Does using overseas hosting break GDPR?

BTW, I wish more companies had your cynical/questioning attitude.

The number of times I’ve heard “Insert large company uses it, so it must be OK”, and after further checking have found that any of the below is true:

  1. named company doesn’t use it (yes a software provider lied about their customer list)
  2. yes, a small team in said company use it, but the procurement did not go through the right process of due diligence, e.g. someone whacked it on their credit card and put it through expenses
  3. our own due diligence found issues which would have left data at a high risk.

There’s no need for a server to be always located in the EU. A common misconception.

  • If a company in the EU uses a service (Office 365) to handle data, the full GDPR weight falls on them (“data processor”). Clients of Office 365 are companies. They need to make sure everything is compliant, which is way easier if the server is in the EU. The server CAN be in the US, but it becomes a hassle (“binding corporate rules”).
  • A personal subscription of Office 365: server location, no issue. Informed consent should be there. “PERSONAL”. If I use my personal license to store client data: see above.
  • Apple Health: B2C. Server can be located in the US.
  • and so on.

As for your “startups”. My company falls into the strictest GDPR category (Article 9). I use TextExpander, 1Password, and a lot of other stuff with a server behind it. With servers “outside the EU”. As long as I don’t store personal data (not mine, clients) in there, absolutely no problem. And no need for them to worry. If a startup creates a “cloud patient data” service, then of course, GDPR applies if they offer their services to EU customers. And if I decide to use that service in my company, I need to double-check it.

Sorry for the over-simplifications. I have to deal a lot with GDPR and don’t feel like writing an endless article. There are many nuances and aspects, and it’s difficult to give a yes/no perspective.


My comments trace all the way back to this, way at the top of the thread:

My comment about servers was more intended with that in mind, i.e. “I don’t think all the tech companies are moving to Ireland”. :slight_smile:

Regarding companies vs. consumers, that’s an interesting point about B2B and B2C. Does the B2C “informed consent” relationship negate the GDPR obligations? I.e. let’s say you have an account with a (fictional) new password startup, 2Password. 2Password is entirely US-based, does nothing to screen its customer base, only sells to end-users, and doesn’t know/care where in the world their customers are.

They would theoretically be clear to handle the client’s data, but doesn’t the GDPR also require that companies purge a user’s data upon request? Would 2Password be clear of that type of obligation as well, if they were solely B2C?

I know it was @Shruggie who suggested this rather than @webwalrus, but most big tech companies are already based out of Ireland for their European operations, e.g. Apple, Microsoft, Amazon, Dell and Facebook; I’m not sure about Google. These companies can be held liable for any infraction on their part and are solely responsible for the data processed in the EU.

No, 2password would not be clear of any obligation under GDPR regarding Personally Identifiable Information (PII). There’s no Lawful Basis recognised with GDPR of “Informed Consent.” Consent is a lawful basis but can be withdrawn at any time by the Consentor which then means that any PII must be removed unless it is required to be retained by law.

You might start by checking with your hosting companies. In the US financial data has specific rules as does medical data and your hosting companies may restrict some types of information. For example Apple expressly forbids storing “protected health information” on iCloud.

Another possible option is to not store personal information in the cloud. I’ve worked with companies with commercial websites that used a third party to handle checkout and kept customer data in-house. No personal info was kept online.

With GDPR you can go down this route, but you have a legal responsibility to ensure that all personal data is protected from loss. E.g. if it was only stored at one location and that building burned down taking all copies of the data with it, that’s a breach of GDPR. So not using some form of cloud service means you are taking that responsibility on yourself.


You can put encrypted backups online, but that’s a whole new set of risks to analyze and processes to document, validate and verify annually and so on :wink:


Again, please excuse a lot of simplifications for the sake of quickly writing a post between meetings.

Let’s create some fictional companies and users:

  • USAwebwalrusINC, developer and operator of a cloud-based service
  • EULarsGmbH, a company dealing with clients
  • EUDude, an EU citizen

Some use cases:

  • EUDude uses USAwebwalrusINC to store his stamp collection in their cloud service. GDPR does not care. EUDude chose the service. Or 2Password. Or EUDude from Europe (me) uses MacPowerUsers forum. GDPR does not care.
  • EUDude does business with EULarsGmbH: 100% GDPR. Both in the EU. (Also think of Microsoft Europe, Facebook Europe,…).
  • Me, CEO of EULarsGmbH, decide to use USAwebwalrusINC to outsource data (including EUDude’s name, address,…). EULarsGmbH has legal (GDPR) obligations towards EUDude. EUDude has NO contract with USAwebwalrusINC. EULarsGmbH has to make sure that using USAwebwalrusINC maintains their legal obligations towards EUDude. That’s why “EU servers” and so on become interesting… EULarsGmbH would need to inform EUDude of using a data provider, EULarsGmbH would need to make sure GDPR rights (“binding corporate rules”, right of deletion, right of information…) are guaranteed and so on.

