ECJ rules US Cloud services fundamentally incompatible with EU Privacy laws (nextcloud.com)
76 points by onyva 49 days ago | 37 comments

This is a weird take (I’m not familiar with nextcloud, perhaps a bit sensationalist?).

To suggest the state of surveillance is much different here in the EU is odd to me. The US and many EU countries have highly integrated and open sharing of intelligence systems and have for decades. As of late EU countries are becoming more integrated (not less) with each other and the US when it comes to the intelligence front.

Nearly all countries have complex surveillance programs, they are arguably necessary to maintain national security. The hope of democratic countries is to have ample checks and balances so that information is used appropriately and only in the scope of national security.

Nextcloud are positioning themselves as the appropriate competition in this space, so you're right to query the source.

> The hope of democratic countries is to have ample checks and balances so that information is used appropriately

This appears to be the fundamental issue. For data stored in the US, US law protects US residents but not foreign residents. So if $service moves both your and my data to the same server in the US, yours is subject to legal checks and balances and mine is not.

So far the only way we can retain these checks and balances is to have some say in where our data is stored. Which is a pretty crap solution, but the US doesn't appear to be willing to afford us any legal protections on data within their jurisdiction, so it's the only option left.

> to have some say in where our data is stored

But this is what confuses me. These intelligence systems are so integrated that it doesn’t really matter where the data is. Certain data on US residents is available to intelligence agencies here in the EU (well a few countries at least) and the reverse is true. These shared systems aren’t going anywhere so I’m not sure I understand the sentiments in this article.

Edit - I’ll also add that while the US doesn’t explicitly grant constitutional rights to non-citizens, the agreements between all these countries do govern how this data is used.

If my data leaks to a US server, the checks and balances you mentioned don't apply, because I'm not American. The US authorities are then free to misuse my data however they please, in ways that would be highly illegal if done to Americans.

> the checks and balances you mentioned don't apply

That is not true - you aren’t guaranteed anything by the US constitution but the agreements in place by these partner countries specifically govern how this data is handled. Again though... they are highly integrated systems addressable by agencies both here in the EU and in the US.

Those agreements do not guarantee anything on their own; they need enforcement by a human once a slight is detected. And that leaves a non-zero chance that the US is spying on the data of foreigners going through their servers.

This is the hilarious part of American complaints over TikTok and China. It implicitly reveals the knowledge of such techniques used in practice (why is the US fine with Facebook holding the same position wrt. foreigners?).

EU would be wise to restrict American access to our information ecology. European Firewall can't come soon enough.

> EU would be wise to restrict American access to our information ecology.

When it comes to intelligence the opposite is happening - we are becoming more integrated with each other and the US. I personally think that’s probably a good thing. Our combined efforts encourage positive cooperation.

This is not only for "certain data on individuals", this is the case for all data.

The worst part is that the US may demand that Amazon expatriate data from the EU to the US for US intelligence to get at it.

The source of this issue lies with the fact that US intelligence agencies have been caught in the past engaging in industrial espionage and tapping EU government officials' data during negotiations.

And no - these intelligence systems are not integrated. UK intelligence has been half infiltrated by the US and Russia (the CIA and GRU run free in the UK). Others have very clear dependencies. There are only a few intelligence agencies that are truly independent - US, Russia, China, Israel and France.

> And no - these intelligence systems are not integrated.

Yeah ummm... they very much are (see 5 eyes, 9 eyes, 13 eyes).

I’m not sure I could totally follow your reply but these are definitely fully networked intelligence systems - not just agreements.

These agencies all share (quite automatically) intelligence information with each other.

They are cooperating, but they aren’t integrated.

There’s a difference in what tech considers integrated and what everyone else considers integrated.

The cooperative information sharing is not “take all of our information and do whatever you like”. It’s a case of “we have this info that is relevant to everyone else”.

But none of this actually matters in this context - as the issue with privacy isn’t an issue of intelligence gathering.

