On Tuesday, 6th December, several it news tickers (see, e.g., heise online ) announced that Microsoft is about to change the end user agreement for its cloud service Office 365 in such a way that it conforms to German and European data protection legislation. The data protection officer from the state of Bavaria in Germany is reported to attest conformance. So let’s see whether Microsoft found a new solution to a known problem.
The ongoing conflict between the German data protection law and the USA PATRIOT act forms the background. According to the data protection law personal data may only be exported into countries that provide a data protection level at least as high as in the European Union. Data circulation may only happen after the customer agreed to this step. This agreement cannot be asked for by general statements in terms and conditions. Rather each individual case requires an individual agreement from the customer’s side.
The USA Patriot Act allows US authorities like, e.g., the FBI to access data that are hosted by companies doing business in the USA. These access rights are pretty general. They were introduced to ease fighting terrorism. In principle customers whose data were screened have to be notified of this by the authorities. But the act does not contain a statement until when this has to happen. The authorities decide about this by themselves in each case individually. That means it would still be conformant to US law if customers are notified only after the usual time period that classified documents get declassified – normally 50 years. Cloud service providers like Microsoft can be committed to remain silent to their customers. This means that potentially affected customers are in principle incapable of establishing whether or not their data have been screened. As a consequence, no German data protection officer can ever attest whether a cloud service provider that is subject to the patriot act adheres to the German data protection law. He can state at best whether the terms and conditions as written on paper are in line with German law. But such a statement would be of quite a low value, since all it says is that the provider wants to obey German laws. Isn’t this something we should expect from every company doing business in Germany?
Every cloud service provider who offers his services in the EU and who is based in the USA or does a substantial part of his business there faces an unsolvable conflict. It is impossible for him to respect European data protection laws and the USA Patriot act at the same time. For all US based service providers – and all the big players are – priorities are pretty clear. The US authorities can always enforce conformance to the patriot act. In case of doubt it will be the European laws that will be broken by the service providers. European customers probably have the right to sue for damage compensation. But as long as a customer does not even get to know of the infringement this right is of very limited use.
EU based cloud service providers have in principle the option to refuse the cooperation with the US authorities referring them to EU data protection legislation, if their servers are located in the EU. That would probably lead to the US authorities to close down their US business rather quickly. That this threat is real is something the Swiss Bank UBS had to learn when negotiating the transfer of customer data to US tax authorities. The tax office took hostage of the US branch of UBS thereby forcing UBS to hand over the demanded customer data. In case where the servers are located in the US there is no chance of escaping from the patriot act. US authorities would always be capable of enforcing physical access to servers.
This leaves just two alternatives to the customers. Either they accept that US authorities have in principle access to their data and that in case these data are screened they will only be notified much later. Or they decide to choose cloud service providers that are based in the EU and do not offer their services in the USA.
Although the considerations here refer to German law, the situation is pretty much the same in all EU countries, because the national data protection laws all implement the same EU data protection directive. And no member state has the right to weaken the data protection standard spelled out in this directive.
Selenium WebDriver for Safari 8
This is just a short note on how to get the Selenium WebDiver installed and running for the browser Safari (ver. 8) under Mac OS 10.10 “Yosemite” . It isn’t that easy to find the solution on the internet. Core insight is that you need a WebDriver ...
4.2.2015 | 1 Minuten Lesezeit
Persistence without Persistence
NoSQL-databases typically run on virtual machines in the cloud. But if the machines they run on are virtual, how can persistence be ensured? Enterprise relational database management systems typically run on expensive robust and highly reliable hardware...
17.6.2012 | 6 Minuten Lesezeit
Verwendung GPL-lizenzierter Komponenten in kommerziellen Projekten
Software, die unter der GNU General Public License lizenziert ist, ist freie Software, und alle Software, die auf GPL-lizenzierten Komponenten aufbaut, ist ebenso frei und muss ebenso unter der GPL lizenziert werden. Daher wird häufig angenommen, dass...
29.5.2012 | 8 Minuten Lesezeit
Set-up of a small Riak cluster with VirtualBox, part II
This is the second part of a small tutorial to set up a small Riak cluster using VirtualBox. In the first part , we explained how to install and set up the first node. Adding Riak nodes Let us now add more nodes to set up a real cluster, even if a small...
23.4.2012 | 6 Minuten Lesezeit
Set-up of an small Riak cluster with VirtualBox, part I
Introduction The aim of this article is to show how to set-up a small Riak cluster using VirtualBox. Riak is a NoSQL database of the key-value-type. Objects in the database are uninterpreted atomic binary entities. They are addressed by unique keys. ...
22.4.2012 | 6 Minuten Lesezeit
Cloud, soziale Netzwerke & Co.: vernetzte Trends erkennen und bewerten
IT-Trends zu beobachten, ist wichtig, um sich rechtzeitig auf neue Herausforderungen einstellen zu können. Auf der anderen Seite ist es genauso wichtig, die richtigen Maßnahmen zu ergreifen und keinen kurzlebigen Hypes aufzusitzen. Das übliche isolierte...
23.2.2012 | 1 Minuten Lesezeit
Selenium 1 Remote Control Plugin for Firefox 5 and 6
Selenium is a powerful tool for web browser automation. As such it is an important component in many test set-ups for GUI or acceptance tests. It’s current version is 2, Selenium Webdriver. But many people still use version 1. Unfortunately the Selenium...
20.9.2011 | 2 Minuten Lesezeit
Kommerzielle Nutzbarkeit der Daten von Twitter und Facebook
Persönliche Statusmeldungen, die Nutzer auf Twitter oder Facebook hinterlassen, sind zweifelsfrei nicht nur für deren Freundeskreis, sondern auch für Unternehmen interessant. Dabei geht es nicht nur um Kommentare über Unternehmen, sondern durchaus auch...
7.7.2011 | 6 Minuten Lesezeit
Personenbezogene Daten in der Cloud
Das Thema Personenbezogene Daten in der Cloud hat mindestens zwei Perspektiven. Da ist die Perspektive des Endanwenders, wo wir als Benutzer uns fragen, ob unsere Daten in der Cloud sicher sind. Und dann gibt es die Unternehmensperspektive. Stellen Sie...
17.5.2011 | 6 Minuten Lesezeit
Dein Job bei codecentric?
Agile Developer & Consultant (w/d/m)
An allen Standorten
Gemeinsam bessere Projekte umsetzen.
Wir helfen deinem Unternehmen.
Du stehst vor einer großen IT-Herausforderung? Wir sorgen für eine maßgeschneiderte Unterstützung. Informiere dich jetzt.
Hilf uns, noch besser zu werden.
Wir sind immer auf der Suche nach neuen Talenten. Auch für dich ist die passende Stelle dabei.
Senior IT Consultant, Cloud and Data Architect
Do you still have questions? Just send me a message.