My personal favorite outcome of this would be a joint public and corporate funded leap in open source development. This would do much for the budget, privacy and probably also security of businesses and private users. A good example where this principle is already in use is the Matrix protocol.
Getting the balance of this right to prevent a tragedy of the commons turns out to be hard. Element (who funds most of Matrix dev) has released almost everything we do as permissive-licensed FOSS open source. As a result, there's a huge ecosystem of folks building commercial solutions on Matrix. But surprisingly little $ actually gets back to Element (or the Matrix Foundation) from those commercial solutions, if any.
> TI-Messenger is gematik’s technical specification for an interoperable secure instant messaging standard. The healthcare industry will be able to build a wide range of apps based on TI-Messenger specifications knowing that, being built on Matrix, all those apps will interoperate.
The ones getting most of the money will probably be third-party developers integrating Matrix into their gematik-certified healthcare products.
It's disappointing that Germany decided to go their own way rather than joining DirectTrust and working on the Trusted Instant Messaging Plus open industry standard. It's specifically designed for healthcare.
But would AGPL have gotten traction in the first place? I guess we can’t say for sure, but my guess is no. I think it's safe to say that at minimum it would be an additional barrier to entry.
I’d say the jury is still out on Mastodon (and anyways would not be competitive except for Twitter imploding), and I haven’t even heard of the other one, so I’m not sure this is a compelling argument.
Perhaps it's actually good that one company can't capture significant amounts of money when the goal should be to move away from single-company communication tools. Of course the Foundation does need funding and I think it would be in Germany's / the EU's interest to secure that.
Forget the migration costs; just to develop and stand up the product, the cost and infra would be a few billion euros for one O365 app alone. I don't think people understand how much O365 apps are used. Nobody is filing GitHub issues with this either; you need to do commercial and customer support, basically replace a core MS SaaS product, but not with some shitty idealistic hack, because the economic consequences are dire!
Investments in that area would be investment into European open source development as a whole and European IT in general. Businesses can spring up around such efforts, people can find employment, technology can be developed, and the European market could be strengthened.
Why haven’t Europeans been able to be successful in this area already? It’s not like there aren’t always European businesses working on this problem.
It is striking that both the evil empire solution (Microsoft 365) and the underdog disruptive upstart (Google Docs, at least that’s what it was ~15 years ago) are both American companies. iWork is American, Zoho is Indian.
The problem with the MS products is a different one.
All authorities and almost all business are in tight vendor lock-in when it comes to US software. That's a powerful factor. You can't escape 30+ years of grown lock-in without "insane" investments.
The second factor is of course the corruption all across the EU and its authorities.
Ever heard the story of Munich's switch to Linux and then back to MS? "By chance" MS built its German headquarters in Munich right after that… (Of course hundreds of millions of Euros were in play there). And the sister of one of the lead politicians behind that is "by chance" working for MS in a high management role. There are also known buddy connections between the ex mayor of Munich and MS.
Just 4 examples from Germany. There are countless software companies in Europe, and not just western...eastern Europe is going big in IT in some areas as well. The ability is certainly there.
As to why that didn't (yet) result in good EU-centric alternatives to some of the big US providers in certain areas of IT...good question. I think the correct answer will be a mix of startup culture, government appreciation for the topic's importance, convenience of existing solutions, marketing, and several other factors. Certainly not an easy question to give an answer to.
Back before Gmail ate the world there were a number of small “mail server with webmail” in a box setups - those mostly died off. Similar things happened with office suites.
And now The Document Foundation, which is behind LibreOffice (the active fork of the dead OpenOffice), is also German based. And they put a lot of work into it, including the modernisation.
But to be honest, I am not sure if they could ever become serious competition. I think they would have to do a fresh UI start and be 100% Microsoft Office compatible. Then they would have a chance. With more official backing, this is maybe remotely possible, but I do not count on it. Rather, political pressure for a slight modification of Microsoft's operations for Germany.
EU market would also weaken because they lose the competitive advantage of O365, even google workspace would be better. O365 (or its replacement) is as important as diesel and gasoline to the economy!
Are businesses allowed to use M365 if all of this open source investment fails to produce an equal-or-better solution? Or are businesses forced to operate with the result even if it’s terrible?
I’ll take the strawman. Of course, the software would not be forced upon businesses. Commercial solutions that protect people’s data properly should be perfectly fine to use. I’d even expect many proprietary solutions to come up that solve niche use cases or provide a more polished UX/UI.
Let me put it another way: that's just the start. You would effectively need the EU to operate a SaaS service and compete against MS. The money is hardly the issue; you can't just throw money at it or say the magic phrase "open source". It isn't for a lack of money that LibreOffice is nowhere near Excel, for example; tech people would actually say it is pretty good without knowing how these apps are used.
It is the digital equivalent of replacing all cars of a certain make that everyone uses for critical business functions and replacing them with your own line of cars that will take a decade plus to even mature after you spent a ton of money and an army of devs and dev-support/mgrs.
A few billion is no problem. Simply collect the GDPR defined maximum fine of 4% of total global revenue from Microsoft, and use that to build the alternative. Provide that solution for self-hosting, so the cost of the infrastructure is paid for by the user organizations.
Why would Microsoft (or Google, or anyone) continue to operate in Europe in that model? Seems like a recipe to go from an imperfect tech solution to none at all.
Because there is a market in Europe they can service.
Microsoft and Google are not shoestring budget bootstrapped startups - they can afford to run multiple products, or multiple variants of the same product adjusted for market need, and they will do it, as long as it's net profitable for them. Sure, it's nicer to earn X than X/2 or X/10, but as long as it's a positive amount, it's still worth doing.
That is, as long as it's more profitable to do it by the books than what a lot of industry players did so far, which is to spend money on malicious compliance and sabotaging GDPR.
The calculus changes when you’re being fined tens of billions of dollars that will be used to develop a competitor to your core product.
It’s not (X/2), it’s (X/2) - (NPV of future profits from giving X/2 to develop competition).
Your model would work for just an adaptation to a compliant product, but not to the proposed “just seize 4% of their global revenue and use that to fund a competitor” model that I was replying to.
Open source isn't all upside with no down, and that is why commercial software still dominates and will, unless someone decides to take the hit and carry the load for those downsides.
Besides, in terms of MS365 there is the added problem that there is no good alternative. There are some reasonable alternatives for individual instances but not for the delivers of using 365.
Kolab was originally an open source alternative to Exchange developed by BSI (Bundesamt für Sicherheit in der Informationstechnik) and different companies. I don’t think it has been very successful though.
AFAIK Nextcloud does have some funding from the EU. I've got an instance for file storage and notes, but more advanced stuff is pretty buggy and unstable in my experience.
I have had broadly the same use case - small scale file sync (text notes, some documents)
If you want to save some cash, I can recommend Syncthing. You don't need to host a server for it unless you want to - it is peer-to-peer with all devices you want to be linked via their discovery servers (you can host your own as well).
I used to host my own Nextcloud for about 3 years, moved to Syncthing a few weeks ago, pretty happy so far.
OpenOffice has been good enough for a while, but we're still here. I'm not sure what's missing for governments to adopt it, but the solution isn't just "more open source development." Something else is wrong.
More likely, someone will figure out a corporate structure that makes the EU subsidiaries out of reach from the US government. It's obvious that eventually all US-based services will be declared in breach of the GDPR given the US stance on global surveillance.
Am I mistaken, or did MS have that with Deutsche Telekom running a special Azure zone on their behalf? The idea was that MS wouldn't be able to comply with US court orders because they weren't in control of that zone, and DT's German subsidiary running that operation wouldn't be in US jurisdiction.
As far as I know, they shut it down two years ago citing higher costs and operational issues.
I don’t know about that, but that’s how it works in China, at least. 21vianet is the operator for the Chinese Azure cloud, and presumably is fully accountable to Chinese law, not American.
So self-hostable or on-prem software has the advantage, not specifically FOSS. But in many cases this transfers the GDPR compliance burden to the business that's running the software.
The burden is on the owner of the data in any case. When using an external data processor like Microsoft they have to make sure that the external company complies, and this must be explicitly covered by the contract.
It is not the main point I am trying to make, but FOSS may be hosted in the same country by an entity whose business is integration and support.
The main point I am trying to make, though, is that investing in software that can be used and improved by anyone is (IMO) the appropriate allocation of tax money.
