I am far from someone who can evaluate the legal questions here. However, two notes:
- Legalweb, which OP references, sells services for GDPR compliance. While that may make them familiar with these rules, I wouldn't view them as an impartial perspective.
- The jsdelivr post quotes actual attorneys. While they are certainly not impartial, I’d feel a bit more confident with their interpretation given that the firm is actually named. I could not find anything on Legalweb on who’s actually behind it, though I did see this quote: ”As a software manufacturer, we are not allowed to offer individual legal advice.”
If someone can find a more independent interpretation, that would probably be ideal.
It doesn't seem like there's any reason to be suspicious about Legalweb. The attorneys in jsDelivr's post can be lifted up without putting Legalweb down.
There isn't much said editorially in the jsDelivr post. They didn't use a blockquote but it appears to be quoted until the last paragraph where it says "In conclusion". There are no editorial assertions in the intro. The conclusion appears not to match up with what the attorneys say.
What the attorney says is that jsDelivr, the service, is safe. It doesn't say that about sites that use it.
I agree with both the article and with jsDelivr's posts except the conclusion. jsDelivr will not be shut down just because of this ruling, but site owners may want to stop using it.
Here's the conclusion:
> In conclusion, the ruling that has been so controversial recently does not seem to fully address the factual and technical circumstances of how jsDelivr works, and at this point as a single ruling should not lead to any real concerns about using CDN's services. The arguments for extending to other online services a single ruling strongly emphasizing Google's failure to adequately protect personal data are insufficient and lack substance.
"should not lead to any real concerns" doesn't inspire confidence
Huh, that didn't show up in my searches at all.
Legalweb, one of the sources I referenced, doesn't seem to agree, and is recommending removing jsDelivr completely.
Even if this PR statement was correct, do we really need legislation to know leaking user data to third parties/CDNs is unethical and generally a bad idea?
The GDPR laws have brought so much complexity. I'm currently navigating this for my current EU startup.
Don't get me wrong, I'm all for privacy, I agree these laws are needed and that privacy is a fundamental human right.
But there are so many nuances and technicalities. The GDPR is clearly making things more difficult for small companies that cannot afford a team of lawyers.
GDPR is also putting EU companies at a disadvantage vs companies from the US. I'm aware GDPR laws apply to any company from any country handling personal data from EU citizens... but realistically the EU will probably not chase down small companies from other countries.
It only seems complex because everyone has been implementing user-hostile datamining operations for years before GDPR was enacted. So for every external service you use, you must make sure that they implemented GDPR compliance or not. If GDPR had been a law since the beginning, it would be much simpler.
Although I'd like to know, what difficulties have you been facing in your startup, exactly?
I have dozens of matters that I don't even know if they are related to GDPR.
Our main DB is physically hosted in an EU data center by a US company (not AWS). Is this GDPR compliant? Because, as I understand it, US companies can be required to share their data with the US govt. Does that mean I should be looking to host my DB with a non US company? Would signing a DPA and putting some clause in our privacy terms be enough to be compliant?
What if we're using a cache with Redis at the edge. Would I be breaking GDPR laws if an EU user was traveling outside the EU and this triggered a cache into a Redis outside the EU?
What is considered sufficient security to store email addresses of our users? Should I be encrypting email addresses in the database even though this would be a massive pita and would prevent certain features from even existing?
Etc.
I could be here all day with lots of nuances.
Every time I read more on this matter it opens up a can of worms.
Disclaimer: this is obviously not legal advice, but I have been involved in similar GDPR adventures at my company.
> Does that mean I should be looking to host my DB with a non US company?
Yes, if you want to isolate yourself from any ramifications in the Safe Harbour/Privacy Shield/Paper Tiger #3 diplomatic processes.
> Would signing a DPA and putting some clause in our privacy terms be enough to be compliant?
Probably not (assuming you're referring to a DPA with a US-based company), but not having a DPA is not an option. In any case, the fallout from a total breakdown of transatlantic data transfers will be sufficiently large that fines will probably not be given without sufficient notice.
> Would I be breaking GDPR laws if an EU user was traveling outside the EU and this triggered a cache into a Redis outside the EU?
No, unless your outside-EU Redis is controlled by a different company than the inside-EU Redis. In which case you should sign a DPA with the outside-EU provider as well, with the same caveat as above.
> What is considered sufficient security to store email addresses of our users? Should I be encrypting email addresses in the database
No, but you will want to set up data access auditing for such fields, and possibly something like dynamic data masking so employees can not easily access the raw data. Normal at-rest data encryption of the entire datastore (and backups!) should be sufficient.
> Yes, if you want to isolate yourself from any ramifications in the Safe Harbour/Privacy Shield/Paper Tiger #3 diplomatic processes.
But if said US hosting company doesn't have the DB password then would this also apply? Do you think it would change anything if the data was encrypted at rest?
