Usage of EU subsidiaries of US cloud providers deemed unlawful by German court

All: the hellish and puerile flamewar that many of you stooped to in this thread is exactly what HN is not for. We ban accounts that post like this, so please don&#x27;t post like this.<p>What an embarrassment.<p><a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;newsguidelines.html" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;newsguidelines.html</a><p>I suppose I&#x27;d better add that this isn&#x27;t about which side you&#x27;re on. It&#x27;s just about having an international forum that doesn&#x27;t suck and doesn&#x27;t destroy itself. All of you flaming each other in this thread have made HN suck (in this neighborhood) and contributed to destroying it.<p>No more of this, please. You can make your substantive points without any of that. If you can&#x27;t, please don&#x27;t post until you can.

Telekom and Microsoft partnered together a long time ago to fix this problem but it turns out in european public comunal and state procurement projects that cloud offerings play a very insignificant role since its largely all on-prem IT projects and so that partnership was closed.<p>I&#x27;m just writing this because a lot of comments are getting the wrong idea from this and causing some weird mix of hysteria and europhoby. In the grand scheme of things, there is no money lost for Azure and AWS, the potential of the once in a full moon cloud projects from public european institutions wouldn&#x27;t even amount to something that would be described as pocket chance.

Yeah wondering about the consequences.<p>By this logic almost every non-EU Saas would be forbidden.<p>For sure Stripe is also not allowed, huge amount of customer data in US hands.

This is EU law. That is why you are seeing similar court rulings &#x2F; administrative rules coming out of Denmark, France, Italy ...

And slowly but surely the tidal wave of the consequences of GDPR versus the CLOUD Act come into view.<p>It will take many years to of delays and fretting (due to the dependence on US clouds) but fundamentally the current legal position is that GDPR is fundamentally incompatible with any personal data transfer to the USA, that&#x27;s how Google Analytics keeps getting banned too.<p>At some point this will all come to a head and something will have to budge given the gigantic consequences of such a position, from AWS to GCP to Stripe to even basic things like your Domain Registrar.

Simply the CLOUD Act [1] which is incompatible with GDPR. No problem transferring to a third country [2] as long as you can uphold GDPR.<p>[1]: <a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;CLOUD_Act" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;CLOUD_Act</a><p>[2]: <a href="https:&#x2F;&#x2F;www.imy.se&#x2F;en&#x2F;organisations&#x2F;data-protection&#x2F;this-applies-accordning-to-gdpr&#x2F;transfer-of-data-to-a-third-country&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.imy.se&#x2F;en&#x2F;organisations&#x2F;data-protection&#x2F;this-app...</a>

Looking for an informed opinion; what are the practical consequences for European companies using American cloud providers (which I guess is most of them) ?

It is not clear to me from that what the relationships are between company A, the EU subsidiary (which I&#x27;ll call S), and the US cloud provider (which I&#x27;ll call C).<p>1. Would A be dealing directly with S, or is A dealing with C which is using S to store A&#x27;s data.<p>2. Is S incorporated in the EU?<p>3. Does C have access to data stored in S, other than data that C itself put there using the APIs that S makes available to all its storage customers?

Does anyone know the Company A and Company B in the question? Microsoft?<p>AFAIK public procurement documents are often public.

The context for this: say you&#x27;re a SaaS and you want to tap into the EU market. Per GDPR, personally identifiable data shouldn&#x27;t leave the jurisdiction of the EU so you should use EU hosted servers, storage etc.<p>So you might then split your app to an EU hosted datacenter of your preferred cloud provider.<p>This ruling says that&#x27;s insufficient as while the data remains functionally in the EU it&#x27;s still possible for it to be accessed on the backend by non EU entities.

summary (English): <a href="https:&#x2F;&#x2F;gdprhub.eu&#x2F;index.php?title=VK_Baden-W%C3%BCrttemburg_-_Az._1_VK_23&#x2F;22" rel="nofollow">https:&#x2F;&#x2F;gdprhub.eu&#x2F;index.php?title=VK_Baden-W%C3%BCrttemburg...</a><p>news article (German): <a href="https:&#x2F;&#x2F;www.golem.de&#x2F;news&#x2F;vergabekammer-clouddienste-von-us-firmentoechtern-sind-nicht-dsgvo-konform-2208-167456.html" rel="nofollow">https:&#x2F;&#x2F;www.golem.de&#x2F;news&#x2F;vergabekammer-clouddienste-von-us-...</a><p>primary source (German): <a href="https:&#x2F;&#x2F;rewis.io&#x2F;s&#x2F;u&#x2F;PjK&#x2F;" rel="nofollow">https:&#x2F;&#x2F;rewis.io&#x2F;s&#x2F;u&#x2F;PjK&#x2F;</a><p>press statement of law firm (German): <a href="https:&#x2F;&#x2F;gruendelpartner.de&#x2F;newsroom&#x2F;gruendelpartner-erwirkt-weitreichende-entscheidung-zur-unzulaessigkeit-von-cloud-und-it-dienstleistungen-durch-us-tochterunternehmen-in-deutschland&#x2F;" rel="nofollow">https:&#x2F;&#x2F;gruendelpartner.de&#x2F;newsroom&#x2F;gruendelpartner-erwirkt-...</a>