Right now, the money is used on licenses (and, of course, support). What if it was used on development (and support) and the byproduct is a software that ideally can be used by anyone who paid for it, too?
The GDPR situation poses an opportunity to make that switch.
Your suggestion boils down to developing a business based on deploying and supporting a software product they can neither control nor own. 'Improved by anyone' tends to mean improved by no one who has a real stake in the product.
What they mean is that FOSS is more likely to be developed with product quality and value in mind. Proprietary software needs to satisfy corporate goals too. And these are often contradictory to the spirit behind GDPR.
Problem as always is, it's all talk and (almost) zero enforcement in Germany.
Complaints to a data protection official take forever and are usually dismissed at first, even if counter to published opinions or decisions such as TFA. And only if you still care after a few years of waiting and at least one appeal might you get a decision, though usually a very cheap one for the perpetrator.
> Problem as always is, it's all talk and (almost) zero enforcement in Germany.
I have the exact opposite impression. Even in a small start-up, every new external supplier will be judged on whether there is any customer data processing in the US. People are super afraid of Google Analytics. If you use Google Fonts on your website you will get a cease and desist letter in no time from scummy lawyers. You practically need an external company to manage your cookie banner because it is a legal risk.
The first example isn't enforcement, it is due diligence and compliance in companies. That does happen, of course, sometimes in a useful way, sometimes to just have some fig leaf to point at in case of a complaint.
Google Analytics and Google Fonts are regularly enforced, but not by data protection officials. "Enforcement" of those is, as you've said, done by scummy private lawyers, scanning websites and sending expensive letters ("Abmahnungen") en masse. Basically, due to a weird precedent, those lawyers are allowed to give you unasked advice on your wrongdoing and bill you for it. But that is, afaik, a specialty of German law, and mostly limited to stuff that can be fully automated. So while you can scan for a website using Google Fonts, you cannot as easily scan for someone using Office365. Although you might, maybe, get a hint by looking at the DNS MX records.
What needs to be true about me and my website to possibly be subject to Abmahnungen? Does my website need to be hosted in Germany? Do I need to reside in Germany?
Just any address. Their point is, it needs to be a physical address - so in case someone wants to sue the website, they have somewhere to send the physical letters to.
In other words, many people got expensive physical letters, to make it in general easier for other people to send them expensive physical letters.
But yes, as far as I know, this only affects Germans. But once we control the EU, who knows.
But if I have no imprint which is a common cause of the Abmahnungen? I am curious because I am a German citizen, but haven't lived there in a long time. Right now I just ignore all of that legal German stuff. What would need to change for me to worry? Moving residence to Germany? The server being there?
Not really feasible in a lot of cases without giving up things the business absolutely wants. I work on an e-commerce site for a large company. Marketing wants to track all clicks and user inputs and get heat maps to improve the conversion based on their findings. They want to know where their users come from, where they go to see if their campaigns work. They also want google maps integration to find retail stores. They want users who come back 2 days later to retain their shopping cart and their preferences even without a login in case they checkout without an account. They want dynamic A/B testing based on user behaviour and they don’t want to/can’t reinvent all these solutions so they go buy them and the devs get to integrate them - whether they like it or not and some things simply make it so that you need to store some data on the client and communicate it on the client in some way while not being completely anonymous.
So cookie banner it is and to be sure you don’t get sued you buy that elsewhere.
> Marketing wants to track all clicks and user inputs and get heat maps to improve the conversion based on their findings. They want to know where their users come from, where they go to see if their campaigns work. They also want google maps integration to find retail stores. They want users who come back 2 days later to retain their shopping cart and their preferences even without a login in case they checkout without an account. They want dynamic A/B testing based on user behaviour and they don’t want to/can’t reinvent all these solutions so they go buy them and the devs get to integrate them - whether they like it or not and some things simply make it so that you need to store some data on the client and communicate it on the client in some way while not being completely anonymous.
Speaking as a user, I don't want your company to know or do any of those things. I'm very glad these practices are getting outlawed and I'd like your marketing team to know they can get hit by a bus for all I care; the world would be a better place without their cancerous doings. Psychological warfare against the general public is despicable.
I’m with you. In fact I have had more meetings with these people arguing against these practices than I can count. However, every single customer-facing project I have worked on so far that tries to sell something uses practices like these. Sometimes even worse. I guess it’s a result of being profit oriented before anything else, and it works apparently, otherwise it would not be done. So the change you advocate for is one I would like to see too, but it challenges structures which are so pervasive I’m not sure they can be easily reversed. If this company got fined for using Google Analytics their answer would not be to re-evaluate tracking; they would make their legal department lay out just how far they can stretch it while still getting away with it, and then do that.
You don't need notifications for purely functional cookies. If you have a Nextcloud instance that only uses a cookie to remember your user identity throughout a login session, no notifications are required. If you also feed the value of the Nextcloud cookie into a tracking system, that's when a notification is required. And only then.
With GDPR, the data protection agencies have grown teeth. And fangs. And claws and talons.
GDPR enforcement is young, and the goal is compliance, not maximum fines. So depending on the offence and the offender, they start with a warning or a small fine. This will ratchet up and the maximum is € 10 million or 2% of the previous year's annual revenue (not profit), whichever is greater!
Microsoft's annual revenue for FY 2022 (I guess they are early) was almost $200 Billion. So the fine for them could be $4 billion. Yes, that's noticeable and not something you want to explain to your shareholders.
And of course this seems to apply to their customers, for whom margins tend to be tighter, and for whom IT is not their main business, but an operating expense in the first place. For example, Volkswagen has an operating profit of around 6-7%. So 2% of revenue is around a third of their profit. And also around a third of their entire R&D budget. Yeah, compliance is the cheaper option by far.
There were plenty of EU countries with privacy laws. The laws were all ignored by all but the largest companies in the country. Getting FAANG to take note of local law was basically impossible.
On paper, the GDPR is weaker than what it replaced in my country. I lost some privacy rights with the GDPR, and gained some bureaucracy if I want my rights enforced. In practice, the GDPR gets some following, even outside the EU. It has teeth.
Enforcement is a major issue for most countries. I once asked for a data export from GitHub and GitHub said because I couldn't prove 2FA I couldn't prove I owned the account. The account was in my name with my profile picture; I can prove who I am via passport. I'm legally entitled to know what personal data they have of me and to get an export. The Netherlands were very wishy-washy and basically too lazy to do anything about it, probably because they were overworked.
GDPR mostly seems like an annoyance to developers while providing little actual benefit to users, since countries aren't willing to enforce it, and even if you do take it to court yourself the courts aren't doing much. In one case, a German court found that a company breached GDPR by using Mailchimp, but because they stopped using Mailchimp they didn't fine them for the breach. That is realistically a complete joke of a judgement. And honestly, there are lots of judgements that are basically similar.
Who would have thought that uploading business data (trade secrets) and personal data straight to servers that are known to be accessed by the NSA would be incompatible with GDPR? /s
The kicker is that EU companies are essentially paying to upload their trade secrets to their direct competitors in the US.
Yes. But there are too few of them, and usually in situations where other companies can still wait and see. "We aren't Facebook", "We are too small to be noticed" and "but we had them sign a waiver" are still prevalent in most companies.
For things to change, there would really need to be something like:
- data protection fines the whole of the customer list of Amazon/Google/MS cloud
- data protection fines a high-profile company a lot of money for using Office365
- a court forces a public institution to cease using Office365 (no fines possible there)
- enforcement accelerates to a point where, from complaint to fine, things take only a few weeks, instead of a few years, so that lots of medium and smaller businesses are hit. Currently enforcement seems to be starting with the big cases, and being bogged down in the complexity of those.
There's nothing wrong with prosecuting the large perpetrators first, and only going after the smaller ones once the large ones are under control. In fact, it's the cost-effective way of doing it.
Besides, the GDPR is not extremely clear, so setting the boundaries in a very public way is a good thing.
Don't know about Norway. But whether fines apply to public institutions is up to the member states, and most member states, including Germany, have decided not to fine their public institutions for GDPR violations.
> have decided not to fine their public institutions for GDPR violations
Because they’re too Byzantine to make enforcement practicable, or because they’re not seen as a privacy risk (the government in Germany should know lots about you), or something else?
