
Practically speaking, I don't think that's true. Many EU companies use Microsoft's cloud offerings.


If PII transfer to MS servers is part of that, there are certain situations and necessary steps to take to make that not a violation. Moving from one provider to the other cannot be done legally without properly informing the individuals involved and (depending on the nature of the data and its purpose and use) getting the right explicit consent.

Taking an extract including PII (names, usernames, IP addresses, or email addresses for example) from your customer prod db and dumping it in a csv in a private repo on GH is most likely a violation unless you have prior explicit consent for that very purpose and use.

This is true even if it's "pseudo-anonymized" in a way that the original PII can be deduced by combination with other datasets.

Finally, I wouldn't be surprised if many of those companies are operating illegally. Drinking and driving doesn't become legal just because a threshold of people start doing it. There is a lot of ignorance (willful or not) among EU businesses even today.


I thought you needed consent for usage, not for technical details? As in "we use your purchase history to generate recommendations", not "we store your purchase history on these systems and run these algorithms on it". Are you arguing that if my colo provider burned down I'd need to get explicit informed consent from every user before restoring a db backup somewhere else?


> Are you arguing that if my colo provider burned down I'd need to get explicit informed consent from every user before restoring a db backup somewhere else?

AIUI, it could swing either way depending on several factors, such as: the format and usage of the data; how and where the data is transferred, processed, stored and exposed; what access and role the colo provider has (are you purely renting a dedicated server in a DC with FDE that you unlock remotely with an HSM or is the data processed by one of their managed services?); how the consent you already acquired was formulated.

If the colo provider has an outsourced support engineer in Asia looking at logs/coredump or temporarily transferring a backup where the PII appears, that would constitute a transfer, for example, and full compliance needs to be guaranteed throughout.

It's years since I considered myself to have a clear and deep understanding of it and it's gotten a bit fuzzy since, so someone else might chime in with a more clear answer.



