
> It's not about where the data is sent, it's about what happens when it arrives at the physical servers, who has access to these files, and what they can do with it.

Right, but the EU can only enforce its laws on companies that have a presence in the EU. A company that doesn't do business in the EU and never will do business in the EU will not obey EU law regardless of what those laws say.

Meanwhile, a company that does business in the EU would be subject to fines by the EU and wouldn't be able to dodge them without just stopping doing business in the EU. So why do the laws not just say "here's how you have to treat data belonging to our citizens if you want to continue to do business in the EU"? Why does the physical location of the data that is being thus protected matter at all?



That works fine if the company itself stores the data, but becomes difficult to enforce when 3rd parties store the data. Imagine a company with an EU presence stores its EU data in the US, with a hypothetical cloud provider that doesn't have an EU presence.

The company would need to have a DPA with its cloud provider. That cloud provider technically would also need a corresponding DPA with any 3rd parties that they themselves use, except without an EU presence that is hard to enforce.

In this case, where there is one hop, you could argue that it's the company's responsibility to ensure that their service providers are operating in compliance. Imagine the same scenario, but with one, two or more middlemen, and the whole thing becomes an unenforceable mess of jurisdictions for the company to do meaningful due diligence on their service providers.

It's much easier for the EU to say EU data has to be stored in the EU, and know that any party touching the data is likely to be in compliance, and significantly easier to investigate if they are not.


There's also the CLOUD Act, which makes it illegal for US cloud providers to refuse data access requests from the US government.

As far as I understand, the EU is fine with you sending data to other countries, as long as those countries have the same standards for data protection. In the EU's opinion, the CLOUD Act, as well as the whole NSA situation, mean that the US doesn't fulfill this definition.


> EU is fine with you sending data to other countries, as long as those countries have the same standards for data protection.

Yes, we have a GDPR-compliant law in place, and we can interoperate with the EU.


Thanks, this explanation makes sense.



