US Supreme Court Just Blew Up EU-US Data Transfers
184 points
4 hours ago
| 9 comments
| noyb.eu
| HN
manueltgomes
1 hour ago
[-]
Switching to EU companies is often the solution, but also we're in a tricky position in Europe since alternatives exist but can't compete with US. So finding European alternatives is possible but hard. Also EU is doing its job enforcing privacy and anti-competition laws but then American companies just say "feature not available in EU" (like Apple is doing more and more for example), making things even harder to switch. Like nick mentioned, even EU official sites use CloudFront so it's a tricky process.
reply
yread
41 minutes ago
[-]
Switching to EU companies is easy. Switching to EU companies that don't have American companies as sub-processors is a lot harder.
reply
gb2d_hn
47 minutes ago
[-]
Think the issue is that it was supposed to be a 'world wide web', but increasingly there's caveats to that.
reply
shevy-java
1 hour ago
[-]
This is even worse. For instance, in a medical university, we recently were told we need a smartphone and install an app from Google store (!!!), in order to read emails sent out by officials at the medical university. I protested to that but they had a deal already with the private company and their signature meant they had to keep on being addicted to that private company, so now I am locked out of receiving emails since for redirect you also need to have that app installed once. I don't have a smartphone though and I find it outrageous that people are forced to install it AND forced to use Google Store, for publicly funded (!!!) universities here in central Europe. Some lobbyists are currently getting very rich. I call it theft of taxpayer's money though.
reply
dgellow
1 hour ago
[-]
What country? Which university?
reply
tempfile
1 hour ago
[-]
I don't know where you are, and I'm not an expert, but a job requiring specific technology typically means it is your employer's responsibility to provide that technology. So if they signed a contract that mandates you have a smartphone, you can use your own if you like, but I think they are legally required to provide you with one if you choose not to buy one. In fact in most cases, I think they should prefer that (since the security of your personal device is very much none of their business).

I think this is kind of a ticking time bomb with a lot of companies depending on personal devices for 2FA.

reply
LadyCailin
29 minutes ago
[-]
They might be a student, in which case the rules might be much less in their favor.
reply
tempfile
9 minutes ago
[-]
oh, of course. How did I not think of that!
reply
soco
1 hour ago
[-]
"après moi le déluge" - said every public sector purchase decision maker ever.
reply
soco
1 hour ago
[-]
Which is exactly the point of the whole "sovereignty" debate: on one hand there's a lot of slop about "national interest" and "privacy" and "features" and such, and on the other hand management decides for whoever offers something (anything) cheaper and with a golf tournament on top. And then everybody moans and complains about the situation.
reply
CalRobert
1 hour ago
[-]
European companies just ignore privacy and make their lawyers write increasingly contorted cya statements. I’ve worked in several and the idea we shouldn’t be using American hyperscalers (remember, the CLOUD act means hosting in Europe is useless) gets laughs.
reply
znpy
41 minutes ago
[-]
the issue with EU companies is often the mindset: https://julien.danjou.info/blog/europes-cloud-problem-isnt-t...

As tech worked who has worked in US FAANGs (still in europe)... the difference is immense.

EU companies simply can't compete and will never be able to compete until they change the mindset. And the change must be pervasive, across all aspects (including IC compensation).

reply
jve
13 minutes ago
[-]
Oh boy, that server story is painful to read. That ain't universal across providers. I work at european data center and was a tech and the worst SLA is like next business day and even then if our hardware is at fault, you won't be waiting for the next day for us to start taking action on it. And if you have a feeling you're left in dark, you can even pick up the phone at middle of the night to call our support and either get some status or light some fire that will prioritize the process in the pipeline (well, to actually DO something other than cold reboot at night time you may need to purchase SLA that will require involvement of higher support level at nighttime/holiday)

There are some things that I'd like to be improved in technical support side, but we are way better in "human reachability", responsiveness and "blame game" point of view than US hyperscalers.

reply
bryanrasmussen
22 minutes ago
[-]
if the EU furniture maker has the correct mindset and the EU tech company does not then it seems to me the conclusions fall apart

>European tech imported the product ambition. It forgot to import the customer obsession that’s supposed to come with it.

