Corporations operating in the EU are subject to EU data protection laws.
It does not matter if the PATRIOT Act forces them to hand this data over. They are breaking the law in the EU.
Google had two choices:
1. Don't hand over the data => they break the US law
2. Hand over the data => they break EU law plus hand over personal data of users who might not want that
To me choice number one would be the lesser "evil" thing to do.
The solution is to have completely separate entities of the company in the local jurisdictions. Those follow local law and only share data with their foreign sister companies in a lawful manner and otherwise can ignore foreign law.
Of course this creates some complexities but it's the right way to do, everything else gets you into trouble and even huge companies as Google can't get around colliding laws from different jurisdictions.
Handing over data to intelligence agencies is just one example of mutually exclusive laws. There are actually many more like data retention laws. The internet is probably the biggest challenge to international laws and treaties ever.
The article doesn't mention the "Safe Harbor" provisions. This is a negotiated exception to EU Data Protection - roughly speaking, US companies can export the data to the US, as long as they promise to give equivalent protection. Google uses this to allow it to operate with personal data in the EU.
If Google have exported the data to a US jurisdiction under Safe Harbor, then a subsequent PATRIOT Act request wouldn't need to involve any EU-stored data or EU companies.
This seems like a much more general issue with exceptions like Safe Harbor, and something that people/companies should bear in mind. Promises like "equivalent" protection don't help with new local laws which can always trump anything.
They certainly violated the spirit, but may not have violated any actual rules. I could imagine that there's some exclusion in the safe harbor rules for "national security".
It's not clear whether the Data Protection laws were ever designed to guard against national governments. I imagine that those who wrote them were really thinking about avoiding disclosure to private individuals or other companies.
> According to German-language magazine WirtschaftsWoche, a Google spokesperson confirmed that the company has complied with requests from US intelligence agencies for data stored in its European data centers.
This isn't true; the WirtschaftsWoche article doesn't claim this. It says this could happen, but the claim that this article says it already did happen is a lie.
Not that this means it hasn't happened or is unlikely.
Die US-Regierung könne "auf außerhalb der USA gespeicherte Daten zugreifen". Der Konzern habe schon viele solche Abfragen erhalten, schreibt ein Sprecher des Unternehmens.
-- Rough, sorry: --
The US government is able to to access 'data stored outside the USA'. The company already got a large number of these requests, comments a spokesperson of the corporation.
--
Put like this, next to each other, is a strong indicator (yeah, it's still on the edge) that they did, in fact, already comply in the past.
First part is 'would/could/in theory' style, but the following sentence says they got these requests in the past and 'diese' (these) builds a rather strong link to the sentence before.
So - I'm not 100% sure, but let's error on the side of caution: They did it in the past.
I assume that WW would have used a much stronger phrasing, had the "Google spokesperson" actually said that. And a Google spokesperson is obviously careful when talking to the press.
Yes, it's not unlikely that they did -- but Softpedia is blatantly misquoting here. They base their writing solely on the WW article, and that one doesn't include anything to back up the claim.
This is a clear example why China does not welcome US internet behemoths in their country. Who would want to give competitors easy access to their internal data?
This is a very real problem and provides case in point as to why everyone needs to start using client-side encryption for their data and communications.
In some cases this is still currently impractical to do on a day to day basis but in others such as Email, Social Networking or Instant Messaging it is not[1][2].
[1] I'm involved with a company that recently launched a free tool that provides transparent client-side AES256 encryption for Facebook, Google+, Major Email apps among others.
What site are you visiting? There is no "options" option in Social Fortress. If you can email a detailed explanation to support@socialfortress.com and we will get back to you promptly.
One solution might be for Google to spin off its EU datacenter operations into a company incorporated outside of US jurisdiction. The Patriot Act would then no longer apply and Google would not be force to break EU law.
Under some interpretations of the laws, Google would need to ensure that nobody under US jurisdiction has any access to the data. A full "split" would be difficult, and seemingly break a lot of the large-scale load-balancing and redundancy of Google. And what happens when a new, separate, jurisdiction arises?
While it would be technically possible, I think Google are probably happier just not dealing with the more paranoid businesses that are worried about this. That's the impression I got when discussing similar issues with their sales staff.
They almost certainly have local operating companies that are wholly owned subsidiaries of the US parent company - just having a separate company isn't enough I suspect that separate ownership would also be requried.
They could set up special purpose vehicles, with very clear operating rules. That way, if the US asks, Google can say that they have no control over the subsidiary.
If Google US has no control over Google EU then a number of issues could arise. Does Google EU have access to Google US data? What about the code that runs everything? What about profits - why would Google EU send profits back to Google US?
