by squinta 1560 days ago
This is one of the best answers I've read to this question.

It's not only the CLOUD Act but also the FISA Act and Executive Order no. 12333.

The EU data protection head has made it clear that Standard Contractual Clauses do not suffice as a workaround. EU and US administrations are trying to work out a working compromise, but no progress yet (and frankly, not likely to happen soon, as there are more relevant priorities).

Courts are slow, but they are starting to affirm the EU law.

For example,

the Austrian Data Protection Authority (DSB) ruled that the use of Google Analytics and the transfer of personal data to the US violates the GDPR.

the French data protection authority (CNIL) also confirmed that these personal data transfers to the US are a violation of the GDPR.

These are the first decisions from EU data protection authorities in response to 101 complaints filed by https://noyb.eu/en, so more to follow...

Quite obviously, the same principle applies to any service that sends data to the US. (For example, fonts can be used to track users; IMHO push notifications might be next, because, even if encrypted, they provide data^Hmetadata that, combined with other data, reveal a lot about users' behaviour...)

The Portuguese Data Protection Authority ruled re. data processing carried out by Cloudflare for the Portuguese National Statistics Institute. Cloudflare declared that it uses its own servers in the European Union, but CNPD noted that Cloudflare had data centers all over the world and there was no evidence that, in the event of an emergency situation or legal order, personal data could not be transferred outside the EU to jurisdictions that don't provide equivalent protections.

The CNPD had ordered the immediate suspension of data flows to the United States despite the adoption of the standard contractual clauses.

Expect more of these decisions in the coming months.