back to article Supreme Court to rule on whether US has right to data stored overseas

The US Supreme Court has agreed to hear a dispute over whether Microsoft should release personal emails stored in Ireland to America's federal government. In 2014, the US Department of Justice took Microsoft to court because the software giant refused to give up emails stored on its data centres in Ireland, which would …

Silver badge

Re: If it's in Ireland ...

"The fact is that Microsoft U.S. could tell its Irish office to send over the data, and the Irish office could hardly refuse to obey an instruction from head office. "

They can if it's illegal under irish law.

Head office might rail about it, but if they sack the refusniks they'll not only be in trouble for attempted illegal activities, they'll also be in deeper trouble for unjustified dismissal.

4
0

Re: If it's in Ireland ...

"The fact is that Microsoft U.S. could tell its Irish office to send over the data, and the Irish office could hardly refuse to obey an instruction from head office."

If the US parent company instructs its offshore subsidiary to break local law, wouldn't the local management threaten to resign, sue for constructive dismissal and inform the local authorities? It would then be difficult for the parent company to find new management, when their first task would be to break the law while the local authorities were watching.

1
0
Anonymous Coward

Re: If it's in Ireland ...

"could tell its Irish office"

Its not just an Irish office, for tax reasons Microsoft Ireland is a completely separate company registered in Ireland and governed by Irish Law. Its sole shareholder is MS US.

Its a small distinction, but an important one.

0
0
Silver badge

Re: If it's in Ireland ...

"On the contrary, local employees would be expected to refuse a request if it in anyway risked contravention of local laws. It's illegal to ask an employee to break the law. And there would be little Microsoft US could do about it unless they want to break EU employment laws and pay out compensation. And still not get the data."

This actually follows on nicley from a comment I just posted about MS ie being a seperate legal entity.. it has its own directors who are legally responsible for ensuring that MS IE does not contravene any laws... If they just handed the data over without a valid warrant the Management of MS IE could be looking (at best) at a hefty fine or (at worst) prison time.

1
0
Silver badge

Re: If it's in Ireland ...

"It's about data held by an American company (where ever)."

Lets simplify this. I (a UK/EU citizen) dump some dodgy data on a portable hard disk and drive from Manchester to somewhere in France and put that disk in a safe.

So that's data which the UK police want held by me (a UK/EU citizen) in France...

Can the UK police retrieve that drive without a french warrant?

No, they cant, not legally anyway.

0
0
Silver badge

Interesting tussle coming up ...

between the supreme court of the USA and the Irish courts.

IMHO it is all in Ireland, so it is up to their courts.

9
1
Silver badge

Re: Interesting tussle coming up ...

The US has a long (and proud?) tradition of extra-territoriality, which is what this is really about. As noted above, if the Supreme Court rules in favour of the government then sanctions can be applied to any company that trades in the US.

Trying to enforce this could, however, really foul up lots of trade agreements. The US could offer reciprocity but has a tradition of not doing this because legally foreign governments are, well, foreign powers. Expect companies to look at implementing additional technical mechanisms that will give them plausible deniability when served with orders. If things get difficult enough the DoJ might even get round to requesting a warrant in the other country. It's not as if this would be technically difficult as the procedures are already in place for this.

13
0
Silver badge

Re: Interesting tussle coming up ...

"If things get difficult enough the DoJ might even get round to requesting a warrant in the other country. It's not as if this would be technically difficult as the procedures are already in place for this."

And they should be asked to explain why they didn't do so in the first place.

5
0
Anonymous Coward

Re: Interesting tussle coming up ...

"Because they would say no."?

2
0
Silver badge
Childcatcher

Re: Interesting tussle coming up ...

The US has a long (and proud?) tradition of extra-territoriality...

As opposed to the British, who have absolutely no history* of such behaviour.

* Because they opted to go the other route, viz. simply declaring any plot of earth which caught their fancy as part of their empire**.

