from Hacker News

Shopify Is Illegal in Germany

by wusel on 11/11/22, 2:31 PM with 337 comments

  • by shafyy on 11/11/22, 3:28 PM

    All EU companies sending any PII to US-owned companies, regardless of whether the actual data stays in the EU or not, are in danger of being sued similarly to the author of this post. This is, among other laws, because of the US CLOUD Act:

    > The CLOUD Act primarily amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil.

    So, it's not a Shopify specific issue.

    https://en.wikipedia.org/wiki/CLOUD_Act

  • by fxtentacle on 11/11/22, 3:22 PM

    I believe the authorities are correct here.

    Shopify is sending all personal data to CloudFlare, CloudFront (Amazon) and Fastly, so 3 US companies. They could sign so-called "data processing agreements" where they promise to safeguard personal data. But the Shopify FAQ explicitly states that they are unwilling to do so.

    As a result, Shopify is legally considered to not be processing data under the instructions of the shop owner, because they didn't sign the processing agreement. Instead, Shopify is legally considered to be the owner of the user data. And that's a problem with EU clients because they are a US company working with US CDNs.

    Still, all of this could easily be rectified by Shopify if they would just care enough to sign the correct paperwork.

  • by ghoward on 11/11/22, 3:50 PM

    Mini Ask HN: How would a small company, say a code forge, that is based in the US ensure that it is operating such that it is legal to have EU customers?

    All operations will be in the US (interaction only through a website). The forge will be designed to allow all of a user's data to be downloaded by that user (easy access to all data). It will also allow wiping away any reference to a user in commits (right to be forgotten).

    But PII does need to be collected, such as username, password, IP address, public keys, etc. There are zero plans to collect anything that is not needed; only the minimum data needed will be collected.

    Edit: Oh, and the forge would not send data to third parties at all, unless such third parties are cloning code, but then they would be users, right?

    Would it be legal to accept EU customers? If not, would there be anything to do to make it legal?

  • by generationP on 11/11/22, 3:30 PM

    Wait, does this imply that running a website behind CloudFlare is illegal in the EU? After all, webshop or not, IPs will be transmitted...

    Or are IPs only a problem in connection with getting user data like name and address? Or is it the IP+cookie combo?

  • by wusel on 11/11/22, 2:31 PM

    Sorry for the German only link, but this is from today and didn't make the rounds yet. It is not really about Shopify itself, but about the use of CDNs - which would be even more worrisome. Shopify Support couldn't help the shop owner.

  • by TekMol on 11/11/22, 4:35 PM

    If using a CDN that is owned by a US company is illegal in Germany, then how can Germans run international websites?

    How would it be possible to hide a host that is behind CloudFront from Germans? I don't think it is possible. Even if you run an extra host like www.yourdomain.de for Germans, they could still type www.yourdomain.com into their browser and this alone would cause TCP packets to flow from their machine to CloudFront. There is no way to avoid this.

    What can German indiemakers do now? Register a company outside of the EU?

  • by still_grokking on 11/12/22, 4:55 AM

    This is a tempest in a teapot.

    We (still) don't have any court ruling here.

    Of course more or less all US based cloud services are illegal in the EU currently. At least in theory. That's no news. (CLOUD Act & Co. was pointed out already by others).

    But until we have some crystal clear rulings from the highest courts that actually get enforced, this makes no difference.

    The main point why this illegality does not matter in practice: Our own governments are using AWS and MS products, and all such stuff. They're completely in vendor lock-in there, and they could not change that for (at least) the next one or two decades, even if they started right now trying to replace this stuff. But of course nobody even thinks about changing anything in this regard…

    They put hopes in the next, also clearly illegal, version of the "safe harbor" regulations that's about to surface "soonish". When implemented it will take again 5 to 10 years to go through all legal instances to finally find out that a "safe harbor" agreement, no matter how you call it this time, is still fundamentally incompatible with EU law. But they will win this way another 5 to 10 years!

    Then this game will start anew, and they will first ignore the law and the court ruling (like they do currently with the last one), then the EU government will try to implement the next version of "safe harbor", or something like that, to "avoid further legal uncertainty", and then it will take another 5 to 10 years to sue that into oblivion. And so forth. (We're currently already in round three of this shit show!)

    The linked post would be much more interesting if this case actually went to court.

    But of course Shopify is not interested in this. They're just waiting for the next "safe harbor"; like everybody else.

    Of course they won't stop doing business in the EU. Exactly like MS, AWS, Apple, Meta, and the like, won't. Because there is just nobody to actually enforce the law as more or less all EU governments are also violating it.

  • by notamy on 11/11/22, 3:16 PM

  • by Aerroon on 11/11/22, 3:43 PM

    With all of this popping up: how are you even supposed to run an internet service in the EU? Do you have to write all pieces of the software yourself or what? Since all the big services seem to be off-limits.

  • by gok on 11/11/22, 3:58 PM

    The EU is trying to copy China's playbook of propping up local service providers by imposing impossible-to-follow rules on foreign tech companies.

    In both cases, the rest of the world should retaliate by limiting access to advanced technology until laws change.

  • by blueflow on 11/11/22, 3:34 PM

    Not unsurprising. At work (Germany) we are forbidden to use any US cloud services, I wonder why this hasn't been the new normal yet.

  • by lagrange77 on 11/11/22, 3:44 PM

    Does this generalize to every US hoster, when used by an EU publisher? I mean, it's impossible to get consent or even information disclosure for the exposure of IP info, since the consent banner logically is loaded over that IP connection.

  • by photochemsyn on 11/11/22, 3:58 PM

    Corporations are increasingly multinational, and the stated 'national affiliation' is really just 'flag-of-convenience' (a notion that probably arose in the global marine shipping industry, but which has spread everywhere). Look at the number of businesses incorporated in Delaware or other states that provide additional layers of legal shields as another example.

    As far as this, it's probably related to this story from one month ago (Oct 7 2022):

    https://www.reuters.com/business/retail-consumer/eu-says-sho...

    > "Shopify committed to change the design of its templates to include fields for company information and contact details, to provide clear guidance to traders on relevant EU consumer law and to provide company details about any EU trader when requested by any national consumer authority. The company also agreed to take down web shops in breach of EU consumer law, as well as to provide the relevant company details."

  • by Barrin92 on 11/11/22, 3:31 PM

    Two issues are mentioned in the post. One is a rather boring cookie consent issue which the user was able to solve; the thornier one is that Shopify's use of American CDNs runs into privacy issues. A user in the comments points out that the Trans-Atlantic Data Privacy Framework, which is basically the next iteration of Privacy Shield (which was canned in 2020), will probably alleviate these issues.

    Personally I think though the onus should be on Shopify. Although only 20% of their revenue appears to be in the EU region, I think that warrants managing users' private data locally.

  • by openplatypus on 11/13/22, 7:04 PM

    That's why we host everything in the EU, with EU cloud.

    Cloud: OVH. CDN: OVH. Email/support: HKN. ... and few other smaller ones.

    You do not need AWS/GCP to be successful.

    Just shop around. Solutions we picked ended up being cheaper and friendlier (human support) than US counterparts.

    https://wideangle.co/blog/saas-business-without-us-cloud

  • by throwaway13337 on 11/11/22, 3:46 PM

    Though the intentions of GDPR were good, following the GDPR to the letter is not feasible for any company that isn't a monopoly. We're in a situation where no one is following it all the way as it's not even clear what that means.

    More of the same will continue and the GDPR will only be used coercively as an attack against competition or companies others don't like.

    It's really a major blow for small businesses that want to work in the EU. EU desperately needs more small tech business so it's quite sad.

    I would love a law that said what people think GDPR says. That you have to tell people if you were selling their data to third parties and to please not do that. This is simply not what GDPR is in practice.

    The road to hell is paved with good intentions.

  • by erik1332 on 11/11/22, 4:12 PM

    When this Google Fonts stuff came up here in Germany, I was wondering if using CDNs also needs permission first. I did some googling for my Ghost blog with no clear solution (the standard Ghost blog uses jsdelivr). After reading the text: you need permission to load scripts etc. through CDNs.

    This is bad, since most of the software does not offer to locally host the required scripts.
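
A way to find out what the comment above is worried about, namely which external hosts a page loads scripts, stylesheets, fonts and images from (and which therefore see every visitor's IP address before any consent banner can appear), as an added example that is not from the commenter or from Ghost. The page URL blog.example, the host static.example-cdn.test and the sample HTML are constructed for the example; cdn.jsdelivr.net and Google Fonts are the services named in the thread. The output is the list of third parties you would have to self-host or drop.

```python
"""Inventory the third-party hosts a page makes a browser contact.

Added example, not code from the thread or from Ghost. Parses HTML with
the standard library only, collects every resource-fetching reference
(script/link/img/iframe/media attributes plus url(...) in CSS), resolves
it against the page URL and reports hosts other than the page's own.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch something, per element.
FETCHING_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src", "srcset"),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
}
# <link rel=...> values that cause a fetch or at least a connection/DNS
# lookup; rel="canonical" or rel="alternate" do not contact the host.
LINK_RELS_THAT_FETCH = {
    "stylesheet", "preload", "modulepreload", "prefetch", "icon",
    "shortcut", "apple-touch-icon", "manifest", "preconnect", "dns-prefetch",
}
# url(...) inside <style> blocks and style="" attributes (fonts, backgrounds).
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)")


class ResourceCollector(HTMLParser):
    """Collects raw resource references; resolution happens afterwards."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "style":
            self._in_style = True
        if tag == "link":
            rels = (attrs.get("rel") or "").lower().split()
            if not LINK_RELS_THAT_FETCH.intersection(rels):
                return
        for name in FETCHING_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            if name == "srcset":
                # srcset is "url 1x, url 2x": keep only the URL of each candidate
                for candidate in value.split(","):
                    parts = candidate.split()
                    if parts:
                        self.urls.append(parts[0])
            else:
                self.urls.append(value)
        if attrs.get("style"):
            self.urls.extend(CSS_URL_RE.findall(attrs["style"]))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # <style> content arrives here as one CDATA chunk.
        if self._in_style:
            self.urls.extend(CSS_URL_RE.findall(data))


def third_party_hosts(html, page_url):
    """Return the sorted list of hosts, other than the page's own, that
    rendering this HTML would make a browser contact."""
    parser = ResourceCollector()
    parser.feed(html)
    own_host = urlsplit(page_url).hostname
    hosts = set()
    for ref in parser.urls:
        ref = ref.strip()
        if ref.startswith("data:"):  # inline data, no network request
            continue
        host = urlsplit(urljoin(page_url, ref)).hostname
        if host and host != own_host:
            hosts.add(host)
    return sorted(hosts)


# Constructed sample page, modelled on a blog theme that pulls from CDNs.
PAGE_URL = "https://blog.example/"
SAMPLE_HTML = """<!doctype html><html><head>
<link rel="canonical" href="https://blog.example/post/">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Inter">
<style>@font-face{font-family:X;src:url("https://fonts.gstatic.com/s/x.woff2")}</style>
<script src="https://cdn.jsdelivr.net/npm/some-lib@1/dist/lib.min.js"></script>
<script src="/assets/app.js"></script>
</head><body>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="">
<img src="/local.png" srcset="//static.example-cdn.test/hero.png 2x" alt="">
</body></html>"""

if __name__ == "__main__":
    for host in third_party_hosts(SAMPLE_HTML, PAGE_URL):
        print(host)
```

Running it on the sample prints cdn.jsdelivr.net, fonts.googleapis.com, fonts.gstatic.com and static.example-cdn.test; the canonical link, the data: image and the same-origin assets are correctly left out. Run it over your own rendered pages (the served HTML, not the template) to get the list of hosts that would need a local copy.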

  • by someweirdperson on 11/11/22, 4:14 PM

    While reading this story, the TV running in the background was showing an ad from Shopify (German TV channel).

  • by keewee7 on 11/11/22, 5:15 PM

    As an EU citizen I support EU legislation to protect our privacy.

    However, can some Americans tell when your lawmakers will consider this to be protectionism and throw retaliatory measures against EU companies? Because I don't think they're going to repeal the CLOUD Act anytime soon.

  • by kypro on 11/11/22, 5:22 PM

    Last time I checked half the internet is either illegal or blocked in the EU - is this even news?

    It's kind of ingenious. If you make practically every online service illegal then instead of taxing your citizens you can just fine foreign companies for doing business with you.

  • by captainmuon on 11/11/22, 4:07 PM

    It is ridiculous that data protection officials focus on CDNs, third party resources and cookies. And at the same time it is totally legal for Google to collect advertising data from some random websites so they can create a profile that follows you around. All that sites have to do is to put up obnoxious cookie banners that nobody reads.

    If they were really concerned about my privacy, they would ban creating cross-product profiles for advertising purposes. I don't care at all that some CDN gets my IP, or that some website uses cookies to count users.

    Also I don't care if somebody stores my data on Google Docs or Office365. If Google or MS go rogue and employees there do shenanigans with my data, we have bigger problems. They control the OS anyway. It makes more sense to regulate the "happy path" assuming they are law abiding, and just say you can't do targeted ads for European users.

  • by whywhywhydude on 11/11/22, 3:42 PM

    For people who are unaware, Shopify is a Canadian company and they use CDNs just like most of the highly trafficked websites in the world. Most CDNs just happen to be owned by US based companies.

  • by RcouF1uZ4gsC on 11/11/22, 4:31 PM

    This is getting ridiculous. The EU is waging a protectionist war on US tech companies.

    The US should ban all EU produced cars from the US until the EU figures out a solution.

  • by keewee7 on 11/11/22, 5:06 PM

    What are the current options for EU companies that use Cloudflare? Can we keep using Cloudflare?

  • by OJFord on 11/11/22, 5:53 PM

    Doesn't this reduce (from the slightly convoluted shop->Shopify->CDN case here) to simply using say AWS as an EU company, or just being a US company?

    Assuming you have some kind of PII to store, the US CLOUD Act essentially means AWS (or whatever US company) can't possibly (no matter which region you use or anything like that) GDPR-compliantly act as a third-party data processor or whatever the terminology is?

    In which case... someone (as in country, legislation) is clearly going to back down? UK government sites take plenty of PII and run on AWS...

  • by sleepybrett on 11/11/22, 5:26 PM

    My American bank has been rejecting payments to Shopify for the last few weeks because of some kind of fraud spike revolving around them.

  • by jmartens on 11/11/22, 4:41 PM

    Europe is ruining the internet.

  • by 6510 on 11/11/22, 3:38 PM

    Pretty incompetent to communicate the issues with the shop rather than the platform.

  • by TekMol on 11/11/22, 5:12 PM

    Who decides what is legal and what is illegal?

    The politicians, the courts, or agencies like the one that sent the letter to the author of this article?

    I would say it is the politicians. By making laws.

    Since the GDPR is the same in all EU countries, Shopify is either illegal in all EU countries or in none, right?

  • by Fire-Dragon-DoL on 11/11/22, 4:36 PM

    I'm somewhat concerned about an app I host.

    It's on DigitalOcean and serves only EU customers. DigitalOcean says they are fully GDPR compliant, but given the CLOUD Act this seems impossible.

    What alternatives are available in Europe? It will be really frustrating to migrate.

  • by thejoeflow on 11/11/22, 5:14 PM

    TL;DR?