[DavideNL]

If "company X" (a customer of Amazon) is sharing EU citizens data through amazon AWS to the US, who is sharing the data? Amazon or "company x" ?

Amazon has approval from EU data protection authorities, but "company X" apparently doesn't need approval?

[stingraycharles]

I don't have a concrete answer to that, but my experience in the online advertising industry and the associated laws tells me that it is the end-user facing company that is going to get the blame in case something goes wrong. They might get away with it in case they really, really did their due diligence and were unable to be aware of any wrongdoing, but that's going to be hard to prove.

For example, if a publisher decides to make money using some shady ad network, and that ad network distributes malware / violates privacy rules / whatever, the publisher is the one that's going to hang for it, not the ad network. This will mean that publishers are naturally incentived to get really good guarantees that the ad network (or, more relevant to this point, the hosting company) isn't violating any laws. I suppose there will be some standardized compliancy test that these hosting companies will be doing to give their clients some assurance that it's safe to host their data with them.

In the end, I think this is good for EU citizens, and sucks for the people who have to deal with the laws.