** In spite of*** any objection from the poor people who happened to be living there.

***And often, to pour salt in the wound, ostensibly for the benefit**** of said people.

**** The benefit being, of course, to teach them Proper English Manners*****.

***** Up to, but not including, of course, the manners found in *.

4
3
Silver badge

Re: Interesting tussle coming up ...

Which is, rather interestingly, exactly why the national language in the general area of the USA isn't Choctaw, or Navajo, or...

5
0
Anonymous Coward

Of course, the DoJ will win

The trumpster will throw a hissy fit if they don't.

After all,

- Americans rule the world (Doh!)

- Make America Great and them means that everyone else has to roll over and give them what they want

- And there is already a law that proclaims that US Law applies everwhere on the planet.

10
2
Silver badge

Re: Of course, the DoJ will win

The trumpster will throw a hissy fit if they don't.

Irrelevant. The DOJ is under Trump's control, but the SCUSA is actually supposed to serve as a check and balance on his power. In other words, it's their job to tell him when he's overstepping his boundaries, and no amount of hissy fit he throws can affect them (in theory, of course).

- Americans rule the world (Doh!)

No we don't, despite how much the extreme right might wish it so.

Make America Great and them means that everyone else has to roll over and give them what they want

Judging by his actions in office so far I think "Make America Great" in Trumpese translates to "Make Donald Trump richer and more powerful" in English.

And there is already a law that proclaims that US Law applies everwhere on the planet.

So far as I know that law's never been challenged in SCUSA, and given that I'm pretty sure it violates international law I wouldn't expect it to hold up to scrutiny.

7
0
Anonymous Coward

Re: Of course, the DoJ will win

Its SCOTUS not SCUSA

3
0
Silver badge

Re: Of course, the DoJ will win

"Its SCOTUS not SCUSA"

The DoJ are looking for a good exSCUSA to trample all over Irish sovereignty.

5
0
Silver badge

Re: Of course, the DoJ will win

This case preexists Trump becoming President. I think it started in the Obama administration. As I understand the Slurp case, Slurp has overseas operating companies set up for issues like EU privacy requirements. The Irish data center is run by Irish company that is ultimately owned Slurp. The key is that Irish company is legally an independent company governed by Irish/EU laws. Thus serving warrant on Slurp US is idiotic as the warrant has to come from an Irish/EU court with territorial jurisdiction over the operating company. Proper procedure is ask the local courts to issue a warrant based as there are treaties in place for just this purpose. But given feral privacy law and EU/Irish privacy laws are very different that amount of information an EU/Irish court will allow to be turned over is less than what a feral court will allow.

If a case reaches the Nine Seniles, it has been kicking around the feral courts for a number of years. This is one Trump inherited.

2
3

Re: Of course, the DoJ will win

If the case originated with Obama's administration, can't we be almost 100% sure that Trump will be against it?

0
0
Anonymous Coward

Re: Of course, the DoJ will win

This is one Trump inherited.

True, but the change to the legal system wrought by the Trump administration have changed the paying field considerably. As I said before, when it started I would have though MS would win this, or it would get settled out of sight because neither side winning does the US overall any favour.

In the light of the games that Trump is getting away with I am no longer certain. There is no sign that Congress or House are even *thinking* about holding Trump to a normal rule of law standard. With those checks failing, all bets are off. You might as well roll the dice instead.

0
0
Silver badge

Re: Of course, the DoJ will win

@a_yank_lurker

I stopped reading when you said "Slurp", I don't care if the rest of your comment was pure gold, calling them "slurp" is immature and about as funny as having genital warts.

0
0
Anonymous Coward

Re: Of course, the DoJ will win

What, you stop reading because of an accurate one-word summary of what Windows 10 is, a term heard in quite a few places that have to deal with this foul mix of uncontrolled backdoor intelligence gathering and zero day exposures?

Tsk tsk tsk, what is the world coming to?

And yes, I'm pulling your leg. Have a beer. Relax. If it wasn't sh*t you'd be out of a job.

0
0
Silver badge

Re: Of course, the DoJ will win

> Judging by his actions in office so far I think "Make America Great" in Trumpese translates to "Make Donald Trump richer and more powerful" in English.

and "Making America Grate" for the rest of the world.

