Hacker News

Is there a TL;DR or a version written in plain English? Is Facebook going to have to keep EU users' data in Europe and not store it in the USA?



Not a TL;DR, but here's a very telling excerpt:

Consent has to be at least 1. freely given, 2. specific, 3. informed and 4. unambiguous under Directive 95/46/EC.

...

Users would have to be informed about the specific situation. So just saying that “data is transferred outside of the EEA”, as the Facebook terms currently do, will clearly not be sufficient to make an average user understand that his data may end up at the NSA. At the same time Facebook is still publicly claiming that it has never heard of any US spy program.

...

To get a valid consent Facebook in our example would have to be very upfront and explain that all data that is used on facebook.com is subject to mass and indiscriminate surveillance by the US government.

...

A legally binding consent under EU law can be done technically, but very likely Facebook would automatically violate the “gag order” that applies to them under US law. So basically they are trapped between US “gag orders” prohibiting proper information and EU law demanding exactly that.

...

Bottom line: We will see a handful of lawyers advising clients to simply put some additional disclaimer in their privacy policy – maybe just to have some additional argument in the public debate or before DPAs that are known to be “business friendly”, but this will not be a legally stable solution when data is processed at US companies that are subject to ‘mass surveillance’.


This is the "Snowden cookie warning" I suspected here https://news.ycombinator.com/item?id=10385807


It's going to get complicated for companies working together with US mass surveillance programs like PRISM. US secret services violate the essence of human rights of the EU and therefore it is unacceptable to transfer personal data to the US.

Up until this decision there was somewhat of an excuse for companies like Facebook, Apple, Microsoft, etc. since there was this Safe Harbor agreement that basically just stated that 'everything is fine.' But now, Safe Harbor is dead. And making another Safe Harbor agreement will probably fail.

This is not something that can be resolved by Facebook with an update to the Terms of Service. Probably because it would be invalid under EU law anyway, but also because they are bound by gag orders from secret services that explicitly forbid them from stating what exactly they're doing with the data. At this point, it is completely unclear what will happen and what Facebook and other US companies will do.

One possibility is to store data in the EU, effectively hiding it from US mass surveillance. However, there are most likely significant costs involved with such an approach.

We need to wait and see. These are interesting times.


>effectively hiding it from US mass surveillance

How effective would it really be?


If Facebook had EU servers, then they would need access to the data on those servers from the USA. Technically the NSA can still force everything out of Facebook in the USA, I guess.

But this will again be incompatible with EU law. According to the ruling of the CJEU (at least what I understood from it), any company collecting data cannot hand this data over to an entity which is suspected to take part in a system of mass surveillance. Thus, as long as the NSA can reach Facebook's EU servers, it shouldn't legally be possible to have Facebook in the EU.

So I'm really interested in what kind of solutions they will find. If I needed to guess, and the CJEU ruling is the guideline, I'd say that this is a thing that Facebook, Apple, Microsoft, etc. can't really solve by themselves. Rather, the US government needs to take action. There needs to be some agreement.

But, if the EU insists on its stance, that agreement would have to be really weird, since not even US citizens have that kind of protection from their own secret services.


It will be interesting to see how much cost companies will bear before they give up on Europe.


I used to be product manager of a popular online dating site serving the German-speaking countries in Europe. I and my team were in New York, the developers were in the UK, and who knows where the servers were. Safe Harbor made it very easy for us to work this way, but if we had to locate the servers locally today I don't think that would be a big deal.

It didn't matter to us where the data was, and for that reason I don't think it's going to make a difference to customers either. You have safe harbor because the organization gives a shit about keeping the data safe, not because a regulation makes it so.


What's your conclusion? Will it be easy or costly to have location-dependent data and will they do it?


In Europe it's just going to get harvested by GCHQ and the other European nations' intelligence organisations.


Wrong. In _Europe_ it's going to get snarfed up by those hypocrites _and_ by the NSA.

