
It's going to get complicated for companies working together with US mass surveillance programs like PRISM. US secret services violate the essence of human rights of the EU and therefore it is unacceptable to transfer personal data to the US.

Up until this decision there was somewhat of an excuse for companies like Facebook, Apple, Microsoft, etc. since there was this Safe Harbor agreement that basically just stated that 'everything is fine.' But now, Safe Harbor is dead. And making another Safe Harbor agreement will probably fail.

This is not something that can be resolved by Facebook with an update to the Terms of Service. Probably because it would be invalid anyway according to EU law, but also because they are bound by gag orders from secret services that explicitly forbid them to state what exactly they're doing to the data. At this point, it is completely unclear what will happen and what Facebook and other US companies will do.

One possibility is to store data in the EU, effectively hiding it from US mass surveillance. However, there are most likely significant costs involved with such an approach.

We need to wait and see. These are interesting times.




>effectively hiding it from US mass surveillance

How effective would it really be?


If Facebook had EU servers, then they would need access to the data on those servers from the USA. Technically the NSA can still force everything out of Facebook in the USA, I guess.

But this will again be incompatible with EU law. According to the ruling of the CJEU (at least what I understood from it), any company collecting data cannot hand this data over to an entity which is suspected to take part in a system of mass surveillance. Thus, as long as the NSA can reach Facebook's EU servers, it shouldn't legally be possible to have Facebook in the EU.

So I'm really interested in what kind of solutions they will find. If I needed to guess, and the CJEU ruling is the guideline, I'd say that this is a thing that Facebook, Apple, Microsoft, etc. can't really solve by themselves. Rather, the US government needs to take action. There needs to be some agreement.

But, if the EU insists on its stance, that agreement would have to be really weird since not even US citizens have that kind of protection from their own secret services.


It will be interesting to see how much cost companies will bear before they give up on Europe.


I used to be product manager of a popular online dating site serving the German-speaking countries in Europe. I and my team were in New York, the developers were in the UK, and who knows where the servers were. Safe Harbor made it very easy for us to work this way, but if we had to locate the servers locally today I don't think that would be a big deal.

It didn't matter to us where the data was, and for that reason I don't think it's going to make a difference to customers either. You have safe harbor because the organization gives a shit about keeping the data safe, not because a regulation makes it so.


What's your conclusion? Will it be easy or costly to have location-dependent data and will they do it?


In Europe it's just going to get harvested by the GCHQ and the other European nations' intelligence organisations.


Wrong. In _Europe_ it's going to get snarfed up by those hypocrites _and_ by the NSA.