0
0
Silver badge

Wouldn’t it be great if there were some significant European email provider for people to switch to instead of US gmail, hotmail, outlook, yahoo, icloud etc. I think the closest we get is gmx.de.

(Hilariously, my iPad autocorrected gmx.de to gmail.com!)

5
0

GMX, really?

FYI, they give fulltime, direct read access to everything you give them to the BND. It's even in their TOS, somwhere between pages 4000 and 5000 (in 3pt comic sans)

3
0

Try ProtonMail

Based in Switzerland.

Don't get much mail storage for a free account compared to the "You are the Product"..ahem..free email systems, but for a few bob per day you can get some serious storage, with ProtonVPN thrown in for the top level account.

1
0
Anonymous Coward

Re: Try ProtonMail

Everyone in Europe should really just own a domain and have their own email.

There are plenty of European domain providers who'll give you plenty of storage and easy email setup for hardly any money at all.

Use the domain for emails for the whole family and a shared hosting for images.

3
0
Anonymous Coward

Re: Try ProtonMail

Re: Try ProtonMail

Tried it, terminated that fairly quickly. It's too complicated for normal use, nor can you have data picked up automatically. It's definitely geek compatible, but not very useable for your average end user.

There is nothing wrong with good old IMAP/SMTP/carddav/caldav (well, other than for Microsoft Outlook, which only supports IMAP/SMTP because they really would like you to blow money on Exchange), and you can get that from quite a few providers.

I guess what you're asking is FREE services, and that does indeed get more difficult. What you were offered as "free" was just a big lie, you just didn't pay with money but with personal details of yourself as well as of your friends. That's harder to do in Europe, exactly because prevailing privacy laws.

0
0
Silver badge

Tutanota

Tutanota is another European email provider.

2
0
Silver badge
Facepalm

Technical Ben to rule...

if he owns the sweets in other peoples pockets...

Fat lot of good that will do?

0
0
Silver badge

Personally, I would think this is an open and shut case. I would think it rather obvious that the government of one nation cannot require a company to violate laws in another nation regarding servers in that nation

5
0
Anonymous Coward

I think it's pretty clear which way this is going to go.

The endpoint is in America, i.e. Microsoft or the User whose data they are trying to get are in America. Sure, the data is in Ireland but it originated in America and was moved by an American company off-shore so they can order that company to bring it back through a warrant.

Do I agree with this? No, but I don't see it going any other way.

0
1

How far should an American warrant go?

As far as US borders. Land marked borders.

Pretty simple really. However being a simple minded, KISS kind of person, I am probably not over analysing the situation and extending said borders into places where the US has a financial or military interest. Regardless of their judiciary (zero imho) in those areas outside of said borders

3
0
Anonymous Coward

The DoJ has every right to rule on how American companies behave - and punish them if they don't comply. This has nothing to do with the Irish state.

0
14
Anonymous Coward

"This has nothing to do with the Irish state"

On the contrary the data is in the EU, and therefore EU data protection laws apply. The sanctions coming under the GDPR regulations make any potential US fine look like peanuts...

13
0
Silver badge

The DOJ has every right to rule on how American companies behave, subject to the courts. This case is about which courts are applicable.

Forget about "data" for a moment, let's talk about something physical. Consider, e.g., ExxonMobil's operations in, say, Australia. Those are governed firmly by Australian law: no US court can order the company to drill here or move something there, in violation of Australian law.

This remains true even if all the actual humans involved are American, and all the equipment was manufactured in America and transported on American ships (none of which conditions are likely to be true, but it makes no difference).

9
0
Silver badge

"The DoJ has every right to rule on how American companies behave - and punish them if they don't comply."

This is wrong on so many levels, starting with the fact that the DoJ has no right to rule on how American companies behave. It's the courts that have that right. They have no right to punish anyone. It's the courts that have that right.

