# Storing European User Data on USA Servers



## fred974 (Oct 15, 2015)

Hello all,

I have been reading this article but I am struggling to understand it all.
I have a mail server running in the USA VPS at the moment and I would like to know if I need to find another provider in Europe to host my email or not as my customer are mostly in the UK.

I know its not strictly a FreeBSD question but I am hoping that someone could help me understand it all.

Thank you


----------



## obsigna (Oct 15, 2015)

Well, IMHO, this is an interesting question for FreeBSD, since a large part of the FreeBSD installations are servers, and the services on servers are known to  treat and store user data.

3x breathe deeply 3x and each time read the 1st paragraph of the summary of the article to which you provided the link:


			
				https://www.wordfence.com/blog/2015/10/european-data-on-usa-servers-safe-harbor/?utm_source=list&utm_medium=email&utm_campaign=safehrb said:
			
		

> *Exec summary: *If you are storing European visitor data on servers based in the USA (most busy WordPress sites are), you are exporting “personally identifiable information”, or PII, of users in Europe to the United States. European law does not allow exporting of user PII unless companies can demonstrate they will protect European user’s privacy and data. About 15 years ago the USA and Europe came up with the US-EU Safe Harbor agreement which has allowed US companies to store European data legally. The agreement was invalidated by the European courts last week.



The important exemption condition in the new situation, after the Safe Harbour agreement has been invalidated by the European Court of Justice, is:

*..., unless companies can demonstrate they will protect European user’s privacy and data.*

Depending, on how you set up your VPS, said demonstration might be quite easy or can be somewhat difficult:

If the file systems containing user data are encrypted, and the US provider would not know the keys by any means, then you may easily demonstrate that the user's privacy and data are completely under your control and protected by you, of course adhering to the respective laws in the UK.


If the US provider can access unencrypted data or encrypted data after he obtained somehow access to the keys, then, even if it would violate the service contracts, the situation becomes serious, because for the European Court of Justice and for any European Citizen, the US habit of issuing NSLs combined with gag orders is definitely unacceptable, and IMHO this bad habit is the culprit why Safe Harbour was cancelled. (Wikipedia: "The (US) government has issued hundreds of thousands of such NSLs accompanied with gag orders ").
If the provider can obtain the keys of the encrypted FS or if there is no encryption at all, then either store only encrypted data on the VPS, or go out of the US.

Big companies with a huge user base might want to consider a proactive action for a Declaratory Judgement against the local Data Protection Authority.


----------



## junovitch@ (Oct 16, 2015)

There's no FreeBSD Forum rule that covers this and this is the off topic forum.  With that said please apply common sense here.  I would speculate that there are few if any lawyers who happen to use the forums and the likelihood of them being licensed to practice law where you live is small.  Please keep that in mind and consult a real lawyer before you put your business at risk.


----------



## Deleted member 9563 (Oct 16, 2015)

fred974 said:


> I have a mail server running in the USA VPS at the moment and I would like to know if I need to find another provider in Europe to host my email or not as my customer are mostly in the UK.



It seems to me that you could save a lot of work for yourself, or money for legal advice, if you simply move your server. Then you don't have to worry about it.



junovitch@ said:


> I would speculate that there are few if any lawyers who happen to use the forums and the likelihood of them being licensed to practice law where you live is small.



Agreed, but there may well be people here who operate servers and who have had to deal with this. Their experience could be valuable.


----------



## junovitch@ (Oct 16, 2015)

OJ said:


> ...
> Agreed, but there may well be people here who operate servers and who have had to deal with this. Their experience could be valuable.


Concurred, which is why I just wanted to prefix the discussion with the helpful reminder to make responsible use of the knowledge gained and not get in the way of the conversation.   Please carry on.


----------



## fred974 (Oct 24, 2015)

Thank you very much everyone


----------



## fred974 (Oct 25, 2015)

Hi getopt,

Thank you for pointing out the spelling problem...
I haven't got a firm solution. I am trying to work it out and people on the forum has given me their point of view which I am taking into account.
At the moment obsigna encryption idea is the solution that I am exploring.

If anyone has more to say on this topic, I will reopen the thread.


----------

