
Encrypting is a given - obviously you'd want to only be using SaaS services in Germany etc that are fully encrypted. The problem in using USA services is that even if everything is fully encrypted, the USA can and will send goons around to take your data. Encryption is simply useless when dealing with a company in the USA who is forced to hand over the keys and whose data-centers can be legally entered and modified by thugs. Once someone has physical access to the server, the game is over.

Germany is a better bet. While they are no doubt tapping lines, Germany and the EU have made no moves to actually perform hostile interventions into data-centers or private servers. This means that encryption is still a very viable security measure for protecting your data in the EU. The EU simply has a far better track record with privacy related issues.

It's not about perfect security, it's about getting the best security you can hope for - and that means moving away from anything USA hosted.



Don't choose Germany. We may have strict privacy laws here, but we also have the BND cooperating with the NSA, tapping directly into the main internet nodes (Frankfurt). And don't forget that part of the method of the NSA is to use a mule inside the target company, which would be very easy in Germany given its status of being a wannabe ally of the USA and the longstanding sympathy of the German public for the USA.

And Germany has also laws which force every mail provider to install an access point to the German authorities and intelligence agencies. I am not sure if also a generic saas platform would have to do it, but it is quite possible.

Better pick Switzerland or Island.


"And Germany has also laws which force every mail provider to install an access point to the German authorities and intelligence agencies. I am not sure if also a generic saas platform would have to do it, but it is quite possible."

Thanks for the heads up - as I said in the OP, it really is a difficult task. Those kinds of laws are exactly what need to be avoided when choosing a country to host in. I don't believe that this kind of thing can be carried out in absolute silence though, so if a country is actively modifying and silencing hosts it's fairly likely that word of it will leak somewhere.

If I get a chance, I might try to put together a red/orange/green overview of known laws and practices in different countries that would affect hosting services there. Unless someone is already working on that and needs a hand?


Since there seems to be some interest, I put together a very simple map with a couple countries filled in at random with shaky data.

It's up on github, so hopefully everyone can submit pull requests with data and we can crowd source ourselves a very informative map.

https://github.com/Ryan-ZA/hosting_safety_map

EDIT: I also submitted a link to it on HN. Hopefully interested people will see it and can help out with data.

https://news.ycombinator.com/item?id=6182001


I was surprised to see Canada green on that map.

We have a great privacy commissioner ( http://www.priv.gc.ca/index_e.asp ) but the office holds no power so far as I can see, and the Canadian government has a pretty solid track record of being obsequiously cooperative with U.S. interests.


Canada is green simply because nobody familiar with Canada's security politics and policies has chimed in yet and there does not seem to be any evidence of foul play that is visible from an outsider's perspective.

Cooperative with U.S. interests is generally assumed by almost any country - this map is more about the (hopeful) safety of your servers in data centers in different countries.


I think you can pretty much colour the Echelon Five Eyes countries (USA, Canada, UK, Australia, New Zealand) red right off the bat. If they don't have totally intrusive surveillance legislation yet they will have soon - New Zealand is currently trying to implement it.


Please do this! This would actually be very useful.


Please do. If there's anything I can do to help, reply to this comment as I don't have any contact info on my profile.


If you do that, could you send me a mail? I'd be interested.


It took me a while to understand that you probably mean Iceland.


I did - Island is the German name. Happens from time to time that I mix languages.


EU is a very generic term here. There is very little consistency across member states on this topic; UK laws, for example, are probably worse than US ones in most cases. I'm not 100% sure, but I believe Italian ones aren't much better atm.

The short-term answer is to encrypt everything users have to store, and don't handle their keys, but it's a stop-gap: the only real answer is political and that's where things have to be fixed for good.


Then the most obvious answer to me seems to use technology to affect the political landscape.

How that actually manifests itself, depends on how desperate people become to retain some sovereignty over their livelihoods… which begs the question, where are we now and who could provide the resources/environment to foster the type of change that is needed?


Where exactly are these keys going to be stored?

Users can not and will not securely manage key material.


The EU has minimum standards for surveillance and most EU member states are clearly American vassals. Even France proved to be a vassal in forcing the Bolivian president's aircraft to make an unplanned stopover in Vienna … and even the neutral countries are fully in favor of surveillance – Switzerland for example is just revising its surveillance laws and many other legal areas, for example copyright, see an increased level of surveillance too.


I thought France disavowed that involvement? Wasn't it just Austria bloviating, or was it hasty ass-covering by France?


Germany sends goons to take data as well, as does every country in Europe.

http://arstechnica.com/tech-policy/2011/05/german-police-sei...



