I think this CLOUD Act will basically force internationally operating US companies to split up into a US part and an EU part. This law makes it impossible for any company with access to personal data of EU citizens, to obey both US and EU law. The only solution seems to be to ensure that they are two different companies. The other option is to abandon the EU market.
What still surprises me is that nearly all of the major cloud companies are based in the US. Microsoft, Amazon, Netflix, Google, Apple, all of them US companies. If ever a law is going to create some EU competitors, it's the Cloud Act.
The other option is that either the US or the EU is going to water down their law. I'd be really sad if it's the EU, because that would legitimise and strengthen other countries' extraterritorial grasp over non-citizens' data. Like China with Huawei.
> The only solution seems to be to ensure that they are two different companies.
If the EU company is a subsidiary of the US company, then it will have to follow its orders and won't really be separate.
Furthermore if people based in the USA have physical access to the servers located in the EU, then if the US government wants that data, it will probably be exfiltrated to the USA, regardless of what EU governments want.
The solution is for EU governments to have control over their own computing infrastructure. This obviously includes cloud computing and datacenters. But it also needs to include operating systems and chips, because otherwise the risk of a foreign power putting a backdoor in them is too great.
>> If the EU company is a subsidiary of the US company, then it will have to follow its orders and won't really be separate.
Accenture and other US consultancies with global operations faced this problem when bidding for government contracts. They created a global parent corporation (in Accenture's case it was Luxembourg and in many cases it is Bermuda.) The US portion of the business is owned by the global parent. The EU portion of the business is owned by the global parent as well. Same for other subsidiaries.
> Here lies humanity, they tried to do the same things 15 different ways and squandered their resources doing so.
Polities that don't retain control over their computing infrastructure will in the future have effectively ceded independence to others.
Because controlling the full stack from silicon to cloud services is expensive (fabs can cost c. $20 billion), this has geo-political implications: namely that in the future there will only be a small number of loci of independent power. The USA will be one, China another. Does Europe want to make itself a third, or will it be content to be subservient to others?
That does seem to be a common occurrence when there is a sufficiently large number of people. I work for a large Fortune 150 company. At least once a year a new department is created that duplicates what my department has been doing for 15 years. Inevitably someone who knows of us tells the other group and they get in touch with us to find out what we actually do. I can't tell you how many meetings I've been in where the other group finds out that we already do 100% of what they've been tasked to do. They always look at each other with expressions of confused disbelief, wondering what they are supposed to do now. Sometimes they find some niche (on occasion we've thrown them some scraps of things we used to do that we no longer have any interest in pursuing), usually they are quickly dissolved. The worst was a group that had existed for more than a year and had already spent millions of dollars, only to be dissolved as soon as higher ups found out they existed and were trying (unwittingly) to duplicate our mature solution.
Well, yes. Merely duplicate effort is a great improvement over last century's plan to be able to destroy civilization at 45 minutes' notice.
Speaking of which, I believe Pakistan had two mutually distrusting nuclear weapons programs, reflecting the internal conflicts between parts of the state security apparatus.
>> If the EU company is a subsidiary of the US company, then it will have to follow its orders and won't really be separate.
Maybe the US company could be a holding which would "only" own 100% of its independent EU subsidiary (which would be its own legal entity, reporting in EU)?
The question is: does America care about international law and treaties or will they just do whatever they want?
Ten years ago I knew the answer to this question. Today not so much.
This is why the EU should hedge its bets and keep the door open for Chinese companies.
Ten years ago the answer was also no, but with a bit more lip service.
The US hasn't bothered with such things as the ban on landmines, the ICC for war crimes, and the U.N. convention on rights of the child. The U.S. is only interested in law that binds other countries.
> Ten years ago I knew the answer to this question. Today not so much.
10 years ago, the NSA existed. Now the NSA exists.
The USA, like other big powers, is going to want to try to get access to information and computer systems.
> This is why the EU should hedge its bets and keep the door open for Chinese companies.
You appear to be saying that because the USA gets its hands on Europe's data, Europe should let China do so as well. That doesn't make sense to me, so I wonder what it is you are saying.
The USA is by all accounts a 'rogue' state by its own definition of the term (China is too).
It doesn't abide by international conventions or laws, it engages in wars of aggression, it bullies smaller nations into accepting laws and trade agreements favourable to itself. It pushes crap like the DMCA globally.
Of course it doesn't care about international law.
Superpowers get away with this for a time, until everybody else wises up to the fact that nobody is following the rules.
> The only solution seems to be to ensure that they are two different companies. The other option is to abandon the EU market.
> What still surprises me is that nearly all of the major cloud companies are based in the US. Microsoft, Amazon, Netflix, Google, Apple, all of them US companies. If ever a law is going to create some EU competitors, it's the Cloud Act.
Given that e.g. AWS alone "owns"/operates two regions in China and several GovCloud regions, at worst it'll have a slight impact on these cloud providers' business via mainly legal and not technical changes.
What it will do is show the Privacy Shield agreement is a farce, and the US cannot be trusted in these matters - well, hardly new insights, with things like ICANN et al, but these things were largely left unsaid. I suspect US foreign politics and their image will be harmed more than any of these cloud companies.
Precisely. But the code deployed there seems to offer the same functionality as other regions, right? So this is a legal/business trick, not a technical challenge.
The Microsoft response was to have a separate German trustee be the ones that held the data, and MS have access to the data as needed (but I guess MS could not just hand it all over to the US government when demanded to) https://azure.microsoft.com/en-us/global-infrastructure/germ...
"All customer data and related systems reside in Germany
Controlled by a German data trustee"
I don't think it will necessarily create a lot more competition inside the EU. All of those companies already have European data centers; surely it would complicate some technical deployments, but definitely not more so than the effort their legal, HR, accounting and other divisions already have to go through to comply with local regulations. I assume those companies already have multiple legal entities for all sorts of reasons.
I guess all companies ought to start tagging data with a jurisdiction tag of sorts now, if that data doesn't already come with a clear location indicator.
Of course it will, they were already bordering on it before that (see specifically Microsoft USA arguing it could not access Microsoft Ireland data when the US court told them to, which directly leads to the new situation).
Wouldn't the cloud act also apply to subsidiaries? I'd be surprised if the giants can at the same time split (for the purposes of the cloud act) and stay one coherent entity with central steering.
I suppose that's going to be the big challenge. You'd want a structure where neither company controls the other, yet they still have every incentive to cooperate closely.
Maybe they should each own 49% of the other's stock?
But someone's gotta own the other 51%. However, you could split it into 3 companies spread across 3 countries each owning 33% of each other. Thus, no company has a majority share.
I talked to a lawyer specializing in data protection a couple of years ago, and according to her, the problem is already there - you cannot satisfy both the GDPR and US law that requires that the US government can snoop whenever they want to.
Currently, the companies are getting away with it, but with people like Max Schrems, they might not be able to in the long run.
The situation you describe (companies "splitting") already exists, and it's also already not a good guarantee of actual privacy. I'm not convinced that this is any kind of solution.