The French furniture maker didn't import the customer obsession. I agree that U.S tech in these particular subsets are better at the EU doing it, and that needs to be fixed but you can't really talk about how great U.S tech is when you can also point at thousands of horrifying lack of support stories from them also.

U.S Tech has a good mindset for replacing hardware when it fails, they have a good workflow for that. The idea that they have good support however should be tempered by regular reading of some sort of online tech news aggregator.

reply
raverbashing
56 minutes ago
[-]
Obviously

Behind all the legal wabble-dabble I think it would be funny if they pull the plug and realize the lights go out

reply
rdsubhas
1 hour ago
[-]
Yeah the problem with EU is that once "compliance" becomes the only reason, lethargy kicks in. Their players stop competing because they have no incentive to, the compliance will keep them afloat.

I would assume the same here. If they are forced to move to EU just because of compliance, the alternatives would remain poor quality.

reply
khalic
57 minutes ago
[-]
This is simplistic to the point of meaninglessness
reply
Chu4eeno
4 hours ago
[-]
I wonder how many billions in lobbying money Schrems has cost various big companies.

The treaties and deals he has managed to torpedo by forcing courts to uphold privacy laws is insane (and impressive).

reply
amarant
2 hours ago
[-]
Doing business with the US is just impossible these days. If this trend continues any further the US is gonna end up a piranha state with no allies and no business partners.

I'm really not sure what consequences that'll have for the rest of the world, but it looks like we're about to find out

reply
recursive-call
1 hour ago
[-]
pariah: outcast, disliked

piranha: carnivorous fish

reply
Etheryte
1 hour ago
[-]
Also piranha: Brazilian Portugese slang for hooker.
reply
rapidaneurism
1 hour ago
[-]
Do they mob potential Johns?
reply
roysting
1 hour ago
[-]
Accidental accuracy
reply
Lucasoato
30 minutes ago
[-]
Pearà: very peppery cream from Verona, served best with boiled meat
reply
mistersquid
1 hour ago
[-]
> piranha: carnivorous fish

Nice callout.

Neither here nor there, but many (most?) fish are carnivorous.

reply
nicoburns
30 minutes ago
[-]
I think the key difference with piranhas is that they eat humans. Most carnivorous fish eat other fish or water-dwelling creatures.
reply
coderbants
1 hour ago
[-]
Name checks out.
reply
bryanrasmussen
21 minutes ago
[-]
everybody loves piranha!
reply
rusk
1 hour ago
[-]
Sounds right
reply
IncreasePosts
1 hour ago
[-]
paraná: a state/river in southern Brazil
reply
amarant
18 minutes ago
[-]
Paranaueee!
reply
coffe2mug
1 hour ago
[-]
Sadly nothing will change.

- Pretty sure a large number of politicians are using claude, chatGPT etc.

- Majority of researchers in EU are dependent of all of US SV companies. There are nothing equivalent. EVen if there is mistral or other open source llms - every damn Uni/company is uploading everything to claude or open AI or gemini.

- Majority see these but just move on

- 99% of EU politicians either dont care or show apathy or worse live in a moat

- Ideally EU could have forced iphone, Google to openup. They did not.

- Same with taxation. Ireland fights EU to give tax breaks

- Its f*king broken system

reply
rusk
1 hour ago
[-]
The concern is not so much that the US will lose friends moreso that other business partners will become more prominent. The US has a lot of social capital to burn. I’m not certain that somebody hasn’t calculated how much they can get away with…
reply
vlian2088
1 hour ago
[-]
the other ~~subsidiary of AIPAC~~ party will be in power again in less than 3 years and everything will go back to business as usual. a divorce from the US is the last thing the EU really wants.
reply
hparadiz
25 minutes ago
[-]
Your racism is showing.

