
> even sending an IP address (as required by any TCP/IP request) to a US-located or US-controlled server is illegal

Nope. Having the IP for making a TCP/IP connection is a technical requirement, one of the exceptions of GDPR (this also applies for logging, etc., as long as you don't keep it forever, etc.).

Let's not make up requirements where they don't exist.



That is not true. IP addresses are explicitly stated as personal data. That they are a technical requirement for a connection only has repercussions on how you are allowed to store and process this data and the consent you need to get from the user for your data processing.

You are not allowed to send IP addresses (even if they are a technical requirement for connection set up) to companies under US government control before you get full consent from the EU user.

The "technical requirement" exception (to process data without consent) only applies to GDPR-compliant data processors, which US companies can't be because of the Cloud Act.

https://ec.europa.eu/info/law/law-topic/data-protection/refo...


There is a huge difference between using your IP address in the course of the technical implementation of the IP protocol and the subsequent logging and re-transmission of that address to others; effectively, you are agreeing with the GP while starting your comment with 'that is not true'. It is true. And you confirmed it.


From what I understand, the legal exception to process personal data without consent is written down in Article 6 https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL... (paragraph b):

"(1) Processing shall be lawful only if and to the extent that at least one of the following applies: (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;"

This is OK for GDPR-compliant data processors. The reason why US companies can't be GDPR-compliant is because of Article 5 and the conflict with the Cloud Act: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL... (paragraph f):

"(1) Personal data shall be: (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)."

See also Schrems II: https://en.wikipedia.org/wiki/Max_Schrems#Schrems_II

It doesn't even matter if you asked for consent or have other reasons to process the data (Article 6) if you are not complying with Article 5.


Since there is no way to give your consent without accessing the server, this argument is moot.


