by jeppester 1422 days ago
It's a very common misunderstanding (which is happily spread by US cloud providers) that it matters where the data is stored.

What matters is that the data is stored by - and accessible to - a company which submits to the US laws.


Equally it's a sorry indictment of our economic times that the meaning of unlawful has been hammered into an understanding that non prohibition is permission. This aggressive and putative new use is refuted by every founding principle of the common law in Anglo Saxon countries and most of the western world. See the argument of letter vs. spirit for an effect.

Ed. cleared up phrasing around new use, replaced meaning with use for .. meaning.

> This aggressive and putative new use is refuted by every founding principle of the common law in Anglo Saxon countries

Which founding principles, exactly? Your comment seems to imply you think we should live in a world where we are only allowed to pick our actions from an enumerated list of approved actions. That world is extremely contrary to the kind of world I would like to live in, but also seems to contradict most of what I know about the history of the western world. Is that really what you mean?

> Is that really what you mean?

I'm fairly certain that's not what OP meant, no.

What OP is getting at is that the common law tradition isn't to explicitly spell out all the nuances of when that action is actually disallowed, but rather to set out the general principles, and let case law define the precise limits of that boundary. In contrast, the civil law tradition is very much based on statutory law explicitly setting the boundaries, and case law serving only to disambiguate.

The "aggressive and putative new use" they're referring to is basically taking common law's fuzzy boundaries and pushing a civil law interpretation on top where all the grey areas are assumed to be allowed.

That was a very clear explanation, thank you!

> non prohibition is permission

That is exactly how things work. Unless the government goes through the effort of passing a law to prohibit something (and getting approval of the people's elected representatives, and the courts), then the thing is legal. How else do you propose things should work?

Those "pushing the boundaries" always end up using a similar logic. However, there's always going to be a large segment of society whose rules are based around non-financially oriented methodologies, such as: "morals", or directly from spiritual texts which disallow certain practices, or historical "customs". Such things are not "illegal" per se, but it's largely held as being reprehensible by a large number of people nevertheless & causes a large amount of friction within society.

Then there's the issue of marketing/propaganda (which the parent mentions as "hammered") whose sole purpose is to change people's minds in an emotional way. I wish people would learn about Edward Bernays, nephew of Freud, who instituted this. In and of itself, propaganda has never been illegal, but no one likes to admit to being emotionally manipulated. (But when you begin to pay attention to your emotions, you can spot this stuff from a mile away).

I think what you are addressing is social convention and social norms, which are enforced by social sanctions only. However, while these are soft norms, laws are hard norms and enforced by the legal system, which is an important difference. Therefore (however we may feel about this) something may be intuitively and morally wrong, but still perfectly legal. Still, this may be subject to social action, which may be what you are aiming at. This is what civil society is about.

Not sure what the stance being argued is. Should we require companies to run morality polls and submit to a pre-rollout court to determine the legality of new products that push the limits of human innovation?

Also, it's important to note that humans are actually quite bad at this sort of judgement. I'm sure if you showed everyone in Germany in 1980 a computer, and how it can instantly store and retrieve files and documents, and asked them 'is this moral?' they would be against it on the grounds that it would put hundreds of office workers out of a job.

Great. Now what's your policy proposal?

That's not exactly how things work, though. Laws aren't deterministic like a computer program. They can be drafted broadly, poorly, incompletely, or simply not take into account things that didn't exist when the law was written.

It's the job of the judiciary to interpret the laws in these situations, and part of that is looking at the spirit of the law and creating case law which may alter the powers of government.

This is very much part of the Western tradition of common law, as is a vigorous discussion over how far the judiciary should be able to go. It's fair to say popular sentiment has drifted in a libertine direction over the last 50 years, but the debate is far from settled.

(In fact we can speculate with some reliability about what the future may hold: via one mechanism or another, including the judiciary, governments usually trend more libertine in times of peace and more authoritarian in times of crisis.)

I don’t think you can equate common law and Western tradition. Large parts of what I would call The Western world have the civil law system.

Yes, you're right - just meant to say that common law is one of the major Western legal traditions, and worded it awkwardly.

> They can be drafted broadly, poorly, incompletely, or simply not take into account things that didn't exist when the law was written.

Computer programs suffer all of this as well :)

Common law is very much the minority of western law traditions.

That’s definitely not how French law works. What is not proscribed is permitted.

Why are then things like AWS, Azure, Google Cloud, … legal? Are they? I assume Amazon can access data stored in any of their servers, right?

> I assume Amazon can access data stored in any of their servers, right?

If you encrypt the data with your own key, they should not be able to access it.

Only if you encrypt before upload and decrypt after download, which renders almost all AWS/Azure/GCP services completely useless.

In-transit encryption protects you against this attack scenario specifically (if you own the keys obviously).

How so? Amazon, Google and Microsoft need access to your unencrypted data in order to provide most of their services (such as databases, analytics, machine learning). There's not much they can do with encrypted data. They can store it. They can pass it through. That's it.

This problem has to be solved on a political level. There is no technical fix and the legal workarounds appear to be exhausted.
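The "encrypt before upload, decrypt after download" pattern debated in the comments above, written out as an added example that is not code from any commenter or cloud provider. The `Provider` type is a constructed stand-in for an object store (a map, not a real AWS/Azure/GCP API); the customer-side `Client` holds an AES-256-GCM key that never leaves its process. It shows concretely what the provider is left with: it can store and return the blob and observe its name and size, but cannot read it, and it cannot swap blobs between names because the object name is bound in as associated data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Provider models what a cloud object store sees: opaque bytes plus the
// metadata it needs to operate (object name, size). Constructed stand-in,
// not any real provider SDK.
type Provider struct {
	objects map[string][]byte
}

func NewProvider() *Provider { return &Provider{objects: map[string][]byte{}} }

// Put and Get are the only operations offered; nothing here holds a key.
func (p *Provider) Put(name string, blob []byte) { p.objects[name] = append([]byte(nil), blob...) }
func (p *Provider) Get(name string) ([]byte, bool) { b, ok := p.objects[name]; return b, ok }

// Observe is what the provider (or anyone compelling it) learns without the
// key: the size, and whether the bytes look like readable text. AES-GCM output
// is indistinguishable from random bytes, so it will not.
func (p *Provider) Observe(name string) (size int, looksLikeText bool) {
	b := p.objects[name]
	printable := 0
	for _, c := range b {
		if c >= 0x20 && c < 0x7f {
			printable++
		}
	}
	return len(b), len(b) > 0 && printable == len(b)
}

// Client holds a key that stays in the customer's environment.
type Client struct{ aead cipher.AEAD }

func NewClient(key []byte) (*Client, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Client{aead: aead}, nil
}

// Upload encrypts locally. The object name is the AAD, so a blob stored
// under one name will not decrypt if the provider returns it for another.
func (c *Client) Upload(p *Provider, name string, plaintext []byte) error {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	blob := c.aead.Seal(nonce, nonce, plaintext, []byte(name)) // nonce || ct || tag
	p.Put(name, blob)
	return nil
}

// Download fetches and decrypts; tampering or renaming fails the tag check.
func (c *Client) Download(p *Provider, name string) ([]byte, error) {
	blob, ok := p.Get(name)
	if !ok {
		return nil, errors.New("no such object")
	}
	ns := c.aead.NonceSize()
	if len(blob) < ns+c.aead.Overhead() {
		return nil, errors.New("blob too short")
	}
	return c.aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed key; use a real KDF/KMS in practice
	c, _ := NewClient(key)
	p := NewProvider()
	record := []byte("customer record: Anna Example, anna@example.eu") // constructed sample
	_ = c.Upload(p, "records/1", record)
	size, text := p.Observe("records/1")
	fmt.Printf("provider sees %d bytes, readable=%v\n", size, text)
	pt, err := c.Download(p, "records/1")
	fmt.Printf("client reads %q err=%v\n", pt, err)
}
```

This covers the comment's "they can store it, they can pass it through" case exactly: any provider-side feature that needs to index, query or train on the content cannot run on these blobs, which is the trade-off the thread is pointing at.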

My RDS data is stored encrypted on disks with a private key AWS operators have no access to [1] (or at least that's what they tell you), and the application layer connection is controlled by a password transmitted over a TLS-only connection, whose private key - again - AWS has no access to.

[1] https://aws.amazon.com/blogs/database/securing-data-in-amazo...

Would creating competing services within Europe, falling under EU law, count as political or technical solution?
Wouldn't Amazon still have access to metadata, e.g. connection info, IP addresses, etc?

Yes, that's absolutely right, and in fact I don't really know how the GDPR applies to that; it's an interesting question to ask.

IP addresses (for connection setup) are personal data: https://ec.europa.eu/info/law/law-topic/data-protection/refo...

You can process IP addresses without consent only if it is technically necessary: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL... (paragraph b)

But you always (!) need consent to transfer personal data to a non GDPR compliant entity: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL... (paragraph f)

To add: The reason why US companies can't be GDPR compliant is because of Article 5 and the conflict with the Cloud Act: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL... (paragraph f)

"(1) Personal data shall be: (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)."

See also Schrems II: https://en.wikipedia.org/wiki/Max_Schrems#Schrems_II

That last bit seems incompatible with how TCP/IP works? Unless opening a connection is considered consent?

It depends how much credence you put in the standard contractual clauses (SCC) added by these companies after the privacy shield was ruled invalid by the EU.

The idea with the SCC is that instead of all data transfers being covered by a single adequacy decision, each company adds SCCs to its contracts with customers promising that data of EU citizens will be handled in a way that's compliant with GDPR.

Reading this piece from CNIL, I can't see how a US company is going to be able to use SCCs to protect EU citizens from data access by the US government. Non US citizens typically don't have a lot of rights in the eyes of the US gov and they've traditionally been pretty happy to rifle through the data of those people at will.

ed: the point by another commenter about using your own encryption key is a good one. However, the view of CNIL essentially seems to be that transferring any data to the US is risky so to me it feels like you'd be swimming against the tide.

They are probably not legal, either, yes.

In what sense does it matter?

Corporations such as google have legal and financial centers all over the world and these will be structured towards providing the best circumstances for the corporation (tax, legal).

On the other hand, don't all these corporations have data centers all over, that replicate data to provide a better service? Which is to say that pretty much most data is available to all legal jurisdictions. At least as I understand it..

I don’t think it has been tested in court. It’s akin to a U.S. Court issuing a search warrant on a house in Paris.

Yes, it has been tested: https://amp.theguardian.com/technology/2015/sep/09/microsoft...

And that’s exactly what it would be like, though the house in Paris would be owned by a company that has a legal entity in the United States.

Which is exactly what happened and is causing this mess.

https://en.wikipedia.org/wiki/CLOUD_Act

No problem at all with GDPR and third countries. They simply need to have a regulatory framework making compliance possible.

https://www.imy.se/en/organisations/data-protection/this-app...

The problem is that frameworks we have with the US keep being shot down by the EU judiciary. First Safe Harbor and now Privacy Shield. For good reason I might add.