Is that the case for any data that is passed into the USA then rather than just GA?
So if I hosted my servers in any of the AWS US regions, that too would be illegal if they have any personal data in them. In this case personal data is a randomised unique id. So say I have a table of users and all I have is a username and a password and a unique id for the record: that's personal data, and the customer is not allowed to give their permission for me to store that in a US data center?
Wouldn't that cut off a vast swath of the internet from France though? Some of the main big providers of internet services use US based data centres. I'm meaning:
* Amazon
* Google
* Facebook
* Netflix
* Microsoft
* Twitter
* Uber
I mean the list goes on but these are a really big part of the internet.
That might be a good thing. New data centers would be constructed in France and the French people would have more jobs. It’d also be a national security boost because France would be less reliant on external data centre providers.
It’s a geopolitically grounded form of Protectionism.
I don’t like that smaller countries have to rely on larger countries that don’t have their best interests in mind. Not only should France build its own tech infrastructure, but so should every other country that can build it.
In the post-NSA age this is vital if you want your country and its population to be secure against cyberattacks and mass surveillance by great powers.
This isn't just 'jerbs' rhetoric. Having French data on French soil guarantees that if push comes to shove, French authorities are in control of their citizens' data. It's a matter of national sovereignty. If companies have billions of dollars' worth of physical infrastructure located in the countries they operate in, you can be sure compliance with local laws will actually happen.
Yes, of course. It's possible that they will sue every single big company, but quite possible. I think it's a good way for the EU to build pressure against the US to revise the CLOUD Act.
This will only happen if the EU makes a true effort to go after as many big US companies as possible. If corporations actually start to lose access to the EU market, the US will follow suit and change its laws.
If enforced thoroughly and by the letter of the law. But the authorities in the EU have control over selective enforcement of laws (that there potentially won't be by the 26th century), letting the law be spun as an open negotiation.
A randomised unique ID and username/password are not personal data if they can't be used to identify a person. If you associate that unique ID or username with something that can identify the user (like IP / personal name etc.) then yes, it's illegal for you to store that data in the US even with the consent of the user.
I feel like this is either a misinterpretation, or the scope of this law would prevent 95% of websites from existing in the EU (including Hacker News, which stores your email).
So any US company cannot store PII on an EU citizen?
If someone from the EU comes to my site to make a purchase, I can't allow them to do that?
The key is consent and right to deletion. GDPR is ok with you storing data if the user consents, you list all the data, you list who you share it with, and you have a contract with anyone you share data with so you can comply with a deletion request.
The US government won’t honor deletion requests for any IPs it requests from GA, therefore you can’t comply with GDPR if you use GA.
If you don’t share data it’s much simpler. You collect just what you need to do the processing the user consented to. And you delete it when a user asks.
Edited to add: I should say the 2nd paragraph seems to be the regulator's position. It seems a bit extreme to me and I don’t fully endorse it. But my main point was to try to highlight why most essential and consented processing is unaffected by this ruling.
Yes, that is my interpretation of it. The whole point being that any data stored in the US cannot be guaranteed to respect GDPR, because the US government can request access to that data and EU citizens don't have any recourse to that.
Any US business that wants to have EU citizens' PI needs to have a host in the EU.
Not just a host, but the corporation in control of the data can't be controlled by a US corporation at all, lest the US corporation be able to pressure the EU subsidiary into handing over that data.
Exactly. Maybe it was intentional in an attempt to get the US to claw back the CLOUD act, which is the point of contention here. Until that happens, US websites (see: big businesses with a legal department) are likely going to block storing any EU citizen data, which might (but probably not measurably) help prop up local EU services.
It will likely become even worse: it is not just AWS US regions, but any region. AWS is a US based company falling under US legislation, and (as far as I know) also owns its EU regions. So basically you cannot use AWS to store content of EU citizens.
You know any other US based companies? They have to follow the same reasoning.
It might even be that if you are a US based company, you have to follow the same reasoning.
As a US company, you are not allowed to store or transfer data considered personal by GDPR of EU citizens, as your company can be compelled by the US government to hand over that data through an opaque/secret order where the EU citizen is not notified nor has the option to challenge this.