by lukejduncan 2163 days ago
Dumb question: can someone explain to me the implications on startups and side projects? Does data mean, any data? If I’m reading that correctly it’s illegal to allow EU users to use any website with a DB that isn’t hosted in the EU. That can’t be correct, can it?
3 comments

EU residents enjoy a right to data protection.

US residents do not.

EU allows export of their residents' personal data to the US under different sets of rules or methods, one of which is (was?) Privacy Shield. Another is Contractual Clauses. The crucial fact for Privacy Shield is it was supposed to provide "equivalent" protections (ie protection for EU data hosted in the US equivalent to that data being entirely in the EU). It did not.

My take is that Privacy Shield was a sop to the fact that the US never had anything like equivalent privacy laws, but we are (were?) too big a trading partner to apply the law to. This realpolitik appears now to be in question.

So yes, one of the ways to legally allow a US-based company to process EU resident data has now been removed.

It's never illegal for the user to create an account. It can be for the company.

As a heuristic: a website such as HN that is available in the EU but doesn't specifically target EU "customers", and that isn't itself or via some subsidiary registered within the EU is perfectly fine.

I believe the same is also true if you allow EU customers to buy in your online store as long as it's implemented as just a "country" form field and, again, you are not registered in the EU/have no distribution warehouse there, and so on.

I've seen the New York Times being cited as a sort of goalpost of what's still ok: even though they have journalists in Europe, they have no sales presence, and are clearly aimed at the US market.

No idea about Amazon, though.

It's personal data. Which is defined in the GDPR as:

any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

I’m sure the true answer is ambiguous, but “personal data” by that definition seems to imply almost any form of account creation. For sure, that seems to imply you can’t use email addresses as identifiers. Maybe it implies that so long as the data isn’t de facto joinable with side data (phone numbers, email addresses) it may be ok.