All of that is half of the fun
Now add the other half - USA agencies insisting that they have full right to access any data that is _ALREADY_ in Europe if it is held by an American company.
The European Court of Justice’s decision to rule the EU-US safe harbour agreement invalid is causing panic among some companies dependent on keeping data flows going ... but Google and Facebook are probably prepared for it. Much to the satisfaction of those who have long condemned US data collection policies, the landmark …
They seemed to be designed for both 'full employment' for EU data center engineers and making sure that EU law enforcement has full access to the data.
Privacy is just the excuse they are using to justify this, because, strangely enough, EU citizen data would be safer from EU governments if it was in the US....
"With today’s verdict it is clear that these transfers were in breach of the fundamental right to data protection," added Albrecht. "It is now up to the Commission and the Irish data protection commissioner to immediately move to prevent any further data transfers to the US in the framework of Safe Harbor.”
Not precisely Jan Philipp, if I understand the judge correctly; the higher court (I think there was another in between somewhere) indicated that "safe harbour" shouldn't be used as reason not to consider potential breaches, so the Irish DPC should now consider such potential abuse (and perhaps prevent further transfers as part of any remedy). Not quite so cut and dried.
Anyone taking bets on how long the Irish DPC will take to make such consideration?
Most (not all) of the data Facebook and Google use is public information.
All it would restrict is user identification, credentials, and non-public information from being passed. The non-public information is already not passed, except perhaps as a backup.
Using the US for backup might still be possible - if it is bulk encrypted first, with the keys remaining in the EU. (by "bulk encrypted" I mean hundreds/thousands of users in a backup set). Personally, I would prefer multiple layers of encryption...
first a site level encryption for the data, a second level used to send the data, and a third level at the recipient site. The only keys that could then be exposed by government order is the third level... The other two would still protect the data.
Of course, this could have been avoided altogether if the US (govt and companies) had taken the issue - right to privacy in general and its modern aspect data protection in particular - seriously in the first place; ultimately the solution is for the US to adopt proper data protection legislation like just about any other advanced country (this has its origins in the OECD, after all), for US companies operating in the EU the solution is simply making a sincere effort to obey the law there.
"ultimately the solution is for the US to adopt proper data protection legislation"
does not and would not matter. US has anti-terror legislation that trumps any other legislation, meaning that whatever data protection laws are in place, spook agencies can get access to that data with a secret warrant, and whoever the data is being taken from cannot mention it, so all data on US soil is always accessible by potentially hundreds of thousands of people across multiple law enforcement/spook agencies.
In theory of course a particular person's data is only accessed and used if this person is a genuine suspect, but in practice there is a large history of law enforcement identifying the wrong person, or identifying the right person and raiding the wrong address, of use of law enforcement privileges for personal agenda and so on.
When US, related agencies, EU governments etc say "trust us, this will only be used for intended purpose", who can blame the people to NOT trust them, given that historically that trust has zero zilch nada to be based on?
This problem has been around for well over a decade, and it has been allowed to persist because it got a stiff ignoring from US companies instead of an open debate. Of course, this is understandable to a degree because it directly impacts their ability to sell into Europe, but sticking it under the carpet doesn't fix it, only open discussion about it.
The most painful part for US companies is that there is no such thing as a quick fix. Even Safe Harbor was just a badly thought out excuse, it was not a fix. Now the US will have to look at the fundamentals and decide if Europe is worth addressing their legal problems for. Given the amount of money they dragged out of Europe over that decade I suspect it is, but that will not stop them from trying to bullshit their way around the problems first. Let's make sure they can't.
"Even your musical doorbell has been backdoored by GCHQ/NSA"
Day-um! My IoT doorbell will have to go, I really enjoyed the convenience of clicking my smartphone app and having my data fly off to the googleplex to check if anyone had pressed it recently or to change the programmable chimes from a wide selection of low low cost choices in the doorbell app store.
“retaliation from US authorities”
What! Will they leave us all alone with their Ukrainian neocon scheme and suffer exposure to the chtonic evil of P.U.T.I.N. all alone? Will they stop pretending to bomb ISIS? Will they close embassies? Inquiring minds want to know.
The perceived need for Data Protection, and the ineffectiveness of the Safe Harbour agreements in providing that protection are really just symptoms of a more profound underlying problem; who is being served, and by whom i.e. do governments and business exist to serve us, the people, or do we exist to serve government and business?