Regardless of how ridiculous it seems, this is a result of the isolationist policies of the US government and there will be traction to invest in such things in the EU, Asia and beyond even if the whole thing becomes a complete non-event.
> What's the benefit here (other than the usual nebulous 'because data protection and politics', that is)?
One of the few working privacy guarantees, the Transatlantic Data Privacy Framework (TDPF), relied on a U.S. watchdog called the Privacy and Civil Liberties Oversight Board (PCLOB). And Donald Trump defunded the PCLOB on January 28.
But even a fully functioning TDPF was not without legal troubles.
> Where do you want to move previously cloud-based applications to?
A vast majority of migrations to the cloud that I am aware of were lift-and-shift migrations. Putting software back in the locally hosted data centres is often quite feasible, as nothing gets rewritten, really.
> Who is going to maintain that non-cloud infrastructure?
It's the EU, mind you. People stick to jobs much longer than in the US. From what I can see, there are still bright engineers inside organizations.
Also... it does not have to be non-cloud. Just non-US.
> How do you address and mitigate the risks involved (e.g., security, resilience)?
I guess that's very project-specific.
> That said, there are companies such as VMware that sell "local cloud" setups. Their customers seem like your likely customers
There has been a whole "off Broadcom" movement for well over a year, and the winners are often EU companies.
That's not true. At least not based on their R&D locations back then. Most of those were in Russia. They quickly - and rightfully so - closed these locations down when the war started and moved their activities elsewhere.
It might be relatively easy to read, but for SMBs it's hard to actually implement in real life, because GDPR and the EU's stance so far often doesn't take economic reality into account. For small businesses, GDPR in many regards created a legal limbo while large corporations scoff at that regulation and have their legal departments deal with it however they see fit.
For instance, there's this tiny, gnarly aspect of where you are allowed to store your customer data.
Hosting data on servers located in the EU isn't required by GDPR in and of itself, as long as you have a valid data processing agreement with the provider stating how and according to which provisions customer data is protected on their machines.
However, according to a 2020 European Court of Justice ruling you're not allowed to transfer any personally identifiable information to companies that are in any way affiliated with a US-based entity (e.g., by virtue of having a US-based parent company) anymore. Just being physically located in the EU isn't sufficient according to this ruling.
The reason for this is that with FISA, US law enforcement can force US-based companies to hand over any data, even if that data is stored with an international subsidiary under a completely different jurisdiction.
This basically invalidates all of the provisions and legal frameworks for interacting with non-EU entities that used to be acceptable under GDPR before (e.g., Privacy Shield).
However, not interacting with any US-based or US-related entities at all anymore would be tantamount to ceasing almost all economic activity. So, until (or more pessimistically: unless) the US and the EU come to terms on a new agreement regarding privacy rules, there probably isn't anything a business can do on its own to completely address this issue. At this point, merely hosting data on servers physically located in the EU perhaps amounts to little more than window dressing.
As soon as a business has dealings with a US-based company, or an EU-based company owned by a US-based company, that potentially might have access to user data, that business technically is in violation of GDPR.
As of now, as a business you essentially have three alternatives:
1. Run the entire infrastructure you need yourself or have it run by EU-based companies guaranteed to have no relations with US-based entities whatsoever (Good luck with finding those ...). This, for example, includes payment systems and banking infrastructure, because guess where many EU-based banks host their infrastructure? That's right, AWS.
2. Go out of business.
3. Ignore this aspect of GDPR for now, document everything, continue to do your own due diligence, and hope for the best.
Moving towards a "European cloud" remains an eternal pipe dream, simply because such a thing doesn't exist, the reason being the EU actively regulating against businesses trying to innovate in this and other seminal areas.
You're right that a "European Cloud" has been a 'dream' for a long time. But I don't see the reasons you cite (regulation) as a cause of impediment.
And you slightly mis-parsed my words. A migration of cloud services from US providers isn't the same as to a "European Cloud".
Canada, Australia, India, Vietnam, South Africa... there's a whole world of nominally friendly and economically viable suppliers out there. What matters is moving from Microsoft, AWS, Google and other services that cannot be considered "safe" any longer.
