undefined | Better HN

0 pointsDave3of54y ago0 comments

Is that the case for any data that is passed into the USA then rather than just GA?

So if I hosted my servers in any of the AWS US regions that too would be illegal if they have any personal data in them. In this case personal data is a randomised unique id. So say I have a table of users and all I have is a username and a password and a unique id for the record that's personal data and the customer is not allowed to give their permission for me to store that in a US data center ?

0 comments

iamacyborg4y ago

Potentially, yes, though this hasn't been tested in court yet.

Dave3of5OP4y ago

Wouldn't that cut off a vast swath of the internet from France though ? Some of the main big providers of internet services use US based data centres. I'm meaning:

* Amazon

* Google

* Facebook

* Netflix

* Microsoft

* Twitter

* Uber

I mean the list goes on but these are a really big part of the internet.

qualudeheart4y ago

That might be a good thing. New data centers would be constructed in France and the french people would have more jobs. It’d also be a national security boost because France would be less reliant on external data centre providers.

2 more replies

zelphirkalt4y ago

The differentiation is probably, that some data is required for offering a service, that people choose to use, but GA data is not.

shafyy4y ago

Yes, of course. It's possible that the they will sue every single big company, but quite possible. I think it's a good way for the EU to build pressure against the US to revise the CLOUD act.

1 more reply

numpad04y ago

If enforced thoroughly and by the letters of law. But the authorities in EU has control over selective enforcement of laws(that there potentially won't be by 26th century) letting the law spun as an open negotiation.

cowl4y ago

a randomised unique ID and username/password are not personal data if they can't be used to identify a person. IF you associate that uniqueID or username with something that can identify the user (like IP/ Personal name etc) than yes it's illegal for you to store that data in US even with the consent of the user.

themanmaran4y ago

I feel like this is either a mis-interpretation, or the scope of this law would prevent 95% of websites from existing in the EU (including hackernews which stores your email).

So any US company cannot store PII on an EU citizen? If someone from the EU comes to my site to make a purchase, I can't allow them to do that?

theptip4y ago

The key is consent and right to deletion. GDPR is ok with you storing data if the user consents, you list all the data, you list who you share it with, and you have a contract with anyone you share data with so you can comply with a deletion request.

The US government won’t honor deletion requests for any IPs it requests from GA, therefore you can’t comply with GDPR if you use GA.

If you don’t share data it’s much simpler. You collect just what you need to do the processing the user consented to. And you delete it when a user asks.

Edited to add: I should say the 2nd paragraph seems to be the regulator's position. It seems a bit extreme to me and I don’t fully endorse it. But my main point was to try to highlight why most essential and consented processing is unaffected by this ruling.

cowl4y ago

Yes that is my interpretation of it. The whole point being that any data stored in US can not be guaranteed to respect GDPR because the US government can request access to that data and the EU citizens don't have a recourse to that. any US buisness that want to have EU citizens PI needs to have a host in EU.

1 more reply

RIMR4y ago

Yes, that's exactly right. Makes perfect sense to me.

nomercy4004y ago

It will likely become even worse: it is not just AWS US regions, but any region. AWS is a US based company falling under US legislation, and (as far as I know) also owns its EU regions. So basically you cannot use AWS to store content of EU citizens.

You know any other US based companies? They have to follow the same reasoning.

It might even be if you are a US based company, you have to follow the same reasoning.

As a US company, you are not allowed to store or transfer data considered personal by GDPR of EU citizens, as your company can be compelled by the US government to hand over that data through an opaque/secret order where the EU citizen is not notified nor has the option to challenge this.

j / k navigate · click thread line to collapse

0 comments

iamacyborg4y ago

Potentially, yes, though this hasn't been tested in court yet.

Dave3of5OP4y ago

Wouldn't that cut off a vast swath of the internet from France though ? Some of the main big providers of internet services use US based data centres. I'm meaning:

* Amazon

* Google

* Facebook

* Netflix

* Microsoft

* Twitter

* Uber

I mean the list goes on but these are a really big part of the internet.

qualudeheart4y ago

2 more replies

zelphirkalt4y ago

The differentiation is probably, that some data is required for offering a service, that people choose to use, but GA data is not.

shafyy4y ago

Yes, of course. It's possible that the they will sue every single big company, but quite possible. I think it's a good way for the EU to build pressure against the US to revise the CLOUD act.

1 more reply

numpad04y ago

cowl4y ago

themanmaran4y ago

I feel like this is either a mis-interpretation, or the scope of this law would prevent 95% of websites from existing in the EU (including hackernews which stores your email).

So any US company cannot store PII on an EU citizen? If someone from the EU comes to my site to make a purchase, I can't allow them to do that?

theptip4y ago

The US government won’t honor deletion requests for any IPs it requests from GA, therefore you can’t comply with GDPR if you use GA.

If you don’t share data it’s much simpler. You collect just what you need to do the processing the user consented to. And you delete it when a user asks.

cowl4y ago

1 more reply

RIMR4y ago

Yes, that's exactly right. Makes perfect sense to me.

nomercy4004y ago

You know any other US based companies? They have to follow the same reasoning.

It might even be if you are a US based company, you have to follow the same reasoning.

j / k navigate · click thread line to collapse