Again, sorry for the oversimplified and rough sketch of GDPR. But there’s no need to dive into every nuance of it to roughly explain it.


Case 1 is incorrect. If an EU customer uses a US service, that service is considered to be available in the EU, and GDPR applies.

The nuances very much count. This is complicated stuff.


It’s oversimplified, not incorrect. Your statement is also oversimplified and incorrect.
There is no “per se application of GDPR” but mechanisms to prevent evading GDPR by just locating the company outside the EU. And “doing business in the EU” is an aspect. Just having some customers in the EU does not meet that requirement. But: if USAwebwalrusINC decides to: translate the HP to Italian, advertise their services in €, run a social media ad campaign targeted at Italian users…it’s considered “doing business in the EU”. (my example “EUDude chose the service” becomes “USAwebwalrusINC was active in the EU” and the whole thing is “turned around”).

I agree with you: the nuances count and it’s complicated.

This will not end well. I agree that it is complicated. :wink:

EUDude uses USAwebwalrusINC (…)

My opinion: the examples @Lars has provided for this scenario do not necessarily lead to GDPR implications.

So, what about first hand information:

It really is about the nuances. And there are experts and authorities out there for dealing with those nuances…

And… I am out of here… :wink:

The bigger complication is for us EU companies. Because we are liable, GDPR is enforceable towards us, etc. If USwebwalrusINC (sorry for using you as a constant example) has a huge GDPR data breach, it’s me they will go after, because I outsourced the data.

And don’t forget: GDPR is just one aspect of international business. You still have United Nations Convention on Contracts for the International Sale of Goods, private international law, IFRS, etc., etc. Cross-border business has always been very complicated. Which is one of the reasons the EU (or ECs) was founded, to remove all that stuff for inter-European business.


This is not true, by nature of an EU citizen creating a username and providing an email address (Both Personal Data) and them being stored by the provider, GDPR 100% applies.

Agreed

Broadly correct. Binding Corporate Rules only apply within multinational organisations, not with companies under different ownership. But there must be a contract between the Data Controller (the company which decides the purpose for which the personal data can be used) and the Data Processor (the company instructed by the Data Controller) which meets GDPR requirements.

Also as @Lars said, the Data Controller must be transparent with the user of their service how their personal data will be used, and the Data Controller cannot just change that purpose without assessing the impact on that individual.

I can’t stress enough that it doesn’t matter where in the world the company is incorporated or operates, if it processes the information of EU citizens, it is covered by and falls within the scope of GDPR.

No, it’s this simple. If a company processes the personal data of an EU Citizen, no matter where it is incorporated or where it operates, it falls under GDPR.

Why do you think that there are still services based in the US which refuse to allow people using EU IP Addresses to access said services? This is 4 years since GDPR came into force. They don’t want to, or can’t comply with GDPR.


If EULars can prove that it took appropriate action to protect the data by putting the relevant protections and transfer mechanisms in place and USWalrusINC did not comply with the contract, the relevant Agency in the EU can take action against USWalrusINC, and/or EULars can sue USWalrusINC for breach of contract and any damages they’ve suffered (dependent on the terms agreed in the contract).

I wonder how any government agency knows where data is actually stored when data centers have to be scattered all over to ensure data redundancy and business resilience?


If I’m reading this right, how would the EU penalise a company for breaking GDPR when the company is in another country?


I don’t know, and that’s not my problem. :man_shrugging:t2:


If there is a breach of the privacy of the data, it will be uncovered.
You can’t cover up a data breach for a longer period of time today.
AND if you try to cover it up, you will get an additional fine for covering up and not informing your customers immediately!


Good question and I think the answer is, at least for the major cloud providers, the agency would have to ask the hosting company.

In 2018, when we were choosing a replacement for our on-premises email server, I researched Google and Microsoft. I recall reading that user data in Google Workspace is distributed across multiple servers and locations. And (if memory serves) no single server has a complete copy of any file.

So I guess if you specify in your contract you want your data in one of their EU data centers you just have to trust them?
