
GDPR and a US hosted site

Unforgiven

    Any updates on the account deletions issue? You need to be deleting the user's username otherwise you will not be GDPR compliant.

    Can someone explain to me how a US company solely hosted on US soil can be subjected to an EU law? I'm asking out of curiosity and am not speaking for the forum. My read on this would be like a French person flying to the US and buying a product and expecting European consumer protection laws to apply. It just doesn't make sense to me. It isn't like Google or Facebook that have physical presences in Europe where the European web traffic is handled.

    FWIW, my thread, so no political posturing about right and wrong, etc, or why things should be one way or another. I just want some understanding of the topic.
     
    It doesn't. As I understand the GDPR it can only be applied to companies doing business within the EU countries. Since AF is a solely U.S. company only U.S. laws apply. As far as I know a.) no other country can impose laws on U.S. companies (or citizens) within the U.S. without some sort of treaty, and b.) there's no treaty with the EU that requires U.S. companies to comply with the GDPR when dealing with EU citizens.
     
    > It doesn't. As I understand the GDPR it can only be applied to companies doing business within the EU countries. Since AF is a solely U.S. company only U.S. laws apply. As far as I know a.) no other country can impose laws on U.S. companies (or citizens) within the U.S. without some sort of treaty, and b.) there's no treaty with the EU that requires U.S. companies to comply with the GDPR when dealing with EU citizens.

    That's my understanding too

    I've seen it come up a couple times in the nuke my account thread, and @psionandy liked the last post, and I know he is tuned into that sort of thing. It's why I asked. I hope he chimes in.
     
    According to this...
    https://www.csoonline.com/article/3...on-gdpr-requirements-deadlines-and-facts.html
    • A presence in an EU country.
    • No presence in the EU, but it processes personal data of European residents.
    • More than 250 employees.
    • Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data. That effectively means almost all companies.
    I'm pretty sure something like WeChat is affected by GDPR, even though it operates in the PRC and AFAIK has no servers and personal data held in the EU.
     
    > According to this...
    > https://www.csoonline.com/article/3...on-gdpr-requirements-deadlines-and-facts.html
    > • A presence in an EU country.
    > • No presence in the EU, but it processes personal data of European residents.
    > • More than 250 employees.
    > • Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data. That effectively means almost all companies.

    I understand Trump just signed a bill to tax all members of the EU :rolleyes: ... how can they possibly expect to enforce the GDPR in the US?
     
    > I understand Trump just signed a bill to tax all members of the EU :rolleyes: ... how can they possibly expect to enforce the GDPR in the US?
    How can the EU encumber a US-based company with no European presence without a treaty enabling that authority? Any country can pass a law, but that doesn't make it enforceable in regions outside of their jurisdiction.
     
    > How can the EU encumber a US-based company with no European presence without a treaty enabling that authority? Any country can pass a law, but that doesn't make it enforceable in regions outside of their jurisdiction.

    Well.... here's the thing...

    The law applies to any provider of services to European citizens. It doesn't matter where it happens to be based. The fact that it is providing services to EU citizens means it is subject to those laws.

    It's not really a radical position. If I buy goods from a US retailer... then although I am not a US citizen, I may have to pay US sales tax. Libel law is tricky as well.. but if I libel a US citizen on here, even though I have never set foot in the States, someone could sue me under US law (or vice-versa, I could sue under UK law, or even Australian law where neither party has been, if the post causes them reputation damage in Australia).

    And before any US citizens get all high and mighty about the fact that the USA would NEVER do such a thing... they already have, with the CLOUD Act that was passed earlier this year, which means the USA claims the right to access data held internationally on servers outside the USA (if the company involved provides services for US citizens). https://blogs.microsoft.com/datalaw...ifying-lawful-overseas-use-of-data-cloud-act/

    Now... as to whether these are enforceable.. I'm not a lawyer.. However, the penalties involved under the GDPR mean that there are significant amounts of money involved. And the USA is very clear that it will drag anyone through the US court system to uphold the CLOUD Act.

    The GDPR bit though seems to be all about good practice... I'm deliberately not going to tell you how to run AF (that would be out of place) but speaking purely about a 'hypothetical web forum', it seems easy enough to comply with, by embracing the values that we'd all hope our forum has.

    1. Any data collected must be with the informed consent of the person it's being collected from... Simply having massive pages of T&Cs may not be sufficient.. .it needs to be clear and understandable what the user is consenting to.

    2. Data collected for a purpose (such as running a forum etc...) should be for that purpose only. If you're running some sort of data processing system behind it that tracks my every waking minute and sells that information on to advertisers without me knowing and agreeing to that, that isn't cool under the GDPR.

    3. Information shouldn't be kept longer than required... so whilst forum posts can stay up forever, there's no need to retain server log files indefinitely (beyond the need to diagnose problems with the site, and mine them for information from say 10 years ago).

    4. If you store information about me, then I have the right to see it if I ask to... which is pretty easy for the web forum here... and if there is hidden information behind the scenes that isn't publicly available, then I get to see that as well if requested.

    5. I am allowed to withdraw my consent if I choose.. at which point I can ask you to delete information about me... which would mean that you may have to anonymize certain things held, including usernames of ex-members... which could be done with a script in the background.

    6. If someone doesn't want to supply services to EU citizens, and decides to lock them out, to prevent any need to interact with the GDPR, then that is an option as well. (in which case goodbye and thanks for all the fish)

    7. You're supposed to keep information safe, and if you have a data breach report it...

    8. You should have someone who is responsible for the above.

    These rights give some power to the people... and seem to be in support of the values that I think most people would agree with. They are very much "we the people" rights, as opposed to the governments/corporations taking them away from us.

    With all the stories of "big data" removing our freedoms and privacy, this is a bit of good news.
     
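As an added illustration of three of the points listed in the post above (subject access, erasure by anonymising a departed member, and not keeping server logs longer than needed), here is a small toy data store. This is example code written for this page, not code from the thread, from Android Forums or from any forum software; the record layout, the log line format and every name, address and log entry in it are constructed for the demo.

```python
"""Toy forum data store demonstrating GDPR-style data handling:
subject access (export), erasure by anonymisation, and log retention.
Everything here (schema, names, log lines) is constructed for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional
import re


@dataclass
class Member:
    member_id: int
    username: str
    email: Optional[str]
    ip_history: List[str] = field(default_factory=list)


@dataclass
class Post:
    post_id: int
    author_id: int
    body: str


@dataclass
class ForumStore:
    members: Dict[int, Member]
    posts: List[Post]
    # constructed access-log format: "YYYY-MM-DD <ip> <username> <path>"
    access_log: List[str]


# Point 4: a subject access request returns everything held about the member,
# including the non-public parts (email, IP history, matching log lines).
def export_member_data(store: ForumStore, member_id: int) -> dict:
    m = store.members[member_id]
    return {
        "username": m.username,
        "email": m.email,
        "ip_history": list(m.ip_history),
        "posts": [p.body for p in store.posts if p.author_id == member_id],
        "log_lines": [line for line in store.access_log if f" {m.username} " in line],
    }


# Point 5: erasure by anonymisation. Posts stay (they are forum content), but
# the identifying fields are replaced and the old username is scrubbed from
# historical log lines as well, so nothing links the content to a person.
def anonymise_member(store: ForumStore, member_id: int) -> str:
    m = store.members[member_id]
    old_name = m.username
    placeholder = f"deleted-user-{member_id}"  # reveals only the internal id
    m.username = placeholder
    m.email = None
    m.ip_history.clear()
    store.access_log = [
        line.replace(f" {old_name} ", f" {placeholder} ") for line in store.access_log
    ]
    return placeholder


# Point 3: retention. Drop log lines older than the retention window.
# Lines that do not parse are kept rather than silently thrown away.
LOG_DATE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) ")


def prune_access_log(store: ForumStore, now: datetime, keep_days: int = 90) -> int:
    cutoff = (now - timedelta(days=keep_days)).date()
    before = len(store.access_log)
    kept = []
    for line in store.access_log:
        match = LOG_DATE_RE.match(line)
        if match is None or datetime.strptime(match.group(1), "%Y-%m-%d").date() >= cutoff:
            kept.append(line)
    store.access_log = kept
    return before - len(kept)  # number of lines removed


def build_demo_store() -> ForumStore:
    """Constructed sample data for the demo."""
    return ForumStore(
        members={
            1: Member(1, "alice", "alice@example.org", ["203.0.113.5"]),
            2: Member(2, "bob", "bob@example.net", ["198.51.100.9"]),
        },
        posts=[Post(10, 1, "Hello from Alice"), Post(11, 2, "Hi Alice")],
        access_log=[
            "2018-01-02 203.0.113.5 alice /forum/thread/1",
            "2018-05-20 198.51.100.9 bob /forum/thread/1",
            "2018-05-21 203.0.113.5 alice /account/delete",
        ],
    )


if __name__ == "__main__":
    store = build_demo_store()
    print("access request:", export_member_data(store, 1))
    print("anonymised as:", anonymise_member(store, 1))
    print("log lines pruned:", prune_access_log(store, datetime(2018, 5, 25)))
    print("after erasure:", export_member_data(store, 1))
```

The scrub of the log file is the part that is easy to forget: deleting the account row alone leaves the username and IP pairs sitting in the access log, which is exactly the "hidden information behind the scenes" the post's point 4 refers to.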
    Just so I can finally stop editing the above post, and give people some time to read it... I mentioned the CLOUD Act passed earlier this year (March 23, 2018) which

    " empowers U.S. law enforcement to grab data stored anywhere in the world, without following foreign data privacy rules."

    https://www.eff.org/deeplinks/2018/03/new-backdoor-around-fourth-amendment-cloud-act
    (oh.. and if you are a US citizen who cares about the 4th Amendment, then there is a very obvious way that this can be circumvented... read the article... but if you want to discuss this topic, it may be best to spin that discussion off into its own separate thread)
     
    I would say two things about the CLOUD Act from what's posted, and I'll be honest I didn't get a chance to read it.
    1. It would be unconstitutional here in the US if challenged
    2. I don't think the US could enforce it internationally without a treaty, any country could just tell us to piss off. The US may bluster and throw some bloviated hissy fits, but it wouldn't give them the right to the data.
     
    > I would say two things about the CLOUD Act from what's posted, and I'll be honest I didn't get a chance to read it.
    > 1. It would be unconstitutional here in the US if challenged
    > 2. I don't think the US could enforce it internationally without a treaty, any country could just tell us to piss off. The US may bluster and throw some bloviated hissy fits, but it wouldn't give them the right to the data.

    The issues that the CLOUD Act addresses have all gone through the courts.. and as a result of the CLOUD Act being passed, Microsoft withdrew its case against the US government.

    so.. 1) it's on the statute books right now,
    2) It's already been enforced with Microsoft in Ireland. And because of the law being on the books, Microsoft immediately complied with it. Up until that point they had been fighting the US government in court, which is why the bill was written and sneaked through hastily when you weren't looking.

    so... er... um... maybe we sit around and wait for a few years for it to get to the Supreme Court... and maybe at that point they'll give the data back????

    [edit... it's already been there.... https://www.theregister.co.uk/2018/02/28/us_supreme_court_microsoft_ireland_email/ and following the CLOUD Act, Microsoft's case was kicked out]
     
    I've been getting a lot of requests from various people recently, asking if I consent to have my personal details retained by them. Is that anything to do with these new data regulations?

    I really don't see how this GDPR law would be enforceable in other non-EU countries, unless they'd actively taken measures to sign up to it (treaty?). And AFAIK the USA hasn't done that.
     
    I'd say that is also talking about multinational companies, with physical presences in the covered jurisdictions. I'm questioning a site like AF, hosted entirely in one country.

    This Forbes article states that companies based entirely outside of the EU are still expected to follow the GDPR for EU citizens, but only when they are specifically targeting an EU market:

    > The organization would have to target a data subject in an EU country. Generic marketing doesn’t count. For example, a Dutch user who Googles and finds an English-language webpage written for U.S. consumers or B2B customers would not be covered under the GDPR. However, if the marketing is in the language of that country and there are references to EU users and customers, then the webpage would be considered targeted marketing and the GDPR will apply.
    >
    > Accepting currency of that country and having a domain suffix — say a U.S. website that can be reached with a .nl from the Netherlands — would certainly seal the case.

    That distinction is the key to enforcing that law globally, as any company specifically targeting an EU market will be motivated to retain access to that market. If a company is found to violate the GDPR, ignoring the fine and losing access to the EU may prove more costly than paying the fine.

    > I thought the EU was all about net neutrality?

    It depends on your motivation for net neutrality. If you take the ideological view of total non-interference, then banning sites for violating the GDPR would be wrong. So would removing sites for violating copyright or containing illegal material, if you wanted to take it to extremes.

    The more realistic motivation for net-neutrality (in my opinion), is preventing large companies from monopolising internet access. From that point of view, GDPR and net-neutrality don't contradict each other. Any company is welcome to compete on equal footing, but they must meet a minimum standard when doing so.
     
    Android forums is selling directly to EU citizens via its VIP program, selling advertising against EU citizens and processing data from EU citizens... A decent proportion of users and moderators are EU based.

    It would be hard to make a legitimate argument that they aren't.

    As noted above, complying with the spirit of the legislation would be relatively easy...

    ... And I'd like to think it's something that a responsible forum would do in any case regardless of the penalties
     
    > That distinction is the key to enforcing that law globally, as any company specifically targeting an EU market will be motivated to retain access to that market. If a company is found to violate the GDPR, ignoring the fine and losing access to the EU may prove more costly than paying the fine

    Two thoughts on this. The quoted Forbes article specifically states "Generic marketing doesn’t count. For example, a Dutch user who Googles and finds an English-language webpage written for U.S. consumers or B2B customers would not be covered under the GDPR."

    > If a company is found to violate the GDPR, ignoring the fine and losing access to the EU may prove more costly than paying the fine

    Are you saying a "Great Firewall of Europe?"

    > Android forums is selling directly to EU citizens via its VIP program, selling advertising against EU citizens and processing data from EU citizens... A decent proportion of users and moderators are EU based.

    The transactions are handled in USD on a server in the US with a company registered in Maryland. There are no .fr or .uk domains. Again, from the provided article:

    "Accepting currency of that country and having a domain suffix — say a U.S. website that can be reached with a .nl from the Netherlands — would certainly seal the case."

    I'm not arguing any of the merits of GDPR, heck, I don't even know what it does. It just strikes me odd that without a treaty one country or bloc of countries can regulate a company outside of its jurisdiction that has no presence within its jurisdiction.
     
    For the record, I probably agree that AF is exempt for the reasons you mention.

    > Are you saying a "Great Firewall of Europe?"

    I don't know if anyone knows how it will be implemented, as it hasn't happened yet. But the GDPR document states the powers that the 'Supervisory Authority' of each EU state will have, which include "the restriction of data flows" (emphasis mine).

    > Each supervisory authority shall have all of the following corrective powers:
    > 9) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;
    >
    > 10) to order the suspension of data flows to a recipient in a third country or to an international organisation.
     
