
> The EU part cannot be owned by the US entity since the US government can compel the US mother company to have its subsidiary hand over data.

Is this true for ownership by individuals too?

If I, an American citizen & resident, owned and operated a company registered to a European nation to serve my European customers (with European hosting), does that make me compliant? Does an American solo founder have a path to compliance at all, or would I be required to collaborate with a completely separate workforce that has no ties to America?



If you are subject to the cloud act in the US then you are not compliant or in any way can be compelled by the US to hand over data on EU citizens.

As a private individual I suspect you would not have much to stand on if the NSA knocked on your door.

Another way to be compliant is to not collect PII.


> Another way to be compliant is to not collect PII.

The GDPR extends far beyond the US notion of PII. As I understand it, it covers basically all user-submitted or user-related data if it's possible for that data to be hypothetically tied to an individual in the EU (even if that can be done without your service holding traditional PII).

> As a private individual I suspect you would not have much to stand on if the NSA knocked on your door.

Yeah, a federal agent with a wrench can do anything they want to me (https://xkcd.com/538/), but I'm trying to figure out my options.


> The GDPR extends far beyond the US notion of PII.

That's a good thing. The US notion of PII is ridiculously naive.


It includes IP address... the fundamental glue that makes routing to and from said servers possible. Good luck being able to resolve web requests without knowing where to send the response.


IP address is both personally-identifying information and also technically required to provide computational service.

Just like your name is personally-identifying information and (usually) required to provide medical service.

But being required for service doesn't automatically mean that it can be shared with third parties. You can't share names with third parties. Why would you share IP addresses?


A name is not a requirement to render medical service, so I don't see how that example is relevant. A practitioner is capable of treating patients without knowing their name. Laws may compel them to keep track of that data, but it's not strictly necessary.

And the act of connecting to a server hosted in another jurisdiction (e.g. America) would require sharing your IP. This could be directly (the entire web service hosted in the USA), or indirectly (some of the web service's assets are hosted in the USA).

If you put a CDN in front of your web service, then that CDN will most likely be sharing your IP with the host server too. Especially if the web service wants to do something non-cacheable that they can't offer from behind the CDN.
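As an added illustration of the point made in the comment above (this is example code, not something from the thread), the snippet below shows what an origin server behind a CDN actually receives: the CDN's own address as the TCP peer plus the visitor's address in the conventional `X-Forwarded-For` header. It then shows two data-minimisation options an operator can apply before the IP reaches logs or third parties. The header names are the common convention; the IP values, the trusted-proxy range and the HMAC key are constructed for the example.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample: what an origin behind a CDN might see. The TCP peer is
# the CDN edge (198.51.100.7); the visitor's address arrives only in the header.
SAMPLE_HEADERS = {
    "X-Forwarded-For": "203.0.113.42, 198.51.100.7",
    "Host": "example.invalid",
}
SAMPLE_PEER_IP = "198.51.100.7"

# Constructed: the address range we treat as "our CDN". Anything else is untrusted,
# and its X-Forwarded-For header is ignored (it is trivially spoofable otherwise).
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed secret for pseudonymisation; in practice load from a secret store.
LOG_KEY = b"example-only-rotate-me"


def _is_trusted(addr, proxies):
    return any(addr in net for net in proxies)


def client_ip_from_headers(headers, peer_ip, trusted_proxies=TRUSTED_PROXIES):
    """Return the visitor IP the origin ends up holding.

    If the TCP peer is a trusted proxy, walk X-Forwarded-For from the right
    (closest hop) and return the first entry that is not one of our proxies.
    If the peer is not trusted, the header cannot be relied on and the peer
    address itself is the client.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted(peer, trusted_proxies):
        return str(peer)
    xff = headers.get("X-Forwarded-For", "")
    chain = [hop.strip() for hop in xff.split(",") if hop.strip()]
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            continue  # malformed entry, skip it
        if not _is_trusted(addr, trusted_proxies):
            return str(addr)
    return str(peer)


def truncate_ip(ip):
    """Minimise: keep only the /24 (IPv4) or /48 (IPv6) prefix before logging."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def pseudonymise_ip(ip, key=LOG_KEY):
    """Keyed hash: lets one log correlate a visitor's requests without storing the IP.

    A plain (unkeyed) hash would not help, since the IPv4 space is small enough
    to enumerate; the key is what makes the mapping non-reversible to outsiders.
    """
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


if __name__ == "__main__":
    visitor = client_ip_from_headers(SAMPLE_HEADERS, SAMPLE_PEER_IP)
    print("origin sees visitor IP:", visitor)
    print("truncated for logs:    ", truncate_ip(visitor))
    print("pseudonymised for logs:", pseudonymise_ip(visitor))
```

The first function is the part that confirms the comment: as long as the CDN forwards the header (and it has to, for rate limiting, geo rules or any non-cacheable per-visitor logic), the origin holds the full visitor IP. The other two functions are what an operator can do about it at the origin; they do not change what the CDN itself has already seen.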


There are many (!) types of medical treatments. Some require multiple visits. A medical practitioner needs some way to ensure that progress is maintained across multiple visits.

The internet has multiple visits too. They're just called packets instead.