It's tricky, but no trickier than their accounting system ;)
Google EU has a mission to "provide Google US with data hosting, and send profits back to the mothership". They have a contract, in which Google US grants free use of any code data that Google EU needs.
Google EU has a strict constitution, which prevents them from disclosing data, even if Google US wants them to. This clause in their constitution states that it cannot be changed.
If that's too extreme, they could allow the information to be released, but only if cleared by some specific third party.
That's just a rough idea. I'm sure Google's lawyers could come up with something much better.
I went to a talk years ago by Microsoft just after they had opened some new data centres. The MS presenter showed a government data centre dab smack in-between MS, Google, and Yahoo!. I can't remember the complex name, it was near a hydro dam, sure it had Rose in the name. Basically the data centres where they for access to the higher quality grid and cheaper rates.
He was pitching Singapore data centres and made the joke that US could just tap into any of the data centres with a warrant just like that. Then his laugh died in dry painful way leading more or less everyone in the audience to assume that the warrants had already been issued.
> Gordon Frazer, Microsoft UK's managing director, made news headlines some weeks ago when he admitted that Microsoft can be compelled to share data with the US government regardless of where it is hosted in the world.
I'm not being naive, I'm being factually accurate. I would 100% agree with the statement "Microsoft has probably done the same", for example, but this article does not provide supporting evidence that they have.
This is a news article. It sounds like you are assuming news=facts. Microsoft employs FUD in the media. In this case, they are making specific use of the U in FUD. They are neither confirming or denying that they have ever shared such information, thus one can safely assume they have. If they hadn't, they would come out and state that clearly.
I think there is a misunderstanding of the intent of this provision of the PATRIOT act. It's primary purpose is to serve US based companies by providing cover from shareholder activism and negative press when they are outed for providing such information; and to streamline the process of dealing with such requests because there is little to be gained from resistance through litigation.
In other words, the PATRIOT act provides corporations with the least expensive option for providing user data and provides them with political and legal cover when they do so.
It's not clear to me that these laws are mutually exclusive.
1. "the USA PATRIOT ACT, which states that companies incorporated in the United States must hand over data administered by their foreign subsidiaries if requested."
2. "European Union legislation requires companies to protect the personal information of EU citizens"
It could be that the US gov't requested data on non-EU citizens which happened to be stored in EU data-centers.
There's a huge need for people to start drifting to non-US based companies for everything that has to do with cloud storage or data, either that or force Google and such to offer solutions with end to end encryption that they have no access to.
"Do no evil" -- What do you think? Does this qualify as a breach of their motto? Or is it only a clear message to those who may have thought their Google data is private?
While I'm an open critic of Google I don't think in this case its a breach of that motto. Maybe a failure to disclose obligations to users.
Most people would understand the real culprit is the government. Microsoft and Amazon space there data centres geo graphically for a few reasons, and this is one of them.
I think the 'evil' part here is in this case the failure to disclose the fact(s).
The law's evil as well, agreed. The government did evil things passing it, in my world. But that doesn't seem to be the reason for the 'Google did evil' claim here.
When the government (that your business operates) is requiring you to hand over data what do you do? Is it Google's fault or the US government? I certainly don't think complying with the law is "evil". If the law is bad, fix the law.
I think the requirement to be silent about handing over data is more for the corporations than the government. No wonder this remained secret for so long.
Corporations based and operating in the US are subject to the PATRIOT Act, it's a shitty law but it's still the law. At least they are transparent about it.
And corporations based and operating in Europe are subject to our data protection laws. Microsoft and Google (and plenty others) have fully fledged companies in Europe. This raises an interesting question - what should companies do when they are subject to mutually exclusive laws like that?
My opinion is that they need to comply with the laws, which might require not having overseas companies in this case. Could they operate without them? Do they only exist for dodging huge amounts of taxes? (If yes, then this means that Google decided to "do evil" in return for a 20% boost in earnings)
It's not about earnings. Having datacenters in europe would still require them to respect the laws in europe. They need those datacenters for latency and plenty of other reasons. If they were forced to only reside in the US or in Europe it would make for a shitty experience for where they are not.
And going to europe isn't really feasible when most of the developers they hire come from the US. They could come to Canada if they want (they already have offices but they could just move the head office.) :)
Basically this is another law that fails to face the reality of globalization and is a strong overreach of the US Gov. It's potentially also destroying jobs if companies as you say must choose a place to be in.
I wonder if it's a structural problem: if the problem is that the parent incorporation is in the US rather than the US incorporation being a subsidiary of a holding company in e.g. the Cayman Islands. That seems like it'd be a solvable, if massively annoying problem.
