Should we mention the US CLOUD Act?
Or Schrems II?
Oracle plans to launch new sovereign cloud regions for the European Union next year to ease any concerns about hosting data and applications that are sensitive, regulated, or of strategic regional importance. The 27 members of the European Union operate under harmonized data protection laws characterized by the General Data …
With the US CLOUD Act, any system that is under the direct or indirect control of a US-based company can be probed by the US government.
For an EU firm to comply with the GDPR they cannot store personal information in any system that is subject to the US CLOUD Act.
Any words that Oracle says to the contrary are ignoring reality to the same extent as Flat Earthers.
Not totally true. Oracle can staff a local subsidiary wholly with local, single nationality staff only, who have to obey local laws, and follow an employment contract that spells this out.
They will be obligated to tell the US to piss off, and likewise to refuse any contrary direction from the company's owners (Oracle US), who are US citizens and subject to such orders. Everyone gets to obey the laws they are subject to, and your data is only subject to your jurisdiction.
This should be the norm.
> For an EU firm to comply with the GDPR they cannot store personal information in any system that is subject to the US CLOUD Act.
In reality, that is only part of the problem. Schrems II spells out the other part in great detail, but it boils down to violating the right to effective recourse in front of a legally constituted tribunal. In essence, this is because of the relevant US spying "laws" being in reality executive orders, which are not justiciable acts.
In other words: as a non-US citizen, if the NSA gets hold of your data, as they do, there is no court that you can go to to protect your rights (forgive the simplification).