by lucio 3910 days ago
...and now the advantage is political, not technical. This is a bad road to follow, EU bureaucracy is a destructive force.

The agreement that was in place allowed US businesses to self-certify and then sign a voluntary list at the US Dept. of Commerce which made them untouchable in the EU.

Why? Well, because the agreement says so and because any legal proceedings would be in the US according to the agreement and enforced "primarily by the private sector". Because that makes sense right? Courts, lawyers and laws are so boring anyways...

This change means that EU countries can now question the claim and act if it's a lie. Since the EU is moving to harmonize data storage laws among its member countries, there won't be any bureaucratic mess, only a return of citizen rights.

[0] http://www.export.gov/safeharbor/eu/eg_main_018476.asp

[EDIT] Ah, yes, the data storage location thing. That's mainly a consequence of the NSA thingy. Thanks to that no US company can any longer fully claim that any data stored in the US can be kept private. It's kind of silly since everybody spies on everybody else but the US got caught.

>EU bureaucracy is a destructive force.

It's a defensive force in this case.

Have people suddenly forgotten what happens with data in the US?

If intent and actual effects of EU cookie law are anything to go by, EU Safe Harbor is going to create:

- a "value-add" or middleman opportunity on the service provider side (think hosting companies differentiating themselves as compliant, like in the discussed piece, or offers of "one stop EU compliance", and similar check-box ticking);

- more annoying popups for users ("this service is not available in your country", "click here to acknowledge you are outside EU", etc).

> Have people suddenly forgotten what happens with data in the US?

I am afraid that this EU law will not protect your data against those who made the laws.

It's not all about the US government, though.

US companies act fast and loose with personal data even when the US government is nowhere to be seen.

Is it really just that? I don't think so. Safe harbor has always been a joke to begin with. A promise of good conduct with no checks whatsoever, that's not how humans work.

Forcing the data to be in the EU makes it much harder for the US govt to look at the data in bulk and non-obvious ways, as they now have to either backdoor remote systems or transmit data back, instead of just having their little machine in the datacenter.

Of course, EU will have their own little machine in the EU datacenter, but at least the intelligence gathering is then split (which helps protect EU companies from US companies - in case you did not notice and you're born yesterday, companies govern the world, not the government per se.)

Now to implement user-side and end to end crypto in everything regardless..

Have you forgotten about GCHQ and their "illegal" data exchange to overcome legal hurdles? And I wouldn't vouch for other friends of the USA who exchange data in bulk at >10% (the self-imposed German limit). Denmark, Sweden and the Netherlands would come to my mind. There are huge US listening posts in almost every European country.

So even inside the EU there's not a safe harbor as you don't know the percentage and the filters in place, the secret interpretation of laws, and cooperation, infiltration and hacking into the main exchanges and cables.

I think focusing on the intelligence aspects is a bit of a distraction. The court in question was asked whether there was a case to be heard at all ("does this safe harbor thing really do what it says on the tin?") and the outcome, as we know, was "no", but not (only) due to vague, undocumented (by court standards) foreign intelligence activities, but rather simply because of the plain fact that, unlike against an EU operator, EU citizens have no legal recourse against companies in the US in the event of disputes such as the one in question.

It's this lack of legal process which means that the safe harbor agreement did not provide equivalent protections required by the charter, without even considering the spying angle.

That's the key take-away. This is a massive advantage for entrenched, larger companies. They're getting a special political protection order, which is unlikely to be available to everyone. It's a big loss for pretty much everyone else until a better framework is found, which could take years. The EU is handing AWS a leg up.