[dupe] European Commission's use of Microsoft 365 infringes data protection law for EU (europa.eu)
120 points by jrepinc 8 months ago | hide | past | favorite | 62 comments



It blows my mind how European political leaders are so incompetent that they don't see any issue having their sensitive IT infrastructure outsourced to foreign providers.

They feel confident because they believe the words of providers or what is said in contract or "paper" agreements that the US will not spy on them when it is possible. Despite all previous examples of shamelessly doing what they wanted. Like when there were undercover operations to retrieve the fingerprints of political leaders.


The European Commission has been using Microsoft Office since the 1980s, so it’s hard to get rid of, given all the established processes and existing documents, and there were no significant data privacy concerns until the rise of telemetry and the push to the cloud a few years ago. But there are actual steps being taken to reduce the dependency.


That's why every smart person and institution should insist on using only completely free and open document formats (like OpenDocument Format for office documents), protocols and standards. So that the chance of getting trapped into vendor lock-in is greatly reduced.


You will get locked in to the one/two vendors that can make those free and open document formats and protocols work, interoperate, and integrate with all the processes and requirements of a government.

"Free and open" is not a silver bullet. Neither is Microsoft, but Microsoft has been providing government services for decades, and they know the ins and outs, the requirements, the policies, the access levels and a billion other details. None of that exists in "free and open". I wouldn't be surprised if just resolving the complex web of Active Directories in a small government department will make anyone mad.


The fact that Active Directory is asinine isn't a slight against free software. Pretty much every reason I can imagine a government picking Microsoft has to do with prior contracts and integration.

> You will get locked in to the one/two vendors that can make those free and open document formats and protocols work

You don't seem to understand what the phrase "locked-in" means. A document format that is open and documented is not lock-in at all. It's the opposite - it enables people to create competing and integrated solutions without licensing proprietary software. Better yet, it incentivizes companies like Microsoft and Google to support something other than their own document format if they want to be competitive. An effective democracy cannot have a government that only supports customers of a product.

"Locked-in" are the poor saps that license Microsoft software to control their battleships, their SAM sites, their CIWS and their TACANs. Nobody is ever going to disrupt their dominance even if Active Directory is the worst option available on the market. The lack of meaningful competition and standardization literally costs lives in some industries. It's why every modernized military is backed by a government that strictly drafts and defines its demands for competing contractors.


> You don't seem to understand what the phrase "locked-in" means. A document format that is open and documented is not lock-in at all.

An open document format in the context of a government is only as good as the integrations made with these formats.

What you seem to not understand is why the "poor saps" are locked into Google, Oracle etc. Because OSS is incapable of understanding that a format or a protocol on their own are worth nothing.


I feel that way about IT organisations. How can you hold politicians to such a high standard if every typical dev shop is cloud-native these days?

And who's going to provide the politicians a better way of doing it? Not only does IT lead by example in blind trust of the cloud, but they only sell their services that way also.


> And who's going to provide the politicians a better way of doing it? Not only does IT lead by example in blind trust of the cloud, but they only sell their services that way also.

This is where smaller and more specialized providers can gain ground, and in some areas have done so. When the large providers focus on price and ignore the law, smaller providers can compete with a better (but more expensive) product.

The biggest hurdle for a positive change is that in many situations, IT companies that ignore the law can often gain more by paying fines and splitting the cost among multiple won contracts, than smaller companies that follow the law. There is a similar problem in procurement where a large company can have a strategy to agree to anything in order to win all contracts, then relying on their lawyers to limit the fallout when they eventually fail to deliver. Systematically abusing the legal system should simply lead to increased fines.


Imagine using the same argument with weapons for the military. Like buying warfare boats that are working thanks to servers in foreign countries?

In fact, we have a precedent in France regarding Microsoft crawling itself inside our military:

https://www.april.org/en/french-ministry-defence-and-microso...


I'm not defending them. I'm just saying why it happens (and I should have added - it's trending in the wrong direction).

> Like buying warfare boats that are working thanks to servers in foreign countries?

I assumed it's that bad already.

> In fact, we have a precedent in France regarding Microsoft crawling itself inside our military:

Are you going to get rid of Intel as well as Microsoft?


This is the key sentence but it's not clear to me how to parse it:

"The EDPS has therefore decided to order the Commission, effective on 9 December 2024, to suspend all data flows resulting from its use of Microsoft 365 to Microsoft and to its affiliates and sub-processors located in countries outside the EU/EEA not covered by an adequacy decision."

