> [M]eta are relying on SCCs [...] which was recommended by the CJEU from the Schrems II case[.]
An unofficial summary[1] of Schrems II doesn’t put it quite like that: Schrems II invalidated Privacy Shield, did not invalidate SCCs in general, but said that the latter are only valid insofar as they can provide EU-mandated privacy protections given the legal regime of the destination country.
Arguably, because of the last point, a US company is incapable of entering a contract that provides such protections: they include judicial review of privacy violations, while US law says that noncitizens don’t have standing to sue over those for surveillance under the FISA mandate (expires this December but will probably be renewed).
An unofficial summary[1] of Schrems II doesn’t put it quite like that: Schrems II invalidated Privacy Shield, did not invalidate SCCs in general, but said that the latter are only valid insofar as they can provide EU-mandated privacy protections given the legal regime of the destination country.
Arguably, because of the last point, a US company is incapable of entering a contract that provides such protections: they include judicial review of privacy violations, while US law says that noncitizens don’t have standing to sue over those for surveillance under the FISA mandate (expires this December but will probably be renewed).
[1] https://gdprhub.eu/index.php?title=CJEU_-_C-311/18_-_Schrems...