
WHMCS and GDPR


yggdrasil


I wonder what most WHMCS customers are going to do now with WHMCS if they are not hosting in Europe?

As far as I know, WHMCS can't split database tables based on the country of the user and last time I checked it does not work in an HA or failover mode. Some users here even complained about sessions and other stuff not working with a load balancer. And this would require an Active <> Active setup.

One of the GDPR conditions if memory serves me right (I may be wrong) is that data from EU customers have to be stored in the EU. Sure, no problem, just move your site to an EU server you might say...

Now, wait until the US enacts a similar law that forces you to store American customers' data in the US. How is your WHMCS installation supposed to work now?

24 minutes ago, yggdrasil said:

One of the GDPR conditions if memory serves me right (I may be wrong) is that data from EU customers have to be stored in the EU. Sure, no problem, just move your site to an EU server you might say...

I don't think that's correct - GDPR applies to wherever in the world the data is stored for an EU Customer.

29 minutes ago, yggdrasil said:

Now, wait until the US enacts a similar law that forces you to store American customers' data in the US. How is your WHMCS installation supposed to work now?

if such a rule was brought in, some solution would be figured out... but it's not going to be, so don't worry about it.


I think you are mistaken. The policy requires the data to be stored in the EU, that means EU server and EU datacenter.

"The regulation applies if the data controller, an organisation that collects data from EU residents, or processor, an organisation that processes data on behalf of data controller like cloud service providers or the data subject (person) is based in the EU. The regulation also applies to organisations based outside the EU if they collect or process personal data of individuals located inside the EU"


it's no good giving a quote without showing its source.... quick Google search found it was Wikipedia ! 9_9

there's nothing on there that says the data has to be stored in the EU... if i'm wrong, point it out.

would you expect registries to split their whois database into two?


I'm not sure why the link was not saved. I did quote it. My bad for not checking after hitting the button.

I want to be wrong. I really do. I read this in more than just Wikipedia, that data has to be in the EU.

It says the data controller has to be EU based, that means for a company you either have to be legally established in the EU or host data in a company established in the EU. I hope I'm wrong as this is insane. I also have no idea how the EU think it's fair or even how they plan to enforce the law for entities outside the EU without agreeing that other countries do the same inside the EU. You can't apply your law to another jurisdiction.

As for registries, the WHOIS is destroyed already with this law. Fraudsters and spammers are already celebrating because there is one less tool available to detect online fraud. Even if someone used fake details, at least you can still find other matches. Now no data will be public in the Whois either, it's already having severe consequences online. This is a law that comes from the same idiots that brought us the stupid cookie law.


1 hour ago, yggdrasil said:

I want to be wrong. I really do. I read this in more than just Wikipedia, that data has to be in the EU.

https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-4-cross-border-data-transfers/

Quote

The GDPR permits personal data transfers to a third country or international organization subject to compliance with set conditions, including conditions for onward transfer. Similar to the framework set forth in the Directive, the GDPR allows for data transfers to countries whose legal regime is deemed by the European Commission to provide for an “adequate” level of personal data protection. In the absence of an adequacy decision, however, transfers are also allowed outside non-EU states under certain circumstances, such as by use of standard contractual clauses or binding corporate rules (BCRs). Derogations are also permitted under limited additional circumstances.

In addition to facilitating international data transfers through new mechanisms, the GDPR also makes clear that it is not lawful to transfer personal data out of the EU in response to a legal requirement from a third country.

I don't believe the data has to be kept in the EU... but if you do (intend to) move it, you have to tell the end-user that.

1 hour ago, yggdrasil said:

It says the data controller has to be EU based, that means for a company you either have to be legally established in the EU or host data in a company established in the EU.

in any event, both would be true in my case, so it's not going to affect me. :)

1 hour ago, yggdrasil said:

I also have no idea how the EU think it's fair or even how they plan to enforce the law for entities outside the EU without agreeing that other countries do the same inside the EU. You can't apply your law to another jurisdiction.

you can... EU VAT would be another example that applies outside of the EU... now you could argue about enforcement, but that's another matter... I daresay the US could pass laws, possibly contractual laws affecting domains, that would affect EU citizens too, though whether the EU would let them get away with it, could be another matter!

1 hour ago, yggdrasil said:

This is a law that comes from the same idiots that brought us the stupid cookie law.

I don't believe anyone in the UK was ever taken to court about the 'cookie law'... enforcement in the UK was handled informally by the ICO (cajolement - the British way!)... I think I read that someone in Spain was prosecuted, but that's the only one that i'm aware of.

GDPR is much more significant than a cookie law, and I suspect ultimately it will be more strongly enforced... probably not initially, but once everyone gets their head around what's involved... but I could well imagine EU going after the big boys, e.g. Google, if they felt they weren't complying with it.
