This article reminded me of a question that's been nagging at the back of my mind ever since the ECJ ruling came out, striking down the Safe Harbor pact: what, exactly, does "personal data" *mean*?
I mean, the Safe Harbor thing is a fairly real and immediate question for me: Querki, like most cloud systems, is trying to be international in scope, and I'd prefer that folks from Europe be able to use it without difficulty. The question is, am I going to have to tie myself in knots architecturally to do so?
And that comes down to the definition of "personal data". By many definitions, I think we're free and clear -- one advantage of my firm "Querki is not another freaking social network" stance is that it contains precious little of the sort of personally-identifying information that is often the lightning rod for these arguments. I have no intention of recording credit card information or anything like that (that's what third-party payment processors are for). Querki follows LJ's attitude towards identity: we not only don't require wallet names, I'm kind of biased in favor of pseudonyms in general. In the medium term, we probably won't even require email addresses or passwords -- we'll allow OAuth2 login by linking to a Facebook/Google/Twitter/etc account.
That said, Querki is all *about* creating and storing information as you choose. If you create a Space in Querki, is that "personal data"? If you comment in someone *else's* Space, is that "personal data"? Trying to separate that sort of stuff based on country of origin is, to say the least, a nightmarish prospect.
In all the news coverage I've seen so far, none of it has clarified this. Does anyone have a pointer or two to the legal definitions in question? It would be useful to know now whether any of this actually affects the running of my company...