That seems to be a bad source and doesn’t align with other sources. The GDPR doesn’t even refer to citizens. It protects subjects based on where they’re located, not based on their citizenship.
You will if you target EU customers - but not merely by one customer from Europe randomly showing up on your doorstep (so to speak):
You can compare that to a U.S. bank or financial service provider opening an account for a European resident or vice versa. No problem if a non-resident applicant is actively seeking out these services in a foreign country. But actively offering to citizens of country A from abroad (country B) is a big no-no.
GDPR doesn’t apply to any US companies at all (simplification! See further down) - it applies to EU companies who wish to use services provided by companies both outside and inside the EU.
In other words: it doesn’t say that Google isn’t allowed to store personal data about EU citizens; it says that no EU company is allowed to store that data on Google’s servers!
However, it also says that when Google operates IN the EU, it has to follow the same rules - and it turns out Google stores a lot of personal data about EU citizens!
This is handled quite simply, by Google storing EU data in EU datacenters and never giving access to government entities outside the EU.
The problem is that this isn’t allowed by US law - which puts Google in a squeeze - which puts all of Google’s customers in a squeeze - which means that EU cloud vendors have a competitive advantage.
It’s in MS and Google’s best interests not to violate GDPR; at the end of the day the fines would go to them, not the US government. For enterprise solutions, at least, I’m pretty sure you can make Google store your Google Workspace company data in EU datacenters.
I think it will probably hurt smaller US-based companies, not the GAFAs. I am currently working for a financial services organization pretty paranoid about cross-border data transfers and, at least using Google Cloud Platform, they are convinced there are no big issues using UK-based GCP resources for US/Canadian customers. Of course, the required paperwork and toll gates to cross are unbelievably tedious.
I’m not really sure about that. It applies to any company processing data for EU citizens anywhere in the world. If you happen to violate GDPR, your company can be fined by the EU bodies. One can wonder how the EU would prosecute a smaller US-only operation, but for bigger players it’s a serious concern.
In response to @svsmailus original post. The questions you need to be asking Amazon are (i) in which jurisdiction are the AWS servers you use physically located; (ii) what legal entity owns and controls those servers; and (iii) what are the terms of the contract between you and that legal entity.
If the servers are physically located within the UK and owned by a UK subsidiary of Amazon, it is unlikely that “foreign” legislation, whether US or EU, could be enforced other than in the case of a specific, UK court approved request in relation to a criminal investigation. The point here is that a UK subsidiary is a separate legal entity from its parent, albeit wholly owned by the parent. The directors of the UK subsidiary cannot be made to break UK law at the instruction of the parent company, so even if a US court told Amazon to pass over data held on the UK servers, the UK company could and, if it wants to avoid prosecution in the UK, should, refuse the instruction from the US parent.
That leaves the “control” issue. Can the US parent directly access the UK servers without the need for someone to sit down at a UK keyboard? That shouldn’t be possible. For the UK subsidiary to give a third party - and being a separate legal entity, the US parent is a third party - access to its servers would breach the UK GDPR unless the contract you have with the UK company to store your data grants them your consent. And you can’t do that in respect of other parties’ (personal) data without their explicit consent.
And because karlnyhus googled some article, the statement has to be true, right!?
But unfortunately, this is not how it works.
In fact, in general the Internet is the most unreliable source for information in the world!
So, if you want to make a statement based on an article you found on the Internet, you had better do an analysis of the source first.
karlnyhus either didn’t do this, or he didn’t care about the result.
It is a matter of fact that the article is just wrong on that point. The GDPR is a law that has to be followed by all member states. There are small opening clauses where a member state could apply rules that are more protective, but there is no way for the member states to weaken the rules.
Why do you think, that a server could only be located in the US?
We have plenty of room to place our own servers, and in fact (based on numbers I found from 2016, and I did just cross-check with other information, so they seem to be fairly reliable) London had at that time 337 large server farms, while California had only 300!
And, some of the larger server farms of the world are located within Germany!
So, there is absolutely no need to transfer any stored data outside of Europe.
And, BTW, the CLOUD Act has nothing to do directly with GDPR!
The EU is NOT applying their law in the US!
They apply it ONLY within Europe!
BUT if a US company wants to do business within the EU, they have to comply with the EU laws and regulations.
Sure, but they will force the company within the EU, to grant the access.
Yes, and if the customer is located within Germany, you will also fall under the law for “Business taken at the Front Door” (Haustuerwiderrufsgesetz), and many others!
It is the same with a German company doing business with someone located in Texas.
No, the fines go to those who stored the data there!
And unfortunately, at least the contracts I saw during the last couple of years, all contain a part, where it is granted to the storing company to transfer the data out of Europe.
Again, I don’t see where this is about citizenship. If anything, it’s EU (and, by extension, EEA) residents, or, more broadly, people and their activities in the EU (those could be US, Ugandan or Ukrainian citizens).
If the shop is targeting German customers. For example by offering on ebay.de.
That is my understanding. Google, in their privacy compliance info states, “Google Workspace and Cloud Identity offer the Data Processing Amendment (DPA), which incorporates standard contract clauses (SCCs), as a means of meeting the security, contracting and data transfer requirements under EU, UK and Swiss data protection laws. For customers with HIPAA compliance needs, Google offers a Business Associate Amendment.” And as I recall Microsoft offers similar language.
If I still worked for a Fortune 100 company this is a subject I would refer to the legal department. As an individual I have to rely on statements like the above and the expectation that the various governments will ensure compliance.
But as @karlnyhus mentioned, alliances like the Five Eyes, which seems to include directly or indirectly most of the countries represented here, could also be a factor. So if a friendly nation wants access to data held in the US I think it will probably be provided, and vice versa.
As far as I can tell, none of us posting on this topic has claimed anything more than general expertise on data privacy and international law. My experience is limited to an annual module in our corporate training on Safe Harbor agreements that we signed with companies when doing business out of the United States.
If I make a mistake, I accept correction. But some of it is a difference of opinion and not fact. And some comes with apparent animosity based on nationality.
Re: @karlnyhus’s article, per the actual GDPR, Article 2, the GDPR flat-out doesn’t apply to a government acting in the process of “the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”.
This is the context in which the article was discussing the difference in treatment of the EU governments and foreign governments.
The intersection of the CLOUD Act and GDPR is the whole question OP has - does the US government having the CLOUD act cause problems for a business with data on UK servers owned by a US company?
I don’t think a server can only be located in the US. But if a startup exists somewhere with a useful service, and that “somewhere” isn’t a country that the EU likes, we’re in a potential situation where that company will likely - for legal reasons - not want to serve the EU if they’re not big enough to actually run their own EU servers / pay people to handle GDPR compliance.
Which is exactly what the US would be doing under the CLOUD Act, from what I can tell. Hence the comparison.
I can’t think of any examples of the US asking German companies to do things on their behalf. The US taxing jurisdictions do ask the person in Texas to cough up tax that should’ve been paid on whatever the person bought from overseas, but that’s on the person making the purchase - not the company selling to them.
I really do not want to get too involved in this discussion because, as we can see, things tend to get heated. There are a lot of misunderstandings regarding GDPR. And no, I will not get into the details.
Only some very short points:
1. European companies (and companies doing their business in the EU) have to protect personal data of individuals in accordance with GDPR.
2. If this data leaves the area of the jurisdiction of the EU states, the companies have to make sure that the data is still protected within the requirements of GDPR.
3. As long as No. 2 is happening, the data can also be stored outside of the EU.
Does the EU tell companies how to do their business in the US? No. Does the EU tell companies how to do their business in the EU? Yes. Every company and individual always has to work in compliance with the laws of the country they are doing their business in.
Is it a problem for EU companies to use US cloud services as long as personal data of other individuals is stored in this cloud? I will not answer this question. Like I said: heated discussion, not only here but also among experts and lawyers. Only one thing: there are many US companies that offer cloud solutions that are hosted within Europe. Why? For several reasons. Not my expertise.
Instead of speculating over here, it may be a good idea to get first hand information:
P.S. @tf2 has made the best point so far… I do not get some of the emotions here… It is not worth it.
Sorry to have caused problems in posting this question. I do appreciate all your comments and they have certainly helped my thinking process.
I should probably add that in my specific case I’m not in the EU jurisdiction or under EU GDPR as the UK is no longer part of the EU. This is a slightly different can of worms!
My thinking so far has gone down these lines:
Hosting my organisation’s website that collects personal information outside of the UK is not advisable unless I obtain permission from those whose data will end up on the hosting account. This is simply because they’ll ask why I can’t use a UK host, and that’s a fair point.
Microsoft has recognised the Schrems II ruling and applied it to their data processing. I’m also confident that the UK Information Commissioner’s Office (ICO), who police our GDPR, would not penalise us if our data was stored in the UK but MS shared it with the US without our permission. The challenge here is reading all the small print to determine if we have already done so. Logic would argue that if even our government uses Office 365 then we should be ok, but due diligence means I’ll do some more checking.
Long term, this is simply pointing to using services and businesses registered in your own nation; the UK for me. This could have quite an impact on cross-border digital business. In many ways, thinking about it, this was always going to be inevitable with digital data. Governments may not agree on how digital data is protected, and therefore keeping all your data in your own legal jurisdiction may become the norm. I’ve been developing websites since the 90s, and once my hosting runs out in the next few months it will be the first time that I will use UK hosting and services exclusively. I’m thankful that Microsoft has UK data centres, so all my organisational data is in my legal jurisdiction.
Correct. Every company IN the EU is subject to GDPR and privacy has constitutional status. Which makes it easier to outsource stuff. It does not free you from checking/auditing the company, writing a data processing agreement and so on.
You CAN work with a company outside the EU (we work with some US companies), but it gets quite difficult and you need to invest a ton of work.
If those companies outside the EU fully comply with the GDPR, there would be no difference in the handling between them, and companies within the EU.
And, contrary to the said article, the GDPR is a law that is immediately valid within all EU member states. There is no (or very little) difference between the member states, and no state is allowed to lower the standards set by the GDPR.
I live in the UK and work in Information Security and Data Protection for a multinational organisation, predominantly focused on the UK, Europe, the USA, Australia and New Zealand.
@svsmailus Your third point is the way to keep things the simplest for yourself and the information you process on behalf of your customers (the data subjects). Work with vendors who allow you to choose where your data is stored, e.g. AWS, Microsoft, Google.
From the UK, it’s perfectly legal to transfer data to the EU and any other entities (countries) judged as adequate by the UK Government. To transfer information to non-adequate countries you need to ensure that you have legal data transfer mechanisms in place along with risk assessments to ensure that (for example) the US government cannot have access to the data. To be honest, unless you’re a large company or there’s a clear benefit, I’d keep it as simple as possible and keep your data in the UK.
Regarding the US Government’s assertion that if data is processed by a US company, it doesn’t matter where the data is, that was challenged quite strenuously by Microsoft (I forget when, but it was definitely after 2018) whose arguments were upheld by a US court, and as far as I remember there was no subsequent law since enacted requiring US companies to provide Non US domiciled data to US courts or agencies. This doesn’t (of course) stop US agencies working with other non US agencies on cases to gain access to information, but of course this should go through due process (I think we all know it doesn’t always). If this happens (the US government working via other agencies) then a company could not be held responsible for data leaving the EU.
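As an added example (not from any poster in this thread), here is one way to technically enforce the "choose where your data is stored, and keep it in the UK" advice on AWS: an Organizations Service Control Policy (SCP) that denies every regional API call whose aws:RequestedRegion is not eu-west-2 (London), plus a small offline evaluator to sanity-check the policy before attaching it. The choice of eu-west-2 and the list of global-service exemptions are assumptions for the example; the exemption list in particular must be reviewed against AWS's current list of global services, because an SCP that forgets one of them (IAM, STS, Route 53, CloudFront, ...) locks you out of managing the account.

```python
"""Build a data-residency SCP for AWS and sanity-check it offline.

Added example, not the forum's or AWS's own code. Assumptions: the permitted
region is eu-west-2 (London) and the global-service exemption list below is
complete enough for this organisation; verify both before deploying.
"""
import fnmatch
import json

# Assumption: the only region where regional resources may be created.
ALLOWED_REGIONS = ["eu-west-2"]

# Assumption: services whose API calls are global (signed against us-east-1 or
# carrying no region). They must be exempted from the region deny, otherwise
# IAM, STS and Organizations calls would be blocked and the account becomes
# unmanageable. Check this list against AWS documentation before use.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "account:*", "route53:*",
    "cloudfront:*", "support:*", "budgets:*", "health:*", "access-analyzer:*",
]


def build_residency_scp(allowed_regions=ALLOWED_REGIONS,
                        global_actions=GLOBAL_SERVICE_ACTIONS) -> dict:
    """Return an SCP denying every non-global API call outside allowed_regions.

    Deny + NotAction reads as: deny everything except the listed global
    actions, whenever aws:RequestedRegion is not one of the allowed regions.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyRegionsOutsideDataResidencyBoundary",
            "Effect": "Deny",
            "NotAction": list(global_actions),
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": list(allowed_regions)
                }
            },
        }],
    }


def scp_denies(policy: dict, action: str, region: str) -> bool:
    """Offline approximation of SCP evaluation for this policy shape only.

    Models Effect=Deny statements with a wildcard NotAction list and a
    StringNotEquals condition on aws:RequestedRegion. An SCP is a guardrail:
    a call that is not denied here still needs an IAM allow to succeed.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # NotAction: the statement applies to every action NOT matching a pattern.
        exempt = any(fnmatch.fnmatchcase(action, pat)
                     for pat in stmt.get("NotAction", []))
        if exempt:
            continue
        allowed = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
        if region not in allowed:
            return True
    return False


def check_sample_requests(policy: dict) -> dict:
    """Evaluate a few constructed requests; returns {description: denied?}."""
    samples = {
        "s3:PutObject in eu-west-2 (London)": ("s3:PutObject", "eu-west-2"),
        "s3:PutObject in us-east-1 (N. Virginia)": ("s3:PutObject", "us-east-1"),
        "ec2:RunInstances in eu-west-1 (Ireland)": ("ec2:RunInstances", "eu-west-1"),
        "iam:CreateUser (global service)": ("iam:CreateUser", "us-east-1"),
    }
    return {desc: scp_denies(policy, act, reg)
            for desc, (act, reg) in samples.items()}


if __name__ == "__main__":
    scp = build_residency_scp()
    print(json.dumps(scp, indent=2))
    for desc, denied in check_sample_requests(scp).items():
        print(f"{'DENY ' if denied else 'allow'}  {desc}")
```

Attach the resulting JSON to the organisational unit holding the workload accounts (SCPs do not apply to the management account, so keep no data there). Note what this does and does not give you: it stops anyone in those accounts creating resources outside London, but it does not by itself prevent cross-region replication already configured on a bucket, and it says nothing about the contractual and legal questions discussed above; it is the technical control that makes the "data stays in the UK" statement in your data processing agreement true in practice.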
I don’t know, I step away from the forum for a few days and all hell breaks loose.