[fxtentacle]

That "disclose customer data to a third party" violates article 44 of the GDPR if there's no matching exemption to allow it. One possible exemption would be if the recipient is also bound by the GDPR. But obviously, the US government is not bound by GDPR. So anything that would allow the US CLOUD act to access a EU customer's data is a GDPR violation.

[mbesto]

"So anything that would allow the US CLOUD act to access a EU customer's data is a GDPR violation"

Which is essentially the argument and is a huge legal grey area right now.

Similar situation here:

The EU’s data protection supervisor (EDPS), which oversees the bloc’s own institutions’ GDPR compliance, has been looking into the European Commission’s use of Microsoft Office 365 since May last year — as well as probing EU bodies’ use of Amazon’s cloud services.

The European Data Protection Board (EDPB) also kicked off a related coordinated enforcement action in February that it said would focus on the public sector’s use of cloud services — which it said would take about a year to report, with the aim for the action to harmonize regulatory interventions in this area.[0]

As you can see, nothing has happened yet and this is all still evolving. It seems pretty clear that the EU is using GDPR as a political wedge to drive business back to their countries (despite company's in those countries clearly having a desire to continue to use those products and services). Again, it's not as black and white as you are making it out to be - it's still be fought.

[0] - https://techcrunch.com/2022/11/28/microsoft-365-faces-darken...