
RE: [newtech-1] EU US data issues

From: Dean C.
Sent on: Thursday, October 8, 2015, 7:10 AM
Jerry/Stefan,

Thanks for responding. My question, though, is that even though these EU customers are paying with European credit cards....isn't the nexus where the server is located (possibly where the payment processor is located)?

So if BuildingLink locates its servers "in the USA" and it's complying with all relevant USA laws, then if European customers choose to purchase an offshore app.....then it's their choice and doesn't in effect cause BuildingLink to break EU laws if its customers are located in a different geography, as you are providing a server-based application and those servers are located in the USA.

It's a similar issue to the recent Australian "Netflix tax" https://blog.colli... - how the ATO (e.g. Australian version of the IRS) think they are going to get away with jurisdiction is going to be interesting.

I just don't see how EU data laws apply to a server located in the USA.



Regards,

Dean Collins
Cognation Inc
[address removed]
[masked]	New York
[masked]	(Sydney in-dial).
[masked] 	(London in-dial).


-----Original Message-----
From: [address removed] [mailto:[address removed]] On Behalf Of Jerry Kestenbaum
Sent: Thursday, October 08,[masked]:55 AM
To: [address removed]
Subject: Re: [newtech-1] EU US data issues

A belated clarification on a topic that emerged and was discussed earlier this week:

I've worked with many property management companies and condominium boards of directors outside the US, who use or want to use the BuildingLink system for managing their buildings. My understanding, both in terms of EU data privacy laws and parallel regulations like PIPEDA in Canada, is that the regulations address the people or entities that are holding personal information and who wish to transfer it to another entity. So for example, even though BuildingLink (or Gmail, for that matter) as a U.S. entity is not subject to these regulations, a French management company or a Canadian condo board of directors who chooses to use our system, which involves placing a certain amount of personal data which is entrusted to them into our hands or on our servers (resident listing and contact info) must ensure that in placing it they are compliant with the regulations.

So what happens with these regulations is that they push EU customers to try to find different service vendors than the free-market would present to them. It is not the US vendors that are regulated, it is their EU customers. It just affects the vendors as a result.

You may ask - "but don't they all use Gmail, and other cloud providers, which results in the personal data they may be emailing about or to getting stored or backed up everywhere?" and the answer is "Yes"; it is fairly impossible for most companies to comply with this, and that's why the "Safe Harbor" provision was important - it was a standard by which US companies could say "okay, based on this certification, you can give us your data and be protected". Without it, very weird situation right now going on.

The U.S.-EU Safe Harbor Framework was developed by the Department of Commerce in coordination with the European Commission. The U.S.-EU Safe Harbor Framework provides guidance for U.S. organizations on how to provide adequate protection for personal data from the EU as required by the European Union's Directive on Data Protection.

The disconnect is that the privacy laws are meant to protect EU individuals' rights regarding how other entities handle and protect and release that data, and the Safe Harbor provision was put in place to help those EU entities be able to conduct their business which involves working with that personal data and also sharing it with other companies, so the courts said "the Safe Harbor provision is for the EU entity's benefit, but at the expense of the individual's rights and therefore violates the privacy rights of the individual, and the business needs of the EU entities are not the concern of the court". So if this doesn't get reversed, they'll probably have to legislate a "Safe Harbor" equivalent as a matter of law, and limit individual data privacy rights accordingly. But that will take time. So for now - technically - most EU companies using Gmail, Google spreadsheets - for storing employee contact info or payroll, using Salesforce etc. - are probably not in compliance.

You can find the very long list of companies that relied on the Safe Harbor provision here: https://safeharbor...


Jerry Kestenbaum
BuildingLink.com 
85 Fifth Avenue - 3rd Floor
New York, NY 10003

(212)[masked] ext. 503
[address removed] 
www.buildinglink.com­ 



------------------------------------
On Tue, Oct 6, 2015 at 11:07 AM, Stefan Dunkelgrun <[address removed]> wrote: 

My understanding (and I could be wrong) is that if companies generate revenue in the EU, they become subject to EU laws.  That would mean that, while your solution would work on a technical level, it wouldn't work on an economic level. 

--------------------------------------

On Oct 6, 2015, at 10:17 AM, Dean Collins <[address removed]> wrote: 

Can't USA-based companies just keep their servers here in the USA and then there isn't an issue....e.g. a USA server is the nexus for the data that is interacted with users in Europe....?

- https://www.abc.ne...­   

Regards, Dean Collins 
Cognation Inc 
[address removed] 
[masked]    New York 





--
This message was sent by Meetup on behalf of Jerry Kestenbaum (https://www.meetup...­) from NY Tech Meetup.