Comment by q-base

3 years ago

From here: https://docs.hetzner.com/general/general-terms-and-condition...

Conclusion:

In summary, you as a customer do have influence - to a certain extent - on shaping who has access to the data on your servers. EU and US authorities do have to follow the laws and legal procedures in requesting data. However, this may give you a false sense of security since some authorities have been known to stretch or violate agreements. If you require a web hosting company that has absolutely no connections to the USA, then unfortunately, we may no longer be the best choice for you. Since Hetzner US LLC is part of the Hetzner Group, there certainly is a connection. We hope that we have explained things clearly from our point of view using the two above case studies.

Ok, but: "US authorities do not have direct access to your server or its content in the EU. US authorities have to comply with the regulations of the EU legislation."

So, because Hetzner is not owned by a US company, stuff like the CLOUD Act doesn't apply to them. So, if you have a contract with the German entity of Hetzner and use a German server, you should be fine in terms of GDPR.

  • I think it depends on how you read the Schrems II ruling and how you read Hetzner's words.

    Any of the big cloud providers can claim that they comply with EU legislation, but they also have to comply with US legislation, and if a 3-letter agency wants to have some data from one of their subsidiaries in the EU, then they can/will decide which contract to breach.

    I read Hetzner's statements as being that they can no longer guarantee that they will not be forced to do the same - but that can be my reading of their statement that is wrong.

    If I already had them as hosting partner for a solution that fell under Schrems II, I would have them confirm this, to be sure.

  • But what does "direct" mean here? Indirect could still be ordering them to give US authorities data and to keep silent about being ordered. Maybe (hopefully) that would be against EU regulations?

    • Lots of EU countries have their intelligence agencies cooperating closely with Five Eyes (the NSA and equivalent agencies of the smaller countries) and are willing to turn a blind eye or actively collude in compromising the security of IT infra in the EU. Or, going further, an oft-reported pattern is that when they want to spy on their own citizens but are forbidden by law, they ask the foreign allies to do the dirty work of spying on their soil and pass back the intelligence.

The way I read that is:

Hetzner Europe is owned by Hetzner Group, a German company. Hetzner US is also owned by that German company. Hetzner Europe isn't owned by a US company, it's just a sibling to one.

The content of that link sounds fine in terms of GDPR if one only uses the EU servers. Am I missing something?

  • I read it differently, especially in light of Schrems II. EU datacenters from any of the big US-based providers do not automatically make you comply either.

    • As I read it the issue is that the American HQ can order their European subsidiary to provide the data.

      Hetzner US does not have a European subsidiary and therefore cannot violate GDPR (assuming US personnel can't access EU customer data).

      Hetzner HQ is in Germany and is not allowed to enforce the CLOUD Act outside the US.