>> 2088

Noticing

reply
nickslaughter02
1 hour ago
[-]
Europa, the official web portal of the tech sovereign European Union, will have to change their CDN provider (Amazon's CloudFront).

https://europa.eu

reply
AndroTux
1 hour ago
[-]
So will https://wero-wallet.eu - you know, the European alternative to VISA/MasterCard.
reply
cesaref
1 hour ago
[-]
Unless that site collects personal information, it's fine isn't it? This isn't about where stuff is hosted, it's about privacy.
reply
AndroTux
1 hour ago
[-]
IPs are personal information afaik
reply
throwwwll
1 hour ago
[-]
Yes, they are
reply
hahahaa
1 hour ago
[-]
Can they even use a CDN now?
reply
dgellow
1 hour ago
[-]
We have European CDNs
reply
znpy
37 minutes ago
[-]
BTW I honestly think they could get away with running a few instances of Varnish/Vynil and call it a day.
reply
seydor
2 hours ago
[-]
The EU keeps trying to manifest the missing european data infrastructure via data regulation instead of outright bans and limits on american companies, the way China did it.
reply
bambax
1 hour ago
[-]
The EU should cut all ties with the US, tax US products and impose costly (and difficult to get) visas to American citizens wanting to visit.

It won't do any of this because it has no balls and no vision.

We're doomed and it's our fault.

reply
danmaz74
2 minutes ago
[-]
No, we shouldn't act like (stupid) children. We should enact a transition based on what we can do and when. I know that nuanced and complex solutions to complex problems don't fire up voters anywhere, but that's the only way to not shoot our own feet.
reply
CalRobert
1 hour ago
[-]
Alternately, it should roll out the red carpet for American entrepreneurs, scientists, and talent who want to try moving here and having a go of things in Europe. The Dutch American Friendship Treaty accidentally enables this and has become quite popular, but is only for one country.
reply
joe_mamba
42 minutes ago
[-]
And then what's gonna happen to the (already fucked)Dutch housing market?

> it should roll out the red carpet for American entrepreneurs, scientists, and talent who want to try moving here and having a go of things in Europe

Only if it's bidirectional. If Americans can gentrify me out of the EU housing market with their higher purchasing power, then I should also have access to their labor market for those six figure wages to compensate. Tit for tat, as freedom of movement works in the EU. Otherwise it's just monetary colonialism. Imagine if Swedes were allowed to move to Spain but spaniards would not allowed to go work in Sweden.

reply
AndroTux
1 hour ago
[-]
They should, but the entire EU economy runs on US clouds. It's hard enough to get new hardware as it is (US hardware btw), so how should the EU, especially today, move to sovereign clouds within the next few years?

I'd argue every single EU business with more than five employees would be impacted by such a decision. Just pulling the plug would be economic suicide.

reply
hahahaa
1 hour ago
[-]
Time to dust off that sampling profiler and make code way more efficient, simple and well architected.
reply
rusk
1 hour ago
[-]
> no balls and no vision

Seems to me they’re waiting it out. Everything could change in a presidential election and the European economy wins either way. It is an economic bloc after all.

What you describe would be what’s called “cutting off your nose to spite your face”

reply
GolfPopper
1 hour ago
[-]
The problem with "everything could change in a presidential election" is that offers no stability. No one wants to plan around "maybe the United States goes rabid again in four years".
reply
BlueTemplar
1 hour ago
[-]
For the worst, you mean ?

The current arrangement has been torpedoed a long time ago already, with the Patriot Act (2001) (though it took many years to understand the extent of it).

reply
watwut
1 hour ago
[-]
> Everything could change in a presidential election

A lot can change, but not everything. Trump won twice and republican elites are fully behind him. Even if he looses, the same ideologies will continue. It happened twice, it is not a fluke but a permanent property of American politics.

Moreover, constitutional changes supreme court created are structural change. They will be super hard to undone - first they would need to change supreme court composition. The influence of money in American politics will just grow, the structural advantages of conservatives have in voting system will just grow and next conservative president will have even more space for maneuvering. (Non conservative one will likely be stopped by supreme court on some excuse.)

So, basically, outside of change actual constitution which is impossible, it will stay the same at best in the long term.

reply
rusk
1 hour ago
[-]
I agree with everything you have written here, however even in the face of that it makes “economic” sense for the EU to wait it out.
reply
watwut
57 minutes ago
[-]
If it means "be strategic and start making necessary long term adjustements without entering useless temporary pissing contests" I agree.

