GDPR new European privacy laws compliance?

[opoloko]

Hi

I have two managed VPS SSD on Knownhost, and both for European based companies with some personal data.

Is Knownhost GDRP compliant on US Data Centres or I need to move those VPS to European Data Centre? It would be a quite laborious process as he have loads of personalised configurations, so I'm wondering if it's needed or the US data centres will be anyway GDRP compliant in terms of personal data.

Thanks!

 

[KH-DanielP]

Hi there,

Thanks for your question. We are in the process of completing our US-EU privacy shield registration which covers the transfer of data from the EU to the US so there should be no issue with your data remaining on our US servers.

The only personal data we "control" would be that of your billing account. Any data you load onto our servers is 100% yours to control and handle as you see fit. This places us in the eyes of the GDPR as a 'processor' and not a 'controller' as we do not determine what is done with the data on your VPS, you do as a customer. We do not use any data loaded on your VPS and during the process of registering with the Privacy Shield our Privacy policy will be amended to address this specifically for our European customers.

As the GDPR is still very new, and not actually law yet things may change, and I do expect them to as companies across the globe begin to challenge the GDPR in courts but only time will tell for that regard.

 

[opoloko]

Hi Daniel,

thanks a lot for your detailed reply.

You are right saying that you are only a processor not a controller. I think one of the problems as processor is to be sure that if for any reason US government ask to access this data (of which we are controllers) then you have the means to refuse as they are protected under GDPR.

Will you post an update here on this thread or on your website or via email for your European customers about US-EU privacy shield for GDPR compliance?

Do you have any ETA considering that the new law will be officially valid on 25th of May?


Thanks again, I think this might help lots of existing or new EU customers of your great company.

 

[KH-DanielP]

I think one of the problems as processor is to be sure that if for any reason US government ask to access this data (of which we are controllers) then you have the means to refuse as they are protected under GDPR.

The GDPR specifically allows for MLAT treaties to be used when requesting the data, without notice being provided to the customer. The US has this agreement with many European countries but not all. This also only deals with PII from members of the EU and not run of the mill data and/or data not concerning EU members so the situations will vary depending upon the target of the data, the request etc. While I cannot give exact numbers, and it doesn't bypass the fact of the GDPR, but we deal with very very few such requests in general, and I can only think of a hand full that would revolve around EU data.

One also has to consider the CLOUD act which has passed in the US. This is what we are waiting on resolution for concerning any GDPR compliance. As it stands, any US company, be it Microsoft, Google, Facebook, Amazon, Cloudflare etc, regardless of where the data is stored around the globe, must disclose it if the criteria of the CLOUD act have been met. This does put sections of the GDPR at direct odds with US law and any company that has headquarters or a significant branch within the US (Basically meaning there's very few companies globally that aren't impacted by this). We expect this to be addressed between the EU and US with a special agreement in this regards but only time will tell.

We do treat our customers data with the utmost respect and our internal policies do align mostly with the GDPR especially as a processor we will continue to evaluate things. I do anticipate the Privacy Shield to be in place before the 25th of May and/or shortly there-after. We'll likely do a forum post or similar and Privacy Shield details will be listed on our website, privacy policy etc.

 

[Marcel Lamers]

From what I understand is that we as data controllers have to sign an agreement with you as data processors.
Are you willing to sign such an agreement?
regards,
Marcel Lamers

 

[KH-DanielP]

Hi Marcel,

Our privacy policy will act as that agreement which is included with the TOS that are agreed upon for continued usage of services. The GDPR is very vague on those agreements and we do fully expect many changes to come to the GDPR within the next few years as they attempt to put the law into practical use so we will keep an eye on things as it develops.

 

[Marcel Lamers]

OK, would have to check if the privacy policy legally holds as a controller-processor agreement.
Thanks,
Marcel and not Michael

 

[KH-DanielP]

OK, would have to check if the privacy policy legally holds as a controller-processor agreement.
Thanks,
Marcel and not Michael

@Marcel Lamers

Apparently I needed more coffee this morning, apologies for that

From the advice we have been given, and how the industry is moving as a whole, everything is being included with the terms of service and/or privacy policy in regards to that agreement.

