In TEMPLATES -> configuration -> Checkout, there's a box for "Display a Secure Data Transfer agreement to EU customers", which says:
If you have customers in the European Union, enable this feature so they can opt in to sending their data to our secure servers in the United States.
Until Safe Harbor 2.0 or an equivalent is in place, European customers are required to give their consent to send their data to the United States. This feature adds a required checkbox to your checkout page which they must check in order to complete the transaction.
However, whilst that may be required for US-based customers of FoxyCart, I think it's not necessarily required for EU folks like me who are bound by the GDPR. My reasoning is as follows.
GDPR Article 45 Section 1 [ https://gdpr-info.eu/art-45-gdpr/ ] says that:
A transfer of personal data [from the EU] to a third country or an international organisation may take place where the [European] Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.
Now, thanks to FoxyCart's participation in the EU-US Privacy Shield Framework [ https://wiki.foxycart.com/static/foxycart_security#foxy_is_a_member_of_the_eu-us_and_swiss-us_privacy_shield_framework ], an "adequacy decision" by the European Commission exists for FoxyCart's US-based processing and transfer of my EU customers' personal data [ https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en ].
My understanding (and I'm not in any way a lawyer!) is that this puts FoxyCart's data processing in the US on a par with any other data processing that I or my other Data Processors/Controllers do within the EU. In which case, for EU folks like me, the full range of "lawful bases" is available for me to "choose" from when determining the lawful basis for Foxy's processing of my customers' data on my behalf, just like normal. And I choose to use "Legitimate Interests" as the lawful basis for having FoxyCart process my customers' data on my behalf, not "Consent". Consequently, I don't plan to enable that checkbox in my Checkout. What are your thoughts on that?
 GDPR Article 6 Section 1 [ https://gdpr-info.eu/art-6-gdpr/