
BjoernKW | 10 months ago

It might be relatively easy to read, but for SMBs it's hard to actually implement in real life, because GDPR and the EU's stance so far often don't take economic reality into account. For small businesses, GDPR in many regards created a legal limbo, while large corporations scoff at that regulation and have their legal departments deal with it however they see fit.

For instance, there's this tiny, gnarly aspect of where you are allowed to store your customer data.

Hosting data on servers located in the EU isn't required by GDPR in and of itself, as long as you have a valid data processing agreement with the provider stating how and according to which provisions customer data is protected on their machines.

However, according to a 2020 European Court of Justice ruling you're not allowed to transfer any personally identifiable information to companies that are in any way affiliated with a US-based entity (e.g., by virtue of having a US-based parent company) anymore. Just being physically located in the EU isn't sufficient according to this ruling.

The reason for this is that with FISA US law enforcement can force US-based companies to hand over any data, even if that data is stored with an international subsidiary under a completely different jurisdiction.

This basically invalidates all of the provisions and legal frameworks for interacting with non-EU entities that used to be acceptable under GDPR before (e.g., Privacy Shield).

However, not interacting with any US-based or US-related entities at all anymore would be tantamount to ceasing almost all economic activity. So, until (or more pessimistically: unless) the US and the EU come to terms on a new agreement regarding privacy rules, there probably isn't anything a business can do on its own to completely address this issue. At this point, merely hosting data on servers physically located in the EU perhaps amounts to little more than window dressing.

As soon as a business has dealings with a US-based company, or an EU-based company owned by a US-based company, that potentially might have access to user data, that business is technically in violation of GDPR. As of now, as a business you essentially have three alternatives:

1. Run the entire infrastructure you need yourself or have it run by EU-based companies guaranteed to have no relations with US-based entities whatsoever (Good luck with finding those ...). This, for example, includes payment systems and banking infrastructure, because guess where many EU-based banks host their infrastructure? That's right, AWS.

2. Go out of business.

3. Ignore this aspect of GDPR for now, document everything, continue to do your own due diligence, and hope for the best.
