Yes, I'm not defending the EU hypocrisy or their own hostile surveillance laws. However, keep in mind that this report mentioned many issues about MS's own processing purposes, policies, and practices, and wasn't only about the problems posed by US surveillance law. It's those MS-specific issues for which the Dutch government got fixes applied to Dutch private sector use of MS 365; naturally they haven't changed US surveillance law.
And as bad as government surveillance is in both the EU and the US, it's awful when local companies send the data of the majority of their population into the jurisdiction of surveillance law whose political bosses the population can't even indirectly vote against.
This is rare in the US because US companies rarely send the data of US citizens to EU providers, which itself is because the big tech players are American. Whereas for exactly the same reason of where the big tech players are based, it's common for EU companies to send the data of EU citizens to US providers.
I think we probably agree on almost everything here. I'm not defending the corporate surveillance culture. On the contrary I think that should be the first target.
I'm only saying that in politics you have to pick your battles if you want to make real progress instead of earning a ten second sound bite on tonight's news. The EU politicians aren't so good at that sometimes and the result is legal positions like Schrems II that are so impractical that they are widely ridiculed and compliance is negligible.
Yeah, well the reason the Schrems II ruling is widely ridiculed with negligible compliance is not because of the ECJ ruling - it's the natural result of the legal status quo on both sides of the Atlantic and was predicted accurately by plenty of lawyers who weren't forced by their financial incentives to ignore the obvious.
It's ridiculed and ignored primarily because enforcement is irrelevantly rare and small in financial impact, just like enforcement of the rules around cookie consent and many other aspects of the GDPR. Companies calculate that true compliance costs more than pretending to comply plus occasional fines for not doing so. Therefore they don't implement the parts of true compliance under their own control, and don't feel a need to lobby politicians on either side of the Atlantic to fix the incompatibility between US surveillance law and the GDPR. Similarly, the politicians and regulators are okay pretending that new EU-US agreements with no real legal substance can solve the problem, such that nobody has to comply and the ECJ and Max Schrems stay busy spinning their wheels.
If this were different and the EU were actually enforcing the rules, either companies in the EU would have to stop using American providers - helping build a home-grown EU software industry without being crowded out by American providers - or US companies like MS would have to change what internal practices they can and lobby the US government to make the necessary legislative changes for them to fully comply with the GDPR.
To be honest, I don't think the EU politicians/regulators are bad at what they're trying to do. It's simply that what they're trying to do is to look tough on privacy while actually not pissing off the deep-pocketed megacorps and the politicians they can/do fund on either side of the Atlantic. Which is different than what I'd like them to do, of course.