If it means "wait and change nothing long term, hope it will be better" I dont.

reply
drstewart
1 hour ago
[-]
Europeans should cut ties with their own fascist, Russian sympathizers leading the polls first, then worry about Americans.
reply
dgellow
1 hour ago
[-]
We can and should do both at the same time
reply
sublimefire
1 hour ago
[-]
Privacy laws are actually one of the very useful things that came out. It is difficult to do the same in the US because of the business lobby. It is crazy that US citizens data can be purchased in the “black” market and the used by the agencies. Leaving tech companies to self regulate is just not viable and it is proven time and time again they cannot do it.
reply
armchairhacker
1 hour ago
[-]
Outright bans would destroy European companies that rely on American companies. First they need to build their own infrastructure (which China has done).
reply
shmeeed
59 minutes ago
[-]
Legislation for a ban will take years anyway, and will have sunrise/sundown provisions. This will provide ample time to build the infrastructure. But infra won't happen without mandating the transition, since market incentives will always pull against it.

The time to start this process is now.

reply
BlueTemplar
58 minutes ago
[-]
What kind of 'infrastructure' did China have when they had "fallen out" with Google (in 2010?), that the EU does not have now ?
reply
jimbob45
1 hour ago
[-]
Ban, limits, and regulation won’t solve a country with too many worker protections. The EU simply can’t compete in the modern globalized world.
reply
barnabee
1 hour ago
[-]
The only answer isn't to sink to the lowest common denominator.

Ban or tax things from the "globalised" world that are just worker/societal/environmental protection arbitrage so they're competing for the EU market on a level playing field, then we'll see who can compete.

The EU is plenty big enough to be self-sufficient if it has to and shouldn't be afraid of risking this if abusive and exploitative companies from other places don't way to pay their way.

reply
dgellow
1 hour ago
[-]
The EU isn’t a country, which is exactly why things are lacking vision and feel confusing. The EU is actually too decentralized and fragmented for its own good, contrary to what people whine about. We need more federalism, and an actual single market
reply
hgtt664868
1 hour ago
[-]
slashing worker protections would do what exactly?
reply
CalRobert
1 hour ago
[-]
Tbf it could reduce hiring friction and make it easier to take a chance on a riskier hire. Also makes it easier for workers to change jobs, notice periods here can be outright insane (3 months in some cases) and even as an employee I hated them.
reply
someonebaggy
23 minutes ago
[-]
Is a 6 month probationary period not good enough to take a chance?
reply
shmeeed
57 minutes ago
[-]
You pick it. From what I keep hearing, it's a cure-all. /s
reply
eecc
1 hour ago
[-]
free the "animal spirits"?

/s

reply
0dayz
1 hour ago
[-]
It's more simple than that; lack of investment due to various factors among which some are due to regulations, but also because the lower ROI you get in the USA due to corporate culture, higher cost in general (wages, energy, resources, manufacturing, etc.), slower economic growth and so on.
reply
geraneum
1 hour ago
[-]
Reduced worker protections -[somehow]-> better worker output. /s
reply
eecc
1 hour ago
[-]
the [somehow] is pretty clear: exploitative working conditions.
reply
joe_mamba
23 minutes ago
[-]
Check Swiss worker protections compared to France or Germany and then check their economy and tech companies there. Biggest Google office outside the US is in Switzerland.

It's not better worker output, it's faster movement and pivoting to rapid changing market conditions as a company, if you can get rid of slackers that abuse unions and worker protections to coast and do nothing.

reply
atoav
4 hours ago
[-]
As a European citizen I do not trust entities located in the US to not abuse my private data ever since the patriot act.

If it was me that deal would have never came to be. If some EU entity decides to use Microsoft 365 can Microsoft guarantee that it won't give access to one US government agency or another? It really can't. Because if that EU entity wants to act in accordance with EU law, this matters. This is what that deal was for. Basically the EU saying "it is okay" although it never really was okay.

IMO we in the EU need to finally start doing our own stuff that adheres to our own laws and isn't subject to the whims of a mad king. Public Money, Public Code.

reply
nickslaughter02
1 hour ago
[-]
> As a European citizen I do not trust entities located in the US to not abuse my private data ever since the patriot act.

