I don't even want your data. I use no Google Analytics, don't collect anything not required for operation of the services, and also don't sell the non-existent data to anyone.
But the thing is these laws keep escalating. Now it's apparently illegal for EU companies to use any American services _at all_ because your IP must be protected? Even though that's required for basic operation of any web-based service? Even though there is little to nothing dangerous the other side can actually do with this information?
For example, Cloudflare services are absolutely essential for cost-effective delivery of content. As far as I'm aware, there are no EU-based competitors with pricing in the same order of magnitude. It'd make my company non-viable if I couldn't use it.
It's more subtle than that. There are six possible bases for processing personal data, one of which is:
> processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
So you can use the IP address to serve a webpage, operate a proxy, etc. You just can't use the IP address for any other purpose unless there's a lawful basis for it (i.e., you can't send it to Google Analytics without first getting user consent).
It does force a change in mindset, but it's not the burden you might think.
Ironically, the legislative problem we're facing now is not the GDPR, it's the US CLOUD Act, which allows the US Government to be able to force US-controlled companies to transfer data from anywhere in the world.
This applies to you processing the personal data, but not you transferring it to an American provider, which is entirely illegal even if necessary for the operation of your service.
The "trans-atlantic data privacy framework" can't come soon enough to finally end this farce. In the meantime, it seems like the most useful thing to do is just ignore all this.
Ain't nobody got time for all this uncertainty. And the chance of any of these regulators suddenly caring about your particular company before it's solved for good is quite low.
> This applies to you processing the personal data, but not you transferring it to an American provider, which is entirely illegal even if necessary for the operation of your service.
At worst unlawful, not illegal, but even then, there's subtlety. Most transfers to the US rely on Standard Contractual Clauses, which are being invalidated, but on a case-by-case basis.
No, using an American service provider is not illegal. However, feel free to ignore all this, be one more line in https://www.enforcementtracker.com/, it brings Europeans great joy.