Good point,it would also be interesting to know if this affects any business that does business in the US or only US based. My bet is it's the former (I am not a lawyer). Just because of the loophole you exposed. Think of all the foreign banks.
what should companies do when they are subject to two mutually exclusive laws? they don't really have a choice: they need to break one of the laws, and pay the penalty for that. the only question is which law to break, and the answer to that is the one with fewer consequences.
The EU must enact sanctions against google for this, if they don't they are essentially letting all multinationals know that EU laws are less important than American laws.
No, you've missed a possibility: their only legal option is not to operate in both countries for as long as the laws are incompatible.
That will, in this particular case, probably result in a significant dent in both the US and EU economies in the immediate future, followed by a phenomenal boost to the European economy at the expense of the US in the longer term. That will continue until the US understands that it can't just impose its will on other countries around the world any time it feels like it, and more specifically that while the US government and big business don't care much about privacy, it is a fundamental societal value in several EU countries.
The only legal option is to creat a world government, possibly extend the authority of UN. Governments need to match the size of multinational corporations.
I don't think that really solves the problem. People are different, and societies have different collective values. That diversity is IMHO valuable, and in case, it's probably unavoidable. Trying to force everyone into the same template seems to me a Very Bad Idea.
I think we do much better with our current model, where each jurisdiction has its own legal and ethical norms, jurisdictions may reach multilateral agreements on areas of common interest, and anyone wanting to operate across jurisdictions needs to do so in a way that is compatible with everywhere they operate and any common agreements between those places. In this case, economic incentives for major multinationals to be able to operate across borders is, or at least should be, a compelling reason for national governments to accept their limitations and not try to exert influence beyond their borders in unsustainable ways.
That's what some people would like the EU to be about. Fortunately, there is a healthy diversity in people's views on that issue just as with many other issues. Thus, in practice, we have always had European integration on several different levels depending on the individual needs of the nations involved and their collective benefit from co-operation.
Today, being in the EU is not the same as using the Euro. Though the Lisbon Treaty blurred a lot of lines, we historically had the European Courts of Justice rather separate from the European Union as well. There is a lot more historical detail on Wikipedia's page on the EU if you're interested.
If anyone thinks Europe will still look the same in five years, I think they are probably missing something, given the obvious differences in financial power between say Germany and Greece today and the obvious negative effects it is having on the better off nations. Who knows the consequences at this stage? Maybe the result will be closer integration where the financial policies of the weaker nations are restricted by the stronger nations who support them. Maybe Europe will fracture as an economic community but perhaps continue as a legal, diplomatic, free trade, and/or military one. It is clear that on matters like the privacy issue at hand, there is a lot of common ground on the basic principles regardless of economics, so I suspect that side of things will be maintained.
I'm merely guessing, but seeing how the law takes a backseat when security and anti-terror are involved I suppose that EU governments and the US have reached some sort of agreement about which set of laws to enforce in certain cases.
My guess is that such an "agreement" would have been reached by one side only...
The law has been taking much less of a backseat in Europe when it comes to security and anti-terror. Also I find it hard to believe that the EU would just give up its data protection laws just to please Americans and allow the enforcement of an American law.
I definitely agree with you on the one sided part..
I'm less concerned by the fact that Google handled the data over US agencies than by the fact that the EU doesn't seem to have made any objections.
Whether it's because the EU doesn't care, or because they was nothing they could possibly do, I don't know. But either way, it doesn't sound right to me.
I think we Europeans as a diverse society have far less willingness to give up basic rights than those in the US.
Public sentiment does sway sharply in the aftermath of events like 9/11 (or, in our cases, 7/7 in London and the like). We sometimes tolerate nanny state behaviour and suspending basic rights and freedoms more than I personally would like following such extreme, high-profile events.
However, even then, public sentiment seems to sway back again much faster here. Just look at the level of public concern over a tiny number of high profile deaths in the UK in recent years where police were involved, or look at how sharply Google have been slapped down over privacy in places like Germany. I think this is probably down to having a lot of very different cultures who have come together in their common interest but never merged to the extent that the US is a federation of relatively similar states. Consequently we have a much broader spectrum of political opinions permanently in play here and it's much harder to permanently overrule many years of history and precedent without someone objecting loudly enough to slow things down and force more debate.
There seems to be an inherent tension between recognising that the US is often a useful partner in economic and military matters, and recognising that we must not act as some sort of junior partner to a country that frequently gets big issues spectacularly wrong and that has a demonstrated history of screwing its partners whenever its own interests dictate.