The official argument is that fining public institutions is a game of taking from the right pocket to put in the left pocket. It's the state fining itself. Also, officially, public servants are thought to obey the law as a matter of course. A certain interpretation of the law can just be made an official order to all subordinate government agencies, and any civil servant disobeying that interpretation is at fault for not performing their duties and treated accordingly.
However, that all leads to the obvious workarounds: the official interpretation is usually the most lenient possible, and compliance is put off to some time next century due to lack of personnel/budget/willpower. And if something is found to be amiss, the data protection officer may order a government agency to fix whatever is wrong, but can neither fine nor discipline a civil servant. Because disciplining is up to the direct disciplinary superior, which cannot be (due to them being independent) the data protection officer.
So 3 enforcements in Germany in all of 2022, and the highest fine in Germany was 35mil. 35mil is how much for Microsoft? The yearly Office 365 fees of one of their DAX customers?
The possible fine for Microsoft would be 4% of the sales revenue of the whole company, which would amount to 6.8 billion dollars (at 170 billion dollars revenue in 2021).
The big fish all have their EU branches incorporated in Ireland for tax reasons. Filter by Ireland and you'll see some larger fines and some more well-known company names. And even then, it's a well-known contention within the EU that the Irish data protection authority is dragging their feet on investigations and fines because of the "tax reasons" part.
It's nothing, but once one of their customers gets a 5 million euro fine for using Office365 for sensitive data, the impact will be significantly higher. Microsoft can take the hit but most of its customers can't.
Microsoft's incompatibility with the GDPR puts some of its customers at risk. A fine or two and businesses might stop paying for those lucrative cloud subscriptions.
That's not what's being discussed. My comment asserts with certainty that a small business will never be punished as leverage against the upstream big corp.
It's not Microsoft's fault if customers use it to store GDPR relevant data. It's Microsoft's customers using them as an external data processor. It's the companies that are using O365 for such data that will get fined.
The fine is not to send a signal to Microsoft. The fine is a punishment for letting Microsoft process personal information when it's known that they do so in a way that violates the GDPR.
The €100 fine to that one website that included Google Fonts wasn't an attempt to get Google to put Google Fonts in a European holding or whatever. That was never going to happen. It was to punish that website for breaking the law.
Before anything like this will hit the news, there would first be a massive lawsuit that will probably take months or years. I wouldn't be surprised if Microsoft would throw lawyer money to the company involved just to make sure the lawsuit doesn't end setting a precedent against their product.
Never underestimate German courts and their willingness to uphold privacy laws when they get challenged.
Tech will end up exactly the same way finance is (if it isn’t already there). Employees will work for the regulatory enforcement agency for around five years on shit pay, learning how the system works from the inside and making contacts in the industry, before leaving and being ushered into a tech firm with a nice six figure salary. Meanwhile, no regulations will really get enforced apart from the odd token case against a big company so the agency can continue to justify its existence and funding. The fine against the big company will be a complete drop in the ocean and will have already been accounted for well in advance by said company as a natural cost of doing business. No-one will go to prison for any wrongdoing unless it’s a fraud case where someone’s tried to cheat the company and the regulators for their own individual gain, in which case they’ll be made an example of to ensure all the other players stay in line and don’t rock the apple cart. Repeat until the end of time.
Any attempts to appoint new leadership to reform the existing corrupt agencies will most likely end up being sabotaged from within by bureaucrats who gain from the system remaining dysfunctional. The only two ways you can effectively change it are:
- setting up complete new ‘start up’ agencies and appointing people to wind down and distract the power players in the existing ones.
- going full nuclear like Elon just did at Twitter and firing the majority of the workforce
So I first heard about it as a young man in the early 2010s when I encountered a woman who worked in the financial regulation sector in the UK who told me exactly what I just summed up in the first paragraph. Google “revolving door $INDUSTRY” and you’ll get a pretty good feel for how widespread it is. Naturally it’s downplayed by the official narrative such as in the last of the following three links:
If you’re based in the UK, buy an issue or two of Private Eye who will often name such people as well as the staggering amount of general corruption at play in UK politics.
As for the last paragraph, I recently heard some system thinkers express similar sentiments based on how FDR managed to enact real change and how most presidents have failed to achieve much in comparison since.
> During his first term, FDR quickly found that the federal bureaucracy, specifically at the Treasury and State Departments, moved too slowly for his tastes. FDR often chose to bypass these established channels, creating emergency agencies in their stead.
In time, however, these new agencies became bloated bureaucratic nightmares themselves. In my opinion, the circle of life extends to organisations as well as life forms. I view economic booms and busts as a “changing of the seasons”: old organisations that can no longer compete die and new ones take their place. The problems start occurring when government intervenes to keep zombie companies around because they’re “too big to fail”.
What leads you to think this will happen with privacy laws in the EU? Out of all jurisdictions they seem to be one of the ones you shouldn't fuck around with. They take time to pick up speed, but once they do, lord help you.
Wherever there is lots of money and power at stake there will be corruption to some degree. The EU might be better than most but it is absolutely still there.
> "For greater transparency, we would welcome the publication of the detailed DSK report, with appropriate redaction, alongside the detailed responses Microsoft had provided the DSK."
Redactions? How should the data owners be able to verify Microsoft's processes if some of the information is redacted?
IMNHO the most likely outcome is that o365 will come to be GDPR compliant - and so business will be able to (continue to) deliver on government contracts building on o365.
I use onlyoffice[0] because MS Office doesn't run on Linux. It is open source and seems to have the best compatibility with MS Office. You can self host it and/or use it locally. It also integrates with e.g. nextcloud or seafile.
Some features are missing yes, but the usability (IMO) is better than Libre-/OpenOffice.
I don't know how good the collaboration is but they seem to advertise for it.
365 is the cloud-based suite of Microsoft Office; you can still use Microsoft Office 2021 Professional or older versions.
365 is a nice way of collaborating at work; if you are a small business it is a nice product. For the big companies this is just going to be more headache for their I.T. department: now instead of relying on the Microsoft servers to allocate and store the documents, they will use any other server from who knows what company, hosted who knows where. Some will be hosted with e2ee including at rest, while others will end up using some shit show of servers from a company owned by some dude from not so friendly countries.
I understand that privacy for companies is a big risk, but regulating it this way can easily end with a cobra effect.
Yeah, the file storage is so messy - I still don't know if the file I saved is in SharePoint or onedrive, and that they seem to be the same but different at the same time
I've found these cloud editing solutions great for working with your colleagues but terrible for collaborating externally. You can't share a doc with their company for policy reasons and likewise they can't share with you.
I've resorted to sending docx back and forward instead.
Is it me or does Germany switch (back?) to open-source every few years? I remember being excited they were switching to Linux (or was it Munich?) years ago.
You are more or less. LiMux started in 2004. Last two points on its long timeline[0]:
* November 2017 - The city council decided that LiMux will be replaced by a Windows-based infrastructure by the end of 2020. The costs for the migration are estimated to be around 90 million Euros.
* May 2020 - Newly elected politicians in Munich take a U-turn and implement a plan to go back to the original plan of migrating to LiMux.
Last time I've heard about it, it ended with users (i.e. bureaucrats) complaining about missing features and/or differences between MS and the open source alternative and forcing switching back to MS
I shared the excitement, but as so often it was only executed half-way. In essence, instead of recreating processes from the ground up to fit the new reality, they tried to make everything as before. Unsurprisingly, that was a huge uphill battle - in the end they spent more money than before and had a lot of trouble in maintenance etc.
(Regarding the 2020 public announcement; nothing has happened since then IIRC so I would not count that in - just talk no actions)
It's quite safe to assume that none does. Unless all your data (including metadata) is end-to-end encrypted outside of the US, the service is non-conforming. And the internet makes it quite hard to encrypt metadata.
At this point, virtually no digital service - or in fact any business - can be considered to be compliant with GDPR. The reason for this is an ECJ case ruling informally known as Schrems II (https://www.gdprsummary.com/schrems-ii/ ).
That ruling not only invalidated the Privacy Shield agreement, but in fact prohibits the transfer of any data to any company affiliated with a US-based company in any way (including subsidiaries or even mere suppliers or customers), which comprises pretty much every company out there - US-based or not - because in today's globalized economy you'd be hard-pressed to find a company that doesn't in some way at least transitively deal with US-based companies.
Technically, the reason for this is the US CLOUD Act (https://en.wikipedia.org/wiki/CLOUD_Act ), which requires US-based companies to hand over any data, regardless of where that data is stored geographically. This also means that the common naïve assumption that you're safe in terms of GDPR as long as your data is stored in EU-based data centres is false as well.