Strictly speaking, if said hosting company has access to the unencrypted data store they don't need any passwords. And if said hosting company has access to the encryption keys, any encrypted data store might just as well be considered unencrypted. So your question then becomes: how much effort should we spend on making it hard for our business partners to exfiltrate our data?
The problem with these kinds of questions is that the GDPR does not define any threat models, it only mentions "proper processes" and "adequate safeguards". Whether active subversion (by law or by greed) by your service provider should be included in your data loss exposure/risk assessments is very much an open question. At my company we decided to exclude such questions from the GDPR compliance process, and only include these scenarios in the threat models for our security assessments (note: that's not to say they are treated in isolation -- the results from our security assessments do inform our GDPR decisions like which data can be hosted where, but we do not repeat those same risk assessments in the GDPR survey).
To give a more direct answer to your question: I would consider encryption-at-rest a minimal requirement for a company hosting our internal data. Regardless of whether they're inside or outside the EU, and whether we're looking to host internal data, sales data or customer data; not being able to offer encryption at rest would mean my company won't use your hosting services for non-public data. For us, this specific ability is a supplier maturity test: if you haven't given serious thought about securing your customers' data, maybe we shouldn't be in business together.
But that decision is driven more by a defense-in-depth strategy about overall data security than by a specific GDPR requirement.
Encrypted at rest or not, the hosting company could easily dump the encryption keys out of memory while the server is running. If you're an American citizen, the government can just directly go after you or your company. If American law enforcement can get access to the data (i.e. by plugging the server into a UPS and carting it out of the data center) you're violating the GDPR at the very least; both attempts at skirting around the lack of American privacy guarantees were defeated by the American government refusing to provide sufficient data protection laws for European citizens, after all, choosing to uphold the PATRIOT ACT (and other such laws) over the digital business of EU customers.
Something as simple as a database password definitely doesn't fly as far as I know based on reading through the GDPR. Maybe it's legal if you apply enough tricks, you should consult a lawyer if you want to know your workaround is sufficient.
However, by default, storing PII of EU citizens (+UK citizens, I believe, they've implemented the GDPR before they left) with American companies is not legal. I can see how in theory a remote disk drive with fully end-to-end encrypted traffic (encrypted inside the EU, merely stored abroad, the decryption key never leaving the EU) may be allowed, but if the data gets decrypted on the American end I'm pretty sure you're out of luck. Otherwise, any form of TLS would be enough to avoid the GDPR, and that's definitely not the case.
Encryption at rest doesn't protect you. In fact, it may even be legally required, regardless of where you store your data. The GDPR doesn't specify any exact security measures, but you do have to try your hardest to secure any PII you may process or store, and encryption at rest is one of the easiest steps you can take to do so. You should make a conscious decision of what data may leak to where, the impact of the leak, and ways to counteract such problems.
In this case it's not enough just to be GDPR compliant, the website admin has to have a data processing agreement with the CDN, which you won't get from a free CDN such as jsDelivr.
It's complex because 'personally identifying information' is not a thing outside the digital. You can't enforce these rights on physical businesses for example (e.g. can't request from your local bakery to forget that you existed)
You can request they expunge all records of your purchases.
Not exactly a new idea either. Doctors have been subject to rules around record keeping for a long time. It's not really all that different between physical and digital - the cost of making and (ab)using records is just way lower in digital.
Sure, but the same thing applies in the digital world. If you're an important customer, it's likely some employees know information about you. You can demand the company erase records, but you can't erase it from the employees' minds.
Why wouldn't an "agreement" already be in place by the mere fact that those URLs are open to the entire world on purpose? Why can't EU citizens decide they WANT to contact google to download fonts? Banning that automatically doesn't sound very freedom-like.
> There is no legitimate interest for using CDNs when the assets could be self-hosted instead.
I disagree with this because there are several reasons not to host it yourself, especially when you do not have the network/computing capacity to serve your users all of the content by yourself.
And what about loading resources from other third parties that aren't CDNs? Or just accessing any non-EU site in general. Is that now illegal too? It makes no sense to me. This seems wide open for massive abuse.
> Why wouldn't an "agreement" already be in place by the mere fact that those URLs are open to the entire world on purpose?
An agreement is in place, it often just isn't sufficient to cover what the third party is going to do with the data it gains access to. In those cases an explicit agreement is required.
> Why can't EU citizens decide they WANT to contact google to download fonts? Banning that automatically doesn't sound very freedom-like.
And how would an EU citizen make that choice? This is something the web designer decides, if the choice was presented to the user this would not be a problem.
"Legitimate interest" is not a common expression, but a term of law related to data processing and defined under GDPR:
> “[where] processing is necessary for the purpose of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.”
> It makes no sense to me. This seems wide open for massive abuse.
