I learned from the communication about the 2022 security incident that the data that was copied was a backup of the vaults. Does this include backups from customers that have chosen to move their Vault Data to the data centers in Europe?
So, I talked to customer support. They confirmed that the data was copied from the development environment, which is "in the cloud" and NOT data-residence-aware. Unless a LastPass representative tells me otherwise, I need to assume that this means:
My data is being transferred to non-EU countries on a regular basis, not respecting my need to keep the data inside the EU.
My data is being copied to a development environment to be processed there without my consent, for purposes not previously published (debugging, other things I don't know about).
My understanding of this is that LastPass directly violated REGULATION (EU) 2016/679 (aka GDPR) even before the incident. Since the URLs are not encrypted, problematic and sensitive data is directly processed in clear text outside the EU and has been processed by people who don't need to process it (developers), which violates the need-to-know principle. Since such URLs might also include email addresses (which makes them PII) and hints about health status (e.g. when the URL is one for a forum about specific health issues), as well as religious beliefs or sexual orientation (both might be revealed by the websites the user has accounts for), the information is not only "Personally Identifiable Information", but "sensitive data".
One of the criteria we had for selecting our provider for a password management solution was: NO data should be transferred to a country outside the EU. Another one was that NO sensitive information can be seen by employees of the provider.