Does it mean suspend flows to Microsoft anywhere and to its affiliates and sub-processors outside EEA?

Or does it mean suspend flows to (Microsoft and to its affiliates and sub-processors) which are located outside EEA?

In other words can data still flow to Microsoft within EEA?


It goes on to say:

> The EDPS has also decided to order the Commission to bring the processing operations resulting from its use of Microsoft 365 into compliance with Regulation (EU) 2018/1725.

Which, to me, reads like they can keep using Microsoft 365, they just need to work with Microsoft to bring it in compliance.

So my guess is your second interpretation.


As I read it, in practice it will mean that Microsoft comes up with a compliant version of Word 365. (Or at least a roadmap how to bring it into compliance.)


The Commission doesn't care about privacy and wants tighter integration with the US (for the companies). The parliament and the European Court of Justice want stronger privacy (for the people).

That is the reason for the drama over the last years concerning Privacy Shield etc.


Yeah, they will do whatever they can to keep our data flowing to the US so that their intelligence agencies and data brokers can extract the info and sell it back legally.


This is taking it a bit far. The choice is a lot simpler in most cases, between the loss of privacy and the loss of productivity the choice is usually for the former. Eventually for almost anything "computers" you'll loop back to a US company. Where do you think every EU company and institution is going "to the cloud"? Hetzner? OVH? Or AWS, Azure, GCP, OCI?

The background being that there's little competition for the M365 ecosystem in general, least of all in the EU. EU has homegrown "bits and pieces" that could, maybe, somehow, go head to head with the equivalent bits from M365. But as soon as you need more of them you hit the integration and synergies wall and the advantages of M365 get compounded.


It’s not about storing data with Microsoft and the like. It’s about allowing them to send that data back to the US, which allows their intelligence and data brokers to mine the data.

That would not be allowed if it stayed in the EU, and there is literally no technical reason why it has to be sent to the US ever.


I'm surprised those agencies cannot set up their own infrastructure, to be honest.

We're not talking about high volumes of traffic, this is mostly internal tools for a few hundred/thousand people, of whom a few dozen at best are concurrently connected?

With all due respect those are a few servers' worth of hardware plus redundancy, plus all the security you want.


The European Commission (which is the institution in question here) has a staff of about 32000 people. Other institutions (parliament, the courts, independent bodies) have their own staff. And while heavily concentrated in Brussels, they’re spread throughout the entire EU and also include 144 delegations abroad. This is not a small setup.


This is still nothing particularly heavy, I've run systems with far more concurrent users a decade ago on a handful of servers.

Imho the real devil is the reliance on the suite itself, which is hard to replace, especially when you get mail/calendar/sharepoint/office/etc all bundled in one.


> This is still nothing particularly heavy, I've run systems with far more concurrent users a decade ago on a handful of servers.

The question isn't about "concurrent users". The question is about processes, documents, revisions, access levels, interdepartmental access, policies, and a billion other details.


This is also the reason there is a democracy deficit at the heart of the EU: the European Commission is unelected.


Yes, there is not enough democracy in the world, just like with the UK's House of Lords or the US Supreme Court. Unelected people making important decisions isn't democratic. Also this Electoral College thing in the US. People should be able to directly vote for the US president instead of an "Electoral College". One person, one vote.

Ursula von der Leyen wants to be re-elected, but people in the EU are not asked about this. I find this highly suspicious.

I also for example find the UK's habit suspicious, where the change of a prime minister does not lead to a general election. The UK probably has the largest number of unelected prime ministers of any western country. And it's not voted for like the US president (Electoral College aside). After being voted into the parliament with a majority, a UK party could elect any prime minister they want.

I've recently talked to someone from Switzerland about all of this, where much more is voted on by the general public, and how this changes people's minds, about how they feel responsible for politics. People don't see a dividing line between politics and themselves. Wish more countries would be like Switzerland.


German here. It's been blowing my mind for 20 years now how incompetent and naive our leadership (nation-wise but also on EU level) is.

The current German gov't silently issued a statement in December 2023 of IT license cost on federal level for the upcoming years which essentially was 6 billion EUR to Microsoft and Oracle.

1. They throw valuable tax-payer money at companies who do tax evasion.

2. They simply ignore the _fact_ that we've been spied on by our allies.

3. They became over-dependent on US tech which trickled down into all fine-granular processes of private and public institutions.

4. They make it additionally hard for local companies to compete with their regulation frenzies.

Don't know what to say anymore but mocking them and mentioning what might happen if Trump gets re-elected and discovers this dependency. If the US plays hardball, Germany will be back in the stone age.


