil" -- What do you think? Does this qualify as a breach of their
motto? Or is it only a clear message to those who may have thought their
Google data is private?

~~~
rjd
While I'm an open critic of Google I don't think in this case its a breach of
that motto. Maybe a failure to disclose obligations to users.

Most people would understand the real culprit is the government. Microsoft and
Amazon space there data centres geo graphically for a few reasons, and this is
one of them.

~~~
darklajid
I think the 'evil' part here is in this case the failure to disclose the
fact(s).

The law's evil as well, agreed. The government did evil things passing it, in
my world. But that doesn't seem to be the reason for the 'Google did evil'
claim here.

------
meow
I think the requirement to be silent about handing over data is more for the
corporations than the government. No wonder this remained secret for so long.

------
mattvot
Hypothetical question that would never happen: What's to stop Google moving to
Switzerland?

------
iamelgringo
Weren't we just talking about this yesterday?....
<http://news.ycombinator.com/item?id=2855764>

Okay, not about this issue exactly, but the amount of data that Google
collects on individuals is Law Enforcement's dream.

------
mikecaron
We can't get Diaspora soon enough!

------
yanw
Corporations based and operating in the US are subject to the PATRIOT Act,
it's a shitty law but it's still the law. At least they are transparent about
it.

Edit: here is the article in question: [http://www.wiwo.de/politik-
weltwirtschaft/google-server-in-e...](http://www.wiwo.de/politik-
weltwirtschaft/google-server-in-europa-vor-us-regierung-nicht-sicher-476338/)

They asked if their EU based dataceters are also subject to US warrants and
they answered that they are.

~~~
ZoFreX
And corporations based and operating in Europe are subject to our data
protection laws. Microsoft and Google (and plenty others) have fully fledged
companies in Europe. This raises an interesting question - what should
companies do when they are subject to mutually exclusive laws like that?

My opinion is that they need to comply with the laws, which might require not
having overseas companies in this case. Could they operate without them? Do
they only exist for dodging huge amounts of taxes? (If yes, then this means
that Google decided to "do evil" in return for a 20% boost in earnings)

~~~
yanw
I'm merely guessing, but seeing how the law takes a backseat when security and
anti-terror are involved I suppose that EU governments and the US have reached
some sort of agreement about which set of laws to enforce in certain cases.

~~~
mkuhn
My guess is that such an "agreement" would have been reached by one side
only...

The law has been taking much less of a backseat in Europe when it comes to
security and anti-terror. Also I find it hard to believe that the EU would
just give up its data protection laws just to please Americans and allow the
enforcement of an American law.

~~~
onli
Which is exactly what the EU did with bank and flightdata. The EU will make a
bit of a fight and then simply back down. Like they always do.

Which is possibly preferable for every US-company which thus do not have to
challenge your agencies.

~~~
Lol_Lolovici
Which is not what they always do. Microsoft got some nice fines from the EU, I
think more than once even.

~~~
Silhouette
I think we Europeans as a diverse society have far less willingness to give up
basic rights than those in the US.

Public sentiment does sway sharply in the aftermath of events like 9/11 (or,
in our cases, 7/7 in London and the like). We sometimes tolerate nanny state
behaviour and suspending basic rights and freedoms more than I personally
would like following such extreme, high-profile events.

However, even then, public sentiment seems to sway back again much faster
here. Just look at the level of public concern over a tiny number of high
profile deaths in the UK in recent years where police were involved, or look
at how sharply Google have been slapped down over privacy in places like
Germany. I think this is probably down to having a lot of very different
cultures who have come together in their common interest but never merged to
the extent that the US is a federation of relatively similar states.
Consequently we have a much broader spectrum of political opinions permanently
in play here and it's much harder to permanently overrule many years of
history and precedent without someone objecting loudly enough to slow things
down and force more debate.

There seems to be an inherent tension between recognising that the US is often
a useful partner in economic and military matters, and recognising that we
must not act as some sort of junior partner to a country that frequently gets
big issues spectacularly wrong and that has a demonstrated history of screwing
its partners whenever its own interests dictate.

My sense is that the US has been cut a lot of slack in recent years because of
its economic strength and 9/11, particularly when we had Blair running the
show here in the UK, but that public patience with the one-sided deals and all
the silliness we have to put up with as a result is now rapidly running out as
we have our own problems to deal with and the US are getting in the way or
indeed causing some of them.

------
iwwr
It's not as if EU governments have any more qualms about the privacy of their
citizens.

~~~
iwwr
The only difference is the greater bureaucratic procedures in handling this
data, but there is technically nothing off-limits (information-wise) to law-
enforcement or security agencies. This is especially true in the wake of anti-
terror legislation all across the EU. This will become more apparent as
copyright lobbies are pushing for greater surveillance of internet users.

The old adage that 'if you have nothing to hide, you have nothing to fear' has
been thoroughly incorporated into modern state doctrine.

So downvote at will, but it would be nice to do so with some counter-
arguments.

------
paganel
How to kill the President of the United States:
<http://www.youtube.com/watch?v=HDZ574eh9Yw>

