by zeroflow 1561 days ago
IANAL.

You can store them outside the EU and/or with US companies, but that provider/country needs to provide the same level of data protection as they would have in the EU.

Practically, this excludes anything related to the US due to the CLOUD Act.

They've tried making this whole with the Safe Harbor and later Privacy Shield framework, but that was overturned by the European Court of Justice.

1 comments

Note that this is not (only) about the physical location, but also on the legal side who can access the data.

Even if the US company runs the servers in Europe it doesn't matter. U.S. government can request compliance with the CLOUD Act.

Larger companies try to do a little legal firewalling, by having European customers being customers of an Irish company, not the American HQ. However there are doubts whether such a setup is enough.

On the extreme there are attempts like the Microsoft-T-Systems cooperation, where Deutsche Telekom / T-Systems was running an Azure Cloud Region in Germany, however too few customers were willing to pay the premium and accept the restrictions of being bound to a single region.

Everybody is playing the waiting game, how privacy agencies, courts, ... are going to deal with that and whether there will be a new attempt of a privacy agreement between EU and US.

If this is true, then no American company can do business in EU.

Because the US government can always request compliance with CLOUD act.

Yes, if a company can't follow law, it can't do business. In this case US law and EU law contradict each other. If the governments can't find a compromise (previous attempts for compromise have been overturned by courts) or won't change legislation, companies have to pick how much legal risk they are willing to take. And GDPR-enforcement slowly increases.

See for instance https://www.cnbc.com/2022/02/07/meta-threatens-to-shut-down-...