There is a general, Europe-wide restriction on exporting personal data outside of the EEA to somewhere that doesn't provide an acceptable level of protection (which by default the United States does not).
There is also a Safe Harbor scheme that is intended to overcome this problem so working with US businesses is still possible if they provide additional safeguards. However, it's now clear that no business operating in the United States can actually offer the required guarantees, no matter how sincerely they might wish to. It is therefore unclear whether a European business relying on Safe Harbor to cover its rear would actually have much of a case in court if one of its customers were actually damaged as a result.
I've seen a lot of businesses at least considering pulling out of US services, cloud or otherwise, for this reason in recent months. Some are sticking with it, on the grounds that there is safety in numbers: no government regulator really wants to damage global trade by making examples of businesses who are just trying to do their work and acting in good faith, and if you're dealing with a similarly honest business from the US then the odds of an actual customer complaint are probably low enough that it might be considered an acceptable business risk. Others seem to have lawyers who are more wary and fear the penalties of something like a mass leak across the pond that would come back to bite their clients back home.
In addition, some nations in Europe are a lot more concerned about privacy both legally and culturally than the US, for obvious historical reasons if nothing else, and they may have stronger laws still.
> There is also a Safe Harbor scheme that is intended to overcome this problem so working with US businesses is still possible if they provide additional safeguards. However, it's now clear that no business operating in the United States can actually offer the required guarantees, no matter how sincerely they might wish to.
Can you provide more data on that?
I'm 'only' a system administrator, but I'm working for a company that is doing business in the both US and UK.
Real Soon now we're going to be standing up a stack in the UK .. but I'd like to know what safeguards I can't guarantee so when I'm dealing with _two_ data sets and _two_ code bases and squared complexity I know _why_.
I don't know anything special that hasn't been all over the news anyway.
Basically, the US government seems to be actively trying to compromise data held by US businesses on non-US citizens. That same US government has made it clear in public statements from the highest levels that they don't consider foreigners to have any privacy rights at all that should prevent this.
Given that this all happens in secret, any promise made by any business operating in the US that they will safeguard personal data of non-US citizens to the standards required by European law is now known to be worthless, even if it was made with complete sincerity.
This is now common knowledge, and anyone controlling personal data in Europe would have to take it into consideration when applying the general data protection principles. In other words, any legal cover afforded by the Safe Harbor scheme may not be worth anything any more. (In case your question was intended to be about the Safe Harbor programme itself: This was created so that US businesses can be used to process personal data from Europe, as long as the US business promises to uphold similar data protection standards to those required by law of European businesses.)
So the bottom line is that as a European business, if you don't have adequate disclosure when you collect any personal information that basically says it might be exported to somewhere without any safeguards on how it's used, and you don't get prior informed consent from everyone whose personal data you are dealing with, you might be on the hook legally for regulatory non-compliance as well as for any actual damages that result from any breach. Whether it's possible to give prior informed consent to a carte blanche handling of the data is itself debatable.
(Just to be clear, my comments in this thread are based on the perception of the current situation as I have encountered it anecdotally in a few cases. Some of the people I've spoken with may have taken legal advice, but what I've described here is not based on formal legal advice I or any of my own companies have received. Please consider these notes as food for thought only and for goodness' sake don't rely on them instead of taking proper advice if these kinds of issues might actually affect you.)
Presumably because of FISA orders. Other countries have their equivalents of the NSA, but as far as I know none of them have a law preventing companies from announcing that their respective agency has grabbed a user's data.
> Other countries have their equivalents of the NSA, but as far as I know none of them have a law preventing companies from announcing that their respective agency has grabbed a user's data.
It's hard to know exactly what the US law is too because it's classified. I would not trust that any country is safe from snooping--always assume it will happen.
US law is not classified. The exact ways that the executive enforces and upholds the law sometimes is, but the law itself is not.
That was what led the initial opposition to the Patriot Act, FISA Amendments, etc. was that they would make NSA programs like the ones that have hit the news substantially (if not completely) legal. That's apparently not what Sensenbrenner had intended when he drafted Patriot Act, but it was exactly this kind of issue that was raised at the time by privacy groups and promptly ignored by policymakers.