EU countries have equivalent surveillance programs (and equivalently poor protections for citizens), as well as having intelligence sharing arrangements with the US (and a number of other countries). This is simply an indisputable fact. For an EU citizen it makes exactly 0 difference whether it’s a US agency spying on them, or a French one. The same people end up with access to the data.

If you’re looking at this from a privacy protection standpoint, it makes very little sense. However if you look at it for what it actually is, economic protectionism, it makes perfect sense. The purpose of all EU privacy regulation is to tariff foreign companies, apply pressure on foreign companies to move more operations to the EU, and to provide a competitive advantage to EU companies.

The US has a very significant trade surplus with the EU when it comes to services (which is what these regulations target, rather than goods). These regulations simply exist as a barrier to that trade, with the added benefit of not having to implement tariffs (which can be very unpopular).

I thought you generally needed a warrant to obtain private information in Europe.

The US CLOUD act says that any government official (even outside law enforcement) from any partner country can obtain data stored (inside or outside the US) without further justification.

Under EU law, can the French government grant their agricultural inspectors access to Angela Merkel’s private Swiss email account?

Under US law, they could, assuming they signed on to the CLOUD act, and the account was provided by a US or French firm.

> I thought you generally needed a warrant to obtain private information in Europe.

Sadly you thought wrong. Using France as just one example, they allow warrantless wiretaps, require ISPs to forward intercepted traffic (again without a warrant), and a whole bunch of other completely unsavoury stuff.

Anything an EU government collects will also be shared freely with all of its SIGINT allies (including the US).

If this was an issue the EU was actually trying to address, you’d quickly find that many member states' intelligence collection practices are incompatible with EU privacy laws, along with their intelligence sharing arrangements.

Let's just ignore the little fact that the NSA was caught spying on EU officials during FTA negotiations... not to mention industrial espionage.

Intelligence sharing has nothing to do with this.

> caught on spying on EU officials

There were reports of possible spying on Merkel, but considering Germany then sought entrance into the Five Eyes (a process currently underway), it seems there is likely a lot more than meets the eye there.

> Intelligence sharing has nothing to do with this.

If the issue in contention is US companies being unable to protect against privacy intrusions from the US government, then EU companies being equally unable to protect against privacy intrusions from the US government sounds entirely relevant to me...

EU agencies have exceptions under the GDPR, but otherwise their doings would also be incompatible with the GDPR.

> "For an EU citizen it makes exactly 0 difference whether it’s a US agency spying on them"

"Just let your sensitive information spill everywhere, who cares, they got it anyway." This is not even an argument. The US is a foreign state and there's zero reason they should have default access to our information. There's no guarantee they won't turn up their hostilities and abuse this access.

> "The purpose of all EU privacy regulation is to tariff foreign companies, apply pressure on foreign companies to move more operations to the EU, and to provide a competitive advantage to EU companies."

Great, as it should be. Imagine that, promoting domestic companies and progress. I've long thought that the Chinese Firewall was a subtle win for the Chinese. They have a flourishing information ecology of their own since they couldn't just use American products like Facebook or Amazon.

> These laws and regulations predate most of the service sector

I'm not sure why you would think this is true at all. The EU has had a trade in services deficit with the US for a very long time (especially in financial and ICT services). The GDPR was only adopted 4 years ago. Even if it was enforced equally across all companies, it would still be a protectionist policy. However, it most certainly is not, having dished out about €12 million in fines to EU companies (not counting the UK), about €200 million in fines to UK companies, about €160 million in fines to US companies and a total of €88,000 in fines to companies from all other countries.

This recent ruling simply adds another layer of protectionism to the regulations. The risks associated with US companies are prohibited by regulation. Those very same risks when associated with EU companies are perfectly legal. Not because the risks aren't as serious (they are exactly the same in every way), the only difference is where the company/commerce is located.

It's substantially different: one is a domestic agent and the other is a hostile foreign state to Europe and the EU.

I hope the EU starts banning Twitter, Pornhub, and other American social media companies. Clearly a threat to wellbeing here.

