How so? Amazon, Google and Microsoft need access to your unencrypted data in order to provide most of their services (such as databases, analytics, machine learning). There's not much they can do with encrypted data. They can store it. They can pass it through. That's it.
This problem has to be solved on a political level. There is no technical fix and the legal workarounds appear to be exhausted.
My RDS data is stored encrypted on disks with a private key AWS operators have no access to [1] (or at least that's what they tell you), and the application layer connection is controlled by a password transmitted over a TLS-only connection, whose private key - again - AWS has no access to.
You're decrypting data on Amazon's hardware using software provided by Amazon. Of course they can access your unencrypted data if they have to.
It comes down to the details of the legal obligation they have under U.S. law. Are there limits to what they have to do to help U.S. law enforcement, and what exactly are those limits?
The data in memory in that server is not encrypted. Amazon, owning the server, can log in to it and read whatever part of the memory they want. I don't see how encrypting data at rest helps you in this scenario.
If GDPR makes all the cloud services provided by American companies illegal, what alternatives do European companies have? Services like OVH and Hetzner are great as low-cost options, but they don't provide the same services at all.
How about Netsuite (Oracle), Netsuite, etc.?
My guess is that ~100% of European companies use some kind of US service and there are no realistic alternatives. Are they going to rule that all companies are doing something illegal?
Creating "competing"* services does not solve the problem of how Europeans can continue to use U.S. services if and when they (we) prefer to do so based on technical merit.
I don't think it's a good idea to let the world (and the internet) fragment into ever smaller jurisdictions that can no longer find a way to trade with each other.
We need a legal agreement to sort this out or everyone will be worse off.
* They wouldn't actually have to compete at all if U.S. services were banned.
"(1) Personal data shall be: (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)."
No, opening a connection and exchanging IPs falls under "technically necessary" processing of personal data.
But from a legal point of view we, as a European company, are forbidden to use any US infrastructure provider. We can't ask for consent to transfer data to a US-based entity if our consent form itself is already hosted by a US-based entity. And even if we did find a solution, like hosting the main infrastructure with a European company and asking for consent for some later data transfer, we are most likely forbidden to transfer data to US-based entities at all.
This will change soon. From what I heard, work is underway to let national data protection offices handle cases without the Irish DPC or to force the Irish DPC to work.