> In more than a dozen classified rulings, the nation’s surveillance court has created a secret body of law giving the National Security Agency the power to amass vast collections of data on Americans while pursuing not only terrorism suspects, but also people possibly involved in nuclear proliferation, espionage and cyberattacks, officials say.
> But since major changes in legislation and greater judicial oversight of intelligence operations were instituted six years ago, it has quietly become almost a parallel Supreme Court
> “We’ve seen a growing body of law from the court,” a former intelligence official said. “What you have is a common law that develops where the court is issuing orders involving particular types of surveillance, particular types of targets.”
Again, what the executive does is sometimes classified. This includes foreign surveillance by the very definition of national security. The U.S. having a FISC at all is unusual compared to the standards of other nations, where foreign surveillance may very well be done completely at the whim of the executive. We should push for improvements to the oversight process, but I can envision no such feasible improvement that would allow the public to see exactly what the government is doing (since then Russia, AQ, etc. would also know by definition) so at some point you're going to have a trust a third-party.
The safe and conservative option is to assume that the executive is doing literally anything permitted by the public law without the aid of 'activist judges' (as the GOP would say) on your side of the argument. This is exactly why it is so important to be judicious in crafting legislation, as the judges will operate by what's in the written law not contrary to the Constitution when the law is clear. They only start worrying about "what the legislators meant" when the law is fuzzy.
That's also why it is important to quickly get a legal framework around foreign surveillance that includes recognition of the fact that the Internet is global while the Fourth Amendment is domestic. MUSCULAR is a pretty shocking breach of what we all understand the Fourth Amendment to mean, but I guarantee that it's technically legal. It shouldn't be, but the Fourth Amendment has long been known to effectively not apply at all outside of CONUS.
My understand is that since Amazon is a US-based company, they could be forced, by the US government, to turn over data that is hosted in other countries. So using an Amazon cloud, even if its based in the EU, is still not possible.
EDIT: well, I guess I'm sorta wrong. The whole thing looks complicated. Making sure you don't violate German data protection laws is confusing [0][1].
You are not wrong: Amazon now agrees not to move data from EU servers... unless compelled by authorities. US authorities can force Amazon to open their data centres wide open, regardless of location, at any time under Patriot Act provisions. Before Snowden, this was considered a far-fetched scenario, unlikely to ever pan out in practice. We now know that it happens pretty much every day.
The Safe Harbour program is a weak attempt at saving face: as long as the Patriot Act exists, no US-based company will ever be able to comply with EU privacy laws as they stand. Being "compliant with Safe Harbour provisions" only means that they're making promises they won't be able to keep.
how comes that governments are allowed to destroy international relations, just to keep "control of everything"? I can't find any reason that would give the government an advantage for doing so. Ok, one maybe, selling insider data to traders, companies and enemies. But we have no proof for that.
There is also a Safe Harbor scheme that is intended to overcome this problem so working with US businesses is still possible if they provide additional safeguards. However, it's now clear that no business operating in the United States can actually offer the required guarantees, no matter how sincerely they might wish to. It is therefore unclear whether a European business relying on Safe Harbor to cover its rear would actually have much of a case in court if one of its customers were actually damaged as a result.
I've seen a lot of businesses at least considering pulling out of US services, cloud or otherwise, for this reason in recent months. Some are sticking with it, on the grounds that there is safety in numbers: no government regulator really wants to damage global trade by making examples of businesses who are just trying to do their work and acting in good faith, and if you're dealing with a similarly honest business from the US then the odds of an actual customer complaint are probably low enough that it might be considered an acceptable business risk. Others seem to have lawyers who are more wary and fear the penalties of something like a mass leak across the pond that would come back to bite their clients back home.
In addition, some nations in Europe are a lot more concerned about privacy both legally and culturally than the US, for obvious historical reasons if nothing else, and they may have stronger laws still.