
> A German CDN can set up their own infrastructure

Ok, but what if you just want to run a website and not build a billion dollar global CDN.

> GeoDNS

According to the GDPR you have to protect the data of your visitors no matter where they are.




> Ok, but what if you just want to run a website. Not build a billion dollar global CDN.

Ah, from the perspective of website owners, not the CDN owner... Well, use a European CDN, they tend to follow European regulation, just like US companies follow US regulation. The two companies that come first to mind are BunnyCDN and KeyCDN, but I'm sure there are many others. Both of them have global networks.

> According to the GDPR you have to protect the data of your visitors no matter where they are.

Yes, of course, that's the ground truth we're assuming here. Is that some sort of gotcha? I'm not sure I'm understanding if you're arguing against what I said or just adding information on top without disagreeing.


How would BunnyCDN and KeyCDN be able to have endpoints in the US that are beyond the reach of the US government?

The recent rulings say that no packets are allowed to travel to the US because that would enable the US government to access them if it wants to. I don't see how this can be avoided. As soon as a TCP packet enters the US, it is on infrastructure the US government can access if it wants to.


Again, you route people differently depending on the location. The problem is not that the US government can access data for US persons when on US soil, the problem is the US government being able to access EU persons' data when on EU soil.


Did you read the GDPR? I did not see any reference in there to location or "soil" being relevant to how it applies.


The point you are missing is that if I am an EU citizen, in the US, on my US friend’s computer even, your crappy “location detector” just denied me my rights as an EU citizen. No one cares if the IP address was thought to originate in the EU or US or wherever because that has never been enough information to tell if you are dealing with an EU customer.


I think the point you're missing about the GDPR is that it doesn't matter where your citizenship is from, your location is what matters. US persons in the EU are as well protected as EU persons in the EU. No matter where you're from, if you're in the EU, GDPR applies.

Edit: in order to make this discussion a bit more fact based, as some misinformation is starting to leak into it: I'm referring to Article 3 from GDPR, "Territorial scope". It states:

> This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union


You managed to miss the one case the grandparent poster actually mentioned: an EU person located in the US. This person is also covered by the GDPR, thereby rendering any geo-based rules and routings useless.


> An EU person located in the US. This person is also covered by the GDPR

They are not, where are you getting this from?

Again, Article 3 from GDPR, "Territorial scope":

> This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union

data subjects who are in the Union



> The two companies that come first to mind are BunnyCDN and KeyCDN

Merry Christmas to those two.


I was addressing your point "US visitors to domain.com gets a different IP". How does that relate to GDPR?


Right, that was aimed towards:

> Even if you run an extra host like www.yourdomain.de for Germans, they could still type www.yourdomain.com into their browser and this alone would cause TCP packets to flow from their machine to CloudFront. There is no way to avoid this.

If you're adamant on running US infrastructure for US users and EU infrastructure for EU users, you can do that by using GeoDNS/Regional Records.

But personally I find it easier to treat everyone as an EU user, and I store no personally identifiable information whatsoever except information given by users themselves (like emails for registration), so maximum privacy for my users.



