1226 points bishopsmother | 65 comments
samwillis ◴[] No.35046486[source]
Fundamentally I think some of the problems come down to the difference between what Fly set out to build and what the market currently wants.

Fly (to my understanding) at its core is about edge compute. That is where they started and what the team are most excited about developing. It's a brilliant idea, they have the skills and expertise. They are going to be successful at it.

However, at the same time the market is looking for a successor to Heroku. A zero-DevOps PaaS with instant deployment, dirt simple managed Postgres, generous free level of service, lower cost as you scale, and a few regions around the world. That isn't what Fly set out to do... exactly, but is sort of the market they find themselves in when Heroku then basically told its low value customers to go away.

It's that slight misalignment of strategy and market fit that results in maybe decisions being made that benefit the original vision, but not necessarily the immediate influx of customers.

I don't envy the stress the Fly team are under, but what an exciting set of problems they are trying to solve, I do envy that!

replies(20): >>35046650 #>>35046685 #>>35046754 #>>35046953 #>>35047128 #>>35047302 #>>35047334 #>>35047345 #>>35047376 #>>35047603 #>>35047656 #>>35047786 #>>35047788 #>>35047937 #>>35048244 #>>35048674 #>>35049946 #>>35050285 #>>35051885 #>>35056048 #
1. ec109685 ◴[] No.35046953[source]
The CloudFlare folks wrote a good blog post on how they are seeing their customers use Edge compute — latency is far down on the list: https://blog.cloudflare.com/cloudflare-workers-serverless-we...
replies(2): >>35047067 #>>35047122 #
2. everybodyknows ◴[] No.35047067[source]
Hmm, that post is almost three years old -- still accurate?
replies(1): >>35048817 #
3. fmajid ◴[] No.35047122[source]
The US CLOUD Act means an EU customer cannot use a US cloud provider to host PII, even if the server itself is physically in the EU, because US law will still compel the provider to yield the data to US authorities. The European Commission is trying to paper over the cracks with a fig leaf of judicial review, but it's only a matter of time until a Schrems III decision from the CJEU invalidates that polite fiction.
replies(6): >>35047259 #>>35049766 #>>35049953 #>>35050521 #>>35053056 #>>35054838 #
4. LunaSea ◴[] No.35047259[source]
The amount of EU companies following this law is exactly 0.
replies(7): >>35047293 #>>35047380 #>>35047435 #>>35047449 #>>35047569 #>>35047724 #>>35053938 #
5. ◴[] No.35047293{3}[source]
6. exac ◴[] No.35047380{3}[source]
I know I've personally spent a large portion of my time updating systems to be compliant in the last few years, in North American companies.
replies(2): >>35047993 #>>35048274 #
7. speedgoose ◴[] No.35047435{3}[source]
It’s not true. I know people who lost contracts because they were using Azure and the customer wanted to respect the law.
replies(1): >>35048957 #
8. pjmlp ◴[] No.35047449{3}[source]
I can attest that there are a lot more than zero in Germany.
replies(1): >>35048865 #
9. huijzer ◴[] No.35047569{3}[source]
Please tell the legal department of our uni. I’m stuck with a home-made Kubernetes cluster where I have to mail the admins for provisioning, SSL and domain management. Would love to switch to Fly or Render
10. e12e ◴[] No.35047724{3}[source]
This simply isn't true. At least not for EEC (Norway).
replies(1): >>35048892 #
11. mro_name ◴[] No.35047993{4}[source]
might well have been yak shaving. If a company is under US jurisdiction it simply cannot comply with EU data protection.
replies(1): >>35049073 #
12. mananaysiempre ◴[] No.35048274{4}[source]
... Are those North American companies prepared to willingly break EU laws then? Because in my (amateur) understanding it’s logically impossible to satisfy both CLOUD Act requirements and EU data protection ones (not just GDPR, but general due-process rights the CJEU considers required for privacy violations and US courts deny noncitizens).
replies(1): >>35049265 #
13. prdonahue ◴[] No.35048817[source]
Yes, especially as compliance and regulatory frameworks continue to evolve and become more difficult to adhere to as mentioned elsewhere in the comments.

We're inherently faster than other "serverless" platforms due to the scale and homogeneous design of our network, and that network has presence in nearly 50% more cities than it did just 3 years ago. We were plenty fast enough then and we're even faster now.

