back to article Cheers Ireland! That sorts our Safe Harbour issues out – Dropbox

Following Twitter’s lead, Dropbox will treat Africans, Asians and Australians as Europeans from June 1. The file transfer site has updated its privacy rules so that all accounts outside North America will be managed by Dropbox Ireland. This means that stricter European data protection laws will apply, rather than US rules. …

What good will it do?

Doesn't the patriot act allow the us to order any company with a presence there to hand over any data whereever it's held? Microsoft seems to be in an ongoing battle about something like that (which isn't even a 'real' patriot act case, if I remembe correctly, because nobody would know about it if it was).

So when Safe Harbour is axed, american companies will simply start losing their customers (the ones that have their brains in gear, that is...), whether they store their data outside the us or not.

13
0
Silver badge

Re: What good will it do?

Good for Dropbox. I know of two significant cases where US companies have lost out on deals because of lack of trust that the US government wont just take the data. I'm honestly starting to think that the US government wont be satisfied until they have driven all data business offshore.

In response to the OP's question about what good it will do, it's a legal commitment from the company to protect your data so you have assurance that they're not handing it over to the US government. They COULD hand it over, but just because the US government tells them to, wont mean that they aren't breaking laws in Europe to transfer that data over. It's a pretty clear statement from a company as to what they will and wont do. It's the difference between saying "we make no promises" and "we're making a promise and it will severely damage our business if you catch us breaking it and you can probably sue us for it, too".

Worst case scenario if US government plays really hard, is to take their ball and go home (to Europe). MS would find that really painful as well as it damaging relations with the US government so for them it would be an absolute last resort that I don't know they'd ever do (though they're fighting extremely hard to keep from handing over data so credit to them). A company like Dropbox? Yes - they could relocate.

5
3

Re: What good will it do?

They COULD hand it over, but just because the US government tells them to, wont mean that they aren't breaking laws in Europe to transfer that data over.

Most such demands come with gagging orders. Breaking the law is easy when nobody knows it's happening.

As for data being stored in Ireland, has any assurance been given that employees in the US won't be able to access it remotely? Without that assurance the location of the server or who it's being managed by is irrelevant.

As things stand US company = US law. If safe harbour isn't acceptable then neither is using a US company for services.

2
0
Silver badge

Re: What good will it do?

>>"Most such demands come with gagging orders. Breaking the law is easy when nobody knows it's happening."

Well obviously there are no consequences to breaking the law if you don't get caught, that's not the point. The point is that they would now be breaking the law and they really don't want to do that.

>>"As for data being stored in Ireland, has any assurance been given that employees in the US won't be able to access it remotely"

Access to the data is part of the data protection laws. You don't get around them by simply saying the file the person was reading was on a server in Ireland - you're still granting access to people who shouldn't have it and transmitting it outside the agreed jurisdiction.

1
1

Re: H4rm0ny

This is utter tosh - seriously. If the US gov approach Dropbox with a s215 order (which always comes with a gag attached) are you seriously going to tell me that the executives from Dropbox are going to refuse and go to jail instead? Don't be ridiculous.

This is a PR stunt and nothing more, it makes absolutely zero difference to the US surveillance machine being able to access that data. Furthermore, the Irish DPA can't do jack about it - they don't even have the power to issue fines/penalties.

Please go and educate yourself on the matter, it might save you the 5 minutes it took you to write that nonsense you wrote above.

1
0

Re: Frank

Absolutely correct, in the Microsoft case the DoJ is using the Stored Communications Act because it really is that easy for the US gov to demand data from US companies. Of course s215 of the PATRIOT Act could have been used as well and will probably be the instrument used in these situations where US companies are setting up subsidiaries in Europe (Twitter, Dropbox etc.) as it comes with a gag order.

I wrote about the situation here:

http://itsecurity.co.uk/2015/03/eu-data-centers-are-not-safe-from-us-surveillance/

The problem is there is a huge amount of mis-reporting on the issues in the general press and I am still trying to figure out if that is down to a lack of fact gathering or a vested interest to support the deceptions.

1
0
Silver badge

this sounds oddly familiar

Isn't this just the sort of thing that Worstall has been hammering on about? namely just because you're the bbiggest game in town now doesn't mean that people won't look elsewhere if you make unsuitable to continue to do business with a country.

Also, so much for America's much vaunted freedoms. How do they not see the damage they're doing to they're reputation?

8
0
Gold badge

Re: this sounds oddly familiar

"Also, so much for America's much vaunted freedoms. How do they not see the damage they're doing to they're reputation?"

I think they do, for some values of "they". In fact, the whole affair is shaping up as the irresistable force of money meeting the immovable object of the security hawks. (Given the difficulties of amending the US constitution to turn it into a police state, my money's on the, er, money.)