Then we continue with the situation that the data is actually held by an Irish company. A Microsoft subsidiary it's true but still an Irish company operating on Irish soil under Irish law. A US court could order the Irish parent to order the Irish subsidiary to take certain actions. The Irish subsidiary has the right to take legal advice to determine whether it can legally obey that order.

Perhaps you were missing school on the day your civics class explained due process of law.

I do feel somewhat sorry for Microsoft being in this situation (not a very frequent feeling towards them on my part) but they do seem to be trying to do the right thing in this case.

9
0
Silver badge

"Perhaps you were missing school on the day your civics class explained due process of law."

But what happens when two sovereign due processes clash? If Microsoft USA is ordered by the courts (under the law) to divulge the data on penalty of contempt, but the only copy is stored on foreign sovereign soil whose law prohibits divulging the data on a different penalty, then Microsoft can possibly claim entrapment: they break a law either way AND claim it's through no fault of their own.

0
0
Silver badge

A US court could order the parent to order the Irish subsidiary to take certain actions.

What if the US parent has direct technical access?

Can the US court order a US sysadmin in the USA to access the servers in Ireland in contravention of Eu law? The US employee wouldn't be breaking any US law if they complied but might be breaking US law if they refused.

1
0
Silver badge

"If Microsoft USA is ordered by the courts (under the law) to divulge the data on penalty of contempt, but the only copy is stored on foreign sovereign soil whose law prohibits divulging the data on a different penalty,"

What I said. The US court can order Microsoft to order the Irish subsidiary to turn over the data. The Irish company takes legal advice on Irish law. If that advice is that they can't turn over the data they tell Microsoft US that they can't. Microsoft US goes back to court, gives evidence of why it wasn't possible to obtain that data.

If a US court ordered you, Charles 9, to divulge that data under penalty of contempt, could you oblige?

3
0
Silver badge

"The US employee wouldn't be breaking any US law if they complied but might be breaking US law if they refused."

Consider that employee's liability under Irish law. I expect Ireland has legislation broadly similar to the UK Computer Misuse Act. A US-based employee accessing a server on Irish soil to commit an act illegal in Ireland might well be guilty of breaking such a law even if the server is ultimately owned by his employer under whose instructions he does this. If so then Ireland ought to be able to expect that employee to be extradited in exactly the same way that the US expects European citizens to be extradited for hacking US computers.

There are all sorts of other fun possibilities coming down the line. If this case runs out until GDPR becomes operative anyone who suspects that they might be the data subject, or anyone else whose email is held by Microsoft in the EU can invoke their "right to be forgotten". As the US have neglected to put in an official request to Ireland (and assuming they continue to do so) then I can't see how the various exclusions in the GDPR can come into play and Microsoft would be obliged to comply. Although the terms of the regulations don't oblige them to delete the data from backups I also can't see how they'd be able to legally restore them. There would also be the situation that Microsoft could be penalised under GDPR at up to 4% of global turnover if they complied with the US courts.

3
0
Silver badge

If the US won't extradite terrorists over-enthusiastic users of N. Irish cultural weapons, I can't see them handing over a sysadmin obeying a US warrant

5
0
Silver badge

"If a US court ordered you, Charles 9, to divulge that data under penalty of contempt, could you oblige?"

Other side of the coin, if an Ireland court rules that divulging that data counts as a privacy violation under penalty of a huge fine, could I NOT oblige?

This is what I mean by a no-win situation. If I follow the US, Ireland and the EU fine me, if I don't, the US fines me, and there's no in-between. If I were Microsoft, I'd be bitching to BOTH of them, "COME ON! It's impossible for me to stay legal with BOTH of you! One of you's gotta give!"

"Consider that employee's liability under Irish law. I expect Ireland has legislation broadly similar to the UK Computer Misuse Act."

But then the US can counter that attemtping to extradite would violate existing US policy. And in extraditions, the housing country takes precedence and they reserve the right to refuse. Again, no-win situation because of diametrically-opposed standing laws separated by sovereignty.

1
0
Bronze badge

"What if the US parent has direct technical access?"