 

[Marcel Lamers]

That would be great since you are the best webhoster I ever met!

 

[KH-DanielP]

That would be great since you are the best webhoster I ever met!

GDPR is this big spindly mess of rules and regulations that's for sure. But at the heart of it, is simply how user data is handled. Simply put, aside from limited storage backups that we take of your account (be it shared, vps, cloud) we don't do anything with the user data you upload to your VPS. So for our side of things it keeps it fairly simple. We also already list how long backups are kept for in our TOS for each service so in a nut shell our TOS as-is should suffice with the privacy policy changes going into place.

We will of course keep an eye on things moving forward as well.

Disclaimer* I am not a lawyer and the above is not legal advice

 

[waiheke5]

Hi there,
is there any update on this from KnownHost, regarding the Privacy Shield application?

Thanks.

 

[KH-DanielP]

Howdy @waiheke5 We're basically awaiting the final confirmation from PrivacyShield.gov, everything else is done on our part it just seems they like to sit on applications for a while.

 

[GreatMarko]

According to the official Privacy Shield website, KnownHost were Privacy Shield certified on 7/3/18, however, this has expired/been withdrawn/is inactive since 8/2/19. Is there any reason for this @KH-DanielP

 

[KH-DanielP]

According to the official Privacy Shield website, KnownHost were Privacy Shield certified on 7/3/18, however, this has expired/been withdrawn/is inactive since 8/2/19. Is there any reason for this @KH-DanielP

@GreatMarko that is correct. The EU-US Privacy shield for the most part turned out to be a sham to allow a select few certification companies to profit greatly while providing no real benefit and very little regulatory coverage.

KnownHost always has and always will hold it's customers data in the highest regard and does not disseminate any customer uploaded data outside of the KnownHost network. We stand behind our commitment to our customers and our privacy policy in that regard.

Thanks

 

[GreatMarko]

So it's been 3 years since this was last discussed, but it seems that the UK/EU's GDPR position in relation to the US has shifted somewhat, so it would be really useful to understand Knownhost's current position.

Now, my understanding a few years ago was that The European Commission had made an "adequacy decision" with respect to the data protection laws of other countries, including the US, and so if UK/EU customers hosted with KnownHost in the US, they were covered by this exception.

However, revisiting this a few years later, it appears that this original "adequacy decision" in respect to the US has since been revoked.

Back in 2015, the original US "Safe Harbor" framework was declared invalid by the European Court of Justice (ECJ) following a ruling in the Schrems v Data Protection Commissioner case. The central issue identified in the case was that the US failed adequately to protect personal data from interference by US national surveillance authorities.

The Safe Harbor Framework was then replaced in 2016 by the EU-US Privacy Shield (which as mentioned earlier in this thread, KnownHost originally signed up to, and then withdrew from).

However, in July 2020, the ECJ declared the Privacy Shield to be invalid in its ruling in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems. Again, the ECJ highlighted shortcomings in the protection from interference with personal data in US national security laws, specifically noting that the rights of data subjects were not actionable before the courts.

Accordingly, there is presently no EU-US or UK-US "adequacy decision" in place in regards to GDPR.

On 25 March 2022, the European Commission and the United States announced that they have agreed in principle on a new "Trans-Atlantic Data Privacy Framework", however this is still only in an "agreement in principle" stage, so it has not yet come into affect.

So in short, how can UK/EU based customers hosting with KnownHost in either the Atlanta or Seattle data centers be compliant with GDPR currently?

 

[The German]

Why is it KH's responsibility to support EU customers with their efforts to be GDPR compliant? The customers control their environment and who has access to it, they decide how to encrypt data, how to enable data removal out of their software etc. From a KH perspective, they should not even care about GDPR as it is not applicable to them.