This should be of interest to all American startups: if the court agrees with this assessment, you will have to store European user data on European servers and cannot transfer these to the US. Probably not even for data analysis. AWS and others will likely set up something quickly, but you'll still have to keep that in mind when trying to establish a presence in the EU.
So ultimately the NSA will have broken up the internet into separate regional entities.
It's not just that, EU startups who currently depend on US-based services are going to be in quite a bit of trouble unless they got consent from their users to put their data in the US.
And the alerts are naturally extra annoying if you don't actually use cookies, since the acceptance status isn't saved and you'll see the warning again and again.
And the law doesn’t even mandate popups like they are used – the law was intended to avoid sites using cookies for tracking. Not for personal settings.
As a user, that sounds pretty awesome. Of course in practice it will probably mean that they will throw this in the "privacy" policy, where they also enumerate all the ways in which they can track you and share your information.
"By the way, we're also sending this data to US government-accessible servers. By reading or not reading this you hereby consent to us doing that. Oh - and did we mention how much we care about your privacy and security? We just wanted to make sure you got that."
Hopefully the EU will also mandate some kind of real (but usable) consent mechanism to this sort of stuff, that's unlike the whole cookie story.
Yeah, "I hereby refuse to use any American social networks" is going to be a popular phrase among EU teenagers.
The problem with EULAs is not just that we don't read them, it's also that in order to live a normal life you have to agree to all kinds of EULAs whether you want to or not. Consent is always given.
In medical industry, there is the idea of "informed consent", which attempts to make sure both parties are aware of the consent given. (Mainly in regards to treatments.)
At least in Germany it's not possible to override laws by writing something different in a privacy policy or EULA. Even EULAs are mostly invalid. I guess it's the same in most European countries.
US companies would simply not be able to work with that data e.g. via a browser while sitting in the US to perform any form of data analysis, customer support and what not.
They would require a local presence, local staffing.
I suspect this ruling will work out very well for Ireland. US multinationals already see Ireland as an "Atlantic bridge" for getting a foothold in Europe often by placing their EMEA HQ in Dublin.
Ireland is playing up to this role and this ruling sort of hammers home the status quo that if international tech companies want to deal with the EU they will have to have separate facilities to house European data as they can't ship it all back to California.
Ireland will become the EUs primary data centre -- it has the right combination of climate, tax rates, tech presence, political diplomacy and data protection laws.
In many cases though the ruling will probably just result in an extra line on the EULA.
Ireland's tax deals are under heavy scrutiny right now. They may not survive the year. Without the benefits of 3% tax rates, I don't see why some companies won't prefer southern England or maybe Berlin or Paris – your endorsement of Ireland's climate notwithstanding.
Having lived in Ireland for 4 years, I can say that the physical environment was a mixed bag. Yes, it's beautifully green everywhere, but at the cost of tons of rain and cold, clammy days.
Or maybe you were referring to the political climate?
The soft rain and mild climate is good for data centres in a physical sense because of its stability. Irelands temperature range is like 25C degrees from trough to peak in winter and summer and even the daily change in temperature is slow.
Safe harbor is sadly more of a guideline/joke. Smaller companies that do not have to hand over data to the nsa get training for it which is basically :
Change nothing of what you do, keep mishandling user data, but if ever eu sues us we will sue employees back.
So in the end data is not protected anyway and safe harbor is a smoke screen at best.
29 comments
[ 3.6 ms ] story [ 76.8 ms ] threadSo ultimately the NSA will have broken up the internet into separate regional entities.
Disclaimer: Not a lawyer, never wanted to be one.
"By the way, we're also sending this data to US government-accessible servers. By reading or not reading this you hereby consent to us doing that. Oh - and did we mention how much we care about your privacy and security? We just wanted to make sure you got that."
Hopefully the EU will also mandate some kind of real (but usable) consent mechanism to this sort of stuff, that's unlike the whole cookie story.
The problem with EULAs is not just that we don't read them, it's also that in order to live a normal life you have to agree to all kinds of EULAs whether you want to or not. Consent is always given.
In medical industry, there is the idea of "informed consent", which attempts to make sure both parties are aware of the consent given. (Mainly in regards to treatments.)
As a German law professor phrased it "I never read the fine print. It's either fair or invalid"
https://www.citizensadvice.org.uk/consumer/protection-for-th...
AWS already has two datacenters in Europe (Ireland and Germany). Wouldn't it be enough to use those data centers for European users?
They would require a local presence, local staffing.
Edit. fixed typo.
Especially for data analysis (and not limited to it).
Ireland is playing up to this role and this ruling sort of hammers home the status quo that if international tech companies want to deal with the EU they will have to have separate facilities to house European data as they can't ship it all back to California.
Ireland will become the EUs primary data centre -- it has the right combination of climate, tax rates, tech presence, political diplomacy and data protection laws.
In many cases though the ruling will probably just result in an extra line on the EULA.
Or maybe you were referring to the political climate?
https://en.wikipedia.org/wiki/Climate_of_Ireland#Climate_cha...
If you lived in Ireland I'm sure you'll agree the weather is "very consistent" in a sense.
( https://news.ycombinator.com/item?id=10264410 )
Change nothing of what you do, keep mishandling user data, but if ever eu sues us we will sue employees back.
So in the end data is not protected anyway and safe harbor is a smoke screen at best.
And yes i get the yearly joke training.