So it's been 3 years since this was last discussed, but it seems that the UK/EU's GDPR position in relation to the US has shifted somewhat, so it would be really useful to understand Knownhost's current position.
Now, my understanding a few years ago was that The European Commission had made an "adequacy decision
" with respect to the data protection laws of other countries, including the US, and so if UK/EU customers hosted with KnownHost in the US, they were covered by this exception.
However, revisiting this a few years later, it appears that this original "adequacy decision" in respect to the US has since been revoked.
Back in 2015, the original US "Safe Harbor" framework was declared invalid by the European Court of Justice (ECJ) following a ruling in the Schrems v Data Protection Commissioner case. The central issue identified in the case was that the US failed adequately to protect personal data from interference by US national surveillance authorities.
The Safe Harbor Framework was then replaced in 2016 by the EU-US Privacy Shield (which as mentioned earlier in this thread, KnownHost originally signed up to, and then withdrew from).
However, in July 2020, the ECJ declared the Privacy Shield to be invalid
in its ruling in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems. Again, the ECJ highlighted shortcomings in the protection from interference with personal data in US national security laws, specifically noting that the rights of data subjects were not actionable before the courts.
Accordingly, there is presently no EU-US or UK-US "adequacy decision" in place in regards to GDPR.
On 25 March 2022, the European Commission and the United States announced that they have agreed in principle on a new "Trans-Atlantic Data Privacy Framework
", however this is still only in an "agreement in principle" stage, so it has not yet come into affect.
So in short, how can UK/EU based customers hosting with KnownHost in either the Atlanta or Seattle data centers be compliant with GDPR currently?