France bans Office 365 and Google Workspaces for schools and public administration. I can't read the thing but hopefully somewhere it says "BECAUSE CLOUD IS STUPID STUPID STUPID FOR THINGS LIKE THIS"

siecledigital.fr/2022/11/17/le

#cloud

@jrm4 It’s mostly about overcollecting personal data (telemetry) and taking it outside the jurisdiction of European regulators.

@whvholst @jrm4

I saw somewhere (can't easily find again now) that the ban does not include paid versions, where there is some contract that specifies something about data usage. Do you know if that's true?

@robryk @whvholst

I don't, but it's a damn great idea in general; if you use cloudy things, only use ones that you *must* pay for.

This creates contracts and people you can call and yell at and beg -- and sue if things go wrong.

I've paid for email and hosting for over 20 years. Super inexpensive and absolutely worth it.

(poor girls and guys on the other end of the chat gotta deal with my reckless brand of "web administration" but that's what they're for :) )

@jrm4 @whvholst

I thought the original reason for this decision was some sort of "can our data be accessed from out-of-EU" sort of thing. If so, I'd wager that whatever agreement there doesn't specify that with enough precision to actually have that effect. (OTOH I do believe that the agreement is probably good enough to ensure that _in the ordinary course of business_ that data will not be accessed from out-of-EU-or-some-similar-notion).

@robryk @jrm4 There are at least three issues in play: 1) these solutions gather way more telemetry than can be justified from a data protection perspective, and 2) for purposes that are not controlled by the user organisations, and 3) possibly transferred to third countries (non-EEA) with insufficient checks and balances on their state security apparatuses' surveillance. Ordinary course of business is not a relevant criterion here.

@whvholst @jrm4

I'm confused. You described why ordinary course of business is the yardstick you want to measure it by, and then said it's not.

By ordinary course of business I meant making e.g. assumptions that no (or insufficiently many) malicious insiders exist. Did you understand it in some other way?

@whvholst @jrm4

Where did I see you say it's not the yardstick:
> Ordinary course of business is not a relevant criterion here.

Where did I think you described it as the yardstick: you talk about purposes of data usage and ways existing data is used. Well, if data is accessible from someplace, it _can_ be used for any purpose. We're relying on the company doing its business in the way it claims to/intends to, in order to ensure that it's used only for some purposes and made accessible only from some additional places. IOW, technical controls do not understand "purpose", so they can't filter on that, even in principle.

@robryk @jrm4 If the data is held in, say, Ireland, the Irish government is still bound by the European Convention for Human Rights if it demands the data for, say, prosecution of a crime or intelligence purposes. That is a safeguard that is in place, for access that is not ordinary, but can and will happen. If it is held in the USA, the ECHR does not apply anymore for the same type of access by the US government. See now why "ordinary course of business" isn't the yardstick here?

@whvholst @jrm4

What does "held in" mean?

Motivating examples:
- there's a machine in Ireland that contains the data and happily provides it on request to a machine in US,
- data in encrypted form is in X, and the key is in Y,
- we've split the data into two so that XOR of the two pieces yields the original data, and each of the pieces alone is random.
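The third example above, the two-piece XOR split, as an added illustration that is not part of the thread: each piece is generated with a fresh random mask, so a party holding only one piece cannot tell which plaintext it belongs to, and the data is only "held" where both pieces can be brought together. The sample plaintext and function names are constructed for this example.

```python
import os


def split_xor(data: bytes) -> tuple[bytes, bytes]:
    """Split data into two shares such that share_a XOR share_b == data.

    share_a is a uniformly random mask of the same length as data, so on its
    own it carries no information about data; share_b is data masked by it and
    is therefore also uniformly distributed when viewed alone.
    """
    share_a = os.urandom(len(data))
    share_b = bytes(d ^ m for d, m in zip(data, share_a))
    return share_a, share_b


def reconstruct_xor(share_a: bytes, share_b: bytes) -> bytes:
    """Recombine two shares; requires both pieces, of equal length."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must have the same length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def counterpart_for(share: bytes, candidate: bytes) -> bytes:
    """Given ONE share and any candidate plaintext of the same length, return
    the other share that would make the pair decode to that candidate.

    This is what makes a single share useless to whoever holds it: every
    plaintext of the right length is equally consistent with it, so holding a
    share in one jurisdiction reveals nothing without the piece held elsewhere.
    """
    if len(share) != len(candidate):
        raise ValueError("candidate must have the same length as the share")
    return bytes(s ^ c for s, c in zip(share, candidate))


if __name__ == "__main__":
    # Constructed sample record (placeholder, not real data).
    record = b"pupil:EXAMPLE-ID-0001;grade:7"
    piece_in_x, piece_in_y = split_xor(record)
    assert reconstruct_xor(piece_in_x, piece_in_y) == record
    # Holding piece_in_x alone, a completely different record is just as
    # plausible: there exists a piece_in_y that decodes to it.
    other = b"pupil:EXAMPLE-ID-9999;grade:3"
    assert reconstruct_xor(piece_in_x, counterpart_for(piece_in_x, other)) == other
    print("both pieces needed; one piece is consistent with any plaintext")
```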


@whvholst @jrm4

One more example:
- data is on a machine in Ireland, which receives automated software updates from a machine in US.