I notice from your profile you're an AWS disciple. You must know AWS want to build a "Euro Sovereign" division? Not that I think it will be successful, but look at which way the wind is blowing.
> Canada, Australia, India, Vietnam, South Africa... there's a whole world of nominally friendly and economically viable suppliers out there
Where generally EU-based businesses aren't allowed to move their cloud infrastructure either.
With the US and Privacy Shield there at least used to be an agreement in place. While that agreement was frivolously nullified by EU courts, at least so far authorities haven't been overly eager to enforce that, probably because they know that'd put pretty much every EU-based company out of business.
Have fun trying to convince zealous bureaucrats and lawyers that hosting your customer data in Vietnam is fine for an EU-based business, though.
> the reason being the EU actively regulating against businesses trying to innovate
Oh come on, can we stop with that? Not having regulations results in quasi-monopolies and oligarchs. Preaching against regulation is only worth it if you are Google, Amazon & Co. Regulations don't prevent fairly big companies from existing.
Maybe the lack of regulations in the US pushes EU companies to move there. But right now maybe non-Americans will start looking for non-US alternatives, and that's good.
Funny thing is, due to overly complex regulations such as GDPR, there are no EU-based alternatives to speak of and as an EU-based company moving your cloud-based business to other countries mentioned in this thread often isn't legal according to GDPR either.
With the US and Privacy Shield there at least was an attempt to come to some sort of reasonable real-life solution (which of course was shot down by EU courts, so as of 2020 pretty much every EU-based business is in a legal limbo).
> due to overly complex regulations such as GDPR, there are no EU-based alternatives to speak of
You're talking specifically about AWS competitors, right? I don't think it's related to GDPR. It's really that everybody uses AWS. Would you say that Canada doesn't have a competitor to AWS because of their regulations, too?
Regulations like the GDPR precisely try to give incentives for competitors. Which is hard to do because people/companies fight to use the US solutions and don't care about privacy, just convenience.
> Regulations like the GDPR precisely try to give incentives for competitors.
It failed miserably at that, too. Apart from Plausible there's hardly any business worth mentioning that used GDPR as a competitive advantage. GDPR for the most part has been a stimulus program for lawyers and government busybodies.
> You can't take the GDPR, and conclude that regulations as an idea is bad.
Though I didn't make that claim, in fact I precisely think that more often than not that's indeed the case. Regulations often serve no other purpose than to create yet more red tape procedures and self-serving structures.
The privacy shield was 'shot down' because it would allow the US unprecedented access to personal data of EU civilians (including unlimited surveillance).
GDPR is not that bad. It has downsides but it is not overly complex.
Companies (including cloud services) have to comply if they want to have business in Europe.
Fines by EU:
Meta: 1.5 billion
Amazon: 750 million
TikTok: 350 million
Clearview: 30 million
Apple: 1.5 billion
That's just a perspective from reality, where people are doing business rather than contriving impractical regulations out of thin air.
> GDPR is not that bad. It has downsides but it is not overly complex.
It might seem simple to consumers or politicians who claim they could implement it in a day, but it is highly complex once you have to implement it as a small or medium-sized business.
> Companies (including cloud services) have to comply if they want to have business in Europe
Large corporations - i.e. the supposed target of that regulation - scoff at GDPR. They have legal departments and the funds necessary to deal with GDPR however they see fit, while small and medium-sized businesses bear the brunt.
While this might sound reasonable on the surface, here's the thing: Not only are there hardly any homegrown options in the EU, but the EU is actively regulating against such homegrown alternatives.
At the same time, people regularly call for the authorities to pitch in and provide such alternatives.
There are numerous ridiculously expensive - and now defunct - projects (e.g., Quaero and Theseus, just to mention two of those) that have tried to achieve something to that effect already, with little - if anything - to show for it.
Why people seem to think this is going to work this time around is beyond me.
> The EU is going to be thinking long and hard about the future of NATO now.
Thinking long and hard apparently is all the EU is capable of.
Trump's first term should have been more than enough to make the EU come to their senses. Now, we have tethered caps and the AI Act, but the EU still has no coherent vision or just even the slightest idea of how to move the continent forward instead of keeping it in the past.