EU is working on mandating scans of all your private encrypted messages right now. EU data protection is marketing for the gullible.

https://news.ycombinator.com/item?id=48707719

reply
jeroenhd
1 hour ago
[-]
A small group of people from the EU parliament is going against the wishes of the EU commission in an attempt to force through a change that contains a subsection of the bill that tries to mandate E2EE scanning.

The way this is going is definitely worrying, but what you're saying is disingenous at best.

Furthermore, even if this passes somehow, that doesn't change the fact that the US remains an unreliable partner. Now we have two governments scouring through your data instead of one.

reply
dgellow
59 minutes ago
[-]
The EU isn’t a single entity, it’s a whole ecosystem of actors pushing their own agenda. The parliament, which represents the people, has been very clearly opposed to chat control
reply
pbasista
48 minutes ago
[-]
> Public Money, Public Code

This seems like a very good principle to adhere to in general. Anything that is funded by the public needs to serve the public interest, in my opinion.

Putting public money into e.g. proprietary software and proprietary services that are then operated and gated by a few selected companies, for profit, with their only goal being the rent seeking via long term government contracts, is in my opinion far from being in the public's best interest.

reply
sublimefire
57 minutes ago
[-]
I do not trust either but you have to at least agree that having some sort of mutually recognised data privacy framework is a good idea because the courts can enforce it then. Saying everything must be from EU is also slightly silly and we should instead have something similar like certification (cyber act ?) to ensure enough competition exists to avoid service degradation. IMO cryptography could be the answer to many privacy related issues for the cross border transfers.

Also these decisions related where the data is stored and which service is used are under control of each commercial org buying them. The risks are assessed at the end of the day and in case of any issues the providers change. Why would a publicly funded org store citizen data in the US is a question regardless of privacy laws though.

reply
rixed
2 hours ago
[-]
Who do you want to abuse your private data then? Some administration closer to home?

It's well overdue to take seriously and put all our efforts behind the many (various but little known) local-first initiatives.

See for instance: https://elfaconsortium.eu/ It's a race against time.

reply
frereubu
1 hour ago
[-]
> Who do you want to abuse your private data then? Some administration closer to home?

This is a very bad-faith question. If you want people to take you seriously, at least give them the respect of trying to argue with a strong, good-faith interpretation of what they're saying.

reply
jhanschoo
3 hours ago
[-]
For the skimmer/TL;DR'er, note that this article is by an advocacy group presenting their analysis of a situation, and then advocating and taking action on it: "Next Steps: Commission must repeal EU-US deal. noyb ..."

It is not reporting on an opinion of a representative or proxy of the European Commission.

reply
eesmith
3 hours ago
[-]
For the skimmer, the advocacy group was founded by Maximilian Schrems, whose legal cases first got the European Court of Justice to overturn the International Safe Harbor Privacy Principles (which described how a US company could legally store private data on EU citizens), and then got the ECJ to overturn EU–US Privacy Shield, which replaced the Safe Harbor principles.

These decisions are known as Schrems I and Schrems II after the founder of this advocacy group.

The newest version of that data transfer framework is called the Trans-Atlantic Data Privacy Framework. The European Commission deemed it sufficient, in no small part because they considered it (and more specifically the Data Protection Review Court, an extrajudicial executive branch tribunal) sufficiently independent of the president.

However, in January 2025, Trump fired the Democrat members of the review court, leaving it unable to reach quorum to make decisions, which highlighted it wasn't all that independent. Now it's clearly not independent.

I don't see how a Schrems III is not in the works.

reply
maratc
1 hour ago
[-]
You could both be right: Shrems III could be in the works, and TLA could be presenting their legal analysis as an established fact.

In other words, (a) no, the "US Supreme Court" didn't "Just Bl[ow] Up EU-US Data Transfers" – there's nothing in the decision even remotely addressing the transfers (nor the EU!) – but (b) the situation might progress in that direction (or it might not.)

reply
shevy-java
1 hour ago
[-]
So the US Supreme Court is doing here more and better for EU citizens (!!!) than the EU commission and EU courts are. Because the EU officials constantly keep on lying to EU citizens how our data is safe in the USA, which it clearly is not, even aside from Trump's brown shirts, the ICE snipers that have already killed US citizens in shootings. The world is a very strange place, but one good thing is that Trump's criminal gangster organisation has not undermined the whole US court system yet. And he is now too old and too demented to do so, so they will rally behind hugely uncharismatic losers such as eyeliner-boy "can't stop it with my make-up" Vance or "I change my opinion all the time" Mr. Rubio.

