undefined | Better HN

0 pointsjudge20201y ago0 comments

> The only "safe" option without any uncertainty seems to be architect every system so that data never transits to the US and is also never in the custody of a subsidiary of a US-domiciled corporate parent.

If i'm not mistaken, because of this (via[0])

> The CLOUD Act primarily amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil.

It sounds like compliance is only possible* if "the US company doesn't have any influence on the EU data-holding company" which is insane. This might be satisfied if the US company simply licenses their software product (e.g. the Uber backend) to an EU company. But this might not be adequate since chances are updates would be somewhat automated, and thus the US-based Uber might be compelled by the government to ship malware with their update to catch some US criminal (or otherwise enact some US spying).

* edit: only possible in lieu of a data agreement like Privacy Shield or its successor as mentioned above

0: top comment on https://news.ycombinator.com/item?id=33561222

0 comments

buzer1y ago

> If i'm not mistaken, because of this (via[0])

>> The CLOUD Act primarily...

As far as I understand (IANAL) the CLOUD Act has not been used as basis of decision at least for Schrems II. The primary issues court found were regarding surveillance programs authorized under Section 702 of the FISA & executive order 12333.

Full Schrems II judgement is available at https://curia.europa.eu/juris/document/document.jsf?text=&do...

judge2020OP1y ago

That makes more sense then. Is it still right to say that they're afraid of a US company being compelled to access data at the request of the US gov when it's stored in the EU, or is it still only trying to avoid EU data actually going to the US during _regular_ operations of a business (paragraph 63)? I feel like it's still a threat if some US employee could access servers inside the EU as a one-off for NSA/etc surveillance?

marcosdumay1y ago

> which is insane

It's completely sane from the EU's point of view. Why would they submit their citizens to forceful government eavesdrop?

I do agree it's insane. But the insanity is not on the GDPR.

blackeyeblitzar1y ago

You mean like the EU governments? Which country / countries have fundamental protections for free speech and censorship free social media? Which are seeking to force encryption backdoors?

65101y ago

> catch some US criminal

https://en.wikipedia.org/wiki/CIA_black_sites

jeroenhd1y ago

It's true, the extensive surveillance capabilities the American government demands from American businesses is one of the reasons American companies cannot enter the European market.

I doubt this will change any time soon. The GDPR isn't going away, and the USA isn't known for loosening their data collection laws. Maybe in a few years the EU can find a legal ground to allow the USA to spy on EU citizens without acceptable legal defences, maybe the USA will give up their capability to use American businesses as a tool to spy on the EU, but for now surveillance law is a major roadblock for American companies expanding to Europe.

j / k navigate · click thread line to collapse