
Microsoft has been battling the government over this and more for a long time. They have another major ongoing case over US government rights to demand customer data stored overseas.

> What's in it for them

The very lucrative European business market. If they can't be assured that their data is safe with Microsoft (and out of US govt hands), they will naturally move to using non-US based competitors.



At $employer we process lots of PII on behalf of customers which is covered by additional domain-specific privacy laws on top of the general ones.

Compliance is important, and because we occasionally have to handle production data in-house this has far-reaching consequences.

It's not just that we can't use US-based cloud services for production. We can't use them for anything. Anything like Slack, G Suite, or Jira Cloud is not suitable for handling the sensitive data. Even something as simple as using reCAPTCHA required vetting by our data protection officer.


It's almost like, if you need your data to remain private, you shouldn't send it to someone else's computer.


Do you keep your money under a couch?

I understand that there are more risks to moving data around but some companies will be better than you are at a thing.

It's very dependent on what your risks are. Data integrity is a big one, though non-seizability by the US govt is important to others.


If I want my money (rather, the amount of money I have, and when I spend it) to remain private, I sure do!


Out of curiosity, what doesn’t AWS comply with? I was under the impression they were certified for almost every use case involving PII.


Starting from May 2018, no US-based company can possibly comply under the strict interpretation of EU data protection laws. If a US court can possibly legally compel you to hand over the data, you cannot host any private data on EU citizens on behalf of an EU company. Next year, I cannot even legally store things like names and email addresses belonging to EU citizens on a server run by a US company, without exposing myself to major legal liability. Many companies in the EU are now scrambling to get away from US service providers.

The text is very broad, and it has been argued that it's a stealth protectionism measure. For me to be able to do business with US-based cloud providers next year, the US law needs to change so that if an account has a "this refers to an EU citizen" bit set, that completely prevents US courts and law enforcement from acquiring any information about it without proving probable cause at an EU court of a specific crime that is of sufficient severity and criminal in both EU and the US. I don't believe that will happen.


There are two parts of concern when using AWS:

1. They comply with quite a number of information requests [0], even if they seem to oppose the weakening of legislation in place or overly-broad requests.

The NSLs under FISA are particularly concerning, because they can't even report the number they receive, only "within certain ranges set by the government". This is the same for all US companies, and Amazon are more upfront than most, but it's also a reason for avoiding a US company like Amazon.

2. Location. Where is your data? AWS's regions are quite broad in the legal sense, and sometimes cross borders that your data would not be allowed to (X-data must remain in Y-region, cannot be copied or transferred). However, determining whether or not your data would cross such a border can be quite difficult.

[0] https://aws.amazon.com/compliance/amazon-information-request...


Limiting things to EU-region AWS might have worked on paper. But in practice there is a lot of conservatism in play. It's not just about doing the bare minimum to pass the certification audits. Some customers also demand detailed data-flow breakdowns, a manifest of data processing agreements and lengthy checklists to comply with their internal data protection policy. Combine that with the CJEU toppling Safe Harbor, the Microsoft case, the Snowden leaks etc., and it's simply a lot easier to pass customer audits when you run on an exclusive EU-soil, EU-jurisdiction policy. And forward-looking it provides some certitude, i.e. we won't just pass the audits today, we're reasonably sure that if Privacy Shield falls too we'll still be fine.

Basically, if you provide SaaS for corporate customers and handle their PII (HR records, occasionally some medical data attached) then the intersection of various demands ends up fairly restrictive.


Not just European companies. Not being notified when the government gets their hands on your data is one reason not to put your data in a cloud service. By itself that's probably not enough to win over on-prem solutions, but it's one less con for cloud.


The 99% is lucky to be in a situation where this is possible. Imagine a world fully globalized under colluding bureaucratic powers, and an oligarchy of tech competitors.


We don't have to strain our imaginations too hard, do we?


Not naturally. EU privacy law will force them.


Even without EU privacy laws, a variety of laws in the USA have made various organizations outside the US wary about storing data in the US.

