When whistleblower Edward Snowden shocked the world in 2013 by revealing that the NSA was allegedly siphoning data from U.S. internet companies, pundits proclaimed that winter was coming for American cloud vendors in Europe. Evidence now suggests those fears may have been overblown.
IDC said this month that U.S. cloud vendors have increased their combined cloud infrastructure revenue two-and-a-half-times in Western Europe, topping $2 billion since the Snowden Effect was supposed to freeze the market. Amazon Web Services (AWS), Microsoft, Alphabet’s Google and IBM increased their market share by a third in the region, hitting 40 percent in 2015.
AWS's cloud picture is rosy, even in Europe
AWS, with its $11 billion revenue run rate in 2016 and market dominance, has steadily increased its geographic footprint, operating data centers in 13 regions, with 35 availability zones. "We'll continue to roll out more regions, giving you local access and local access to your customers as well," Werner Vogels, CTO at AWS, said during his keynote at AWS' customer event in New York City last month.
Speaking to CIO.com on the sidelines of the customer event, Vogels said that prior to Snowden, AWS struggled to motivate its European customers to encrypt their data. “Now that has Snowden has happened, that conversation is a lot easier with our customers.”
Vogels says European companies, which can choose to consume AWS services exclusively in its data centers in Germany or Ireland, have also acquired a greater awareness over who has control over their data and are more careful about compliance processes.
But many of the 190 countries in which AWS operates request data protection guarantees, often based on their localization laws. This means AWS must cater to some very specific requirements.
For example, AWS won energy giant Enel’s business by promising that the company’s data would be housed in a German facility. AWS also gained the trust of the Indonesia government, which decreed that it would allow its companies to operate in Singapore provided that they keep a copy of any personally identifiable information (PII) inside Indonesia. To address this requirement, AWS partnered with NetApp to give Indonesian companies a physical appliance on which to store PII in Indonesia. “You work with your regulator [within each country] and you find solutions that are practical for customers,” Vogels says.
“Just the fact that we have these discussions tells me… that you can’t just run it all from U.S. soil,” says Gartner analyst Carsten Casper, who is based in Germany and regularly advises U.S. cloud providers about their go-to-market strategies in Europe.
Casper says common questions from clients include whether vendors must establish a new subsidiary or build a data center to meet data residency and sovereignty requirements. He pointed to the deliberate expansion of data center facilities by AWS, Microsoft and Google in recent years.
But even that sometimes isn’t enough. In one scenario, which Casper calls the most extreme of its kind, Microsoft owns a data center in Germany that is actually operated by Deutsche Telecom. “Providers must adapt,” he says. “Because of Snowden, Safe Harbor and so forth they have to adapt to the market somehow.”
U.S. cloud companies should be killing it in Europe
IDC’s data suggest U.S. cloud vendors have finally gained a solid footing in Europe. But the reality is that vendors could be performing much better in Europe if it weren’t for collective distrust of U.S. technology firms, which dates back as far as the U.S. Patriot Act in 2001, says Casper.
These concerns have persisted through Snowden's revelations, the defunct Safe Harbor Framework and its replacement, Privacy Shield, which governs the processing of personal information of EU citizens on servers in the U.S.
More than 200 companies, including Microsoft and Salesforce.com have been certified under Privacy Shield. AWS is still in the certification process, though it is more of a formality. AWS customers have full control of the movement of their data and have always had the choice of the region in which their data is kept, wrote AWS CISO Stephen Schmidt in a blog post last month.
Vogels says AWS provides customers data protection agreements via contract clauses that have been vetted by the European Commission's Article 29 Data Protection Working Party.
Casper says that the privacy concerns and associated EU regulations have perennially dampened market forecasts for U.S. technology vendors in Europe.
"Without any of these factors [Patriot Act, Snowden, Privacy Shield], the cloud would have taken off stronger in Europe than it actually did," Casper says. "It is an ongoing discussion: How much power do U.S. cloud providers have over European content?"