Danish Data Protection Agency bans Google Workspace for Municipalities

blog.simpleanalytics.com

58 points by ironman1 4 years ago · 30 comments (29 loaded)

lock-the-spock 4 years ago

Wow, stunning. The real test will be whether Chromebook use gets banned in schools - an office you can switch over, but a whole school bound to Chromebook hardware? This will be a very difficult/expensive switch. Alternatively one could dream that this brings Linux to schools - which would be the basis of a long-term break with the MS/Apple/Google dependency.

ecmascript 4 years ago

This is a good thing! I hope my country (Sweden) follows suit.

  • dontreact 4 years ago

    Why do you think this is a good thing?

    • nisa 4 years ago

      Not OP, but I'll try to explain it from my subjective perspective: It's good because that's not your small nodejs startup but rather Municipalities. They process sensitive data about their citizens and I'm sure Denmark has strict privacy laws for that. Giving that data to Google means it's now in the US and can be used by NSA or other organisations for spying. Does that happen? I don't know. But why take the risk? Secret court orders for national security are a thing. So it's a danger to the independence of the Danish state. Might all sound a little hyperbolic and theoretic but it can't be excluded. Furthermore it's illegal under current EU law on top of that. See the other links to Max Schrems' work here. Of course, due to the sad state of public IT infrastructure in Europe, the risk of losing the data is probably much higher than storing it at Google. I'm not optimistic that this will change. Too many lousy small firms and borderline corruption and too much tax money to earn.

      • AinderS 4 years ago

        > Might all sound a little hyperbolic and theoretic but it can't be excluded

        > the Central Intelligence Agency (CIA), the Bureau of Intelligence and Research (INR) and the United States European Command (USEUCOM) already spied on France in their 2012 elections. Targets have been all parties and their leaders. [..] All targets were infiltrated both by human (”HUMINT”) and electronic (”SIGINT”) CIA spies. Specific tasks have been selected for all targets individually. [1,2]

        Associated Press, on the other hand, did everything they could to downplay the degree of espionage and infiltration:

        > American spies wanted an insider’s take on the race, including details of party funding, internal rivalries and future attitudes toward the United States. Although WikiLeaks’ publication of a purportedly secret CIA document was striking, the orders seemed to represent standard intelligence-gathering. [3]

        I wonder if they would have described Russian infiltration of US parties as "standard", and not striking.

        [1] https://www.huffpost.com/entry/cia-spied-french-elections_b_...

        [2] https://wikileaks.org/cia-france-elections-2012/

        [3] https://apnews.com/article/8e5094a33ad84837a7faa31c426ca909

      • dogma1138 4 years ago

        Impacts of such rulings also mean that the small startups and everyone in between is impacted.

        There are no EU only alternatives to GCP, Azure or AWS, I mean there’s always Alicloud but well…

        Alternatives will not be developed in time for these rulings to have a devastating impact on EU companies and in fact any company that works in the EU that processes data covered by GDPR even if they host purely within the EU simply because the parent company is in the US.

        And even if by some miracle a real European cloud competitor would arise they wouldn’t limit their market to the EU, and the moment they have a substantial US presence and a US legal entity they can fall under similar circumstances as US originated companies.

        This also means that potentially using solutions such as customer supplied or managed keys to encrypt data outside of the direct control of cloud providers is no longer sufficient to protect yourself from data transfer risk.

      • konschubert 4 years ago

        Counterpoint:

        The data that municipalities store is not super sensitive, at worst it contains information about the number of sick days and salary. If the NSA cares about this data at all, it will probably have other means to obtain it.

        On the other hand, the municipalities might now have to spend a lot more taxpayer money to support a worse system that might reduce their efficiency, increasing wait times and frustrations for citizens.

        • danaris 4 years ago

          That sounds very much like an "if you have nothing to hide, why are you worried about privacy?" argument. Which is deeply suspect and entirely serves the interest of the massive surveillance apparatus.

          • konschubert 4 years ago

            I see your point. But I think there is also value in choosing your battles.

            I would rather see resources spent towards the defense against Russian aggression, instead of major IT projects with really unclear privacy impact.

            • danaris 4 years ago

              I very much doubt that there's any real need to be making decisions at that level. The money and other resources going to this IT effort is deeply unlikely to be anywhere close to the pots of money that would be considered for allocation against Russian aggression.

              And given that this is in Denmark—which, while certainly within a zone of some concern, is hardly in any imminent danger from Russia—it seems to me that focusing on defending against Russian aggression, at the expense of effectively everything else, would be quite unproductive.

              Or is it just that you don't think spending on maintaining privacy is worthwhile no matter what, and the Russia situation is a convenient distraction you can point to?

              • konschubert 4 years ago

                I think privacy is important. I’m scared of the EU push to backdoor encryption, for example.

                But I truly think that Russia is a bigger threat to the average Danish citizen than the NSA.

                For example: https://cphpost.dk/?p=131412

                And yes, money gets moved between government pots all the time.

          • djbebs 4 years ago

            On the contrary, since the state ostensibly exists to serve its citizens, there is no legitimate reason to withhold any data whatsoever from them.

            The idea that all but the most dangerous military information should not be public in real time flies in the face of the concept of an informed citizenry, and is far more dangerous and pernicious than its access by hostile powers.

            If some information should not be public, it simply should not be accessible by the state.

            • danaris 4 years ago

              But here we're talking about giving data about the citizens to private entities in a completely different country.

              I can see there being some argument for eliminating the whole idea of "classified information", but that is absolutely not what is being discussed here. This is about the private data of the people of Denmark, and keeping it private.

        • hulitu 4 years ago

          You're right, apart from name, age, address, type of home there is no sensitive information stored.

    • frozencell 4 years ago

      WikiLeaks argument.

  • petters 4 years ago

    That would be bad, since that’d mean storing the data themselves, with an increased risk of data leaks. (There was a medical data leak as recently as today from a Swedish agency. The track record is unfortunately not good)

    But the law is the law.

peterhunt 4 years ago

I’m trying to understand the current position of the EU commission on data transfers to the US. Based on this plus the recent google analytics decisions, it seems to me that data transfers to the US are going to be prohibited by default under the recent interpretations of chapter V. Am I understanding this correctly?

  • Y-bar 4 years ago

    Since the entire Privacy Shield has been ruled invalid it seems all EU-US transfers/multinational corporations which process personal data are in a tough spot. I think Max Schrems (who took Facebook, among others, to court on GDPR) has a good explanation:

    https://noyb.eu/en/project/eu-us-transfers

    > At its core, this case is about a conflict of law between US surveillance laws which demand surveillance and EU data protection laws that require privacy.

    • jimkleiber 4 years ago

      I really hope that in the (near) future we figure out a system of governance to better resolve inter-national conflict. I assume these conflicts will only increase as we increasingly interact across national borders.

betaby 4 years ago

As with all court rulings, that one uses wording which is impossible to interpret unambiguously. Example: "A general ban on processing with Google Workspace until adequate documentation and impact assessment has been made and until the processing operations have been brought into compliance with the Regulation", whatever it means.

ChrisArchitect 4 years ago

Just a changed URL from yesterday's post: https://news.ycombinator.com/item?id=32099850

lizardactivist 4 years ago

Well done Denmark!

A cue to other countries. Follow Denmark's lead and safeguard your data, your systems, and the privacy and security of everyone working in your municipalities.

theplumber 4 years ago

Finally some good things come out of GDPR