So, when following GDPR and this court ruling to the letter, we'd (as in "everyone") pretty much have to stop trading and doing business altogether. Since that's (hopefully) not going to happen, none of this is enforced, at least not consistently or according to the rule of law (which in a way is even worse because at that point law and law enforcement become arbitrary and fines will be imposed based on how eagerly local authorities pursue these matters rather than universal principle).
Now, it can be argued that the EU and GDPR really aren't to blame because it's the US CLOUD Act that created this issue, after all. That CLOUD Act indeed is hugely problematic, to say the least.
However, the problem remains and it's on the EU to negotiate an agreement with the US that allows companies to legally do business in the real world (as opposed to an ideal world according to GDPR) again.
> it's on the EU to negotiate an agreement with the US
Wouldn't it be equally on the US to negotiate an agreement with the EU to maintain the global dominance their tech sector currently enjoys? I don't see a categoric reason why the EU should blink first.
The EU's relevance and clout is notoriously overestimated, particularly when it comes to the digital economy. There's this pipe dream that GDPR would somehow jumpstart a privacy-focused digital economy with viable alternatives to US-based services, cloud providers in particular. By and large, these ideas so far have proven to be unrealistic, delusional even.
Let's consider the possible ways this might play out:
1. The US maintains its position and the CLOUD Act, specifically. The EU maintains its position and GDPR and the Schrems II ruling, but doesn't strictly enforce those.
So, pretty much the status quo as it is today. In that scenario, the EU and local authorities will keep pestering EU-based businesses here and there, but overall prove they're a paper tiger with lofty ideals but no power or will to back those up with action.
From a US perspective, that's not only an acceptable but even a desirable outcome, because a relevant international party decided to deliberately hamper themselves and their economy with no repercussions for the US. So, no need for the US to blink first, or at all, as a matter of fact.
2. The US maintains its position. The EU maintains its position, too, but contrary to the first scenario does suddenly decide to strictly enforce GDPR and crack down on any business that doesn't comply.
Since, as outlined above, this would mean pretty much every business under EU jurisdiction, the entire economy of the EU would come to a grinding halt within weeks, which in turn would probably lead to major insurrections and the EU ceasing to exist within a matter of weeks as well.
This of course would entail major turmoil and crisis for the world economy as a whole as well, but the EU and EU countries would suffer the most.
So, not exactly a desirable outcome for the US. However, there'd be no need for the US to blink first in this scenario either. If a player decides to commit economic suicide, why should the other player indulge them?
3. The US maintains its position. Again, the EU maintains its position, too, but contrary to scenario #1 and #2 not only decides to strictly enforce GDPR, but first entirely extricates itself from the US economy (i.e. mercantilism 2.0) by not only requiring businesses under EU jurisdiction to cut all ties to the US but by managing to provide viable alternatives to US-based services first.
As pointed out above, so far this hasn't been happening and there's no obvious reason why that would change all of a sudden.
Still, even if such a scenario were realistic, the economic consequences probably would be more severe for the EU than for the US, too.
So, again, no need for the US to blink first.
Hence, in any possible scenario - however likely or unlikely - the US can simply wait it out and it's on the EU to make the first move.
<< the entire economy of the EU would come to a grinding halt within weeks,
You may have a better insight into this, but could you elaborate a little further? Is the entirety of the EU running everything on AWS the way the US seems to be, and thus making it a vulnerable monoculture of sorts? For example, I can see some heavily digitized countries suffer (Germany, Estonia), but not all of them seem that independent of paper documentation.
As outlined above, simply having a US-based supplier or customer might be enough for a business to be in violation of GDPR.
Even if your entire business is offline and all your processes are still paper-based (which today would be highly unusual, even in less digitized countries such as Germany, where quite a few businesses actually still rely on paper and - indeed - fax for at least some of their processes), that might still be the case.
More realistically, any run-of-the-mill SMB will use at least some digital tools, e.g., for accounting or for running their website. Relying on EU-based suppliers and EU data centres exclusively or even going all the way and storing everything on-premises doesn't necessarily mean you're compliant with GDPR.
If only one of those EU-based suppliers has any dealings whatsoever with just one US-based company you're technically in violation of GDPR again.
> There's this pipe dream that GDPR would somehow jumpstart a privacy-focused digital economy with viable alternatives to US-based services
I would like to see this, but given the extremely shitty track record of European software projects (400 million Euro wasted on a search engine, just as an example), I can only agree that this is very unrealistic.
it dates back at least to the warrantless wiretapping authorized by Bush with the 2001 Patriot Act and legalized with the 2008 update of the US Foreign Intelligence Surveillance Act,
being incompatible with the 2000-2010 Charter of Fundamental Rights of the European Union,
making the 1998-2000 Safe Harbor agreements between the US and the EU null and void,
as first judged by the Court of Justice of the European Union in 2015 (Schrems I).
GDPR (2016-2018) and the CLOUD Act (2018) are basically just the EU and the US digging deeper into their respective positions.
From what I've seen at a few places I've worked (you'd know the names), regulatory compliance is good enough to make the auditor happy, but that's about it.
Isn’t California data privacy law more or less equivalent to GDPR? If Silicon Valley’s companies don’t conform to GDPR, I would expect them to face the same type of issues locally. That will maybe come in the future, GDPR is still fairly new, that type of stuff can take a long time to develop.
I'm not European, and maybe this is why I struggle to understand this, but why do people want regulators to say, "This doesn't comply with our regulations, so you aren't allowed to use it?"
I understand the hope is that companies will comply rather than forego the entire European market, but if they don't, the last consequence is ultimately on the consumer, not the company.
It seems like the same type of thing as when Quebec recently decided any service that serves customers in Quebec must offer a French version of all their services. Quebec is a much smaller market than Europe, so the effect was that companies just stopped offering services to people in Quebec, but it seems like these are the same kind of issue.
Government wants services to be provided in a certain way. Service provider declines. Consequences disproportionately impact the consumer, not the service provider.
Why should it be up to a governmental agency to tell you you are not permitted to use a service because they think the service is being provided in a way they don't like?
For some reason it's a big national security concern when Chinese companies collect data on US citizens, but when Europeans apply the same caution with American companies, people across the Atlantic see it purely from a business perspective. Why is that?
This isn't TikTok and what people do on their private phones. This is a foreign company that has the capability to siphon off a lot of data about business decisions, businesses connections, contracts etc.
Imagine things would move towards every electronic document in American companies going through the servers of a European country, say in France. Do you really believe there wouldn't be an outcry in Washington? Do you really believe Congress would just watch? Do you really believe US security agencies would just sit idly by? I don't.
This has nothing to do with totalitarian countries. Regardless of the political system, this is about a loss of control. About industrial espionage. Ask anyone whose work concerns US national security how much they trust foreign democracies, like for instance France.
Let's be real, no Western country is banning Chinese products or services because China is spying on their own citizens or abusing Uyghurs. That's at best the "feel good" story sold in the media to get the people's support and distract from other issues. They're banning them for 2 reasons. One is that China will abuse them to spy and get a competitive advantage over those other countries. The second is that it's hard to compete in price so local alternatives are pushed out.
In the same vein the EU isn't blocking a US company from collecting data because the US is spying on its own citizens and abusing people of color. They're doing it for almost the same 2 reasons. Everyone knows (with evidence) that the US will abuse them to spy and get a competitive advantage. The second is that it's hard to compete in performance/features so local alternatives are pushed out.
The only reason to see a difference here is nationalistic bias. And that's fair enough, most people aren't educated enough (not talking just academic degrees) to be capable of critical thinking when their own principles or morals are under attack. They will just go to the first easy, "feel good" explanation when they do something to others, and the opposite when others do something to them.
For the same reasons you're not allowed to sign particular contracts, such as enslaving yourself. Without restriction companies will do every illegal thing they can get away with via their collective power of size versus your weak individualism.
In some cases it's rather trivial, in other cases it's dependent on the survival of the nation state to enforce the rules on the corporation.
Hmm that is a good point. It is forbidden to sign contracts of enslavement in every country I know of, even if the potential contractee is making it free from duress.
Therefore forbidding some types of contracts for everyone does have established precedent.
However, there does not appear to be a limit to this.
