
The businesses who care about taking money from Europeans care. I worked at an American healthtech company and we weren’t GDPR-compliant because 1) we weren’t targeting Europeans, and 2) GDPR and HIPAA are incompatible so we picked the relevant one.

Since my server doesn’t do business in EU, I couldn’t care less about GDPR or other local laws, even the ones I think are good ideas.

American law doesn’t apply to someone running a server in Brussels. The converse is also true.




> American law doesn’t apply to someone running a server in Brussels.

Except when the one running and renting out the server is Microsoft, Amazon, or some other US entity and the Patriot Act exists.


True, regrettable, and irrelevant. Host it in a local data center and it's out of America's control.

I’d have a different opinion about my service if I were hosting my server on Hetzner in Helsinki. Since I’m not, I don’t.


Sorry, but haven't you noticed how many companies and public bodies in Europe are using Azure, AWS and GCP?

I'd say that is very relevant.

The Patriot Act is the foremost frontier in the ongoing dispute about the so-called Privacy Shield.


> GDPR and HIPAA are incompatible so we picked the relevant one.

The GDPR explicitly permits "processing [as] necessary for compliance with a legal obligation to which the controller is subject" in Article 6.


Which rules it out almost entirely for HIPAA covered entities. Quick example: right to be forgotten vs record retention laws. A European who receives healthcare in the US can’t demand that the provider delete their medical record afterward because HIPAA says they must retain it.


> Quick example: right to be forgotten vs record retention laws.

Record retention laws win, as explicitly stated in the GDPR.

Same reason a murderer can't (successfully) issue a right-to-be-forgotten request to the cops investigating them.

(There's also "processing is necessary for the purposes of the legitimate interests pursued by the controller" as another exception, which allows, for example, your bank to retain the fact that you owe them $100k on your house still, even if you don't want them to.)


Record retention laws are not the only exception. E.g. you can exercise your Hausverbot right only if the person you refuse to serve cannot demand that you forget them. This position has already been confirmed by a German regulator at least once.


And they couldn't demand that the provider deletes it in EU either, because maintaining medical records is a legal requirement, which overrides the right to be forgotten.

But it does require you to document that requirement and make sure that the data isn't shared beyond that requirement without consent.

HIPAA and GDPR aren't conflicting, they're orthogonal and cover different things.


It doesn't prevent a HIPAA covered entity from needing to delete marketing data that they've collected about you.

Right to be forgotten still applies, there is just some limited data that will still be kept.


The right to be forgotten has an explicit exception for circumstances where there's a legal obligation on retention, although it does reference Union and Member State law and not other international entities. https://gdpr-info.eu/art-17-gdpr/


A European who receives healthcare in the EU can't demand that the provider delete their medical record if the provider has a legally allowed reason to keep the record.

This is a fundamental aspect of the GDPR and part of the central message of the regulation. Companies and organizations are only allowed to keep personal information if they have a legally allowed reason to do so, and must honor requests for deletion unless they have a legal reason not to.

What is and what isn't a legitimate reason depends on the circumstances. What companies generally object to in the GDPR is that generating revenue through personalized advertising is not a legitimate reason to keep personal data.


> GDPR and HIPAA are incompatible

Out of curiosity, could you give a few examples of incompatibilities?

