Governments are not exempt from Cloud Act and US providers can be under gag order, so from EU or UK government perspective, they will never know if data has been accessed by 3rd country and what happened to it.
This is actually amazing that all the tenders have not been rejected under national security grounds or simply security services (yet again) have not done the job tax payers pay them to do.
I wouldn't think "sovereign" EU data would be protected from US snooping either, unless the Five Eyes Plus alliance is going to be dissolved. Even then...
An inevitable consequence of this administration destroying US foreign influence and power at an unprecedented rate is that (IMHO) it is inevitable that the EU builds their own cloud and mandates its use for EU data. It is becoming a matter of national security.
The interesting thing is that the US is acting in the exact way that they accuse China of acting. Companies like Huawei are forbidden from installing telecom infrastructure for "national security" reasons [1]. One of justifications for first banning then forcing a sale of Tiktok was because of possible Chinese government interference. It's only a matter of time before the EU and China start making the same determination against US tech giants (eg Meta executive brags about silencing dissent [2]).
This administration really is killing the golden goose.
Your home country can tell you "Give us your data" and you have to comply.
"I will never give up customer data" is a very tough promise to keep, if the government threatens you with your business license being revoked, your servers and domains being forcibly seized by the police, and you personally going to jail.
(Under the current US administration, we can add "A close examination of the immigration status of all foreign nationals employed by your company, followed by probable deportation or jail" to the list of potential consequences for resisting the government.)
Your home country can tell you "Give us your data" and you have to comply
Not according to both Amazon's and Microsoft's historic marketing materials. They have always claimed that data stored in your local jurisdiction is not accessible to law enforcement abroad. And the US judiciary initially agreed with that: https://petri.com/microsoft-wins-appeal-data-stored-abroad-s...
...which then led to the US CLOUD act and here we are, once again, proving that the past is alterable; just like Oceania has always been at war with Eurasia.
In theory, there is rule of law, the intention of which is to prevent government's access to your property and body without a court order and any emergency access such as use of force at crime scenes being subject to public scrutiny.
I guess that was the idea when the USA was established as a country, but people forgot what their ancestors where fighting for.
Anyone who's read the law has known this for years.
The GDPR is incompatible with the Cloud Act, and so the only legal (or so it should be) way to use US companies is to treat them like unsafe third countries - no matter the data center location.
But everyone wants to continue like before. Having to ensure that Amazon and Azure never touches unincrypted personal data is hard. So one "compromise" after another has been tried - never solving the actual problem.
As a EU citizen I think it's entirely embarrassing. Either the EU should have the power to force European subsidiaries to be exempted from the cloud act, or everyone should be forced to abide the law, which would greatly boost EU tech. Instead we are just rolling over.
US cloud act is definitely an overreach. Suddenly private infrastructure is now an extension of the government surveillance complex. This is the equivalent of the govt being able to put a camera on your building because they want to observe the public/private area around it.
Maybe I’m misunderstanding something - if I store my data elsewhere , am I not supposed to encrypt it anyway, with my keys ? If the crypto is strong enough then surely cloud providers can’t do anything with it ?
26 comments
[ 1.4 ms ] story [ 55.7 ms ] threadThat's what he would say if the company was under a gag order in the US. So I would take anything they say with a mountain of salt.
This is actually amazing that all the tenders have not been rejected under national security grounds or simply security services (yet again) have not done the job tax payers pay them to do.
The interesting thing is that the US is acting in the exact way that they accuse China of acting. Companies like Huawei are forbidden from installing telecom infrastructure for "national security" reasons [1]. One of justifications for first banning then forcing a sale of Tiktok was because of possible Chinese government interference. It's only a matter of time before the EU and China start making the same determination against US tech giants (eg Meta executive brags about silencing dissent [2]).
This administration really is killing the golden goose.
[1]: https://www.reuters.com/business/media-telecom/us-fcc-bans-e...
[2]: https://www.youtube.com/watch?v=7eO8byuv6PE
If they can make successful tax shelters they can architect the entities and the architecture to remove this option.
There's some 9-eyes thing where this is a feature not a bug
1. https://us.ovhcloud.com/legal/faqs/cloud-act/
https://dirkjanm.io/obtaining-global-admin-in-every-entra-id...
Every AWS employee knows where his bread is buttered - Seattle not Brussels
Your home country can tell you "Give us your data" and you have to comply.
"I will never give up customer data" is a very tough promise to keep, if the government threatens you with your business license being revoked, your servers and domains being forcibly seized by the police, and you personally going to jail.
(Under the current US administration, we can add "A close examination of the immigration status of all foreign nationals employed by your company, followed by probable deportation or jail" to the list of potential consequences for resisting the government.)
Not according to both Amazon's and Microsoft's historic marketing materials. They have always claimed that data stored in your local jurisdiction is not accessible to law enforcement abroad. And the US judiciary initially agreed with that: https://petri.com/microsoft-wins-appeal-data-stored-abroad-s...
...which then led to the US CLOUD act and here we are, once again, proving that the past is alterable; just like Oceania has always been at war with Eurasia.
The GDPR is incompatible with the Cloud Act, and so the only legal (or so it should be) way to use US companies is to treat them like unsafe third countries - no matter the data center location.
But everyone wants to continue like before. Having to ensure that Amazon and Azure never touches unincrypted personal data is hard. So one "compromise" after another has been tried - never solving the actual problem.
As a EU citizen I think it's entirely embarrassing. Either the EU should have the power to force European subsidiaries to be exempted from the cloud act, or everyone should be forced to abide the law, which would greatly boost EU tech. Instead we are just rolling over.
s/U.S./Chinese/
Tomato <=> Tomato
I'm sure if you asked the current administration what they think of France, they'd reply, "all they do is wine!"
At the same time a massive migration from US cloud in EU to EU cloud would be a massive pain for a lot of companies in the EU.