[Vespasian]

As I read it the issue is that the American HQ can order their European subsidiary to provide the data.

Hetzner US does not have a European subsidary and therefore cannot violate GDPR (assuming US personal can't access EU customer data).

Hetzner HQ is in Germany and is not allowed to enforce the CLOUD Act outside the US

[q-base]

That could also be correct.

But if I was under legal/contractual obligations, with Hetzner as my hosting provider, I would have their legal department confirm this.

Since Hetzner found the need for appending the paragraph I referenced, they must have become aware of something.

[Vespasian]

True.

Now that they are entangled with US law there might be an incentive to be as a cooperative as possible.

Yet, Hetzner is still a "better" option (with regards to data protection) than any of the big US-based cloud providers.

[baridbelmedar]

Not sure I follow, in what way are they better?

Imho, as soon as you do business with the US or trade in US Dollars, you need to play nice with the relevant authorities.

If I understood it correctly, Hetzner is now "infected" in the same way as the three US cloud providers are. The Schrems II verdict and Cloud ACT basically concludes that no European company can exist in the US and vice versa without having to deal with the same pesky legislation.

An alternative could of course be that Hetzner created a new US based company where the EU parent Hetzner company only holds a minority ownership in the new US-based company. The EU based parent company in turn then "sells" its technology to the new US company. This way, the arrangement becomes more reminiscent of how IBM has sold its mainframe to European companies...

[welterde]

Why would it matter at all if it's a minority or majority stake in the ownership of the US subsidiary? As far as I understood it the combination of GDPR and CLOUD act only disallows the combination of US mother-company with EU subsidiary, but the inverse should be fine, since the US has no legal influence over the parent company?

[baridbelmedar]

The US-based cloud providers also have European subsidiaries. But that doesn't help because they are bound by US law. That is the root of the problem.

What makes you think that a European company operating within US jurisdiction would not be subject to the same laws?

If the European company receives a request from the US authorities for information, they need to follow the same legislation as the US companies do. Just because it's a subsidiary won't help. The authority will say "we want to know everything you know about the following person, please give us the information, otherwise...". The authority will not distinguish whether it is a subsidiary or the parent company.

Of course have the choice to just ignore the request from US authorities, but then you have to be aware of the consequences, i.e. quickly give up and shut down the subsidiary and stop trading with US dollars.

This is the root of the problem. CLOUD act has been ruled illegal in the EU just as you said, but it is also illegal not to comply with CLOUD act in the US. And companies operating on both continents in practice need to comply with both laws, regardless of whether it is a parent company or a subsidiary.

At least that's how I interpret it...

[welterde]

Are there any cases of the US nationalizing/seizing companies outside of sanction/war-related acts? Which would probably the only consequence the government can directly levy against the European company (the indirect ones they can also apply to pure European companies, so they don't really matter for this discussion).

But it really depends on how infectious just owning a company is, which I have no idea. But my gut-feeling is that it shouldn't be too infectious, since otherwise just buying a single share of a company operating in another country would put you into legal peril (who controls the subsidiary here is not really relevant, since the Cloud act wants to swim in the opposite direction in your scenario, therefore it shouldn't matter if it's 0.01% or 100%).