by mgraczyk 1411 days ago
Sounds like blatant protectionism to me.

If I'm reading the ruling correctly, the relevant legal standard applied here is completely bogus. They find that it is a violation of GDPR because the parent company could access the data, in principle, if they wanted to. It doesn't matter if there are safeguards, technical, or institutional preventions in place.

However, the exact same argument applies to any EU company with any internet connection, and directly applies to any EU company with infrastructure in the US. EU companies could, in principle, transfer data to the US intentionally or by accident. If technical, institutional, and legal prevention isn't good enough for US companies, why is it good enough for EU companies? Seems like GDPR has to also be construed to prevent EU companies from doing business in the US.

If the counterargument is that US companies could be compelled by the US government to hand over data, while EU companies cannot be, that is factually untrue.

6 comments

US cloud companies can be forced by the US government to spy on European citizens. That's the reasoning behind this ruling. Are you not aware of the NSA spying programs?

Right, that's why I included my last paragraph. EU companies can also be forced by the US government to spy on European citizens. It happens all the time.

> EU companies can also be forced by the US government to spy on European citizens.

How? If a company is not American how can it be forced by the US?

I'm sure industrial policy and thus economics had no factor in those laws being written.

> It doesn't matter if there are safeguards, technical, or institutional preventions in place.

Except the American company made it clear that no such safeguards will be in place and that it will transfer the data out of its EU servers if legally compelled to do so. This can be found in the German text at https://rewis.io/urteile/urteil/ocw-13-07-2022-1-vk-2322/ .

> Regions. Customer can specify the location(s) where Customer Data will be processed within the X. Network (each a "Region"), including Regions in the EEX. Once Customer has made its choice, X. will not transfer Customer Data from Customer's selected Region(s) except as necessary to provide the Services initiated by Customer, or as necessary to comply with the law or binding order of a governmental body.

Any governmental body can request access to EU users' data and the data will be moved out of the EU region. At best it provides that it will challenge any inappropriate or overly broad request, but there is no legal framework for what qualifies as such between the EU and US, and the US is unlikely to care about challenges that have no legal basis.

> that it will transfer the data out of its EU servers if legally compelled to do so.

They have a legal search warrant. This is an EU country; they likely have a law enforcement and judicial cooperation treaty with the US.

There was a treaty on how to deal with data protection between the EU and US; it was killed by a court decision best known as "Schrems II". Trying to get the EU data protection laws and the US government's need to collect all the data to play nicely is a non-trivial and maybe even outright impossible undertaking, so no replacement currently exists.

It's not protectionism. The agreement with the US parent company allowed them to access the data!

> A included clauses in the offer that stated, among other things, that it will not access, use, or disclose customer data to any third party, except as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body.

So it is a transfer of data from EU control to US control. Very clearly.

Lots of EU companies have the same language in their policies. For example:

https://us.ovhcloud.com/legal/privacy-policy

> However, the exact same argument applies to any EU company with any internet connection, and directly applies to any EU company with infrastructure in the US. EU companies could, in principle, transfer data to the US intentionally or by accident.

Yes, this might be a reasonable argument. You'd be in a bad place as an EU company trying to operate in the US right now. Perhaps the US should quit passing spy law and we can go back to cooperating.

I assume the WTO will get involved to clarify and the safeguards required to operate in Europe will get rather well defined. Lots of powerful interests involved which should get this sorted out eventually. Much uncertainty until then.

When you read the original document, it seems to be more about terms of the original contract and effective access to the machines than the location of the parent company, so a clear split of should make it be possible.