A big loser team.

reply
jeroenhd
1 hour ago
[-]
The US supreme court is correcting the lies the American government made when they assured the EU and its citizens that they can be trusted with their data. It's not just the EU lying, both sides are awful at this.

I don't know why the EU wants to trust the USA so bad, it's clearly unwise. It makes sense, because banning EU companies from using AWS/GCP/etc. would bankrupt the EU into a recession, but the way they're going about these things is very annoying.

That said, if the USA would actually keep its promises and adopt legislation that solves the reasons why the EU cannot give out a decent competency decision, the problem would go away entirely.

The Biden administration set up a precarious body within the government to resolve the issue rather than go through the normal lawmaking process, probably because it wouldn't go through.

reply
dgellow
52 minutes ago
[-]
> I don't know why the EU wants to trust the USA so bad, it's clearly unwise

We are too afraid of change and having to take responsibilities. Delegating to the US worked for decades, and it’s very hard to accept that we’ve done a mistake and need to take some risks ourselves. I feel it’s the same issue we have at European countries level.

But also, the EU is still a patchwork of entities that do not have a common vision of what the future should be. Hopefully losing our largest ally will push towards a closer, more federalist union. There is still so much work to do to unify the single market. I’m watching closely what is going on with the 28th regime[0] for that purpose

0: https://the28thregime.eu/

reply
jeroenhd
10 minutes ago
[-]
> the EU is still a patchwork of entities that do not have a common vision of what the future should be

For many, that's a feature, not a bug. The EU follows a democratic system consisting of many different countries with different types of government and different ideologies. It's not a unified federal government, as much as some people would like it to be.

The whole 28th regime concept seems extremely flawed to me. I understand the desire from a business perspective, but as a citizen I do not want a company to opt out of national legal protections and obligations by operating under some fantasy government. Unless this concept will be subject to the strongest, best-enforced regulations and tax rates equivalent to the highest tax rates within the Union, I do not want this project to happen, and I predict I'm far from the only one.

reply
watwut
45 minutes ago
[-]
> The US supreme court is correcting the lies

Nah. They are simply giving more power to Trump, power that he did not used to have and should not have. That is it. Supreme court is are advancing their own ideological goals and rewriting parts of constitution they don't like.

reply
jeroenhd
25 minutes ago
[-]
It has a tendency of doing so, but in this case the body that was supposed to patch over the requirements for EU data transfer was flawed in its design.

The reason this house of cards was necessary in the first place is that the American government does not want to grant foreign citizens the rights necessary to ensure the privacy guarantees the EU requires.

American courts deciding that institutional independence is bad now is awful for American citizens, but it's not supposed to be very relevant to the EU like this.

reply
xiphias2
2 hours ago
[-]
EU needs to decide if it wants to do data processing or not.

If it’s a yes, it needs datacenters and get a lot more energy.

If no, it needs to transfer data to US for training/inferencing on it.

reply
joe_mamba
2 hours ago
[-]
>If it’s a yes, it needs datacenters and get a lot more energy.

It can outsource its data centers abroad too like it did with its manufacturing industry.

reply
ShinyLeftPad
1 hour ago
[-]
or wait for the bubble to burst and come out on top.
reply
noosphr
1 hour ago
[-]
The internet is a fad and will pass any day now.
reply
general1465
1 hour ago
[-]
Current AI companies with trillion USD valuations, models which costed them billions USD to train and now have total addressable market few hundred approved entities are very close to being a fad.
reply
drstewart
1 hour ago
[-]
This. The US is playing the right move with solar panels, wait for the bubble to burst and then swoop in. Let China take the early losses.
reply
hahahaa
1 hour ago
[-]
Lol that is like saying let's wait AI out, not build fabs, TMSC will sell em cheap in 2030!
reply