1. The 2018 CLOUD Act mandates US companies — and their subsidiaries — to provide information to the US government on demand, regardless of where the data is stored
2. FISA secret courts prevent companies from even saying they were summoned, or telling anyone who or what the case was about (including canaries).
So you won't ever know if your data was handed over to the US government.
The purpose of the CLOUD Act was to get at data that was stored outside the US but that was "in the custody, control, or possession of communications-service providers that are subject to the jurisdiction of the United States".
It arose from a situation where an email provider in the US used cloud storage services in several countries to store emails. They were asked for the email of a particular customer and said they did not have to provide it because they had happened to store that customer's mail at a non-US cloud provider.
What the CLOUD Act requires is that:
> A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider's possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.
A company incorporated in the EU, even if it is owned by an entity in the US, is not subject to US jurisdiction and so that does not apply. The US owner is subject to US jurisdiction but the data of EU customers of the EU company is not in the US owner's possession, custody, or control.
No? Certainly sounds like it is in the US owner's control to me.
But even disregarding that fact. Given that the US government also started hiding what it was doing with FISA courts and forbidding that anyone, including the companies themselves, checks what actually happens ... do you think anyone will believe this? We HAD evidence of US companies refusing to hand over data before CLOUD and FISA, we do not see that anymore. (And that's before we start taking into account some more recent administration's respect for ...)
Of course this is also pretty hypocritical since EU countries have been caught more than once capturing communications of non-citizens. The problem that usually gets mentioned: the Boeing - Airbus fight wasn't a one-sided US being untrustworthy to help Boeing.
Incorrect, this is EXACTLY the scenario that the Cloud Act was introduced to handle.
What happened is in 2013 Microsoft Ireland refused an FBI warrant for information held on EU servers, under the control of MS Ireland.
Microsoft USA refused the warrant on the jurisdiction grounds you mentioned above.
So the Cloud Act was passed: US law for access to digital information applies to any subsidiary anywhere on earth.
Sorry.
But assuming the owner is a US company abiding by US laws, it's safe to assume that data would be transferred to the US one way or another.
Also consider that all communication between the European subsidiaries and the HQ is fair game under FISA.