Other things that customers (still) really care about: developer experience, ease of use, and cost. Nobody likes paying the AWS tax to move data around—they just want to use the best solution from the best cloud provider. Workers and the associated storage primitives allow them to pick and choose from the best that AWS, Azure, Cloudflare, GCP, et al. have to offer.

(Disclaimer: I'm a long time Cloudflare employee focused on App Sec, and I speak to customers regularly who look to Workers largely for compliance reasons, but I don't work on the Developer Platform business. Am sure my Dev Platform peers will chime in with more nuanced answers!)

14. LunaSea ◴[] No.35048865{4}[source]
I would be glad to be shown a company with AWS, Google Chrome, Google Search, Slack and all the usual suspects.
15. LunaSea ◴[] No.35048892{4}[source]
I have never seen a company without Google Search, Google Chrome, AWS, Microsoft 360 and the lot.

Which alternatives are they based on?

replies(2): >>35049234 #>>35054717 #
16. LunaSea ◴[] No.35048957{4}[source]
I've talked with companies like that as well and they start with strict rules and end up allowing clouds because no solution is compliant anyway.
replies(1): >>35053496 #
17. ◴[] No.35049073{5}[source]
18. fcantournet ◴[] No.35049234{5}[source]
Those would not contain PII from your users though, unless you have terrible policies about copying personal information in random Google Docs.
replies(2): >>35050527 #>>35052972 #
19. mike_d ◴[] No.35049265{5}[source]
Yes.

Whenever a US law and a foreign law conflict, the US law always wins when you are in the United States. Complying with US laws is also a perfectly valid defense if a European citizen or state ends up bringing action against you in a US court.

replies(1): >>35052978 #
20. wbl ◴[] No.35049766[source]
You're assuming that the US doesn't respond to political pressure and come up with an agreement with the EC to enable the flows. The wiretap act already goes beyond the fourth amendment in protection.
replies(1): >>35054008 #
21. ec109685 ◴[] No.35049953[source]
Assuming best practices are followed, AWS would have to crack into multiple systems to offer up data for EU residents from AWS machines in the EU. Is there any record of them being required to do so?
22. alex_sf ◴[] No.35050521[source]
Not exactly related to the OP, but: I think I speak for a large number of folks when I say that we don't care. The EU keeps passing all sorts of absurd laws that require dedicated auditors to comply with. It's just not going to happen. If they decide to actively enforce these things, they'll just isolate themselves from the rest of the world.
replies(1): >>35050681 #
23. cavisne ◴[] No.35050527{6}[source]
Companies have to guess what is PII and what is not, the EU have no idea (other than they know which companies they want to punish)
replies(1): >>35052578 #
24. ricardobeat ◴[] No.35050681{3}[source]
As an EEUU resident, we also don't care. We can survive without youtube and instagram and the whole surveillance industry. Some of the laws place a heavy burden on giant tech companies, but for good reason.
replies(5): >>35051709 #>>35052602 #>>35053162 #>>35053200 #>>35053827 #
25. alex_sf ◴[] No.35051709{4}[source]
They place a burden on everyone. A burden that's going to create a two-tier internet where service is immediately refused to EU citizens by every provider except the giant tech companies that can afford to comply.
replies(3): >>35054385 #>>35054868 #>>35055552 #
26. e12e ◴[] No.35052578{7}[source]
The GDPR is quite clear on defining PII, I don't understand why you would claim otherwise?
replies(1): >>35053935 #
27. strken ◴[] No.35052602{4}[source]
That's a nice theory, but it may not survive the next few decades of regulatory capture by the same type of company you believe it's intended to act against.
28. LunaSea ◴[] No.35052972{6}[source]
All of these will absolutely contain PII every time.
replies(1): >>35054798 #
29. LunaSea ◴[] No.35052978{6}[source]
European states simply sue in their own territory or in front of the European Union Court of Justice.
replies(1): >>35065472 #
30. o_m ◴[] No.35053056[source]
I got burned by this. I spent a lot of time researching and planning for this, only to discover there is no demand for solving this problem (yet?).
31. Kiro ◴[] No.35053162{4}[source]
You don't speak for me. I don't want to live without YouTube.
32. arlort ◴[] No.35053200{4}[source]
Where are you from that you use EEUU as an acronym?
33. speedgoose ◴[] No.35053496{5}[source]
I guess it works when you don't have any compliant competitor.
replies(3): >>35053815 #>>35053923 #>>35054095 #
34. LunaSea ◴[] No.35053815{6}[source]
That is exactly the problem at hand.

