David Heinemeier Hansson

October 28, 2022

American data spies will never care where the servers are

In the two years since the European Court of Justice invalidated the Privacy Shield concept, European companies have been scrambling to pretend to comply with the ruling, without changing anything consequential about how they use American internet services. The erroneous consensus seems to have been that if only they could get an American provider to put their data on servers located in the EU, they'd be set. Or, if they were really fancy, put those servers under the ownership of a (wholly-owned) European subsidiary. But none of these shell games did anything to address the fundamental issue that the European Court of Justice ruled on. It was a total sham.

The reason the court struck down the Privacy Shield agreement was because American intelligence services, like the NSA, have been given legal cover to compel American companies to hand over data on non-Americans located outside the US without so much as a warrant. This is the mass surveillance regime that Snowden revealed to the world back in 2013, and one that largely continues to this day (despite minor amendments to the program's ability to spy on Americans). This regime is propped up by mechanisms like the kangaroo FISA court, which signs off on the surveillance authorized under the infamous Section 702.

Those mass surveillance mechanisms don't care in the slightest where the data is physically located. They only care about who controls the data, and whether those entities can be compelled to comply with US law, which sanctions this spying game.

If you're a European company having your email hosted by Microsoft, a Section 702 directive won't care one iota whether the physical email data resides in Redmond or Rotterdam. All that matters is whether the US government can compel Microsoft to let it snoop, and it can, because Microsoft is a US company, and that's really the end of that! (For ordinary law-enforcement requests, the 2018 CLOUD Act even says so explicitly: a US provider must produce data in its possession, custody, or control regardless of where it is stored.) No amount of indirection with server placement, legal structures, or other shell games will keep US intelligence services out of your data, if they want in.

Thus, it is impossible for an American company to offer European companies any guarantee of privacy that sidesteps mechanisms like FISA Section 702. Which is why the European Court of Justice ruled the way it did in the first place!

Now I fully understand why European companies and their American vendors have been keen to find a way to pretend to comply with the ruling without actually complying with the ruling. Because complying in full is essentially an outright ban on European companies using American internet services to store or process their data. It would erect a great privacy wall between Europe and America, which would keep out vast amounts of commerce, in order to protect Europeans from the American intelligence services.

And in typical European fashion, the ruling, and the popular interpretations of it, were coy about these obvious implications. The court left Standard Contractual Clauses standing but required each data exporter to assess, case by case, whether the laws of the destination country undermine them. That simply shifted the burden of arriving at the logical conclusion – a ban on most American internet services – onto individual companies. Which created a feast for lawyers all over Europe to concoct bespoke analysis and mitigation strategies on matters that should have been clear and universal. It was European bureaucracy at its worst.

But also European principles at their best! The European Court of Justice must have known that its verdict would be an earthquake for commerce, yet it chose to make it anyway, out of respect for higher principles, leaving both European companies and politicians in the awkward position of figuring out the details from there.

We looked into all these issues at length when the Schrems II verdict arrived back in 2020. We had a whole team of lawyers in the US investigate whether we, 37signals, as an American company, could construct any constellation of subsidiaries, servers in Europe, or whatever, to prevent something like FISA Section 702 from compelling us to hand over data on European citizens in the event the authorities came no-warrant knocking. The answer was clear: no.

Now the executive branches in the US and Europe have come up with a Privacy Shield 2.0, called the Trans-Atlantic Data Privacy Framework (EU-U.S. DPF). It includes a laundry list of vague commitments to European privacy principles while offering the Americans so many caveats that they can continue doing whatever the hell they want and have done all along.

In other words, it's another awkward piece of indirection that's highly unlikely to pass muster with the European Court of Justice. But because the wheels of justice turn so slowly with that court, it'll probably offer enough of a pretend cover for many years to come, so Europeans can continue using American services. While American intelligence services continue their mass surveillance regime with the same justification of fighting terrorism as ever.

So now we have another wink-wink-nod-nod attempt to pretend to comply with the original Schrems II ruling. One which invalidates the millions of billable hours invoiced by lawyers trying to find a bespoke way out of the uncertain liability since 2020. Brilliant. The perfect illustration of our age of bullshit jobs.

Meanwhile the real winners here are the companies that never bothered to engage in the charade to comply, the lawyers that played their expensive parts in the charade that was performed, and the American data spies who never skipped a byte.

The best part of it all is that we'll probably get a chance to repeat this dance in 2029, or whenever the European Court of Justice rules again. Get your tickets now for Schrems III: Return of the Austrian.

Bottom line: American companies will never be able to resist the demands of American intelligence services. It doesn't matter if their servers are located in Virginia or Paris or on the damn moon. Europe should either come to terms with that reality or raise a real privacy wall despite the costs. But until Europe makes up its mind, European companies would be smart to ignore the whole charade. Like most of them have done anyway.

About David Heinemeier Hansson

Made Basecamp and HEY for the underdogs as co-owner and CTO of 37signals. Created Ruby on Rails. Wrote REWORK, It Doesn't Have to Be Crazy at Work, and REMOTE. Won at Le Mans as a racing driver. Fought the big tech monopolies as an antitrust advocate. Invested in Danish startups.