EU-US Privacy Shield

Can't use any Apple hardware or software either, as they aren't registered.

Sucks to be Tomas, as this really sounds like an overreaction by his client, or their corporate lawyers, because they don't understand what is / isn't being sent in any direction and what they already control, and have just issued an edict "thou shalt…" without understanding the ramifications.

That Tomas won't be able to educate them is even worse for him.

After two years I bring up this issue again. Nothing has changed, as it seems to me, or have I missed something?
Just checked on the US Privacy Shield website whether Xojo is listed.

Then I have to stop using XOJO for this customer. Period. As long as the XOJO IDE is communicating back to the USA, transferring and holding any kind of data or metadata, XOJO Inc must enlist in the US Privacy Shield. It's as simple as that. The next audit will come and will find me and my tools outside any legal framework. Before I get kicked, I'd better kick XOJO. Sorry…

[quote=345915:@Norman Palardy]Can't use any Apple hardware or software either, as they aren't registered.
[/quote]

Well, Apple is registered, Microsoft as well…

[quote=450324:@Tomas Jakobs]After two years I bring up this issue again. Nothing has changed, as it seems to me, or have I missed something?
Just checked on the US Privacy Shield website whether Xojo is listed.

Then I have to stop using XOJO for this customer. Period. As long as the XOJO IDE is communicating back to the USA, transferring and holding any kind of data or metadata, XOJO Inc must enlist in the US Privacy Shield. It's as simple as that. The next audit will come and will find me and my tools outside any legal framework. Before I get kicked, I'd better kick XOJO. Sorry…[/quote]

Why would you expect anything to change? Your client has a bizarre interpretation of the law, and if they persist with it then there is not much you can do about it but adapt to their approach or lose the client.

So workarounds you might suggest:

  • Use an isolated PC/Mac
  • Blacklist the XOJO domain on their site

If all they need to do is review your code, would they consider using another editor to do it?

A bizarre interpretation of the law? No, I do not believe a state authority has a bizarre interpretation on this issue.

Of course they are registered; they are registered for a totally different reason: they process European data as defined by law, nothing to do with the sale or usage of their specific products. Your client has a basic misunderstanding of the law and an expectation of protections they are not entitled to. So long as they continue to believe this there is not much you can do; the world won't adapt to their view.

Does XOJO sell digital goods in Europe? Does XOJO collect and process data from EU citizens? (with every start of the XOJO IDE?) Then Privacy Shield is mandatory. I am not a lawyer, nor am I willing and able to discuss this any further.

You think a state authority can't get it wrong… well, I have a legal background, I have read the law, and I believe otherwise. On top of this, the fact that most other organizations in Europe seem to be able to work with it would suggest their interpretation is very much in the minority.

But at the end of the day it does not matter; you don't seem to have a choice but to accept it and adapt to their requirements if you want to keep the client.

I would not expect XOJO to certify any time soon, as they are not obligated to do so. Generally speaking, legal advice is not to commit to meeting obligations you don't have to. So unless a lot of developers start to have the issue, I doubt you'll see movement on it anytime soon.

@Tomas Jakobs: you never had anything to do with police, lawyers or judges? Of course state authorities can get it wrong.

Get the advice of a lawyer specialized in your topic.

[quote=450324:@Tomas Jakobs]After two years I bring up this issue again. Nothing has changed, as it seems to me, or have I missed something?
Just checked on the US Privacy Shield website whether Xojo is listed.

Then I have to stop using XOJO for this customer. Period. As long as the XOJO IDE is communicating back to the USA, transferring and holding any kind of data or metadata, XOJO Inc must enlist in the US Privacy Shield. It's as simple as that. The next audit will come and will find me and my tools outside any legal framework. Before I get kicked, I'd better kick XOJO. Sorry…[/quote]

Well, the framework doesn't phone home. Norman made that perfectly clear. If you suspect otherwise, please use Little Snitch or something similar to identify any communication you don't trust or expect.
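A scripted stand-in for the Little Snitch check suggested above, added here as an illustration; it is not code from this thread or from Xojo Inc. It parses the output format of `lsof -nP -iTCP -sTCP:ESTABLISHED` (command, PID, and a `local->remote` NAME column) and reports every established outbound connection whose remote endpoint lies outside an allowlist of networks the client already controls. The sample `lsof` lines, the IP addresses, the PIDs and the allowlist are all constructed for the example; run `lsof` yourself on the machine under review to get real input.

```python
"""Flag outbound TCP connections to endpoints outside a set of trusted networks.

Added example, not code from the forum thread or from Xojo Inc. Input is the
text printed by `lsof -nP -iTCP -sTCP:ESTABLISHED`; the sample below is
constructed, and every address, PID and network in it is made up.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of what `lsof -nP -iTCP -sTCP:ESTABLISHED` might print.
# 192.0.2.0/24 and 2001:db8::/32 play the client's own networks;
# 203.0.113.5 plays an external host the IDE has connected to.
SAMPLE_LSOF = """\
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Xojo     4242  dev    23u  IPv4 0x1a2b      0t0  TCP 192.0.2.10:52344->203.0.113.5:443 (ESTABLISHED)
Xojo     4242  dev    24u  IPv4 0x1a2c      0t0  TCP 192.0.2.10:52345->203.0.113.5:443 (ESTABLISHED)
ssh      5100  dev     3u  IPv4 0x1a2d      0t0  TCP 192.0.2.10:60001->192.0.2.20:22 (ESTABLISHED)
Safari   6000  dev    11u  IPv6 0x1a2e      0t0  TCP [2001:db8::10]:50000->[2001:db8::1]:443 (ESTABLISHED)
postgres 7000  dev     9u  IPv4 0x1a2f      0t0  TCP 127.0.0.1:5432->127.0.0.1:49152 (ESTABLISHED)
"""

# Constructed allowlist: loopback plus the (made-up) networks the client runs.
ALLOWED_NETWORKS = ["127.0.0.0/8", "::1/128", "192.0.2.0/24", "2001:db8::/32"]

# The NAME column: local->remote, with IPv6 literals in brackets.
_CONN = re.compile(
    r"^(?P<laddr>\[[0-9a-fA-F:]+\]|[0-9.]+):(?P<lport>\d+)->"
    r"(?P<raddr>\[[0-9a-fA-F:]+\]|[0-9.]+):(?P<rport>\d+)$"
)


def parse_lsof(text):
    """Return (command, pid, remote_ip, remote_port) for each established connection.

    Listening sockets and malformed rows carry no '->' pair and are skipped.
    """
    conns = []
    for line in text.splitlines()[1:]:  # first row is the column header
        parts = line.split()
        pair = next((p for p in parts if "->" in p), None)
        if len(parts) < 2 or pair is None:
            continue
        m = _CONN.match(pair)
        if not m:
            continue
        remote_ip = ipaddress.ip_address(m.group("raddr").strip("[]"))
        conns.append((parts[0], int(parts[1]), remote_ip, int(m.group("rport"))))
    return conns


def unexpected_connections(text, allowed_networks):
    """Group connections whose remote end is outside every allowed network.

    Returns {command: [(pid, remote_ip, remote_port), ...]}. An IPv4 address
    is never 'in' an IPv6 network (and vice versa), so mixed lists are safe.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    flagged = defaultdict(list)
    for cmd, pid, rip, rport in parse_lsof(text):
        if any(rip in net for net in nets):
            continue
        flagged[cmd].append((pid, str(rip), rport))
    return dict(flagged)


if __name__ == "__main__":
    # Replace SAMPLE_LSOF with the real output of
    #   lsof -nP -iTCP -sTCP:ESTABLISHED
    # to audit a live machine.
    for cmd, hits in unexpected_connections(SAMPLE_LSOF, ALLOWED_NETWORKS).items():
        for pid, rip, rport in hits:
            print(f"{cmd} (pid {pid}) -> {rip}:{rport}")
```

Running this repeatedly while starting the IDE (or better, diffing successive snapshots) shows which process opened which remote endpoint; that is the evidence an auditor can act on, whereas a blanket "it phones home" claim is not.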

And that is your basic misunderstanding! The Shield only applies in situations where data is collected by an EU entity and subsequently transferred to the US, or where a US entity collects data on a US citizen and transfers it to the EU. That is not what happens when you make a purchase from XOJO. Yes, they need to comply with the VAT rules and the general data protection laws, but that is all.

[quote]The EU–US Privacy Shield is a framework for regulating transatlantic exchanges of personal data for commercial purposes between the European Union and the United States.[1] One of its purposes is to enable US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect European Union citizens.[2] The EU–US Privacy Shield is a replacement for the International Safe Harbor Privacy Principles, which were declared invalid by the European Court of Justice in October 2015.[3]
[/quote]

The law just doesn’t matter in this case. As long as the client demands only using software from companies registered with PrivacyShield, Tomas is out of luck. It doesn’t matter WHY the client demands this, just that they do.

In this case, yes Tomas you’re out of luck. Xojo has bigger fish to fry right now, and even if they had nothing to do, I imagine it would be hard for them to find the motivation to jump through these hoops.

@Beatrix: And to do what? Put my client on trial? Please, come on!

@Alexander: It's not a problem for me. Of course you may mitigate this with firewalls or Little Snitch. My customer cannot audit and give approval of anything as long as the software I am using is sending data outside any legal framework.

@James: I quote:

[quote]The European Commission has the power to determine, on the basis of article 45 of Regulation (EU) 2016/679 whether a country outside the EU offers an adequate level of data protection. The adoption of an adequacy decision involves

  • a proposal from the European Commission
  • an opinion of the European Data Protection Board
  • an approval from representatives of EU countries
  • the adoption of the decision by the European Commission

At any time, the European Parliament and the Council may request the European Commission to maintain, amend or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for in the regulation.

The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data.

The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework) as providing adequate protection.

Adequacy talks are ongoing with South Korea.[/quote]

@Thom: I am afraid, you’re right.

I think your client exaggerates and/or misunderstands the problem.

The foundation of this EU rule is that the EU does not want unlimited and unregulated exchange of EU citizens' private data with the US. A direct trigger for this was the US demand to open up EU airlines' reservation systems after 9/11.

I'm an EU citizen and I have no problems whatsoever using Xojo in my private office or at my customers' premises to create apps.

As there is no data exchange between the Xojo IDE and Xojo Inc, and/or the apps you compile with Xojo, this does not apply.
The only data the Xojo IDE verifies is the license information, AFAIK.

This statement is not true. With every start of the IDE, XOJO software is connecting to xojo.com, collecting and processing data. And it is doing so by design and by default.

This is correct, but it doesn’t matter. The client isn’t willing to take Xojo’s word on it. They want Xojo to prove this to be true to a regulatory agency.

There's also the potential interpretation of the law that it only applies to the commercial use of the data, as in how the data is sold. Xojo doesn't do that. But again, it just doesn't matter, because this is what the client demands. The client could demand the software to be colored orange. Their reasons don't matter to this conversation.

No, it’s about protecting the user, employee or department. I know that the U.S. has a different view of privacy (to paraphrase it gently). And that we in Europe have a Gold Standard. And frankly: I am very proud of it!

The client is not demanding something shiny or fancy. He is just demanding a robust legal basis. By the way: why is XOJO checking license status on its unlicensed free downloads? This is at least violating the recital on data minimisation.

Because it's basically just asking the server to send over the license data for the anonymous computer ID. Yeah, it could be made a little smarter to only make the request when there are already licenses, since there isn't a way to add a license to a machine remotely. Without being logged in, that is.

If I recall correctly, and I could be mistaken, I coded the update data into the same stream, assuming it's turned on.

And no, I didn’t mean to imply your client was demanding something outrageous, only that the reasoning doesn’t matter.

There is no data exchange because the data isn't saved in Europe. Privacy Shield is for companies like my former one, with a daughter company in Europe and headquarters in the US. The HR data and whatnot was saved in Europe and transferred to the US.

You don’t want to do a trial with your customer. You talk to your lawyer about the following:

  • Is your understanding of Privacy Shield correct? Is the client's?
  • If the client has unreasonable demands the lawyer tells the client politely to back off.
  • You ask Xojo what getting on Privacy Shield costs and then you tell the customer the number.

I have to ask why they care about what the IDE does if the apps created with it do not transfer any info. If the IDE has to be on one of their machines, the coding can be done on an isolated machine, and the license on it may be activated by a file that you have downloaded from the Xojo website earlier, IIRC.

It could make debugging painful… but still be doable…

Again, why, if the apps you create don't transfer any information, should they care about the IDE, particularly if the IDE is on a machine not connected to the net?

I think you are dealing with a bureaucrat that does not understand technology, unfortunately.

-Karen