It's a combination of low to no enforcement, competitiveness-killing laws and unrealistic efforts for said companies to take on.

35. SZJX ◴[] No.35053827{4}[source]
Interesting that "EEUU" from my knowledge mostly refers to the US (Estados Unidos) in a Spanish context. The abbreviation for European Union would be UE (Unión Europea), right?
replies(1): >>35054093 #
36. fmajid ◴[] No.35053923{6}[source]
Hetzner or OVH would be compliant.
replies(1): >>35054236 #
37. fmajid ◴[] No.35053935{8}[source]
“It is difficult to get a man to understand something, when his salary depends on his not understanding it.” — Upton Sinclair
38. xorcist ◴[] No.35053938{3}[source]
Defense and government is a huge sector. You can live very well off it.

They are not going to skimp on the rules. A large part of banking won't, either.

39. fmajid ◴[] No.35054008{3}[source]
The problem is the European Commission is not applying political pressure because it rolls over for every fig leaf the US offers. It then takes Max Schrems to sue and several years before the CJEU overturns the "compromise".

That said, the Biden administration's latest proposal might pass muster if the proposed redress mechanism were truly independent as part of the Judicial Branch of the United States as opposed to the current proposal which is still part of the Executive and thus conflicted in ruling against surveillance decisions of the Executive Branch and its agencies:

https://www.whitehouse.gov/briefing-room/statements-releases...

https://noyb.eu/en/open-letter-future-eu-us-data-transfers

That said, even US citizens don't enjoy meaningful protection against warrantless wiretapping that clearly violates the Fourth Amendment due to the deference the judiciary has given to the executive, so I am not optimistic.

40. ricardobeat ◴[] No.35054093{5}[source]
Oops. Late-night brainfart, I'm a Portuguese speaker and got things a bit mixed up :)
41. di4na ◴[] No.35054095{6}[source]
Yep. The real question is how long until we get one.

Scaleway seems to go in the right direction but still a bit of work needed

42. LunaSea ◴[] No.35054236{7}[source]
They are however far from service parity with AWS, Azure and GCP.

I can't speak for Hetzner but OVH also has availability issues.

43. Timon3 ◴[] No.35054385{5}[source]
Why exactly is it seemingly so expensive not to sell your customer data?
replies(1): >>35057818 #
44. arnorhs ◴[] No.35054717{5}[source]
So there is nothing in EU laws preventing you from opting into using these services. What _is_ prohibited is having an EU-based product/service where your users are not aware that by using a service their data will be stored under US jurisdiction.

That is not the same as using US-based products

45. tpxl ◴[] No.35054798{7}[source]
Nice bit of FUD you got there.

You can use Google Search and be 100% compliant, because Google doesn't see any customer data. Google Chrome isn't even a service, I can't imagine how you'd manage to stick customer data in there.

And if you think there are no companies without AWS and Microsoft 360, you need to expand your horizon. I work for one such company, and so do many of my peers.

replies(2): >>35054944 #>>35055024 #
46. PeterisP ◴[] No.35054838[source]
I haven't put much thought in this, but is a Frankfurt data center provided by Amazon Web Services EMEA SARL (a Luxembourg-based company) considered a US cloud provider or a EU one? I mean, being wholly owned by a foreign owner doesn't generally change your jurisdiction, and employees of that wholly owned subsidiary (including its directors) are not required to obey USA laws or court orders but are required to comply with EU legislation.
replies(1): >>35057298 #
47. tpxl ◴[] No.35054868{5}[source]
> giant tech companies that can afford to comply

Where does this sentiment come from? Cost of compliance for Facebook is many orders of magnitude higher than cost of compliance for a website for your hairdresser or a restaurant.

In my startup, GDPR was barely a blip on our radar. We had to delete website logs and that's about that. You have to keep record of customers/payment information for laws that supersede GDPR, and that's it if you run a legitimate business not reliant on stealing.

replies(1): >>35057801 #
48. dividedbyzero ◴[] No.35054944{8}[source]
There are also lots of companies that use AWS etc. for everything but customer PII and keep that in some SAP system on-prem.
49. LunaSea ◴[] No.35055024{8}[source]
Google Chrome through telemetry and account history synchronisation which log PII in URLs and searches.

Google Search will see PII go by if your marketing team is researching leads on LinkedIn for example.

