I don't even want your data. I use no Google Analytics, don't collect anything not required for operation of the services, and also don't sell the non-existent data to anyone.
But the thing is these laws keep escalating. Now it's apparently illegal for EU companies to use any American services _at all_ because your IP must be protected? Even though that's required for basic operation of any web based service? Even though there is little to nothing dangerous the other side can actually do with this information?
For example, Cloudflare services are absolutely essential for cost-effective delivery of content. As far as I'm aware, there are no EU based competitors with pricing in the same order of magnitude. It'd make my company non-viable if I couldn't use it.
It's more subtle than that. There are six possible bases for processing personal data, one of which is:
> processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
So you can use the IP address to serve a webpage, operate a proxy, etc. You just can't use the IP address for any other purpose unless there's a lawful basis for it (i.e., you can't send it to Google Analytics without first getting user consent).
It does force a change in mindset, but it's not the burden you might think.
Ironically, the legislative problem we're facing now is not the GDPR, it's the US CLOUD Act, which allows the US Government to be able to force US-controlled companies to transfer data from anywhere in the world.
This applies to you processing the personal data, but not you transferring it to an American provider, which is entirely illegal even if necessary for the operation of your service.
The "trans-atlantic data privacy framework" can't come soon enough to finally end this farce. In the meantime, it seems like the most useful thing to do is just ignore all this.
Ain't nobody got time for all this uncertainty. And the chance of any of these regulators suddenly caring about your particular company before it's solved for good is quite low.
> This applies to you processing the personal data, but not you transferring it to an American provider, which is entirely illegal even if necessary for the operation of your service.
At worst unlawful, not illegal, but even then, there's subtlety. Most transfers to the US rely on Standard Contractual Clauses, which are being invalidated, but on a case-by-case basis.
No, using an American service provider is not illegal. However, feel free to ignore all this, be one more line in https://www.enforcementtracker.com/, it brings Europeans great joy.
Insane parts like being unable to use any American services, even though there are no EU based competitors that are viable to use, don't. Or perhaps it's now actually impossible for an American company to be compliant, in which case oh well. Good luck enforcing that against half of the internet.
I quite like the spirit of the original GDPR, but some of the more recent execution is just bad.
> perhaps it's now actually impossible for an American company to be compliant
If they store and process PII, then this has been the case since the CLOUD Act.
They can be compliant by not dealing with PII.
> I quite like the spirit of the original GDPR, but some of the more recent execution is just bad.
This particular bit of it is fantastic IMO. I'm still waiting for big fines or other punishments to happen though. Hopefully soon but I'm not holding my breath.
> even though there are no EU based competitors that are viable to use
Hopefully this will open up the market for companies based everywhere to compete against the US giants. Not just in the EU -- like I said, this is not about where the company is based, except in the case of the US where the CLOUD Act exists. That would be very healthy for the Internet.
Sure, if your company provides no web services, and doesn't actually have any customers, this is possible. For everyone else however, that is a ridiculous suggestion.
Of course every country prefers their own companies etc., but countries like France just take it to another level. The USA is not going to force a radio station focused on Japanese anime music to play music made in America at least 40% of the time.
You are talking about the « French Cultural Exception » which, like its name implies, is an exception to protect French culture and arts from the free markets.
We know that we will never be as strong as US majors in cinema, music, arts, … so what this exception is trying to achieve is to preserve the French culture and values (including moral values) through arts. While implementation is falling apart these days and the rules are clearly abused by a lot of companies, I truly think it was a great idea when it was imagined.
For instance, Hollywoodian cinema (and don’t get me wrong, we love most of it as an art) naturally promotes US values such as paid education, paid healthcare, free carrying of weapons, strong Christian values, neoliberalism, the idea that the US is the center of the civilized world … (I randomly chose those ideas with no judgment whatsoever, just because we have different visions on those topics, so don’t blame me). Those ideas are clearly infusing into the young generation as the normality so I do think the idea of this exception was genius. The idea was not to ban anything US (we love US arts) but to keep it in the context of « this is US art, so that’s why [insert_something_different] » instead of « this is mainstream art depicting the world as it should be ».
Maybe it’s hard to see it from the US side because you are on the powerful side but imagine if China invested billions in (good) arts and surpassed Hollywood with (really good) movies promoting the Chinese system moral values. I’m pretty sure the US would react immediately and I think it would be normal.
But this is just … an exception. And don’t be afraid, our current government is really happy to play the free markets game, including in healthcare.