The full ruling is available here:
<a href="http://www.politico.eu/wp-content/uploads/2015/10/schrems-judgment.pdf" rel="nofollow">http://www.politico.eu/wp-content/uploads/2015/10/schrems-ju...</a><p>These bit jumped out at me:
>Furthermore, national security, public interest and law enforcement
requirements of the United States prevail over the safe harbour scheme, so that United States
undertakings are bound to disregard, without limitation, the protective rules laid down by that
scheme where they conflict with such requirements. The United States safe harbour scheme
thus enables interference, by United States public authorities, with the fundamental rights of
persons, and the Commission decision does not refer either to the existence, in the United States,
of rules intended to limit any such interference or to the existence of effective legal protection
against the interference.<p>>This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’
complaint with all due diligence and, at the conclusion of its investigation, is to decide
whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers
to the United States should be suspended on the ground that that country does not afford
an adequate level of protection of personal data.<p>My reading (not a legal expert) is that data residency is the important bit here. Which in my view is a small step but not sufficient.
Meanwhile, TPP prohibits countries from having data sovereignty laws, <a href="http://www.zdnet.com/article/tpp-moves-toward-killing-off-government-mandated-data-sovereignty/" rel="nofollow">http://www.zdnet.com/article/tpp-moves-toward-killing-off-go...</a>, with similar prohibitions sought in TTIP and TISA, <a href="https://blog.ffii.org/a-license-to-spy-cross-border-data-flows-in-ttip/" rel="nofollow">https://blog.ffii.org/a-license-to-spy-cross-border-data-flo...</a><p><i>"Governments in Australia, the United States, New Zealand, Canada, Singapore, Vietnam, Malaysia, Japan, Mexico, Peru, Brunei, and Chile will be unable to force companies from those countries to store government data in local datacentres ... governments will not only be prevented from mandating data sovereignty provision, they will also be unable to demand access to source code from companies incorporated in TPP territories."</i>
This is good, and a direct result of the Snowden revelations - without those, the US would still considered to be a safe harbor for your data. I'm hopeful that this will create the kick that the US needed, now that actual income (and high income, at that) is becoming threatened by the NSA. Of course this isn't the end to their data theft. They're likely to get the data from their Five Eyes European friends instead, but still - a good victory.<p>Amazing to see what one determined person can do!
Its been asked by multiple people in the thread, but I'm not clear on the answer.<p>If I host a website that has user accounts in the US, and do not stop people from the EU from registering, do I, with no offices outside the US, need to do something different because of this ruling?
Edit: I'm reacting to "Facebook and Twitter [...] could be forced to host European user data in Europe"<p>Border control with data is the worst idea ever.<p>Think of it: my Facebook friends lists has EU and US people in it. This list can't reside in EU or US. This webpage can't be served by either a EU or US web-server. By law. LOL<p>Plus I'm a EU citizen, and I can choose to give my data to whoever I want... no more. That's sad.<p>This ruling only shows the dismal tech knowledge of lawyers and lawmakers. It's impossible to implement Facebook with data spread between EU and US. Same for Tweeter and others. Say goodbye to social networks. Because of model denormalization, because of network latency and intercontinental bandwidth.<p>Some mention cloud zones, but they're only useful with replication, which IS data transfer.<p>OR... social networks will cheat. And one day, they'll be sued for cheating the impossible regulations (think VW...)
European citizen here, and as much as i welcome a step like this, it's also pretty interesting to see, what this means for smaller (online) businesses outside of europe.<p>Sure, you want to host customer data from europe in europe (latency-wise) anyways, but now that this will be more or less required it will be interesting to see how people will solve this. The good thing is, with "the cloud" you have a lot of option (locations) to choose from.
It's interesting how this is described as a potential "bureaucratic nightmare". Having to follow the law of the country your doing business in has been standard operating procedure for, well, basically all of human history.<p>Somehow the tech industry seems to think it should be exempt from that, even if it means being allowed to piss all over the basic civil rights of citizens of modern Western democracies.<p>Yes, this is a problem that needs to be solved given the reality modern cross-border online services. But it can't be solved by the corrupt political elite simply selling their citizens hard fought rights to corporations operating from countries that lack respect for such rights.
Does this effectively render any Parse or Firebase application (they only have US servers) that stores user information (e.g. email account) illegal in the EU?
I wonder if there are additional ramifications of this, even for European companies dealing with European customers. For example, what happens when personal data from a European datacentre to a European customer transits a US network on the way (such routing diversions are fairly common)? In the light of Snowden's revelations, this would seem incompatible with EU privacy regulations unless the data were encrypted. Of course personal data should always be encrypted, but where are the CAs located? Is a European company negligent if they don't use a European CA and do certificate pinning? Interesting times.
This sounds great! Though if the owning company is in the US, then the US views this as reason to be able to access customer data no matter where its stored. More fun to come mm?<p>Question: Why do companies HQ themselves in the US? Why not pick a friendlier country, then turn their US parts into a simple contractor that supplies software development and engineering resources? Then the US company would not have actual ownership of any data. Forcing them to reveal customer records would be the same as forcing an individual to steal data right?
> The average consumer will not see any restrictions in daily use, but will hopefully soon be able to use
online services without potentially being subject to mass surveillance<p>> However, US companies that obviously aided US mass surveillance (e.g. Apple, Google, Facebook,
Microsoft and Yahoo) may face serious legal consequences from this ruling when data protection
authorities of 28 member states review their cooperation with US spy agencies.<p>Can't wait. This is going to be good.<p><a href="http://www.europe-v-facebook.org/CJEU_IR.pdf" rel="nofollow">http://www.europe-v-facebook.org/CJEU_IR.pdf</a>
So this is what I think will happen: a lot of companies (maybe even the likes of facebook and google) will move out of europe and just serve everything from the US. There is not really an alternative to that, how could my EU-hosted facebook profile not be transferred to the US so my friends can see my book favourites?
