Storing European User Data on USA Servers Apparently not allowed anymore


I have a WordPress blog hosted on my own VPS (soon will have comments powered by a discourse forum) and am subscribed to a WordPress Security newsletter from WordFence.
Today I saw this post: "Storing European User Data on USA Servers? Better read this…"
The article seems to say that storing any visitor information from European Users on a USA Server violates the EU Law because of a US-EU Safe Harbor Agreement that was recently invalidated.
I’m wondering how this news could affect Discourse. It seems like something fairly hard to comply with, as you may not know where users are located, so if they are in Europe, how would someone handle this with a server located in the USA?

(Matt Palmer) #2

As with most things legal (and even more so for “international legal”), the situation is… messy. If you are an EU citizen or company, failing to comply with EU law is going to end very badly. If you’re outside the EU, it’s less clear as to whether EU law meaningfully applies to you; however, the more substantive operations you have within the EU, the more at risk you are. The DoJ vs Microsoft case (regarding the subpoena of records stored within the EU, under the control of a US company) just muddies the waters even more.

At the moment, I don’t think anyone can give any sort of reasonable recommendations. If you’re at all worried, you’d be best served by engaging an attorney in your jurisdiction who is familiar with this area of international law, and taking their advice as to what to do (advice which will, undoubtedly, change, as the ramifications of this decision and its followups are fully realised). Any advice you receive here is likely to be either wrong, incomplete, or not pertinent to your jurisdiction or circumstances, and hence ranging from irrelevant to dangerous.


It appears you are correct.
I was also wondering though if there were any software-related things that Discourse could do when installed on a US server, such as asking the user if they live in the EU when they sign up and either storing their data on another server or telling them they can’t use the site for legal reasons (I know these are impractical ideas for many reasons; they were just some ideas I thought of and not something I would want).

(Matt Palmer) #4

None of those things would necessarily be useful, and without the advice of a competent lawyer licenced to practice in a relevant jurisdiction, there wouldn’t be any point in doing it. Transmission of data through a US-based machine can fall under the realm of EU privacy protection, and telling someone they can’t use your service because they’re in the EU may not be considered sufficient to protect you from legal proceedings in the event that someone decides to get litigious.

(omfg) #5

Yes, that’s quite interesting.
For at least some US businesses it will make sense to terminate EU presence and continue serving EU users from the US, assuming they get assurances they can be safe from the EU harassment that way.

(Joe Seyfried) #6

My bad, that’s the worst nightmare you can infer from that court ruling. There’s a good Ars Technica article on this thing if you’re interested in some of the backgrounds here. First, no new laws have been passed. A transatlantic agreement has been ruled to be illegal in the EU, yes.

The primary implications are political ones: the Safe Harbour agreement needs to be re-negotiated. The main problem is a transatlantic one: EU politicians and citizens aren’t that fond of the idea that the NSA has free and unlimited access to all their data stored in the US (or, even worse: stored anywhere, as long as the data is stored by a US-based company) - and this access is immune to all standard legal actions you can take.

So, this might seem logical from a US point of view:

…but in the longer run, the EU and US will have to figure this out somehow.

To advocate any actions right now is just fear-mongering - especially trying to set up more geo-fences (which we already have enough of - not being able to watch movies from service providers on the Internet in another country just doesn’t make any sense at all, either…).

Big players like Amazon with their attempts using model clauses are trying to take evasive actions before anyone can sue them - but if you take a look at the underlying problem, that’s completely pointless: a US company can be forced to hand over data to the NSA, no matter which contracts they have with other parties (I know: GCHQ and the UK are quite a similar thing over here…).

So let’s just wait and see what happens…