EU-US Privacy Shield

My biggest customer is warning me that he won’t use any XOJO-made software in 2018 as long as XOJO Inc. is not certified for EU-US Privacy Shield: https://www.privacyshield.gov/list

@XOJO Staff: Any information on this topic?

You need to educate your client! Data sharing has nothing to do with the language an application is written in. Unless for some bizarre reason your client intends to share his data with the XOJO corp., it makes no sense.

[quote=345775:@Tomas Jakobs]My biggest customer is warning me that he won’t use any XOJO-made software in 2018 as long as XOJO Inc. is not certified for EU-US Privacy Shield: https://www.privacyshield.gov/list

@XOJO Staff: Any information on this topic?[/quote]
How about filing a feature request so we can have it looked at properly.

It’s not so bizarre. It’s about rights and trust. They use the Xojo IDE to review code and make fine adjustments that I am adopting back into the software (creating compiled software with my license). I can’t tell you much more but their policy is set, no chance to “educate” anybody.

At what point are they an EU entity sharing data with a US entity? Or better still, how are they handling JavaScript, HTML, CSS etc.?

If it’s a really big company, Tomas may not be able to discuss this topic with them. And if they say they won’t allow any software made with frameworks not certified within the Shield, Tomas may be out of luck.

BTW: I once worked in a big call center company and was allowed to create tools for our (so called) agents, with Xojo (REALbasic back then). From time to time, I had to deal with new restrictions or a simple “No, not like this”. There were people I could talk to about those restrictions, but never had a chance to be involved in such decisions. I just had to deal with them… :wink:

done…

Well, I am afraid I am too small for this…

[quote=345791:@Sascha S]If it’s a really big company, Tomas may not be able to discuss this topic with them. And if they say they won’t allow any software made with frameworks not certified within the Shield, Tomas may be out of luck.
[/quote]

The point is that you can’t certify a framework nor any other software for that matter because that is not what it is about. A company can be certified as meeting the requirements, but unless you are actually going to share data with them it makes no difference.

To become certified XOJO will need to look at its business practices, the way it stores and processes personal data and so on. And possibly make changes to the way they do business. And that includes all our registrations etc… expecting all that 'cause someone’s client got it wrong is a big ask.

And yes, I’ve had plenty of experience of having to sit down with corporate lawyers in big companies to explain to them just how wrong they had got it on topics such as open source licensing, data protection etc.

I am on your side @James Dooley, but if @Tomas has no chance to change their mind, he needs an answer to his question.

Seems odd, are they going to ask Free Software Foundation Inc to join for the use of gcc? You’d be hard pressed to use any computer without the inclusion of that.

Are they going to stop using their computers because Intel isn’t on the list, and their BIOS might be sharing data gasp… or gigabyte/asus etc depending on the mobo vendor.

Unlucky Tomas.

[quote=345775:@Tomas Jakobs]My biggest customer is warning me that he won’t use any XOJO-made software in 2018 as long as XOJO Inc. is not certified for EU-US Privacy Shield: https://www.privacyshield.gov/list

@XOJO Staff: Any information on this topic?[/quote]

It’s not clear to me from this post whether they are worried about

  1. information the IDE might send back to Xojo Inc.?
  2. information that an app COMPILED with Xojo might send somewhere? Since the framework DOES NOT send anything back to us or anyone else - you would have to write the code to do that and then it’s not Xojo that’s involved.
  3. information saved on Xojo cloud hosted servers?

@Norman: 3) is not a factor. I guess it’s a combination of both 1) and 2) but more 2) in particular. I am not a law expert nor am I able to discuss this topic. It’s more “eat or leave”. My rough guess: They try to minimize any possible legal infringements. They already have sources and are using the free IDE internally. But their admins and developers are not allowed to buy nor to use it in the future if the legal stage or foundation (EU Privacy and Data Protection laws) is missing.

#2 won’t involve Xojo Inc. in any way since the framework won’t just send data randomly to anywhere.
If it’s not in your code then data doesn’t get sent anywhere. Period.

The privacy shield framework is to
lay out a set of requirements governing participating organizations’ use and treatment of personal data received from the EU

Since there is no information sent from whatever software YOU write & give them to use there’s no reason they need Xojo Inc to register for this
We’re literally “not involved” as far as I can tell - at least not because of whatever software you give them

However, IF you’re sending them source code instead of compiled executables and they RUN this code in a free copy of the IDE, which is what your post made it sound like, then they could be insistent.
Send them compiled binaries & Xojo is out of the picture entirely since there’s no personal data received by us (unless you’re sending it in your software?)

Or just have them opt out of sending us any data.

I think the thing is that Xojo Inc. could just declare that they conform.
As you don’t do bad things (as far as I know), there is nothing needed to change, just to say you do things correctly.

I believe Christian is right. An organization can “self-certify” and the “Privacy Shield Principles” are here:

http://ec.europa.eu/justice/data-protection/files/privacy-shield-adequacy-decision-annex-2_en.pdf

Basically, clearly state you are not doing anything bad, make it easy to contact someone when concerns arise, etc. Just a cursory read, but it didn’t strike me as very difficult to do.

[quote=345890:@Christian Schmitz]I think the thing is that Xojo Inc. could just declare that they conform.
As you don’t do bad things (as far as I know), there is nothing needed to change, just to say you do things correctly.[/quote]

It’s not as simple as declaring you comply.
There’s a fair bit of bureaucracy and fees to get registered.

Well, some things need to be done.
Like the stuff I went through to become registered supplier for parts of USA and Canadian governments.

You make your apps, what data they send- or don’t send- is entirely up to you. We don’t control/direct/see it whatsoever.

With that said, if it does somehow impact you- favorite the case that was filed: <https://xojo.com/issue/49182> If there’s enough interest or demand, we’ll consider it.

Reading between the lines here, I think @Tomas Jakobs is a contractor for this client. He writes the code, but it sounds like the client has their own copy of Xojo where they can build, edit, and so on. Since the client is not willing to use Xojo any longer themselves, Tomas cannot either.