
At this point, virtually no digital service - or in fact no business - can be considered to be compliant with GDPR. The reason for this is an ECJ case ruling informally known as Schrems II (https://www.gdprsummary.com/schrems-ii/ ).

That ruling not only invalidated the Privacy Shield agreement, but in fact prohibits the transfer of any data to any company affiliated with a US-based company in any way (including subsidiaries or even mere suppliers or customers), which comprises pretty much every company out there - US-based or not - because in today's globalized economy you'd be hard-pressed to find a company that doesn't in some way at least transitively deal with US-based companies.

Technically, the reason for this is the US CLOUD Act (https://en.wikipedia.org/wiki/CLOUD_Act ), which requires US-based companies to hand over any data, regardless of where that data is stored geographically. This also means that the common naïve assumption that you're safe in terms of GDPR as long as your data is stored in EU-based data centres is false as well.

So, when following GDPR and this court ruling to the letter, we'd (as in "everyone") pretty much have to stop trading and doing business altogether. Since that's (hopefully) not going to happen, none of this is enforced, at least not consistently or according to the rule of law (which in a way is even worse because at that point law and law enforcement become arbitrary and fines will be imposed based on how eagerly local authorities pursue these matters rather than universal principle).

Now, it can be argued that the EU and GDPR really aren't to blame because it's the US CLOUD Act that created this issue, after all. That CLOUD Act indeed is hugely problematic, to say the least.

However, the problem remains and it's on the EU to negotiate an agreement with the US that allows companies to legally do business in the real world (as opposed to an ideal world according to GDPR) again.




> it's on the EU to negotiate an agreement with the US

Wouldn't it be equally on the US to negotiate an agreement with the EU to maintain the global dominance their tech sector currently enjoys? I don't see a categoric reason why the EU should blink first.


The EU's relevance and clout is notoriously overestimated, particularly when it comes to the digital economy. There's this pipe dream that GDPR would somehow jumpstart a privacy-focused digital economy with viable alternatives to US-based services, cloud providers in particular. By and large, these ideas so far have proven to be unrealistic, delusional even.

Let's consider the possible ways this might play out:

1. The US maintains its position and the CLOUD Act, specifically. The EU maintains its position and GDPR and the Schrems II ruling, but doesn't strictly enforce those.

So, pretty much the status quo as it is today. In that scenario, the EU and local authorities will keep pestering EU-based businesses here and there, but overall prove they're a paper tiger with lofty ideals but no power or will to back those up with action.

From a US perspective, that's not only an acceptable but even a desirable outcome, because a relevant international party decided to deliberately hamper themselves and their economy with no repercussions for the US. So, no need for the US to blink first, or at all, as a matter of fact.

2. The US maintains its position. The EU maintains its position, too, but contrary to the first scenario does suddenly decide to strictly enforce GDPR and crack down on any business that doesn't comply.

Since, as outlined above, this would mean pretty much every business under EU jurisdiction, the entire economy of the EU would come to a grinding halt within weeks, which in turn would probably lead to major insurrections and the EU ceasing to exist within a matter of weeks as well.

This of course would entail major turmoil and crisis for the world economy as a whole as well, but the EU and EU countries would suffer the most.

So, not exactly a desirable outcome for the US. However, there'd be no need for the US to blink first in this scenario either. If a player decides to commit economic suicide, why should the other player indulge them?

3. The US maintains its position. Again, the EU maintains its position, too, but contrary to scenario #1 and #2 not only decides to strictly enforce GDPR, but first entirely extricates itself from the US economy (i.e. mercantilism 2.0) by not only requiring businesses under EU jurisdiction to cut all ties to the US but by managing to provide viable alternatives to US-based services first.

As pointed out above, so far this hasn't been happening and there's no obvious reason why that would change all of a sudden.

Still, even if such a scenario were realistic, the economic consequences probably would be more severe for the EU than for the US, too.

So, again, no need for the US to blink first.

Hence, in any possible scenario - however likely or unlikely - the US can simply wait it out and it's on the EU to make the first move.


> the entire economy of the EU would come to a grinding halt within weeks,

You may have a better insight into this, but could you elaborate a little further? Is the entirety of the EU running everything on AWS the way the US seems to be, thus making it a vulnerable monoculture of sorts? For example, I can see some heavily digitized countries suffer (Germany, Estonia), but not all of them seem that independent of paper documentation.


As outlined above, simply having a US-based supplier or customer might be enough for a business to be in violation of GDPR.

Even if your entire business is offline and all your processes are still paper-based (which today would be highly unusual, even in less digitized countries such as Germany, where quite a few businesses actually still rely on paper and - indeed - fax for at least some of their processes), that might still be the case.

More realistically, any run-of-the-mill SMB will use at least some digital tools, e.g., for accounting or for running their website. Relying on EU-based suppliers and EU data centres exclusively or even going all the way and storing everything on-premises doesn't necessarily mean you're compliant with GDPR.

If only one of those EU-based suppliers has any dealings whatsoever with just one US-based company you're technically in violation of GDPR again.


> There's this pipe dream that GDPR would somehow jumpstart a privacy-focused digital economy with viable alternatives to US-based services

I would like to see this, but given the extremely shitty track record of European software projects (400 million Euro wasted on a search engine, just as an example), I can only agree that this is very unrealistic.


The issue is older than that:

it dates back at least to the warrantless wiretapping authorized by Bush with the 2001 Patriot Act and legalized with the 2008 update of the US Foreign Intelligence Surveillance Act,

being incompatible with the 2000-2010 Charter of Fundamental Rights of the European Union,

making the 1998-2000 Safe Harbor agreements between the US and the EU null and void,

as first judged by the Court of Justice of the European Union in 2015 (Schrems I).

GDPR (2016-2018) and the CLOUD Act (2018) are basically just the EU and the US digging deeper into their respective positions.
