The EU's recent decision stating that Europe's data-transfer pact with the US violates privacy does not immediately impact companies outside of the 4,500 large internet companies that move and store personal data. (Wall Street Journal article discussing this) However, there is some cause to be concerned if you manage a Drupal site that has personal data on European citizens.
Overview of the Impact of This Ruling
Since Edward Snowden's revelations about NSA survelliance, an EU court recently ruled that companies that transfer European's personal information to the US are violating European privacy laws. These companies, like Google, Facebook and Apple, must figure out if they build data centers in Europe, how they identify this data and if/how they wil transfer any data to US servers.
For those of us who do not run one of these large internet sites, there is no immediate impact. However, it doesn't take much to imagine how many more US sites that might have personal data about EU citizens could also be made to comply with a similar ruling.
Most of the Drupal sites that we support are hosted in the US, but there are several degrees of possible exposure.
Possible Areas of Exposure
- Login and password. Small social media or blog sites might require a login and password to post. It would be hard to argue that the site truly has "personal information".
- Registration information. One step higher, some sites might require your name, location and other identifying information to post on the site. Especially given Europe's Right to be Forgotten rulings, sites like this could be impacted.
- E-commerce and membership. If you have a site that accepts payments to ship products or provide special access or downloads, you would have to wonder... Can I store this information on US servers? Can I scoot under the radar and just not be found out? As any security expert will tell you, security by obscurity is no security at all. How would you even configure your Drupal database to comply? For some, it might not even be worth the effort.
Here at Monarch, we have developed a number of membership sites and some of them have international members. Might we need to add a special EU privacy checkbox (along with terms and conditions) explicitly allowing the site to store the membership information on US servers?
Sorry I don't have any real answers. If your site does have data on European citizens, you will want to follow this closely.