I'm the VP / Distinguished Engineer leading the design, delivery, and operations of the European Sovereign Cloud. I'm in Hamburg right now for the AWS Summit tomorrow.
To answer some questions here in one go - for the European Sovereign Cloud, EU laws always apply. The only people with operational control or access (physical, or logical) are EU people in the EU, and decisions about how lawful orders are handled are also made by EU people in the EU. This is one of the biggest pieces of what it means to be a "Sovereign Cloud" and comes directly from the requirements of our customers. Another is that there are no technical dependencies on non-EU infrastructure.
Of course another answer is that for data access it's also great to build systems like KMS, Nitro, Wickr, CMK encryption, etc ... where we as an operator simply have no access to customer data in the first place. And those protections stand too.
> Regardless of Amazon's data sovereignty pledge, the parent company remains under American ownership, and may still be subject to the Cloud Act, which requires US companies to turn over data to law enforcement authorities with the proper warrants, no matter where that data is stored.
How does that work with "decisions about how lawful orders are handled are also made by EU people in the EU"? Will the EU cloud division go rogue once the US attempts to use the CLOUD Act or something?
I always take it as a very bad sign when someone senior working on a project comes to defend their company in a public forum and then mysteriously loses access to their keyboard when half a dozen people immediately raise an objection.
Could you point to a source, please? I’m not super well versed in the history and lore of cloud and AWS, but interested in and invested in arguing for and supporting adoption of (real) sovereign European computing.
"The General Court orders the Commission to pay damages to a visitor to its ‘Conference on the Future of Europe’ website as a result of the transfer of personal data to the United States" - https://curia.europa.eu/jcms/upload/docs/application/pdf/202...
From further research, it looks like the Amazon data transfer issue was litigated and resolved at the EU level, with the court finding Amazon's practices were lawful under the contracts in place.
Doesn't an EU branch of a foreign company have to comply with EU laws anyhow? The problem is the parent company being US based and susceptible to US government bullying. As long as it is still Amazon owned, nothing fundamental changes really.
Thanks for being here. Hopefully you can answer some more questions.
If a company is owned by a US entity (AWS/Amazon), can it also block customers at the US government's request, similar to how MSFT blocked ICC access to its email service?
Perhaps if Amazon.com Inc. own 100% of the shares as a financial holding but not as a corporate subsidiary, no voting rights, no board seat, no influence whatsoever etc. then there is a chance US requests would have to go via EU courts ...
Similarly to how it would work if a shareholder had a conflict of interest - the directors are required to govern in the company's best interest, not the (conflicted) shareholder's interests.
On paper (aka the laws of the United States) FISA applies to things that physically reside in the US.
"The FISA Court’s only jurisdiction is “to hear applications for and grant orders approving electronic surveillance anywhere within the United States.” 50 U.S.C. § 1803 (a) (1)."
No technical dependencies on non-EU infrastructure seems very unlikely. Does the EU edition not rely on the same software that American AWS owns? Isn't it owned by AWS?
under the US Cloud Act: if the company is owned or operated by a US company, or it is majority controlled by US citizens then "sovereign" is simply not true
just like airlines: the licensing regime for very large cloud providers should require majority control by European shareholders
hopefully those writing the "sovereign service audit checklists" are competent enough to see through this subterfuge
The goal is to design the services and corporate structure in such a way that, if the parent company was forced by US law to try to get ESC data, the operator would be forced by EU law to not comply. In extremis, the partition would be shut down, rather than release the data.
Need managed services beyond the scope of the above? There will be plenty of businesses (smaller and larger) offering you managed solutions on top of other cloud providers.
But are they really a sensible alternative to AWS/Azure when it comes to developer support etc.? Based on the offerings of European alternatives, it seems that everything up to IaaS and limited PaaS offerings can be sourced European, but the real value-add is in development tooling, pipeline support etc. (e.g. AWS CDK). The lock-in on those tools is huge, and Europe really needs to step up to provide an alternative to that. Love to be proven wrong though.
That all sounds nice, but if the government (US) doesn't honor its own laws, what's to stop it from using unreasonable measures to coerce Amazon into doing what it wants?
This whole setup collapses when Bezos calls someone and says "you're fired if you don't do as I say", which he might if Trump leans heavily on him or threatens to take control.
> AWS will establish an independent advisory board for the AWS European Sovereign Cloud, legally obligated to act in the best interest of the AWS European Sovereign Cloud.
The above quote implies that the threat from Bezos should have no effect. Then again, I have no experience in corporate politics. Are you saying that even with that quote the "AWS European Sovereign Cloud" setup is pointless in practice?
"Independent" does not really change anything about the advisory/governance thing.
And tech companies are very well known for breaking laws, especially privacy related ones, so I don't see the point either, yes.
> What about "independent" and "legally obligated"?
What about them? It can be as independent and legally obligated to focus on whatever set of interests you want; if it's only an advisory board, then it has no real power. (And, unless there is some guarantee of information other than what the management of the main org feels like giving it to support its advisory function, it can't even serve as a reliable canary.)
Trump doesn't need to be so heavy handed in your imaginary scenario as this is covered by The Cloud Act. The data is still hosted by an American company so with a proper warrant, Amazon will be legally required to hand over data.
In this scenario, the US parent company does not have physical access to the data, so it needs to request it from the EU subsidiary. The subsidiary then refuses the transfer to comply with German law.
The bigger point here is that this is a generational loss of trust. Even if there is some overwhelming political change that pushes Trump and the GOP out by a massive margin, the trust that this won't happen again is gone. Nobody believes that the US can make a promise for more than the length of a presidential term now.
This week there are AWS summits all over Europe. It's a good time to show up wherever AWS representatives stand and ask questions about this initiative, maybe give them some praise (may help their little hearts to hue slightly less black). And ask about IAM, and about legal guarantees, and if it comes to that, what (legal and otherwise) remedies are in place for breach of European regulations by USA authorities.
A particular question I'll ask is if they see tariffs potentially increasing the price of their services both in USA and worldwide. After all, if tariffs make goods more expensive in USA, that could propagate to the services they export.
I'm not an expert on trade and tariffs, but my basic understanding is that tariffs only apply to goods that cross borders. At the moment, most customers outside of the US have experienced a decrease in price because the dollar has lost strength. Most cloud services are priced in dollars.
At AWS it runs really deep that we don't increase prices. We're like Costco with the hot dog. I've been amazed at the lengths we've gone to over the last few years. As all of our fundamental costs like energy, land, salaries, have experienced inflation globally, we've prioritized cost-savings and efficiency programs that meant we haven't had to pass that on as price increases. We did introduce a new fixed-price for IPv4 addresses, but it's not a significant charge for most customers and is just driven by the finite and now dwindling availability of IPv4 addresses.
By saying "EU imposes something on a non-EU company", are you in fact referring to enforcing laws that are publicly known about? That seems like a totally different scenario to someone in the U.S. deciding that they need access to data in the EU due to some nebulous concern about national security and the company involved not even being allowed to openly discuss it.
Companies must adhere to the law where they are headquartered and where they are physically doing business. In particular court orders apply to them from either/both jurisdictions.