[ben_w]

I’m not a lawyer, so take the following with a pinch of salt.

My GDPR compliance training said that data strictly necessary for the provision of a service is something a business can freely use to that end without explicit consent. This is why GitHub doesn’t show cookie popups: https://github.blog/2020-12-17-no-cookie-for-you/

So “User @Alice sent $message to user @Bob” is necessary for a chat platform, but “Notice to advertisers: User @Alice posts a lot about cars, cats, and funny shaped carrots” isn’t even though advertisers pay for the continued existence of the service.

[likpok]

Is answering subpoenas in the US strictly necessary for the provision of a service? I believe that's the wrinkle with Privacy Shield.

[ben_w]

I sincerely doubt that I understand enough about the topic to apply what little I’ve heard through the media about the Schrems judgements and the decision to invalidate the Privacy Shield framework and its predecessor to answer that.