> And if you think there are no companies without AWS and Microsoft 360, you need to expand your horizon. I work for one such company, and so do many of my peers.

And that's great.

What is the services stack your company is implementing?

What kind of alternatives do you use for your email, browser, centralised data storage, etc. ?

replies(1): >>35067720 #
50. quicksilver03 ◴[] No.35055552{5}[source]
Close, the giant tech companies may or may not comply but they surely can afford the fines that the various EU Data Protection authorities dream into reality by twisting an ever-changing body of interpretation of ambiguously written rules.
51. KSteffensen ◴[] No.35057298{3}[source]
My understanding is that the distinction hinges on whether the data is available to a US based employee. Can the NSA show up at a US address and tell the people there to hand over the data? Can this data transfer happen without an EU based person taking some action? If the answer to both questions is yes, the data handling is not compliant.

Of course, IANAL, do your own research, etc.

52. alex_sf ◴[] No.35057801{6}[source]
This simply isn't true. Look at the absurdity of all the cookie banners just to support basic login functionality. I'm all for internet privacy, but these laws are so sweeping that it's impossible to be compliant without a dedicated function for it.
replies(1): >>35061829 #
53. alex_sf ◴[] No.35057818{6}[source]
That's not the issue. I don't want to see personal data sold either. It's all the little rules. There are hundreds of pages just in GDPR. You need a banner and explicit opt-in just to support login/logout functionality.
replies(1): >>35092951 #
54. lawik ◴[] No.35061829{7}[source]
No need for cookie banners for functionality like login. Ref: https://law.stackexchange.com/a/32157
55. mike_d ◴[] No.35065472{7}[source]
Yup. Which is basically a no-op. You need a court having jurisdiction over the defendant to have any relief. Even if you receive a financial judgement, international law does not put much weight in absentia cases.
replies(1): >>35065826 #
56. LunaSea ◴[] No.35065826{8}[source]
If you have customers in the EU then the court has jurisdiction.

If the company doesn't comply, fines will be directly taken from customer payments for example.

replies(1): >>35066464 #
57. mike_d ◴[] No.35066464{9}[source]
Again - regardless of whether a domestic court believes they have jurisdiction, any court case not brought in the venue of the defendant is effectively meaningless as you cannot be granted meaningful relief.

If the destination bank account is outside the EU, they can't touch it without cooperation from the defendant country's courts - which requires you to file in the defendant's venue. If an EU country unilaterally seized intra-bank remittance they would be cut off from the international banking system without hesitation.

You seem to really be grasping at straws here, but the EU is not some all powerful entity that can enforce its laws outside its jurisdiction.

replies(1): >>35070752 #
58. tpxl ◴[] No.35067720{9}[source]
I honestly can't tell if you're trolling or you said 'AWS' and 'Microsoft 360' and meant cloud and managed email.

> What kind of alternatives do you use for your email, browser, centralised data storage, etc. ?

There are plenty of browser alternatives (Firefox, Safari, Vivaldi, even Chromium).

There are dozens if not hundreds of email providers, and you can even provide your own.

You can 'centralize data storage' on disks on hardware you own, on premises or colocated. You could even use one of the dozens to hundreds of managed service and cloud providers.

replies(1): >>35070795 #
59. LunaSea ◴[] No.35070752{10}[source]
> Again - regardless of if a domestic court believes they have jurisdiction, any court case not brought in the venue of the defendant is effectively meaningless as you cannot be granted meaningful relief.

Of course you can, you simply reach for assets within the border of said member country or the EU. As I mentioned in my previous comment, you can for example get the funds from outgoing payments by customers of said company. You can also freeze accounts, prevent ownership or investments by any citizen of that country as well.

> If the destination bank account is outside the EU, they can't touch it without cooperation from the defendant countries courts - which requires you to file in the defendants venue. If an EU country unilaterally seized intra-bank remittance they would be cut off from the international banking system without hesitation.

There is nothing unilateral about a country seizing money as payment of a fine from a company. This is a standard tool that every country's IRS-equivalent agency has in its tool belt.

> You seem to really be grasping at straws here, but the EU is not some all powerful entity that can enforce its laws outside its jurisdiction.

I never said that EU is all powerful, however, if business is done within the EU, EU countries have the power to access any and all funds going to the US for companies that do not comply.

They can also decide to block said service as a punitive measure.

replies(1): >>35079415 #
60. LunaSea ◴[] No.35070795{10}[source]
> I honestly can't tell if you're trolling or you said 'AWS' and 'Microsoft 360' and meant cloud and managed email.