Where can I read this statement?

Tbh. after the recent sets of Microsoft ToS/Privacy Terms I would argue _any usage of Microsoft Windows and/or most Microsoft products_ is not legally possible in a public office handling any private or otherwise sensitive data.

...

I mean they might have different ToS/Privacy Terms, but it would still be high risk due to MS's track record of "accidentally" undoing or ignoring various "I don't want to be tracked" choices.

Like tbh. from a privacy POV MS has become a joke, I mean how hard do you have to mess up that Google is preferable by a not so small margin.


I wonder how, with such a big market, alternatives have never become popular.

Is it too much to hope for a Blender-like foundation to run an open source project that is actually competitive?


I don't think that's wild.

But IMO the real moat in M365 is that it also bundles Microsoft Entra ID (formerly AAD) licenses and it's strongly integrated to it + SharePoint.

This way you can have "basic IT stuff" you expect in a company like company users, groups, shared folders, file permissions, etc...


The risk of not being compatible with XYZ Word/Excel/Powerpoint feature is too great. Do you really want your employees to not be able to open the client's document because you cheaped out on your productivity suite? Or, conversely, your prospective customer to not be able to open your proposal because of the same?

Alternatives did exist, who remembers Lotus Notes, WordPerfect, OpenOffice, Apple Pages, ..., but to use them today would be akin to deploying a newfangled AI web app as a Flash application.


The other thing to mention is that the Microsoft products are really pretty good and for most businesses really pretty cheap.

You can get a 365 licence (Teams, OneDrive/Sharepoint, Powerpoint, Excel, Word, Outlook & hosted exchange) for $12.50/month.

It's only really Google that's competing at this price point (Broadly both their 'standard' packages are approx. the same price).

Plus I've not come across a product that's better at being Excel than Excel is (and your analyst and finance teams will hate you if you take Excel away!).


I mean https://www.collaboraoffice.com/collabora-online/ is a thing. Never tried it though.


LTSC/LTSB has or had a lot of stuff removed, like Bing on the Start bar search.


Same for Windows server... but it's probably too expensive to use it as a desktop OS


> Tbh. after the recent sets of Microsoft ToS/Privacy Terms I would argue _any usage of Microsoft Windows and/or most Microsoft products_ is not legally possible in a public office handling any private or otherwise sensitive data.

Then MS is violating GDPR and must come into compliance, lest it risk turning into a cash cow for the EU and get fined billions of dollars day after day.


That doesn't help non-EU users, though.


> to bring the processing operations resulting from its use of Microsoft 365 into compliance with Regulation (EU) 2018/1725.

This isn't GDPR specifically, this is something like "GDPR for EU institutions", so stricter.


If even the European Commission cannot get GDPR right, then what hope do small/medium businesses have?


It's very simple to be compliant - just don't process PII that isn't core to your business process for serving a given user (marketing isn't considered a core process unless it's literally the service you provide to the affected user).


It's not that the European Commission cannot, it's that they won't (wonnot? ). The EU is made up of different institutions that want different things.


? == will not


This is not GDPR. Regulation (EU) 2018/1725 is about how the European Parliament, Council and the other EU bodies and offices have to handle information.

It would be similar to a federal law in the US that dictates that no information stored in the tax office, police databases or social security administration may be shared or stored outside the US. US citizens may expect that when dealing with the US government, information stored about them stays inside the US.

In the context of internal security and national sovereignty, it makes sense to have dedicated regulation. It's similar to how lawyers/doctors have stricter regulation regarding personal information than other professions.


I have personal experience of authorities in the European Union abusing GDPR laws to circumvent laws on transparency. In the case I was involved with, they refused to give out public documents where political parties have to list the people that receive money from them, by getting the data protection authority involved and saying it was not possible because the recipient might use an American company for backup or an American e-mail provider on their computers. All this communication of course sent to us through their Microsoft Exchange server.

As with all laws in Europe, GDPR has a chief purpose to be abused by the rulers and used against the public and the public interest. That's a long standing tradition in Europe, and I feel that it's only people here that don't "get it" and actually believe the propaganda. You don't believe Apple propaganda, Monsanto propaganda, or Republican propaganda. So why swallow EU propaganda?


>they refused to give out public documents where political parties have to list the people that receive money from them

So who is 'they' and what were the documents? I'm American so I'm not deeply familiar with this area.


