by Rebelgecko 1423 days ago
Wouldn't Amazon still have access to metadata, e.g. connection info, IP addresses, etc?

Yes, that's absolutely right, and in fact I don't really know how the GDPR applies to that; it's an interesting question to ask.
IP addresses (for connection setup) are personal data: https://ec.europa.eu/info/law/law-topic/data-protection/refo...

You can process IP addresses without consent only if it is technically necessary: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL... (paragraph b)

But you always (!) need consent to transfer personal data to a non-GDPR-compliant entity: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL... (paragraph f)

To add: The reason why US companies can't be GDPR compliant is because of Article 5 and the conflict with the Cloud Act: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL... (paragraph f)

"(1) Personal data shall be: (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)."

See also Schrems II: https://en.wikipedia.org/wiki/Max_Schrems#Schrems_II

Thanks, I'll scale this up to our compliance department; I'm curious about their answer now.

That last bit seems incompatible with how TCP/IP works? Unless opening a connection is considered consent?
No, opening a connection and exchanging IPs falls under "technically necessary" processing of personal data.

But from a legal point of view we, as a European company, are forbidden to use any US infrastructure provider. We can't ask for consent to transfer data to a US-based entity if our consent form itself is already hosted by a US-based entity. And even if we did find a solution, like hosting the main infrastructure with a European company and asking for consent for some later data transfer, we are most likely forbidden to transfer data to US-based entities at all.

From what my lawyer told me the ruling from https://noyb.eu/en/austrian-dsb-eu-us-data-transfers-google-... applies to all services from AWS, Google Cloud, ...

There will be many rulings that follow. Everybody is just waiting for the Irish Data Protection Commission to actually do its work, but the Irish DPC does not seem to be much in favor of data protection: https://noyb.eu/en/irish-dpc-handles-9993-gdpr-complaints-wi... & https://bigbrotherawards.de/en/2022/lifetime-achievement-iri...

This will change soon. From what I heard, work is underway to let national data protection offices handle cases without the Irish DPC or to force the Irish DPC to work.