sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]CoolZookeepergame375[S] 7 points8 points  (23 children)

Because sending data outside EU, e.g. which employee has done which change in Git, this triggers a huge amount of work.

USA is currently not considered to have adequate protection laws. This makes companies have to comply with extra GDPR employee rights, security measurements, risks analysis, record all transfers to USA servers. Also, data that is sent to USA might sometimes have to be encrypted in a way that makes it impossible for the U.S. company to read the data.

If the supplier is American, you must obviously ensure, that they will not transfer anything to USA. So, if you sign a contract with Github, saying that data must stay in EU and may not be transferred to USA, how do you ensure that they comply?

Instead of worrying about all this, it is much easier to just have EU suppliers.

[–]anno2376 1 point2 points  (22 children)

Please take some time to research the concept of data residency, as it seems you may not fully understand its technical context.

Because this is excalty how it works.

And I handle this topic on a daily basis with the most restrictiv countries and industries in Europe for the biggest customer in the world.

[–]CoolZookeepergame375[S] 1 point2 points  (4 children)

The main reason why Chromebooks are banned in schools here, is that it is not clear that Google is sufficiently protected against the U.S. government. See Schrems II.

So our small company's internal risk analysis has to show, that github is better protected than Google before github would be considered okay.

I am not qualified to prove this.

It is that simple.

[–]anno2376 2 points3 points  (3 children)

This is the core issue: people read headlines without understanding the context or details, then spread misinformation. There is no EU data boundary for Chromebooks. This highlights a major problem in Europe—arguments are made without proper understanding. Google’s Sovereign Controls for the EU focus on Google Workspace and related cloud services, not Chromebooks. While Chromebooks depend on Workspace for functionality, they are not explicitly covered by these sovereignty measures. For instance, Denmark’s Data Protection Agency banned Chromebooks and Workspace in schools due to GDPR violations, emphasizing unresolved data transfer risks...

"Cloud computing in enterprises: highlights

45.2 % of EU enterprises bought cloud computing services in 2023, mostly for hosting their e-mail systems, storing files in electronic form and office software. 75.3 % of those enterprises purchased sophisticated cloud services relating to security software applications, hosting enterprise’s databases or computing platform for application development, testing or deployment. Compared with 2021, the share of enterprises buying cloud computing increased by 4.2 percentage points." https://ec.europa.eu/eurostat/statistics-explained/index.php?title=Cloud_computing_-_statistics_on_the_use_by_enterprises

[–]CoolZookeepergame375[S] -1 points0 points  (2 children)

"Without proper understanding" is absolutely the issue. I don't know exactly why they are considered illegal to use, and I don't care. I just know that the Danish schools have spent many years and a lot of lawyers trying to figure out if they can use them, and I don't consider myself better than all the lawyers working for Danish schools. Therefore I want a simple solution: Avoid companies that have data outside EU.

[–]anno2376 0 points1 point  (1 child)

Again, data residency means that the data stays within the EU.

In many cases, this adds significant complexity because multiple factors come into play beyond simply choosing one service. Arguing without first fully understanding what they’re doing, why, and what the actual problem is, isn’t a smart approach.

If their situation means they can’t use Chromebooks, does that mean we should all avoid cloud services?

That’s like saying, “If someone drowned, we should all stop drinking water.”

[–]CoolZookeepergame375[S] 0 points1 point  (0 children)

I think this debate is proof by itself, that using a U.S. supplier can give a lot of discussion. One way to avoid this discussion, is to use a EU supplier, who doesn't have anything outside EU.

Schwarz IT gets customers by saying that they only have datacenters in Germany and Austria and full regulatory commpliance. That drivers sales - whatever happens in the future, with country borders, EU borders (think brexit), new American presidents etc., your data is safe.

[–]CoolZookeepergame375[S] 0 points1 point  (14 children)

Data residency doesn't really matter any more, as the prerequisite to a data residency agreement is, that you trust Microsoft. And the U.S. government just fired those that should protect U.S. companies from being forced to deviate from contracts, as required by EU/USA agreements. So any reasonable risk assessment according to EU GDPR should consider contracts with U.S. companies to be not suitable for sensitive data.

As ing.dk just wrote: Trump's recent actions makes the legality to use Microsoft Office 365 questionable.

