To suggest the state of surveillance is much different here in the EU is odd to me. The US and many EU countries have highly integrated and open sharing of intelligence systems and have for decades. As of late EU countries are becoming more integrated (not less) with each other and the US when it comes to the intelligence front.
Nearly all countries have complex surveillance programs, they are arguably necessary to maintain national security. The hope of democratic countries is to have ample checks and balances so that information is used appropriately and only in the scope of national security.
> The hope of democratic countries is to have ample checks and balances so that information is used appropriately
This appears to be the fundamental issue. For data stored in the US, US law protects US residents but not foreign residents. So if $service moves both your and my data to the same server in the US, yours is subject to legal checks and balances and mine is not.
So far the only way we can retain these checks and balances is to have some say in where our data is stored. Which is a pretty crap solution, but the US doesn't appear to be willing to afford us any legal protections on data within their jurisdiction, so it's the only option left.
But this is what confuses me. These intelligence systems are so integrated that it doesn’t really matter where the data is. Certain data on US residents is available to intelligence agencies here in the EU (well a few countries at least) and the reverse is true. These shared systems aren’t going anywhere so I’m not sure I understand the sentiments in this article.
Edit - I’ll also add that while the US doesn’t explicitly grant constitutional rights to non-citizens, the agreements between all these countries do govern how this data is used.
That is not true - you aren’t guaranteed anything by the US constitution but the agreements in place by these partner countries specifically govern how this data is handled. Again though... they are highly integrated systems addressable by agencies both here in the EU and in the US.
This is the hilarious part of American complaints over TikTok and China. It implicitly reveals the knowledge of such techniques used in practice (why is US fine with Facebook holding same position wrt. foreigners?)
EU would be wise to restrict American access to our information ecology. European Firewall can't come soon enough.
When it comes to intelligence the opposite is happening - we are becoming more integrated with each other and the US. I personally think that’s probably a good thing. Our combined efforts encourage positive cooperation.
The worst part is that US may demand that Amazon expatriate data from EU to US for US intelligence to get at it.
The source of this issue lies with the fact that US intelligence agencies have been caught in the past on industrial espionage and tapping EU government officials' data during negotiations.
And no - these intelligence systems are not integrated. UK intelligence has been half infiltrated by US and Russia (CIA and GRU run free in UK). Others have very clear dependencies. There are only a few intelligence agencies that are truly independent - US, Russia, China, Israel and France.
Yeah ummm... they very much are (see 5 eyes, 9 eyes, 13 eyes).
I’m not sure I could totally follow your reply but these are definitely fully networked intelligence systems - not just agreements.
These agencies all share (quite automatically) intelligence information with each other.
There’s a difference in what tech considers integrated and what everyone else considers integrated.
The cooperative information sharing is not “take all of our information and do whatever you like”. It’s a case of “we have this info that is relevant to everyone else”.
But none of this actually matters in this context - as the issue with privacy isn’t an issue of intelligence gathering.
If you’re looking at this from a privacy protection standpoint, it makes very little sense. However if you look at it for what it actually is, economic protectionism, it makes perfect sense. The purpose of all EU privacy regulation is to tariff foreign companies, apply pressure on foreign companies to move more operations to the EU, and to provide a competitive advantage to EU companies.
The US has a very significant trade surplus with the EU when it comes to services (which is what these regulations target, rather than goods). These regulations simply exist as a barrier to that trade, with the added benefit of not having to implement tariffs (which can be very unpopular).
The US CLOUD act says that any government official (even outside law enforcement) from any partner country can obtain data stored (inside or outside the US) without further justification.
Under EU law, can the French government grant their agricultural inspectors access to Angela Merkel’s private Swiss email account?
Under US law, they could, assuming they signed on to the CLOUD act, and the account was provided by a US or French firm.
Sadly you thought wrong. Using France as just one example, they allow warrantless wiretaps, require ISPs to forward intercepted traffic (again without a warrant), and a whole bunch of other completely unsavoury stuff.
