[michaelbuckbee]

The context for this: say you're a SaaS and you want to tap into the EU market. Per GDPR, personally identifiable data shouldn't leave the jurisdiction of the EU so you should use EU hosted servers, storage etc.

So you might then split your app to an EU hosted datacenter of your preferred cloud provider.

This ruling says that's insufficient as while the data remains functionally in the EU it's still possible for it to be accessed on the backend by non EU entities.

[CGamesPlay]

> it's still possible for it to be accessed on the backend by non EU entities.

Why is this the case? Why aren't EU employees who allow the data to leave the EU negligent?

[michaelbuckbee]

It's not the employees so much as the legal aspects of it: aka could the FBI compel a cloud provider to give them all the data in the EU datacenter?

[rad_gruchalski]

Do you mean "liable" instead of "negligent"?

[jaywalk]

What if there are no EU employees?