Not OP but but I try to explain it from my subjective perspective: It's good because that's not your small nodejs startup but rather Municipalities. They process sensitive data about their citizens and I'm sure Denmark has strict privacy laws for that. Giving that data to Google means it's now in the US and can be used by NSA or other organisations for spying. Does that happen? I don't know. But why take the risk. Secret court orders for national security are a thing. So it's a danger to the independence of the Danish state. Might all sound a little hyperbolic and theoretic but it can't be excluded. Furthermore it's illegal under current EU law ontop of that. See the other links to Max Schremps works here. Of course due to the sad state of public it infrastructure in Europe the risk for loosing the data is probably much higher than storing it at Google. I'm not optimistic that this will change. Too much lousy small firms and borderline corruption and too much tax money to earn.
> Might all sound a little hyperbolic and theoretic but it can't be excluded
> the Central Intelligence Agency (CIA), the Bureau of Intelligence and Research (INR) and the United States European Command (USEUCOM) already spied on France in their 2012 elections. Targets have been all parties and their leaders. [..] All targets were infiltrated both by human (”HUMINT”) and electronic (”SIGINT”) CIA spies. Specific tasks have been selected for all targets individually. [1,2]
Associated Press, on the other hand, did everything they could to downplay the degree of espionage and infiltration:
> American spies wanted an insider’s take on the race, including details of party funding, internal rivalries and future attitudes toward the United States. Although WikiLeaks’ publication of a purportedly secret CIA document was striking, the orders seemed to represent standard intelligence-gathering. [3]
I wonder if they would have described Russian infiltration of US parties as "standard", and not striking.
Impacts of such rulings also mean that the small startups and everyone in between is impacted.
There are no EU only alternatives to GCP, Azure or AWS, I mean there’s always Alicloud but well…
Alternatives will not be developed in time for these rulings to have a devastating impact on EU companies and in fact any company that works in the EU that processes data covered by GDPR even if they host purely within the EU simply because the parent company is in the US.
And even if my some miracle a real European cloud competitor would arise they wouldn’t limit their market to the EU, and the moment they have a substantial US presence and a US legal entity they can fall under similar circumstances as US originated companies.
This also means that potentially using solutions such as customer supplied or managed keys to encrypt data outside of the direct control of cloud providers is no longer sufficient to protect yourself from data transfer risk.
The data that municipalities store is not super sensitive, at worst it contains information about the number of sick days and salary.
If the NSA cares about this data at all, it will probably have other means to obtain it.
On the other hand, the municipalities might now have to spend a lot more taxpayer money to support a worse system that might reduce their efficiency, increasing wait times and frustrations for citizens.
That sounds very much like an "if you have nothing to hide, why are you worried about privacy?" argument. Which is deeply suspect and entirely serves the interest of the massive surveillance apparatus.
I very much doubt that there's any real need to be making decisions at that level. The money and other resources going to this IT effort is deeply unlikely to be anywhere close to the pots of money that would be considered for allocation against Russian aggression.
And given that this is in Denmark—which, while certainly within a zone of some concern, is hardly in any imminent danger from Russia—it seems to me that focusing on defending against Russian aggression, at the expense of effectively everything else, would be quite unproductive.
Or is it just that you don't think spending on maintaining privacy is worthwhile no matter what, and the Russia situation is a convenient distraction you can point to?
On the contrary, since the state ostensibly exists to serve its citizens, there is no legitimate reason to withhold any data whatsoever from them.
The idea that all but the most dangerous military information should not be public in real time flies in the face of the concept of an informed citizenry, and is far more dangerous and pernicious than its access by hostile powers.
If some information should not be public, it simply should not be accessible by the state.
But here we're talking about giving data about the citizens to private entities in a completely different country.
I can see there being some argument for eliminating the whole idea of "classified information", but that is absolutely not what is being discussed here. This is about the private data of the people of Denmark, and keeping it private.
That would be bad, since that’d mean storing the data themselves, with an increased risk of data leaks. (There was a medical data leak as recently as today from a Swedish agency. The track record is unfortunately not good)
