Countries hosting the data centres can make it illegal to allow access from outside their area/EU... or specifically to US entities along with making it illegal to move any data out without customer/local gov approval... This isn't rocket science. The company cannot do business if it doesn't follow the law. There are laws like this in places already. The company's local subsidiary tells the American company to politely pound sand and the American company says sorry, we tried, but do not have the capability to do as asked.
America has become China in the eyes of the world.
Everyone banned Huawei products despite the ability to pass laws saying Huawei must respect data sovereignty. They didn't ban US firms, because unlike China the USA was championing the rule of law at the time. Data sovereignty only works if the USA respects the laws of other countries, even though, just like China, they could coerce / bribe citizens and firms to bypass them. Such activity would be largely undetectable. Who is going to know if someone peeked at a secret document stored in Azure? There was a huge amount of trust involved in the arrangement.
The USA has now denounced the rule of law, is withdrawing the the institutions set up to champion it, and has shut down the ICCC's access to some services. The trust has gone.
An American company will always follow US law, no matter the local laws.
It isn't usually an American company doing the local operations, but a local subsidiary. Like Walmart Canada telling Walmart corporate to pound sand in the 1990's over Cuban pajamas. It's illegal for Canadian companies to participate in the US embargo of Cuba.
This is all well within the realm of what governments can and do regulate. Want to do business in a country with their laws or not is the choice.
At some point it comes to a head; Walmart corporate and the USA didn't care enough about Cuban pajamas, but in a situation where they DO care, you quickly get Вкусно – и точка.
The EU (nay, perhaps every country) should be prepared to deal with Microsoft or AWS completely cutting them off from access to all their systems - what would be the cost and impact?
We are rapidly heading to not one Internet, but country-specific internets that may or may not bridge to other ones in some cases.
Apparently AWS sovereign cloud is designed to continue operating even if the US offices cut them off. The servers are in the EU and the people running them are subject to EU laws, not US ones.
Realistically a US executive could be legally required to give an EU engineer a command that they legally couldn’t follow. At that point I guess we find out if the engineers’ national or corporate identities are dominant. I suspect the former in most cases, but who knows?
The US exec probably doesn't want to order them either. So the game would be played and they did their best. There's another article about the US fighting data sovereignty requirements/laws in other countries, but that relies on their quickly dwindling soft power.
Canadian companies can't use Cloud providers at all then? I'm incredulous about that.
Google, AWS & Microsoft all nullroute the countries of Cuba, Iran and North Korea. Google also nullroutes Crimea.
So by using a cloud provider, you are participating in the embargo of Cuba.
Not sure Canada has the leverage/market to get them to sway here. But a body like the EU has the leverage to force local operation and control.
The employees of the actual subsidiary entity follow the laws of the country they're based in.
GDPR give exemption for foreign government for "national security", "important reasons of public interest" or "law enforcement", whatever that meant.