
From here: https://docs.hetzner.com/general/general-terms-and-condition...

Conclusion:

In summary, you as a customer do have influence - to a certain extent - on shaping who has access to the data on your servers. EU and US authorities do have to follow the laws and legal procedures in requesting data. However, this may give you a false sense of security since some authorities have been known to stretch or violate agreements. If you require a web hosting company that has absolutely no connections to the USA, then unfortunately, we may no longer be the best choice for you. Since Hetzner US LLC is part of the Hetzner Group, there certainly is a connection. We hope that we have explained things clearly from our point of view using the two above case studies.



Ok, but: "US authorities do not have direct access to your server or its content in the EU. US authorities have to comply with the regulations of the EU legislation.".

So, because Hetzner is not owned by a US company, stuff like the CLOUD act doesn't apply to them. So, if you have a contract with the German entity of Hetzner and use a German server, you should be fine in terms of GDPR.


I think it depends on how you read the Schrems II ruling and how you read Hetzner's words.

Any of the big cloud providers can claim that they comply with EU legislation, but they also have to comply with US legislation, and if a 3-letter agency wants to have some data from one of their subsidiaries in the EU, then they can/will decide which contract to breach.

I read Hetzner's statements as being that they can no longer guarantee that they will not be forced to do the same - but that can be my reading of their statement that is wrong.

If I already had them as hosting-partner for a solution that fell under Schrems II, I would have them confirm this, to be sure.


But what does "direct" mean here? Indirect could still be ordering them to give US authorities data and to keep silent about being ordered. Maybe (hopefully) that would be against EU regulations?


Lots of EU countries have their intelligence agencies doing close cooperation with Five Eyes (NSA and equivalent agencies of the smaller countries) and are willing to turn a blind eye or actively collude in compromising the security of IT infra in the EU. Or, going further, an oft-reported pattern is that when they want to spy on their own citizens but are forbidden by law, they ask the foreign allies to do the dirty work of spying on their soil and pass back the intelligence.


OK, be that as it may, in IT stuff, the question often becomes "Who is responsible?". If a state or its institutions violate the law, at least no one can blame you for GDPR violations, which you did not commit.


Exactly this, and I think this is granted with Hetzner.


The GDPR largely came about as a response to the Snowden revelations of pervasive surveillance of netizens globally, and it says you need to protect PI from non-EU state actors. So you're possibly right as far as EU state adversaries go, but for defending against foreign state actors it's different.


The way I read that is:

Hetzner Europe is owned by Hetzner Group, a German company. Hetzner US is also owned by that German company. Hetzner Europe isn't owned by a US company, it's just a sibling to one.


The content of that link sounds fine in terms of GDPR if one only uses the EU servers. Am I missing something?


I read it differently, especially in light of Schrems II. EU-datacenters from any of the big US-based providers does not automatically make you comply either.


As I read it the issue is that the American HQ can order their European subsidiary to provide the data.

Hetzner US does not have a European subsidiary and therefore cannot violate GDPR (assuming US personnel can't access EU customer data).

Hetzner HQ is in Germany and is not allowed to enforce the CLOUD Act outside the US.


That could also be correct.

But if I was under legal/contractual obligations, with Hetzner as my hosting provider, I would have their legal department confirm this.

Since Hetzner found the need for appending the paragraph I referenced, they must have become aware of something.


True.

Now that they are entangled with US law there might be an incentive to be as cooperative as possible.

Yet, Hetzner is still a "better" option (with regards to data protection) than any of the big US-based cloud providers.


Not sure I follow, in what way are they better?

Imho, as soon as you do business with the US or trade in US Dollars, you need to play nice with the relevant authorities.

If I understood it correctly, Hetzner is now "infected" in the same way as the three US cloud providers are. The Schrems II verdict and the CLOUD Act basically conclude that no European company can exist in the US and vice versa without having to deal with the same pesky legislation.

An alternative could of course be that Hetzner created a new US based company where the EU parent Hetzner company only holds a minority ownership in the new US-based company. The EU based parent company in turn then "sells" its technology to the new US company. This way, the arrangement becomes more reminiscent of how IBM has sold its mainframe to European companies...


Why would it matter at all if it's a minority or majority stake in the ownership of the US subsidiary? As far as I understood it the combination of GDPR and CLOUD act only disallows the combination of US mother-company with EU subsidiary, but the inverse should be fine, since the US has no legal influence over the parent company?


The US-based cloud providers also have European subsidiaries. But that doesn't help because they are bound by US law. That is the root of the problem.

What makes you think that a European company operating within US jurisdiction would not be subject to the same laws?

If the European company receives a request from the US authorities for information, they need to follow the same legislation as the US companies do. Just because it's a subsidiary won't help. The authority will say "we want to know everything you know about the following person, please give us the information, otherwise...". The authority will not distinguish whether it is a subsidiary or the parent company.

Of course you have the choice to just ignore the request from US authorities, but then you have to be aware of the consequences, i.e. quickly give up and shut down the subsidiary and stop trading in US dollars.

This is the root of the problem. The CLOUD Act has been ruled illegal in the EU just as you said, but it is also illegal not to comply with the CLOUD Act in the US. And companies operating on both continents in practice need to comply with both laws, regardless of whether it is a parent company or a subsidiary.

At least that's how I interpret it...


Are there any cases of the US nationalizing/seizing companies outside of sanction/war-related acts? That would probably be the only consequence the government can directly levy against the European company (the indirect ones they can also apply to pure European companies, so they don't really matter for this discussion).

But it really depends on how infectious just owning a company is, which I have no idea about. But my gut feeling is that it shouldn't be too infectious, since otherwise just buying a single share of a company operating in another country would put you into legal peril (who controls the subsidiary here is not really relevant, since the CLOUD Act wants to swim in the opposite direction in your scenario, therefore it shouldn't matter if it's 0.01% or 100%).



