back to article US lobbyists commission report dismissing proposed EU cloud regulations

A proposed EU Cloud Certification Scheme has met with further criticism from a European policy think tank, although it turns out its report was commissioned by a Washington-based IT industry lobby group. The European Cybersecurity Certification Scheme for Cloud Services (EUCS) is intended to put in place an EU-wide …

  1. Doctor Syntax Silver badge

    So it's OK for the US to restrict access of Chinese firms because the Chinese govt. could lean on them to extract data but it's not OK for the EU to restrict access for US firms because the US govt could lean on them to extract data. Does that sum it up accurately?

    1. Youngone Silver badge

      Does that sum it up accurately?

      Yup, that's about right. When we do it we're the good guys, but when China does it they're a brutal dictatorship.

      1. elsergiovolador Silver badge

        but when China does it they're a brutal dictatorship.

        But it's kind of true though.

        1. Anonymous Coward
          Anonymous Coward

          @elsergiovolador - Don't know why so many up votes.

          Dictatorship is written in their constitution. Besides, the words "kind of" are muddying the water. Is it or not a brutal dictatorship ? Compared for example with North Korea, how brutal is it ?

    2. VoiceOfTruth

      It is time to call out all US cloud operators in Europe as nothing more than spy machines for the Uncle Sam. If US companies want to operate in Europe they can obey the rules or they can leave.

  2. Claverhouse Silver badge
    Meh

    Optional by Default

    ...would hamper big US cloud providers such as Amazon, Google, and Microsoft from doing business in Europe.

    As with so much of Tech innovation and initiatives, I cannot think of any way this would impact me for good or evil.

    Apart from a general avoidance of US companies ---- yes in part due to their loathsome greedy hoovering up of data --- I utterly avoid Amazon, use Google only for Search ( even as it's usefulness steadily diminishes ), and would no more utilize anything Microsoft than I would the products of those fictional societies of the Fin-de-Siecle, occult and tortuous and occasionally criminal.

    Obviously others more consequential than I shall differ; and it is possible than other American companies not devoted to evil may overtake these three, but these are what we have got.

  3. Anonymous Coward
    Anonymous Coward

    All your data are belong to US!

    Can someone please explain the point of Microsoft’s EU Data Boundary with all the data being on EU land, where the US can just CLOUD act them into access?

    Didn’t something like that happen with Ireland and some email? Or was that why CLOUD came into being?

    So the EU are denying access to customers with the proposal, more like the US government is forcing EU hands.

    Maybe the US should also implement a no data gathering thing too where we may be more likely to play.

    1. Helcat

      Re: All your data are belong to US!

      I believe that was the Justice Department demanding emails stored in Microsoft's Irish servers in 2014. It looks to have caused quite a backlash from the EU:

      https://www.theguardian.com/technology/2014/apr/29/us-court-microsoft-personal-data-emails-irish-server

      and

      https://www.politico.eu/article/can-us-demand-emails-stored-in-ireland-cloud-congress-technology-courts-servers-internet-security/

      Looks like the answer was 'The US says yes, if it's for a US citizen but no for anyone else'. Except when the US court 'yes', the EU said 'no', then the US courts said 'erm, okay, Congress! Over to you!'.

      https://www.stanfordlawreview.org/online/microsoft-ireland-cloud-act-international-lawmaking-2-0/

      This is a more current look at the Cloud act and it looks like it's not resolved.

      So the EU data boundary was an attempt by MS to be compliant with the European DPA, and subsequently the GDPR (as of 2018) and Cloud is an attempt to bypass that in some form.

  4. Ken Hagan Gold badge

    Think of it as resilience.

    If you insist that your cloud provider is subject to the laws of a single country, that's a single point of failure. Clouds aren't supposed to have those. You need to fix your cloud.

    It still seems pretty uncontroversial to me that no country can expect its laws to trump those of another when the business is conducted in the other. Think of it as "No legislation without representation.". Do I have a representative in your legislature? Nope? Well your laws aren't worth shit in my country then.

    1. Anonymous Coward
      Anonymous Coward

      @Ken Hagan - Re: Think of it as resilience.

      Tell this to US government and prepare for the consequences.

  5. mark l 2 Silver badge

    Don't we all feel sorry for Microsoft, Amazon, Google they might loose a few dollars if they can't hoover up all the data from their EU users, if they need to set up a independent separate business in the EU to do business there and not send it all back to their US data slurping parent companies.

    1. Doctor Syntax Silver badge

      And with the CLOUD Act they have to make sure it really is independent. Some sort of franchising operation seems to be called for.

  6. Claptrap314 Silver badge

    Let's see how many downvotes I get this time

    I've been urging the EU to take this sort of step for at least five years--this is the main way I can see to trim the power of these multinationals.

    But the basic rule of law applies: do business in my country, abide by my laws. By "do business in my country", I mean ANY of the following: interact with one my citizens; interact with a company domiciled in my territory; transport anything into, through, or out of my country. If you cannot comply with the laws of my country and your own, that is NOT my problem. That's a business decision for you to make.

    So if a US entity wants to do business in Europe, or India, or China, or Russia, or Mozambique, the local authority is going to insist that they obey the laws of that country. No ifs, ands, or buts. (Subject to sufficient local currency entering the appropriate accounts, of course, just like at home). So while Google was able to beat Spain, they are going to find it much more difficult to sweat out the EU. Good.

    1. naive

      Re: Let's see how many downvotes I get this time

      The political environment is not right for Europe to demand anything from the US. Europe is depending on USA for energy and weapons supply for Ukraine.

      EU commission is either full of US assets like Ursela von der Lie or they are misguided, self preservation and protecting interests of European citizens is not on their agenda.

      Push back against US Big-Tech will result in political pressure from Washington.

