undefined | Better HN

0 pointstjansen4y ago0 comments

Using common services like GA or Stripe (https://noyb.eu/en/edps-sanctions-parliament-over-eu-us-data...), and even more services by smaller companies that don't really care about GDPR. Embedding Facebook or Twitter content.

0 comments

Silhouette4y ago

It's worth noting that the specific objections to using Stripe there seem to be reasonable. Stripe has actively recommended that merchants include their scripts on all pages of the merchant's site and not just the payment pages, so that Stripe could track and analyse visitor behaviour to look for warning signs of high risk transactions. Given that a visitor to the merchant's site might never visit a Stripe-backed payment page or make any purchase using Stripe, this has always seemed a questionable degree of tracking under the EU rules, even if the intentions might have been honest.

Personally I'd be more worried that many payments using cards and other methods rely on underlying US-based infrastructure, so the actual payment processing itself could fall foul of EU data transfer rules. Obviously you can't record financial transactions properly without the various parties involved in implementing the transaction having records that will necessarily include personal data (and potentially sensitive personal data at that, depending on who a payment was being made from and to). And you most likely have all kinds of legal obligations under financial regulation to keep those records. But if there is some sort of blanket ban on processing EU personal data by any US service, that's a big problem.

viraptor4y ago

Tbh, only stripe is surprising. The rest (Ga, FB, twtr) you can easily not include and be safe from the US transfers. They make money from the visitors data, of course they'll be problematic.

The stripe part is the one that will be interesting to watch, because "The EDPS confirmed that the website actually transferred data to the US without ensuring an adequate level of protection for the data". Anyone can easily point out that Stripe claims compliance: https://stripe.com/en-au/guides/general-data-protection-regu... So I hope that that part will die soon.

You can however implement stripe server-side where they can't see more than explicitly provided by the user for the purpose of the checkout. I believe that would have a different result in court. (We'd need to see that tested though)

But! If you're actually worked even able the stripe part, there are EU-based payment processors. More expensive, but they exist.