It depends. I understand that ad networks for example take identifying data (such as IP addresses) without consent. But if I sign up to Facebook and I put there my name and my face, it's because I want to. No one has put a gun to my head. And I don't see that it matters whether that data is in a hard disk in the US or the EU. These regulations seem a power move more than anything else.

The proof of a problem isn't "someone put a gun to my head" - its a meaningful part of our society put behind a rich man's walled garden because only he had enough money to bribe every telecom and buy every competing platform.

Every competing platform? I can think of a few alternatives, starting with this one we are on right now. But some people are still choosing Facebook, and they are choosing it willingly, happy they do not have to pay for it with anything more than some targeted ads...

This is not a competing platform by any stretch of the imagination.

If I send a US citizen a letter, can I expect that it will not be (legally) intercepted and read by anyone else (except under a specific warrant)?

If I send a US citizen a private Facebook message, is it not normal to expect the same?

> But if I sign up to Facebook and I put there my name and my face, it's because I want to

Facebook wouldn't have all its negativity around privacy if they only captured & used data that the user explicitly entered. The problem is that Facebook collects much more data that what you knowingly & willingly give it.

You might have uploaded your name and face willingly to Facebook in order to set up your profile, but without proper safeguards and legislation, the data might be used to train an AI model to use your face to identify your relations with other user using photos, which they also willingly upload, to power features such as people you might know and of course, advertising. The data might also be sold or transferred to third-parities like Cambridge Analytica for political advertising or government agencies for "national security" -- all without your explicit consent.

It is true that it does not matter if a piece of data is stored in either side of the Atlantic, but this is not a engineering problem about data locality and latency. As someone who spent months working on a global distributed GDPR-compliance identity store, my life will be much easier if the problem can simply be solved by paying a slightly higher inter-region data transfer fee.

Unfortunately, US and EU here are not referring to cloud regions, but as jurisdictions because different laws on data protection apply. None of us likes this kind of complexity, but "power move" would be an overly-simplified abstraction of this problem.