As far as I know it is already an EU law and, as with the vast majority of EU laws, each member state can decide to override with additional restrictions (usually under some limitations).
In this specific case, I think Germany is the only exception, but to me it makes perfect sense: sensitive personal data like medical records should not circulate outside the country.
Even at EU level, how could Germany as a nation guarantee privacy if data is physically maintained in Ireland, where most of the US companies have offices just because of cheaper taxation...? As a country I wouldn't promise that, and as a citizen I wouldn't trust such a promise (side note, I'm Italian so I have no gain/part in this).
> In this specific case, I think Germany is the only exception, but to me it makes perfect sense: sensitive personal data like medical records should not circulate outside the country.
Having a computer on German soil does not mean that
1) the packets themselves will not travel outside Germany (hint: AMS-IX);
2) people interested in the data contained in that computer will not read it, store it, use it outside Germany.
From the technology point of view, country borders do not exist. (Unless you force a country-wide firewall).
Sensitive data must be properly encrypted. Once it is encrypted you can store it wherever you want.
I see your point, but the reality is different. Data stored is not data in transit. Both must be protected, but the attacker models are different.
Unfortunately real-world (meaning, not theoretical) encryption is not perfect, thus the mere fact of encrypting is not sufficient to let you store any data wherever you want. At least not in Germany, and at least not from my pov.
To remain on topic with this specific law, data in transit can exit German soil, provided that the recipient gives guarantees on its usage (including not storing it). This kind of law should be seen as regulating sensitive (user) data as managed by (big, multinational) organizations, which are thus required to enforce security for both stored and in-transit data.
I understand that this may seem silly, but without such laws the landscape would be way worse (consider, e.g., how much personal data is actually traded across the world for ad reasons).
That's not the point. The point is, how is the US government going to bring a case against a German company based on data they illegally intercepted sniffing traffic? If the data were on US soil, they could simply seize the computers once they knew there was offending data on them, and claim it was through an "anonymous tip" that they caught wind of the illegal activity. If the data is on German soil, they can pound sand.
> As far as I know it is already an EU law and, as with the vast majority of EU laws, each member state can decide to override with additional restrictions (usually under some limitations).
Yes, but they usually have minimums. Like "Employees must get at least X weeks paid holiday", or "Customers must have a right to return something within at least X days". In countries where X was 0, or there were lots of exceptions, a minimum brings those laws forward.