by Hanschri
1313 days ago
It is correct that the CLOUD Act complicates things. The issue is that servers located within the EU but operated by American companies have some form of remote access to the hypervisor, meaning US intelligence agencies can compel these companies to hand over data and the encryption keys for that data, even if it is physically located within the EU/EEA. Before the Schrems II judgement[0] by the European Court of Justice, companies in the US could use the EU-US Privacy Shield[1] to ensure adequate protection of EU personal data. The Privacy Shield agreement replaced and improved upon its predecessor, the Safe Harbor agreement, which was invalidated by the Schrems I case. Transfers between the EU and the US can still be legal, as long as standard contractual clauses (SCCs) are used, although this requires more effort after the Schrems II case than before. Companies are now required to verify the privacy protection in the recipient country in order to use the SCCs. The first source provided gives insight into what is required of US companies to comply with GDPR when transferring personal data to third countries. As an anecdote, a guest lecturer for a master's course I took this semester mentioned in passing that transfers to the US are almost as bad as transferring personal data into China.

[0]: https://www.gdprsummary.com/schrems-ii/
[1]: https://www.gdprsummary.com/gdpr-definitions/privacy-shield/