Hacker News

In my main job we provide SaaS services. We get more and more requests for "EU located" services.

A new trend I see is that some customers even rule out using EU-located servers that are owned/run by US companies (such as the AWS Dublin or Frankfurt locations).



Of course they do. Because of the Cloud Act, the location of the server doesn't matter.

A US company has to give access to the data on their servers to the authorities no matter where the servers are located.

They can go to court to prevent it but aren’t allowed to inform their customer.

That violates EU law on multiple levels.


Also, EU daughter companies of US tech giants are still legally EU companies (owned by US companies); legally they have to strictly comply with EU law, and it matters shit what US law says (from the EU legislative POV), so this puts them in a huge problem spot.


An EU company, even if it is owned by a US company, would not be subject to the Cloud Act and so should not find itself on the spot. The Cloud Act applies to whoever owns the data on the server, not to whoever owns the server.

Here's the situation it was designed to deal with. You've got a US company that has some documents. Law enforcement gets a subpoena requiring the company to turn over copies of those documents.

If the company has used some third party cloud storage provider to store those documents it has to retrieve them. It does this using the exact same procedure it would use if it was retrieving the documents for its own use. To the cloud storage provider this is just a routine data retrieval of a customer's data by the customer.

As far as I know, if someone outside the EU buys cloud storage from an EU cloud storage provider, stores some files there, and later retrieves those files, the EU provider will not get in trouble if that customer later did something with the files that would not be legal in the EU.

I'd be surprised if most countries don't have something equivalent. For example, when German prosecutors were investigating VW after VW's emissions test cheating came to light, if they had used whatever the German equivalent of a subpoena is to ask for copies of the emission system source code, would VW have been able to say "Sorry, we've got those in a private GitHub repository which happens to be hosted outside of the EU, so we can't get them for you"?

I suspect that the only reason the US actually had to have something like the Cloud Act and others don't is because only in the US could you have actually had a chance to succeed in saying that you cannot be compelled to turn over a document that you control and can legally retrieve at any time just because you happen to have it currently stored somewhere that the compelling government does not have jurisdiction over.


> The Cloud Act applies

applies explicitly to daughter companies of US parents no matter which country they are based in


Didn't Microsoft argue this in a US court and lose?


It's a problem without a solution. They have to break one side's law.


How would that even work if fully enforced? Are there even enough EU-owned cloud and SaaS services to fill in for all the US-owned ones?


At present, no, of course not. No company maintains surplus capacity sufficient to absorb its competitors' business if they withdraw from or are excluded from the market. You'd assume in practice there'd have to be a transition period, during which the likes of Hetzner would be... busy.

(More likely, there's another round of negotiation, and some new bandaid solution is produced; not like it's the first time. No-one, or almost no-one, really _wants_ this to break down entirely; the fallout would be widespread.)

It does seem reasonable to expect that the rate of companies moving stuff out of US-based infrastructure providers will increase, though; the whole thing is very fragile.


I don't think you can rely on "no one will smash US institution X because that would be bad for everyone" any more.


You've got to imagine there are limits, though. I note that Trump backed off most tariffs, at least for now, when the markets got unhappy (I mean, you could believe it was due to symbolic troop movements if you wanted, I suppose?). And cloud services to Europe are _big_ business; it would not be a small market shock.

If there were to be a major migration from AWS and Azure to the likes of Hetzner, OVH and friends, also, that would likely be _permanently_ lost business for US megacorps; no-one does that sort of migration unless they really have to, so it's improbable that anyone would move back if and when the situation was resolved.


I thought he only backed off the Canadian tariffs, and only because there were retaliatory tariffs plus some symbolic concession? The China ones and the de minimis change are still in place.

Bezos turning up at the inauguration and directing the WaPo to not endorse Harris are strong hints that Amazon is probably going to be fine, but I would say that nothing is certain when dealing with someone who's deliberately unpredictable and willing to threaten allies.


