Ask HN: Do I have to host all data in the EU to comply with GDPR?
46 points by oliv__ on March 14, 2022 | 70 comments
Hi HN,

I've had some EU-based potential customers ask whether I could host their data separately on EU located servers.

I've been Googling around to get a definitive answer as to whether this is an absolute requirement or whether there is an easier way around it.

For reference, my current setup includes servers in US, a database on Google Cloud and a cloud-based ElasticSearch instance.

Any insight or experience with this would be greatly appreciated!



With all the "IANAL" answers here, let me give you a different one:

if it's viable, I would try to host all data in the EU for all your EU customers regardless of the legal situation. Because the legal situation is likely to change further - just plain and simple, it's a risk, and if your cost in avoiding that risk is sufficiently low, that might be worth it. And you can advertise it as a benefit to your customers.


Yeah, this is probably the most pragmatic answer.

It's a pain to implement and only adds more complexity to my setup for a tiny percentage of customers; but on the other hand the more I dig into the answers, the more unclear things get with recent rulings overturning common practices.

It's unfortunate that finding the answer to such a simple question seems to require lawyers, especially for a small business like mine. I wish we could protect data and privacy without opening Pandora's box.


Spending a lot of money on something you don't need to do is not 'pragmatic'.

"It's unfortunate that finding the answer to such a simple question seems to require lawyers, "

Yes, and it's a problem for the EU. While there is definitely a need to have some kind of regulatory elements in place, the degree of complexity involved creates considerable constraints and overhead for ultimately very little gain.

There is probably a version of this legislation, or even better, some kind of 'data treaty' between WTO or OECD nations that makes this work out with a lot less overhead.


Whether I "need" it or not depends on how much of my future customer base I estimate will be EU-based.

Believe me, I don't think these laws are very well structured (they're not even clear enough that you have to dig through 15 different sources and recent court rulings to figure out what to do) and I don't want to add complexity to my setup, but I am trying to grow my business: if it works out financially with enough new EU customers, then the headache could be worth it.


"I don't think these laws are very well structured (they're not even clear enough that you have to dig through 15 different sources and recent court rulings to figure out what to do) "

"The headache will be worth it"

Those are contradictory, which is my point.

What if it turns out you really don't need to host your data in the EU? Then it definitely 'will not have been worth it'.

Unless there is some timing risk whereby you risk actually damaging your business because you're under threat of service degradation or litigation because you're 'behind the ball' in which case there might be some rationale for doing it ahead of time.

We don't even know for sure what bits of data might need to be moved to be compliant, or that the 're-architecture' itself may not be sufficient and will require 'another rearchitecture' ...

Do something when it's clear that it needs to be done, otherwise, I don't see how there is any upside at all.


I agree. It makes for good marketing, and it means lower-latency access for European customers.

I interpret the law as requiring it anyway, but I view this as carrot-and-stick.


As I have understood it from a lawyer: US laws require a company to hand over the data wherever the data is located. EU, Japan, whatever. You are a US company, so hand it over.

EU law states: EU data shall not leave the EU.

Those two bite each other, and the result is that a company can _never_ bow to both laws.

So, if EU data must be kept in the EU, choose a (hosting) company with no ties to the US. Vice versa is no problem, the EU law _does_ respect data locality.

It is the reason why we had to move away from Hetzner, when they opened a US office/branch.

(https://docs.hetzner.com/general/general-terms-and-condition...

If you require a web hosting company that has absolutely no connections to the USA, then unfortunately, we may no longer be the best choice for you)


This is a bit fantastical.

Splitting up operations from a single data centre (vast majority of situations) is quite costly and adds a lot of complexity.

'You can advertise to your customers' - except that nobody really cares that much, or at least care enough to the point it makes a difference in terms of purchasing behaviour. I mean - everyone would 'like to know that their data is local' but that does not translate into purchasing behaviour or pricing intent in most cases.

Aside from 'real costs' of doing such a thing, opportunity costs are always high. There are always '10 critical things' to work on right now, who has an extra team of Engineers to work on 'maybe it will be useful someday features?'.

Finally - it's not a hugely helpful exercise in the end: it doesn't matter that much 'where' the data is.

People want to know that their data is protected and that's that. So just do that, which everyone should do.


> This is a bit fantastical.

That's a very generic statement on a situation that can have a zillion factors ;)

> 'You can advertise to your customers' - except that nobody really cares that much,

I do know quite a bunch of people who care, so "nobody" is demonstrably wrong. That said, the people I associate with tend to be tech-savvy, privacy conscious and have disposable income, so I'll agree it's probably not a large percentage. But I don't know what OP's target audience is either...


"That's a very generic statement on a situation that can have a zillion factors ;)"

There is 'one factor' that's relevant, and that is there is no apparent need to move data to the EU, and even on that basis it's not clear if that would be sufficient.

The 'factor' is that it's a fuzzy requirement at best that definitely will require investment and opportunity cost.

" so "nobody" is demonstrably wrong. "

It's beside the point; there are almost 0 products on the market for which 'hosted in EU' will move the needle on customer acquisition. Maybe some SaaS here and there, but even in that case, it would be a feature that could be researched and then one could write a material business case around 'moving it to the EU to acquire customer segment X which is worth $Y in revenue'. And that's definitely something that would start coming back from the sales team, i.e. 'Big EU Co. asked about this, it's going to be key in the sale' - which is how regular product operations are done.

But without needing to do it, it makes little sense.


How do you protect customer data from US government if you process it (not just store) in AWS/GCP/Azure?


The whole situation is confusing for me. We set up a few projects with Kubernetes clusters for local governments in the Netherlands. They denied DigitalOcean because even though they have servers in Amsterdam, the company is in the US, so we went with a much higher priced custom K8s cluster from a local provider.

So not really sure if they were right, but according to them even just having your servers run by a US company is a potential legal risk with GDPR.

But at the same time other departments in the same organization run on Azure.


Any US based company can be forced to give up the data of European customers and be silent about it (see CLOUD act) so as far as I see it any US based company that adheres to the CLOUD act can not be GDPR compliant.


Yeah, that's their argument as well. Although local govs for some reason have no problem working with Azure.

EU cloud hosting companies however are not as mature as the big US players so makes it more of a pain.


Yup. The spirit of GDPR is "do the right thing."


The spirit of the GDPR is "do what we think is right even if we don't really understand what you really are doing - we have very fancy principles but no idea how to implement those, so we'll impose a ton of crazy measures hoping to move the needle, and failing miserably".

As a European, I don't really care about the spacetime position of the magnetic moment encoding whether I clicked the big red button or not. It does not change anything in my life. What I do care about is that my sensitive data are kept securely. And even my government is failing to do that, so before they impose anything on the latest SaaS I subscribed to, they have a ton of work to do in-house.

I also care about what people post about me, but GDPR has an exemption for public data, so I am not more protected today than I was yesterday.

I am sure someone, somewhere feels all warm and fuzzy about "protecting" the European citizen, but boy did he miss the mark.


>the spacetime position of the magnetic moment encoding if I clicked in the big red button or not.

That's not what it's about; it's about whether you consent to third party cookies or not.


IANAL.

You can store them outside the EU and/or with US companies, but that provider/country needs to provide the same level of data protection as they would have in the EU.

Practically, this excludes anything related to the US due to the CLOUD Act.

They've tried making this work with the Safe Harbor and later Privacy Shield framework, but that was overturned by the European Court of Justice.


Note that this is not (only) about the physical location, but also on the legal side who can access the data.

Even if the US company runs the servers in Europe it doesn't matter. U.S. government can request compliance with the CLOUD Act.

Larger companies try to do a little legal firewalling, by having European customers be customers of an Irish company, not the American HQ. However there are doubts whether such a setup is enough.

On the extreme there are attempts like the Microsoft-T-Systems cooperation, where Deutsche Telekom / T-Systems was running an Azure Cloud Region in Germany; however too few customers were willing to pay the premium and accept the restrictions of being bound to a single region.

Everybody is playing the waiting game, how privacy agencies, courts, ... are going to deal with that and whether there will be a new attempt of a privacy agreement between EU and US.


If this is true, then no American company can do business in EU.

Because the US government can always request compliance with CLOUD act.


Yes, if a company can't follow the law, it can't do business. In this case US law and EU law contradict each other. If the governments can't find a compromise (previous attempts at compromise have been overturned by courts) or won't change legislation, companies have to pick how much legal risk they are willing to take. And GDPR enforcement slowly increases.

See for instance https://www.cnbc.com/2022/02/07/meta-threatens-to-shut-down-...


If your engineering patterns can support isolated customer instances in different data centers around the world then there is absolutely no reason to go for the centralized approach. Regardless of data laws, it is beneficial for so many other reasons - better performance for international customers, easier scaling, more redundancy.

Also remember that GDPR isn't the only law of its kind out there. Different countries, industry sectors, regulators and even companies themselves have their own laws and policies around data storage and processing, and as a service provider it is going to be impossible to stay on top of all of them. So, if a potential customer asks you for this feature the ideal response isn't "well actually GDPR doesn't require us to do that", but "yes we will accommodate you in whatever way you want".


In this case (data in google cloud) would it be enough to use a GCP region in the EU?


If you are on the big cloud providers, can't you consider flipping the problem and move ALL your data to the EU and apply all the requirements to all users as if they are ALL protected by European law?

You will have a one-time cost to migrate things, and depending on how many customers you have it may require you to add some automation to your systems (e.g., for the cases where a customer requests a copy of all their data, or to delete all the stored PII), but speaking as someone who had to deal with this in two different projects, I still think that taking this route was easier than trying to special-case everything based on user-specific citizenship.


Until you run into data locality laws in India.

I think if you are trying to future proof your application for data locality regimes you are just going to have to think about region shards. It makes application architecture more difficult but it seems like the days of treating the internet as non-region specific is over.


Interesting suggestion but most of my customers are US-based so I feel like the impact on speed might outweigh the reduction in complexity?


As someone currently working at a German startup I can tell you that there is a growing movement away from using any provider that moves data outside the EU.

Our largest customer, a German enterprise, just told us that if we don't remove all US based providers from our stack they will leave us, regardless of where the data is hosted. They gave us 90 days.

Thankfully I saw this coming and we have been moving to EU providers already.


IANAL.

It is not an absolute requirement. It is often preferred from EU-based customers to store their data in EU-based data centers because then that data is subject to EU law, which can make things easier for your customers with their own legal compliance.

Edit, because I was incorrect: It is a requirement for EU users for their data to be subject to GDPR. It is not a requirement to store that data in the EU to be compliant with the law.


Just to clarify, it is not just a preference, it is a legal requirement to store data of all EU citizens according to the GDPR.

https://gdpr.eu/what-is-gdpr/#:~:text=The%20regulation%20was....

https://www.cnbc.com/2022/01/18/fines-for-breaches-of-eu-gdp...

https://www.enforcementtracker.com/

It has also been ruled recently that pop-ups asking EU users to opt-in or opt-out of data sharing, where cookies etc can pass their data to the U.S., are also outside the GDPR.

https://www.forbes.com/sites/martyswant/2022/02/02/europes-n...

https://www.brookings.edu/research/the-court-of-justice-of-t...

There were updates by Meta, Google etc. based on recent rulings to update their terms and to change where and how they were storing data. The recent rulings could have a major impact on Google Analytics etc.


It's not a legal requirement to store all that data in the EU.

Although it might be pragmatic to do so given the last few agreements with the US on this were shot down in court.


If your customer is in the public sector that is probably the case.

Mandatory reading is some info on Schrems II. Starting point: https://en.wikipedia.org/wiki/Max_Schrems#Schrems_II


This can also be useful for keeping track of these rulings:

https://noyb.eu/en/statement-max-schrems-schrems-ii-annivers...

noyb is one of the groups raising these issues with the EU data protection groups.


Great! Rulings are one thing. I can however add that despite rulings, there's extensive work being done at Sweden's governmental agencies and municipalities to replace USA hosted services. The city of Stockholm (40 000 workers and countless students) just recently said no to Office 365 partly because of Schrems II.

Similar things are happening in other countries:

https://techcrunch.com/2021/08/17/stop-using-zoom-hamburgs-d...

https://edri.org/our-work/microsoft-office-365-banned-from-g...

If you want to stay ahead and will have customers in the public sector in the EU, you should probably consider hosting within the EU.


I've been looking into this for my app. There's a lot of outdated or misinformed opinions out there (any info from before Schrems II in July 2020 should be ignored), but here's what I've concluded:

At this time, it looks like it's probably not legal to routinely store European data in the US under GDPR. There are limited exceptions (see below), but I don't think you can just host everything in the US.

GDPR requires you to only transfer (i.e., hosting, also viewing) European data to places with GDPR-equivalent data rights. Initially, the US qualified under Safe Harbor, but that was invalidated with the Schrems I ruling. Then the US qualified under Privacy Shield, but that was invalidated in Schrems II.

The guidance from the European Data Protection Board following Schrems II is more or less this:

- You may transfer data to the a country not officially recognized as GDPR-compliant (a "third country") if the transfer is necessary to do what your customers asked you to do. But only if the transfer is occasional, and objectively necessary.

- You can transfer if the user gives you consent, but consent can only be granted for specific transfers. You can't ask for perpetual consent to host everything in the US. Consent must also be explicit (an obvious, opt-in checkbox, not a EULA), and the user must be informed about the risks of sending data to America.

- Transfers under SCCs & BCRs are still valid in principle, but only if you confirm the destination country has GDPR-equivalent data rights. If they don't (which America doesn't right now), you can transfer only if you take measures to counter the risk of government interference, and only if the government can't subvert those measures (including by court order). Schrems II is also widely interpreted as forbidding "sign & forget" - you can't delegate your responsibility to certify the safety customer data to your cloud vendors.

EDPB FAQ on Schrems II: https://edpb.europa.eu/sites/default/files/files/file1/20200...

Article describing the impact of Schrems II: https://www.lexology.com/library/detail.aspx?g=86e3448e-2f32...


This is one of the best answers I've read to this question.

It's not only the CLOUD Act but also the FISA Act and Executive Order no. 12333.

The EU data protection head has made it clear that Standard Contractual Clauses do not suffice, as a workaround. EU and US administrations are trying to work out a working compromise, but no progress yet (and frankly, not likely to happen soon, as there are more relevant priorities)

Courts are slow, but they are starting to affirm the EU law.

For example,

the Austrian Data Protection Authority (DSB) ruled that the use of Google Analytics and the transfer of personal data to the US violates the GDPR;

the French data protection authority (CNIL) also confirmed that these personal data transfers to the US are a violation of the GDPR.

These are the first decisions from EU data protection authorities in response to 101 complaints filed by https://noyb.eu/en , so more to follow...

Quite obviously, the same principle applies to any service that sends data to the US. (For example, fonts can be used to track users; IMHO push notifications might be next, because, even if encrypted, they provide data^Hmetadata that combined with other data reveals a lot about users' behaviour...)

The Portuguese Data Protection Authority ruled re. data processing carried out by Cloudflare for the Portuguese National Statistics Institute. Cloudflare declared to use its own servers in the European Union, but CNPD noted that Cloudflare had data centers all over the world and there was no evidence that, in the event of an emergency situation or legal order, personal data could not be transferred outside the EU in jurisdictions that don't provide equivalent protections.

The CNPD had ordered the immediate suspension of data flows to the United States despite the adoption of the standard contractual clauses.

Expect more of these decisions in the coming months.


You might want to check out how AWS handles it via Standard Contractual Clauses:

https://aws.amazon.com/compliance/eu-us-privacy-shield-faq/


It should be noted that American companies that fall under laws like the CLOUD act can't fix their noncompliance with contracts. American law always overrules contracts for American businesses. Storing data on AWS is risky, and it's only a matter of time before some judge will rule it completely illegal.


Tons of companies and government agencies in the EU depend on Microsoft, Google and Amazon, and undoubtedly these companies also make a lot of money this way. The scenario you sketch is a possibility, but I think both the EU and US will do everything in their power to avoid this.


I had to do a deep dive on all of this and I found the actual letter of the law to be readable and in some cases surprisingly well written. You're surely looking for a quick one way or another answer and there's lots of comments with their own takes so I won't rehash any of that.

Just a plug for reading the actual law like you would read the source code. There are entire sections you can skip about requirements the regulators are under and you can focus on the burdens on data processors and controllers which is effectively what you would be classified as.

Have fun, it's really not so bad.

https://gdpr-info.eu/


We are in the same case. Our servers are in the US, hosted by gcloud. From what I could find, until the end of the year at least, it is not mandatory to have your servers in the EU as long as there are some additional securities (source: https://ec.europa.eu/info/law/law-topic/data-protection/inte...). But our client keeps asking for the servers to be in Europe anyway.


I believe if you encrypt your data securely (client-side encryption, so only you have the key to it, and not the cloud provider) you can store your data everywhere.


As a CISO from Germany I can tell you the problems we have, if we want to use US-based services. As soon as we want to transfer PII to such services we have to write down a full Data Protection Impact Assessment for our legal regulators. Since the USA isn't a "safe destination country" under EU laws (especially EU GDPR), we have to ensure that the data is transferred and stored encrypted by the services. In addition we need a written(!) Data Processing Agreement, that ensures the services are not transferring any data to third parties including intelligence agencies and that all data is only processed within the limitations of GDPR. This contract also must ensure, that the provider informs us, if any intelligence agency asks for our data. So, it's a lot of paperwork and bureaucracy to handle. And finally we need an entry in our data processing index that defines a security contact at the service provider together with details about the kind of data we transfer to the service. However, it doesn't make any difference if your servers are located in the EU or in the US, at least from the legal perspective. If we transfer data to US-based companies we have to do all that. But it makes European companies feel better if the servers at least can't be seized by U.S. intelligence agencies. ;) But... we'll get a better latency if the servers are located in the EU. And as far as I know GCP also offers data centers in the EU.


Hosting data on servers located in the EU isn't required by GDPR in and of itself, as long as you have a valid data processing agreement with the provider stating how and according to which provisions customer data is protected on their machines.

However, according to a relatively recent European Court of Justice ruling you're not allowed to transfer any personally identifiable information to companies that are in any way affiliated with a US-based entity (e.g., by virtue of having a US-based parent company) anymore. Just being physically located in the EU isn't sufficient according to this ruling.

The reason for this is that with FISA US law enforcement can force US-based companies to hand over any data, even if that data is stored with an international subsidiary under a completely different jurisdiction.

This basically invalidates all of the provisions and legal frameworks for interacting with non-EU entities that used to be acceptable under GDPR before (e.g., Privacy Shield).

However, not interacting with any US-based or US-related entities at all anymore would be tantamount to ceasing almost all economic activity. So, until (or more pessimistically: unless) the US and the EU come to terms on a new agreement regarding privacy rules, there probably isn't anything a business can do on its own to completely address this issue. At this point, merely hosting data on servers physically located in the EU perhaps amounts to little more than window dressing.

Realistically, as of now your best option probably is to continue to put in your best effort to protect customer data (which might include hosting data exclusively in the EU) and document everything in the process.


It's a problem using US services, because customer IP which is protected gets leaked to an organization subject to the CLOUD Act.

Encrypt your network logs and storage with a customer managed key and keep that in your control. It matters less where the data is then.


IANAL, but you will need to get opt-in permission from EU users to transfer their data outside of the EU unless you can apply standard contractual clauses (SCCs) or get an EU representative.

Source: https://gdpr-info.eu/art-44-gdpr/

Example of an EU rep for hire: https://edpo.com/


The really scary thing with this is that bandwidth isn't free. There may be privacy preserving CDNs now that comply, but will there still be in 10 years? How would they make money besides spying?

P2P tech is also hard under the GDPR. Isn't this eventually going to cause more services to become paid?


Hi @oliv__17, I am a DPO (PhD in law) and a developer. The best advice I could give you is to host your data in the EU, of course, but also only by using the services of a company that is European itself, and not controlled or owned by a US company or person. This means that you can no longer rely on AWS or G Cloud. This is due to the fact that there is the CLOUD Act, which is not compatible with GDPR requirements about data transfers outside the EU (for more details you can also check decisions of the CNIL, the French authority for data protection, or even the one of the Austrian equivalent, ruling about the now prohibited use of Google Analytics).


A related question: if you encrypt data client side and store encrypted data in servers of American companies, do you still violate GDPR?

Also, what are security and privacy risks of storing encrypted data?


You can store data outside of the EU and keep it fully encrypted, with encryption keys that are only in the EU.

Which will make things immensely complicated though.

And of course, both data at rest and data in transit encryption.

GDPR's main point is data protection. Some 3rd world countries are stealing the idea and converting the rules to "turn the data in (in decrypted form) so I can see who's doing what".


IANAL

Customers don't have to be in EU for GDPR to apply, it applies everywhere as long as the data subject is an EU citizen. You're probably already not compliant unless you can 100% guarantee that none of your users in the US are EU citizens.

The goal of GDPR is not to enforce a technical choice of a provider/technology but to ensure the existence of processes and the validity of data collection and usage by companies on EU citizens. In essence, no it is not required to host your data in Europe but that is a possible interpretation.

First lawyer up, identify which data items are PII and which are not, make sure you have a process for article 17 (right to data erasure), appoint a DPO, make a real privacy policy stating the full extent and intent of data collection. Depending on the type of data you process, different regulations will apply in addition to GDPR (PDSG, HDS for health data; BaFin/AMF for finance in Germany/France); they vary based on industry and country, and that will impact your overall technical design, so this is prep work for everything else.

Technically I would definitely suggest having a separate database in EU and be prepared to potentially split your data among different countries as well. The processing of that data also might need to be split between US/EU and EU countries.

If you deal with data aggregation between the EU/US you might not be allowed to run some analytics that contain personal data, and will need to anonymize it and justify that process to your DPO.


Hello,

DPO for a small UK charity here. The UK GDPR, which is now a separate article of legislation to the EU GDPR by the way, specifies in Article 3 that it applies; "to the [(F2) relevant] processing of personal data of data subjects who are in [(F3) the United Kingdom] by a controller or processor not established in [(F3) the United Kingdom]..." Link to source; https://www.legislation.gov.uk/eur/2016/679/article/3

This to me suggests that even a US citizen, who happens to be in a UK airport at the time, who has data collected, falls under the UK GDPR. But it's more likely that it applies to people resident in the country, rather than just transiting.

However, the law is irrespective of nationality, opting instead to apply depending on where the data-subject is. I believe the only change to the UK GDPR from the EU GDPR is the territory to which it applies. So if your data-subjects are in the EU, their data is subject to the EU GDPR, or if they're in the UK, the UK GDPR.

Note also that the UK GDPR does not make the UK Data Protection Act (DPA) redundant, but just adds a layer on top of it. So you may want to look at the UK DPA if you're going to be handling UK data-subjects' data. Also, the UK legislation can be found at: GDPR: https://www.legislation.gov.uk/eur/2016/679/contents UK DPA: https://www.legislation.gov.uk/ukpga/2018/12/contents


No, the GDPR does not apply to EU citizens wherever they might be. That would be completely unworkable.

The GDPR applies to anyone located in the EU.


I partially agree.

https://gdpr-info.eu/art-3-gdpr/

3-1: if you're an EU citizen in the US using only a US service, then GDPR does not apply; it falls under US data protection. However, if that US service is using an EU subprocessor, then GDPR does apply.

3-2: if you're a US citizen in the EU, you're under GDPR regardless of the service you're using.

Also https://gdpr-info.eu/recitals/no-23/ : if you're a US company targeting EU residents, you fall under GDPR.


> Customers don't have to be in EU for GDPR to apply, it applies everywhere as long as the data subject is an EU citizen.

I’ve only read articles that said that the GDPR applies to EU residents (not necessarily citizens).


IANAL. I do have a certification in data privacy, although it is for the US and not Europe.

tl;dr EU-located servers are neither necessary, nor sufficient.

Recent decisions by courts and regulators (many in the past month or so) have clarified how and which data transfers from the EU to the US are in violation of GDPR. The current landscape is this: a transfer of personal data to a Controller subject to the US CLOUD Act is in violation of GDPR.

Let me go through several important things you should know:

* EU-located servers are insufficient. A fine was issued to Cookiebot (Danish) for using Akamai CDN, even though the court acknowledged the servers were located in the EU and the contract was with Akamai's EU subsidiary. A server owned by a US company is subject to US warrants, which is what violates GDPR.

* Every ruling I've read mentions the CLOUD Act explicitly. As far as I'm aware, US companies not subject to the CLOUD Act might be GDPR-compliant. Maybe. At the least, it hasn't been found illegal yet. The CLOUD Act applies to 'telecom' companies, a definition which includes Google and Amazon.

* BREXIT: The EU has an adequacy decision with the UK, meaning no special protections are needed. The UK still has an adequacy decision with the US. So if you're in the UK and only dealing with data subjects in the UK, this is not necessary for UK-GDPR compliance. In the EU, a UK-based hosting provider is totally fine, assuming they're not subject to CLOUD Act.

* The GDPR definition of "Personal Data" is nowhere in the same league as "PII," and thinking they're similar is generally a mistake. To a first approximation, PII only refers to plaintext data that can be used to commit identity theft. Personal Data is any data point that can be connected to an individual. Examples of things the courts have ruled are personal data include IP addresses, and the randomly-generated first-party cookie that Google Analytics uses to tell that two hits came from the same user (and nothing else). GDPR explicitly contrasts anonymous data with pseudonymous data, and the latter is (usually) personal data.

* There are a handful of other countries which do have an adequacy decision in place, including Israel, Japan, Canada, and New Zealand. Using companies based in those countries is easy to do from a GDPR perspective.

If you want to find out more about the current legal state of data transfers to the US (which is in a period of serious flux right now), the place to start searching is Schrems II, which is the lawsuit that forced legal recognition by the EU of the state of data privacy in the US. The recent wave of rulings (which is still ongoing) was part of 101 lawsuits filed by noyb, the non-profit started by Max Schrems to press this issue.


IANAL. You don't need to host it in the EU per se, but you must host the data in a country with similar privacy protections.

Practically, this means no US cloud hosts. I'd recommend replicating your cluster to a European cloud provider if you want to be sure. Hosted Elasticsearch and MySQL/Postgres are available in tons of European cloud providers, sometimes for a lower price than their American competitors. It's more overhead for sure, but nothing business-ending.

However, the GDPR only protects personally identifiable data. A lot of data is PII, but not all data is PII. You might not need to bother if you don't collect anything that's unique to a person (though user accounts might pose a problem even if you don't process any other PII).

Depending on the size and turnover of your business, you may also need to comply with some other GDPR requirements (privacy officer etc.), but that's usually nothing more than appointing someone within your company to deal with and take into consideration privacy concerns (something your company should be doing anyway if it's ethically managed). Your data storage will probably be a bigger problem for your business.


The definition of PII can be a bit grey. Some have deemed that IP addresses of the service provider, although not identifiable to a specific customer, can also be seen as PII, as they can allow people to be identified within a small group of users (where the IP does not resolve to a specific user). Even companies within the EU are being told that they need to be cautious about how and when they collect data, and how it needs to be stored in a secure way.


It is quite easy really. If you are not able to identify a person by IP, it is not PII. It MAY be PII for ISPs, for example, if they are able to associate the IPs to customers, so they would have to treat it as such.


The definition is:

> ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

The lack of an actor in the sentence is key. In other words, just because you can't identify the person with the data you have doesn't mean it's not PII. If a piece of data can theoretically be traced back to a person then it's PII.

GDPR is extraordinary in its attempts to be as broad as possible. As written, it covers effectively every bit of data you collect.


This was the finding of the case Patrick Breyer vs Germany in 2016.

https://www.whitecase.com/publications/alert/court-confirms-...

> What makes a dynamic IP address personal data?

> The CJEU decided that a dynamic IP address will be personal data in the hands of a website operator if:

> there is another party (such as an ISP) that can link the dynamic IP address to the identity of an individual; and the website operator has a "legal means" of obtaining access to the information held by the ISP in order to identify the individual. On the facts, if the BRD has the legal power to compel the relevant ISP to disclose sufficient information to identify Mr Breyer, then Mr Breyer's IP address will be personal data in the hands of the BRD.

The CJEU also did not ask the specific question in that case: were the BRD LIKELY to identify Mr Breyer? If this is something that you have never done before and will never do in the future, then it is not likely that you will try to identify someone by their IP.


From your cite:

>Where a piece of information (such as an IP address) does not directly identify a person, that piece of information will nevertheless be personal data in the hands of any party that can lawfully obtain sufficient additional data to link the information to a person's real world identity

In a world of data brokers that makes IP addresses PII. The only way it's not is if you verify that there is no way you can lawfully obtain additional data to link the IP to a person. I don't see how you can practically do that.


In the UK it is not even a requirement for an ISP to keep those records, but that is not the topic to address. So who is able to legally obtain that data, and is it something that you are reasonably likely to do?

You can see why people err on the side of caution.


>who is able to legally obtain that data and is it something that you are reasonably likely to do?

Any other 3rd party that has obtained their IP address and can legally share it with you. That's the problem. How do you ensure that something doesn't exist? Practically it's impossible.


No. IP addresses are considered PII. PII that in many use cases doesn't need consent (logging, spam prevention, etc.), but still PII.


> the GDPR only protects personally identifiable data

Be very careful with this - the GDPR is not just about PII. It covers any data related to someone who could be identified directly (e.g., a name) or indirectly (several anonymous traits that realistically could only be one person).

Any data related to such a person is covered, even if that data itself isn't PII. The data they've uploaded, your logs of their system activity, the support tickets they've filed, it's all covered.

The wording in GDPR Article 4.1 is: "‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"


GDPR - no.

Country specific / regulation specific - depends. You'll need to make sure what their request pertains to... effectively answering "why do you want it in the EU?".


No, you don't have to host in the EU. There is no section of GDPR that says you have to host in the EU.


IANAL - but no, you definitely don't. What you do need to have in place are safeguards that any data on EU customers not hosted in the EU/EEA is subject to the same safeguards/level of protection outside the EU that it would be inside the EU. There are "standard contractual clauses" (SCCs) provided by the EU which are the easiest thing to adopt as part of (or an appendix to) your terms of service. However, there is doubt that it's possible for a US-based firm to comply with the SCCs due to some US national security laws, which you probably do need a lawyer to review based on your specific context (data you're collecting, etc.).


I wonder what the case precedents look like around things like telemetry and BI data.

I've been working for someone who has had a hard time expanding outside of NA, so it feels like I'm living on a mountaintop, and I'm still not clear on what data can live, say, in a central accounts database.

Sharding is a solution whose scope has been diminished substantially by consistent hashing, but with all of these provenance laws it sounds like we need something that is a hybrid of the two. Irish users' data can be stored in Ireland, Germany, Greece, and Spain, but if they're sitting in a hotel room in Chicago realizing that when people said, "it's cold in Chicago in the winter" they meant, "don't go to Chicago in the winter," not, "pack your scarf and wool socks", and so they're complaining to their friends online instead of going to MoMA in the sludge, we can't pull their user data from Ontario; we have to schlep all the way back to Cork or Brest to get their account information. Which means you have some sort of hashing of shards or shards of hashing...
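The "hybrid of the two" sketched in the comment above, as an added Python example (not the commenter's code): one consistent-hash ring per jurisdiction, selected by the data subject's home region rather than by where the request arrives. Node names and regions are hypothetical.

```python
import hashlib
from bisect import bisect

# Added example, not code from the thread: a residency-aware sharding router.
# Each jurisdiction keeps its own consistent-hash ring of storage nodes. The
# data subject's *home* jurisdiction picks the ring; the request's location
# only decides whether the lookup has to cross a border to reach it.
# Hypothetical node inventory, grouped by the jurisdiction allowed to hold the data.
REGION_NODES = {
    "EU": ["db-cork-1", "db-frankfurt-1", "db-athens-1", "db-madrid-1"],
    "US": ["db-oregon-1", "db-virginia-1"],
}

def _hash(key: str) -> int:
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")

class ResidencyRouter:
    def __init__(self, region_nodes, vnodes=128):
        self.vnodes = vnodes
        self.region_nodes = {r: set(ns) for r, ns in region_nodes.items()}
        self.rings = {r: self._build_ring(ns, vnodes) for r, ns in region_nodes.items()}

    @staticmethod
    def _build_ring(nodes, vnodes):
        # Virtual nodes spread each physical node around the ring for balance.
        points = sorted((_hash(f"{n}#{i}"), n) for n in nodes for i in range(vnodes))
        return [p[0] for p in points], [p[1] for p in points]

    def route(self, user_id: str, home_region: str, request_region: str):
        keys, nodes = self.rings[home_region]
        node = nodes[bisect(keys, _hash(user_id)) % len(keys)]
        # Guard: the node must sit in the home jurisdiction, never the one
        # nearest to the request. Residency is a property of the data subject.
        assert node in self.region_nodes[home_region], (node, home_region)
        return node, request_region != home_region  # (shard, cross-border hop?)

    def remove_node(self, region: str, node: str) -> None:
        # Consistent hashing: only keys that hashed to this node are remapped.
        self.region_nodes[region].discard(node)
        self.rings[region] = self._build_ring(self.region_nodes[region], self.vnodes)

def demo():
    router = ResidencyRouter(REGION_NODES)
    users = ("alice", "bob", "carol", "dave", "erin")
    # Irish users hitting the service from Chicago still land on EU shards.
    before = {u: router.route(u, "EU", "US")[0] for u in users}
    router.remove_node("EU", "db-cork-1")
    after = {u: router.route(u, "EU", "US")[0] for u in users}
    # Users who were not on Cork keep their shard; only Cork's users moved.
    unexpected_moves = [u for u in users if before[u] != "db-cork-1" and before[u] != after[u]]
    return before, after, unexpected_moves
```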


In my opinion, even hosting a server in Europe is not sufficient, thanks to the PATRIOT Act and GDPR. However, it seems to me that this is the current generally acknowledged practice until it is sorted out by governments and courts.

