Sending data to the US and storing it there, is the very point that is being contested.
People are acting like this is a trivial problem both technically & legally but it’s not. I don’t have sympathy for Facebook but if you are a small company handling data in the EU and other data outside it I have sympathy as it’s going to cost a lot in architectural complexity and compliance costs.
How do SMS/MMS/email/etc. handle this? Are you saying they would all become illegal? Or is this law going to uniquely place requirements on social media that other communication systems do not/would not comply with?
I’m not a lawyer, so take the following with a pinch of salt.
My GDPR compliance training said that data strictly necessary for the provision of a service is something a business can freely use to that end without explicit consent. This is why GitHub doesn’t show cookie popups: https://github.blog/2020-12-17-no-cookie-for-you/
So “User @Alice sent $message to user @Bob” is necessary for a chat platform, but “Notice to advertisers: User @Alice posts a lot about cars, cats, and funny shaped carrots” isn’t even though advertisers pay for the continued existence of the service.
I sincerely doubt that I understand enough about the topic to apply what little I’ve heard through the media about the Schrems judgements and the decision to invalidate the Privacy Shield framework and its predecessor to answer that.
People are acting like this is a trivial problem both technically & legally but it’s not. I don’t have sympathy for Facebook but if you are a small company handling data in the EU and other data outside it I have sympathy as it’s going to cost a lot in architectural complexity and compliance costs.