I understand that data being sent to the US is perhaps out of Europe's control. But how much do they really know about the treatment of data that stays in European data centers? I'm just surprised that the enforcement is about where the data is stored and not about whether actual (or should I say: other) privacy violations (against European laws) have occurred.
Note that originally a data transfer to the US was not a problem at all. You signed a piece of paper that said "European data privacy protections apply in the US as well" and all was good. There was even Safe Harbour and later Privacy Shield to give a sort of blanket statement that this was true.
Except courts repeatedly mentioned that US law does not provide the necessary protections for non US citizens rendering all these statements invalid. The root of the issue are the FISA courts.
The core of the issue is the CLOUD Act, which was passed very recently -specifically to force US tech companies to comply with subpoenas on data stored in the EU. This is basically the Hague Invasion Act[0] for data privacy. It commandeers nominally private US tech companies into arms of US law enforcement for crimes committed in EU territory.
The non-US citizens thing is a related issue[1], but it's not what started this current row of GDPR export lawsuits. However, I don't see the EU courts letting this go until and unless the US and friends drop the whole "noncitizens don't have rights" shenaniganery.
[1] Five Eyes - effectively the Anglosphere's spymasters - realized that if you say "only citizens are protected by privacy law", then nobody is protected by privacy law, because you can hire your allies to infringe upon your own citizens' privacy.
I think there's a rock and a hard place here because a US company being able to just move their incriminating documents over to a different datacenter to make them untouchable by US law enforcement is a loophole you could drive a yacht through.
TIL that ACLU filed[1] a motion in the FISC to have its pre-2015 precedent-setting decisions released (post-2015 the USAFREEDOM Act makes such release mandatory); FISC denied jurisdiction (aka “go tell Congress to fix their stuff”, which I suppose is OK?), FISCR as well (same), the Supreme Court refused to review that (?!..).
