In Germany cloud services are being used by many companies, but the legality is actually dubious if personally identifiable information (PII) is processed (and which corporate documents don't fall into that category?)
The point is that PII receives special protection under German law, among which is that while you may task a third party with handling the data processing, you must keep track of its physical whereabouts, and it must not be transferred to countries that do not comply with European privacy standards related to PII. With cloud services you know neither where the data are stored nor do you have firm control over them, and that should be the end of the debate already. Of course, some companies don't care (and one day it'll blow up in their faces).
There is the bittersweet aspect of being a non-US nation. You don't enjoy the wealth that develops from hosting Big Web (Google, Amazon, etc.), but you also don't have legislatures that have been thoroughly compromised by said Bigs. I would luvvv for the US to pass some Euro-inspired privacy and DLP laws, but it will never happen. The guys who became billionaires collecting and selling PII can simply buy enough legislators to prevent any restriction on their racket.
I think some time back I read a short article or blurb where prevailing national legislation was used to create a market niche. IOW, host your datacenter here in X and your data must be protected to Y standard. I really like that; let's have nations compete in the global marketplace in terms of beneficial regulations as well as adverse ones.
Another rather obvious point is that anything transmitted over public IT infrastructure can (and probably will be) intercepted. IT security depends on nobody in the entire chain fucking up, and how likely is that? Add to the mix certain interest groups that have every incentive and interest not to play by the rules, who have the financial and technical means, and whose understanding of their job description is to snoop around without any restrictions whatsoever; parties who are known to have subverted the academic world (as far as cryptography is concerned) as well as parts of the IT world.
Yeah, if we treat a packet like we treat a piece of physical evidence from a crime scene, then the chain-of-custody thing looks absurdly complicated. It's bad enough in-house, with the number of people who could sniff and store packets. Throw in your Tier III ISP, their Tier I ISP, and the whole staff of a cloud provider, and all bets are off.
Technical aspects are only one thing. Security is a mindset of everybody involved. You need motivated and alert people who will recognize attempts from outsiders to breach security as such; they need to report it, and management needs to act on such reports. If simple, automated signal intercepts don't work, they will try social engineering to figure out passwords to hack into your databases. So it is not only a question of how secure the transport between end user and cloud server is, or how secure the cloud storage is, but also whether Joe Schmoe is willing to help that "new intern" calling who needs the "misplaced" password of Mr. Bigwig, for whom he is supposed to "create that PowerPoint presentation by tomorrow morning", or else he's fucked. Mr. Peacounter from the purchasing department must realize that the special offer on routers that is too good to be true IS too good to be true, and that the big savings he might make will actually cost the company a fortune if he buys those discount hardware backdoors. Very soon people will complain about an atmosphere of paranoia in the company, and they are right: you HAVE to be paranoid when it comes to (IT) security if you take your job seriously, and that's an aspect that the nerds usually overlook. You can't get security without a paranoid mindset, and while the paranoia might make things more secure, it's usually detrimental to the quality of work and/or to the work atmosphere/corporate culture.
Yeah, the humans are always the weak spot in the defenses. Riffing on TTK's sermon above, my gut feeling is that everyone is lurching madly towards the Next Big Thing with a lot of rationalizations and proof-by-assertion w.r.t. security, rather than careful analysis.