colmmacc 2 days ago

I'm the VP / Distinguished Engineer leading the design, delivery, and operations of the European Sovereign Cloud. I'm in Hamburg right now for the AWS Summit tomorrow.

To answer some questions here in one go - for the European Sovereign Cloud, EU laws always apply. The only people with operational control or access (physical, or logical) are EU people in the EU, and decisions about how lawful orders are handled are also made by EU people in the EU. This is one of the biggest pieces of what it means to be a "Sovereign Cloud" and comes directly from the requirements of our customers. Another is that there are no technical dependencies on non-EU infrastructure.

Of course another answer is that for data access it's also great to build systems like KMS, Nitro, Wickr, CMK encryption, etc ... where we as an operator simply have no access to customer data in the first place. And those protections stand too.

  • jeroenhd 2 days ago

    According to the article:

    > Regardless of Amazon's data sovereignty pledge, the parent company remains under American ownership, and may still be subject to the Cloud Act, which requires US companies to turn over data to law enforcement authorities with the proper warrants, no matter where that data is stored.

    How does that work with "decisions about how lawful orders are handled are also made by EU people in the EU"? Will the EU cloud division go rogue once the US attempts to use the CLOUD Act or something?

    • openplatypus 2 days ago

      Amazon lied about SCCs before. Now they just change vocabulary.

      Nothing changed.

      • djhn 2 days ago

        Could you point to a source, please? I’m not super well versed in the history and lore of cloud and AWS, but interested in and invested in arguing for and supporting adoption of (real) sovereign European computing.

        • belter a day ago

          It's the EU using CloudFront... :-)

          "The General Court orders the Commission to pay damages to a visitor to its ‘Conference on the Future of Europe’ website as a result of the transfer of personal data to the United States" - https://curia.europa.eu/jcms/upload/docs/application/pdf/202...

          From further research, it looks like the Amazon data transfer issue was litigated and resolved at the EU level, with the court finding Amazon's practices were lawful under the contracts in place.

    • jiggawatts 2 days ago

      I always take it as a very bad sign when someone senior working on a project comes to defend their company in a public forum and then mysteriously loses access to their keyboard when half a dozen people immediately raise an objection.

    • belter a day ago

      They will have their own IAM so technically, they could go rogue... :-)

  • bgnn 2 days ago

    Doesn't an EU branch of a foreign company have to comply with EU laws anyhow? The problem is the parent company being US based and susceptible to US government bullying. As long as it is still Amazon owned nothing fundamental changes really.

  • tuyguntn 2 days ago

    Thanks for being here. Hopefully you can answer some more questions.

    If the company is owned by a US entity (AWS/Amazon), can it also block customers at the US government's request, similar to how MSFT blocked ICC access to its email service?

    • blitzar 2 days ago

      Perhaps if Amazon.com Inc. owns 100% of the shares as a financial holding but not as a corporate subsidiary, no voting rights, no board seat, no influence whatsoever etc. then there is a chance US requests would have to go via EU courts ...

      Disclaimer: Not a lawyer or PR person.

      • jplrssn 2 days ago

        How would corporate governance work if the only shareholder had no voting rights and no board seat?

        • blitzar 2 days ago

          Similarly to how it would work if a shareholder had a conflict of interest - the directors are required to govern in the company's best interest, not the (conflicted) shareholder's interests.

  • openplatypus 2 days ago

    As a US subsidiary, you still fall under FISA and therefore you fail adequate protection of Personal Data.

    Encryption does not protect data at runtime. Otherwise AWS is just glorified backup storage of e2ee data.

    • mox1 5 hours ago

      On paper (aka the laws of the United States) FISA applies to things that physically reside in the US.

      "The FISA Court’s only jurisdiction is “to hear applications for and grant orders approving electronic surveillance anywhere within the United States.” 50 U.S.C. § 1803 (a) (1)."

  • NorwegianDude 2 days ago

    No technical dependencies on non-EU infrastructure seems very unlikely. Does the EU edition not rely on the same software that American AWS owns? Isn't it owned by AWS?

    • belter a day ago

      Sounds like they have been working on it for a few years..

      "AWS re:Invent 2023 - AWS European Sovereign Cloud: A closer look (SEC216)" - https://youtu.be/qNHWeDf-fTQ

  • davidgerard 2 days ago

    So how are you disentangling it from hard dependency on us-east-1?

    That would be enough reason for non-EU customers to set up there!

    • colmmacc 2 days ago

      It's a separate "partition", with its own IAM accounts and orgs stack and everything. Similar to how US GovCloud is its own partition.

  • korijn 2 days ago

    Are you an EU citizen?

    • colmmacc 2 days ago

      Yes

      • djhn 2 days ago

        Are you exclusively an EU citizen?

        In certain EU countries, data center sovereignty criteria require the management and beneficiaries to also NOT be citizens of another state.

blibble 2 days ago

under the US Cloud Act: if the company is owned or operated by a US company, or it is majority controlled by US citizens then "sovereign" is simply not true

just like airlines: the licensing regime for very large cloud providers should require majority control by european shareholders

hopefully those writing the "sovereign service audit checklists" are competent enough to see through this subterfuge

sekh60 2 days ago

Still covered by the Cloud Act as the article mentions. This is just performative.

  • timewizard 2 days ago

    The CIA and NSA exist and have no effective oversight. It's all performative.

