One of the most important privacy court rulings in recent history was delivered two weeks ago when EU Court stroke down the EU-US Privacy Shield agreement. Privacy Shield agreement between EU and the United States allowed American companies to store and process EU user data within the United States.
But EU Court ruled that because United States allowed its intelligence agencies to access such data, the agreement between EU and US had to be terminated immediately. Since then, basically all American companies that maintained the user databases in U.S. soil and had EU users, were breaking EU legislation.
Problem is massive: Companies wishing to maintain unified user database must basically move it out of the United States - or United States as a country to change its national laws that permit its intelligence agencies to do surveillance on its own soil. Obviously the latter option is highly unlikely to happen.
Technically splitting user database into two separate sets, with separate rules, processes and data location would be a massive technical challenge to the Internet gients like Google, Facebook and Microsoft.
EU privacy legislation is much stricter than that of United States' similar laws are. EU citizens have, for example, "right to be forgotten", which means that upon a personal request, company has to remove all identifiable data of the user from its records, logs and so on. EU's privacy legislation, dubbed as GDPR, applies to all EU citizens and it doesn't matter if the company handling the data is not EU company - in order to collect EU citizens' data, all companies must obey the legislation.
The EU-US Privacy Shield agreement covered more than 5'000 companies, which included startups, but also the largest Internet companies of the world.
Currently all those companies are basically in legal limbo - they have to figure out a way to avoid U.S. intelligence agencies snooping EU users' data, but also to find a way to keep their services running similarly to all their global users. Companies can, to certain extend, still transfer data between U.S. and European Union, under so-called Standard Contractual Clauses, but all such data is within EU's GDPR's reach, too.
Typically a massive court rulings like this comes with a grace period, but in this particular case, the ruling Privacy Shield agreement was terminated immediately.
Problem is massive: Companies wishing to maintain unified user database must basically move it out of the United States - or United States as a country to change its national laws that permit its intelligence agencies to do surveillance on its own soil. Obviously the latter option is highly unlikely to happen.
Technically splitting user database into two separate sets, with separate rules, processes and data location would be a massive technical challenge to the Internet gients like Google, Facebook and Microsoft.
EU privacy legislation is much stricter than that of United States' similar laws are. EU citizens have, for example, "right to be forgotten", which means that upon a personal request, company has to remove all identifiable data of the user from its records, logs and so on. EU's privacy legislation, dubbed as GDPR, applies to all EU citizens and it doesn't matter if the company handling the data is not EU company - in order to collect EU citizens' data, all companies must obey the legislation.
The EU-US Privacy Shield agreement covered more than 5'000 companies, which included startups, but also the largest Internet companies of the world.
Currently all those companies are basically in legal limbo - they have to figure out a way to avoid U.S. intelligence agencies snooping EU users' data, but also to find a way to keep their services running similarly to all their global users. Companies can, to certain extend, still transfer data between U.S. and European Union, under so-called Standard Contractual Clauses, but all such data is within EU's GDPR's reach, too.
Typically a massive court rulings like this comes with a grace period, but in this particular case, the ruling Privacy Shield agreement was terminated immediately.