No one in the "US" has "direct access" to things not in "US". Cloud is just someone else's computer. 'Someone else over there' gave you 'permission' to access it. If the Irish employee took the server down, you will no longer have access. No matter how hard you yell or do in the "US", the server will still be down because the "US" don't have "direct access" to that computer. The internet line, the power, the resource and the jurisdiction are all under Ireland.

The only time it is "direct access" is when you have physical access or within country land reach (one state to another), which in this case, they don't.

2
0
Silver badge

The US employee wouldn't be breaking any US law if they complied but might be breaking US law if they refused.

And here is the nub.

In the Google case, Google employees in the USA did have access as they controlled the servers and the data was moved purely for Google's convenience.

This case is very different. Microsoft have thought this through in advance, and setup a system which (it is claimed*) means that employees of Microsoft USA do not have access to the servers run by a legally separate company in Ireland. So the situation wasn't so much MS saying "we won't provide the data", it's more a case of "we cannot provide this data".

At best, MS USA can instruct MS in Ireland to send the data over - but that will get a fat rasperry in response because MS in Ireland will obey the local law.

Where it would get interesting is that if the DoJ win this case, a court could issue warrants for all the MS Ireland employees who have refused to hand over the data - effectively preventing them from ever travelling to the USA, or to any country "friendly" to the USA, on penalty of arrest and imprisonment.

* I have certain doubts that this is the case given that AIUI some of the authentication stuff can or is routed via US based servers (and certainly could be as it uses a domain name controlled from the US). Given that authentication can be routed via the US, it's hard to ignore the possibility of that being subverted to allow access.

2
0
Anonymous Coward

DoJ is insane.

"The DoJ has every right to rule on how American companies behave"

Yes, but this company isn't American company, at all.

It's Irish company owned by American company and yes, that is a different thing. Irish company can't break the law because some owner tells to do so it's irrelevant what DoJ wants.

That's basically same thing as putting car owner in jail because someone who leased it, broke the law. Even when the person who leased, is known.

It's obvious that DoJ isn't after the data itself, they are after _everything_ in those servers and that's totally illegal by any European law. And of course DoJ knows this, they aren't stupid. But they are insane, basically starting a trade war just to extend their own power to global.

That's literal power-hungry insanity.

3
0
Silver badge

Re: DoJ is insane.

"That's basically same thing as putting car owner in jail because someone who leased it, broke the law. Even when the person who leased, is known."

UNLESS the owner leased the car knowing that doing so would result in a crime. It's called Complicity.

0
0
Silver badge

"Can the US court order a US sysadmin in the USA to access the servers in Ireland in contravention of Eu law?"

Probably... but then ireland could ask for that sysadmin to be extradited... I know it sounds ridiculous but the US did it with Gary McKinnon so we should be able to do it the other way round!

0
0
Silver badge

This could require a bowl of freshly made popcorn

The US says MS has to cough up, and the EU fines them out of existence in Europe if they do.

Might be worth shorting a few shares here.

6
1

Re: This could require a bowl of freshly made popcorn

MS and every other major computer company from the US West Coast relocates to Ireland. Simple, really.

5
0
Silver badge

Re: This could require a bowl of freshly made popcorn

"MS and every other major computer company from the US West Coast relocates to Ireland."

Not necessarily Ireland. I'm sure there are some really hi-tech centres on Caribbean islands or other places with a warmer climate than Ireland's. It would be a terrible imposition on senior management to have to live in such places but I'm sure a hefty pay rise would take care of that.

Seriously, the shutters could well start to come down on data transfers to US companies, especially where the EU is involved. When Schrems 2.0 deals with the Privacy Figleaf it could become very difficult to cobble together a replacement. Companies based in the US would have to start looking at the longest possible arm's length arrangements. Leaving the US could well be an option. Cue nostalgia for the days when the US had a tech industry before Trump made America great again.

8
0
Anonymous Coward

Re: This could require a bowl of freshly made popcorn

What happens if they decide to leave the EU instead because they might run afoul of Asian companies or whatnot? Leave 1 billion or leave 3 billion?

0
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018