German privacy watchdogs conclude that Microsoft 365 is incompatible with GDPR (twitter.com/wolfiechristl)
311 points by Quanttek on Nov 26, 2022 | 328 comments

My personal favorite outcome of this would be a joint public and corporate funded leap in open source development. This would do much for the budget, privacy and probably also security of businesses and private users. A good example where this principle is already in use is the Matrix protocol.

Getting the balance of this right to prevent a tragedy of the commons turns out to be hard. Element (who funds most of Matrix dev) has released almost everything we do as permissive-licensed FOSS open source. As a result, there's a huge ecosystem of folks building commercial solutions on Matrix. But surprisingly little $ actually gets back to Element (or the Matrix Foundation) from those commercial solutions, if any.

I don't have any proof but I'm certain Germany must have made some sort of funding for matrix


The messenger for the German armed forces is based on Matrix.


> TI-Messenger is gematik’s technical specification for an interoperable secure instant messaging standard. The healthcare industry will be able to build a wide range of apps based on TI-Messenger specifications knowing that, being built on Matrix, all those apps will interoperate.

The ones getting most of the money will probably be third-party developers integrating Matrix into their gematik-certified healthcare products.

Ironically very little of the $ seems to be propagating back to Matrix itself…

It's disappointing that Germany decided to go their own way rather than joining DirectTrust and working on the Trusted Instant Messaging Plus open industry standard. It's specifically designed for healthcare.


It’s definitely unfortunate that there’s a schism between e2ee matrix and e2ee xmpp there.

Looks like it's based on the established and mature standard XMPP. Not disappointing to me.

Which somewhat highlights the problem with "permissive" licences, as opposed to copyleft ones like AGPL.

But would AGPL have gotten traction in the first place? I guess we can't say for sure, but my guess is no. I think it's safe to say that at minimum it would be an additional barrier to entry.

Mastodon and PeerTube are both AGPL.

I'd say the jury is still out on Mastodon (and anyway it would not be competitive except for Twitter imploding), and I haven't even heard of the other one, so I'm not sure this is a compelling argument.

the problem of AGPL for Matrix is that it would have likely impeded uptake significantly. But yes, it’s something we’ve considered.

Perhaps it's actually good that one company can't capture significant amounts of money when the goal should be to move away from single-company communication tools. Of course the Foundation does need funding and I think it would be in Germany's / the EU's interest to secure that.

Agreed. Ideally, the official policy should be introduced to either fund or contribute to FOSS used.

Forget the migration costs; just to develop and stand up the infra would cost a few billion euros for one O365 app alone. I don't think people understand how much O365 apps are used. Nobody is filing GitHub issues with this either; you need to do commercial and customer support, basically replace a core MS SaaS product, but not with some shitty idealistic hack, because the economic consequences are dire!

Investments in that area would be investment into European open source development as a whole and European IT in general. Businesses can spring up around such efforts, people can find employment, technology can be developed, and the European market could be strengthened.

Why haven’t Europeans been able to be successful in this area already? It’s not like there aren’t always European businesses working on this problem.

It is striking that both the evil empire solution (Microsoft 365) and the underdog disruptive upstart (Google Docs, at least that’s what it was ~15 years ago) are both American companies. iWork is American, Zoho is Indian.

Why aren’t Europeans producing competitive software?

There is more than enough EU software.

The problem with the MS products is a different one.

All authorities and almost all businesses are in tight vendor lock-in when it comes to US software. That's a powerful factor. You can't escape 30+ years of grown lock-in without "insane" investments.

The second factor is of course the corruption all across the EU and its authorities.

Ever heard the story of Munich's switch to Linux and then back to MS? "By chance" MS built its German headquarters in Munich right after that… (Of course hundreds of millions of euros were in play there.) And the sister of one of the lead politicians behind that is "by chance" working for MS in a high management role. There are also known buddy connections between the ex-mayor of Munich and MS.

And that's just the tip of the iceberg.

> Why aren’t Europeans producing competitive software?

They absolutely do:





Just 4 examples from Germany. There are countless software companies in Europe, and not just western... eastern Europe is going big in IT in some areas as well. The ability is certainly there.

As to why that didn't (yet) result in good EU-centric alternatives to some of the big US providers in certain areas of IT... good question. I think the correct answer will be a mix of startup culture, government appreciation for the topic's importance, convenience of existing solutions, marketing, and several other topics. Certainly not an easy question to give an answer to.

There’s a small market for it.

Back before Gmail ate the world there were a number of small “mail server with webmail” in a box setups - those mostly died off. Similar things happened with office suites.

OpenOffice was German (Star Office).

And now The Document Foundation, which is behind LibreOffice (the active fork of the dead OpenOffice), is also German-based. And they put a lot of work into it, also the modernisation. But to be honest, I am not sure if they could ever become serious competition. I think they would have to do a fresh UI start and be 100% Microsoft Office compatible. Then they would have a chance. With more official backing this is maybe remotely possible, but I do not count on it. Rather political pressure for a slight modification of Microsoft's operations for Germany.

EU market would also weaken because they lose the competitive advantage of O365, even google workspace would be better. O365 (or its replacement) is as important as diesel and gasoline to the economy!

Are businesses allowed to use M365 if all of this open source investment fails to produce an equal-or-better solution? Or are businesses forced to operate with the result even if it's terrible?

Where is it allowed to do illegal things because you don't like the legal alternative (or there isn't even one)?

I’ll take the strawman. Of course, the software would not be forced upon businesses. Commercial solutions that protect people’s data properly should be perfectly fine to use. I’d even expect many proprietary solutions to come up that solve niche use cases or provide a more polished UX/UI.

A few billion Euro?

That's nothing even for a middle sized EU state.

Considering the whole EU such costs would be a rounding error; even really hard to spot in the budget.

But it would be an investment in the domestic economy and a step towards independence from the empire. Should be a no-brainer therefore.

Let me put it another way: that's just the start. You would effectively need the EU to operate a SaaS service and compete against MS. The money is hardly the issue; you can't just throw money at it or say the magic phrase "open source". It isn't for a lack of money that LibreOffice is nowhere near Excel, for example; tech people would actually say it is pretty good without knowing how these apps are used.

It is the digital equivalent of replacing all cars of a certain make that everyone uses for critical business functions and replacing them with your own line of cars that will take a decade plus to even mature after you spent a ton of money and an army of devs and dev-support/mgrs.

> libreoffice is nowhere near excel


What does it lack (besides cloud lock-in, and compatibility with formats that are made in a way that it's impossible to be fully compatible).

> […] that will take a decade plus to even mature after you spent a ton of money and an army of devs and dev-support/mgrs.

You need to start somewhere.

A few billion is no problem. Simply collect the GDPR-defined maximum fine of 4% of total global revenue from Microsoft, and use that to build the alternative. Provide that solution for self-hosting, so the cost of the infrastructure is paid for by the user organizations.

Why would Microsoft (or Google, or anyone) continue to operate in Europe in that model? Seems like a recipe to go from an imperfect tech solution to none at all.

> Why would Microsoft (or Google, or anyone) continue to operate in Europe in that model

Because the European single market has a GDP of about 16.3 TRILLION dollars (2020 estimate, source: https://en.wikipedia.org/wiki/European_single_market)

By GDP, it's the third biggest market in the world, directly behind the US and China.

Because there is a market in Europe they can service.

Microsoft and Google are not shoestring budget bootstrapped startups - they can afford to run multiple products, or multiple variants of the same product adjusted for market need, and they will do it, as long as it's net profitable for them. Sure, it's nicer to earn X than X/2 or X/10, but as long as it's a positive amount, it's still worth doing.

That is, as long as it's more profitable to do it by the books than what a lot of industry players did so far, which is to spend money on malicious compliance and sabotaging GDPR.

The calculus changes when you’re being fined tens of billions of dollars that will be used to develop a competitor to your core product.

It’s not (X/2), it’s (X/2) - (NPV of future profits from giving X/2 to develop competition).

Your model would work for just an adaptation to a compliant product, but not to the proposed “just seize 4% of their global revenue and use that to fund a competitor” model that I was replying to.

There is already some work in progress to replace Office 365 with a free software stack for governments:


Ayayay, the list of partners does not really inspire confidence that this will be the fast success we'd need:


This is a pipe dream not based in reality.

Open source isn't all upside with no downside, and that is why commercial software still dominates and will unless someone decides to take the hit and carry the load for those downsides.

Besides, in terms of MS365 there is the added problem that there is no good alternative. There are some reasonable alternatives for individual instances but not for the delivers of using 365.

Kolab was originally an open source alternative to Exchange developed by BSI (Bundesamt für Sicherheit in der Informationstechnik) and different companies. I don’t think it has been very successful though.

AFAIK Nextcloud does have some funding from the EU. I've got an instance for file storage and notes, but the more advanced stuff is pretty buggy and unstable in my experience.

I have had broadly the same use case - small scale file sync (text notes, some documents)

If you want to save some cash, I can recommend Syncthing. You don't need to host a server for it unless you want to - it is peer-to-peer with all devices you want to be linked via their discovery servers (you can host your own as well).

I used to host my own Nextcloud for about 3 years, moved to Syncthing a few weeks ago, pretty happy so far.

Thank you, I'll try it. I don't spend any money on my Nextcloud though, it's hosted on an "always free" (true so far) compute instance of Oracle OCI.

OpenOffice has been good enough for a while, but we're still here. I'm not sure what's missing for governments to adopt it, but the solution isn't just "more open source development." Something else is wrong.

Who hosts it for the organization?

Who supports it when something goes wrong?

Who ensures there are a wide base of users trained to use it?

How good are the transition resources?

How much will it really cost to transition to the "free" option...

More likely, someone will figure out a corporate structure that makes the EU subsidiaries out of reach from the US government. It's obvious that eventually all US-based services will be declared in breach of the GDPR given the US stance on global surveillance.

Am I mistaken, or did MS have that with Deutsche Telekom running a special Azure zone on their behalf? The idea was that MS wouldn't be able to comply with US court orders because they weren't in control of that zone, and DT's German subsidiary running that operation wouldn't be in US jurisdiction.

As far as I know, they shut it down two years ago citing higher costs and operational issues.

I don’t know about that, but that’s how it works in China, at least. 21vianet is the operator for the Chinese Azure cloud, and presumably is fully accountable to Chinese law, not American.

How does FOSS make gdpr compliance easier?

You can host it yourself on servers in the EU.

But most companies don't actually want to host things themselves. If they did, 'cloud computing' wouldn't be so popular.

Sure, but smaller EU-resident providers could do hosting for companies.

But Office supports this too. This isn’t an FOSS advantage. It’s a disadvantage of cloud hosted providers.

So self-hostable or on-prem software has the advantage, not specifically FOSS. But in many cases this transfers the gdpr compliance burden to the business that's running the software

The burden is on the owner of the data in any case. When using an external data processor like Microsoft they have to make sure that the external company complies, and this must be explicitly covered by the contract.

It is not the main point I am trying to make, but FOSS may be hosted in the same country by an entity whose business is integration and support.

The main point I am trying to make, though, is that investing in software that can be used and improved by anyone is (IMO) the appropriate allocation of tax money. Right now, the money is used on licenses (and, of course, support). What if it was used on development (and support) and the byproduct is a software that ideally can be used by anyone who paid for it, too?

The GDPR situation poses an opportunity to make that switch.

Your suggestion boils down to developing a business based on deploying and supporting a software product they can neither control nor own. 'Improved by anyone' tends to mean improved by no one who has a real stake in the product.

Not in a direct way.

What they mean is that FOSS is more likely to be developed with product quality and value in mind. Proprietary software need to satisfy corporate goals too. And these are often contradictory to the spirit behind GDPR.

Most companies are going to be well-aligned with not being sued out of existence for gdpr violations

Problem as always is, it's all talk and (almost) zero enforcement in Germany.

Complaints to a data protection official take forever, are usually dismissed at first, even if counter to published opinions or decisions such as TFA. And only if you still care after a few years of waiting and at least one appeal you might get a decision, however usually a very cheap one for the perpetrator.

> Problem as always is, it's all talk and (almost) zero enforcement in Germany.

I have the exact opposite impression. Even in a small start-up, every new external supplier will be judged on whether there is any customer data processing in the US. People are super afraid of Google Analytics. If you use Google Fonts on your website you will get a cease and desist letter in no time from scummy lawyers. You practically need an external company to manage your cookie banner because it is a legal risk.

The first example isn't enforcement, it is due diligence and compliance in companies. That does happen, of course, sometimes in a useful way, sometimes to just have some fig leaf to point at in case of a complaint.

Google Analytics and Google Fonts are regularly enforced, but not by data protection officials. "Enforcement" of those is, as you've said, done by scummy private lawyers, scanning websites and sending expensive letters ("Abmahnungen") en masse. Basically, due to a weird precedent, those lawyers are allowed to give you unasked-for advice on your wrongdoing and bill you for it. But that is, afaik, a specialty of German law, and mostly limited to stuff that can be fully automated. So while you can scan for a website using Google Fonts, you cannot as easily scan for someone using Office 365. Although you might, maybe, get a hint by looking at the DNS MX records.
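
The MX hint mentioned above, worked through as an added example (this is not code from the thread or from any project it names): Microsoft 365 tenants that use Exchange Online normally publish an MX host under mail.protection.outlook.com and an SPF record containing include:spf.protection.outlook.com; Google Workspace tenants point MX at aspmx.l.google.com and include _spf.google.com. The classifier below checks both, because a mail-filtering gateway in front of the tenant replaces the MX host but usually leaves the SPF include in place. All zone data is constructed inline; nothing here touches the network, so real checks would feed it the output of a `dig MX` / `dig TXT` lookup instead.

```python
"""Classify a domain's mail provider from MX and SPF (TXT) records.

Added example for the thread, not original code. The zone data below is
constructed; the provider fingerprints are the publicly documented MX
hosts and SPF includes, and the lookup itself is left to the caller.
"""
from dataclasses import dataclass, field

# Fingerprints: an MX host ending in one of these suffixes, or an SPF
# include of one of these names, points at the named provider.
PROVIDER_MX_SUFFIXES = {
    "microsoft365": (".mail.protection.outlook.com",),
    "google_workspace": (".google.com", ".googlemail.com"),
}
PROVIDER_SPF_INCLUDES = {
    "microsoft365": ("spf.protection.outlook.com",),
    "google_workspace": ("_spf.google.com",),
}

# Constructed sample zones (hypothetical domains, no real lookups).
SAMPLE_ZONES = {
    "example-gmbh.de": {
        "MX": ["example-gmbh-de.mail.protection.outlook.com."],
        "TXT": ["v=spf1 include:spf.protection.outlook.com -all"],
    },
    "startup.example": {
        "MX": ["aspmx.l.google.com.", "alt1.aspmx.l.google.com."],
        "TXT": ["v=spf1 include:_spf.google.com ~all"],
    },
    # A filtering gateway sits in front of the tenant: the MX no longer
    # names Microsoft, but the SPF include still does.
    "filtered.example": {
        "MX": ["mx1.filter-gateway.example."],
        "TXT": ["v=spf1 include:spf.protection.outlook.com "
                "include:spf.filter-gateway.example -all"],
    },
    "selfhosted.example": {
        "MX": ["mail.selfhosted.example."],
        "TXT": ["v=spf1 mx -all"],
    },
}


@dataclass
class Classification:
    domain: str
    providers: set = field(default_factory=set)
    evidence: list = field(default_factory=list)


def _norm(name: str) -> str:
    """Strip the trailing dot of a DNS name and lower-case it."""
    return name.rstrip(".").lower()


def spf_includes(txt_records):
    """Return the include: targets of the first v=spf1 TXT record."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            return [t.split(":", 1)[1] for t in rec.split()
                    if t.lower().startswith("include:")]
    return []


def classify(domain, mx_hosts, txt_records) -> Classification:
    """Match MX hosts and SPF includes against the provider fingerprints."""
    result = Classification(domain)
    for host in map(_norm, mx_hosts):
        for provider, suffixes in PROVIDER_MX_SUFFIXES.items():
            if host.endswith(suffixes):
                result.providers.add(provider)
                result.evidence.append(f"MX {host}")
    for inc in map(_norm, spf_includes(txt_records)):
        for provider, names in PROVIDER_SPF_INCLUDES.items():
            if inc in names:
                result.providers.add(provider)
                result.evidence.append(f"SPF include:{inc}")
    return result


def classify_zone(domain, zones=SAMPLE_ZONES) -> Classification:
    """Classify one of the constructed sample zones by name."""
    zone = zones[domain]
    return classify(domain, zone["MX"], zone["TXT"])


if __name__ == "__main__":
    for name in SAMPLE_ZONES:
        c = classify_zone(name)
        print(f"{name}: {sorted(c.providers) or 'unknown'} {c.evidence}")
```

Two caveats a practitioner should keep in mind: the records only show where inbound mail is routed, so a tenant that uses Microsoft 365 for documents or Teams but not for Exchange Online leaves no trace here, and an empty result is therefore not evidence of absence; conversely a positive match shows a data processor relationship, not what data is stored there.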

What needs to be true about me and my website to possibly be subject to Abmahnungen? Does my website need to be hosted in Germany? Do I need to reside in Germany?

Probably a German address in the imprint. I can't imagine they'd bother with anyone abroad. They're just after easy money after all.

"Probably a German address in the imprint."

Just any address. Their point is, it needs to be a physical address, so in case someone wants to sue the website, they have somewhere to send the physical letters to.

In other words, many people got expensive physical letters, to make it in general easier for other people to send them expensive physical letters.

But yes, as far as I know, this only affects Germans. But once we control the EU, who knows.

But if I have no imprint which is a common cause of the Abmahnungen? I am curious because I am a German citizen, but haven't lived there in a long time. Right now I just ignore all of that legal German stuff. What would need to change for me to worry? Moving residence to Germany? The server being there?

> You practically need an external company to manage your cookie banner because it is a legal risk.

Don't set cookies for visitors. Notify on signup for everyone else.

Not really feasible in a lot of cases without giving up things the business absolutely wants. I work on an e-commerce site for a large company. Marketing wants to track all clicks and user inputs and get heat maps to improve the conversion based on their findings. They want to know where their users come from and where they go, to see if their campaigns work. They also want Google Maps integration to find retail stores. They want users who come back 2 days later to retain their shopping cart and their preferences even without a login, in case they check out without an account. They want dynamic A/B testing based on user behaviour, and they don't want to/can't reinvent all these solutions, so they go buy them and the devs get to integrate them, whether they like it or not. Some things simply make it so that you need to store some data on the client and communicate it in some way while not being completely anonymous.

So cookie banner it is and to be sure you don’t get sued you buy that elsewhere.

> Marketing wants to track all clicks and user inputs and get heat maps to improve the conversion based on their findings. They want to know where their users come from, where they go to see if their campaigns work. They also want google maps integration to find retail stores. They want users who come back 2 days later to retain their shopping cart and their preferences even without a login in case they checkout without an account. They want dynamic A/B testing based on user behaviour and they don’t want to/can’t reinvent all these solutions so they go buy them and the devs get to integrate them - whether they like it or not and some things simply make it so that you need to store some data on the client and communicate it on the client in some way while not being completely anonymous.

Speaking as a user, I don't want your company to know or do any of those things. I'm very glad these practices are getting outlawed and I'd like your marketing team to know they can get hit by a bus for all I care; the world would be a better place without their cancerous doings. Psychological warfare against the general public is despicable.

I'm with you. In fact I have had more meetings with these people arguing against these practices than I can count. However, every single customer-facing project I have worked on so far that tries to sell something uses practices like these. Sometimes even worse. I guess it's a result of being profit-oriented before anything else, and it works apparently, otherwise it would not be done. So the change you advocate for is one I would like to see too, but it challenges structures which are so pervasive I'm not sure they can be easily reversed. If this company got fined for using Google Analytics, their answer would not be to re-evaluate tracking; they would make their legal department lay out just how far they can stretch it while still getting away with it, and then do that.

> Notify on signup for everyone else.

You don't need notifications for purely functional cookies. If you have a Nextcloud instance that only uses a cookie to remember your user identity throughout a login session, no notifications are required. If you also feed the value of the Nextcloud cookie into a tracking system, that's when a notification is required. And only then.


I mean, yes, that's what it used to be, pre-GDPR.

With GDPR, the data protection agencies have grown teeth. And fangs. And claws and talons.

GDPR enforcement is young, and the goal is compliance, not maximum fines. So depending on the offence and the offender, they start with a warning or a small fine. This will ratchet up and the maximum is € 10 million or 2% of the previous year's annual revenue (not profit), whichever is greater!

Microsoft's annual revenue for FY 2022 (I guess they are early) was almost $200 Billion. So the fine for them could be $4 billion. Yes, that's noticeable and not something you want to explain to your shareholders.

And of course this seems to apply to their customers, for whom margins tend to be tighter, and for whom IT is not their main business, but an operating expense in the first place. For example, Volkswagen has an operating profit of around 6-7%. So 2% of revenue is around a third of their profit. And also around a third of their entire R&D budget. Yeah, compliance is the cheaper option by far.


There were plenty of EU countries with privacy laws. The laws were all ignored by all but the largest companies in the country. Getting FAANG to take note of local law was basically impossible.

On paper, the GDPR is weaker than what it replaced in my country. I lost some privacy rights with the GDPR, and gained some bureaucracy if I want my rights enforced. In practice, the GDPR gets some following, even outside the EU. It has teeth.

Enforcement is a major issue for most countries. I once asked for a data export from GitHub and GitHub said that because I couldn't prove 2FA I couldn't prove I owned the account. The account was in my name with my profile picture; I can prove who I am via passport. I'm legally entitled to know what personal data they have on me and to get an export. The Netherlands were very wishy-washy and basically too lazy to do anything about it, probably because they were overworked.

GDPR mostly seems like an annoyance to developers while providing little actual benefit to users, since countries aren't willing to enforce it, and even if you do take it to court yourself the courts aren't doing much. In one case, a German court found that a company breached GDPR by using Mailchimp, but because they stopped using Mailchimp they didn't fine them for the breach. That is realistically a complete joke of a judgement. And honestly, there are lots of judgements that are basically similar.

Who would have thought that uploading business data (trade secrets) and personal data straight to servers that are known to be accessed by the NSA would be incompatible with GDPR? /s

The kicker is that EU companies are essentially paying to upload their trade secrets to their direct competitors in the US.

I've made this argument to employers several times. They do not worry because MS/Google are too big to care for our stuff.

We're a minority

GDPR fines can be massive, look at the list here: https://www.enforcementtracker.com/ (sort by the fine amount)

Yes. But there are too few of them, and usually in situations where other companies can still wait and see. "We aren't Facebook", "We are too small to be noticed" and "but we had them sign a waiver" are still prevalent in most companies.

For things to change, there would really need to be something like:

- data protection fines the whole of the customer list of Amazon/Google/MS cloud

- data protection fines a high-profile company a lot of money for using Office365

- a court forces a public institution to cease using Office365 (no fines possible there)

- enforcement accelerates to a point where, from complaint to fine, things take only a few weeks, instead of a few years, so that lots of medium and smaller businesses are hit. Currently enforcement seems to be starting with the big cases, and being bogged down in the complexity of those.

There's nothing wrong with prosecuting the large perpetrators first, and only going after the smaller ones once the large ones are under control. In fact, it's the cost-effective way of doing it.

Besides, the GDPR is not extremely clear, so setting the boundaries in a very public way is a good thing.

> - a court forces a public institution to cease using Office365 (no fines possible there)

AFAIK, in Norway, most fines have been directed at public institutions.

Don't know about Norway. But whether fines apply to public institutions is up to the member states, and most member states, including Germany, have decided not to fine their public institutions for GDPR violations.

> have decided not to fine their public institutions for GDPR violations

Because they’re too Byzantine to make enforcement practicable, or because they’re not seen as a privacy risk (the government in Germany should know lots about you), or something else?

The official argument is that fining public institutions is a game of taking from the right pocket to put in the left pocket. It's the state fining itself. Also, officially, public servants are expected to obey the law as a matter of course. A certain interpretation of the law can just be made an official order to all subordinate government agencies, and any civil servant disobeying that interpretation is at fault for not performing their duties and treated accordingly.

However, that all leads to the obvious workarounds: the official interpretation is usually the most lenient possible, and compliance is put off to some time next century due to lack of personnel/budget/willpower. And if something is found to be amiss, the data protection officer may order a government agency to fix whatever is wrong, but can neither fine nor discipline a civil servant. Because disciplining is up to the direct disciplinary superior, which cannot be (due to them being independent) the data protection officer.

So 3 enforcements in Germany in all of 2022, and the highest fine in Germany was 35 million. 35 million is how much for Microsoft? The yearly Office 365 fees of one of their DAX customers?

The possible fine for Microsoft would be 4% of the sales revenue of the whole company, which would amount to 6.8 billion dollars (at 170 billion dollars revenue in 2021)

The big fish all have their EU branches incorporated in Ireland for tax reasons. Filter by Ireland and you'll see some larger fines and some more well-known company names. And even then, it's a well-known contention within the EU that the Irish data protection authority is dragging their feet on investigations and fines because of the "tax reasons" part.

It's nothing, but once one of their customers gets a 5 million euro fine for using Office 365 for sensitive data, the impact will be significantly higher. Microsoft can take the hit but most of its customers can't.

Microsoft's incompatibility with the GDPR puts some of its customers at risk. A fine or two and businesses might stop paying for those lucrative cloud subscriptions.

This will literally, not figuratively, but -literally- never happen. A smaller business will never be punished as a signal to Microsoft.

A website using WordPress got fined for including Google Fonts. Not the organization that provides WordPress using Google Fonts by default.

Likewise, a company using O365 to store customer or employee data will get in trouble, not Microsoft for offering that service.

That's not what's being discussed. My comment asserts with certainty that a small business will never be punished as leverage against the upstream big corp.

It's not Microsoft's fault if customers use it to store GDPR-relevant data. It's Microsoft's customers using them as an external data processor. It's the companies that are using O365 for such data that will get fined.

The fine is not to send a signal to Microsoft. The fine is a punishment for letting Microsoft process personal information when it's known that they do so in a way that violates the GDPR.

The €100 fine to that one website that included Google Fonts wasn't an attempt to get Google to put Google Fonts in a European holding or whatever. That was never going to happen. It was to punish that website for breaking the law.

Before anything like this will hit the news, there would first be a massive lawsuit that will probably take months or years. I wouldn't be surprised if Microsoft would throw lawyer money to the company involved just to make sure the lawsuit doesn't end setting a precedent against their product.

Never underestimate German courts and their willingness to uphold privacy laws when they get challenged.

Even with all its flaws, I love the EU. 746 million euro fine on Amazon for not respecting data privacy principles.

It's not massive at all when you compare the fines to the profits of these companies.

Tech will end up exactly the same way finance is (if it isn't already there). Employees will work for the regulatory enforcement agency for around five years on shit pay, learning how the system works from the inside and making contacts in the industry, before leaving and being ushered into a tech firm with a nice six-figure salary. Meanwhile, no regulations will really get enforced apart from the odd token case against a big company so the agency can continue to justify its existence and funding. The fine against the big company will be a complete drop in the ocean and will have already been accounted for well in advance by said company as a natural cost of doing business. No one will go to prison for any wrongdoing unless it's a fraud case where someone's tried to cheat the company and the regulators for their own individual gain, in which case they'll be made an example of to ensure all the other players stay in line and don't rock the apple cart. Repeat until the end of time.

Any attempts to appoint new leadership to reform the existing corrupt agencies will most likely end up being sabotaged from within by bureaucrats who gain from the system remaining dysfunctional. The only two ways you can effectively change it are:

- setting up complete new ‘start up’ agencies and appointing people to wind down and distract the power players in the existing ones.

- going full nuclear like Elon just did at Twitter and firing the majority of the workforce

I've never seen such a cynical comment like this one here. On what basis are you theorizing this?

So I first heard about it as a young man in the early 2010s when I encountered a woman who worked in the financial regulation sector in the UK who told me exactly what I just summed up in the first paragraph. Google “revolving door $INDUSTRY” and you’ll get a pretty good feel for how widespread it is. Naturally it’s downplayed by the official narrative such as in the last of the following three links:




If you’re based in the UK, buy an issue or two of Private Eye who will often name such people as well as the staggering amount of general corruption at play in UK politics.

As for the last paragraph, I recently heard some system thinkers express similar sentiments based on how FDR managed to enact real change and how most presidents have failed to achieve much in comparison since.

> During his first term, FDR quickly found that the federal bureaucracy, specifically at the Treasury and State Departments, moved too slowly for his tastes. FDR often chose to bypass these established channels, creating emergency agencies in their stead.


In time however, these new agencies become bloated bureaucratic nightmares themselves. In my opinion, the circle of life extends to organisations as well as life forms. I view economic booms and busts as a “changing of the seasons”: old organisations that can no longer compete die and new ones take their place. The problems start occurring when government intervenes to keep zombie companies around because they’re “too big to fail”.


What leads you to think this will happen with privacy laws in the EU? Out of all jurisdictions they seem to be one of the ones you shouldn't fuck around with. They take time to pick up speed, but once they do, lord help you.

Because it is already happening in the EU. Have a read through the EU section on here:


Wherever there is lots of money and power at stake there will be corruption to some degree. The EU might be better than most but it is absolutely still there.

> "For greater transparency, we would welcome the publication of the detailed DSK report, with appropriate redaction, alongside the detailed responses Microsoft had provided the DSK."

Redactions? How should the data owners be able to verify Microsoft's processes if some of the information is redacted?

Thank you, both.

IMNHO the most likely outcome is that o365 will come to be GDPR compliant - and so business will be able to (continue to) deliver on government contracts building on o365.

It's hard to see how. MS would have to create an entity entirely separate from MS US... while providing the exact same services.

What’s hard about that? Every company has tons of shells for various reason.

Shells are not separate from the parent company. The Cloud act still applies to them.

Is that before or after they send the content of your PowerPoint file?

If you're referring to the article posted last week, you need to read more than just the headlines

>you need to read more than just the headlines

It's sending your content without consent... what's the problem?

Care to elaborate, instead of providing 'headline'?

Microsoft is phoning home the content of PowerPoint slides: https://news.ycombinator.com/item?id=33506576

I suppose I should've said 'read the comments' considering that the particular post is very short.


I use onlyoffice[0] because MS Office doesn't run on Linux. It is open source and seems to have the best compatibility with MS Office. You can self host it and/or use it locally. It also integrates with e.g. nextcloud or seafile.

Some features are missing yes, but the usability (IMO) is better than Libre-/OpenOffice.

I don't know how good the collaboration is but they seem to advertise for it.

[0] https://www.onlyoffice.com/

For the businesses who might want to switch to an alternative.

A great one is Cryptpad: https://github.com/xwiki-labs/cryptpad

There are hosted instances also if you're not interested in self hosting.

P.S. I'm not affiliated in any way with the project.

This is as much an alternative to Office as rolling on the floor while making engine noises with your mouth is an alternative to having a car.

I love Cryptpad, but suggesting it's an alternative to Microsoft 365 is a bold statement.

I can second cryptpad.

It can do documents and „excel“ and „PowerPoint“ and a few other things.

No experience in an „industrial“ environment though so YMMV.

365 is the cloud-based suite of Microsoft Office; you can still use Microsoft Office 2021 Professional or older versions.

365 is a nice way of collaborating at work. If you are a small business it is a nice product; for the big companies this is just going to be more headache for their IT department, so now instead of relying on the Microsoft servers to allocate and store the documents, they will use any other server from who knows what company and hosted who knows where. Some will be hosted with e2ee including at rest while others will end up using some shit show of servers from a company owned by some dude from not so friendly countries.

I understand that privacy for companies is a big risk, but regulating it this way can easily end with a cobra effect.

Yeah, the file storage is so messy - I still don't know if the file I saved is in SharePoint or onedrive, and that they seem to be the same but different at the same time

I've found these cloud editing solutions great for working with your colleagues but terrible for collaborating externally. You can't share a doc with their company for policy reasons and likewise they can't share with you.

I've resorted to sending docx back and forward instead.

> I've found these cloud editing solutions great for working with your colleagues but terrible for collaborating externally.

You can blame this on your O365 admins rather than Microsoft. For admins who want to generally restrict external sharing, it can even be limited to select Document Libraries. https://learn.microsoft.com/en-us/microsoft-365/solutions/co...

It is admins that are to blame, but not making it easy for an end user to get permission to share something is on Microsoft.

Also not just Microsoft is at fault. Using Google docs to share with a company that doesn't have Google docs is just as painful.

Next is Windows 11 with its always log-on requirements.

Is it me or does Germany switch (back?) to open-source every few years? I remember being excited they were switching to Linux (or was it Munich?) years ago.

You are more or less. LiMux started in 2004. Last two points on its long timeline[0]:

* November 2017 - The city council decided that LiMux will be replaced by a Windows-based infrastructure by the end of 2020. The costs for the migration are estimated to be around 90 million Euros.

* May 2020 - Newly elected politicians in Munich take a U-turn and implement a plan to go back to the original plan of migrating to LiMux.

[0] https://en.wikipedia.org/wiki/LiMux

You forgot the quite important

September 2016 - Microsoft moves its German headquarters to Munich

Last time I heard about it, it ended with users (i.e. bureaucrats) complaining about missing features and/or differences between MS and the open source alternative and forcing a switch back to MS.

It was Munich - and it only happened once.

I shared the excitement, but as so often it was only executed half-way. In essence, instead of recreating processes from the ground up to fit the new reality, they tried to make everything as beforehand. Unsurprisingly, that was a huge uphill battle - in the end they spent more money than beforehand and had a lot of trouble in maintenance etc.

(Regarding the 2020 public announcement; nothing has happened since then IIRC so I would not count that in - just talk no actions)

At this point, isn't it pretty safe to assume very few Silicon Valley services conform to GDPR?

Another example was shared recently: Shopify is technically illegal in Germany [1]

[1] https://news.ycombinator.com/item?id=33561222

It's quite safe to assume that none do. Unless all your data (including metadata) is end-to-end encrypted outside of the US, the service is non-conforming. And the internet makes it quite hard to encrypt metadata.

At this point, virtually no digital service - or in fact in business - can be considered to be compliant with GDPR. The reason for this is an ECJ case ruling informally known as Schrems II (https://www.gdprsummary.com/schrems-ii/ ).

That ruling not only invalidated the Privacy Shield agreement, but in fact prohibits the transfer of any data to any company affiliated with a US-based company in any way (including subsidiaries or even mere suppliers or customers), which comprises pretty much every company out there - US-based or not - because in today's globalized economy you'd be hard-pressed to find a company that doesn't in some way at least transitively deal with US-based companies.

Technically, the reason for this is the US CLOUD Act (https://en.wikipedia.org/wiki/CLOUD_Act ), which requires US-based companies to hand over any data, regardless of where that data is stored geographically. This also means that the common naïve assumption that you're safe in terms of GDPR as long as your data is stored in EU-based data centres is false as well.

So, when following GDPR and this court ruling to the letter, we'd (as in "everyone") pretty much have to stop trading and doing business altogether. Since that's (hopefully) not going to happen, none of this is enforced, at least not consistently or according to the rule of law (which in a way is even worse because at that point law and law enforcement becomes arbitrary and fines will be imposed based on how eagerly local authorities pursue these matters rather than universal principle).

Now, it can be argued that the EU and GDPR really aren't to blame because it's the US CLOUD Act that created this issue, after all. That CLOUD Act indeed is hugely problematic, to say the least.

However, the problem remains and it's on the EU to negotiate an agreement with the US that allows companies to legally do business in the real world (as opposed to an ideal world according to GDPR) again.

it's on the EU to negotiate an agreement with the US

Wouldn't it be equally on the US to negotiate an agreement with the EU to maintain the global dominance their tech sector currently enjoys? I don't see a categoric reason why the EU should blink first.

The EU's relevance and clout is notoriously overestimated, particularly when it comes to the digital economy. There's this pipe dream that GDPR would somehow jumpstart a privacy-focused digital economy with viable alternatives to US-based services, cloud providers in particular. By and large, these ideas so far have proven to be unrealistic, delusional even.

Let's consider the possible ways this might play out:

1. The US maintains its position and the CLOUD Act, specifically. The EU maintains its position and GDPR and the Schrems II ruling, but doesn't strictly enforce those.

So, pretty much the status quo as it is today. In that scenario, the EU and local authorities will keep pestering EU-based businesses here and there, but overall prove they're a paper tiger with lofty ideals but no power or will to back those up with action.

From a US perspective, that's not only an acceptable but even a desirable outcome, because a relevant international party decided to deliberately hamper themselves and their economy with no repercussions for the US. So, no need for the US to blink first, or at all, as a matter of fact.

2. The US maintains its position. The EU maintains its position, too, but contrary to the first scenario does suddenly decide to strictly enforce GDPR and crack down on any business that doesn't comply.

Since, as outlined above, this would mean pretty much every business under EU jurisdiction, the entire economy of the EU would come to a grinding halt within weeks, which in turn would probably lead to major insurrections and the EU ceasing to exist within a matter of weeks as well.

This of course would entail major turmoil and crisis for the world economy as a whole as well, but the EU and EU countries would suffer the most.

So, not exactly a desirable outcome for the US. However, there'd be no need for the US to blink first in this scenario either. If a player decides to commit economic suicide, why should the other player indulge them?

3. The US maintains its position. Again, the EU maintains its position, too, but contrary to scenario #1 and #2 not only decides to strictly enforce GDPR, but first entirely extricates itself from the US economy (i.e. mercantilism 2.0) by not only requiring businesses under EU jurisdiction to cut all ties to the US but by managing to provide viable alternatives to US-based services first.

As pointed out above, so far this hasn't been happening and there's no obvious reason why that would change all of a sudden.

Still, even if such a scenario were realistic, the economic consequences probably would be more severe for the EU than for the US, too.

So, again, no need for the US to blink first.

Hence, in any possible scenario - however likely or unlikely - the US can simply wait it out and it's on the EU to make the first move.

<< the entire economy of the EU would come to a grinding halt within weeks,

You may have a better insight into this, but could you elaborate a little further? Is the entirety of the EU running everything on AWS the way the US seems to be, and thus making it a vulnerable monoculture of sorts? For example, I can see some heavily digitized countries suffer (Germany, Estonia), but not all of them seem that independent of paper documentation.

As outlined above, simply having a US-based supplier or customer might be enough for a business to be in violation of GDPR.

Even if your entire business is offline and all your processes are still paper-based (which today would be highly unusual, even in less digitized countries such as Germany, where quite a few businesses actually still rely on paper and - indeed - fax for at least some of their processes), that might still be the case.

More realistically, any run-of-the-mill SMB will use at least some digital tools, e.g., for accounting or for running their website. Relying on EU-based suppliers and EU data centres exclusively or even going all the way and storing everything on-premises doesn't necessarily mean you're compliant with GDPR.

If only one of those EU-based suppliers has any dealings whatsoever with just one US-based company you're technically in violation of GDPR again.

>. There's this pipe dream that GDPR would somehow jumpstart a privacy-focused digital economy with viable alternatives to US-based services

I would like to see this, but given the extremely shitty track record of European software projects (400 million Euro wasted on a search engine, just as an example), I can only agree that this is very unrealistic.

The issue is older than that:

it dates back at least to the warrantless wiretapping authorized by Bush with the 2001 Patriot Act and legalized with the 2008 update of the US Foreign Intelligence Surveillance Act,

being incompatible with the 2000-2010 Charter of Fundamental Rights of the European Union,

making the 1998-2000 Safe Harbor agreements between the US and the EU null and void,

as first judged by the Court of Justice of the European Union in 2015 (Schrems I).

GDPR (2016-2018) and the CLOUD Act (2018) are basically just the EU and the US digging deeper into their respective positions.

From what I've seen at a few places I've worked (you'd know the names), regulatory compliance is good enough to make the auditor happy, but that's about it.

Isn’t California data privacy law more or less equivalent to GDPR? If Silicon Valley’s companies don’t conform to GDPR, I would expect them to face the same type of issues locally. That will maybe come in the future, GDPR is still fairly new, that type of stuff can take a long time to develop.

I think most of the problems came from EU data being sent to US located servers; that won't be a problem for Silicon Valley and California laws.

No, California's data privacy law is far weaker than the GDPR, though far better than what most of the US has.

I'm not European, and maybe this is why I struggle to understand this, but why do people want regulators to say, "This doesn't comply with our regulations, so you aren't allowed to use it?"

I understand the hope is that companies will comply rather than forego the entire European market, but if they don't, the last consequence is ultimately on the consumer, not the company.

It seems like the same type of thing as when Quebec recently decided any service that serves customers in Quebec must offer a French version of all their services. Quebec is a much smaller market than Europe, so the effect was that companies just stopped offering services to people in Quebec, but it seems like these are the same kind of issue.

Government wants services to be provided in a certain way. Service provider declines. Consequences disproportionately impact the consumer, not the service provider.

Why should it be up to a governmental agency to tell you you are not permitted to use a service because they think the service is being provided in a way they don't like?

For some reason it's a big national security concern when Chinese companies collect data on US citizens, but when Europeans apply the same caution with American companies, people across the Atlantic see it purely from a business perspective. Why is that?

This isn't TikTok and what people do on their private phones. This is a foreign company that has the capability to siphon off a lot of data about business decisions, businesses connections, contracts etc.

> Why is that?

Because China is a totalitarian country and the US isn't.

Imagine things would move towards every electronic document in American companies going through the servers of a European country, say in France. Do you really believe, there wouldn't be an outcry in Washington? Do you really believe, Congress would just watch? Do you really believe, US security agencies would just sit idly by? I don't.

This has nothing to do with totalitarian countries. Regardless of the political system, this is about a loss of control. About industrial espionage. Ask anyone whose work concerns US national security how much they trust foreign democracies, like for instance France.

Not being a totalitarian country gives you the right to spy on people?

Not being totalitarian implies not spying on your people. Spying on your people implies being totalitarian.

Pretty sure US agencies have more rights to spy on not-their people, e.g., Microsoft EU customer data than Microsoft US customer data.

Let's be real, no Western country is banning Chinese products or services because China is spying on their own citizens or abusing Uyghurs. That's at best the "feel good" story sold in the media to get the people's support and distract from other issues. They're banning them for 2 reasons. One is that China will abuse them to spy and get a competitive advantage over those other countries. The second is that it's hard to compete in price so local alternatives are pushed out.

In the same vein the EU isn't blocking a US company from collecting data because the US is spying on its own citizens and abusing people of color. They're doing it for almost the same 2 reasons. Everyone knows (with evidence) that the US will abuse them to spy and get a competitive advantage. The second is that it's hard to compete in performance/features so local alternatives are pushed out.

The only reason to see a difference here is nationalistic bias. And that's fair enough, most people aren't educated enough (not talking just academic degrees) to be capable of critical thinking when their own principles or morals are under attack. They will just go to the first easy, "feel good" explanation when they do something to others, and the opposite when others do something to them.

My favorite illustration on the topic: https://pics.me.me/their-barbarous-wastes-our-blessed-homela...

You make it sound as if the GDPR is specifically targeted at US companies, which is not the case. It applies to domestic companies too.

From many European capitals perspective, the USA is one wrong election away from fascism.

Tell that to Assange. Or Snowden.

Sir, you must have grown up in front of a TV with strictly US American programming.

From the point of view of the EU it is, since it has violated basic (EU) rights of (at least) non-US citizens since 2001:


For the same reasons you're not allowed to sign particular contracts, such as enslaving yourself. Without restriction companies will do every illegal thing they can get away with via their collective power of size versus your weak individualism.

In some cases it's rather trivial, in other cases its dependent on the survival of the nation state to enforce the rules on the corporation.

Hmm that is a good point. It is forbidden to sign contracts of enslavement in every country I know of, even if the potential contractee is making it free from duress.

Therefore forbidding some types of contracts for everyone does have established precedent.

However, there does not appear to be a limit to this.

For example, can governments ban their residents from signing contracts to distribute or host porn, gambling, etc.?

> can governments ban their residents from signing contracts to distribute or host porn, gambling, etc.?

The question is always what do local laws say. Even in the US you have laws or court decisions that allow child marriage, non-revocable consent, upskirt photos, or regulate that men are allowed to show nipples but women aren't.

Other countries have equally outrageous (or reasonable, depending on your views) laws making something effectively (il)legal. So yes, governments can and do prohibit porn or gambling, or just the hosting and distribution. Laws and regulation can have a lot of purposes. They can protect you from abuse you may not even understand, or they can even protect the abusers.

They could, but at the risk of losing public mandate, leading to a change of government and/or losing in the next elections.

In somewhat functional representative democracies, that is.

> I understand the hope is that companies will comply rather than forego the entire European market, but if they don't, the last consequence is ultimately on the consumer, not the company.

This is one hope sure, but at least in Germany the simple thing about it is that people don't want to lose control over their data if they don't have to (we even have a word for it: "Datensparsamkeit" = data economy/thriftiness). If that means that some German company won't be able to use O365, so be it.

Only few here will care what happens to Microsoft because of this. It's not about Microsoft. It's about people who use it (and/or force you to use it).

I don't see a downside here. There are other solutions within the Microsoft product portfolio and outside.

The fact that a government agency looks it up and gives you a result saves you actually money because you don't have to hire somebody to check that for you and save you from lawsuits. It's a service you already paid for with your taxes. I don't see the problem here either.

> I understand the hope is that companies will comply rather than forego the entire European market, but if they don't, the last consequence is ultimately on the consumer, not the company.

Essentially you are asking „why should a government expect anyone to follow the law“

It's more "why should a government expect any foreign company to follow the law".

Personally I run a small business, GDPR came out, our solution is to just violate it and not care. They have no legal jurisdiction over us so their laws do not matter.

If we had to comply with every jurisdiction's special laws on the entire planet we'd surely waste most of our time doing it.

Because when you're doing business in the EU you must follow EU law.

Nobody is telling MS what to do in the US.

<< If we had to comply with every jurisdiction's special laws on the entire planet we'd surely waste most of our time doing it.

Without making a judgment here if you do business somewhere the expectation typically is that you will comply with local laws. This is partially the reason why only big companies can handle truly international business.

<< GDPR came out, our solution is to just violate it and not care.

Anecdotally, when GDPR came out, in the old country the, almost, first thing that happened is whole bunch of companies started bothering small businesses saying they are not complying and offering to bring them into compliance by adding cookie warning popup we love so much.

Microsoft has equipment and employees in Europe and specifically, in Germany. Plenty of room to expect them to follow the law.

It seems you are not doing business within the EU. Microsoft does business within the EU, and how important that business is you could see when Munich tread the water to migrate to Linux and OpenOffice.

Are you serious or is this a strawman posted as a joke?

Just applying this to medicine, car safety, building codes and fire, food safety, industrial regulations saying 'you can't dump toxic waste around', etc etc makes me really surprised someone would actually hold such a bizarre opinion.

> I'm not European, and maybe this is why I struggle to understand this

Put it another way.

Most sensible Americans would rather have European employment law and healthcare provisions.

Well, the same goes for privacy legislation....

> why do people want regulators to...

The first misconception is that governments do what people want. They do what serves their national and personal interests. What people want plays a rather small role in it. Far too often they do the exact opposite.

> I understand the hope is that companies will comply

Not at all, they can comply or fuck off. The US gov just runs things differently from the EU. They want full access to everything in secrecy and will hand over or sell data to corporations if it serves US interests.

It means for EU enterprise all information on suppliers, customers, orders, road maps, finances etc etc can be forwarded to your US competitors.

You also forget how easy it is to make software. If [say] Microsoft no longer wants to do it there will be others.

The whole point of the EU is to instruct how business is done here. It was specially designed to stand up to uncle Sam and his army of evil automatons.

I agree in principle, but not if it is applied to Microsoft 365 or GCP.

If it’s my small business animal shelter, or my grocery store, or even just my little SaaS… leave me alone, please, from requirements like the Quebec translation law, or similar.

Microsoft 365 is different. Odds are that there are dozens of businesses you interact with, who store their data in 365 without your knowledge. Microsoft 365 is a “in the shadows” method you probably don’t know of that is sending your data to the US.

If I could lay down a principle, it would be that the privacy rule should be determined by the privacy level of the company I, the consumer, interact with. If I interact with an EU business, I do not expect my data to enter the US by any method. If I interact with a US business, that is implied consent.

Leave you alone to determine your own health code? To buy meat without proper paperwork? To hire children to work? Where is the border?

Speaking from the US perspective, Europe still imports from Xinjiang region of China, where over 2 million Muslims do forced labor. The US banned imports already. Not only that, according to SCMP, they more than doubled in just August.

Straighten out the obvious before adding another yoke on small businesses.

We also import goods from the US where prisoners do forced labour.

At any rate; one bad thing does not cancel out another. We can fight both slave labor and strive for protecting citizen data.

True - but equating the US prison system to what is happening to them is an absurdity. It’s like if Nazi Germany said their camps weren’t that bad, after all, the US has prisons.

The Nazi camp counterpart for US would be Guantanamo: https://en.m.wikipedia.org/wiki/Guantanamo_Bay_detention_cam...

They just moved it to occupied foreign soil to technically not have a concentration camp on US soil. But then Germany had concentration camps on occupied soil as well, like Auschwitz in occupied Poland.

That does not answer my question at all

I think what parent is trying to say is that at a certain point over-regulation is not helpful and actually detrimental not just to the business, but to the ecosystem as a whole. For a smaller business, onerous regulation could mean closing the doors. For a big business, the burden is also there, but it can more easily withstand it due to its size (and it typically has some resources to throw at a given issue).

I agree that there are some 'minimal functioning society' laws like the ones you listed, but I am not certain Canada law example in previous posts or GDPR falls in the same category.

As usual, the question is that of where the line is. And that should be determined by societies at large.

What parent forgot to mention is that (from what I managed to find out) law 96 doesn't apply to businesses with less than 25 employees. Down from less than 50 in the previous law (though I'm not certain what other changes might have been made).

Because individuals rarely have the choice here in the US. Our schools here require the use of Google accounts in a manner which is almost certainly illegal, but isn't enforced anyway. My kids' privacy is mandatorily violated because of a decision of the school district. So I have to hope regulators here will wise up and start to force schools to abandon harmful products.

So what you think of as freedom of choice often isn't for students, employees, and consumers. It's why we need drastically more business regulation to guarantee individual rights.

The EU has a population of nearly 450M. That's a sizeable market. You might imagine that Microsoft would like a piece of that and would be prepared to ensure that their products meet the standards required to earn it. They already go to some lengths to adapt their products to various locales and languages in order to compete in certain markets. Adapting Office365 to comply with EU law and gain access to that market would seem to be just the cost of doing business.

People expect their government to protect them. If I buy a product based on false advertising, I will be pissed off at the government for allowing that false advertising, instead of blaming myself for not doing due diligence. Similarly with food, I expect the government to disallow things that are seriously harmful to my health (think proven carcinogens). My personal data, if not handled correctly, can cause as much damage as me consuming a specific food that has been contaminated with a banned substance.

You make a general point about government regulation, and the answer is that choices made by individual consumers can affect other people too. Should people be given the choice of using leaded gas?

Then we can discuss if the GDPR protects important rights or not, but that's a different discussion.

I want to have the podunk builder build my house however I want. What is with all those pesky building codes!

Because they (the government) think it is the minimum required for a dignified, safe society. And they are placed in a position of power and must make those judgment calls, because that is their job.

Why would people want that? Because they understand, in general, that government is important and don't want an unhinged libertarian abandonment of mutual assistance in society. And in specific, because many of them value privacy enough to put up with this type of restriction. But of course there will always be people who find this or that law too intrusive, and in the EU that means they are free to organize, protest, be activists, vote, run for office, etc.

> Because they (the government) think it is the minimum required for a dignified, safe society. And they are placed in a position of power and must make those judgment calls, because that is their job.

Ha, this is a naïve view of it. In the US, this is only kinda-sorta true. Building permits can often be a lucrative source of income for the city and sleazy inspectors who often come out without the faintest idea of what they are looking at.

It often turns into holding previously-recognized rights captive and selling them back for cash. People get angry real quick.

(My father owns a small business in fireplaces. The inspectors often are idiots, and the city charges hundreds of dollars, sometimes more. Total grift we have to suck up. So much so they sometimes ask us what to look for. I doubt the inspectors have stopped any residential fires, ever, in some of these cities.)

Has your father taken this to his city councillor? If nobody reports the problem the city will think things are fine and nothing will change.

Regardless I’m quite happy with my safe home. I know that it’s not going to kill me. In some regulations have we gone too far? Yes. Have we gone too far protecting our data? We barely have anything in place, so I applaud the EU on forging ahead.

I know several people who help write building codes in the US in various fields, and none of them are incompetent or write code other than to deal with known concerns based on past building performance and materials testing, etc. That there might be a problem with enforcement is more a byproduct of municipal professionalism in general than a problem with building codes. I have never seen hundreds of dollars in my (high cost of living) area for a fireplace inspection, but I guess it might exist as an outlier somewhere. Permits cost more, but that is because we have very low property taxes in California, and they recoup through the permits because they need funding from somewhere.

But the building code reference was just to provide an introductory analogy. The sentence you quoted was part of my direct answer to OP's question, which was why the GDPR, and why would people want it.

The reasoning is that your personal data doesn't belong to you. It belongs to your government. A user's personal data is a vector for attack for a foreign agent. You can argue up to which degree this is correct or not, but the EU stance on this matter is of paranoia.

What utter drivel.

The EU stance is this: "a person's data belongs to the person, and you can't obtain, collect, sell, or transfer this data in any way, shape, or form without an explicit consent from the person".

The US on the other hand: all your data belongs to the US government regardless of where you are on the globe: https://en.wikipedia.org/wiki/CLOUD_Act?wprov=sfti1 And this is on top of all the large scale data collection already performed by companies.

This is not surprising as Austria, France and Denmark have already concluded the same.

Finally, this is really great news for anyone European, I hope it won't take long to determine there are a whole lot of other MS products that should also be illegal

How is that great news? The competition is literally decades behind.

This is crippling Europe.

Microsoft products haven't really changed in 20 years. What are you referring to? The fact that you can access them anywhere?

Can you clarify your usage of Office products?

I'm assuming that 100% of people saying "it's fine we have LibreOffice" or "it's fine we have Office 2014 installed locally" don't use it beyond basic PowerPoints and the occasional resume update on Word.

Just as an example, the world pretty much runs on Excel, and each version brings valuable additions.

Good guess! I use PowerPoint and Word. I occasionally use Excel for a quick spreadsheet but for data storage we have databases and for visualisation we have Grafana. The only time I use the live edit feature of Excel is when we are coordinating pizza orders.

We must live in completely different worlds if you can't imagine a reality without MS crap

How is it crippling Europe? The sooner we stop the US from raping us, the better

I genuinely don't understand why anyone would need MS products ever. I thought it was just hard lobbying that made it so our institutions have to use that garbage.

And obviously your opinion is not at all biased by the fact that you are a software developer working on Linux.

This propensity of developers to reject the existence of everything that they cannot see through their own tiny lens is beyond laughable.

"reject the existence"? What are you on about? I had to use MS office all my life and it has always been a very poor user experience, I wished I wasn't forced to use it and now maybe people won't be.

> I had to use MS office all my life

Ah, so actually it wasn't true when you were saying "I genuinely don't understand why anyone would need MS products ever"?

Both are true, I was forced to use subpar solutions because MS paid a lot of money to become the default. I have no idea why anyone given the freedom to do so would choose MS products over alternatives.

Microsoft just needs to place data from EU customers on EU soil and in a manner that is inaccessible to US authorities.

Why is this so hard?

US law, specifically the CLOUD Act. https://en.m.wikipedia.org/wiki/CLOUD_Act :(

It involves sub-licensing the entire suite to an EU entity. It is happening in France with Bleu (MS365 run by Capgemini and Orange): https://www.datacenterdynamics.com/en/news/orange-and-capgem...

It should be possible to put these bureaucrats into place. After all Germany is just another client state.

Good. The sooner this data-siphon is cut off from the EU the better.

These people keep acting like they're so clever for figuring this out, yet in reality all they're doing is giving death sentences to European companies by making them unable to use industry standard products.

Let me fix that for you: "industry standard products" -> "monopolist's products".

Microsoft spent decades aggressively lobbying European governments and companies to use their stuff. Even if this finding has any short term impact (see the other comments about this point), I find it hard to believe Microsoft wouldn't swallow the pill and simply become compliant. If not - yeah, companies who are entrenched in Microsoft products have to find alternatives, which is gonna cost them significant efforts, but also open the door to more competition. Sounds like a short term problem for European businesses even in the worst case scenario.

The main problem for them is that it's not in Microsoft's power to be compliant here, as the problems are created by the US CLOUD act, not Microsoft's own policies.

The only way for Microsoft to become compliant is to carve out its European business into a separate organization (not even a subsidiary -- it could be that even a joint venture would not be enough to escape the reach of the CLOUD act).

If they can do a double Irish with a Dutch sandwich to pay fewer taxes in Europe, I doubt they couldn't find a creative way to deal with this. They only have to be compliant enough for the fines and repercussions to be lower than their profits.

It's not just about swallowing the pill: MS has a close relationship with the US government, and NSA having a backdoor to workings to all other countries is a part of US keeping its power, so it's national security critical for US (just like for EU).

Or it will force the European market to innovate instead of directly sending cash to US Megacorps.

I totally agree with you. I think the EU should innovate more, than just relying on the usual tech giants.

Everyone in Europe would like Europe to innovate more. Unfortunately every time European governments add more regulation they usually also make it harder to do that.

You need to find the sweet spot. Too little regulation is harmful. Too much regulation is also harmful. The EU and US are near opposite ends of the spectrum at the moment and neither is an ideal place to be. The US produces many more financially successful big tech businesses but those businesses do a lot of things we don't like. The EU doesn't produce many successful big tech businesses in the first place.

I don't agree with everyone in Europe wanting to innovate more. I'm a Bulgarian citizen and from my PoV only a small group of people want to innovate. One good thing that I've noticed is that the snowball here is slowly spinning up - we have a good university trying to be on an Ivy League level as much as it can (for Bulgarian levels it's good, for EU maybe just about average) which teaches people tech or whatever they want to learn. Some part of them have really sharp skills. But a big portion of them don't really care about innovation, they still have the mindset of their parents/grandparents which is: I get my bachelor's, I maybe get a master's, I work one job for the rest of my life and that's it.

I'm more a fan of the EU because I think these sorts of regulations are good. The thing they do wrong here is that they do it slow. E.g. they introduce the universal USB-C port, companies won't be motivated to innovate on that tech since they know it'll take ages for the EU to update the law. So after all yeah finding a sweet spot of course is the best, the thing is that we don't know how to find it.

> I work one job for the rest of my life and that's it.

Fight tooth and nail to preserve this. We're living in the future here in USA, trust me on this, gig economy and corporate churn sucks. You don't want to get on this ride.

Is it bad that companies don't innovate on the power outlets any more ?

(BTW, USB standards are up to 240W already, it would be a decent power cable itself alone if not for the fire / power loss / safety / cable size issues that DC causes...)

I don't think that creating a web based word processor, cloud storage and an email hosting service is something that is impossible for a whole continent to do. Especially considering that o365 isn't exactly the gold standard when it comes to software quality.

And yet the developers on one continent have done so with commercial success while those on another have not.

Obviously there are plenty of skilled software developers in Europe so the question we have to ask is what else is different.

If you think Microsoft is a "US Megacorp" you are truly underestimating their global reach and ownership.

They mean in the sense that it's an American company first and foremost. Having worked there a few years I can certainly attest to that, even if they do put a nice enough veneer of local adjustment on their non-US orgs.

In many ways multinationals are worse. In order to avoid losing even a penny they will do any number of things that violate national sovereignty.

It's harder as Europeans are scared of debt, it's just a system based on misery and poverty where the rich are richer and the poor just produce a cheap migrant workforce for northern Europeans

Works very well for Cuba and North Korea

Both China and Russia eschewed US tech and they have much, much healthier tech industries than Europe.

The US also doesn't really believe in foreign competition ("Buy American", recent huge industrial subsidies as part of the IRA), so I don't really know if Europe should kowtow to the US here. If the US gave up on the CLOUD act none of this would be a problem anyway.

Monopoly is not the same as "industry standard". And specifically in the case of Microsoft Office / O365 there is very little actual benefit of using it over any of the more open (and even free) alternatives... rather than being an "industry standard" it's really just an "industry default", i.e. what most companies use because no IT manager ever got fired for deploying it.

You're an SRE, I'd argue that you have absolutely no idea about what is the industry standard when it comes to office productivity suites.

Having this discussion on HackerNews is useless, because people here are at best very light users of Office and at worst don't use it at all.

How many hours per week does your work involve Office software? Because for a lot of people it's 40, but those people are not on HN.

MS Excel is much better than the open and free alternatives (I say that as someone who uses both Excel and LibreOffice fairly regularly).

Businesses operated just fine before O365 came along and they will operate just fine after O365, this is a pretty moot point. "But they can't use what they're using right now!" Yes, that's the point, because what they're using right now is breaking the law.

Businesses used Microsoft Office before 365 for decades now. In many industries all software integrates with Office applications, and with Microsoft pushing everything to 365 subs, moving back to standalone Office will be difficult enough.

Not being able to use Office is a death sentence?

Microsoft 365 is extremely widespread in companies in the EU. Not because they love Microsoft but because this is a relatively simple setup.

Like Google (US) or Zoho (Indian).

I do not know European companies providing a cloud solution that is easy to deploy (I would truly be glad to know one).

You could look into NextCloud and their NextCloud Office if you haven't heard of it yet. If you have, are there any points that speak against it in your opinion?

It's open source so you can even self host. Should be more than enough for most companies.

Not sure how difficult the set-up process for an enterprise environment is, I only used the Docker version before. But it should be viable, and if a company has money for Microsoft 365 they should have money to pay someone to set it up and manage it for them.

I know NextCloud, having self-hosted it for years, alongside many other similar software, and having reviewed its code. I am a strong proponent of open source, both as a user and a developer - and managed IT for very large companies (this is to bring some context to my comments).

While something like NextCloud or Seafile is fine for personal use or for small teams, it is in no way close to something like Microsoft 365 with the extensive backend it provides out of the box. Not to mention email integration.

Again, this is from the perspective of someone who uses and develops open source software and hosts a lot of services for personal/family use, but also from someone who knows the complexity and shitbat crazy architectures you find in large, distributed companies.

If we managed to have in Europe something similar to Zoho, driven by European laws, that would be fantastic. We do not, and this is a real shame.

> But it should be viable, and if a company has money for Microsoft 365 they should have money to pay someone to set it up and manage it for them.

Microsoft 365 is expensive, but the expense of running a home-made solution for a large company is not only the pure management, but also the ability to have hope if there is a problem. I have raised issues for Nextcloud (some of them quite impacting from a security monitoring perspective) and the community replies were horrible. If NextCloud does not monitor the community forum when someone raises such issues then I cannot have any trust that they will fix it for a paying user.

I think you underestimate how many industries have software that integrates with office and cannot be easily replaced, if at all.

Well, an entire country outlawing some software has a tendency to change this.

> industries have software that integrates with office and cannot be easily replaced, if at all.

It's just a question of money.

Having the US spy on Europeans is also very costly.

With Office or Office 365?

It's not great for Microsoft...

I have to admit though that O365 is handy for collaboration. I hope we can do something like a LibreOffice-based similar thing that companies can start using as a platform for online collaboration.

Where I work we already have lots of regulations on what we can and what we can't store on SharePoint or work on O365. My job is mostly safe from those inconveniences, but one of my first jobs was to build an asset delivery system that would comply with a number of US and EU regulations on what asset can be delivered to whom from where. Took lots of meetings with legal.

If your business processes are based on that: yes. You may argue "adapt your processes" but that's not something that you do within a week. Besides that it's also about exchanging information. Excel is a quasi-standard in some cases. Again you may argue "change that, it's ridiculous". Still it's not something that you "just do".

People think this will hurt MS, but in reality it will also make doing business in Europe more expensive. Almost all big companies use M365.

It will keep these already slow organizations busy trying to find and implement alternatives. Instead they could focus on growing their businesses.

Good luck Europe.

I don't disagree that finding alternatives will be expensive, but I think this is the same harmful thinking we have in the US where people disagree with regulation that adds necessary protection at the cost of business. So we have a "regulation is bad" mindset. Most prominently I wish we could convince companies here to believe handling/retaining unnecessary data is like handling something radioactive. Until we convince these companies it's a danger to themselves, we won't see change. Sure, in the near future US companies will have an advantage continuing to use Microsoft 365, but harm to our privacy and beyond that is demonstrable. I haven't used a computer like it's my own private space to think in decades because of what I know is collected with telemetry. My creativity and passion for computing is harmed by what Microsoft engineers its products to do, and glean from my daily use. If Microsoft wants access to a large customer base in Europe, they should make changes to their products that respect consumer privacy laws in that area. I hope we benefit tangentially.

Something-something auto makers conform to California emission laws, same argument.

Absolutes are often bad (i.e., zero tolerance). And many regulations are absolutes. It isn't enough to comply with the law as written, you have to comply with the strictest interpretation that a judge may come up with. And that may not be enough, because some court may be even more creative in their interpretation.

Also often times businesses like regulation, as it forces all their competitors to play on the same playing field. Which may be easy enough for established players, but is a difficult moat to cross for smaller up-and-coming organizations (regulatory capture).

Then there is the frequent enough occurrence of conflicting regulations. For example, the EPA may require that an oil change shop store used oil above ground (underground storage can have undetected leaks). But the fire department requires below ground storage (above ground is a fire hazard). So which regulation do you violate? The one that fines you less, and the fine is a cost of doing business.

Yes. Without careful stewardship, the compliance becomes a very weird dance, where regulators might focus on things that actually undermine the original intent of the law. For a different example, let's look at the BSA front in the US banking system, where SARs as a system was developed primarily to assist LEOs, but due to overzealous enforcement by various regulators, banks effectively threw their hands in the air and collectively said "Fine, we will report everything." (look up defensive SAR filing if you are curious about the details). And now we are in a weird situation where LEOs have to sometimes say things like "If you file it, make it stand out and tell us why it matters so that we can use it" (paraphrased).

Unintended consequences of good intentions.

I am not even sure where to start. What are we afraid of? What can happen with the data? In Sweden all tax filings are public. No one cares.

So let me ask, are you OK sharing all your work documents with China or Russia?

The US commonly uses corporate data in geopolitical moves. By using Microsoft cloud products you're sharing all your data with us.gov

Have you been paying attention to all the TikTok scare in the US? Lot of people care.


I wish you luck in your new life in Somalia.

> Almost all big companies use M365.

I think that's a bit more nuanced. There's definitely a lot of "nobody gets fired for MS", and lots of big companies use O365 because of existing licenses. At the same time, there's lots of small companies using Google suite. There are companies relying on specialised software. There's lots of those that don't use anything beyond a simple text editor where switching is trivial.

And yeah, huge companies rely on O365, but those will get fixes that get them to compliance very soon.

Google suite is the absolute worst thing you can use for privacy. Every keystroke that comes near Google is data mined.

We'll wait and see when the next MS security appears.

How much data was copied because of the MS chain of Windows->Exchange->Office?

Well I'm European and I can tell you from the inside, it's not the same mindset at all. We don't want to grow companies, in fact we barely give a fuck at all. It's hard to understand for capitalists, and I disliked this mindset so much I moved to Hong Kong, but that's what the people vote for: they'd rather have no growth and no Microsoft 365 than put their data there.

People in most of Europe are truly convinced finance, money and growth are mirages made to enslave them in eternal pursuit of an unreachable state, and instead prefer to cool it down. It's not a pragmatic strategy because it ignores we're not alone.

I’m also European. Thanks for the insight.

I don’t agree with you. So think about that next time you say “most Europeans”.

What's funny is that many Europeans I have spoken with from across the continent have the attitude that you come to the US when you are young to make money then retire to Europe to take advantage of the social safety net.

Perhaps not your personal opinion, but definitely one that is anecdotally common among white collar workers.

@tomrod is completely right. Here in Bulgaria people have this exact mindset. Some also might just never return.

Indeed. I've heard it from Serbians, Bulgarians, Irish, Scottish, Swedish, German, Italian, Romanian, and Belgian folks that I can recall offhand, maybe more that I'm not completely recalling.

I'm actually surprised by this since I've always thought of Sweden, Germany, Italy, Belgium as very good countries. I can only speak for Bulgarians as I know how the mass thinks here.

Maybe they’re good precisely because of this mindset?

That’s very unsustainable for Europe and great for the US since the latter gets the most productive years.

Right? European policy makers should look to determine what incentives they encourage that generates this fairly common attitude.

Maybe they just cater to their electorate. Democracy etc.

Did the electorate vote on gdpr directly?

If so, I stand corrected.

If not, it was performed by representatives whose incentives are not aligned to the electorate (see Arrow's impossibility theorem).

More direct democracy would be nice.

However, as a citizen of EU member, I’d say GDPR pretty well aligns with the general notion of the people.

Sometimes people ain’t happy when government uses GDPR as a scapegoat to keep iffy data private. E.g. hiding final beneficiaries of companies. But I don’t see people unhappy that GDPR prevents crappy software practices.

Same deal as credit cards. Here in Europe card processing fees are capped. Thus we don't have US-style kickbacks or points programmes. Which probably limits credit card issuers' innovations and business models. But I don't see people complaining about that.

I am a European, too, and I do agree with xwolfi. Therefore "most Europeans" is an accurate statement.

Yeah. It’s called the European way of doing stats.

It's a vast place, maybe you're German. They're pragmatic and care about work, efficiency, building stuff, growing companies.

I'm French, the motherland is a constant source of sad despair for me.

Just because you disagree doesn't contradict "most Europeans".

Or how many are you?

That was exactly my point.

> It's not a pragmatic strategy because it ignores we're not alone.

It's worse than that, it's delusional and hypocritical. Here in Sweden people will proudly write "We are not like the Americans" on their iPhones, drive Teslas and generally base their whole lifestyles on the foundation created by American capitalism and possible thanks to the protection of the US military.


You think all eu companies will die because microsoft will have to update their product? That’s a bit rash and random.

Maybe the companies and the US government should respect European laws and people's privacy.

Instead MS brought back productivity-tracking.

That's a No-Go and MS only gets away with it because of their desktop monopoly in the industry.

I don't think Microsoft products are "industry standard", an email is

I think they'll do just fine without Microsoft harvesting your precious data

I think they'll do just fine without being forced to use Microsoft products

I think they'll do just fine without having Microsoft as only choice

I think it's important to fight lobbies and monopolies

I think it's sad that many European companies died because they couldn't compete with Microsoft lobbies

Europe is the home of many big open source projects and open standards

Maybe this will result in a proper open alternative to Microsoft 365

You mean MS Office?

Yeah, right. Plenty of companies will fail if they are forced to use some of the almost perfectly equal alternatives.

One other way to see this is that this will stop MS360 from being the "industry standard", it doesn't take that much effort nowadays to make an alternative that is good enough, we are past the days where collaborative editing is considered "cool".

People from the US tend to underestimate the EU, the EU could easily give a bit of cash to a competitor along with some juicy contracts, the US is not the only bloc that can throw millions at a problem.

Yeah, for example some Chinese company :D

