
> How would a small company, say a code forge, that is based in the US ensure that it is operating such that it is legal to have EU customers?

Do not store any kind of PII as defined by the GDPR, ever, anywhere.

If you do, the PII data you store about your companies must respect the GDPR, and in particular access to it by law enforcement has to go through an EU court.

Because the US has decided with the CLOUD Act that US access to all data from US companies, or any company owned by a US company, only has to go through a US court, it is not possible to comply at the moment.

(Before the CLOUD Act, storing the PII data within the EU and owned by an EU subsidiary was the best solution.)




The correct solution would be to set up as an EU company that is in charge and runs everything and controls all the EU data, which only uses cloud services operated by companies that do not have any US-based parent company, grandparent company, etc. (Ideally only using cloud services from EU companies whose whole ownership chain remains in the EU, as that keeps things simple.)

One could retain a US subsidiary, which might handle US or even all non-EU data.

Unfortunately it is not clear if an American individual could own or control the EU parent company. It depends on whether the owner could be considered "a provider of electronic communication service or remote computing service", because if so, they could subpoena you personally, on the basis that you control the EU company and thus the information is within your control.

The relevant part of the law is:

> A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.


Is it not even ok to store this data if the company is clear about the fact that it is hosting the data on servers of a US company like AWS?

Like making it clear in the DPA/PP?


It's not about saying where the data is / warning your customer, it's about protecting the data.

You need to protect it under EU court / jurisdiction, and the US broke that and said they have jurisdiction over any piece of data your company ever touches.

That's why the US now wants some sort of privacy shield 2.

As an actual solution you can use: find another company, an EU company, one that you don't own, to handle your PII data for you, so you never store that data yourself.

Also, be sure to read in the GDPR exactly what is and isn't PII under it, a lot of companies can work just fine without much or any PII, and a lot of people think "any" data is PII.


We definitely store PII as we have to store users' emails and even phone numbers.

So we basically need to migrate to an EU-based cloud provider ASAP?

Would this privacy shield 2 fix this problem? I suppose we can’t just wait for that.


> So we basically need to migrate to an EU-based cloud provider ASAP?

Sadly no, because you still own the data, which is the criterion the US has decided on.

> Would this privacy shield 2 fix this problem?

No idea since at this point it's merely a name for a vague demand being asked by the US.

I'm sorry for the trouble this whole situation causes to your company, though to be honest, as you can imagine, I am very glad that my representatives in the EU didn't back down and protected my rights.


> to be honest, as you can imagine, I am very glad that my representatives in the EU didn't back down and protected my rights.

I'm the asker of the question that started this discussion. I'm a US citizen.

I'm actually on the side of the EU here. There need to be privacy protections for consumers. Even though the requirement for a rep in the EU is impossible for me to fulfill, I admire the fact that they prioritized native EU companies over foreign ones because that is what's best for the EU inside the EU.

I'm mad at the US government for the CLOUD Act, which is egregious and doesn't serve the interests of the US; it only serves the interests of the US government.


Actually, maybe it wasn't clear because of the parent comment I commented in, but we are an EU company; for our server hosting, though, we use a US provider.

Do you know if that makes any difference?

As an EU resident myself I completely understand; it is just a bit tough to make the changes as a small company, but if it's legally required we'll make them ASAP.


Oh yes, then you are fine if you migrate to an EU provider, as long as you respect the general provisions of the GDPR (inform the user, allow access to and deletion of PII, don't share it outside the EU, etc.)! Sorry, I assumed you were a US citizen with a US company.

To ensure you don't have problems down the line, make sure they themselves store their data in the EU (for example, French OVH allows you to choose where your data is stored; their French datacenters are fine, but I would not go with their Canadian datacenters).

Allow me to remind you that it's not just the hosting but anything that touches that data; e.g. analytics and error reporting services are concerned too.


Thanks a lot, this is super helpful, much appreciated.

I was just thinking about the other services; for example, would Cloudflare be ok? We proxy all our traffic through them, and they are key for DDoS prevention. I suppose data goes encrypted to them.


I cannot answer your subcomment; I believe the thread might be too deep?

Anyway, sadly no, Cloudflare isn't ok; it's specifically one of the three providers that got Shopify convicted in the parent article (the other two being CloudFront and Fastly).


Oh boy, CF is a difficult one to replace :/ Will have to start looking for EU alternatives.
