[lmkg]

What makes it illegal is that the visitor data is available to US law enforcement without any safeguards.

The scenario that you posit, the most troublesome part is AWS because Amazon is also subject to US law enforcement. It depends on a few specifics, most significantly 1) does the user connect directly to an AWS service, exposing their IP address? 2) does AWS manage the keys to your database?

If you were to instead self-host your DB or use an EU-located hosting provider, then the problems would not apply. You still have some homework to achieve GDPR compliance, but the tools don't require obtuse work-arounds.

[ec109685]

If you are a US based company how could it ever be possible to operate since you will be collecting data like IPs and therefor have a way to get access to it?

[robin_reala]

Have a holding company outside US jurisdiction that owns both a US subsidiary and an EU subsidiary, then make sure the US subsidiary never gets EU users’ data.

Or lobby to rescind the CLOUD act.

[anonymousab]

The CLOUD act is not the only problem. FISA itself would also need to change.

There is essentially a level of control over its citizens that the US government would need to cede to ever become compliant, but that it certainly never would.

[robin_reala]

That’s fine then. They’ll just have to deal with the consequences of chunks of the world with better privacy legislation cleaving away from the US, with the consequent loss of business. And, presumably, data, unless they want to go on a hacking spree.

[closewith]

Even that is not enough, as the US reserves the right to extraterritorial personal jurisdiction over companies on a case-by-case basis, depending on the nature of the company's dealings with the US and business interests in the US.

[robin_reala]

Yeah, you’d definitely have to be willing to close the US subsidiary in that situation.

This is similar to the FATCA situation, where it’s extremely difficult for US citizens to get bank accounts in Europe.

(Edit: if you’re not aware: FATCA is a US law that forces non-US banks to provide info about US citizens banking with them on request to US authorities. The threat is the removal of US banking licenses for any subsidiaries of the bank’s owners. Rather than providing info to the US, most banks are taking the safer route of asking if a person is a US citizen up front, and refusing to open an account if they say yes.)

[pelorat]

But why do you collect IP addresses, what's the point in doing so. Your services can most likely be configured to not log IP addresses, so simply turn it off?