The EU court just invalidated Safe Harbor, and I’m trying to figure out the ramifications & the required changes, as an EU-based B2B SaaS bootstrapper.
Many EU-based SaaS bootstrappers leverage all kind of US-based services (think: Mandrill, Mailchimp, Heroku, AWS, EngineYard, and many more), provided that they were Safe Harbor compliant, to make their current work possible.
Since the Snowden revelations occurred, it became clear to me that Safe Harbor wouldn’t hold too long in its current state, since otherwise it would have been a blatant joke. It “just” took one persistent activist (Maximillian Schrems) and we’re there today.
So now as bootstrappers, I’m left with questions such as (brainstorming):
- Are we indeed required by law to stop using US-based services in their current form?
- Is there a legal way (like asking customers consent explicitely) to still use these services?
- If we start using local alternatives (sometimes less good, or even less secure in a way), won’t that cause issues later for US-customers (I’d expect US to backfire in a way, maybe in a couple of months / years)?
I hope to start a useful discussion (pragmatic takes, no trolling, no “this is all NSA’s fault” & other opinions - let’s keep this usable), a bit like what @rachelandrew did for EU VAT.
If you have interesting facts or understandings, please share
(As a sidenote, I can say I’m seriously considering targeting France only for my next SaaS (at least to get started), because finding Safe Harbor providers, then EU VAT complexities, then now this, is getting tiring).