
If you use a U.S.-based sub processor (even for data processed in the EU), you lose, the German administrative court of Wiesbaden said in an interim decision.
No transfer. No worries. TIA anyway.
Even if the server is possibly located in the EU, the US company has access to it and the U.S. Cloud Act applies.
According to the Cloud Act, U.S. government agencies could unilaterally request personal data from U.S. companies without a court order and without a legal aid agreement.
The U.S. law allows initial suspicion of any criminal act to be sufficient, whereas the EU: suspicion of serious crime only.
Therefore, personal data is risk of unauthorized access, which constitutes a breach of confidentiality in accordance with Article 32 (1) (b) GDPR.
Even if a service only transmits an unabridged IP address when it is loaded for the first time, this is still processing that is significant in terms of data protection law.
Under Art 48 GDPR, transfer of personal data on the basis of a decision by a foreign court or a foreign administrative authority may in principle only take place if it is based on an international agreement in force such as a mutual assistance agreement between the requesting third country and the European Union or a member state can be supported, and no such agreement exists between the EU and the USA.
The Court also considered Art 49 derogations, but decided, based on the facts, they weren’t met.