Anything an EU government collects will also be shared freely with all of its SIGINT allies (including the US).
If this was an issue the EU was actually trying to address, you’d quickly find that many member states' intelligence collection practices are incompatible with EU privacy laws, along with their intelligence sharing arrangements.
Intelligence sharing has nothing to do with this.
There were reports of possible spying on Merkel but considering Germany then sought entrance into the five eyes (a process currently underway) it seems there is likely a lot more than meets the eye there.
If the issue in contention is US companies being unable to protect against privacy intrusions from the US government, then EU companies being equally unable to protect against privacy intrusions from the US government sounds entirely relevant to me...
> "The purpose of all EU privacy regulation is to tariff foreign companies, apply pressure on foreign companies to move more operations to the EU, and to provide a competitive advantage to EU companies."
Great, as it should be. Imagine that, promoting domestic companies and progress. I've long thought that the Chinese Firewall was a subtle win for the Chinese. They have a flourishing information ecology of their own since they couldn't just use American products like Facebook or Amazon.
I'm not sure why you would think this is true at all. The EU has had a trade in services deficit with the US for a very long time (especially in financial and ICT services). The GDPR was only adopted 4 years ago. Even if it was enforced equally across all companies, it would still be a protectionist policy. However, it most certainly is not, having dished out about €12 million in fines to EU companies (not counting UK), about €200 million in fines to UK companies, about €160 million in fines to US companies and a total of €88,000 in fines to companies from all other countries.
This recent ruling simply adds another layer of protectionism to the regulations. The risks associated with US companies are prohibited by regulation. Those very same risks when associated with EU companies are perfectly legal. Not because the risks aren't as serious (they are exactly the same in every way), the only difference is where the company/commerce is located.
I hope the EU starts banning Twitter, Pornhub, and other American social media companies. Clearly a threat to wellbeing here.
Many German Data Protection Authorities have already concluded at various points that the use of Office 365 in schools is illegal and use of foreign-hosted chat and video communication services poses compliance problems, recommending Nextcloud Talk instead. The Swedish and Dutch have come to the same conclusion repeatedly.
Aside from starting with the telltale “many”, stuffing Nextcloud in there was just awkward.
EUCJ ruled that US law is incompatible with the GDPR. There might be instances where FISA might not apply but in general you can't export data in the US.
Most EU Firms have contracts with MS Europe, Amazon in Luxembourg or Google Ireland - I guess they should come up with a solution...
On the other hand, this is rather bad news for me too. We had all the paperwork in place and now it's all nil.
At some point I will have to advise against the use of Google, Amazon, Microsoft, Apple, Atlassian... pretty much everything. I have no idea how to solve this issue. Only the U.S. could solve it by changing its laws. The EU can't just change its constitution...
Just take the Giphy example. Most likely an API call to search for emoji. There are various ways to protect this (e.g. mixnets), but the whole point of the internet was effortless peer-to-peer transmission, permissionless innovation, which in the 00s meant people collaborating and piecing together highly functional services by gluing together many service providers.
Now something as simple as adding an Emoji button to your keyboard can get you sanctioned in different jurisdictions. And the cost of overcoming this is too high for smaller players.
AWS, Azure, GCP, Microsoft and Google have the money to adapt. If they need to set up separate European operations and legal entities with "air-gapped"/"firewalled" data centers with respect to the US, they have the power to work around this, not many others do.
This just looks to me like further entrenching their power. When GDPR first arrived, a lot of HN posts were speculating "this is the end of FAANG", and of course, mostly what happened was everyone got spammed with cookie popups, some small fines were paid, and business got more expensive for the mid-sized firms.
That'd be John, not Jerry.
How all this will play out and be interpreted by regulators is interesting and currently hard to see how everything will be reconciled between trade in digital services, the US national security state, and the fundamental rights guaranteed to EU citizens.
Of course, I also wonder whether we'll be allowed to travel to Europe again, but that's another question!
Even the GDPR only applies to EU residents. Tourists will surely be exempt.