Similar to the Cookie banner, you'll probably have to indicate to your subscribers that their data will be resident outside the EU and will not be subject to the same data protection. Subscriber proceeding will indicate agreement with that.
No, the data protection directives are not something you can opt out of, even if you nicely ask your users with a banner.
Note that the original point of the cookie banner law was not to ban cookies, but to inform users about them and allow users to avoid websites storing information about them. The consequence of that law is terrible and we all know that with the banners everywhere, but at no point was it "cookies are forbidden, but you can bypass it with user approval", it was "cookies are allowed but require approval".
Storing EU citizen data without respecting the data privacy directive is forbidden, period.
Actually, the fundamental rule of data protection legislation is that an organisation can store data on its subscribers and cannot, except in limited legally prescribed instances (e.g. lawful intercept, insurance fraud), share it with another organisation.
The issue at the core of the Schrems case is that Facebook, for example, is not bound to respect this, or any other fundaments of EU data protection law.
However, if you register with a website that is clearly and overtly outside your data protection jurisdiction then it is "you" who is freely providing that data. Just as you might give personal information over a transatlantic phone call.
The EU has no jurisdiction where the company is not in the EU, and cannot prevent an individual from sending their private information outside the jurisdiction if they want to.
But various of these multinationals such as Facebook are in the EU for various operational reasons and as such the EU does have jurisdiction over them.
Perhaps more relevant to the data retention laws would be a site sharing passport numbers, names and addresses of EU citizens, perhaps collected at stays at motels/hotels across the US? The site might host them for free - but keeping/sharing that data without consent wouldn't be allowed under EU law. The particular example would probably also be illegal according to one or more US laws (state or federal) -- but I think it is still more interesting than the rather silly things people get hung up on?
If it's a US organisation (and not a multinational like FB), with data collected in the US, the Data Protection Directive does not apply. The fact it's merely EU citizens is irrelevant.
> The NSA will not stop gathering data on EU citizens
This is precisely the reason for the ruling. US policy will not guarantee that NSA won't snoop on EU citizens, therefore "safe harbour" is null. You're either respecting the other jurisdictions or you're not.
The issue here is not that the "law failed to do what it promised", it's that the "law was not implemented as promised". It can still fail even with the right implementation but at least now such practices facilitating such failures are now understood by everybody to be illegal. It is not "Okay" any more.
As you probably know, you can't comment like this on HN and we ban accounts that do it repeatedly. Please post civilly and substantively or not at all.