| HN Mirror

An EU company, even if it is owned by a US company, would not be subject to the Cloud Act and so should not find itself on the spot. The Cloud Act applies to whoever owns the data on the server, not to whoever owns the server.

Here's the situation it was designed to deal with. You've got a US company that has some documents. Law enforcement gets a subpoena requiring the company to turn over copies of those documents.

If the company has used some third party cloud storage provider to store those documents it has to retrieve them. It does this using the exact same procedure it would use if it was retrieving the documents for its own use. To the cloud storage provider this is just a routine data retrieval of a customer's data by the customer.

As far as I know if someone outside the EU buys cloud storage from an EU cloud storage provider, stores some files there, and later retrieves those files the EU provider will not get in trouble if that customer later did something with the files that would not be legal in the EU.

I'd be surprised if most countries don't have something equivalent. For example when German prosecutors were investigating VW after VW's emissions test cheating came to light if they had used whatever the German equivalent of a subpoena is to ask for copies of the emission system source code, would VW have been able to say "Sorry, we've got those in a private Github repository which happens to be hosted outside of the EU, so we can't get them for you"?

I suspect that the only reason the US actually had to have something like the Cloud Act and others don't is because only in the US could you have actually had a chance to succeed in saying that you cannot be compelled to turn over a document that you control and can legally retrieve at any time just because you happen to have it currently stored somewhere that the compelling government does not have jurisdiction over.