
Ask HN: Follow the law based on server location or company location? - jamesponddotco
I have been working on the hosting industry for about a decade now, and recently started to work on an idea for my own company, a managed WordPress hosting company with a certain focus on privacy and open source.<p>While working on our business plan, something occurred to me that did not occurred before: as a hosting provider, do I follow the laws where my servers are located or the ones where my company is located? We are looking to keep our servers in Germany — price to performance ratio — or Iceland, while the company will be incorporated in Brazil or Panama — because moving to the EU is not an option, unfortunately —, depending on whatever my wife and I decide to move to Panama or not this year.<p>In Brazil we have a data retention law — the laws mention ISPs, but I am guessing a hosting provider would be on the hook too —, but Iceland does not — as far as I know. So if we were hosting our servers in Iceland, but the company itself was registered in Brazil, which law would take priority?<p>Right now our servers are configured to keep access logs — with anonymised IP addresses — for seven days, and no backups of those logs are kept. We also have a few VPNs for personal use and logs are disabled on those machines, so in Iceland that would not be a problem... but I think it would in Brazil? Data retention logs usually have &quot;ISP&quot; written here and there, but it seems to be a blanked statement that means any company with a server.<p>I am looking for a lawyer with a privacy and hosting focus to get everything sorted, as laws are obviously not my forte, but the search has been frustrating so far.
======
tlb
You have to follow all the laws of all the countries that you or any of your
employees or contractors have any presence in.

Even if a prosecutor of a country you've never set foot in decides you've done
something wrong and wants to make the effort, they can create trouble for you.
Ultimately they can ask your government to extradite you, and you have to
defend yourself against it. You may succeed, but it'll be expensive and you'll
be living under a cloud for years.

If privacy against governments is a focus, you should have ties with only one
carefully chosen jurisdiction.

~~~
jamesponddotco
Hm, I might need to register the company in Germany, then — Switzerland needs
a partner living there. While Panama would be perfect for privacy, living and
running the company, the few dedicated server providers I saw do not come
close to the price to performance ratio I found in Germany.

I really wanted to live where the company is registered, though, to make
things easier. Might look into getting in Germany through Portugal.

Thanks!