So we are building a messaging product for organizations. I am wondering how this can impact us if an org that uses our product has employees in both EU and US (assuming that national regulators in EU go ahead and bar personal data transfer to US).<p>* Will we need to partition user data based on location, even if they are in the same organization?<p>* What happens when a user in EU sends a message to one in US? So right now the chat history for one-on-one conversation pairs is stored in one place, does this ruling mean that now we have to duplicate this chat history for both the users?<p>* Even worse, what if multiple EU and US users are part of the same chat group? Is there any way we can store the group's chat history in one place?
How is it possible that people don't discuss the GCHQ in the same breath as the NSA? From news reports it seems they may as well be the same agency. Keeping data out of the US isn't enough, and it's dangerous for Europeans to think that their own governments are looking out for their privacy. They should be looking instead to make encryption ubiquitous. This may be limiting corporate data storage, but I don't think this impacts intelligence gathering for the US at all.
My reading of the judgment is that it just throws the decision back to the national courts to decide what constitutes safe harbor. Safe Harbour agreement between US and EU streamlined the process for getting access to EU data. Now it mus be decided in national level.<p><a href="http://www.politico.eu/wp-content/uploads/2015/10/schrems-judgment.pdf" rel="nofollow">http://www.politico.eu/wp-content/uploads/2015/10/schrems-ju...</a>
If I'm a US company that does business in the EU, is there any reason that personal information collection can't just happen through a US web server? That way it is the user who is transferring the data to the US, not the company.<p>Updating your name, birthday and other personal information would take an extra 100 ms in order to POST to the US, but it could then be replicated back out to the EU for reads if necessary for performance.
Great success! They should try it the other way around. Looking for the set of things they can do that are correct in the European countries and then apply it to the US as well. If the biggest argument is to simplify ruling and management then this approach would be just as good as allowing US rules to overwrite European rules, right?
It's interesting that certain bloggers such as Dustin Curtis and Ben Thompson have claimed that Apple's privacy stance will ultimately hurt them because they'll be at a disadvantage to competitors, but it seems like they've shown some real foresight when you take this ruling into consideration.
This is good for everyone's privacy. By making it difficult for businesses to centralize the storage of US and European data, the European court has incentivized businesses to pressure the US government toward laws that respect our privacy better.
I wonder if some companies have sufficiently complex operations globally, that they end up with mutually incompatible laws and would have to either stop doing business in a country or split itself in two to continue to operate?
While this is a win for individual privacy, it does truly make scaling web services significantly harder and more costly.<p>Being in compliance is fairly easy for large companies, but it's going to be a challenge for startups.
Hosting data locally in EU doesn't solve privacy problem because the servers are still operated by USA companies that can (and obviously will) share the data with NSA. The solution is to create more local services so the data never leave the country. It is also better economy-wise so the money stay in the country too.
While this is a massive ruling, there are valid exceptions that allow companies who have agreed with their clients to transmit their data from EU to US while keeping data separation and with respect to the data protection law.<p>This is not a blanket-panic for all US/EU companies as the media are projecting.
This is just small victory. AFAIK, US government can still ask without a court order Facebook or MS or any other US company to handle them the data of/for european citizens that hosted in Europe.
well, I guess LinkedIn is hosed. and AWS which does global replication. and and and.<p>this ruling ignores the decentralized nature of the internet.<p>worst case is Europe being shut off from any tech advances, while the Pacific region from Cali to China takes off.
No, this is terrible.<p>These countries are demanding we run our services in their countries. This is a money grab.<p>Note that these same countries expect the United States to act as World Police, and do not contribute as much money as they should. They want the US to know about attacks ahead of time. I wonder how the US could possibly know about attacks ahead of time?<p>I deplore mass surveillance. I really do. But I think wiretapping with a warrant is a necessary tool for fighting crime, and terror, and bad state actors.<p>There's a part of me that desperately hopes all major internet services just shut off Europe entirely. Welcome back to the Stone Age.
>That could be a bureaucratic nightmare: In theory, American companies with European customers could now end up trying to follow 20 or more different sets of national data privacy regulations.<p>Good. If you want to be a multinational company, then you should have to obey the laws of each country.
This is good and I see no reason why this cannot be done easily for most corps (except the ones who mine personal data). For why would you not have critical personal data in the specific country table/database that is in that specific country. If you do not provide the service in that country and some one signs up then inform that the data is not safe and give visible warning. Is that really difficult. I used to have DB library layer earlier where based employee location it will direct their data to that location.
The "good" companies should relocate their business central away from USA and come to Europe!<p>Some big companies should finally stop talking and start acting, this is the only chance for a real change.<p>Cut the NSA-Brotherhood ties! These little Hitlers from all the affiliated "Clubs of Distopians" and the War-Industry completely destroyed the most important association of "USA == Freedom" in the world. Face it. Deal with it. Act accordingly.<p>For people interested in history: it might be interesting to look at the post-ww-2 de-Nazification process in germany to understand how hard it is to remove established circles of anti-democratic bureaucrats from power structures. This will take a very long time (if it happens at all).<p>The better immediate reaction would be to support progressive and freedom-oriented societies with your technical powers until "good old USA" is restored. Europe is not perfect, but what happens in USA nowadays is pure distopia, a very unhealthy development that will lead to a negative outcome for all of us.<p>Once people came to The USA because of suppression and lack of freedom in their home countries. Just a few generations later if you have the same sense and longing for freedom like these ancestors of you, it is now time to leave that continent as the suppressors followed your trails - come home to Europe and together we can build a better future!