GDPR discussion
bikegremlin
Moderator | OG | Content Writer
Trying to avoid derailing the offer thread, so continuing the discussion here.
@lowendmeow said:
@bikegremlin said:
@lowendmeow said:
@willie said:
By the way I asked about the company location because some potential users are avoiding US companies for privacy reasons.
Yes and that's why I am wondering if I can maybe migrate locations away from US? But does it matter if it's a US company?
It boils down to integrity and trust IMO. Hell, despite everything, I expect a US company to be in a better position to protect free speech and privacy than any EU-regulated company/location. Could be wrong, but that's how I see it.
Oh I'm curious why you think that?
I think it does have a lot to do with the provider and I trust @Francisco and I know frantech/BuyVM has hosted some controversial sites before. But I do worry about the political instability in the US and further overreach and oversight by government authorities against US citizens.
Also it's my understanding that it can be advantageous to have your company outside of the US because then you can reject legal claims that aren't made in your countries jurisdiction. I seem to remember a VPN company leveraging this fact and being based in a smaller country that was harder to throw lawsuits at. There are lots of frivolous legal threats and copyright claims made in the US and often there's pressure to do something about it.
Several points to consider here. First, to clarify that we're discussing EU vs US, not some third, non EU/US "small country" (like Serbia).
In terms of privacy, most people use smartphones (camera and microphone and no physical switch to shut off power) and pay with cards. So your hosting/email provider is not the weakest link there.
Gox's article on the technical stuff - GPS, GSM etc.
EU, with its GDPR, puts a lot of paperwork that costs time and money. AFAIK, anyone can ask you to respond what kind of data you have on them, ask to delete all and similar. Keeping in line with the law, in technical terms, can be very costly and confusing - with fines that are painful for small businesses, but nothing for big corporations that are the real culprit.
My article on GDPR
On top of that, I don't see EU as being less eager to infringe citizen privacy and free speech compared to US.
In smaller countries outside of EU and US, there are no guarantees that your privacy will not be infringed too.
It's also worth remembering that emails can hop over many servers, and your provider can't affect if every single one of those is secure and encrypted. So for emails in particular, it is a very moot point in those terms - while GDPR nonsense still can bite you if you host inside of EU.
I would be happy to be proven wrong - things would be easier for me since I am in Europe, if not in EU. But the way I see it based on the existing info and experience - it's better to stay out of EU completely (with my hosting too) if I'm already out of it with home address and passport.
Comments
I think this is one of those discussions where everyone is a little bit right, but it helps to separate law on paper, law in practice, and operational reality.
A few thoughts reacting to your points:
"Hosting/email isn’t the weakest link"
I agree with this more than most people like to admit. Phones, browsers, payment processors, CDNs, analytics, and even users themselves leak vastly more data than a typical small hosting provider ever will. A lot of the "avoid US/EU hosting for privacy" argument is more psychological comfort than an actual threat model.
GDPR vs reality
This is where the EU really hurts small providers. GDPR in theory is about protecting users; in practice it’s:
Large companies can throw lawyers at it. Small hosts can’t. That alone makes the EU unattractive unless you have to be there.
US vs EU on government overreach
I think this is more "different flavor, same problem" than a clear winner.
Neither is clean. Neither is meaningfully "privacy-first" at the state level.
Jurisdictional shielding (non-US/EU countries)
This is often overstated. Being outside the US doesn’t magically make you immune to:
It can help with frivolous US legal threats, but only if the provider is willing to fight, and most aren’t, regardless of country.
Email specifically
100% agree: email is a terrible hill to die on for "privacy via jurisdiction". SMTP hops all over the world, and GDPR obligations still apply if you touch EU residents anyway. You get the downsides with very few upsides.
Where I personally land
For small hosting providers, I think the real differentiator isn’t country, it’s:
A trustworthy US provider beats a random "privacy-friendly" EU or offshore one every time.
So I don’t see "US company" as inherently bad, nor "EU company" as inherently good, but I do see the EU as uniquely hostile to small operators due to regulatory burden alone.
If someone already lives outside the EU, has no legal need to be there, and isn’t specifically targeting EU customers, I completely understand the logic of staying out of it entirely. That’s less about ideology and more about risk management.
In short: jurisdiction matters, but provider behavior matters more.
^What I wrote did not make sense so got AI to dress up my post.
If you want information, feign ignorance reply with the wrong answer. Internet people will correct you ASAP!
It’s OK if you disagree with me. I can’t force you to be right!
Europe = many, many, many, many laws. Done for rich people who must pay all the bureaucracy. Europe is in a bad position with respect to the Asian countries or North America. Laws, laws, laws: try to do whatever and you must pay the bill.....
I believe in good luck. The harder I work, the luckier I get.
yoursunny.com has no privacy policy since 2006.
By connecting to yoursunny.com servers, you attest that you are neither an EU resident nor a California resident.
Your network packets and mouse movements to our web properties may be logged and saved indefinitely.
No hostname available. affbrr
Tuta mail is a great example of a very, very privacy & GDPR focused marketing:
https://tuta.com/security
With all the privacy and zero-knowledge talk, that cannot work outside the closed network of Tuta users - sending outside of it is bound to make stuff unencrypted (and the same goes for receiving emails).
So you still end up relying on relay servers outside of your control for encryption and security.
Wishful thinking and GDPR won't make our emails or phone calls private. You must set up your own encryption if you wish that.
🔧 BikeGremlin guides & resources
Tangentially related, I never quite understood the (mainly marketing) claim that, somehow, Switzerland was more data privacy centric than elsewhere. Switzerland has no more data privacy than other jurisdictions.
To be fair, GDPR was never about making your emails or phone calls private. It's just a framework to stop companies abusing personal data (not that it's hugely effective, but that's a whole different can of worms)
And it only really becomes onerous if you're trying to hoard PII without good reason, which is - broadly speaking - a good thing.
I don't agree with this statement. You only have additional hops if you use an outbound relay or the recipient uses an inbound filter. If you don't want an outbound relay reading your emails, don't use one. And the inbound filter is no different to a web site using Cloudflare or a similar proxy.
Exactly - you can't affect how recipient configures their infrastructure to begin with.
You need not deliberately add relays. SMTP encryption is hop-by-hop and the sender has no visibility or control over the recipient's internal MTAs, filters, load balancers, or TLS termination. So you can't control what happens with the emails you send out or receive (apart from your very server/infra, but they do need to leave when you're sending and come from "outside" when you're receiving).
Even with direct delivery and TLS enabled, email is not end-to-end encrypted by default. Provider choice or jurisdiction doesn't change that.
That's why email privacy is fundamentally a protocol limitation, not something GDPR or "don't use a relay" can solve.
Today, many people/companies are trying to use email as either messenger (up to one minute delivery expected if not faster) or end-to-end encryption (without relying on PGP on both ends). One not excluding the other. That's not a realistic expectation.
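The hop-by-hop point made above (and the Tuta remark earlier about mail leaving the closed network), as an added example that is not part of this thread: a small Python script that walks the Received: headers of a message and reports which hops the relays themselves claimed were TLS-protected. The message, hostnames, addresses and TLS details are constructed; the point it makes is that the sender learns this only after the fact, from the recipient's copy, and only as far as each relay chose to record it.

```python
import email
import re

# Constructed sample (not a real capture). Received: headers are prepended by
# each receiving MTA, so the topmost is the last hop; only hop 2 recorded TLS.
SAMPLE_MESSAGE = """\
Received: from mx-in.example.net (mx-in.example.net [192.0.2.30])
\tby mailbox.example.net with ESMTP id 3; Mon, 6 Jan 2025 10:00:03 +0000
Received: from relay.example.org (relay.example.org [192.0.2.20])
\tby mx-in.example.net with ESMTPS id 2
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384); Mon, 6 Jan 2025 10:00:02 +0000
Received: from sender.example.com (sender.example.com [192.0.2.10])
\tby relay.example.org with ESMTP id 1; Mon, 6 Jan 2025 10:00:01 +0000
From: alice@example.com
To: bob@example.net
Subject: test

hello
"""

# "from X ... by Y with PROTO": PROTO reads ESMTPS/ESMTPSA when that relay used TLS.
HOP_RE = re.compile(r"from\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+)", re.S)

def trace_hops(raw_message):
    """Return the hops in chronological order, as each receiving relay reported them."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if not m:  # free-form Received: lines that don't fit the pattern are skipped
            continue
        proto = m.group("proto").rstrip(";").upper()
        version = re.search(r"version=([\w.]+)", value)
        hops.append({
            "from": m.group("frm"),
            "by": m.group("by"),
            "tls": "SMTPS" in proto,  # self-reported by the receiving relay, nothing more
            "tls_version": version.group(1) if version else None,
        })
    return hops

def unprotected_hops(hops):
    """Hops that no relay claimed to protect with TLS (cleartext on the wire)."""
    return [h for h in hops if not h["tls"]]

if __name__ == "__main__":
    hops = trace_hops(SAMPLE_MESSAGE)
    for i, h in enumerate(hops, 1):
        print(f"hop {i}: {h['from']} -> {h['by']} TLS={h['tls']} {h['tls_version'] or ''}")
    print("cleartext hops:", [h["by"] for h in unprotected_hops(hops)])
```

Received: headers are written by whoever received the message, so this is forensics on the recipient's copy, not a guarantee: a relay can omit or misreport them, and the message body was readable at every hop regardless of transport TLS.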
Hi thanks for starting the discussion.
I'm actually less worried about privacy per se as I know regardless of GDPR it's up to the company to honor it as we saw in Velox Media's case. And I'm well aware that due to how email works true E2E isn't possible outside of people using the same service as the replies still will get stored on the recipient's end anyway.
My concern right now is the political instability in the US. Say hypothetically I was present at a protest and the US government decided to label everyone who attended "domestic terrorists" and then sends court orders to their email or other service providers. They would be obligated to share the data I believe if they were US companies I think regardless of whether this data is hosted in the EU or not. However if I chose an EU email provider I believe they can ignore this as it's not a court order for that region and indeed I would expect the EU and other countries may be sharing less with the US in the future, especially if NATO breaks down.
I know it's not a very likely scenario but I am thinking about things differently these days. So far I think most of my services are Canada or EU based.
This was clear before Snowden came out - after he came out it was proven (officially).
Situation in my country is very similar in those terms (you can get labeled as criminal/terrorist/foreign mercenary) and put in prison - with or without emails.
I am not sure about EU, but I fear it is similar - or will be very soon.
There is a global trend towards more control, more surveillance, and reduced civil liberties ("if one child can be saved...").
Doubt that we can avoid that by using EU service providers.
I think you are right in saying EU service provider as a blanket recommendation. It makes more sense to consider your situation. For example if you are being targeted in the EU by your country's government maybe you then prefer a US provider. But if I'm in the US and have concerns about my government, EU provider seems good.
All these doomsday scenarios may be taking things too far.
I think this has more to do with the provider in particular than it has with the country.
Also, US in particular has a lot of leverage globally. I mean - it is possible that a US or EU provider can easily dismiss a request from Serbia for example (though, even in that case I'm not sure if the request is posted via official channels).
But I would not bet on my provider avoiding a request from the US (or "even" "just" the EU for that matter).
The only real protection is zero-knowledge.
Could be wrong, but that's how I see it.
I see your point about GDPR costs, but I'd still argue that the US presents a different set of headaches—specifically DMCA abuse and the Cloud Act.
In the US, providers are often trigger-happy with shutting down services due to frivolous copyright claims to maintain safe harbor status. At least in some EU jurisdictions (or non-EU European countries like Switzerland/Iceland), there's a bit more due process before a server gets pulled.
Asking, not arguing:
My impression is that this boils down to provider's policy and integrity - a lot more than it has to do with their server or business registration location.
Cloudflare vs Italy, for example:
https://x.com/eastdakota/status/2009654937303896492
What am I missing?
That's a very valid point regarding Cloudflare. They have the war chest and legal teams to actually fight back against government overreach, which is admirable.
However, I think the dynamic changes when we talk about smaller providers (which makes up a large part of the LES/LET community). A small host might have integrity, but they often lack the resources to fight a court order or a subpoena in their home jurisdiction.
In that context, I view jurisdiction not as a replacement for integrity, but as a 'passive defense'—it sets the default legal difficulty for anyone trying to access that data, especially when the provider serves as the path of least resistance.