- Background on the EU-US data transfer saga
- TADPF information PDF by the EU
- TADPF program page by the US Government
- TADPF Decision (EU) 2023/1795
- CJEU: Schrems I and Schrems II
- Report on the removal of PCLOB members
The EU-US Data Transfer System – a mix of EU and US law. Generally, EU law prohibits exporting personal data to countries outside of the EU since 1995, unless there is an absolute need (e.g. when sending an email to any non-EU country). Data can be sent abroad when the non-EU country provides “essentially equivalent” protection of Europeans’ personal data. The US, on the other hand, has very strong mass surveillance laws (e.g. FISA702 or EO 12.333), that allow the US government to access any data stored with Amazon, Meta, Microsoft, Google and any other US Big Tech firm without probable cause or individual judicial approval. Therefore, the European Court of Justice has held twice (Schrems I and Schrems II) that US law is not “essentially equivalent”. However, Ursula von der Leyen has insisted to pass a third EU-US deal, called “Transatlantic Data Privacy Framework” (TADPF).
TADPF was built on sand. On 10.7.2023 the European Commission issued Implementing Decision (EU) 2023/1795, formally passing the TADPF. This allowed any EU business to freely transfer data to US providers, despite US surveillance laws. The European Commission relied on (very questionable) executive orders or letters by the US government, including the PCLOB, to find that the US is “essentially equivalent”. However, these elements are not reflected in US statutes and codified law, because there was no majority in the US Congress to pass such laws. It was long criticised that the next US president could kill these protections with the stroke of a pen. This scenario is now on the horizon. In its decision, the European Commission mentioned the PCLOB a whopping 31 times to explain why the US has “essentially equivalent” protections. The PCLOB is the only general “oversight” body that monitors whether US services actually comply with laws, orders and other promises. Other elements of US law, like various redress mechanisms, require a plaintiff to become active. The US has traditionally blocked access to these bodies via various “standing” rules, leading to basically no lawsuits ever being admitted. This means that the PCLOB is the only relevant oversight mechanism that the TADPF relied upon.
Max Schrems: “This deal was always built on sand, but the EU business lobby and the European Commission wanted it anyways. Instead of stable legal limitations, the EU agreed to e
25 Comments
NomDePlum
Interesting read. I wasn't aware there was a formal process that allowed the US to snoop on EU data in cloud providers. Very big brother.
amarcheschi
God I hope so
mrtksn
What if EU gives a year to American cloud providers to sell their companies to a European owner?
It's important to learn from the best. Considering the election meddling efforts from agents directly from within the US government, who are also owners of large media and AI companies, the only reasonable outcome would be either to sell those companies to EU owners or to guarantee exclusion from EU markets for national security reasons.
ChemSpider
In my main job we provide SaaS services. We get more and more requests for "EU located" services.
A new trend I see is that some customers even rule out using EU-located servers that are owned/run by US companies (such as the AWS Dublin or Frankfurt locations).
juliangmp
> Thousands of EU businesses, government agencies or schools rely on these provisions. Without the TADPF, they would need to stop using US cloud providers like Apple, Google, Microsoft or Amazon instantly.
Please God let this happen
Gravityloss
One thing is a bit unclear here. US headquartered cloud providers have physical data centers in EU. Would this also prevent EU businesses from using those?
fergie
It already is in practice. You can't legally use cloud services for "red" (personal information) or "black" (national security) data in most jurisdictions.
Some organizations that are deeply invested in a given tech provider do it anyway, but this is gradually going away.
rustc
What cloud services are there that operate exclusively in the EU? Hetzner has servers in the US now, so I guess they also won't be an alternative?
xeonmc
Would Cloudflare fall under this category?
dathinab
Honestly, most non-lobbyist people here in the EU have been expecting this to fall apart sooner or later, even without Trump.
Some companies have gone further and not only are assuming data transfer to the EU will become illegal but also that European daughter companies (e.g. MS) might become illegal for some use-cases (e.g. lawyer documents).
tomtomistaken
The EU should make its own cloud storage (hosted in the EU), giving every citizen 10GB of base storage after applying for it. Cloud is critical infrastructure. Besides, that would also lift the favorability of the EU.
suraci
The EU is the digital colony of the US; it has no other choice.
Politicians like von der Leyen will make sure it's not gonna happen.
seper8
This is economical suicide for most European companies.
yearesadpeople
FYI
https://european-alternatives.eu/
pjmlp
Followed by OS, could not have those backdoors there.
Finally it is going to be the year of SuSE Linux Desktop, and Jolla.
Maybe we could have a second coming of Nokia N900 as well.
ArtTimeInvestor
Are there any publicly traded cloud companies in the EU besides OVH, IONOS and Nebius?
I have looked into these 3 so far and was not too impressed. Would like to look at more, if there are some.
nonrandomstring
International relations with US tech has been a serious talking point for over 25 years at least. Some good talking points here [0]
[0] https://cybershow.uk/episodes.php?id=31
ilove196884
The EU holds all the cards here. AWS and Azure have everything to lose. Europe has competitors, but the offerings are fragmented between different companies. If they come together then yes, they can have a replacement for most users. Most users don't need bleeding edge features. Painful, but can be done. Definitely not impossible.
tticvs
I suspect that this is going to fall into the "nothing ever happens" bucket.
What they're implying is that it is illegal for US companies to comply with EU law.
This is significantly different from the EU enforcing the GDPR extraterritorially, since that's basically just an increased cost of doing business in Europe and is apparently worth it.
But if the US companies have to choose between complying with US extraterritorial law or EU extraterritorial law they're going to have to choose the US, for obvious reasons.
It doesn't seem to me that convenient legal subsidiary structures or data physicality setups are gonna work here.
The effect of US companies withdrawing cloud services would be devastating to the EU. Imagine if you could no longer access your Gmail or Outlook account, your Apple or Google photos disappear, WhatsApp shuts down, all your company's documents are no longer accessible on Office365 or G Drive.
The results would be indistinguishable from a massive cyber attack and would take decades to recover from.
There's just no way the EU would inflict a wound of this magnitude on itself.
jsnell
A lot of people here seem to be interpreting "Cloud" as "public Cloud infrastructure provider". Note that this isn't just a question of AWS, Azure and GCP. It's about any kind of hosted services. So it would also apply to things like Dropbox, Slack, Gmail, WhatsApp, iCloud, etc.
(But it also wouldn't be a ban on personal use of such services, as long as the user consents. It'd "just" be very hard to use those services in business or government.)
Havoc
Given how unreliable the US is becoming, a bit of distance might not be a bad thing.
leowoo91
FYI, there is already a type of deployment called "sovereign cloud", where data exports are controlled by the country, and it is already in the works at major providers.
jc_811
Worth noting that there is a European company (I believe headquartered in Sweden) whose mission is to build an EU-first cloud to compete with the large US offerings.
Evroc [1] is their name and I’ve been following them for a few years now. They raised a large amount in 2023 [2] and it looks like they’ve just broken ground on land to build a data center just last week [3]
Very curious on how this will work for them and I plan on following their journey very closely. Any EU-based cloud engineers should apply to join!
[1] https://evroc.com/
[2] https://sifted.eu/articles/evroc-plans-e600m-investment
[3] https://www.datacenterdynamics.com/en/news/swedens-evroc-acq…
silexia
The EU has become increasingly irrelevant due to its draconian communist laws.