My understanding of the 2018 CLOUD Act is that a US-headquartered cloud vendor must hand over subpoenaed customer data even if the datacentre is outside the USA.
This is the rationale behind sovereign clouds like Azure Germany, I think. In that case Microsoft provides the software and design, but the whole cloud is operated by EU citizens and no Americans have direct access. The idea being that Microsoft couldn't be compelled to hand over data because it has no access. I'm sure AWS (and maybe GCP) have such things by now.
Disclaimer: I work in Azure but not on this, so my info may be wrong.
This is totally irrelevant to the discussion, but I found it amusing that the author of that article's name is Jim Halpert and he actually very mildly looks like Jim Halpert.
Do we have any evidence that a company has been forced into a situation like this yet? Where they've been required by the US to turn over data but prevented by the GDPR? I feel like that would've been big news, but surely it's happened already.
The joy of NSLs is that you’re not allowed to talk about them. I have no idea what it would look like, but I imagine there would be nervous lawyers talking to both the US DoJ and their local privacy commissioner, quietly trying to find some solution that doesn’t involve the executives going to jail when setting foot in the US.
Disclaimer: I work in Azure but not on this, so my info may be wrong.