Are you collecting personal data from EU online or retail customers on a U.S. server? You should reconsider your data storage policies!
The European Court of Justice – the court that I often refer to on this blog for its VAT rulings – today issued a judgement that basically says that U.S. servers must not store personal data / user data of EU residents.
The reason is that the U.S. legislation does not provide adequate protection from ‘snooping’ government agencies. The NSA security leaks that Edward Snowden exposed are specifically mentioned in the ruling.
I wrote earlier that some countries have bilateral treaties with the U.S. that would allow such data sharing. See here: http://www.us-vat.com/blog/?p=1075.
It now seems that these bilateral agreements are invalid, at least to the extent that they cover personal data. Company data (like financial data used for the VAT returns) seems safe from what I can read from the judgement (but don’t rely on that!).
Credit card data, IP addresses, email addresses etc. of EU residents are considered personal data and can no longer be stored on U.S. servers. If your company is doing that, for example because you are an online seller of downloads to EU customers, or because you are a retailer that keeps EU customer data on a U.S. server, you may run into legal trouble soon.
The entire ruling is here: https://tinyurl.com/oogq5zo
And the press release is here: Download (PDF, 44KB)