&gt; It followed that company A&#x27;s service qualified as an unlawful transfer of data to a third country because their parent company was located in the US, violating relevant data protection law (Article 44 GDPR).<p>&gt; The Chamber explained that a transfer in this context must also be assumed when data can be accessed from a third country, regardless of whether this actually takes place. The fact that the physical location of the server that provides such access was located in the EU was irrelevant.<p>I think this is an interpretation of GDPR that most companies are not prepared for. You could write an implementation that restricts access to EU data, but if the parent company is not in EU, I guess the implementation could always be changed to allow access. Ergo, GDPR violation?

Keep rocking.<p>I have no beef with US companies doing business here as such, but as long as they&#x27;re supporting espionage and sabotage by handing crucial data to the NSA and CIA they should simply not be allowed to operate here.

For public services, as in government <i>public</i>. From the page:<p>The case concerns a decision by the Vergabekammer Baden-Württemberg (&quot;Procurement chamber Baden-Wuerttemberg&quot;), the administrative <i>authority that reviews the public procurement procedures</i>.<p>On 3.11.2021, a <i>public authority</i> issued a Europe-wide invitation to tender for the procurement of software for digital management via an open procedure. The award criteria contained, among other things, requirements for data protection and IT security. The <i>public authority</i> received offers from company A and company B.

Thank god at least some government has the sense to take steps to protect their country&#x27;s sovereignty. All the US has to do to regain trust is to stop using BigTech for spying on other countries. To begin with, it can start by creating laws and regulations like the GDPR (or better) and move on to breaking up the monopolies of BigTech.

I think this kind of affirms the general opinion that Germany and many traditionally powerful European countries is doing poorly when it comes to modern tech. What went wrong with Germany and Europe? They used to be the front runners in tech once upon a time.

Simple question. Who do you trust your data with?<p>1. A company in your own country which got marketshare mostly because of legal reasons and government interference.<p>2. A company which got marketshare by building products that people loved all over the world, has the smartest people working for them and have generated more value than the vast majority of the companies that existed previously in the world combined.

Hey America - stop spying on our our citizens or we will stop buying your tech.<p>Seriously.<p>We talk about this cloud stuff like it is rocket science. It is not. It is a box in a basement. We are capable of doing that ourselves.<p>And no. It ain’t cool for NSA to sniff around some German governmental software, even though you are the good guys and on our side.

Isn’t this sort of what we accuse the Chinese of doing? The US designs the technology and then the Chinese manufacturers steal that design to make their own?<p>Except now, the EU is more or less forcing American companies to sell unaffiliated spin-offs to the EU to continue doing business there. Seems a bit underhanded to change the rules now after so long, especially considering the fact that the EU can’t make these companies for themselves or they would have already.

Sounds like blatant protectionism to me.<p>If I&#x27;m reading the ruling correctly, the relevant legal standard applied here is completely bogus. They find that it is a violation of GDPR because the parent company could access the data, in principle if they wanted to. It doesn&#x27;t matter if there are safeguards, technical, or institutional preventions in place.<p>However, the exact same argument applies to any EU company with any internet connection, and directly applies to any EU company with infrastructure in the US. EU companies could, in principle, transfer data to the US intentionally or by accident. If technical, institutional, and legal prevention isn&#x27;t good enough for US companies, why is it good enough for EU companies? Seems like GDPR has to also be construed to prevent EU companies from doing business in the US.<p>If the counter argument is that US companies could be compelled by the US government to hand over data, while EU companies cannot be, that is factually untrue.

US needs to economically retaliate in kind. If the US has the same data protections as the EU they’d make up some other excuse to attack US companies. This is what happens when you can’t compete you make up regulatory excuses.<p>I’m sure I’ll get downvoted by Europeans but it’s the truth. Look at the valuable companies and where they are located :)

The US parent company was given access to the EU data. That&#x27;s the problem here.<p>&gt; A included clauses in the offer that stated, among other things, that it will not access, use, or disclose customer data to any third party, except as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body.<p>Of course giving a US company control over EU data at a whim means that it&#x27;s a transfer to the US. The court made the only reasonable decision.