Please detail your claim that implementing Gopher in a GDPR-compliant way is “tricky”. It’s difficult to tell if you seriously believe this or if you’re exaggerating for polemic effect, and those details will help evaluate the merit of your viewpoint.

I am both exaggerating and serious. Say you are a US company and you run a gopher site. You are not allowed to have the IP addresses of European visitors transmitted to you, that is what this decision is saying right? You are not allowed to allow them to establish a connection to you at all. This seems impossible, but this is how I am reading this. I would (honestly) like to for someone to point out my error here, without any "they probably won't do this because it doesn't make sense" arguments.

I don't know what makes a US company eligible to be sued in a EU member court. I guess you have to be doing some kind of business with European customers, so a non profit blog may be ok?

How do you solve this? You have to create a legal entity not connected to you that can purchase a server within the EU and then somehow syndicate your content to them without establishing a strong legal connection.

(Apologies, a medical event delayed my reply by a week. I appreciate the time you spent replying, and I’ll try to keep it brief.)

I think this only impacts EU providers who sublicense to US providers, if/when they record any ephemeral data collected prior to the user consenting.

So an EU business logging the IP addresses of visitors might be not-okay until they consent, though GDPR has some flexibility around “IPs power the Internet”, so long as you don’t try to convert them into personal identifiers.

That applies whether US or EU providers are involved, but as the courts point out, any non-ephemeral data within US territory or corporate boundaries is an automatic GDPR violation for an EU company.

So, in the gopher example, as a US provider you can do whatever you want, and as long as you’re approximately complying with CCPA, you’ve got GDPR in the bag as well, especially if you just offer the same rights to all users (to not be tracked by default).

But as an EU provider, if you host your Gopher server in the US, you may well be violating GDPR as a citizen of a signatory country, since a U.S. provider can’t honor the choice to not record ephemeral data, and therefore compliance is impossible even if the provider currently honors it.

This means that AWS is probably not a legal provider for GDPR purposes, since they can be compelled to ignore GDPR, unless the US signs a new treaty. And that’s the terrifying reality of that safe harbor agreement expiring that may result in Amazon having to restructure itself to avoid losing the market; the US entity would have to become a subsidiary of a parent in a treaty-signed country.