My sense is that the US has been cut a lot of slack in recent years because of its economic strength and 9/11, particularly when we had Blair running the show here in the UK, but that public patience with the one-sided deals and all the silliness we have to put up with as a result is now rapidly running out as we have our own problems to deal with and the US are getting in the way or indeed causing some of them.
I don't think it's huge. Compare "Honey I lied about cheating on you" with "Honey, I didn't tell you that I was cheating on you". It's a fine line when it's information that you know is relevant.
I would expect my EU government to impose sanctions on google forcing them to put a banner on all pages they serve to inside EU advertising that your information might be handed over to us intelligence services.
The Patriot Act seems to trump EU law in many cases, as security fears oft trump privacy concerns. It's a good discussion to be had for sure, am I'm sure EU parliament members will debate it in length:
From the article "but they [the companies] can be forced to keep quiet about it in order to avoid exposing active investigations and alert those targeted by the probes."
There are a number of reasons why both the government and the companies would want to keep it secret:
1. Bad reputation for the company.
2. Bad reputation for the government on how much spying they actually are doing.
3. "keep quiet about it in order to avoid exposing active investigations" (this point I would think to be irrelevant in this case however)
The US companies can be forced by the US government to be kept quiet about the data they revealed. However, their subsidiaries are European companies, and therefore must comply to EU law, therefore they shouldn't share the data, and if they do, that's a crime, and if they furthermore keep quiet about it, it's an even bigger crime.
I think they should be punished by law to the fullest extent available. Along with everybody that was responsible and is within the reach of EU law.
Actually, the EU should request extradition of those responsible that reside in the US, even if they didn't break the US law. Fair, isn't it?
Well, there is that as well. But I guess most people are less concerned about Google US having access to their data (even if it is illegal) than their data being given to US intelligence agencies.
I don't understand why you think that the Patriot Act seems to trump the EU law. The companies have separate subsidiaries in Europe. What the Patriot Act seams to be doing is Piercing the corporate veil. http://en.wikipedia.org/wiki/Piercing_the_corporate_veil. Making the EU company break EU law.
That's a very incorrect statement. Noone can make you break the law.
In this case, the correct interpretation is, preventing US companies from having EU subsidiaries. Which means that the US offices have to be a subsidiary of some overseas corporation (i.e. make Google incorporate in Europe, or possibly some tax&law haven, like Cayman islands (I don't actually know about the laws there, but I'm sure there is a place on earth that would be ok)).
The Patriot Act does not trump EU law here, because the Patriot Act is not in force in the EU, it is not the law of the land in the EU, and is not legal.
'Being transparent' about it is not what comes to my mind if we're including these gag orders.
I won't comment on the law in general for the discussion's sake, but not being allowed (or: required) to be transparent about the disclosure of data is just evil in my world.
I don't have any expertise in this area, but the first comment on that article claims that the quote they have wasn't given specifically to that paper, and the original quote is kind of dodgy:
"As a law abiding company, we comply with valid legal process, and that - as for any US based company - means the data stored outside of the U.S. may be subject to lawful access by the U.S. government. That said, we are committed to protecting user privacy when faced with law enforcement requests. We have a long track record of advocating on behalf of user privacy in the face of such requests and we scrutinize requests carefully to ensure that they adhere to both the letter and the spirit of the law before complying."
From that, it sounds like the data is subject to subpoena, but it would be nice to not have speculation three layers thick on this point and just get a straight answer.
Yes, Google is such an innovative and constructive company. I imagine that they will make it up to us with a brand new innovative product that we can use while on the toilet.
The only difference is the greater bureaucratic procedures in handling this data, but there is technically nothing off-limits (information-wise) to law-enforcement or security agencies. This is especially true in the wake of anti-terror legislation all across the EU. This will become more apparent as copyright lobbies are pushing for greater surveillance of internet users.
The old adage that 'if you have nothing to hide, you have nothing to fear' has been thoroughly incorporated into modern state doctrine.
So downvote at will, but it would be nice to do so with some counter-arguments.
Google had two choices:
To me choice number one would be the lesser "evil" thing to do.The solution is to have completely separate entities of the company in the local jurisdictions. Those follow local law and only share data with their foreign sister companies in a lawful manner and otherwise can ignore foreign law. Of course this creates some complexities but it's the right way to do, everything else gets you into trouble and even huge companies as Google can't get around colliding laws from different jurisdictions.
Handing over data to intelligence agencies is just one example of mutually exclusive laws. There are actually many more like data retention laws. The internet is probably the biggest challenge to international laws and treaties ever.