For example, can governments ban their residents from signing contracts to distribute or host porn, gambling, etc.?
> can governments ban their residents from signing contracts to distribute or host porn, gambling, etc.?
The question is always what do local laws say. Even in the US you have laws or court decisions that allow child marriage, non-revocable consent, upskirt photos, or regulate that men are allowed to show nipples but women aren't.
Other countries have equally outrageous (or reasonable, depending on your views) laws making something effectively (il)legal. So yes, governments can and do prohibit porn or gambling, or just the hosting and distribution. Laws and regulation can have a lot of purposes. They can protect you from abuse you may not even understand, or they can even protect the abusers.
> I understand the hope is that companies will comply rather than forego the entire European market, but if they don't, the last consequence is ultimately on the consumer, not the company.
This is one hope sure but at least in Germany the simple thing about it is that people don't want to lose control over their data if they don't have to (we even have a word for it: "Datensparsamkeit" = data economy/thriftiness). If that means that some German company won't be able to use O365, so be it.
Only few here will care what happens to Microsoft because of this. It's not about Microsoft. It's about people who use it (and/or force you to use it).
I don't see a downside here. There are other solutions within the Microsoft product portfolio and outside.
The fact that a government agency looks it up and gives you a result saves you actually money because you don't have to hire somebody to check that for you and save you from lawsuits. It's a service you already paid for with your taxes. I don't see the problem here either.
> I understand the hope is that companies will comply rather than forego the entire European market, but if they don't, the last consequence is ultimately on the consumer, not the company.
Essentially you are asking „why should a government expect anyone to follow the law“
It's more "why should a government expect any foreign company to follow the law".
Personally I run a small business, GDPR came out, our solution is to just violate it and not care. They have no legal jurisdiction over us so their laws do not matter.
If we had to comply with every jurisdiction's special laws on the entire planet we'd surely waste most of our time doing it.
<< If we had to comply with every jurisdiction's special laws on the entire planet we'd surely waste most of our time doing it.
Without making a judgment here if you do business somewhere the expectation typically is that you will comply with local laws. This is partially the reason why only big companies can handle truly international business.
<< GDPR came out, our solution is to just violate it and not care.
Anecdotally, when GDPR came out, in the old country the, almost, first thing that happened is whole bunch of companies started bothering small businesses saying they are not complying and offering to bring them into compliance by adding cookie warning popup we love so much.
It seems you are not doing business within the EU. Microsoft does business within the EU, and how important that business is you could see when Munich tread the water to migrate to Linux and OpenOffice.
Are you serious or is this a strawman posted as a joke?
Just applying this to medicine, car safety, building codes and fire, food safety, industrial regulations saying 'you can't dump toxic waste around', etc etc makes me really surprised someone would actually hold such a bizarre opinion.
The first misconception is that governments do what people want. They do what serves their national and personal interests. What people want plays a rather small role in it. Far too often they do the exact opposite.
> I understand the hope is that companies will comply
Not at all, they can comply or fuck off. The US gov just runs things differently from the EU. They want full access to everything in secrecy and will hand over or sell data to corporations if it serves US interests.
It means for EU enterprise all information on suppliers, customers, orders, road maps, finances etc etc can be forwarded to your US competitors.
You also forget how easy it is to make software. If [say] Microsoft no longer wants to do it there will be others.
The whole point of the EU is to instruct how business is done here. It was specially designed to stand up to uncle Sam and his army of evil automatons.
I agree in principle, but not if it is applied to Microsoft 365 or GCP.
If it’s my small business animal shelter, or my grocery store, or even just my little SaaS… leave me alone, please, from requirements like the Quebec translation law, or similar.
Microsoft 365 is different. Odds are that there are dozens of businesses you interact with, who store their data in 365 without your knowledge. Microsoft 365 is an “in the shadows” method you probably don’t know of that is sending your data to the US.
If I could lay down a principle, it would be that the privacy rule should be determined on the privacy level of the company I the consumer interact with. If I interact with an EU business, I do not expect my data to enter the US by any method. If I interact with a US business, that is implied consent.
Speaking from the US perspective, Europe still imports from Xinjiang region of China, where over 2 million Muslims do forced labor. The US banned imports already. Not only that, according to SCMP, they more than doubled in just August.
Straighten out the obvious before adding another yoke on small businesses.
True - but equating the US prison system to what is happening to them is an absurdity. It’s like if Nazi Germany said their camps weren’t that bad, after all, the US has prisons.
They just moved it to occupied foreign soil to technically not have a concentration camp in US soil. But then Germany had concentration camps in occupied soil as well, like Auschwitz in occupied Poland.
I think what parent is trying to say is that at a certain point over-regulation is not helpful and actually detrimental not just to the business, but the ecosystem as a whole. For a smaller business, onerous regulation could mean closing the doors. For a big business, the burden is also there, but it can more easily withstand it due to its size (and it typically has some resources to throw at a given issue).
I agree that there are some 'minimal functioning society' laws like the ones you listed, but I am not certain Canada law example in previous posts or GDPR falls in the same category.
As usual, the question is that of where the line is. And that should be determined by societies at large.
What parent forgot to mention is that (from what I managed to find out) law 96 doesn't apply to businesses with less than 25 employees. Down from less than 50 in the previous law (though I'm not certain what other changes might have been made).
Because individuals rarely have the choice here in the US. Our schools here require the use of Google accounts in a manner which is almost certainly illegal, but isn't enforced anyways. My kids' privacy is mandatorily violated because of a decision of the school district. So I have to hope regulators here will wise up and start to force schools to abandon harmful products.
So what you think of as freedom of choice often isn't for students, employees, and consumers. It's why we need drastically more business regulation to guarantee individual rights.
The EU has a population of nearly 450M. That's a sizeable market. You might imagine that Microsoft would like a piece of that and would be prepared to ensure that their products meet the standards required to earn it. They already go to some lengths to adapt their products to various locales and languages in order to compete in certain markets. Adapting Office365 to comply with EU law and gain access to that market would seem to be just the cost of doing business.
People expect their government to protect them. If I buy a product based on false advertising, I will be pissed off at the government for allowing that false advertising, instead of blaming myself for not doing due diligence. Similarly with food, I expect the government to disallow things that are seriously harmful to my health (think proven carcinogens). My personal data, if not handled correctly, can cause as much damage as me consuming a specific food that has been contaminated with a banned substance.
You make a general point about government regulation, and the answer is that choices made by individual consumers can affect other people too. Should people be given the choice of using leaded gas?
Then we can discuss if the GDPR protects important rights or not, but that's a different discussion.
I want to have the podunk builder build my house however I want. What is with all those pesky building codes!
Because they (the government) think it is the minimum required for a dignified, safe society. And they are placed in a position of power and must make those judgment calls, because that is their job.
Why would people want that? Because they understand, in general, that government is important and don't want an unhinged libertarian abandonment of mutual assistance in society. And in specific, because many of them value privacy enough to put up with this type of restriction. But of course there will always be people who find this or that law too intrusive, and in the EU that means they are free to organize, protest, be activists, vote, run for office, etc.
> Because they (the government) think it is the minimum required for a dignified, safe society. And they are placed in a position of power and must make those judgment calls, because that is their job.
Ha, this is a naïve view of it. In the US, this is only kinda-sorta true. Building permits can often be a lucrative source of income for the city and sleazy inspectors who often come out without the faintest idea of what they are looking at.
It often turns into holding previously-recognized rights captive and selling them back for cash. People get angry real quick.
(My father owns a small business in fireplaces. The inspectors often are idiots, and the city charges hundreds of dollars, sometimes more. Total grift we have to suck up. So much so they sometimes ask us what to look for. I doubt the inspectors have stopped any residential fires, ever, in some of these cities.)
Has your father taken this to his city councillor? If nobody reports the problem the city will think things are fine and nothing will change.
Regardless I’m quite happy with my safe home. I know that it’s not going to kill me. In some regulations have we gone too far? Yes. Have we gone too far protecting our data? We barely have anything in place, so I applaud the EU on forging ahead.
I know several people who help write building codes in the US in various fields, and none of them are incompetent or write code other than to deal with known concerns based on past building performance and materials testing, etc. That there might be a problem with enforcement is more a byproduct of municipal professionalism in general than a problem with building codes. I have never seen hundreds of dollars in my (high cost of living) area for a fireplace inspection, but I guess it might exist as an outlier somewhere. Permits cost more, but that is because we have very low property taxes in California, and they recoup through the permits because they need funding from somewhere.
