As I mentioned yesterday, the European Court of Justice ruled yesterday that the US-EU Safe Harbor pact is illegal under European law:
The ruling, by the European Court of Justice, said the so-called safe harbor agreement was flawed because it allowed American government authorities to gain routine access to Europeans’ online information. The court said leaks from Edward J. Snowden, the former contractor for the National Security Agency, made it clear that American intelligence agencies had almost unfettered access to the data, infringing on Europeans’ rights to privacy.
The court said data protection regulators in each of the European Union’s 28 countries should have oversight over how companies collect and use online information of their countries’ citizens. European countries have widely varying stances toward privacy.
The Electronic Frontier Foundation examines the implications:
[I]f those reviews [of individual companies' transfers] continue to run against the fundamental incompatibility of U.S. mass surveillance with European data protection principles, the end result may well be a growing restriction of the commercial processing of European users' data to within the bounds of the European Union.
That would certainly force the companies to re-think and re-engineer how they manage the vast amount of data they collect. It will not, however, protect their customers from mass surveillance. The geographic siloing of data is of little practical help against mass surveillance if each and every country feels that ordinary customer data is a legitimate target for signals intelligence. If governments continue to permit intelligence agencies to indiscriminately scoop up data, then they will find a way to do that, wherever that data may be kept. Keep your data in Ireland, and GCHQ may well target it, and pass it onto the Americans. Keep your data in your own country, and you'll find the NSA—or other European states, or even your own government— breaking into those systems to extract it.
Harvard law student Alex Loomis highlighted the uncertainties for US-based companies:
But ultimately it is still hard to predict how national and EU authorities will try to enforce the ECJ decision in the short-run because, as one tech lobbyist put it, “[c]ompanies will be working in a legal vacuum.” Industry insiders are already calling for more guidance on how to act lawfully. That’s hard, because the EU Commission’s decision is no longer controlling and each individual country thus can now enforce EU law on its own. Industry experts suggest that the turmoil will hurt smaller tech companies the most, as the latter lack separate data centers and accordingly are more likely to rely on transferring data back to the United States. As I pointed out last week, that might have some anticompetitive effects.
In short, data transfers between the EU and US are now a problem. A big one. Fortunately at my company, we don't keep any personal information—but we still may have a heck of a time convincing our European partners of that, especially if Germany and France go off the deep end on privacy.