by floatingatoll 1638 days ago
(Apologies, a medical event delayed my reply by a week. I appreciate the time you spent replying, and I’ll try to keep it brief.)

I think this only impacts EU providers who sublicense to US providers, if/when they record any ephemeral data collected prior to the user consenting.

So an EU business logging the IP addresses of visitors might be not-okay until they consent, though GDPR has some flexibility around “IPs power the Internet”, so long as you don’t try to convert them into personal identifiers.

That applies whether US or EU providers are involved, but as the courts point out, any non-ephemeral data within US territory or corporate boundaries is an automatic GDPR violation for an EU company.

So, in the gopher example, as a US provider you can do whatever you want, and as long as you’re approximately complying with CCPA, you’ve got GDPR in the bag as well, especially if you just offer the same rights to all users (to not be tracked by default).

But as an EU provider, if you host your Gopher server in the US, you may well be violating GDPR as a citizen of a signatory country, since a U.S. provider can’t honor the choice to not record ephemeral data, and therefore compliance is impossible even if the provider currently honors it.

This means that AWS is probably not a legal provider for GDPR purposes, since they can be compelled to ignore GDPR, unless the US signs a new treaty. And that’s the terrifying reality of that safe harbor agreement expiring that may result in Amazon having to restructure itself to avoid losing the market; the US entity would have to become a subsidiary of a parent in a treaty-signed country.