But the building code reference was just to provide an introductory analogy. The sentence you quoted was part of my direct answer to OP's question, which was why the GDPR, and why would people want it.
The reasoning is that your personal data doesn't belong to you. It belongs to your government. A user's personal data is a vector for attack for a foreign agent. You can argue up to which degree this is correct or not, but the EU stance on this matter is one of paranoia.
The EU stance is this: "a person's data belongs to the person, and you can't obtain, collect, sell, or transfer this data in any way, shape, or form without an explicit consent from the person".
The US on the other hand: all your data belongs to the US government regardless of where you are on the globe: https://en.wikipedia.org/wiki/CLOUD_Act?wprov=sfti1 And this is on top of all the large scale data collection already performed by companies.
Finally, this is really great news for anyone European, I hope it won't take long to determine there are a whole lot of other MS products that should also be illegal.
I'm assuming that 100% of people saying "it's fine we have LibreOffice" or "it's fine we have Office 2014 installed locally" don't use it beyond basic PowerPoints and the occasional resume update on Word.
Just as an example, the world pretty much runs on Excel, and each version brings valuable additions.
Good guess! I use PowerPoint and Word. I occasionally use Excel for a quick spreadsheet but for data storage we have databases and for visualisation we have Grafana. The only time I use the live edit feature of Excel is when we are coordinating pizza orders.
I genuinely don't understand why anyone would need MS products ever. I thought it was just hard lobbying that made it so our institutions have to use that garbage.
"reject the existence"? What are you on about? I had to use MS office all my life and it has always been a very poor user experience, I wished I wasn't forced to use it and now maybe people won't be.
Both are true, I was forced to use subpar solutions because MS paid a lot of money to become the default. I have no idea why anyone given the freedom to do so would choose MS products over alternatives.
These people keep acting like they're so clever for figuring this out, yet in reality all they're doing is giving death sentences to European companies by making them unable to use industry standard products.
Let me fix that for you: "industry standard products" -> "monopolist's products".
Microsoft spent decades aggressively lobbying European governments and companies to use their stuff. Even if this finding has any short term impact (see the other comments about this point), I find it hard to believe Microsoft wouldn't swallow the pill and simply become compliant. If not - yeah, companies who are entrenched in Microsoft products have to find alternatives, which is gonna cost them significant efforts, but also open the door to more competition. Sounds like a short term problem for European businesses even in the worst case scenario.
The main problem for them is that it's not in Microsoft's power to be compliant here, as the problems are created by the US CLOUD act, not Microsoft's own policies.
The only way for Microsoft to become compliant is to carve out its European business into a separate organization (not even a subsidiary -- it could be that even a joint venture would not be enough to escape the reach of the CLOUD act).
If they can do a double Irish with a Dutch sandwich to pay fewer taxes in Europe, I doubt they couldn't find a creative way to deal with this. They only have to be compliant enough for the fines and repercussions to be lower than their profits.
It's not just about swallowing the pill: MS has a close relationship with the US government, and NSA having a backdoor to workings to all other countries is a part of US keeping its power, so it's national security critical for US (just like for EU).
Everyone in Europe would like Europe to innovate more. Unfortunately every time European governments add more regulation they usually also make it harder to do that.
You need to find the sweet spot. Too little regulation is harmful. Too much regulation is also harmful. The EU and US are near opposite ends of the spectrum at the moment and neither is an ideal place to be. The US produces many more financially successful big tech businesses but those businesses do a lot of things we don't like. The EU doesn't produce many successful big tech businesses in the first place.
I don't agree with everyone in Europe wanting to innovate more. I'm a Bulgarian citizen and from my PoV only a small group of people want to innovate. One good thing that I've noticed is that the snowball here is slowly spinning up - we have a good university trying to be on an Ivy League level as much as it can (for Bulgarian levels it's good, for EU maybe just about average) which teaches people tech or whatever they want to learn. Some part of them have really sharp skills. But a big portion of them don't really care about innovation, they still have the mindset of their parents/grandparents which is: I get my bachelors, I maybe get a masters, I work one job for the rest of my life and that's it.
I'm more a fan of the EU because I think these sorts of regulations are good. The thing they do wrong here is that they do it slow. E.g. they introduce the universal USB-C port, companies won't be motivated to innovate on that tech since they know it'll take ages for the EU to update the law. So after all yeah finding a sweet spot of course is the best, the thing is that we don't know how to find it.
> I work one job for the rest of my life and that's it.
Fight tooth and nail to preserve this. We're living in the future here in USA, trust me on this, gig economy and corporate churn sucks. You don't want to get on this ride.
Is it bad that companies don't innovate on the power outlets anymore?
(BTW, USB standards are up to 240W already, it would be a decent power cable itself alone if not for the fire / power loss / safety / cable size issues that DC causes...)
I don't think that creating a web based word processor, cloud storage and an email hosting service is something that is impossible for a whole continent to do. Especially considering that o365 isn't exactly the gold standard when it comes to software quality.
They mean in the sense that it's an American company first and foremost. Having worked there a few years I can certainly attest to that, even if they do put a nice enough veneer of local adjustment for their non-US orgs.
It's harder as Europeans are scared of debt, it's just a system based on misery and poverty where the rich are richer and the poor just produce a cheap migrant workforce for northern Europeans.
Both China and Russia eschewed US tech and they have much, much healthier tech industries than Europe.
The US also doesn't really believe in foreign competition ("Buy American", recent huge industrial subsidies as part of the IRA), so I don't really know if Europe should kowtow to the US here. If the US gave up on the CLOUD act none of this would be a problem anyway.
Monopoly is not the same as "industry standard". And specifically in the case of Microsoft Office / O365 there is very little actual benefit of using it over any of the more open (and even free) alternatives... rather than being an "industry standard" it's really just an "industry default", i.e. what most companies use because no IT manager ever got fired for deploying it.
Businesses operated just fine before O365 came along and they will operate just fine after O365, this is a pretty moot point. "But they can't use what they're using right now!" Yes, that's the point, because what they're using right now is breaking the law.
Businesses used Microsoft Office before 365 for decades now. In many industries all software integrates with Office applications and with Microsoft pushing everything to 365 subs, moving back to standalone Office will be difficult enough.
You could look into NextCloud and their NextCloud Office if you haven't heard of it yet. If you have, are there any points that speak against it in your opinion?
It's open source so you can even self host. Should be more than enough for most companies.
Not sure how difficult the set-up process for an enterprise environment is, I only used the docker version before. But it should be viable and if a company has money for Microsoft365 they should have money to pay someone to set it up and manage it for them.
I know NextCloud, for having self-hosted it for years, alongside many other similar software and having reviewed its code. I am a strong proponent of open source, both as a user and a developer - and managed IT for very large companies (this is to bring some context to my comments).
While something like NextCloud or Seafile is fine for personal use or for small teams it is no way close to something like Microsoft 365 with the extensive backend it provides out of the box. Not to mention email integration.
Again, this is from the perspective of someone who uses and develops open source software and hosts a lot of services for personal/family use, but also from someone who knows the complexity and batshit crazy architectures you find in large, distributed companies.
If we managed to have in Europe something similar to Zoho, driven by European laws, that would be fantastic. We do not, and this is a real shame.
> But it should be viable, and if a company has money for Microsoft 365 they should have money to pay someone to set it up and manage it for them.
Microsoft 365 is expensive, but the expense of running a home-made solution for a large company is not only the pure management, but also the ability to have hope if there is a problem. I have raised issues for Nextcloud (some of them quite impacting from a security monitoring perspective) and the community replies were horrible. If NextCloud does not monitor the community forum when someone raises such issues then I cannot have any trust that they will fix it for a paying user.
I have to admit though that O365 is handy for collaboration. I hope we can do something like a LibreOffice-based similar thing that companies can start using as a platform for online collaboration.
Where I work we already have lots of regulations on what we can and what we can't store on SharePoint or work on O365. My job is mostly safe from those inconveniences, but one of my first jobs was to build an asset delivery system that would comply with a number of US and EU regulations on what asset can be delivered to whom from where. Took lots of meetings with legal.
If your business processes are based on that: yes. You may argue "adapt your processes" but that's not something that you do within a week. Besides that it's also about exchanging information. Excel is a quasi-standard in some cases. Again you may argue "change that, it's ridiculous". Still it's not something that you "just do".
