Getting out of the cloud…

So this happened (Warning: 1st clickthrough opens newsletter subscription window, 2nd clickthrough works, if you accept cookies):

Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

This basically destroys the legal groundwork that the Privacy Shield needs to stand on. Privacy Shield is supposed to be the legal framework that enables US companies to process personally identifiable information (PII) of European citizens in the US.

Privacy Shield replaces the Safe Harbor Agreement, which has been challenged in court and found inadequate. As a replacement, it is already being found inadequate by many parties, and will be challenged in court again once it becomes active. With the current situation, the viability of the agreement is being weakened even more.

The WSJ reports Trump Executive Order Jeopardizes U.S.-EU Data Pact, Lawfare is also kind of undecided, and EU Observer reports Trump’s anti-privacy order stirs EU angst and quotes

“I need to be reassured that Privacy Shield can remain”, EU justice commissioner Vera Jourova told EUobserver on Friday (27 January) in Malta.

At Papers Please the outlook is less undecided, obviously: “Trump repudiates agreement with EU on PNR data”, and so is diginomica: “Privacy Shield’s wooly thinking just unraveled thanks to President Trump”.
On the other hand, Forbes speaks about “The Anti-Business Implications Of Trump’s Xenophobic Privacy Policies” and the relatively sober National Law Review advises companies:

Recommendation:  Companies relying on the Privacy Shield framework as their data transfer mechanism should consider having a “back up” data transfer mechanism for key contracts, such as Standard Contractual Clauses (“Model Clauses”) or Binding Corporate Rules (“BCRs”), in the event the Privacy Shield framework is invalidated.  However, given the validity of Model Clauses is being challenged in the Irish High Court, they may not be a perfect solution.

This is Lawyerspeak for GTFO.

So if you are running your shit on US soil, or in a US company's cloud, you should have implemented a backup solution last Friday. Yes, that is your shit on Amazon, GCE or Azure or anything else that’s not European.



  1. kris

    Microsoft is the only cloud operator that kind of anticipated that: They created a European shell company and then handed the operation of their Frankfurt Azure data center to Deutsche Telekom _through_ that shell company, just to be sure.

    and especially “What matters is the legal and technical separation”. That is, it is important that the data is not physically in the US, and that the US company does not own or control that data, and is not otherwise related to it or administratively able to access it.

    Or you choose an EU cloud provider. There are plenty.

    • Jason

      Can you recommend some? Off the top of my head I only know Jiffy Box from DomainFactory and Microsoft Azure (afaik Microsoft founded a German subsidiary – or used the existing one – who then bought and owns the equipment, but the DCs are operated by T-Systems so that Microsoft does not have access to the data).

      Any recommendations for (good) EU cloud providers highly appreciated!

      • kris

        This blog is hosted at one, I don’t have a huge deployment, but it works for me.

        • Nisse

          Please be warned, Scaleway do NOT use ECC RAM. This means that if you run into faulty RAM, your backups and data will be ruined long before you detect it.

      • Mr P.

        What about OVH, French hosting company, n°3 worldwide?

        They have got datacenters in France, UK and Poland and are currently building one in Germany.

  2. Bernd

    Hm, the privacy policy of agencies has nothing to do with private-sector companies, though…

    Somehow it is not helpful to read more into Trump’s instructions than is actually in them.

  3. Phil

    Just to echo the last comment (in German) – this is spreading FUD. The Privacy Shield doesn’t rely on the US Privacy Act 1974, so the new executive order doesn’t impact it. The Squire Patton Boggs post you linked to has misled you.
    The Privacy Act is relevant to the Umbrella Agreement, which affects non-commercial data flows (sending data from the EU directly to US agencies, like the Department of Justice, e.g. airlines sharing passenger data directly to US). There’s no connection to the Privacy Shield, which is for company – company data flows. See for the fuller explanation.

  4. Carlos

    OVH offer bare metal servers if you don’t mind managing some servers by yourself. They work in Canada. Of course they are not like Amazon, GCP or Azure, but they started working outside USA to avoid those kinds of issues.
