
Comment by shafyy

3 years ago

I can't find any info that they are owned by a US company. Can you link to a source?

From here: https://docs.hetzner.com/general/general-terms-and-condition...

Conclusion:

In summary, you as a customer do have influence - to a certain extent - on shaping who has access to the data on your servers. EU and US authorities do have to follow the laws and legal procedures in requesting data. However, this may give you a false sense of security since some authorities have been known to stretch or violate agreements. If you require a web hosting company that has absolutely no connections to the USA, then unfortunately, we may no longer be the best choice for you. Since Hetzner US LLC is part of the Hetzner Group, there certainly is a connection. We hope that we have explained things clearly from our point of view using the two above case studies.

  • Ok, but: "US authorities do not have direct access to your server or its content in the EU. US authorities have to comply with the regulations of the EU legislation."

    So, because Hetzner is not owned by a US company, stuff like the CLOUD Act doesn't apply to them. So, if you have a contract with the German entity of Hetzner and use a German server, you should be fine in terms of GDPR.

    • I think it depends on how you read the Schrems II ruling and how you read Hetzner's words.

      Any of the big cloud providers can claim that they comply with EU legislation, but they also have to comply with US legislation, and if a 3-letter agency wants to have some data from one of their subsidiaries in the EU, then they can/will decide which contract to breach.

      I read Hetzner's statements as being that they can no longer guarantee that they will not be forced to do the same - but that can be my reading of their statement that is wrong.

      If I already had them as a hosting partner for a solution that fell under Schrems II, I would have them confirm this, to be sure.


    • But what does "direct" mean here? Indirect could still be ordering them to give US authorities data and to keep silent about being ordered. Maybe (hopefully) that would be against EU regulations?


  • The way I read that is:

    Hetzner Europe is owned by Hetzner Group, a German company. Hetzner US is also owned by that German company. Hetzner Europe isn't owned by a US company, it's just a sibling to one.

  • The content of that link sounds fine in terms of GDPR if one only uses the EU servers. Am I missing something?

    • I read it differently, especially in light of Schrems II. EU datacenters from any of the big US-based providers do not automatically make you comply either.


Hetzner is owned by a holding company owned by Ensoxx and Ensoxx is Martin Hetzner's company as far as I can tell.

  • That seems to be correct. My understanding (IANAL) of Schrems II is that the problem exists when an EU datacenter is under the direct or indirect control of a US company. Indirect in this case meaning operated by an EU company that is the subsidiary of a US company, as is the case with AWS, Google and Microsoft.

    Since the EU datacenters seem to be operated by EU companies and the US company is merely a sibling subsidiary of Ensoxx, which itself is also an EU company, this should provide sufficient isolation to prevent interference from US agencies short of direct sabotage or espionage (since the EU staff is not in the chain of command of the US company).

    So for a definitive answer you probably want your lawyers to talk to Hetzner's lawyers but at face value this is at least miles ahead of any US-based cloud provider, which in all honesty is still the default solution for most EU-based companies despite this ruling.