by philipallstar 58 days ago
> For a lot of business customers, EU based hosting is not optional

They still use US clouds that can have information pulled by the US government.

3 comments

This is changing somehow. At least on the surface. For example, Amazon has created a European subsidiary completely managed by Europeans under a European company, thus under its local jurisdiction.
You are incorrect:

1. the 2018 CLOUD Act mandates US companies — and their subsidiaries — to provide information to the US government on demand, regardless of where the data is stored

2. FISA secret courts prevent companies from even saying they were summoned, or telling anyone who or what the case was about (including canaries).

So you won't ever know if your data was handed over to the US government.

The whole point of setting up the EU subsidiary as a separate company that is incorporated in the EU and is managed and staffed by EU citizens is to avoid this.

The purpose of the CLOUD Act was to get at data that was stored outside the US but that was "in the custody, control, or possession of communications-service providers that are subject to the jurisdiction of the United States".

It arose from a situation where an email provider in the US used cloud storage services in several countries to store emails. They were asked for the email of a particular customer and said they did not have to provide it because they had happened to store that customer's mail at a non-US cloud provider.

What the CLOUD Act requires is that:

> A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider's possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.

A company incorporated in the EU, even if it is owned by an entity in the US, is not subject to US jurisdiction and so that does not apply. The US owner is subject to US jurisdiction but the data of EU customers of the EU company is not in the US owner's possession, custody, or control.

> The US owner is subject to US jurisdiction but the data of EU customers of the EU company is not in the US owner's possession, custody, or control.

No? Certainly sounds like it is in the US owner's control to me.

But even disregarding that fact. Given that the US government also started hiding what it was doing with FISA courts and forbidding that anyone, including the companies themselves, checks what actually happens ... do you think anyone will believe this? We HAD evidence of US companies refusing to hand over data before CLOUD and FISA, we do not see that anymore. (And that's before we start taking into account more some recent administration's respect for ...)

Of course this is also pretty hypocritical since EU countries have been caught more than once capturing communications of non-citizens. The problem that usually gets mentioned: the Boeing - Airbus fight wasn't a one sided US being untrustworthy to help Boeing.

"A company incorporated in the EU, even if it is owned by an entity in the US, is not subject to US jurisdiction and so that does not apply."

Incorrect, this is EXACTLY the scenario that the Cloud Act was introduced to handle.

What happened is in 2013 Microsoft Ireland refused an FBI warrant for information held on EU servers, under the control of MS Ireland.

Microsoft USA refused the warrant on the jurisdiction grounds you mentioned above.

So the Cloud Act was passed: US law for access to digital information applies to any subsidiary anywhere on earth.

Sorry.

Do you think the US board of Amazon will go to jail to protect their EU subsidiary?
They should be legally and physically separated, and these actions should then be potentially illegal for Europeans, so I do not think I'm at least unfactual.

But assuming the owner is a US company abiding by US laws, it's safe to assume that data would be transferred to the US one way or another.

The US intelligence machinery spied on Angela Merkel's phone. Do you suppose secretly demanding cooperation for Lawful intercept capabilities in Amazon GmbH is somehow beyond or beneath them?

Also consider that all communication between the European subsidiaries to the HQ is fair game under FISA.

Best to assume it is.
Unless it is air-gapped, which it is not, there is no way to protect Amazon's developed and owned software stack from reporting back to headquarters.
Sure there is: contracts, laws and prison time can ensure that doesn't happen.
The European leaders would have no say in it. If the software from Seattle is designed to covertly exfiltrate information, they won't even know it. Even if they review the individual code changes, it can be an obfuscated attack similar to XZ where the code itself is clean, but not so much for the network fabric firmware binary test data.
That's why I used the "somehow". But abiding by your logic, nothing is ever secured, which is ultimately true, but it could be illegal, so the deterrent here is not the impossibility itself but the potential harsh punishment for breaking the law.
FTA:

> So Mistral is developing its own data centers, starting with one outside Paris. Mensch projects it will have 200 megawatts of capacity by the end of 2027. Power from France’s state-owned nuclear plants will help, but the buildout could still cost an estimated $5 billion. Mensch tapped oil-rich Abu Dhabi and reportedly sought debt financing to help pay for it.

Though to your point it won't be running until 2027.

Compared to US datacenter buildout, it’s probably much more likely to actually go online.
Yes, I think the EU is going to be dependent on US tech (other than EUV lithography machines, very cool) for a very long time. Even those data centres, while run by Europeans, are still being made with almost entirely US tech. But at least the EU companies can borrow some oil money and buy in the stuff developed by someone else's R&D spend, which is a nice shortcut to have available.
>I think the EU is going to be dependent on US tech (other than EUV lithography machines, very cool

Well, ASML's EUV light sources are based on licensed US IP from Sandia Labs, and manufactured in the US by CYMER, which ASML bought, but they still operate and manufacture out of California, so the EU is not sovereign/independent here (neither is any country).

This doesn't mean much anyway, since despite ASML being European, their machines all go to export and the EU doesn't put any of those machines to good use domestically, with the most cutting-edge semiconductor fabs on EU soil being the Germany-based TSMC fabs on the much older 16 and 12nm nodes, far bigger than the 3nm that Taiwan and the US operate domestically.

We should forbid that if customer PII is involved
Companies can set whatever rules they like.