Show HN: Check if your website violates GDPR (violating-gdpr.com)
67 points by hauken on Feb 28, 2022 | hide | past | favorite | 133 comments



I don't mean to be confrontational, but as an American with websites in the US- why would I care? The most basic tenet of sovereignty is that a country's laws stop at their border, unless otherwise agreed in a treaty. I may be violating GDPR, I may be violating some Internet content laws in Zimbabwe and Cambodia as well, but laws don't cross borders.

Just as an example off the top of my head- in Thailand, it's illegal to insult their king. Would anyone here refrain from posting anti-Thai monarch content on their website, in fear of breaking the laws in Thailand? If not, why would I care about GDPR? Imagine what a non-sequitur it would be if someone told an American employer based here in the states, that you're violating EU employment law. By definition it.... doesn't apply.

I do understand that if I ran a business with European customers, I would need to be in compliance with EU law- I get that- but genuinely confused why I would care otherwise. Are your websites in compliance with Zimbabwean Internet law?


You and your business are crossing borders when you serve traffic to foreign customers, and are thus party to their laws.

No I'm not a lawyer, but if you really never intend to have any customers in Europe you'll probably be fine (ask a lawyer, not the Internet) but if you do or might then you're playing a game with whether or not you'll be caught or if the consequences will be more advantageous than mitigating them.

America projects its laws worldwide with the global financial system and anything with even a remote connection to the states is a poison pill that is used to prosecute behavior which is almost exclusively outside its borders. Other legal entities can do the same, but to a lesser extent.


> You and your business are crossing borders when you serve traffic

I’d argue that if the request originates outside my country, the customer has crossed the border with the intent to bring the content back to their country


The result of this argument is that every company can easily make themselves immune to all laws and regulation by setting up shells across borders.


As long as they don't register users, accept payments, etc - just serve content - I'm okay with this interpretation.


And if they, keep records of unregistered users, track their behavior, and sell that data or use it to make business decisions?


As long as they do it on their site, not third-party ones or via third-party ones, then also ok.


I'm not sure GDPR applies if they're not using any third party services. That's the thing with GDPR compliance, if you're already doing things right it doesn't really change anything, you don't even need to ask about cookies (because cookies are actually ok under GDPR if they're used the way they were originally intended.)


Sounds good to me; I'd like to take advantage of something like that one of these days.


well, it seems that the EU has already decided that is not going to be the interpretation they will accept so argue away.

There are also thousands of different analogies like yours that one might choose that would put the benefit on the EU side, for example, someone might argue your website is like a product and as such is open to all sorts of regulations and taxes when it gets 'imported'.


I'd definitely put the onus on them. It's pretty insane that even routing and logs will cause issues because of a law on their side.


I agree there, but also there is the perspective that the consumer of the content did not ask your server to take their data for analytics purposes. So it goes both ways


I understand that, but even without analytics, it wouldn't conform simply because it's hosted in the US and the IP can be stored there.

The way routing works, you can't prevent the IP from going to the US if it's just hosted there.


AFAIK the IP from requests doesn't necessarily need to be logged or stored anywhere, does it? Perhaps this comes from my lack of understanding of GDPR but I thought the issue was from storage where it could be retrieved or shared


The problem is that the US CLOUD act compels US companies to provide data access to US agencies, regardless of where the data flows. It could even be servers on EU soil. EU courts hold that these kinds of acts violate the data rights of individuals located in the EU.


It's not actually about serving traffic across borders, it's about what you collect. If you collect PII, according to EU courts, you are responsible for it and will be held responsible if you plan to do business in the EU.


> I don't mean to be confrontational, but as an American with websites in the US- why would I care?

What about all the users on HN who have websites and who happen to be from the EU though?

It's not because you don't care that no-one here cares.


Sure, but while your post comes across as the American being dismissive of others, your post also comes across as dismissive of a valid question from the American. Let me rephrase:

If I as an American build a retail site for a side hustle that I have no intention of doing international business, do I still need to concern myself with international rules? It's "easy enough" to not allow sales to international locations, but not allowing the website to be viewed internationally is just too much damn work and goes above and beyond sane expectations.


IANAL so I honestly can't answer that, and I can totally understand some US sites blocking EU IP ranges because of their business model as an ad outlet for Google or whatever third-party ads.

But even if you don't agree with EU privacy regulations, I hope you can understand that the race to the bottom we've seen in the last decade or so when it comes to online content must somehow be stopped, especially if it is only benefitting very few quasi-monopolies.

My hope would be that we could see a return to direct sponsoring or other first-party ad model, but perhaps I'm being naive here, and I'd appreciate insights from others. Personally, I don't have a problem with ads per se at all, provided they're respecting my privacy and don't come in the form of a JavaScript bomb.


The law applies to websites, not businesses. If your website has European visitors, then it is making the relevant interaction even without business happening. I’ve come across websites that simply deny me access, guaranteeing they don’t have any European visitors. US law spreads in a few ways, eg licence to use the dollar, though that may be broader than the exact wording.


Not to be repetitive, but- let's say your website has visitors from Thailand, and you do something to defame their monarch. Are you in compliance with Thai law? What if you have Chinese visitors, are you subject to Chinese law? What if the Central African Republic passes some completely out-there law and you have CAE visitors- do you feel like you need to comply with the laws of the Central African Republic? If not, why not?

Let's just think this out- seeing as your visitors can come from any of the 300+ countries on Earth, you are saying that by hosting a website, you must simultaneously comply with the Internet laws of every country on the planet. Please just consider how ridiculous that is for a moment


If you speak in your country and someone hears it where it's illegal then that's of no interest to you. But if you visit someone's home and they add your name to their guestbook you may care that you're in the records. Yes, it's reaching beyond borders, but I like this one more than any of the other examples of that.

I could repetitively make up new analogies to explain my opinion (and subsequent actions in democracy), but after a moment's consideration that would be ridiculous.


I would love to see this fought in court for my local neighborhood restaurant. No way would a US court hold that GDPR has any standing.


I'm sure they wouldn't, as it's not a US law. But a local company may be small enough not to have to bother, just as they don't have to provide certain US law based employer benefits.

> The second exception is for organizations with fewer than 250 employees. Small- and medium-sized enterprises (SMEs) are not totally exempt from the GDPR, but the regulation does free them from record-keeping obligations in most cases (see Article 30.5).


I’d add to that Lawyers, Engineers, Financial Advisors, and many other roles that are licensed by territory. Regardless of what the GDPR says.


I don't actually see any way that your local neighborhood restaurant, assuming your local neighborhood is not in the EU, will in any way be covered by the GDPR.

It will for the first be too small to require much record keeping.

Second, it is unlikely to be keeping any personally identifying information from someone using the site while in the EU because nobody is ordering food from a pizza place in NYC while sitting in Napoli. IP address is sometimes PII but more often not.

Thirdly, as your local restaurant does not have any business operations in the EU any potential fines levied against them would probably be unenforceable.

Those are just the top three things that spring to my mind though, pretty sure that there are other reasons the worry is nonsensical.


OP's site seems to focus on where servers are hosted, not about how or what data is stored or whether or not violations are enforceable.

A European could order delivery in the USA for a friend. The business (website) would happily accept money for this.


theoretically this situation could arise, in practice c'mon. I have friends in the U.S but I'm not ordering any delivery for them unless I'm there.


It doesn't matter whether you are there or not. If you are an EU citizen, and you're in the US, and you visit a US website and make an order from that website, that website is now supposedly required to obey EU law.


you are however incorrect

https://www.hipaajournal.com/does-gdpr-apply-to-eu-citizens-...

"GDPR requires the personal data of an individual residing in an EU country to be subject to certain safeguards and their data rights and freedoms must be protected. When an individual leaves an EU country and travels to a non-EU country, they are no longer protected by GDPR."

It was quite a common misconception when GDPR was first being formalized that it would apply to EU citizens physically located outside of the EU, indeed if you go back about 6 years you would probably find me making the same incorrect argument on HN.


I'm open to being corrected. However, this article is about people who are living in, not visiting another country.


the linked article specifically says

"When an individual leaves an EU country and travels to a non-EU country, they are no longer protected by GDPR."

and

"If an EU citizen travelled to the United States and interacted with an EU business, which required the collection of their personal data, their data rights and freedoms would be dictated by US federal and state laws. GDPR would not apply."

true, this is inside a section where the headline refers to people 'living' in the US (which of course implies taking up a long term residence there), but the text of the body makes clear that just traveling to the US means that, as one would normally expect, the laws of the US pertain and not the laws of the EU.


Thanks. TIL. What an absurd law.

It makes zero sense to suddenly say that it matters where the company is if the EU citizen isn't in the EU anymore, but it doesn't matter where the company is if the EU citizen is in the EU.

Either the EU can make a law apply to my website, or it can't. If it can, why does it not do it all the time? If it can't why does it claim it does?

I'm personally of the opinion that they can't, and I'm going to keep acting accordingly.

And I'm willing to bet so are the vast majority of other websites. If anybody sees a drastic drop in Google Fonts usage, let me know. Otherwise I'll just keep saying, "I told you so." Nobody actually believes the EU can do this.


A friend did that with flowers for my wife's birthday during 1st year of Covid (although the person was from the UK, not the EU proper).


Every time I have ever bought flowers internationally it has been through some big international floral delivery company that handles the actual contact to the local florist, hence I do not believe that any of the florists that actually delivered the flowers to their recipient was in possession of any personal information.

Thus a small florist does not operate the same way as a small local restaurant, the big international company with my personal information however will be on the hook for it and should have processes in place to handle that.


Managers in the EU could order food for their team in SF for a "lunch and learn."

I don't think this is that crazy of an example in this world.


Ok, well in that case if they did that and the restaurant decided to save the personal data longer than was necessary to fulfill their legitimate business purposes then I guess they would be under GDPR. Legitimate business purposes might be (just guessing as I am not a restaurateur)- IP addresses kept for a week until profile of website visitors report for that week made, credit card and name kept until payment received.


Explained here [Who does the data protection law apply to?](https://ec.europa.eu/info/law/law-topic/data-protection/refo...)


Even if you don't think GDPR compliance is important, you probably need to consider the California Consumer Privacy Act and California Privacy Rights Act, if you are running a business that's big enough to be subject to them. These laws are broadly similar to GDPR.


Yeah, the GDPR is basically irrelevant to Americans unless you're a multinational corporation. But unless you're a VERY local business, you will want to take the CCPA into account, because California will be very happy to fine a business located in other states.

CCPA is a little more reasonable than the GDPR, but if you're abiding by the CCPA you're probably good enough.


The GDPR explicitly only affects businesses selling to Europeans¹, so you're correct: you don't have to care about it.

¹GDPR Article 3, section 2a. A broad reading would assume that any use of a site by Europeans is also covered (section 2b), but IIRC the various data protection authorities issued guidance that you're fine so long as your material isn't aimed at Europeans: e.g., no European pricing, etc.. https://gdpr-info.eu/art-3-gdpr/


You are absolutely right. Unfortunately, the European lawmakers don't understand how international law works, so they created a "worldwide" law without any possibility to enforce that law outside of the EU. For that reason some people call GDPR a paper tiger.


They fully understand what international law is.

You could say that US lawmakers don't understand international laws because US data laws are extraterritorial.


It would be very useful if you could link directly to the test of a specific site, so you could send that link directly to people.


Yes! I thought about that but had a few issues with storing URLs in the sharable URL and don’t want to store any information to create a unique id for every url.


As a fallback solution, you could always encode the URL with base64.


Cloudflare is obviously the major violation for many sites.


Yes. I had to switch the serverless function that checks location to a server in Sweden, or else almost every site was in violation.



Thanks for sharing this!

https://www.reciperadar.com/ does (potentially, as per the notes on the page) pass.

To provide further assurances to users, all of the code[1] to run the service is made available to the public, including logging/analytics functionality[2].

It's (currently?) hard to guarantee to end users that there aren't any other tricks going on, and to match the version running in production (on a single computer in my office room) to the relevant git commit, but the goal is to incrementally move in the direction of additional (verifiable) transparency for the service.

[1] - https://github.com/openculinary/

[2] - https://github.com/openculinary/api/blob/24ac611b1c14b754f23...


I don't store cookies, don't even have JS on my site. But it violates the GDPR just because it's hosted in New York?


The most recent court rulings hold that because of the US CLOUD Act, all transfers of personal data to the United States are unlawful. Personal data includes IP addresses. These rulings are under appeal, but at the end of the day it's basically true that GDPR and CLOUD are fundamentally incompatible.


So, based on how networks and the internet work, no one from Europe can access a site if it's hosted in the US?

Based on how networks work, you need to know where to send back those packets. Or do we have to all just blanket disable access to users from Europe.

This is insane.


> ... at the end of the day it's basically true that GDPR and CLOUD are fundamentally incompatible.

There are going to be a shitload of companies trying to offer EU-only cloud services that are going to comply with the GDPR (I'm not saying they'll all succeed, but there's obviously a market now). I don't see how the GDPR and the cloud are incompatible. I do however see how GDPR and American companies offering cloud services from servers based outside the EU are incompatible.


I didn't say GDPR is incompatible with cloud. I said it's incompatible with CLOUD, which is the name of the American law that causes problems. Cloud services are totally compatible with GDPR, so long as you stick to one side of the Controller/Processor divide.


GDPR and INTERNET, you mean


Hm, this seems to work incorrectly. The login website of https://www.personio.de/login/ after you specify a company to login for does load Google Fonts and those do not show up in the results as violation or at all.


Yes. It doesn’t pick up everything. I’m just parsing the DOM and checking for apparent things like script tags etc. I could have used puppeteer or similar to check all requests made, but the user experience became very slow, so I skipped that.
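The static DOM scan the author describes, written out as an added example (this is not the code of violating-gdpr.com): it walks the markup for tags that trigger a fetch, collects the hosts other than the page's own, and labels the ones named in this thread. The sample page and the host labels are constructed for the demonstration; like the original tool it cannot see requests made later by JavaScript or CSS.

```python
"""Static scan of an HTML document for third-party resource hosts.

Added example, not code from violating-gdpr.com. Only the markup is inspected
(script, link, img, iframe, media tags), so anything fetched by JavaScript at
runtime or by a CSS @import is missed, exactly the gap the thread describes.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser open a connection to the host.
RESOURCE_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src",),
    "iframe": ("src",),
    "video": ("src",),
    "audio": ("src",),
    "source": ("src",),
}

# <link rel=...> values that actually cause a request or a connection.
FETCHING_LINK_RELS = {"stylesheet", "preload", "icon", "preconnect", "dns-prefetch"}

# Hosts mentioned in the thread; a constructed label list, not an authoritative registry.
KNOWN_HOSTS = {
    "fonts.googleapis.com": "Google Fonts (CSS)",
    "fonts.gstatic.com": "Google Fonts (font files)",
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager",
}


class ResourceCollector(HTMLParser):
    """Collects absolute URLs of resources the markup tells the browser to fetch."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # A <link rel="canonical"> or rel="alternate" does not fetch anything; skip it.
        if tag == "link":
            rels = (attrs.get("rel") or "").lower().split()
            if not any(rel in FETCHING_LINK_RELS for rel in rels):
                return
        for attr in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if value:
                # urljoin resolves relative paths and protocol-relative "//host/..." forms.
                self.urls.append(urljoin(self.base_url, value.strip()))


def third_party_hosts(html, page_url):
    """Return {host: request_count} for every resource host other than the page's own."""
    parser = ResourceCollector(page_url)
    parser.feed(html)
    own_host = urlsplit(page_url).hostname
    counts = {}
    for url in parser.urls:
        host = urlsplit(url).hostname
        if host and host != own_host:
            counts[host] = counts.get(host, 0) + 1
    return counts


def report(html, page_url):
    """One line per third-party host, labelled where the host is a known service."""
    lines = []
    for host, n in sorted(third_party_hosts(html, page_url).items()):
        label = KNOWN_HOSTS.get(host, "third-party host")
        lines.append(f"{host}: {n} request(s) - {label}")
    return lines


# Constructed sample page: a typical Google Fonts embed plus analytics and an iframe.
SAMPLE_HTML = """
<html><head>
<link rel="canonical" href="https://cdn.example.net/should-not-count">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<link rel="stylesheet" href="/static/site.css">
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="/static/app.js"></script>
</head><body>
<img src="logo.png">
<iframe src="https://www.youtube.com/embed/xyz"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for line in report(SAMPLE_HTML, "https://example.com/"):
        print(line)
```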


On the FAQ at the bottom, could you add links to the recent decisions from the German and other courts?


I have added links to the news about the decisions, but I see that the CSS styling made them similar to the rest of the text. I have fixed that now!


After reading that a German court has ruled that embedding Google Fonts violates GDPR because IP addresses are sent to the US, I made a webtool to check which servers websites request.


Cool. Thanks for making this.


It told me my site is probably violating GDPR. It's a static blog and doesn't collect any information or use any cookies, but it's hosted in the US. There would be ip addresses in the nginx logs, but those would be the ips of the proxy load balancer from my cloud provider.


I guess it is not violating anything then.


It seems like you're in problematic GDPR territory as soon as you're instructing the user's browser to contact a webservice of a company that is a subsidiary of a US company (see e.g. https://www.lexology.com/library/detail.aspx?g=196d55c7-beeb...)

The problem here is the IP address is classified as personal data.

So, it might be illegal to allow an EU resident's browser to even request a website hosted by e.g. AWS Ireland in Region Germany as AWS belongs to Amazon US.

We're actually thinking of serving EU customers via Hetzner and Bunny.net CDN to guarantee GDPR compliance.


Thanks for making and showing us.

Minor bug report: URL input field hangs in spinning state if given URL does not exist, forcing page reload to try again.


Thanks! Haven’t caught that one before.

The map state also persists from the second search on, but I'll soon have a fix for that.


Hmm. My site itself is hosted in the US, so it catches my site as one of the violations. Does GDPR differentiate between first-party and third-party servers in this case?


The solution doesn’t differentiate between first-party or third-party servers. As long as any servers are outside Europe, it marks the site as in violation.


You explain this in the "how does this website work?" FAQ, but you could be even more up front about it. I expected this to try to do something interesting about cookie management or privacy policies (which is pretty hard TBH).

You're asserting that embedding any content hosted outside the EU is a GDPR violation. That is HUGE NEWS. I had no idea. That seems crazy.


It’s a violation if it happens without consent. If PII (which IP address counts as) is shared (for example by fetching Google Fonts from a US-based CDN) regardless of consent, that is a violation.

Many sites have a consent wall but will throw out third-party requests even if consent is not explicitly given.

If you do those requests only for logged in users who have individually consented (oh, and grandfathering in old users who did not consent will require the same new consent), that does not in itself count as a violation.

Also, explicit consent is not required for strictly necessary things. "Because this way is easier and cheaper and almost everyone else in our industry is doing it" is not sufficient reason.


It doesn’t handle redirects well - domain.com redirecting to www.domain.com makes it freak out.


it seems https://www.violating-gdpr.com/ violates GDPR itself by using vercel


The irony. ;)

But the way the courts interpret GDPR, essential parts of the internet are technically illegal if you are based in Europe.


> essential

Google Fonts SaaS and Google Analytics aren’t essential. Self-hosted Google Fonts and Matomo get you a long way.


I agree on those, one of the few things I'd consider hard to replace is CDN


> the way the courts interpret GDPR essential parts of the internet are technically illegal if you are based in Europe.

wat


It always feels like the failed EU cookie policy and the GDPR would be better served by an "EU mode browser". It would have third party cookies disabled and first party cookies would prompt for approval the way all browsers used to work. It would disable third party image, css, js, and font hosting without prompting for approval and warning of privacy implications, since all of those can be used to take IP addresses by the third parties. It could even serve up a 'do not track' style indicator for certain privacy settings.


Apparently, HN might be violating GDPR according to the website


Yep. Now everybody has to decide if they actually believe the EU has the ability to tell them exactly how they have to run their website.


Either the customers who care about privacy trust you, or they don't. Let n cases show up in the news where US companies are ignoring the respective rulings and the US market will simply lose any attraction it still has left for European customers. If I have the choice between an American service and a European one, I'll choose the latter every single time, because I wouldn't trust American companies, the American government, or American citizens at all. Your comment isn't the reason why, but very likely stems from the same causes.

Also, the public sector matters a lot here: they can't risk having the data going to the US when they are legally mandated to keep it in Europe. This demand already exists and won't go anywhere, leading to all kinds of services being re-engineered on European soil.

Eventually any company who doesn't respect their users' privacy will probably be phased out by a European alternative - at least for the customers who care about that sort of thing. Europe made very clear that it does, but sure, time will tell what disrespecting that market segment will do to market shares.


You do realize the vast majority of websites don’t even have customers, right?

Ask me how much I care whether my non-existent customers decide they don’t want to be my customer.

And I’ll ask you how in the world a visitor to my website is supposed to know or care whether my site is hosted in the US or EU. I’m not even 100% sure myself.


>And I’ll ask you how in the world a visitor to my website is supposed to know or care whether my site is hosted in the US or EU. I’m not even 100% sure myself.

Pretty sure we'll see indicators for that in browsers in the foreseeable future. The internet will be a much more zoned-space in the future, so much seems obvious.

> You do realize the vast majority of websites don’t even have customers, right?

customer <- visitor


This path leads towards the balkanization of the web, which is a step backward in my estimation. This tool reports that static sites with no JS, no cookies, and no third-party requests are in violation because they are hosted in a place other than the EU. That surprises me greatly. It seems from your comments downthread that this is the direction you see things going (i.e. a more fragmented internet), and that may be correct, but I see it as a huge loss, and I _highly_ doubt it will solve any of the privacy problems we have.

Now that I think about it, if an IP address is PII, and leaking PII outside of the EU is a violation, I wonder if any P2P network can be legal in the EU, since P2P networks leak IPs globally. How would IPFS or Bittorrent work?

A quick search shows that this is indeed an issue, and most P2P networks don't support the revocation of PII that would be necessary. IEEE has an early access paper[0] about exactly this issue:

> To comply with the criteria of the European Union's General Data Protection Regulation, it is important to ensure that personal data can be completely removed by their owners. To improve the privacy and security of the P2P file-sharing system, we propose a revocable and monitorable P2P file-sharing system over a consortium blockchain to achieve revocation of files in the decentralized environment.

So, for everyone who said blockchain is a solution in search of a problem, I present GDPR-compliant P2P networks! I'm mostly kidding, my brief read through the abstract suggests this also requires a bunch of other heavy-handed measures, like securely verifying the P2P executable using Intel SGX. It's hard for me to imagine such a system gaining any sort of widespread use, but I've been wrong before.

[0]: https://ieeexplore.ieee.org/abstract/document/9684748


Yep. Now everybody has to decide if they actually believe the government where they live has the ability to tell them exactly when and who, if anyone they are allowed to murder for no reason at all.


I don’t live in the EU, which is the main point.

The EU says it is illegal for anybody in the world to use Google Fonts. Guess how many people outside the EU care what the EU says they can and can’t do on their website. How many millions of websites are there using Google Fonts right now? How many were there last week? How many will there be next week? That tells you everything you need to know.


> The EU says it is illegal for anybody in the world to use Google Fonts

Total and utter horseshit, and you are fully aware of it.


I’m sorry if I misunderstood. The post I’m commenting on said Google Fonts are no no, did it not?


When you sell chicken in the EU it can't be washed in chlorine. That does not mean that the EU has banned anyone in the world from bathing their chickens in chlorine, but if you present your goods to the bloc it must comply with the laws of the bloc. Likewise when you present your website to people within the bloc, you must comply with the laws of the bloc.

btw when you factory farm animals 10 high and they live their entire lives covered in the faeces from the 9 layers of chickens above, it is actually a good idea to give them a wash and disinfect them.


Which of the following are you disputing?

1. GDPR is an EU law that claims to apply to every single website in the world, mandating certain things regarding PII.

2. A court has now determined that using Google Fonts on a site will make it noncompliant with GDPR.

3. Thus, any site that currently uses Google Fonts is currently in violation of that EU law called GDPR.

If you are objecting to #3, please explain why it doesn't follow from 1 & 2.

Regardless, when you say I'm intentionally and knowingly spreading "horseshit," it's completely untrue and uncalled for. An apology would be nice.


> 1. GDPR is an EU law

Yes

> that claims

laws claim nothing

> to apply to every single website in the world,

No non nein no no no no no

> mandating certain things regarding PII

well 2 out of 4 ain't bad

> 2. A court has now determined that using Google Fonts on a site will make it noncompliant with GDPR.

Sure thing.

> 3. Thus,

I sense a wild extrapolation inbound....

> any site that currently uses Google Fonts is currently in violation of that EU law called GDPR.

No, any site that currently uses Google Fonts AND IS HOSTED IN OR VIEWED FROM THE EU is currently in violation of that EU law called GDPR.

GDPR is not international law, it's not a global law, it's not Europe telling the US what to do, it's actually not about you at all. On the other hand, if you would like to do business with Europe, we have some things we would like you to do; if you do not wish to do them, you are free (we all know Americans love their freedom fries) to not do any of the things we require and stay out of our jurisdiction.

If you have a website in the US, and a person in the US visits it, unlike your repeated claims - the EU neither wants nor needs nor considers it to be anything to do with anything that they give the slightest of shits about. You, me and the brick wall all know this to be true.


So it requires every website in the world to interact a certain way with every single EU visitor.

So you’ve confirmed that it applies to every website in the world. I don’t see how I can put a website up without being affected by GDPR. If I am affected the moment I put a site up, then it applies to every site.

The internet is worldwide by default. I have no ability to prohibit people in the EU from seeing my site.


> So it requires every website in the world to interact a certain way with every single EU visitor.

Yes

> So you’ve confirmed that it applies to every website in the world.

Here we go again

> I don’t see how I can put a website up without being affected by GDPR.

Don't serve it into the EU. So we have firmly established it does not apply to every site in the entire galaxy.

> If I am affected the moment I put a site up, then it applies to every site.

It doesn't apply if you don't serve it into the EU, so no it doesn't apply to every site in the entire galaxy.

> The internet is worldwide by default.

The default is 0.0.0.0 - the default is also unencrypted - the default is no password - the default is a lot of things that nobody in the world would do.

> I have no ability to prohibit people in the EU from seeing my site.

So you have the ability to publish a site, but not the ability to control that site, why am I not shocked. A bit like having a car and blaming everyone for not getting out of the way when you use it.


Do you have any idea how contrary this is to the philosophy of the web? It's called the "internet" because everybody is interconnected on it. It's called the "World Wide Web" because when you post, it's available to the whole world.

And somehow I'm an idiot because I expect 99.99999% of websites, including my own, to be available anywhere in the world?

Go live in China if you like Great Firewalls so much.


> Do you have any idea how contrary this is to the philosophy of the web?

wtf is the philosophy of the web? Is this the laws of the internet? I don't live on the internet so the internet doesn't have jurisdiction over me.

> It's called the "internet" because everybody is interconnected on it.

internet - 1970s (denoting a computer network connecting two or more smaller networks): from inter- ‘reciprocal, mutual’ + network. So no, that's not why it's called the internet.

> It's called the "World Wide Web" because when you post, it's available to the whole world.

It's like the World Series of baseball then? It was actually called Mesh first. It's called the World Wide Web now because TBL came up with that name for the first browser program to browse the Mesh, which for years only existed in Europe.

> Go live in China if you like Great Firewalls so much.

So now you are saying you don't expect 99.99999% of websites, including my own, to be available anywhere in the world. Why only 99.99999%? You want to exclude some? Which in particular? Why? Who gets to decide?

You are proposing a bizarre situation whereby no country would have control over its own laws: if something is illegal in the US, say child porn, you just go to a website from a country where it is legal (and somehow that is legal now??). Somehow you seem to suggest it is a moral obligation that it be available to the entire world as well, for fear of falling foul of the philosophy of the internet.


If the EU thinks my site is illegal, then the EU can block it. Or, alternatively, they can arrest people in the EU who they actually have authority over for visiting it.

LOL

Have fun on your little power trip. And good luck with it. Let me know once just 5% of the websites available in the EU stop using Google fonts. Lol


> 1. GDPR is an EU law that claims to apply to every single website in the world, mandating certain things regarding PII.

GDPR only applies if you specifically target EU citizens, are in the EU, are an EU citizen, make any money from the EU, etc.


Show me where GDPR only applies if I specifically target EU citizens. I was under the impression that it applied if somebody in the EU visited my website.


Some context from https://termageddon.com/austrian-dpa-rules-that-google-analy...

  Generally, GDPR prohibits the transfers of personal data from the European Union to a country that does not meet the same privacy protection standards as those provided by the European Union. Due to a lack of uniform privacy laws that provide significant privacy rights to individuals and the surveillance of United States intelligence agencies, the European Union has long held that the United States does not provide adequate privacy protections to individuals.
So it seems that if you are an individual located in the European Economic Area then the GDPR attempts to preserve your data privacy rights. A US website can't void those rights in exchange for some fonts.


Yep. So every website in the world that is using Google fonts and doesn’t somehow magically prevent every person in the EU from ever seeing their site is in violation of GDPR.


If a website irresponsibly collects and stores information from individuals located in the EU, then they are violating the individual's data rights.

It seems like e.g. the US CLOUD act requires US businesses to provide their agencies access to any data, whether that data is hosted in the US or not. IANAL but this looks to me like even if Google uses EU based servers to host fonts, they would still be required to provide PII to US agencies.

There are other non-EU countries in the world with GDPR compatible regulations.


So, you're not disagreeing with me.


I'm tilted more towards the US being in the wrong here and should repeal some acts. I do agree with you that it applies to every website in the world when it collects info on individuals located in the EU. Penalties only seem to occur if your business operates in the EU. So some subset of websites could ignore it I guess? IANAL.

Edit: Also the more I read about the GDPR (and the CLOUD act), the more I'm in favor of it.


As a visitor to your website how can I know you are respecting my privacy?


How about I put up a huge privacy theater alert box on my site like all the other stupid websites that decided to make a morality play out of following GDPR? Are they all going to add another popover box saying “WE DON’T USE GOOGLE FONTS! YOU CAN TRUST US WITH YOUR PERSONAL DATA! WE PROMISE!”?


If it's a US site, I know that's a promise that it can't really make, due to US laws. If it's an EU site, then I could hold them legally responsible if it's just theater.


This hits the heart of the issue: how would you know if it's "just theater"? And if you did somehow find out, holding a random site legally responsible (I'm assuming you mean suing them?) will be dicey... even notable European sites don't comply with GDPR (the one example mentioned elsewhere in this thread was https://www.consilium.europa.eu/en/, but I'm sure that's not an isolated instance).


For larger businesses, relying on whistleblowers or auditing might be one way. For smaller ones using tools like the one discussed here. Or maybe a browser plugin that automatically notifies visitors.

https://www.enforcementtracker.com/ "... is an overview of fines and penalties which data protection authorities within the EU have imposed under the EU [GDPR]"


Ah, I see, I think we're talking past one another. I was critiquing this approach from a technical perspective, since once data is sent over the wire, I don't know of any good way to figure out what's being done with it, and whether it complies with any given policy (including GDPR). E.g. we can see if the _browser_ is connecting to Cloudflare in the US, but what if a connection to a US server is happening on the backend?

If I'm understanding your point, it's more along the lines of: "Lots of people are looking into this sort of thing, and we can aggregate resources about their findings." This makes sense to me, but wasn't what I was intending to critique.


There can indeed be lots of magic going on in a backend and various ways GDPR violations may or may not be discovered.

Here's an amusing 320k euro fine https://ico.org.uk/media/action-weve-taken/enforcement-notic...

  On 24 July 2018 the MHRA had executed a search warrant at the premises of
  Doorstep Dispensaree under the Human Medicines Regulations. In
  the course of its search, the MHRA discovered, stored in a rear
  courtyard, 47 crates, 2 disposal bags and 1 cardboard box full of
  documents containing personal data. MHRA estimated
  approximately 500,000 documents but cannot estimate the
  number of data subjects.
 
  MHRA have inspected the crates and the information contains:
  a. Names
  b. Addresses
  c. Dates of Birth
  d. NHS Numbers
  e. Medical Information
  f. Prescriptions 
 
  The dates on the documents range from January 2016 - June 2018.
  The documents were not secure and they were not marked as
  confidential waste. Some of the documents were soaking wet,
  indicating that they had been stored in this way for some time.
I doubt there is a purely technical solution to finding this kind of problem :)

Edit: to be clear, the violation type here seems to have been "Insufficient technical and organisational measures to ensure information security"


In other words, the big claim that the GDPR applies to every site in the world... is not true. Just like I've said from the beginning.


Actually, it could be applied in an extraterritorial way.

The GDPR applies to processing of data of individuals located in the EU/EEU and states the rights of these "data subjects". If your business violates the GDPR and wishes to also operate within the European Economic Area, it could face fines and penalties.


As a GDPR auditor, this website just does a very superficial job, and doesn't go anywhere close to deep enough.

It could at least check if third-party cookies are being set without consent, which is a major GDPR red flag.


Yes, it does a very superficial job. But to check for third-party cookies and if they are being set without consent is very difficult to normalize and check for.

For now, this is just a simple tool to check where a website fetches its information. However, it takes a shortcut by only traversing the DOM. It would be more precise if it checked all network activity from a site, but then it would have to fire up a browser for every search, and the loading times would be much, much longer (yes, I tried).

But if people find this helpful, I could work more on it to add more features as you suggest.
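As an added example (not the tool's own code), here is the DOM-traversal shortcut the author describes, written in Python against a constructed HTML snippet: it lists the hosts a page's markup references other than its own, and flags the Google Fonts hosts discussed in this thread. The page URL and the CDN hostname in the sample are constructed placeholders.

```python
"""Static scan of an HTML document for third-party resource hosts (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch something while building the page.
FETCH_ATTRS = {
    "link": ("href",),
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "source": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "embed": ("src",),
}

GOOGLE_FONTS_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}

# Constructed sample page: one first-party stylesheet/script, Google Fonts,
# an inline data: image (no network fetch) and a third-party CDN image.
SAMPLE_HTML = """
<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Roboto">
<link rel="stylesheet" href="/static/site.css">
<script src="/static/app.js"></script>
</head><body>
<img src="data:image/png;base64,iVBORw0KGgo=" alt="inline">
<img src="https://cdn.constructed-cdn.test/logo.png">
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collect absolute URLs of every resource the markup declares.

    Limitation (as the author notes): this sees only the static DOM, not
    requests made later by JavaScript or by CSS @import rules.
    """

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # html.parser lowercases tag and attribute names
        if tag == "base" and attrs.get("href"):
            self.base_url = urljoin(self.base_url, attrs["href"])
            return
        for name in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if value and not value.startswith(("data:", "javascript:")):
                self.urls.append(urljoin(self.base_url, value))


def third_party_hosts(html, page_url):
    """Return the sorted hosts, other than the page's own, that the DOM references."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    own = urlsplit(page_url).hostname
    hosts = {urlsplit(u).hostname for u in collector.urls}
    return sorted(h for h in hosts if h and h != own)


def uses_google_fonts(hosts):
    """True if any referenced host belongs to Google Fonts."""
    return any(h in GOOGLE_FONTS_HOSTS for h in hosts)


if __name__ == "__main__":
    found = third_party_hosts(SAMPLE_HTML, "https://mysite.test/")
    print("third-party hosts:", found)
    print("Google Fonts referenced:", uses_google_fonts(found))
```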


Pretty sweet tool!


I know some folks really like GDPR but I think it overreaches in a number of areas which probably were not fully recognized before the law was created.


It's interesting that people are now beginning to realize which ridiculous conclusions GDPR, taken at its word, leads to:

- IP addresses are personally identifiable information (PII), and hence require consent to process

- Transferring PII to servers outside of Europe, or servers owned by organizations with legal residence outside of Europe (aka American tech companies), is not allowed

That means it is non-compliant to host your website at e.g. AWS, because it would mean AWS has technical means of accessing your customers' IP addresses, and AWS is owned by an American company. It doesn't matter whether you use an EU-based data center, because the jurisdiction of the parent company matters. This effectively rules out AWS, Google Cloud, Azure, and of course pretty much all CDN providers.

And effectively everyone is non-compliant.


> ridiculous conclusions

> - IP addresses are personally identifiable information

I really thought you were going to go in a different direction than this. This is very obvious and there's nothing ridiculous about it. To most people in the EU, an IP address gives a very high resolution to a person.

> That means it is non-compliant to host your website at e.g. AWS

Yes, this is correct. AWS, Azure and GCP cannot possibly be compliant. It's taking everyone a while to figure this out. There's nothing wrong with that, privacy-sensitive information should never touch the US. No US-based company can guarantee your privacy.

> effectively everyone is non-compliant.

This is of course hyperbole. If you don't log or track you are perfectly compliant in every case.


> If you don't log or track you are perfectly compliant in every case.

But that is simply not true, right? If I host my website on AWS and 'log or track' nothing I am still not compliant. It's not about what I do as a website provider, it's effectively outlawing working with companies based in other jurisdictions.


> based in other jurisdictions.

Instead of this we can just say "the US" and only because of local laws and hyper-invasive corporate culture.


It's definitely 'other jurisdictions'. There's a (short) whitelist of countries that are deemed adequate, which you can find here: https://ec.europa.eu/info/law/law-topic/data-protection/inte...

To save you the click, it's Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom and Uruguay.

These are 14 countries.


You can use a provider from anywhere, as long as you know they do not track.

"The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary."

The operative words being "without any further safeguard".


Additionally, for data that's strictly needed for your business, you don't even need to ask consent, but you're responsible for keeping data safe.

It's weird how the whole "you need to keep your users' data safe and not collect more than is necessary" is such a controversial topic for some on HN.


> It's weird how the whole "you need to keep your users' data safe and not collect more than is necessary" is such a controversial topic for some on HN.

I think it stems from a long lawless time online where everyone was free to aggressively exploit everyone else. The fact that such behaviour is becoming frowned upon is something that we should expect will generate some friction. That said, I also find it hard to empathise with.


My impression was they can very much be compliant as long as they sign a contract with you that they only process data themselves in a manner compliant with GDPR in the services you make available for EU citizens.


> If you don't log or track you are perfectly compliant in every case

The GDPR is not merely a list of bad things not to do. You must also hire people to carry out slow and expensive processes to continually demonstrate compliance, e.g., https://gdpr-info.eu/art-36-gdpr/.


Quick fact check.

GDPR says IP Addresses are personal data, although this is a clarification of a previous court ruling.

Personal data does NOT need consent to process. Consent is only necessary in a minority of cases, and certainly not regular website access. The idea that GDPR <==> is a misunderstanding. (This is closer to true when dealing with website cookies, because of a different and stupider law.)

GDPR does not prevent transferring data outside of Europe. It just says that data privacy must be respected, in one of a variety of ways. The problem is the US CLOUD Act, which basically says US companies are bound by US law even when operating in other jurisdictions. EU Courts have ruled that US companies bound by the CLOUD Act cannot safeguard data. And they aren't wrong.

By comparison, data transfers to the UK or Japan require nothing more than putting the words "adequacy decision" in your privacy policy. This is because those countries have laws safeguarding privacy, as opposed to laws safeguarding law enforcement's access to personal data.


Thanks for the corrections.

What my original statement meant to convey was not simply disagreement with GDPR, but more that two somewhat unrelated edge case decisions ("do 'just' IP addresses count as PII", and "can one work with American suppliers") gave this regulation a scope that I believe wasn't even intended by the original lawmakers (as evidenced by their own failure to be compliant, see the other comment thread), and that very much goes against the realities of the Internet of the past 25 years.

That being said, your corrections are valid and give a more precise description of the situation rather than my initial comment.


That's a fair point. At the time GDPR was passed, there was an Adequacy Decision in place (Privacy Shield), so the political expectation was that US<->EU data transfers would be OK.

One way of looking at things is that the political landscape ("we can work with the US") was not in alignment with the legal landscape (US law does not prioritize privacy safeguards). Max Schrems & noyb are forcing Europe to reconcile that schism and bring practice into alignment with legal requirements rather than political requirements. This is causing disruption, but I'm of the mind that it's not unjust; it's a matter of finally having to pay the piper.


> And effectively everyone is non-compliant.

You know that's blatantly wrong.

Choose an EU-based webhosting provider, don't use "the usual suspects" in regard to tracking or run your own Matomo instance, and save as little data as necessary.

Compliance done.


One data point, that I just found after a few clicks: Homepage of the 'Council of the European Union' (https://www.consilium.europa.eu/en/). On opening, loads resources from 'newsroomcdnakamai.azureedge.net'.

If compliance is such a breeze, I wonder why the very institutions that took part in creating those regulations are not able to comply (after almost 5 years now)?


Are you sure newsroomcdnakamai.azureedge.net is non-compliant?

From client IPs within the EU, that domain resolves to EU-based hosting locations, so it's plausible that all of the PII protections and contracts are in place.


Yes: the point is that it is owned & controlled by Microsoft. The actual location of the data processing doesn't matter if the parent company is bound to US jurisdiction (which Microsoft is).



