Comment by digitalengineer
3 years ago
Some time ago Google gave EU admins the option to select a local regional (EU) server. This means the data is not sent to the US. But! It’s still not fully legal as the Google HQ (and thus the US government) can still access all the data.
If anyone is curious about why that gives the govt. access:
https://en.wikipedia.org/wiki/CLOUD_Act
(God willing they repeal it, even if only for the international commerce implications...)
This will never be repealed. It was introduced to effectively enshrine a right US authorities have had since the PATRIOT Act was introduced 17 years prior, since that act had become politically contentious and was left to expire.
If anybody seriously thinks US authorities will quietly lose a key power after enjoying it for 21 years, I have a few bridges ready to be sold.
No one said "quietly" -- but there has to be some threshold of backlash that would knock it back. My guess is that European privacy law could combine with it to do enough impact to large American businesses that they'd use their political weight to do something, whether or not it were to improve matters from the perspective of privacy/sovereignty.
Something I'm not getting here. If you buy an EU-engineered IoT home appliance that has PII, including whether a user is presently inside their home, then every company I know operating in this market uses US-based clouds (what other options are there LOL) to do things like digital twin or device shadows but by using a local availability zone.
So this is very different than GA, but depending on the threat-model can be worse. Also very similar metrics can be gathered from the data as from a GA cookie (are they eating, cooking, showering, watching TV).
The CLOUD Act would (or should) in this case also apply here, or what am I missing?
You're not missing anything. A lot of companies just have no idea of the legal landscape, or simply ignore it in the name of convenience. That's because consumers are even more ignorant of their rights around technology and don't sue them. It will take a lot of civil litigation for this to change.
I am only aware of Hetzner (German). The other day I was checking out their offerings and I was amazed at how easy it is to order a VM. And then it is live the next second. It is amazing.
Obviously they don’t have the full range of services the big three have. But maybe just enough anyway.
The watchdogs are extremely slow and have a huge backlog. You’re right that storing that data in the US or without transferring ownership to an EU subsidiary would not be legal.
> what other options are there LOL
This blog post lists a few:
https://news.ycombinator.com/item?id=27393854
Also, even if no options were available, it's not like the law would care - the illegality of it has been advertised for years...
> (what other options are there LOL)
It is a hot topic, here are a few: IONOS - https://cloud.ionos.com/ Open Telekom Cloud - https://open-telekom-cloud.com/en
But if you want to do scale in Europe you have to go for OVH: https://www.ovhcloud.com/en/
> every company I know operating in this market uses US based clouds (what other options are there LOL)
Alibaba has a sizeable cloud offering and has for years.
Presumably the Five Eyes alliance could also mean that servers in Australia, Canada, New Zealand, and the UK may also be unusable since they share intelligence information with the US.
> (God willing they repeal it, even if only for the international commerce implications...)
It's hard to express how impossible this is. It is very very strongly in the state's interest to keep powers like this. We're more likely to get communism...
This then comes down to whether you think the US govt. these past few decades is better at self-perpetuating power or toadying up to the demands of capital. Cynicism vs. cynicism!
Why is that not fully legal? Wouldn't the same law prevent Google USA from querying PII data from Google Italia?
If Google US can access the data, that means the US government by extension can also. This is exactly what GDPR doesn’t want happening. More details in this open letter by Max Schrems: “the Court has clearly held that US surveillance laws and practices violate Article 7, 8 and 47 of the Charter of Fundamental Rights” https://noyb.eu/en/open-letter-future-eu-us-data-transfers
Italian laws do not apply to Google USA.
The Italian market doesn’t have to apply to Google USA either.
Companies can always choose to ignore a specific nation’s laws[1], they don’t still get access to that nation’s markets. At the borders the nation state is the one with the guns and firewalls.
[1] unless you piss off a nation that can project global power, lol if you piss off China or America
Oh yes they do. GA is part of a company that also sells services in Italy. They should follow the law if they want to keep earning that non-US Adwords money that allows GA to remain free.
Not generally, but they do apply to Google Italia, who would not legally be allowed to respond to requests from Google USA for European PII.
But someone will have to foot the bill when their branch in Italy is fined by the government for violating Italian law
Like Adobe, who uses tracking servers in the EU, but Data Processing happens in the US?
The article has the watchdog suggesting exactly that (the specific site has 90 days to use GA in a compliant way, no direct complaint against GA), so it seems from their point of view it's legal.
The title of this post and a lot of the comments are projecting what they want GDPR to be (all non-European online entities banned from doing business in the EU) vs how it's being enforced.
On the last point: how does that work with cloud computing providers, as all the big ones are US-based?