Can we get a neutral source on this? Nextcloud undoubtedly stands to benefit a great deal from the claims being made here, since Nextcloud is self-hosted. There’s inevitably a strong PR bias here.

From the “article”:

Many German Data Protection Authorities have already concluded at various points that the use of Office 365 in schools is illegal and use of foreign-hosted chat and video communication services poses compliance problems, recommending Nextcloud Talk instead. The Swedish and Dutch have come to the same conclusion repeatedly.

Aside from starting with the telltale “many”, stuffing Nextcloud in there was just awkward.

It's on point. We are trying to get something working under the current ruling, but I think it is impossible.

The EUCJ ruled that US law is incompatible with the GDPR. There might be instances where FISA might not apply, but in general you can't export data to the US.

Most EU firms have contracts with MS Europe, Amazon in Luxembourg or Google Ireland - I guess they should come up with a solution...

Regardless, this is Hacker News; I’d like to think that, as a community, we tend to appreciate having a more neutral source for news such as this. I’m always going to be skeptical of such an announcement from a company that has so much to gain from the ruling.

To be fair: I am working as a GDPR Consultant so you might take my word with a bit of skepticism too.

On the other hand, this is rather bad news for me too. We had all the paperwork in place and now it's all nil.

At some point I will have to advise against the use of Google, Amazon, Microsoft, Apple, Atlassian... pretty much everything. I have no idea how to solve this issue. Only the U.S. could solve it by changing its laws. The EU can't just change its constitution...

With Trump's actions on TikTok, it really looks to me like a nationalist trade war involving everyone is on the horizon. Cyberspace, once seen as free and independent of geography and nation states, by people like Jerry Perry Barlow, is now being carved up and balkanized. Much different than the dreams we had in the 80s.

Just take the Giphy example. Most likely an API call to search for emoji. There are various ways to protect this (e.g. mixnets), but the whole point of the internet was effortless peer-to-peer transmission, permissionless innovation, which in the 00s meant people collaborating and piecing together highly functional services by gluing together many service providers.

Now something as simple as adding an Emoji button to your keyboard can get you sanctioned in different jurisdictions. And the cost of overcoming this is too high for smaller players.

AWS, Azure, GCP, Microsoft and Google have the money to adapt. If they need to set up separate European operations and legal entities with "air-gapped"/"firewalled" data centers with respect to the US, they have the power to work around this, not many others do.

This just looks to me like further entrenching their power. When GDPR first arrived, a lot of HN posts were speculating "this is the end of FAANG", and of course, mostly what happened was everyone got spammed with cookie popups, some small fines were paid, and business got more expensive for the mid-sized firms.

> Jerry Perry Barlow

That'd be John, not Jerry.

Thanks, typo/brain fart on my part, see my last posts, I know who John Perry Barlow is.

This is from two weeks ago...

Yup, and it's not like it was a minor thing that escaped everyone's notice. It was huge.

What would actually be interesting to me is info on how local data protection authorities across the EU are now interpreting the principles articulated by the ECJ when applied to standard contractual clauses, which are what most data transfers actually happen under rather than Privacy Shield.

How all this will play out and be interpreted by regulators is interesting, and it is currently hard to see how everything will be reconciled between trade in digital services, the US national security state, and the fundamental rights guaranteed to EU citizens.

SCC is not enough without additional measures to provide an equal level of privacy protection. https://edpb.europa.eu/news/news/2020/european-data-protecti...

No surprise there. The next question is: which will change?

I wonder whether this will lead to some sort of passport system, where people traveling to Europe force Facebook to transfer account data from one continent to another, but without being allowed to link account activities across continents.

Of course, I also wonder whether we'll be allowed to travel to Europe again, but that's another question!

>Of course, I also wonder whether we'll be allowed to travel to Europe again, but that's another question!

Even the GDPR only applies to EU residents. Tourists will surely be exempt.

Doesn't really add much over the other reporting at the time, which had HN discussion here: https://news.ycombinator.com/item?id=23857072
