Basically the EU is creating a PR stunt that in theory could force them to enact some minimum veneer of standards, and that PR stunt is going to have higher short-term costs for the small private sector players than the large ones.
It is entirely possible the stunt will instead pay off for the other EU governments and against the privacy of their population by getting them invited further into the club.
Collecting data which is routed internationally is a well-documented method that NSA et al. have used to skirt domestic law and grab/share the data. If you already live in country "C", and by statute your data must never leave country "C", then your data are more protected than if they had been sent outside the legal jurisdiction of country "C"'s courts.
I also didn't talk about startups, I mean small business in general.
This could be a reason not to launch your business in Europe, if the cost of "deployment" is too high. Sure, someone else will fill that hole for you, but that's less money in your bank account. :)
There will be an enormous burden on new businesses satisfying these laws - previously we've got away with privacy policies but could still code the same. If we need to maintain N servers for N countries customers could be from, that's a massive operational overhead that is bound to do nothing other than stifle innovation.
Now, I'm all for privacy, but if each country starts fragmenting the internet on country boundaries - to the level of physical servers and data storage locations - bringing a new idea to market is going to be much, much harder. This is different to, e.g., different tax regulations, etc., because you can still benefit from centralised computation while processing orders for different localities.
And while today this might be just about Europe, it sets a trend. Before it was just Russia and China. How long before all countries want to see the code a la the Chinese?
So the NSA has screwed things up for all of us now who are trying to start businesses.
If my costs go from: developer -> developer + global devops team + legal, etc., that's a massive burden that will affect the "bedroom/garage" startups.
China is a good example of how that works: they have their own search engine, blog platforms, website analytics software, video sharing sites, IM software. So Chinese users do not send their data (and money) to the USA, and the government can protect personal data from the NSA while the EU cannot.
Of course I do not approve of other things like censorship in China, but having local services is a good thing both economy-wise and privacy-wise.
With prevalent encryption on-the-wire, fibre tapping is less useful. So the way people get their privacy leaked is via hacking or other compromises. Saving to disks in a person's country of origin is probably rather far down on threats to their privacy. (Yeah, I know, if you host it all on disks in the US, then the FBI can come steal those disks. But that's less a risk than a hacking group dumping your DB on pastebin.) And a compromise to the company will compromise the data no matter where the disks are.
If countries were really concerned, they'd mandate strong security for personal info. Not like PCI where technical details are spec'd, but somehow offload it so that companies must make reasonable steps. Then have enforcement to fine companies that misbehave. Perhaps make it something where companies will want to get insurance.
That way, a startup, instead of grabbing everything, they'll ask themselves: "Hey, do we really wanna capture this info?" Just like PCI shot a lot of plans to store card numbers and CVV, a strong law could make companies think twice and plan around handling private info.
Location of storage devices might end up on the list of requirements, somewhere. Like once you store info on more than X people, you're required to address how you handle differing jurisdictions or something.
EDIT: fixed wording