How so? Amazon, Google and Microsoft need access to your unencrypted data in order to provide most of their services (such as databases, analytics, machine learning). There's not much they can do with encrypted data. They can store it. They can pass it through. That's it.
This problem has to be solved on a political level. There is no technical fix and the legal workarounds appear to be exhausted.
My RDS data is stored encrypted on disks with a private key AWS operators has no access to [1] (or at least that's what they tell you), and the application layer connection is controlled by a password transmitted over a TLS-only connection, whose private key - again - AWS has no access to.
You're decrypting data on Amazon's hardware using software provided by Amazon. Of course they can access your unencrypted data if they have to.
It comes down to the details of the legal obligation they have under U.S law. Are there limits to what they have to do to help U.S law enforcement, and what exactly are those limits?
The data in memory in that server is not encrypted. Amazon owning the server can log in it and read whatever part of the memory they want. I don't see how encrypting data at rest helps you in this scenario.
If GDPR makes all the cloud services provided by American companies illegal, what alternatives European companies have? Services like OVH and Hetzner are great as a low cost but they don't provide the same services at all.
How about Netsuite (Oracle), Netsuite, etc.?
My guess is that ~100% of European companies use some kind of US service and there are no realistic alternatives, are they going to rule all companies are doing something illegal?
Creating "competing"* services does not solve the problem of how Europeans can continue to use U.S. services if and when they (we) prefer to do so based on technical merit.
I don't think it's a good idea to let the world (and the internet) fragment into ever smaller jurisdictions that can no longer find a way to trade with each other.
We need a legal agreement to sort this out or everyone will be worse off.
* They wouldn't actually have to compete at all if U.S services were banned.
"(1) Personal data shall be: (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)."
No, opening a connection and exchanging IPs falls under "technically necessary" processing of personal data.
But from a legal point of view we, as a European company, are forbidden to use any US infrastructure provider. We can't ask for consent to transfer data to an US based entity if our consent form itself is already hosted by an US based entity. And even if we did find a solution, like hosting the main infrastructure with a European company and asking for consent for some later data transfer, we are most likely forbidden to transfer data to US based entities at all.
This will change soon. From what I heard work is underway to let national data protection offices handle cases without the Irish DPC or force the Irish CPC to work.
It depends how much credence you put in the standard contractual clauses (SCC) added by these companies after the privacy shield was ruled invalid by the EU.
The idea with the SCC is that instead of all data transfers being covered by a single adequacy decision, each company adds SCCs to it's contracts with customers promising that data of EU citizens will be handled in a way that's compliant with GDPR.
Reading this piece from CNIL, I can't see how a US company is going to be able to use SCCs to protect EU citizens from data access by the US government. Non US citizens typically don't have a lot of rights in the eyes of the US gov and they've traditionally been pretty happy to rifle through the data of those people at will.
ed: the point by another commenter about using your own encryption key is a good one. However, the view of CNIL essentially seems to be that transferring any data to the US is risky so to me it feels like you'd be swimming against the tide.
If you encrypt the data with your own key, they should not be able to access it.