In theory, yes. In practice, the issue is that Shopify refuses to sign a data processing agreement: https://gdpr.eu/what-is-data-processing-agreement/



DPAs do not protect against ramifications of the CLOUD act. See this thread (mainly the reply to it)[0]:

SCC = standard contractual clauses, aka DPA/GDPR clauses that govern when and how data transferred to the US is used.

> The ruling on Schrems II (the court case that struck down Privacy Shield) did not state that SCCs on their own would be sufficient. It said that SCCs + "additional safeguards" would be allowable. There have been several rulings already that SCCs on their own are not sufficient.

> The "additional safeguards" must include a risk analysis of US access to EU residents' data. Every court case I've seen from Schrems II onward identifies the US CLOUD Act as the privacy risk to address. CNIL is basically ruling that you cannot transfer data to a US company subject to the CLOUD Act, and an SCC cannot deal with that. This still leaves open the possibility of using US services that are not subject to the CLOUD Act. This is consistent with all rulings to date.

In summary, Schrems II + this ruling[1] mean that US corporations can't be involved with EU at all besides via licensing software to a completely independent EU corporation (which isn't a given either, though, since the US company could threaten withholding software updates/revoking the software license to pressure the EU corporation to hand over EU citizen data to US Law Enforcement - or otherwise implement a backdoor at the request of US Law Enforcement).

0: https://news.ycombinator.com/item?id=30286642

1: https://news.ycombinator.com/item?id=30284372


Exactly, it wouldn't matter if Shopify signed those.


If this is required I would think Cloudflare would have some ready agreement for everyone to sign / agree to wouldn't they?

This is one of those EU rules where if it is so universal everyone should have this, right? But rather I'm not sure how widespread it is... is anyone doing it or are they all just waiting out the situation?


Cloudflare themselves have a DPA in contract with their customers, however, it's unclear how/if this transfers from Shopify to shop owners.

https://www.cloudflare.com/cloudflare-customer-dpa/


And using Cloudflare, which relies on SCCs, is also a GDPR no-no.


I know some of the team that worked on GDPR and CCPA compliance for Shopify and let's just say it is not surprising they're cutting corners.


