
Banking data is important because the police and tax authority want to make sure they have access; privacy doesn't really come into play here. It's a nice side effect, though. It's the same with accounting data.

When it comes to GDPR it only talks about where and by whom data is processed, it doesn't really put any restriction on storage, except for some pretty vague (on purpose) requirements about data protection (read: encryption).




Storage is processing.

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

https://gdpr-info.eu/art-4-gdpr/


But if the US government accesses PII without authorization via the CLOUD Act, wouldn't it count as a data breach when it comes to GDPR?


Then they should be getting encrypted or pseudonymised data, if you are following the regulations.

For services like AWS you can argue that they should be able to get ahold of these encryption keys, but most data protection authorities seem to think this is good enough.


Encryption is useless when you store the keys on the same infrastructure. The U.S. may ask for keys as well.

Even if you store the keys on a local service, at some point your data will lie/transition decrypted on the remote hardware.

It's not a good idea at all to use hardware controlled by a hostile government regardless of what kind of encryption you plan to use.


> Encryption is useless when you store the keys on the same infrastructure. The U.S. may ask for keys as well.

Are you claiming HSM are unsafe?

> Even if you store the keys on a local service, at some point your data will lie/transition decrypted on the remote hardware.

Well no. You have TPM and HSM which should solve this problem sufficiently. Even hardware tokens for crypto, e.g. Nitrokey and/or YubiKey, should be sufficiently safe for most use cases.

> It's not a good idea at all to use hardware controlled by a hostile government regardless of what kind of encryption you plan to use.

It depends. You shouldn't host anything at any "hostile government", but who is the hostile government? Is this a hostile nation based on a threat model for your company? Or is this your personal opinion?


Once the attacker gets physical access to your device/computer all bets are off. Not to mention if "your device" is actually provided by a hostile party (i.e. Amazon/Microsoft in collaboration with various US agencies).

A government/state is hostile if it breaks the laws designed to protect the citizens and their freedoms (i.e. privacy). I believe it's obvious by now that the U.S. government seeks not only to apply its justice system over sovereign states but also to control the politics and get strategic information, even from its "allies".


What's your threat model here? Who's the actor you're protecting yourself from?

A government/state acting under its own laws is still acting under a law, so it would never have physical access to something like an HSM located in a DC on another continent. Or even your laptop that's sitting in another country.

A government/state acting around the law makes any discussion about laws superfluous. They will go around them anyway, as per the premise.


> A government/state acting under its own laws is still acting under a law, so it would never have physical access to something like an HSM located in a DC on another continent.

A government’s own laws may restrict what it can do outside of its own territory, but those restrictions, if they exist, don't always include following local law, and so it's entirely unjustified to conclude that a government acting under its own laws would not have the described access.


What I meant is if the US government wants to access data in a German datacenter it can either try via a warrant which I imagine would not be legally enforceable in the EU (at least not without the cloud provider breaking EU law), or via hacking which makes any law irrelevant.


The cloud providers provide the access controls for the HSM. Why break the encryption when you can just come through the front door?


That's not how HSMs work or they would be totally useless.

Short of a hidden vulnerability or a manufacturing defect there's no "official" way to physically access data from the device without destroying it. And accessing the data the normal way still requires access the cloud provider doesn't have (a certificate password for example).

If we're talking hackers that could successfully hack an HSM, they don't really care about laws. And if we're talking about acting under some law, that law has to compel the owner of the password to give it up. Not the cloud provider.


So your threat model includes the cloud provider?



