"They" in this case is a national authority within a EU country. They are responsible for handing out tax payer's money as subsidies to political parties, and the political parties have to declare and account for how they used this money. The authority refused to give out these declarations, saying it would break GDPR laws because they might be backed up to an American server. Of course it is blatant mis-interpretation of the law, but this is how these laws and other laws get applied in reality. Used when they benefit the rulers and ignored when they would benefit the population.
In the US you don't have this kind of financing I believe, because your political parties pay for themselves by endless fundraising from their voters.
Do you have experience of asking for these type of funding documents before 2016? Was is much easier then?
Because the argument (as you describe it) doesn't make any sense, so I would expect they already have another nonsensical interpretation of some other law at hand from before GDPR applied.
These "data protection authorities" weren't established instantly when the law was written. It took a good few years. But yes and yes, we never had such a problem getting any public documents before they could use the data protection authority to deny giving them out. This was easy, the local politicians just had to put a crooked individual as head of that authority and that person would do their bidding. Before that they didn't have any legal basis for denying public documents, and each time they tried to do that you could threaten court and they'd bend. With a crooked data protection authority to help them, they'd have the support of the law to deny giving out any public document they didn't want to give out.
Not in the field anymore, but I wouldn't be surprised if somebody took the data protection authority to court over this in the near future.
Can you specify which jurisdiction you are talking about? I find it very surprising that the politicians could put in corrupt heads of agencies but not prevent handling out incriminating documents some other ways, sounds like the product of very interesting historical circumstances.
There's probably nothing outright incriminating in those documents, rather that the political party or parties were using their subsidy money to pay for services rendered from companies owned by the party leadership – which is 100% legal, but not very pretty in the public eye.
I don't find it very surprising that they could and did use the GDPR "loophole" to close the public sector from public insight. Before GDPR there were very clear laws of transparency making sure that they could not deny giving out public documents. And if they did, they'd be taken to court and always loose. They would still try denying some public documents and threatening court would work against that.
With a data protection authority on their side, they finally got the law on their side, using tactics such as saying that there is a risk that these documents end up on an American server. While at the same time using Microsoft services and American servers themselves. Which is the subject of the OP article.
Appointing a crooked head of a data protection authority or any authority is easy and it is legal. Circumventing laws is not that easy. But it is easier when you have more laws that are more open for interpretation.
The right thing to do would have been to make transparency laws more powerful than GDPR laws, because it was obvious that they would be abused. Now the EU has GDPR laws enforced on a union-wide basis, but not wholesome transparency laws enforced on a union-wide basis.
most financing in the US for parties come from corporate donations, very much with a condition imposed by the corporation. Kind of acting like a bribe.
So who is 'they' and what were the documents? I'm American so I'm not deeply familiar with this area.