That the true purpose of the web - to harvest information about consumers and citizens, and, soon, to train very advanced language models - doesn't make sense to you doesn't make it any better. Despite your condescending comments, GDPR legislation turned out necessary to even make an attempt to prevent actual "massive abuse". In fact, the emergent generative AI armageddon is calling for urgent GDPR legislation updates, such as a requirement for explicit consent to use your comments, code, and other contributions online as input to ML.
Actually no, the GDPR applies to all European citizens around the world.
And if your website targets a global audience, then by extension you target EU users, which means you have to comply with the GDPR too.
> if your website targets a global audience, then by extension you target EU users
This is nonsense. The GDPR only applies if you actively target users in the EU, such as by offering French/German/Swedish translations, or supporting the Euro currency in your shop.
> the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention
Well, that's just nonsense though. They have no way to really enforce that.
And I've actually put that to the test. For some medium size websites I manage that get about 30% of traffic from EU countries, instead of an annoying cookie banner, I have a banner saying the GDPR does not apply as the server is not hosted in the EU, they are free to adjust their browser settings as they like, and they're free to file a GDPR complaint and take action. And there's only an 'I accept' button, by design.
So far, nothing has happened, and I doubt it ever will.
You're right that foreign laws don't apply to you if you're not doing anything inside the laws' jurisdiction (physically or digitally, like using European TLDs or doing business with European companies).
As long as you never go to Europe for any reason, there's no way for the EU to get you. At worst your website will get blocked inside the EU. And, of course, any companies using your services to service EU countries would be violating the GDPR themselves so may lose out on some potential customers.
I don't see the point in claiming the law doesn't apply to you, though. If it doesn't, you don't need a cookie banner.
That is my point though. It's up to the EU to block sites they don't feel are compliant with the laws they have passed, which they don't have control over.
What is the point in claiming a law applies if they can't enforce it?
Would it not make much more sense for the GDPR to have a provision blocking sites they can't control, or to allow for treaties between countries? It may allow both of those things already, in which case, it's even more perplexing to try and claim global jurisdiction as they do.
And I don't need a cookie banner. The one I have is a subversion to make a point.
Under the GDPR IPs are considered personal data. If you have EU users visiting your site, then you are receiving their IPs, correct?
"The whole point of the GDPR is to protect data belonging to EU citizens and residents. The law, therefore, applies to organizations that handle such data whether they are EU-based organizations or not, known as “extra-territorial effect.”"
Oh, I understand the EU says the law applies, I just disagree that it does.
Does Chinese law apply in France to Chinese citizens that have emigrated there? China would say yes, they even set up secret police stations to enforce it. But does that make it so?
IANAL but it seems like a totally different scenario.
Regarding the censorship, obviously the laws apply inside Chinese territory. France is not China so the laws do not apply.
But regarding GDPR, the EU user is still inside EU territory when visiting your website and giving you his personal data. If this user was, I don't know, in Indonesia while visiting your website, then Indonesian laws would probably apply. Which is why the analogy of a foreign company doing some activity in the EU (like selling a product) seems more apt.
Again, IANAL and this is just my superficial impression.
> Regarding the censorship, obviously the laws apply inside Chinese territory. France is not China so the laws do not apply.
This is exactly my point! EU laws apply within the EU. The US is not the EU, so EU laws do not apply.
> Again, IANAL and this is just my superficial impression.
Fair enough, I see your position now, thank you for explaining.
I think it's a pretty terrible precedent to try and enforce laws from the visitor's country on to the hosting providers country though.
It's not that far-fetched to think some countries with poor human rights records could post some laws that would work the same way you describe, and I don't think you would want them upheld.
The only thing that makes sense to me is enforcing laws for users within their own borders, and same for hosts. If the EU doesn't like something outside of their control, they should set up the Great European Firewall.
Ireland is the biggest one in terms of money fined because Google etc have their subsidiaries incorporated there. But I don't see any fines directly to a US company.
My real issue with such legislation like that (assuming I do have a point), is that it lessens the seriousness and impact of the legislation.
If it can't be enforced uniformly, then it's fine for people to not take it seriously, or for it to be enforced selectively, both of which I think are problems.
> Actually no, the GDPR applies to all European citizens around the world.
Actually, GDPR applies to (1) people who are "in the Union", and (2) people whose data is being processed by processors who are "in the Union". Citizenship has nothing to do with it.
Betteridge's law apparently fails... according to this non-lawyer, at least.
In any case, I'm not a fan of free CDNs - they're an extra point of failure, and if you're not using subresource integrity with them, you're just asking for trouble.
Additional edit. If jsdelivr is illegal in Germany, it’s going to come as quite a surprise to many prominent sites: https://trends.builtwith.com/websitelist/jsDelivr/Germany
I know nothing more than I’ve found with a few minutes of web searching, but what I have found makes me skeptical of the OPs conclusions.