[sophrocyne]

Aside from the difficulties in operating effectively without passing any PII (which includes identifiers) across international/org lines, the reality is that recent EU regulatory action has come down not on where the data is stored, but whether the parent company is in the US.

The reality that the EU government has recognized is that a FISA order of the parent company could compel a US organization to pull data from the EU servers to provide to the US government; and it’s a valid critique.

[barbazoo]

> passing any PII (which includes identifiers) across international/org lines

My understanding was that it's not about that.

> the reality is that recent EU regulatory action has come down not on where the data is stored, but whether the parent company is in the US

Interesting, do you have any source on this particular aspect? I haven't heard this before.

[ascar]

Search for Schrems here on HN. There were a couple of articles recently that in effect have this implication. I was surprised too.

[barbazoo]

Thanks, will do!

[number6]

The cloud act allows US agencies to gain access to all data a US Company has access to regardless the physical location. This in turn means that a EU Company can't guarantee that the data isn't transferred out of the EU. To transfer data out of the EU one either needs a legal framework or consent. Consent has to be given in an informed manner, but since the company does not know for what reasons an US agencie can access the data they can not inform the person correctly under gdpr. A legal framework has to comply with the EU Charta. Indiscriminate access to information is not in compliance with the EU Charta so a framework cannot exist.

It's a legal deadlock.

[philistine]

Which the EU will solve by forcing companies to erect a legal firewall; otherwise they would define their laws as being underneath American laws with anything related to a US company operating in Europe.

[radicalbyte]

And hashes - legally a hash of PII is PII. The definition is literally:

IF [thing] be used to identify [person] from any arbitrary set of [persons] THEN [thing] is PII.