"They" in this case is a national authority within an EU country. They are responsible for handing out taxpayers' money as subsidies to political parties, and the political parties have to declare and account for how they used this money. The authority refused to give out these declarations, saying it would break GDPR laws because they might be backed up to an American server. Of course it is a blatant misinterpretation of the law, but this is how these laws and other laws get applied in reality. Used when they benefit the rulers and ignored when they would benefit the population.

In the US you don't have this kind of financing I believe, because your political parties pay for themselves by endless fundraising from their voters.


Do you have experience of asking for these types of funding documents before 2016? Was it much easier then?

Because the argument (as you describe it) doesn't make any sense, so I would expect they already have another nonsensical interpretation of some other law at hand from before GDPR applied.


These "data protection authorities" weren't established instantly when the law was written. It took a good few years. But yes and yes, we never had such a problem getting any public documents before they could use the data protection authority to deny giving them out. This was easy, the local politicians just had to put a crooked individual as head of that authority and that person would do their bidding. Before that they didn't have any legal basis for denying public documents, and each time they tried to do that you could threaten court and they'd bend. With a crooked data protection authority to help them, they'd have the support of the law to deny giving out any public document they didn't want to give out.

Not in the field anymore, but I wouldn't be surprised if somebody took the data protection authority to court over this in the near future.


Can you specify which jurisdiction you are talking about? I find it very surprising that the politicians could put in corrupt heads of agencies but not prevent handing out incriminating documents some other ways, sounds like the product of very interesting historical circumstances.


There's probably nothing outright incriminating in those documents, rather that the political party or parties were using their subsidy money to pay for services rendered from companies owned by the party leadership – which is 100% legal, but not very pretty in the public eye.

I don't find it very surprising that they could and did use the GDPR "loophole" to close the public sector from public insight. Before GDPR there were very clear laws of transparency making sure that they could not deny giving out public documents. And if they did, they'd be taken to court and always lose. They would still try denying some public documents and threatening court would work against that.

With a data protection authority on their side, they finally got the law on their side, using tactics such as saying that there is a risk that these documents end up on an American server. While at the same time using Microsoft services and American servers themselves. Which is the subject of the OP article.

Appointing a crooked head of a data protection authority or any authority is easy and it is legal. Circumventing laws is not that easy. But it is easier when you have more laws that are more open for interpretation.

The right thing to do would have been to make transparency laws more powerful than GDPR laws, because it was obvious that they would be abused. Now the EU has GDPR laws enforced on a union-wide basis, but not wholesome transparency laws enforced on a union-wide basis.


I notice you left out any mention of where this is supposed to have taken place, despite a direct request for it.

I really can see no legitimate reason for stalling on giving that detail.


I have no interest in doxing myself more than necessary.


Most financing in the US for parties comes from corporate donations, very much with a condition imposed by the corporation. Kind of acting like a bribe.


Those are false equivalencies. The EU bureaucracy is a mess of competing factions. It isn't a corporation or a political party. A better analogy would be a US Government department breaking a law.

Ideally there are legal avenues for redress in your situation. If there are not, that is more likely to be the problem than a conspiracy of propaganda.


I agree with you, but this is what happens in reality. Laws and regulations get abused more than they get used, unless they are very well written. The minimum would be to require the EU itself to not use Microsoft 365 and other services that they have explicitly tried to counteract with their laws.

Change the word "propaganda" to "marketing", if it is offensive to you.


> You don't believe Apple propaganda, Monsanto propaganda, or Republican propaganda. So why swallow EU propaganda?

Because I vote for my EU representatives. Sure one doesn't have to "believe" everything, but not believing _anyone_ is also a dangerous slippery ride down the conspiracy lane.


You don't vote for the European Commission....


But you vote for someone who is going to nominate a commissioner. So it is just indirect election.


For the commission you vote for someone who votes for someone who votes for someone who appoints commissioners.


> As with all laws in Europe, GDPR has a chief purpose to be abused by the rulers and used against the public and the public interest.

As with all gross generalizations and simplifications this is false. As in: the issue is more complex than you make it out to be.


Look, I understand you have been burned, but to jump from your anecdotal "authorities in the EU abusing GDPR" to a universal "[a]s with all laws in Europe, GDPR has a chief purpose to be abused by the rulers" is quite a stretch.

You are free to believe what you want but it is getting old to say that people who do not agree with you are falling for some ruse. Maybe they know something you don't?


I've never said that people not agreeing with me are falling for some ruse. With "swallowing propaganda" I don't think anybody swallows it whole, just that people are not sceptical enough regarding one huge organisation like the EU, while having no problem being sceptical of the other huge organisations I mentioned.

But you know what? Note taken and thanks.