      This might explain the absence of support from the EU commission to develop a viable European hosting industry that can compete on the scale of Google/MS and Amazon.

      In case European cloud data is stored in places that are under jurisdiction of the USA and thus subjected to the CLOUD act, nothing can be done about it.

      European countries could draw up laws where domestic companies using US based cloud services will get substantial fines when their data ends up in US jurisdiction.

      The absence of such laws is another sign that in the EU commission nobody cares where ones data might end up being stored.

      So to come back to the point you made: Nothing prevents US based cloud providers to store cloud data where ever they want. Bad publicity that might pop-up periodically they can easily suppress since they control the news flow to the majority of the people in the West.

      1. Lil Endian Silver badge

        Re: Let's see how many downvotes I get this time

        1. ...for Europe to demand anything from the US...

        No demands are being made of the US. The EU law is proposed for EU states.

        2. ...weapons supply for Ukraine.

        Conflating trade with military support doesn't make sense. Not all areas of politics overlap all areas of international cooperation: see The ISS.

        3. ...result in political pressure from Washington

        Which will result in reciprocal pressure against Washington. Sounds like a great way of getting along....

        4. In case European cloud data is stored in places that are under jurisdiction of the USA and thus subjected to the CLOUD act, nothing can be done about it.

        Erm, yes things can be done. Such as implementing EUCS - that's the entire point, enforcing data sovereignty and by extension "opting out" of the totalitarian CLOUD Act.

        5. Nothing prevents US based cloud providers to store cloud data where ever they want.

        Good for them. Nothing prevents non-US orgs using non-US services.

      2. Helcat

        Re: Let's see how many downvotes I get this time

        "European countries could draw up laws where domestic companies using US based cloud services will get substantial fines when their data ends up in US jurisdiction."

        EU and UK have had that in place for years.

        From GDPR:

        "Data transfer outside the EU

        When personal data is transferred outside the EU, the protection offered by the GDPR should travel with the data. This means that if you export data abroad, your company must ensure one of the following measures are adhered to:

        The non-EU country's protections are deemed adequate by the EU.

        Your company takes the necessary measures to provide appropriate safeguards, such as including specific clauses in the agreed contract with the non-European importer of the personal data.

        Your company relies on specific grounds for the transfer (derogations) such as the consent of the individual."

        So if the EU decides the US does not supply adequate protections then the data can't be exported to the US unless said importer of data meets the required conditions, or the data subject agrees.

        "The absence of such laws is another sign that in the EU commission nobody cares where ones data might end up being stored."

        Please refer to the previous answer.

        "Nothing prevents US based cloud providers to store cloud data where ever they want."

        Nothing prevents the EU from fining said company for breach of GDPR, or from banning their services from the EU. Nor does it mean the company's reputation will remain untarnished, nor that other countries will retain trust in them in the future. Indeed, the reverse is far more likely, and more damaging.

        As for an EU hosting industry:

        https://digital-strategy.ec.europa.eu/en/policies/cloud-computing

        Plus:

        https://www.expertmarketresearch.com/articles/top-cloud-computing-it-companies-in-europe#:~:text=OVHcloud%20is%20the%20largest%20provider,its%20own%20fibre%2Doptic%20network.

        While that only lists 4 non-US companies out of the top 10...

        "OVHcloud is the largest provider of cloud services in Europe and the 3rd largest web hosting provider in the world, with over 1.4 million users and over 2,200 employees worldwide. The company manages 30 data centres across 4 continents and maintains its whole supply chain with the help of its own fibre-optic network."

        So... thanks for encouraging me to go do some research. And you are welcome to the above information: I hope you find it useful going forwards.

  7. John Hawkins

    So what?

    US based Cloud services with local data centers are already off-limits for some organisations I've worked with here in Sweden. The usual story is that their technical people start a discussion with us about hosting on Microsoft/Amazon/Google, but it stops once their legal people get involved. It would be interesting to know if anybody else within the EU (or any where else for that matter) has seen this pattern.

    It does mean that there are opportunities for local cloud hosting services, though I guess pricing is an issue. One local hosting service I know of uses OpenStack, so they do exist and a customer doing medical research I worked with a couple of years ago hosted part of their operations with that local service for legal reasons.

    1. bocale1

      Re: So what?

      There are of course several domestic cloud providers across Europe that can fulfil even the most stringent digital sovereignty requirements (in the Nordics, Tietoevry to mention one). Let's not forget that digital sovereignty is not limited to where data are hosted but also who has access and operates those data and the technology used to work with it. Said that, costs and quick access to innovative features are usually 2 of the aspects that are mentioned in favor of the US giants. Without significant investments in our European capabilities, it will always be challenging to compete with these big guys. It's also why times may be mature to consider multi cloud solutions where sensitive data are segregated in a smart way.

      1. Lil Endian Silver badge

        Re: So what?

        How about self hosting? How many companies need such scalability that they profit from use of another's DC?

        Time to stop buying in to the spiel. Own your data at all costs.

  8. Lil Endian Silver badge

    Pandora's Box

    ...warning that it could "open a Pandora's box" by empowering the European Commission and individual member states to exclude foreign businesses from domestic cloud services markets...

    Shirley, the law would close Pandora's box - as in curtailing US Gov's self-obsessed and self-appointed right to access global data, beyond it's national sovereignty. You made the CLOUD Act, we don't wanna live with it TYVM.

    ...[the report] claims that the immunity requirements in the EUCS are "discriminatory by design" --- YES! Well. Fucking. Spotted.

    This might take the form of retaliatory tariffs... --- That's right. Keep excluding the rest of the World, you will soon gain your oh-so-desired isolation. Then you will control 100% of your "known World", as you'll be the only ones in it. Sammy No Friends. Seriously though, the US tried this with steel import tax hikes, that went well.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like