It's been asked by multiple people in the thread, but I'm not clear on the answer.
If I host a website that has user accounts in the US, and do not stop people from the EU from registering, do I, with no offices outside the US, need to do something different because of this ruling?
This only applies if you have EU users submitting data to EU servers and then you want to move that data to another jurisdiction, namely the US.
If your user is submitting their own personal information to servers outside the EU, that's their lookout. That's what seems to apply to you. Carry on. Nothing to see here.
But if they're submitting to one of your nodes within the EU, they can consider that the data will continue to benefit from the protections being in the EU affords it. Moving it to the US without their permission does not abide by the EU protections.
That's not what my lawyer says. Our servers are only in the US and we were instructed that if we were to accept European customers we needed to go through the Safe Harbor process.
So wait - if Facebook, Google, etc. just made sure that every time an EU user submitted personal data, it was routed to US servers rather than EU ones, they would not be in violation of EU privacy law? What if they then send that data to the EU servers?
Then (from the company's perspective) I've accomplished the same ends, at a cost to the user (latency), and gone from illegal to legal.
I'm not a lawyer, but I think that if you are a US resident or the company you run is incorporated in the US without any offices or hosting in the EU, then you are not bound by EU data protection law.
You ought to obey EU data protection law for EU registered people.
This would perhaps include deleting data that customers ask you to delete, not storing personal data without direct permission, nor when you no longer need it to provide your service, etc.
> (a) 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
You may just put in your T&C that nobody from the EU can use the site. No one will read it. No one will obey it. But it should be enough for lawyers to chase each other's tails in any case.
Perhaps. AFAIK click-through EULAs are not valid in most (all?) EU/European jurisdictions. Not sure about the presumably free blog -- but at least for things like e.g. collecting personal data in an application/operating system (like Windows 10) -- you can't just pretend your users are at fault for clicking through a wall of legalese.