A US company can declare themselves whatever they want, that doesn't make it legal in the EU. They don't get in trouble for saying this; EU companies are the ones that get in trouble when they believe the link you have provided.
> Mailchimp may in principle be subject to data access by US intelligence services on the basis of the US legal provision FISA702 (50 U.S.C. § 1881)
It might not be just a matter of where the data is stored, but also who can get access to it. From my reading, any US based company would be affected.
This feels like a super huge impact that would have made more waves, but the ruling also seems recent. And perhaps there will be more twists and turns yet?
As described in the Wikipedia article, the contract has been thrown out by the European Court of Justice for exactly the reasons stated by the parent comment.
> [Standard contractual clauses] do not necessarily protect data in countries where the law is fundamentally incompatible with the Charter of Fundamental Rights of the EU and the GDPR, like the US.
They would need to have an independent legal entity in the EU on top of hosting data in the EU, perhaps only owning shares in that entity. The construct would need to be set up in a way that three letter agencies in the US (and courts) would have no way of forcing the US company to hand over data - not sure this is possible, IANAL.
Wait, is that really the standard? Wouldn't that imply that virtually any service doing business with EU customers would need to be either a multinational business or based in the EU? And just buying server hosting in the EU won't actually change that much about data access; if I'm a purely American business and I buy hosting in the EU, I think I'm still subject to US data requests. None of that goes away as far as I know, so I don't see how a hosting restriction would even help unless I literally move my business to the EU.
I thought that I understood GDPR at least reasonably well: be specific about what data you collect, don't collect unneeded data, allow deletion of data, and a couple other minor caveats. But if I sell software in multiple countries, and part of my account process is collecting an email address or other PII, is that not GDPR compliant unless I set up offices in the EU?
That can't possibly be what the law actually says; nobody except the biggest US companies would be able to do any business online with EU customers if that was the case. What am I missing?
It's most specific to the US because of CLOUD ACT and FISA courts. It would be the same for countries that have a similar structure in place.
If you're a US company you would at least need to set up an independent EU subsidiary that you do not directly operationally control (perhaps owning shares works).
So what are the full implications of that? I hate FISA too, but most non-EU countries have FISA-like structures in place as far as I know.
Sublime Text 4 just came out. That's based in Australia, where courts have similar data access, including the ability to require companies to circumvent encryption. Part of the purchasing process requires providing an email and other billing information.
Is it legal to sell Sublime Text 4 to a European? If Sublime Text was based in the US, would it be legal to sell it to a European citizen? What you're implying is that the EU can't legally have access to the majority of US-based Internet services, and that just seems so extreme that I feel like I wouldn't be hearing about it on Hackernews if that was the case.
But I don't know, I can't really confidently say you're wrong. Maybe it's just been under-covered, or I'm just not paying attention to the right news sources. At the very least, this can't apply to business-necessary information, right? Otherwise, it seems like you're saying that EU data in general can't be legally exported from the EU to most of the world, which seems like it would be a massive problem for the majority of the software industry.
There are a lot of software services based in countries with intrusive government data access: Fastmail (Australia), DuckDuckGo (US), Github (US), Itch.io (US). You're claiming EU residents don't legally have access to them? Again, I don't have any basis to argue that you're wrong, it's just... why wouldn't that be covered on basically every single tech blog if that was the case?
If the EU customer is a company and not a private citizen and if it does involve storing personal information of the EU customer's customers.
"What you're implying is that the EU can't legally have access to the majority of US-based Internet services"
No. You as an EU company can't transfer customer data to or redirect customers to US companies in a legal way.
"Otherwise, it seems like you're saying that EU data in general can't be legally exported from the EU to most of the world"
It depends on who does the "exporting" and what the "exporting" includes. But in general yes, it can't if the citizen whose data is exported can't be guaranteed to have the same rights as with the data in the EU.
That is the core of it: Facebook can't offer a website in the US that is open to the EU and take information on the website, "exporting" the data by HTTP POST requests to its servers in the US (which they don't because Ireland, but in general yes).
There is much more to it, like "Can I store customer data in Google for Business spreadsheets?"
You're probably fine with Gmail because people know that this is a US company and sending an email to a US company is something an EU citizen might want to do. It's not as clear with Fastmail. It's not clear at all if you use custom domains with both. If you use a custom domain, where the customer can't see that it's outside the EU, do you export email addresses outside of the EU e.g. to Australia? But data protection agencies in the EU will take some more time to arrive at all these finer nuances. For now they are focused on Facebook and Google, and in 2021 went one level deeper with acknowledging that it's illegal to use Mailchimp in the EU (currently; I assume Mailchimp will create an EU legal entity and host EU data in the EU in the future when pressure rises).
For large enterprises that have subsidiaries in the EU it's already illegal to transfer EU employee data to the US for processing.
"You're claiming EU residents don't legally have access to them?"
As an EU citizen you can do whatever you want with your data, so "EU residents don't legally have access to them?" is misleading, because it would not be illegal for the citizen but - if - for the company.
The company has a problem if it can't prevent three letter agencies from accessing the data. If you have no assets in the EU and do not plan on visiting the EU there is probably not much to fear though. I think it might be legal - not sure, I've read something about it - to process data e.g. as a hotel for EU tourists, if you delete the data afterwards. Yes, the GDPR is broad.
"But if I sell software in multiple countries, and part of my account process is collecting an email address or other PII, is that not GDPR compliant unless I set up offices in the EU?"
If you sell drugs to the US you're in trouble, even if it is legal to sell drugs in the country you live in.
You as a US company probably can sell to EU citizens but IANAL. The bigger problem for the EU if you sell to EU citizens from the US is VAT. If you send physical goods then your customer needs to pay VAT at customs - as many people in the EU found out after Brexit; if you send digital goods then the customer usually doesn't pay VAT. This is what agonizes the EU more than the GDPR and is the basis for France to charge digital taxes to US companies.
"I wouldn't be hearing about it on Hackernews if that was the case."
Well, I've lost 100+ karma for pointing out in the last years that it is illegal for EU companies to use Mailchimp. Today is the first discussion where people agree - still I lost 10 karma.
> So the problem is that an US company cannot be GDPR compliant, because that conflicts with US law.
This is completely not true. First, most US companies are GDPR-compliant because they don't gather, store and process personal data of EU citizens. Now, those that do - mainly Internet companies - need to abide by the terms of the GDPR (or not serve EU customers, which for some is the easiest way - like New York Daily News). If you decide to store personal data of EU citizens, you need to do it using servers located in the EU, which, depending on the nature of your business, might or might not be easy, but companies had several years to prepare for that. There is no conflict with US law anywhere.
Personally I was in a similar position and instead of choosing Mailchimp I chose Mailerlite, which is Europe-based and, being less popular than Mailchimp, (much) less expensive for the customers I have (with mailing lists in the range of 5k-50k contacts). It has its quirks but it works and I don't have many reasons to complain.