I don't disagree that finding alternatives will be expensive, but I think this is the same harmful thinking we have in the US where people disagree with regulation that adds necessary protection at the cost of business. So we have a "regulation is bad" mindset. Most prominently I wish we could convince companies here to believe handling/retaining unnecessary data is like handling something radioactive. Until we convince these companies it's a danger to themselves, we won't see change. Sure, in the near future US companies will have an advantage continuing to use Microsoft 365, but harm to our privacy and beyond that is demonstrable. I haven't used a computer like it's my own private space to think in decades because of what I know is collected with telemetry. My creativity and passion for computing is harmed by what Microsoft engineers its products to do, and glean from my daily use. If Microsoft wants access to a large customer base in Europe, they should make changes to their products that respect consumer privacy laws in that area. I hope we benefit tangentially.
Something-something auto makers conform to California emission laws, same argument.
Absolutes are often bad (i.e., zero tolerance). And many regulations are absolutes. It isn't enough to comply with the law as written, you have to comply with the strictest interpretation that a judge may come up with. And that may not be enough, because some court may be even more creative in their interpretation.
Also, oftentimes businesses like regulation, as it forces all their competitors to play on the same playing field. Which may be easy enough for established players, but is a difficult moat to cross for smaller up-and-coming organizations (regulatory capture).
Then there is the frequent enough occurrence of conflicting regulations. For example, the EPA may require that an oil change shop store used oil above ground (underground storage can have undetected leaks). But the fire department requires below ground storage (above ground is a fire hazard). So which regulation do you violate? The one that fines you less, and the fine is a cost of doing business.
Yes. Without careful stewardship, the compliance becomes a very weird dance, where regulators might focus on things that actually undermine the original intent of the law. For a different example, let's look at the BSA front in the US banking system, where SARs as a system was developed primarily to assist LEOs, but due to overzealous enforcement by various regulators, banks effectively threw their hands in the air and collectively said "Fine, we will report everything." (look up defensive SAR filing if you are curious about the details). And now we are in a weird situation where LEOs have to sometimes say things like "If you file it, make it stand out and tell us why it matters so that we can use it" (paraphrased).
I think that's a bit more nuanced. There's definitely a lot of "nobody gets fired for MS", and lots of big companies use O365 because of existing licenses. At the same time, there's lots of small companies using Google suite. There are companies relying on specialised software. There's lots of those that don't use anything beyond a simple text editor where switching is trivial.
And yeah, huge companies rely on O365, but those will get fixes that get them to compliance very soon.
Well, I'm European and I can tell you from the inside, it's not the same mindset at all. We don't want to grow companies, in fact we barely give a fuck at all. It's hard to understand for capitalists, and I disliked this mindset so much I moved to Hong Kong, but that's what the people vote for: they'd rather have no growth and no Microsoft 365 than put their data there.
People in most of Europe are truly convinced finance, money and growth are mirages made to enslave them in eternal pursuit of an unreachable state, and instead prefer to cool it down. It's not a pragmatic strategy because it ignores we're not alone.
What's funny is that many Europeans I have spoken with from across the continent have the attitude that you come to the US when you are young to make money then retire to Europe to take advantage of the social safety net.
Perhaps not your personal opinion, but definitely one that is anecdotally common among white collar workers.
Indeed. I've heard it from Serbians, Bulgarians, Irish, Scottish, Swedish, German, Italian, Romanian, and Belgian folks that I can recall offhand, maybe more that I'm not completely recalling.
I'm actually surprised by this since I've always thought of Sweden, Germany, Italy, Belgium as very good countries. I can only speak for Bulgarians as I know how the mass thinks here.
However, as a citizen of an EU member state, I'd say GDPR pretty well aligns with the general notion of the people.
Sometimes people ain’t happy when government uses GDPR as a scapegoat to keep iffy data private. E.g. hiding final beneficiaries of companies. But I don’t see people unhappy that GDPR prevents crappy software practices.
Same deal as credit cards. Here in Europe card processing fees are capped. Thus we don't have US-style kickbacks or points programmes. Which probably limits credit card issuers' innovations and business models. But I don't see people complaining about that.
> It's not a pragmatic strategy because it ignores we're not alone.
It's worse than that, it's delusional and hypocritical. Here in Sweden people will proudly write "We are not like the Americans" on their iPhones, drive Teslas and generally base their whole lifestyles on the foundation created by American capitalism and made possible thanks to the protection of the US military.
One other way to see this is that this will stop MS360 from being the "industry standard", it doesn't take that much effort nowadays to make an alternative that is good enough, we are past the days where collaborative editing is considered "cool".
People from the US tend to underestimate the EU, the EU could easily give a bit of cash to a competitor along with some juicy contracts, the US is not the only bloc that can throw millions at a problem.
I'm not sure why there is such a doomer sentiment (mostly from the US community but also some EU) about stepping away from Office 365. There are already existing replacements which do comply with GDPR for all of their service (modulo any vendor lock that I can't think of right now). The ruling is mainly for Gvt and Edu sectors since those handle PII regularly through these services, so the main challenge will be packaging the currently relatively fragmented market in such a way that these sectors can migrate and adopt easily, which if done right is a single-time investment from the EU.
Finding mail and cloud storage alternatives is fairly easy, but as a business operator having this bundled into good identity management is what makes it hard to replace. OIDC provider support with mail and a secure way to store documents and I would be good.
Then Slack could be wired in via SAML or APIs for account management etc.
Right now it's just a huge undertaking to replace the convenience of GSuite or O365 :(
Maybe in your case self-hosted/on-premise OnlyOffice is an option[0][1], but as I implied earlier the main issue currently isn't that there aren't alternatives for each individual service but that often a combined package is not there yet.
It's very likely that (if this becomes a bigger issue within the EU), the EU itself will provide more convenient options.
I would argue it's basically impossible to have an internet connected app that does not run afoul of GDPR in one way or another. It's really just a question of how much of GDPR you can comply with at a reasonable cost, or whether a better strategy is to do your best to comply with the spirit of GDPR, if not the letter.
Aren't CDNs against GDPR in some cases? Seems like an overly broad regulation that is enforced but often dismissed in judgement. Changing nothing, adding headache, and preventing meaningful regulation from taking its place...
And when you request data from companies, you don't even get what you want a lot of the time because it is often aggregated.
It would really depend on the situation to be decided, whether MS would have to pay up, or rather the company using MS products to handle customer data. One can imagine a way to use MS products that might not be illegal, e.g. never use it to process personal data, use anonymized accounts that are not bound to a real person, swap around accounts and computers to prevent association with a person, etc. Then, all it would take for MS to get its 'get out of jail free'-card is to publish that in a whitepaper and make all the problems just be an unfortunate misconfiguration by the company using MS products.
Microsoft can already claim that you can use Excel legally by only ever using it as an expensive calculator or table layout generator.
A theoretical methodology to do so is not enough to make their spyware legal.
There are alternative products that can do almost everything Excel does in almost every real life company without consuming data like the Very Hungry Caterpillar. It's up to them to prove why they need all that data that others don't need, and in what specific ways this data is used for the good of the customer.
Microsoft will need to act and change to solve this problem.
That’s a good point: The use of general-purpose tools like Excel is by essence non-GDPR compliant, since there is no way to mark a column as “person” and therefore attach it to that person’s rights.
Therefore, all corporate tools must be specific for one purpose when managing PII, and no tool should allow free-text fields. Excel, Access, notepads shouldn’t exist in companies.
The point isn't about the tool, it's about where and by whom the tool is run.
Office 365 is cloud based, that's what makes it potentially non-compliant. Having Excel in your company, on your computer, and the data never leaves that computer is a totally different scenario.
The fine is so outrageously high (up to 4% of global revenue) exactly so this argument can't be made. It's really hard to imagine that implementing proper privacy controls would cost 4% of Microsoft's global revenue, it amounts to US$ 8B for the past year...
But more privacy means less data they get and less revenue they generate by using that data, similar to how Meta/Google are affected by Apple privacy changes, at least that's my speculation.
You can still use office365. It's just that the cloud-based M365 shouldn't be used.
TBH, I used to work at a bank (and now at an energy company), and the anecdotal evidence I have is that no big business uses M365 cloud services (2 for 2 now). At least not in the IT department, even where we have people using Access to mash .xlsx together and get actionable data from it.