> and only because there were retaliatory tariffs

Those were completely inevitable, though; the game theory behind all this stuff essentially requires them.

> plus some symbolic concession

A really utterly meaningless one, though. I'm fairly convinced that pissed-off markets were the major factor.

> I thought he only backed off the Canadian tariffs, and only because there were retaliatory tariffs plus some symbolic concession? The China ones and the de minimis change are still in place.

Also Mexico. I'd suspect most of the Chinese ones aren't long for this world, either.


But this isn't just cloud infra/platforms like AWS etc., right, but also various SaaS products, e.g. Office 365, GSuite, GitHub etc. Are there even equivalent (enough) versions of all those that are not only hosted but owned by EU companies?


Those are also less _critical_/more replaceable, though. Up until recently, most companies didn't use cloud-y office things; they used, typically, Microsoft Office 2xxx (i.e. the non-cloud version). Microsoft's cloud-y Office solution is only 7 years old; while Google's is older, it wasn't taken particularly seriously for a long time. Many companies (actually I would suspect _most_ companies) _still_ use on-prem Office/SharePoint Server/Exchange Server setups, and Microsoft still sells this stuff (Office 2024 LTSC is the latest one for enterprise, Office 2024 for consumers).

As for GitHub, self-hosted or vendor-hosted GitLab would be the obvious solution (self-hosted GitHub _is_ a thing, but only for large enterprises IIRC); other GitHub-like things are available.

I also suspect that GitHub in particular, and maybe MS, could, if desired, rework their services such that they didn't actually touch personal data in a form that they could disclose to the US government (which is the core issue here). This could be managed via using a third-party auth service (which these sorts of services typically already support for enterprise integrations) and, for the Office-y apps, end-to-end encryption.

Replacing AWS and Azure and friends would in many ways be the big problem, especially if all this were to happen quickly (in practice, there'd almost inevitably be a significant grace period if things broke down). There's a big capacity problem there; all of these sorts of services operate basically at capacity, because economically it makes no sense to do anything else. That said, in the doomsday scenario, Amazon et al would presumably end up selling off a lot of data centres in Europe (restricted to only non-personal-data applications, they'd need fewer).


I agree each thing is not difficult to replace, but replacing all SaaS products that are used might be more challenging. Some data out there from a quick Google search says companies use on average 300+ SaaS products. Not all of them are going to be from US companies, but probably a large amount is, so we're looking at probably over a hundred or two products that need to be replaced with local or EU ones across all companies in Europe. That seems like a lot of work and disruption.


Oh, yeah, it’d be a complete nightmare for everyone involved. But it’s likely doable; in particular providers would be _strongly_ incentivised to provide compliant solutions (again, many SaaS providers could manage this by avoiding directly touching PII).


According to [1] "Synergy Research Group data indicated that since early 2017, the collective market share of European cloud players including SAP, Deutsche Telekom, OVHcloud, Telecom Italia, Orange has dropped from 27% to just 13% in their home territory. In the past year alone, their share has dropped around two percentage points. In contrast, Amazon, Google and Microsoft now account for 72% of the regional market."

Doing without would be extremely painful in the short/medium term.

Of course if you could instead force AWS to sell the EU arm of their business, that would be a different matter...

[1] https://www.fierce-network.com/cloud/european-cloud-players-...


What is the time span until it needs to be fully enforced? Regulations are rarely, if ever, instantaneous. For the industry I work in (domain name, hosting, email, and similar services), you start to hear about it when they are being drafted, when they are about to be voted on, when they have been voted on, when it gets ratified, when they get a date for when they are going to start being enforced, and once they are being enforced there is generally a grace period for getting into compliance.

For a lot of stuff this is a process that takes 10+ years. A fairly large step is the time between an EU regulation being created and when the same law is ratified by each country, and the span between those two events where the government seeks input from the industry on how to implement the regulation.


It works the other way around: a void is created and it gets filled with business matching the demand.

