by messutied 1313 days ago
Is it not even ok to store this data if the company is clear about the fact that they are hosting the data on servers of a US company like AWS?

Like making it clear in the DPA/PP?


It's not about saying where the data is / warning your customer, it's about protecting the data.

You need to protect it under EU court / jurisdiction, and the US broke that and said they have jurisdiction over any piece of data your company ever touches.

That's why the US now wants some sort of privacy shield 2.

As an actual solution you can use: find another company, an EU company, one that you don't own, to handle your PII data for you, so you never store that data yourself.

Also, be sure to read in the GDPR exactly what is and isn't PII under it; a lot of companies can work just fine without much or any PII, and a lot of people think "any" data is PII.

We definitely store PII as we have to store users' emails and even phone numbers.

So we basically need to migrate to an EU-based cloud provider ASAP?

Would this privacy shield 2 fix this problem? I suppose we can’t just wait for that.

> So we basically need to migrate to an EU-based cloud provider ASAP?

Sadly no, because you still own the data, which is the criterion the US has decided on.

> Would this privacy shield 2 fix this problem?

No idea, since at this point it's merely a name for a vague demand being made by the US.

I'm sorry for the trouble this whole situation causes to your company, though to be honest, as you can imagine, I am very glad that my representative in the EU didn't back down and protected my rights.

> to be honest, as you can imagine, I am very glad that my representative in the EU didn't back down and protected my rights.

I'm the asker of the question that started this discussion. I'm a US citizen.

I'm actually on the side of the EU here. There need to be privacy protections for consumers. Even though the requirement for a rep in the EU is impossible for me to fulfill, I admire the fact that they prioritized native EU companies over foreign ones, because that is what's best for the EU inside the EU.

I'm mad at the US government for the CLOUD Act, which is egregious and doesn't serve the interests of the US; it only serves the interests of the US government.

Actually, maybe it wasn't clear because of the parent comment I commented in, but we are an EU company; for our server hosting, though, we use a US provider.

Do you know if that makes any difference?

As an EU resident myself I completely understand; it just is a bit tough to make the changes as a small company, but if it's legally required we'll make them ASAP.

Oh yes, then you are fine if you migrate to an EU provider, as long as you respect the general provisions of the GDPR (inform the user, allow access to and deletion of PII, don't share it outside the EU, etc.)! Sorry, I assumed you were a US citizen with a US company.

To ensure you don't have problems down the line, make sure they themselves store their data in the EU (for example, French OVH allows you to choose where your data is stored; their French datacenters are fine, but I would not go with their Canadian datacenters).

Allow me to remind you that it's not just the hosting but anything that touches that data; e.g. analytics and error reporting services are concerned too.

Thanks a lot, this is super helpful, much appreciated.

I was just thinking about the other services; for example, would Cloudflare be ok? We proxy all our traffic through them, and they are key for DDoS prevention. I suppose data goes encrypted to them.

I cannot answer your subcomment; I believe the thread might be too deep?

Anyway, sadly no, Cloudflare isn't ok; it's specifically one of the three providers that got Shopify convicted in the parent article (the other two being CloudFront and Fastly).

Oh boy, CF is a difficult one to replace :/ Will have to start looking for EU alternatives.