We are dealing with the consequences of not taking this very seriously for the last decade. It's not good enough to just hope that the Internet will remain free in the face of legitimate concerns.<p>Yes, it's a concern that the Internet won't be global anymore, but it never really was. Up until thing like Firesheep and Snowden, and still to some extent, a lot of Internet traffic was only safe based on not passing any bad actors.
The end result may become a Balkanized internet - you can't share anything outside your country's borders or access them from outside. Each country winds up as a China, a government's dream situation. In the end though we all lose.
If you're a US company and some of your users happen to be European, and you just ignore this and store all users' data in the US, what kinds of sanctions can be imposed by the European Court of Justice or national authorities in individual European countries? Do they have some way to block your site at the national / continental level or go after your users? Can they fine you, send you a bill and ask US authorities to seize your company's assets if you fail to comply, even though you're breaking no US laws?<p>If they can't take any enforcement action against non-compliant companies outside European borders, how does this decision even matter for non-European startups?
Snowden's tweet, to the point: <a href="https://twitter.com/Snowden/status/651383168650604544" rel="nofollow">https://twitter.com/Snowden/status/651383168650604544</a>
I must admit, after the NSA stuff, I feel safer without "Safe Harbor".<p>But I guess a bunch of US companies are pretty scared about the financial implications right now. Kicking out EU citizens or moving their data to the EU.
Good article, but he almost lost me when he started with the passport thing: European privacy laws apply to European <i>residents</i> (regardless of citizenship) and <i>not</i> to European citizens living outside of the European Union.<p>The latter would be unenforceable anyways. In fact, the United States is the only major country exporting laws on their citizens living abroad (e.g. taxes).<p>EDIT: And, in fact, detecting the location of an Internet user (while not perfect) unfortunately works very well for "regular" users not well versed in VPNs and proxying - think YouTube country restrictions or also Google Maps' approach to display different maps depending on the user's location.
As a eurpean I can't help but feel like this is a step to move the internet away from only "adhereing" to US "law" which would be nice change.
So does that rule out a good chunk of US providers for european companies (stripe/braintree/slack etc)?
I could only find mention of Safe Harbor in their privacy policy and not where the data is hosted.
This is great! It gives users lots more privacy rights, rights that come with teeth. See page 105 of [1]. It's going to force many US companies to register with a European data privacy controller.<p>Here are the basic rights of a "data subject":<p>Everyone shall have the right under national law to request from any controller information as to whether the controller is processing his or her data.<p>• Data subjects shall have the right under national law to:<p>• access their own data from any controller who processes such data;<p>• have their data rectified (or blocked, as appropriate) by the controller processing their data, if the data are inaccurate;<p>• have their data deleted or blocked, as appropriate, by the controller if the controller is processing their data illegally.<p>• Additionally, data subjects shall have the right to object to controllers about:<p>• automated decisions (made using personal data processed solely by automatic means);<p>• the processing of their data if it leads to disproportionate results;<p>• the use of their data for direct marketing purposes.<p>What this means is that data collected by a company about an individual belongs to the individual, not the company. The individual can look at it, correct it, and take it back.<p>This isn't a problem if you're not a scumbag. If you're selling your customer list for marketing purposes, or using data you collect about users for marketing purposes, you have a problem.<p>The EU requires explicit consent for such things. A contract of adhesion EULA is <i>not</i> enough. Exceptions to data privacy must be opt-in, not opt-out.<p>Passing data about persons on to another party can cause serious liability. You have to know where the data went, exactly who has it, and be able to delete it even if it's now in the hands of another party.<p>This is EU-wide, and registration with one national data controller (a Government agency which checks for privacy violations) in the EU is usually sufficient. Here's a set of guidelines from the European trade association for online marketing.[2]<p>The biggest practical implication here is that any data you collect and share about individuals must remain within your reach, because you're responsible for correcting it, blocking it, or deleting it. Mailing lists must now contain info as to where the info was originally collected.<p>It's not really that bad. Europe has operated under these rules for decades. Deal with it.<p>[1] <a href="http://www.echr.coe.int/Documents/Handbook_data_protection_ENG.pdf" rel="nofollow">http://www.echr.coe.int/Documents/Handbook_data_protection_E...</a>
[2] <a href="http://www.fedma.org/fileadmin/documents/SelfReg_Codex/FEDMACodeEN.pdf" rel="nofollow">http://www.fedma.org/fileadmin/documents/SelfReg_Codex/FEDMA...</a>
I hear your words and all I can conclude is: What a _great_ ruling. Seriously.<p>Decentralization is a major thing we need right now. Also: the EU gov. agencies are very unlike the US ones in that we have a political power over them.
What are the business implications for this? Does this only matter for businesses registered in Europe operating off US servers? Or does it prevent any US business from storing European customers' data?