6
0

Re: this sounds oddly familiar

America is highly insular and quite honestly they don't give a rat's behind about how foreigners perceive them. In their mind they are the be all and end all; the alpha and omega.

1
2
Silver badge

Re: this sounds oddly familiar

In fact, the whole affair is shaping up as the irresistable force of money meeting the immovable object of the security hawks.

As it generally does. US history is one long tussle between the public and private sectors for access to resources. As Heilbroner pointed out in 21st Century Capitalism (and it's hardly a novel observation), one advantage liberal capitalism has over centrally-planned economies is this tension between Business and State, which helps obstruct the worst excesses of both.

Of course the surveillance state is good business too, for many, just as other aspects of the Eternal War on Everything are. But as you suggest, it reaches a point of diminishing returns, and then more and more of the moneyed interests start pushing back. Add to that the normal pendulum of public opinion ("We don't know anything, but we don't like whatever's happening right now!") and we'll likely see another period of "reform" where government overreach is trimmed back a bit for a little while, and everyone nods sagely and observes that we've learned our lesson this time.

0
0

Its not clear to me whether...

The move is to do with data legislation, or Dropbox attempting a little tax avoidance. Comments?

3
3

Re: Its not clear to me whether...

I'm in the middle of an ongoing correspondence with Dropbox about this. So far they have been unable to list a single concrete example of the specific benefits that being a customer of Dropbox Ireland will give me.

It's rather suggestive to me of the fact that they're doing it for tax purposes rather than out of the goodness of their hearts and concern for their global customers' privacy.

This article might be absolutely on the money, but it feels more like someone's fishing around for a justification after the fact.

4
2

Re: Its not clear to me whether...

Tax; I can hear the spin from here ! Why would it be anything else.

2
1

Re: Its not clear to me whether...

If it had anything to do with data legislation, then the little clause about dealing with legal issues would point to a european court, instead the T&C's they give for overseas customers still point to all legal issues being dealt with in a Californian court.

3
1
Anonymous Coward

Can Canadians be part of Europe too?

At least the French-speaking part where the Conservatives are kept at bay?

3
1

Already moved to Seafile. Too little too late. Remember who sits on their board.

2
1
Anonymous Coward

Does anyone know the corporate structure?

The problem is that this only works if Dropbox Ireland is entirely independent off Dropbox US, and not a subsidiary because they are otherwise exposed to political and judicial leverage. Ditto if Dropbox Ireland management has US passport holders in it, and if Dropbox Ireland uses US capital.

It's not just about laws, it's also about leverage. Come to think of it, what evidence is there that storage isn't, err, "leaking"?

3
0

Don't think it changes anything

If Dropbox are still transferring data outside of the EU, then they are still going to be relying on SafeHarbor regardless of where the account is managed.

The only way it makes any difference is if Dropbox change the way their system works and they specify that data doesn't leave the EU.

0
0
Silver badge

Re: Don't think it changes anything

The way I read it is that all non-US data will be hosted in the EU. If a customer is non-EU and moves data in/out of that storage there is no problem as it is their data so Safe Harbour does not apply. The problems would only come if Dropbox move it without the customer asking them to.

1
0
Silver badge

Re: Don't think it changes anything

It's not about where your data is hosted, it's about where your legal agreement with the company is hosted.

A legal agreement hosted in Ireland will need to meet different legal requirements and will answer to different courts than a legal agreement hosted in the USofA (according to International law at least, even if the Merkins disagree)

Within that legal agreement will be the terms that cover where your data is hosted and those should be in line with the regulations in force in the country where the legal agreement is hosted.

0
0
Gold badge

Re: Don't think it changes anything

It's not about where your data is hosted, it's about where your legal agreement with the company is hosted.

It's a bit more complex than that, because the company also has to comply with the laws where it is located, and on top of that you also have the jurisdictions of all the countries through which your data travels - a factor you usually have no control over but which could in Europe involve countries such as Sweden where the FRA law was only tuned down a bit after protest.

0
0

Makes ZERO difference to Surveillance

Dropbox irish company is a wholly owned subsidiary of Dropbox in the US as far as I can tell and as such PATRIOT and FISA still apply - US gov can force Dropbox to hand over data/give access to systems with the same secret court orders and gag orders as they could if the data was held in the US.

This is nothing but sleight of hand intended to mislead customers into thinking that their data will no longer be subject to US surveillance laws - it is wholly unethical and intentionally misleading. Personally I trust any company which uses such tactics even less than I trusted them before.

I recently wrote about the situation here:

http://itsecurity.co.uk/2015/04/is-twitter-misleading-its-users-on-data-protection/

I really wish the press would start to make this point clear in their articles - by failing to mention it they are basically complicit in the deception. It is poor reporting at the very least.

1
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018