A lot of services that are supposedly running in the EU are currently having significant issues due to AWS US-EAST-1 being impacted. But surely this is just some dependencies that are down and all our data is really stored in the EU. Right?

https://health.aws.amazon.com/health/status

On paper, there currently is the "Transatlantic Data Privacy Framework" in place. However, the functionality of the Data Protection Review Court (DPRC) in the USA is in question: "Trump then fired the Democrats in the PCLOB, leaving the five-person board with only one Republican, short of the three needed for it to formally make decisions." (*)

So, in effect, even if you were to appeal to this board, there would be no (just) recourse. In practice, there is no EU-US Data Privacy Framework in place. No one seems to care about this fact.
https://www.euractiv.com/news/deafening-commission-silence-with-no-credible-eu-us-data-oversight-left/

EDIT: *) The PCLOB is not the same as the DPRC, so supposedly the DPRC should still be functional. However, removal of any dissenting voices is worrisome to say the least. Far more detailed information on how these entities interact can be found at: https://cdt.org/insights/what-the-pclob-firings-mean-for-the-eu-us-data-privacy-framework/

#privacy #GDPR

@harrysintonen and this news is from March - no change since then that I can find :(

@ketumbra The silence is deafening, indeed. There have been attempts to raise this issue but there seems to be reluctance to tackle the issue.

https://www.europarl.europa.eu/doceo/document/E-10-2025-000540_EN.html

https://www.europarl.europa.eu/doceo/document/P-10-2025-000941_EN.html

Parliamentary question | Consequences of the Trump administration for data protection and privacy | E-000540/2025 | European Parliament

Question for written answer E-000540/2025 to the Commission Rule 144 Raquel García Hermida-Van Der Walle (Renew)

@harrysintonen You'd think MS, Amazon etc.'s compliance teams would themselves be lobbying for this to not scare off EU customers.
Alas, I guess until the money stops coming in, they will never care.
Sovereign clouds are the way to go: https://mastodon.world/@nlnews/115406210111661258
https://infosec.exchange/@ketumbra/114563899446637131

@ketumbra

EU courts are naive to the level of absurd. Here's a recent decision "Data Protection: the General Court dismisses an action for annulment of the new framework for the transfer of personal data between the European Union and the United States": https://curia.europa.eu/jcms/upload/docs/application/pdf/2025-09/cp250106en.pdf

This bit in specific is quite hilarious:

"As regards, in the first place, the DPRC, the General Court states inter alia that it is apparent from the file that the appointment of judges to the DPRC and the DPRC’s functioning are accompanied by several safeguards and conditions to ensure the independence of its members. Moreover, judges of the DPRC may be dismissed only by the Attorney General and only for cause, and the Attorney General and intelligence agencies may not hinder or improperly influence their work."

Aged like sour milk, that.

@harrysintonen The script that copies data to the US zone is hosted on EU servers.

But I'm also in disbelief (I should have known better) how much stuff dangles from one company's tit. Throw Cloudflare into the mix and you have two choke points that, if down, bring most of the web with them.

@harrysintonen Thank you, this piece of software of yours does not depend on AWS. ;)
@harrysintonen When I was still doing the eBGP daily configuration software for German Telekom, it would have been easy to verify this with a small deny filter.🧐

@harrysintonen

If those businesses and organisations are following EU Laws and Directives they had better be storing customer and other business data in the EU 🤔

@harrysintonen

Narrator:

their data was not, in fact, stored in the EU.

@harrysintonen Even if it's just a dependency. Availability is also an important pillar of data security. Unfortunately we often talk only about confidentiality when discussing digital sovereignty and the issues regarding foreign hyperscalers.
@harrysintonen that's honestly my first thought as well. How can you tell me my data is handled 100% on European servers when nothing's working when US-EAST-1 has a hiccup?
But our justice systems are already so far down the road of US buttfuckery that I don't expect anything but a stern look from our regulators...

@harrysintonen I don't have details over this particular incident, but many of the core "global" AWS services like IAM live in us-east-1. When that region is down, other regional services will almost surely be impacted. Which means that your data, even if it's not stored in us-east-1, might not be accessible during an outage of that region. I think this is the most likely explanation based on my experience.

(Source: ex-AWS software engineer.)
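The reply above explains why an "EU-only" deployment can still fall over with us-east-1, and an earlier reply mentions verifying data flows with a small deny filter. One concrete way to check the claim yourself is to classify the destinations your EU workload actually talks to against AWS's published IP ranges. The following is an added example, not code from the original thread or from any poster: it parses a constructed excerpt in the shape of AWS's ip-ranges.json (the prefixes are made-up RFC 1918 space so it runs offline; the real file is at https://ip-ranges.amazonaws.com/ip-ranges.json) and aggregates constructed VPC Flow Log records by region and service, flagging anything outside eu-* regions. The flow-log field order is the default version 2 format; everything else (addresses, byte counts, the `EU_REGION_PREFIX` rule) is an assumption for illustration.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed excerpt in the shape of AWS's published ip-ranges.json
# (https://ip-ranges.amazonaws.com/ip-ranges.json). The prefixes are made up
# (RFC 1918 space) so this runs offline; use the live file for a real audit.
IP_RANGES_JSON = json.dumps({
    "syncToken": "0",
    "createDate": "2025-10-20-00-00-00",
    "prefixes": [
        {"ip_prefix": "10.1.0.0/16", "region": "eu-north-1", "service": "AMAZON"},
        {"ip_prefix": "10.1.32.0/20", "region": "eu-north-1", "service": "S3"},
        {"ip_prefix": "10.3.0.0/16", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "10.3.8.0/21", "region": "us-east-1", "service": "DYNAMODB"},
        {"ip_prefix": "10.7.0.0/16", "region": "GLOBAL", "service": "ROUTE53"},
    ],
})

# Constructed VPC Flow Log records in the default (version 2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status. The source is an "EU-only" host.
FLOW_LOG_LINES = """\
2 123456789012 eni-0a1b2c3d 10.200.0.5 10.1.32.17 51234 443 6 120 98000 1760900000 1760900060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.200.0.5 10.3.8.20 51235 443 6 40 16000 1760900000 1760900060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.200.0.5 10.3.200.9 51236 443 6 10 4100 1760900000 1760900060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.200.0.5 10.7.1.1 51237 53 17 4 600 1760900000 1760900060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.200.0.5 192.0.2.44 51238 443 6 8 3200 1760900000 1760900060 ACCEPT OK
"""

# Assumed residency rule: anything not in an eu-* region is reported.
EU_REGION_PREFIX = "eu-"


def load_prefixes(ip_ranges_json):
    """Parse ip-ranges.json into (network, region, service) tuples."""
    data = json.loads(ip_ranges_json)
    return [(ipaddress.ip_network(p["ip_prefix"]), p["region"], p["service"])
            for p in data["prefixes"]]


def classify(dst_ip, prefixes):
    """Map a destination IP to (region, service).

    AWS publishes an umbrella "AMAZON" entry per region plus narrower
    per-service entries that overlap it, so take the longest matching prefix
    and, on a tie, prefer the named service over the generic umbrella.
    Addresses in no published range are reported as non-AWS.
    """
    ip = ipaddress.ip_address(dst_ip)
    matches = [(net, region, svc) for net, region, svc in prefixes if ip in net]
    if not matches:
        return ("non-AWS", None)
    _, region, svc = max(matches, key=lambda m: (m[0].prefixlen, m[2] != "AMAZON"))
    return (region, svc)


def summarize(flow_log, prefixes):
    """Aggregate bytes per (region, service) from VPC flow log records."""
    totals = defaultdict(int)
    for line in flow_log.splitlines():
        fields = line.split()
        if len(fields) < 14 or fields[0] != "2":
            continue  # skip anything that is not a default-format v2 record
        dst, nbytes = fields[4], int(fields[9])
        totals[classify(dst, prefixes)] += nbytes
    return dict(totals)


def non_eu_destinations(summary):
    """Return the (region, service) keys outside EU regions, in a stable order."""
    return sorted((k for k in summary if not k[0].startswith(EU_REGION_PREFIX)),
                  key=lambda k: (k[0], k[1] or ""))


if __name__ == "__main__":
    prefixes = load_prefixes(IP_RANGES_JSON)
    summary = summarize(FLOW_LOG_LINES, prefixes)
    for (region, svc), nbytes in sorted(summary.items(), key=lambda kv: str(kv[0])):
        print(f"{region:12} {svc or '-':10} {nbytes:>8} bytes")
    print("outside EU:", non_eu_destinations(summary))
```

Two caveats when running this against real logs: it shows where traffic goes, not where data is stored, so a us-east-1 hit may be a control-plane dependency of the kind the reply describes rather than a replica of your data; and traffic that AWS-managed services generate on your behalf (cross-region replication, for example) never appears in your own flow logs at all.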

@andxor Indeed in many (if not most) situations the reason for outages was just some dependent service being unavailable. There's of course need for further discussion whether it's smart to put 1/3 of all your eggs in a single basket in the first place.

@harrysintonen indeed. Also, in relation to data sovereignty: a lot of people focus on where the data is *stored*, but not on where access to the data is *controlled*.

If the US goes rogue and becomes an enemy of the EU, you can cut the overseas network cable between the datacenters, but good luck with recovering all that data encrypted at rest!

@andxor @harrysintonen

I mean, presumably any half-competent company would have an on-site server whose sole function is to download data from the cloud for local storage.

You can get something like 500TB of storage on a rack for $50,000, which is almost nothing for any reasonably large company.

@rastilin @harrysintonen and do you think companies actually do that? They actually keep periodic, up-to-date copies of their backup? They actually do disaster recovery drills to ensure that the data in those backups is actually complete and stored correctly?

Or do you think they'll do the minimum necessary to be compliant to laws?

@harrysintonen I started thinking about the same thing earlier today: why isn't anything working on the EU servers if there’s some DNS issue in the United States?

@harrysintonen I always wondered how they would check if it's actually stored and processed in the EU 😬

@harrysintonen people actually trust what companies write in their contracts and what their PR department tells 'em?

We're so fucked.