
"The current conflict between EU privacy laws and US surveillance laws are also a problem for all other large US cloud providers, such as Microsoft, Google or Amazon"

Globalised tech companies caught in the middle here, hard to see how they can continue to service global markets without a huge per-country localisation effort. Ones that could do it will increase cost (passed onto users of course), those that cannot withdraw from the market, furthering the fragmentation of the global internet. May not be a bad thing overall, especially for local players and for national sovereignty evangelists



I don't see how they can continue the service, even with huge localisation effort. The capital sin is to be a US company. That subjects them to US law, including CLOUD act, which the EU considers to be incompatible with privacy guarantees.

Even if cloud providers use local datacenters they are still in "violation". If the US makes a data request using CLOUD act, they will have to comply, no matter where these servers are sitting.

Ironically, the EU intelligence services are happy to take the anti-terrorist information that the US is extracting with the CLOUD act and sharing with them.


To my understanding, the CLOUD Act is nothing like FISA already because it is about criminal law. Besides, the EU also recently enacted its own quite similar "e-evidence" law, and similar laws are pushed globally through the Budapest Convention. The biggest problem here probably is that the mutual legal assistance system is being replaced internationally by much more opaque practices. (And as for cyber crime, some major "players" are not participating.)


The intelligence services are not advocates for privacy laws.


Don't try to paint the US as the victim here because it's honestly ridiculous.


> which the EU considers to be incompatible with privacy guarantees.

Well, the whole "global jurisdiction" is iffy for the rest of the world.


> May not be a bad thing overall, especially for local players and for national sovereignty evangelists

Yep, especially if they have to play by different rules and have different values than the companies they try to compete against.


> hard to see how they can continue to service global markets without a huge per-country localisation effort

You (the company) could maybe instead protect everyone's data equally (or rather, avoid slurping up as much personal data as they possibly could), then you won't have to go through the whole process of making everything per-country localized.

By GDP, the European market is the second largest in the world, it's hard to imagine US companies would try to avoid it without thinking about it for a good while.


You are suggesting two approaches, one (or even both) of which are not feasible.

The problem with protecting everyone's data equally (and the point of why EU courts are rejecting the current regime) is that national laws override company intent. If a US company is served a national interest letter, they are giving up the data and keeping mum about it, or someone is potentially going to jail. And nobody will go to jail to protect the data of a user of a free (or a $8/mo, whatever) service.

This happens similarly in other countries - China, obviously; UK has a similar "national interest" rule; I don't know about the EU but I wouldn't be surprised if their spies and law authorities have also codified access on an as-needed basis for themselves. It's all the other kids that must be kept out of the personal data sandbox.

Avoiding collecting the data in the first place is far more robust against this sort of government behavior. There are organized government efforts to mandate centralized data collection and facilitate access anyway (e.g. UK's attempts to ban end-to-end encryption), so we'll see if that approach holds.


Yes indeed. If you do business in a country, adhere to the rules of this country. Simple.

True globalization (one global rulebook) is probably not achievable, considering all the different aspects of societies in this world (degree of capitalism, degree of privacy, degree of social class responsibility, degree of liberal society, degree of ...).

The G7 countries (aka US, EU, JP, Australia) are lucky to have a rough idea on what that should be. When you talk to China then you start banning stuff instead of playing court fines and regulatory alignment.


Not simple because the US CLOUD Act contradicts EU GDPR.


Yes, correct. But that is something they can figure out.


One has to take a step back, a compromise isn't possible.


AWS has zoned services and Amazon has country-specific websites. It's not that difficult.