I meant both clouds and managed email / storages services.

> safari

Don't both Firefox and Safari have telemetry and various ping back services?

> There are dozens if not hundreds of email providers, and you can even provide your own.

> You can 'centralize data storage' on disks on hardware you own, on premises or colocated. You could even use one of the dozens to hundreds of managed service and cloud providers.

Sure you can, I'm just saying that it is rarely if ever done in medium to large companies.

61. mike_d ◴[] No.35079415{11}[source]
> Of course you can, you simply reach for assets within the border of said member country or the EU.

Which is exactly what I said. If the US company has an EU subsidiary you sue in that venue that can grant you relief. There are US tax implications of holding foreign assets, so the 1% of US companies with overseas interests create a foreign subsidiary, the other 99% have absolutely nothing within the reach of the EU.

> There is nothing unilateral about a country seizing money as payment of a fine from a company.

Funds in transit belong to the sender until they arrive in the destination account. The EU would be seizing the funds of an innocent third party (the customer), and the target company would just shrug and say "your payment didn't arrive send it again." The EU cannot seize a transaction in flight and also compel the target company to honor it against their books.

> if business is done within the EU, EU countries have the power to access any and all funds going to the US for companies that do not comply.

See above. Taking money from random EU customers I guess is something they could do, but I imagine their citizenry would be none too pleased about it.

Let me try to simplify it for you: the EU cannot take what is not in EU jurisdiction without the cooperation of the foreign court. If a company says they were complying with their domestic law which violated EU law, they would likely not receive the cooperation of domestic courts to grant relief.

replies(1): >>35085562 #
62. LunaSea ◴[] No.35085562{12}[source]
Let me make it simpler for you.

If say Google were to not follow the GDPR for example, even if they didn't have any European subsidiaries, the EU or a member country would simply make all Google customers pay their subscription fees to them instead of Google as payment for the fine. Customers would see no service disruption.

replies(1): >>35090661 #
63. mike_d ◴[] No.35090661{13}[source]
In your example Google would not receive the funds and credit the customers account. How would they differentiate an EU government stealing the money from a customer who just didn't pay and say they did?

Feel free to call up your credit card or power company and ask them what happens if you send them a payment but it gets seized by the government along the way. Their answer will be that you still owe them money.

In your example the EU customers would be out the money, not Google. With no EU nexus (in your hypothetical) they cannot compel Google to provide services they were not paid for.

replies(1): >>35093145 #
64. Timon3 ◴[] No.35092951{7}[source]
Can you explain why you believe this to be the case? Let's say you log the user in. Yes, you need consent to store a login cookie, but that doesn't mean you need "a banner and explicit opt-in". You only need explicit opt-in, which you can do by... putting a "remember me" box next to your login form[1]. Is that really so hard?

[1] https://law.stackexchange.com/a/32157

65. LunaSea ◴[] No.35093145{14}[source]
> How would they differentiate an EU government stealing the money from a customer who just didn't pay and say they did?

Because they would have been notified by a court beforehand and the fine would constitute an outstanding debt linked to a lost lawsuit.

Once that happens, the national collection agencies would take over and use the tools at their disposal, like collecting from customers directly, which is the equivalent of garnishing wages but for companies.

They would then receive regular updates about the remaining debt and what was already paid and by whom.

> Feel free to call up your credit card or power company and ask them what happens if you send them a payment but it gets seized by the government along the way. Their answer will be that you still owe them money.

If Google then refused service to the customers whose payments were redirected to that country's collection agencies, then additional punitive measures would be taken by the country.

Some of the punitive measures could be:

- growing interest on the outstanding debt

- blocking the service within the country or EU

- advertise that Google is delinquent and is refusing to pay its debt to financial institutions

- prevent banks and financial institutions from loaning money or investing in Google

- configure an embargo for imports and exports towards Google

- extradition requests for C-suite or adding them to Interpol and Europol wanted people list

- etc.

> In your example the EU customers would be out the money, not Google. With no EU nexus (in your hypothetical) they cannot compel Google to provide services they were not paid for.

They can't force Google to provide services but Google will also lose that market (for the EU that's 450M people) and increasing punitive measures.

Also, Google refusing to pay would probably discourage financial institutions anywhere from servicing Google in the future and other countries from authorising Google on their national market.