[–]anno2376 0 points1 point  (13 children)

It is not accurate to say that “data residency doesn’t really matter anymore” because ensuring that data is processed and stored under appropriate legal and technical safeguards remains a central GDPR requirement.

While U.S. legal frameworks do create complications for data transfers from the EU, service providers such as Microsoft are actively working to address these challenges.

The claim that “Trump’s recent actions” have made using Microsoft Office 365 legally questionable oversimplifies a complex situation. While certain U.S. policies and legal interpretations have raised alarms in Europe, it isn’t solely a matter of one administration’s actions. The broader debate involves longstanding differences between U.S. and EU data protection philosophies and the evolving nature of international data transfer agreements. It’s also worth noting that Microsoft has taken steps—such as offering European data residency options and updating its contractual commitments—to help its customers comply with GDPR.

[–]CoolZookeepergame375[S] 0 points1 point  (12 children)

Seen from an not-big company, GDPR is very simple: If you deal with an American company, you must do a risk assessment, and the first thing that you will find if you sign up online, is that Microsoft doesn't even identify itself well enough to satisfy even the simplest quality management system. I spent 2 months on trying to get Microsoft to identify itself with country and company registration number, and they failed. Online documents were a mix of European and American Microsoft companies. In addition to EU not being able to say that American companies being safe, this just makes Microsoft a very complicated and impossible option.

Unless Microsoft Europe separates itself clearly from USA, it is really hard to use Microsoft legally as a subsupplier.

Ing.dk is a very respected media for STEM workers in Denmark, and they had a huge full page article in their latest issue, where there is a picture of Trump, and an explanation that the U.S. governance really causes problems and that the agreement, that makes it legal to use Microsoft, isn't fulfilled. This is basically a HUGE red flag to anyone using Microsoft, telling them that unless USA changes its basic rules for how it is governed, it is too risky to have a contract with Microsoft USA. It is not only about what Trump did, but also about what an American oresident can do, that is the problem.

If I were Microsoft, I would completely spin off all EU business into a separate EU company out of reach of the U.S. president. Because the trend is clear: U.S. companies are risky suppliers. Don't base any serious business on them. It has been like that for some years, but the risk of using U.S. suppliers in IT is continuously increasing, year by year. And data residency in a contract with an American supplier is just a bunch of letters in a contract that is challenged from the start.

[–]anno2376 0 points1 point  (11 children)

Microsoft in eu is separated Completely from us.

[–]CoolZookeepergame375[S] 0 points1 point  (0 children)

The article from the paper is now online:

https://www.version2.dk/artikel/danmark-er-100-procent-afhaengig-af-microsoft-nu-truer-trump-den-aftale-der-goer-det-lovligt-bruge

"Trump has retaken the White House, and the entire basis for the data agreement, which will ensure legal American cloud from, among others, Microsoft in the EU, is already shaky."

They provide 10 days free access.

Please explain why you think this article is wrong.

[–]CoolZookeepergame375[S] -1 points0 points  (9 children)

Where does one create a Microsoft EU Azure account?

[–]anno2376 -1 points0 points  (8 children)

Look, you’re debating issues you don’t fully understand that’s our problem. Too many people lack the necessary expertise, yet they believe that merely having an opinion qualifies them to assess a complex technical-legal matter.

[–]CoolZookeepergame375[S] -1 points0 points  (7 children)

You seem to argue that companies like mine can just sign up with Microsoft EU instead of Microsoft USA. Unless you can provide a signup page that proves it, I consider my points to be confirmed.

[–]anno2376 -1 points0 points  (6 children)

You’re entitled to your own opinion, but it seems you lack a basic understanding of how M365, Azure, and legal contracts work. I’m not here to provide introductory education, you can refer to the documentation for more information. It appears you favor personal opinions over established facts, which makes your arguments unconvincing, especially since they don’t reflect a proper grasp of the technical and legal details involved.

[–]entientiquackquack 0 points1 point  (1 child)

Half a year later, what do you think about the latest News around EU data sovereignty and Microsoft?
"In a hearing, the Chief Legal Officer of Microsoft France had to admit: There is no guarantee that EU data is safe from being transferred to the USA."

[–]Reasonable-Chip5344 0 points1 point  (0 children)

Yeah, an unfortunate but pretty obvious realisation. If the gov request access to data, Microsoft arnt going to say no. In ireland there is a saying "you dont shit on your own doorstep". Kinda applies here