[danShumway]

Wait, is that really the standard? Wouldn't that imply that virtually any service doing business with EU customers would need to be either a multinational business or based in the EU? And just buying server hosting in the EU won't actually change that much about data access; if I'm a purely American business and I buy hosting in the EU, I think I'm still subject to US data requests. None of that goes away as far as I know, so I don't see how a hosting restriction would even help unless I literally move my business to the EU.

I thought that I understood GDPR at least reasonably well: be specific about what data you collect, don't collect unneeded data, allow deletion of data, and a couple other minor caveats. But if I sell software in multiple countries, and part of my account process is collecting an email address or other PII, is that not GDPR compliant unless I set up offices in the EU?

That can't possibly be what the law actually says; nobody except the biggest US companies would be able to do any business online with EU customers if that was the case. What am I missing?

[KingOfCoders]

It's most specific to the US because of CLOUD ACT and FISA courts. It would be the same for countries that have a similar structure in place.

If you're an US company you would at least need to setup a independent EU subsidiary that you do not directly operationally control (perhaps owning shares works).

[danShumway]

So what are the full implications of that? I hate FISA too, but most non-EU countries have FISA-like structures in place as far as I know.

Sublime Text 4 just came out. That's based in Australia, where courts have similar data access, including the ability to require companies to circumvent encryption. Part of the purchasing process requires providing an email and other billing information.

Is it legal to sell Sublime Text 4 to a European? If Sublime Text was based in the US, would it be legal to sell it to a European citizen? What you're implying is that the EU can't legally have access to the majority of US-based Internet services, and that just seems so extreme that I feel like I wouldn't be hearing about it on Hackernews if that was the case.

But I don't know, I can't really confidently say you're wrong. Maybe it's just been under-covered, or I'm just not paying attention to the right news sources. At the very least, this can't apply to business-necessary information, right? Otherwise, it seems like you're saying that EU data in general can't be legally exported from the EU to most of the world, which seems like it would be a massive problem for the majority of the software industry.

There are a lot of software services based in countries with intrusive government data access: Fastmail (Australia), DuckDuckGo (US), Github (US), Itch.io (US). You're claiming EU residents don't legally have access to them? Again, I don't have any basis to argue that you're wrong, it's just... why wouldn't that be covered on basically every single tech blog if that was the case?

[KingOfCoders]

"service doing business with EU customers "

If the EU customer is a company and not a private citizen and if it does involve storing personal information of the EU customer customers.

"What you're implying is that the EU can't legally have access to the majority of US-based Internet services"

No. You as an EU company can't transfer customer data to or redirect customers to US companies in a legal way.

"Otherwise, it seems like you're saying that EU data in general can't be legally exported from the EU to most of the world"

It depends on who does the "exporting" and what the "exporting" includes. But in general yes, it can't if the citizen whos data is exported can't be guaranteed to have the same rights as with the data in the EU. That is the core of it, Facebook can't offer a website in the US that is open to the EU and take information on the website "exporting" the data by POST HTTP requests to it's servers in the US (which they don't because Ireland, but in general yes).

There is much more to it, like "Can I store customer data in Google for Business spreadsheets?"

You're probably fine with Gmail because people know that this is an US company and sending an email to an US company is something a EU citizen might want to do. It's not as clear with Fastmail. It's not clear at all if you use custom domains with both. If you use a custom domain, where the customer can't see that it's outside the EU, do you export email addresses outside of the EU e.g. to Australia? But data protection agencies in the EU will take some more time to arrive at all these finer nuances. For now they are focused on Facebook and Google, and in 2021 went one level deeper with acknowledging that it's illegal to use Mailchimp in the EU (currently, I assume Mailchimp will create an EU legal entity and host EU data in the EU in the future when pressure rises).

For large enterprise that have subsidiaries in the EU it's already illegal to transfer EU employee data to the US for processing.

"You're claiming EU residents don't legally have access to them?"

As an EU citizen you can do whatever you want with your data, so "EU residents don't legally have access to them?" is misleading, because it would not be illegal for the citizen but - if - for the company. The company has a problem if it can't prevent three letter agencies from accessing the data. If you have no assets in the EU and do not plan on visiting the EU there is not much to fear though probably. I think it might be legal - not sure I've read something about it - to process data e.g. as a hotel for EU tourists, if you delete the data afterwards. Yes the GDPR is broad.

"But if I sell software in multiple countries, and part of my account process is collecting an email address or other PII, is that not GDPR compliant unless I set up offices in the EU?"

If you sell drugs to the US you're in trouble, even if it is legal to sell drugs in the country you live in.

You as a US company probably can sell to EU citizens but IANAL. The bigger problem for the EU if you sell to EU citizens from the US is VAT. If you send physical goods then your customer needs to pay VAT at customs - as many people in the EU found out after Brexit, if you send digital goods then the customer usually doesn't pay VAT. This is what agonizes the EU more than the GDPR and is the base for France to charge digital taxes to US companies.

"I wouldn't be hearing about it on Hackernews if that was the case."

Well I've lost 100+ karma for pointing out in the last years that it is illegal for EU companies to use Mailchimp. Today is the first discussion where people agree - still I lost 10 karma.

[danShumway]

> if you send digital goods then the customer usually doesn't pay VAT.

VAT might be annoying in the sense that it forces me to ask for an address if I'm selling software to someone who lives in the EU, but that's basically fine. I can do that as a US company, and I can pay higher taxes, that's not a problem.

But if I'm building a software company, I don't have the resources to set up a foreign company to handle everyone in the EU who wants to buy a copy of my software. In practice, that requirement would mean that most single-person software teams outside of a few allowed countries can't sell to the EU.

Eventually you just get a lawyer to answer questions like these, but it does kind of sound like if I'm understanding you correctly, I should just be excluding any EU residents from buying anything I make regardless of the privacy policy, unless I have a zero-knowledge product. Which... being zero-knowledge is tricky because VAT exists, and I don't think I can not collect EU resident billing addresses and still pay taxes in an auditable form.

Maybe that's fine though, maybe that just means in practice you have to contract billing to a company that has an EU office, and then the problem is gone.

I should have phrased this differently, I know that GDPR doesn't constrain what EU residents do. But in practice it doesn't really matter to me if it's legal for them, it matters to me if it's legal for me. I don't know, apparently I need to do more research on this.

Interesting though, I appreciate you taking the time to elaborate.