I work in a sector with a requirement to keep data out of the US. It is VERY hard to find providers who can promise not to do this. Even when servers exist in the EU, many providers' contracts have clauses that allow transfer to the US, as they have staff there who may access the data.
I can see company legal departments taking this ruling to prohibit transfers, even with a DPA in place, and causing havoc around the EU.
I worked on fintech projects in Europe, with German banks as our main clients. Their requirements went as far as refusing any service that would have their support teams (or part of it) located in the US. It was quite challenging to fulfill their demands, and increased the development and maintenance cost by A LOT, but definitely possible.
And once you have a working system and solutions in place, that becomes quite a good sales argument.
And yes, the EU is really lacking providers that can follow those requirements. At some point Microsoft had a German cloud completely distinct from their other offering and managed by Telekom, but they stopped a few years ago (and it wasn't really in a production ready state IMHO...).
I'd be surprised and saddened if it were legal for a company to offer a contract that they couldn't legally commit to, like saying they'd keep the data out of the U.S. but also give it to the U.S. gov if asked. I guess the legality of offering a contract that they can't commit to is a local legal question, but I'd hope that it's an uncommon thing to allow.
In the US a contract is voidable if it would be illegal to carry it out, and it might open you up to liability if you knew that at the time of signing, but it's not a crime.
Sounds like a golden opportunity for someone to set up an EU company that is EU law compliant and start marketing themselves to banks and bodies that need this.
Problem is banks and similar institutions that "need" this don't really believe they need it, and see such rulings as more anti-American BS. So they find ways to comply that are absurdly minimal, like using Azure datacenters that are only in the EU. This achieves nothing, it's all still a software stack written in the USA, but it lets them tick the box that says "data resident in <European jurisdiction>".
There are ways to run operations in a way that comply with the spirit of these rulings. Hetzner, OVH and other cheap mini-clouds are EU based and have only EU datacenters. Guess where banks want to go? "The cloud" because "the cloud" is "the future" and they institutionally suck at running IT departments of any kind. So they ignore those offerings and find workarounds that let them outsource it all to the Americans who for various reasons just seem culturally better at making software companies.
The other problem that discourages people making EU compliant companies is the term is meaningless. EU is famous for rather weak rule of law. The courts have a history of "discovering" entirely new laws in vaguely written rights or regulations, like the famous right to be forgotten that caused and still causes endless operational pain. Not a law written by any lawmaker, not even the unelected opaquely appointed bureaucrats that write laws in the EU. A law literally invented in the courts themselves.
Because these laws are effectively invented by the courts or by a quasi-government that doesn't really have its own police forces or much of an enforcement infrastructure, this means many EU regulations aren't really enforced. Compliance is kind of on the honour system. So if you're selling compliance, but it costs a lot more than a US based solution that basically ignores these rules whilst claiming they don't, then you'll lose out to your competitors.
The final problem is, again, all this stuff is just legal posturing. The EU has a long history of having intelligence agencies just as aggressive as the NSA, and cutting deals with the USA to get access to US intelligence in return for data (see the SWIFT transfer programme). The EU and its fans like to claim there's some sort of deep cultural difference between Europe and America with regards to privacy, but when you strip away the press releases and look at the actions these countries/EU really make, there's virtually no difference. This is another reason why banks and other firms don't take it too seriously at their core.
I don't see the problem: buy HP Enterprise hardware (support is based in the Czech Republic), install SUSE for example (but not Red Hat), ask a data center of your choice, place your hardware there, make your own 'cloud'... profit?
As I said, it's definitely possible. We did create and maintain our own clusters. That's way more expensive and time consuming than using existing offerings from public clouds, and you are on your own in case of issues. Your competitors who don't have that kind of requirement can build and iterate on their products way faster.
I had the pure opposite compared to AWS: with our own cloud we saved around 80% of expenses, or about 35% once the additional manpower is factored in... but 35% is still really something.
This. Worst-case you end up being forced to use some terribly implemented private cloud solution which ends up being even more expensive and time consuming than deploying your own hardware.
I don't know if you're joking or not. In the case of those fintech projects, I've been part of a migration to k8s. That was already in progress 3 years ago when I joined the company, and it wasn't completed when I left at the beginning of this year.
Managing your own k8s in production isn’t a simple task at all :(
That is true. I was asked to implement k8s in 6 months; they said that way I'd have plenty of time to find all the problems (I tried really hard not to start laughing).
It's not about where some people work, it's what they do under which legality, so a US citizen working in Germany or for German customers "could" be a problem.
> so a US citizen working in Germany or for German Customers "could" be a problem.
That's usually fine (related to the "in Germany" part). I'd say you'll only have an issue if you're doing something really high up in government (same as, for example, SpaceX, which cannot hire non-citizens).
Which area? Hetzner, Leaseweb, OVH and dozens of smaller hosting providers can fill the needs. The only thing US hosting providers have is marketing and easy money.
Hosted Microsoft products mostly, which is what tons of smaller companies want from "the cloud". And some AWS workalike, which usually means AWS, because the stackoverflow answer they found doesn't tell them about the rest.
Haha, you are so right!! That, I think, is the biggest problem with Europe: Microsoft and Apple are just everywhere... probably even more Windows installations on servers than in the US.