  • joaonmatos 2 days ago

    The goal is to design the services and corporate structure in such a way that, if the parent company was forced by US law to try to get ESC data, the operator would be forced by EU law to not comply. In extremis, the partition would be shut down, rather than release the data.

openplatypus 2 days ago

Smoke and mirrors. As long as they remain a subsidiary of AWS in the US, no level of protection will be sufficient.

MS tried the same with their Azure.

This is BS on another level.

az09mugen 2 days ago

In the first place, why should the EU have a cloud owned by anyone other than the EU?

  • openplatypus 2 days ago

    Exactly.

    Use OVH, Hetzner, Scaleway, etc.

    Need managed services beyond the scope of the above? There will be plenty of businesses (smaller and larger) offering you managed solutions on top of other cloud providers.

    • nicholasbraker 2 days ago

      But are they really a sensible alternative to AWS/Azure when it comes to developer support etc.? Based on the offerings of European alternatives it seems that everything up to IaaS and limited PaaS offerings can be sourced European, but the real value-add is in development tooling, pipeline support etc. (e.g. AWS CDK). The lock-in on those tools is huge and Europe really needs to step up to provide an alternative to that. Love to be proven wrong though.

yummybear 2 days ago

That all sounds nice, but if the government (US) doesn't honor its own laws, what's to stop it from using unreasonable measures to coerce Amazon into doing what it wants?

This whole setup collapses when Bezos calls someone and says "you're fired if you don't do as I say", which he might if Trump leans heavily on him or threatens to take control.

  • thih9 2 days ago

    > AWS will establish an independent advisory board for the AWS European Sovereign Cloud, legally obligated to act in the best interest of the AWS European Sovereign Cloud.

    The above quote implies that the threat from Bezos should have no effect. Then again, I have no experience in corporate politics. Are you saying that even with that quote the "AWS European Sovereign Cloud" setup is pointless in practice?

    • dragonwriter 2 days ago

      I think you are ignoring the word “advisory” in the phrase “independent advisory board for the AWS European Sovereign Cloud”.

      An advisory board is very different from a governing board.

      • unethical_ban 2 days ago

        What about "independent" and "legally obligated"?

        At worst it sounds like a canary.

        • mrln 2 days ago

          "Independent" does not really change anything about the advisory/governance thing. And tech companies are very well known for breaking laws, especially privacy related ones, so I don't see the point either, yes.

        • dragonwriter 2 days ago

          > What about "independent" and "legally obligated"?

          What about them? It can be as independent and legally obligated to focus on whatever set of interests you want, if it's only an advisory board, then it has no real power. (And, unless there is some guarantee of information other than what the management of the main org feels like giving it to support its advisory function, it can't even serve as a reliable canary.)

    • timeon 2 days ago

      > setup is pointless in practice?

      Depends if PR is pointless.

  • 9283409232 2 days ago

    Trump doesn't need to be so heavy handed in your imaginary scenario as this is covered by The Cloud Act. The data is still hosted by an American company so with a proper warrant, Amazon will be legally required to hand over data.

    • joaonmatos 2 days ago

      In this scenario, the US parent company does not have physical access to the data, so it needs to request it from the EU subsidiary. The subsidiary then refuses the transfer to comply with German law.

jmward01 2 days ago

The bigger point here is that this is a generational loss of trust. Even if there is some overwhelming political change that pushes Trump and the GOP out by a massive margin, the trust that this won't happen again is gone. Nobody believes that the US can make a promise for more than the length of a presidential term now.

dsign 2 days ago

This week there are AWS summits all over Europe. It's a good time to show up wherever AWS representatives stand and ask questions about this initiative, maybe give them some praise (may help their little hearts to hue slightly less black). And ask about IAM, and about legal guarantees, and if it comes to that, what (legal and otherwise) remedies are in place for breach of European regulations by USA authorities.

A particular question I'll ask is if they see tariffs potentially increasing the price of their services both in USA and worldwide. After all, if tariffs make goods more expensive in USA, that could propagate to the services they export.

  • colmmacc 2 days ago

    I'm not an expert on trade and tariffs, but my basic understanding is that tariffs only apply to goods that cross borders. At the moment, most customers outside of the US have experienced a decrease in price because the dollar has lost strength. Most cloud services are priced in dollars.

    At AWS it runs really deep that we don't increase prices. We're like Costco with the hot dog. I've been amazed at the lengths we've gone to over the last few years. As all of our fundamental costs like energy, land, salaries, have experienced inflation globally, we've prioritized cost-savings and efficiency programs that meant we haven't had to pass that on as price increases. We did introduce a new fixed-price for IPv4 addresses, but it's not a significant charge for most customers and is just driven by the finite and now dwindling availability of IPv4 addresses.

whb07 2 days ago

I’m going to get downvoted for stating the obvious but …:

Lots of comments talking about “but US subsidiary, still has to follow US laws if mandated”

If I added the amount of sources where the EU imposes something on a non-EU company here it would crash the server.

  • openplatypus 2 days ago

    Just exclude EU user. Block if from EU access and nobody will touch you.

    You want to handle our data?

    Obey our rules.

  • blitzar 2 days ago

    Companies must adhere to the law where they are headquartered and where they are physically doing business. In particular court orders apply to them from either/both jurisdictions.

    Always has been, always will be.

  • whb07 2 days ago

    To be explicit this is a problem with the system, whereby an arbitrary thing can demand by force something.

    I wish EU/US et al wouldn’t do this but they do. Let’s further the comments outside this point.

  • timeon 2 days ago

    How is your comment relevant to EU users (the actual topic)?

fakedang 2 days ago

Customers fret but they aren't leaving (wink wink)...