[edit] I must add that the bank used Azure (as an AWS backup mostly), and still, we had no M365 product installed on our Microsoft computers.
I'm not a hater or anything, I do have a FOSS bias, but I try to stick to the facts here.
LibreOffice has a ribbon these days. There are several ways to run it in the cloud with simultaneous editing. I don't know what the default UI settings are like these days, but the UI design is quite comparable to Office.
I suppose Office went "everything is flat and coloured rectangles" but I don't think that's necessarily a good thing.
What a depressing reality where hostile US corporate data privacy practices and hostile US surveillance law take de facto priority over the EU's own privacy legislation meant to protect its own residents. I wish the EU politicians and regulators were more willing to enforce their own rules, and that the ECJ were more willing to be explicit rather than implicit about the meaning of its Schrems rulings, all of which would eventually force a privacy-protective solution to the problems you describe.
They have more power over MS than they think if they're willing to exercise it, but they're mostly not willing. (Examples like the Dutch public sector do exist, where they were able to get different terms from MS that are more compliant with the GDPR, including effective audit rights that have successfully verified compliance with these terms.)
What a depressing reality where hostile US corporate data privacy practices and hostile US surveillance law take de facto priority over the EU's own privacy legislation meant to protect its own residents.
The EU has provisions for very similar "hostile surveillance law" in its own member states. It just gave them a get out of jail free card in the GDPR. There is a considerable amount of hypocrisy about the EU's positions on privacy and data protection.
The trouble with this whole subject is that you get grandstanding politicians trying to make big statements that go so far that it becomes unrealistic to enforce them because you'd cause catastrophic economic and/or social damage. If you really want to improve things what you need is steady, incremental progress towards restricting unwanted invasions of privacy. You can start with the most invasive commercial spyware. After a while you have moved the Overton window so that the worst excesses of governments' own surveillance programmes start to become viable candidates for reform as well. Ideally you eventually move societies away from the politics of fear that motivates those kinds of mass surveillance laws but that doesn't seem likely any time soon.
Yes, I'm not defending the EU hypocrisy or their own hostile surveillance laws. However, keep in mind that this report mentioned many issues about MS's own processing purposes, policies, and practices, and wasn't only about the problems posed by US surveillance law. It's those MS-specific issues for which the Dutch government got fixes applied to Dutch private sector use of MS 365; naturally they haven't changed US surveillance law.
And as bad as government surveillance is in both the EU and the US, it's awful when local companies send the data of the majority of their population into the jurisdiction of surveillance law whose political bosses the population can't even indirectly vote against.
This is rare in the US because US companies rarely send the data of US citizens to EU providers, which itself is because the big tech players are American. Whereas for exactly the same reason of where the big tech players are based, it's common for EU companies to send the data of EU citizens to US providers.
I think we probably agree on almost everything here. I'm not defending the corporate surveillance culture. On the contrary I think that should be the first target.
I'm only saying that in politics you have to pick your battles if you want to make real progress instead of earning a ten second sound bite on tonight's news. The EU politicians aren't so good at that sometimes and the result is legal positions like Schrems II that are so impractical that they are widely ridiculed and compliance is negligible.
Yeah, well the reason the Schrems II ruling is widely ridiculed with negligible compliance is not because of the ECJ ruling - it's the natural result of the legal status quo on both sides of the Atlantic and was predicted accurately by plenty of lawyers who weren't forced by their financial incentives to ignore the obvious.
It's ridiculed and ignored primarily because enforcement is irrelevantly rare and small in financial impact, just like enforcement of the rules around cookie consent and many other aspects of the GDPR. Companies calculate that true compliance costs more than pretending to comply plus occasional fines for not doing so. Therefore they don't implement the parts of true compliance under their own control, and don't feel a need to lobby politicians on either side of the Atlantic to fix the incompatibility between US surveillance law and the GDPR. Similarly, the politicians and regulators are okay pretending that new EU-US agreements with no real legal substance can solve the problem, such that nobody has to comply and the ECJ and Max Schrems stay busy spinning their wheels.
If this were different and the EU were actually enforcing the rules, either companies in the EU would have to stop using American providers - helping build a home-grown EU software industry without being crowded out by American providers - or US companies like MS would have to change what internal practices they can and lobby the US government to make the necessary legislative changes for them to fully comply with the GDPR.
To be honest, I don't think the EU politicians/regulators are bad at what they're trying to do. It's simply that what they're trying to do is to look tough on privacy while actually not pissing off the deep-pocketed megacorps and the politicians they can/do fund on either side of the Atlantic. Which is different than what I'd like them to do, of course.
It might imply that O365 services in the EU/EEC will increase in price - but I'm quite certain the data privacy will be better.
Remember that this has implications for all businesses that deliver on government contracts in the EU - they would all have to move away, for example not hosting email with o365 because government won't communicate details involving GDPR protected data over untrusted services (even with encryption enabled).
We regularly discuss GDPR matters in our German company because there's a lot of FUD concerning the various cloud platforms and we have to cater to sensitive customers with our own hosting. One extreme is that you can't use AWS at all because of Schrems and it's a US company etc. On the other hand there's some hearsay about Microsoft (Azure) being tolerated because there's no way around it.
Imho, the "FUD" is largely right and most cloud platforms are indeed illegal.
However, due to enforcement being absent or taking ages, there are too few legal decisions and big expensive enforcement actions that one can point to. Currently everything is really still fear, uncertainty and doubt, the hammer hasn't come down yet. I'm not sure if it ever will, at least not before EU institutions or other member states such as France force Germany to stop dragging its feet.
It's a bit tedious to work in that climate of uncertainty. Every time we want to use some AWS service it prompts endless discussions.
On the other hand it made us research and use European alternatives such as Hetzner (they have a cloud too, although with less SaaS offerings), OVH or Scaleway.
There's already some high level people lobbying to update the interpretation of GDPR in a way that it would require proof of actual harm to the user for any fines to be issued - essentially completely neutering the regulation.
I don't really understand the GDPR, maybe because I'm not a lawyer.
For example, the GDPR states:
>An establishment's failure to designate an EU Representative is considered ignorance of the regulation and relevant obligations, which itself is a violation of the GDPR subject to fines of up to €10 million or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater. The intentional or negligent (willful blindness) character of the infringement (failure to designate an EU Representative) may rather constitute aggravating factors.... Businesses must report data breaches to national supervisory authorities within 72 hours if they have an adverse effect on user privacy. In some cases, violators of the GDPR may be fined up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater...
Why have neither of these been done? Speaking as an American who has spent his entire adult life advocating on these issues, it personally offends me when I basically get myself punted out of so called civil society trying to get a law like this enacted, and then our so called "allies" across the pond refuse to utilize it.
Here in "The States", folks used to joke "I'll believe corporations are people when they execute one in Texas"... given the EU's views on the death penalty, maybe some of these companies should be given what the Chinese would call "death with a suspended sentence"[1] -- fine them the full two to four percent, and use that money to fund things like universal health care, pensions, and the rebuilding of critical infrastructure instead of... well, based on my last trip to Tim Hortons[2], it looks like the new hotness is building a buncha condos that sit empty and drive up the rents -- but it's been a while, so I'll let any Canadians who want to wander in below and give their thoughts the floor.
The above is what I like to call "venture socialism". It is not communism, it is not even really socialism, more just... republicanism. But I can understand why even that feels violent and oppressive to... some people.
[1] https://en.wikipedia.org/wiki/Death_sentence_with_reprieve
[2] Fun fact: for many Americans, the cost of a passport, let alone an international vacation is out of bounds -- once you understand this, a lot of the past four to forty years begins to make sense.
I can change the bio to a quote more literary in a bit if that'll help you address my ideas instead of my reputation.
Folks seem to pick and choose when to take me seriously in the hacker scene, which is amusing considering rumor has it "Chapo Trap House" is a reference to what the portmanteau of DNS requests coming out of my college house share looked like to the local FBI field office during the Pittsburgh G20.
Spoiler alert: One guy was playing a lot of illegal poker, one guy was really into certain types of... free expression... and one was discovering the joys of democratic socialism as he did experiments on undergrads like Bill Murray at the beginning of Ghostbusters as he pirated everything on the IMDB Top 250. Guess which one was me, and you win a special prize.
Related: https://news.ycombinator.com/item?id=33686599