FWIW, this may also mean avoiding US companies altogether -- the CLOUD act (hey, I don't come up with these names...) requires them to surrender data to US authorities on subpoena, even if it's hosted on facilities they own outside US territorial boundaries. https://en.wikipedia.org/wiki/CLOUD_Act
It's easy to do, just don't do business with the US at all. Any company that touches it is tainted and should therefore not be trusted. I work in a sector with a similar requirement and it really hasn't been difficult to comply with this requirement, given that you keep this in mind.
> It's easy to do, just don't do business with the US at all.
Less easy if you need to, for example, accept payment by credit card. Even if some of the businesses along the way are based wherever you are, the major card networks are all headquartered in the US.
It would be great if the international community could get its act together on an alternative and render the deeply flawed card payments industry obsolete, but the fact is that right now cards are the only game in town for a lot of situations.
> render the deeply flawed card payments industry obsolete
Honest question: from a consumer perspective, what is deeply flawed about it?
I realize this isn't available everywhere, but with my cards I can make payments in virtually any country without ever having to deal with local currencies, currency conversion fees, bank account overdrafts, or having the physical card with me as I use my phone for 90% of transactions where I live. All this while getting 2-5% back on every purchase and (if I want to pay an annual fee and deal with more cards) a whole slew of travel benefits and free flights every year or so.
The US doesn't like someone, like Wikileaks? Card processors block all payments to them, so you, the consumer, cannot get your money to them.
The US wants to profile all your transactions, to figure out where you eat, where you sleep, and what you do? They get all the data and you'll never even know.
Obviously this is not a problem, as long as you stay on good terms with US interests. The minute you become a target (which might simply be because you work at a competitor of a "strategic" US business), it's not so great, to put it mildly.
> Honest question: from a consumer perspective, what is deeply flawed about it?
You're not necessarily aware of the inherent insecurity until you are on the wrong side of a breach. You might assume you can charge back if anything goes wrong, but you might have absolutely no guarantee in law that you will be able to do so. As with so much about cards, you are then at the mercy of your card issuer and/or the underlying card network, and they will act in their best interests, which might not coincide with yours.
You might think it's useful to have the credit facility, but the rates you're paying will almost always be far higher than you could get on a competitive loan from a bank. (And if you can't get such a loan, you certainly shouldn't be building up credit card debts either. The model becomes predatory and abusive at this point.)
You might think you're getting a good deal with the cashback schemes, but the merchants are getting hit with higher fees on the other side and they will be pricing that into the amount you were paying in the first place. Worse, since various places now limit or prohibit charging extra fees for card transactions, governments have legislated competition out of the payment methods market and anyone who chooses not to pay with a card is now stuck with the same higher prices.
You might find the automatic conversions for foreign payments useful, but you are almost certainly paying a silly exchange rate and maybe extra fees on top for the privilege.
Card payments are comically unreliable at the best of times. In a "good" case, this just causes some embarrassment when your card is unexpectedly declined at the store and you have to try it again or use something else to pay. In a more serious case, perhaps your card gets blocked because of a false positive on the security checks while you're abroad, and you are left with no easy way to pay for anything for potentially several days until it gets sorted out.
On top of this, there are the indirect effects of all the one-sided obligations imposed on credit card providers by governments and on merchants by credit card providers, where a bunch of people are required to take on potentially severe risks that should be entirely unnecessary just to carry out a simple financial transaction. Much of what is wrong with the industry actually comes down to these effects and what happens when the risk gets passed on or priced in.
In short, the people who benefit the most from card payments are the card networks. For everyone else involved, they are likely inferior to other payment methods in one or probably more important ways, and it is their established infrastructure and ubiquity internationally that keeps them relevant more than anything else. There is no good reason we shouldn't all switch to alternatives today, given the ease of doing so with modern mobile devices and Internet access, but again it comes down to momentum more than anything else.
Debit cards are definitely better than credit cards in several situations, but most of them outside of various national schemes are still using the networks run by VISA, MC, etc.
The thing that bugs me is that we're perfectly capable of doing quick, reliable transactions without any need for cards at all today, particularly in Europe with the SEPA infrastructure, or in other areas that have national debit schemes. We just haven't got around to making this easy for both online and in-person payments yet, though things like the payment methods using smartphones and the consolidation of debit schemes that fintech firms like GoCardless are working on seem like obvious steps in the right direction to me.
> It's easy to do, just don't do business with the US at all.
That's amusing of course because the EU economy is desperately dependent on the US economy. Meanwhile the US economy is far less dependent on the EU economy.
So the plan then must be to do zero business with the US and Chinese economies, the world's two largest. You also can't do business with Canada, Australia or Britain, so there went another $5.7 trillion in economy you can no longer trade with.
The EU would be sent back to third-world living standards within a decade or two. You just lost access to 50% of the world economy. Easy to do, yeah sure.
I missed the point about the US and China being the largest economies.
Europe is still ahead of China. And has a much higher and better educated population than the US, and much more exporting small, independent businesses. Meanwhile the US is at third world standards in infrastructure and democracy. Their only strength is military and having the Dollar. This is not sustainable.
Providers of what? SaaS or servers? As far as I know, none of the budget server providers like OVH, Hetzner and Online.net/Scaleway have a US presence.