Supreme Court to rule on whether US has right to data stored overseas

The US Supreme Court has agreed to hear a dispute over whether Microsoft should release personal emails stored in Ireland to America's federal government. In 2014, the US Department of Justice took Microsoft to court because the software giant refused to give up emails stored on its data centres in Ireland, which would …

  1. d3vy Silver badge

    "This is an important case that people around the world will watch."

    Watch and laugh I expect.

    What do they plan to do if MS say "no you can't have it"... invade?

    1. Throatwarbler Mangrove Silver badge

      Sanction Microsoft in the US, I'd expect.

      1. d3vy Silver badge

        "Sanction Microsoft in the US, I'd expect"

        Very well and good, but surely the law in Ireland will override that and if that law prohibits the extraction of data to the US* then they can't really do anything...

        * I seriously doubt that there are any laws that prohibit this, if anything I'd expect we** have agreements in place to allow it.

        ** That's the collective we, I'm not in Ireland.

    2. Anonymous Coward

      Microsoft with this case (and EU law) in mind have already designed their security so that to obtain access to cross border data requires local approval. So if Microsoft US requested say Irish data, and it was illegal under Irish law then the local approver would simply refuse. So even if Microsoft lose, then the DOJ are not likely to get data like this. Also you can bring your own encryption keys that are stored on Thales HSMs that not even Microsoft have access to...

      So worst case they will get fined.

    3. Ian Michael Gumby Silver badge

      @d3vy ... WTF?

      Seriously you need to think about the issue.

      US citizen data taken offshore to Ireland. This would be similar to either German bank data laws or Swiss Data Laws concerning how to handle data.

      What we should expect is that the rights of the country of origination will prevail.

      Think of it this way. UK data is going to be placed under new rules/regs starting next year. Imagine if Google moved that data in to the US and told you that your data is no longer protected under UK laws because it now resides in the US?

      1. Doctor Syntax Silver badge

        Re: @d3vy ... WTF?

        "US citizen data taken offshore to Ireland."

        Do we know that (a) the data subject is a US citizen and (b) that the email in question did not originate in the EU?

        Do we know why the DoJ didn't use the existing international agreement to get an Irish warrant? Could it be that they don't have a prima facie case that would stand up in an Irish court?

        "Imagine if Google moved that data in to the US and told you that your data is no longer protected under UK laws because it now resides in the US?"

        Then Google could be fined up to 4% of global turnover. It wants to do business in Europe and must, therefore abide by European law - and exactly the same applies to Microsoft.

        1. tfewster Silver badge

          Re: @d3vy ... WTF?

          Yep, it's an EU citizen

          https://www.theregister.co.uk/2016/07/14/microsoft_wins_landmark_irish_warrant_case_against_usa/

          And the DOJ have had 3 years to get an Irish warrant, but continued this fight - Which, of course would have put an end to MS & Google cloud services in the EU if the DOJ had won.

          IIRC, in another case Google migrated a US citizen's data to Ireland but gave it up to the DOJ as that move was for their convenience rather than to move the data out of US jurisdiction

          1. Adam 1 Silver badge

            Re: @d3vy ... WTF?

            > And the DOJ have had 3 years to get an Irish warrant, but continued this fight

            What is their angle? I would get if it was some backwater country under a military junta every other week, or if it was an openly hostile Iran or North Korea or something, but Ireland? Just fax the form to them and as long as there are reasonable standards met, the cd with the data will be in the post (metaphorically). You wouldn't tolerate the argument in reverse. That should tell you something.

      2. Aitor 1 Silver badge

        Re: @d3vy ... WTF?

        If you are in Ireland, the Irish law should prevail, anything else is ridiculous.

        Same way the other way around.

        The only thing to consider is that there are agreements to respect each others individuals and companies rights, but no obligations that would trump on local law.

      3. d3vy Silver badge

        Re: @d3vy ... WTF?

        @Ian

        "US citizen data taken offshore to Ireland. This would be similar to either German bank data laws or Swiss Data Laws concerning how to handle data."

        Where to start?

        First, it's not a US citizen's data as others have pointed out.

        Second, we are not talking about MS, we are talking about an Irish subsidiary of MS, which is registered and operated from Ireland. For all intents and purposes it's an Irish company which happens to be owned by Microsoft (for tax reasons).

        The law of the country where the servers are located trumps the law of where the users originate.

        1. Anonymous Coward

          Re: @d3vy ... WTF?

          > The law of the country where the servers are located trumps the law of where the users originate.

          No such luck. That's actually the main issue with companies hosting their data across the border and then proclaiming they have magically acquired new rights.

          1 - you yourself are still beholden to your local legal system. NOBODY can protect you from that (because if they could they were running an operation that would by definition be illegal), so if you get served with a warrant you have to cough up or face the consequences, irrespective of where you have stored your data.

          2 - a business hosting its data abroad will find that their data is still beholden to the laws of where the data originates. That's a frequent mistake made in connection with Switzerland: companies go host there and then loudly proclaim they're safe. Anyone who actually knows the laws involved will always check company ownership first.

          Getting online privacy right requires expertise in multiple disciplines. Few have.

    4. big_D Silver badge

      It isn't a laughing matter. If the US DOJ wins, it means the end of cloud services with a presence in the USA.

      The story is also a little misleading, the problem is that Microsoft USA is refusing to hand over data held on an Irish company's servers (Microsoft Ireland), which is a separate legal entity and beholden to Irish and EU law, which would make it illegal for them to hand over the data without an Irish or EU warrant.

      The whole thing is a farce, there are decades old treaties in place for doing exactly this, the DOJ just needs to work with the Irish authorities and provide the evidence before a court in Ireland and if it has any merit, the Irish court will tell Microsoft Ireland to hand over the data.

      That the DOJ hasn't done this makes it sound like they don't actually have enough evidence to present to the court to get them to provide a warrant...

  2. Thomas Wolf

    What data did DOJ seek?

    It seems to me that if the DOJ was seeking personal data, access to it should be governed by the person(s) country of citizenship. If it’s any other data, then access to it should be governed by the countries in which the business does business. Seems straight-forward.

    1. aks

      Re: What data did DOJ seek?

      The USA want to be able to fish around in the data, without a warrant.

      Ireland have always offered access once a warrant is issued.

      The USA Supreme Court can decide whatever it likes, but Ireland doesn't have to comply. It's a sovereign country and has its own laws and Supreme Court.

    2. aks

      Re: What data did DOJ seek?

      They're not after specific data about a specific individual but open access to the servers.

      I wonder whether if the USA Supreme Court decides that any data in the world must be made available to them that they'll have a reciprocal agreement that the Irish, British, Germans, Russians, Chinese have the same rights for data stored in the USA.

      1. Alan Brown Silver badge

        Re: What data did DOJ seek?

        "They're not after specific data about a specific individual but open access to the servers."

        There's the companion thought to this, that the US Ferals are only going for this because they haven't been able to rummage around quietly already.

        Perhaps MS have improved their security.

        1. Anonymous Coward

          Re: What data did DOJ seek?

          > Perhaps MS have improved their security.

          Yeah. Just got a call from Hell, they have some burst water pipes after they froze..

    3. Suricou Raven

      Re: What data did DOJ seek?

      What happens when the business does business in multiple countries, with contradictory laws?

    4. This post has been deleted by its author

    5. Anonymous Coward

      Re: What data did DOJ seek?

      The DoJ is not really seeking access to that data, that's not their motive. Their aim is to set legal precedent.

      If the DoJ were truly interested in the data itself they could already have established international mechanisms for law enforcement collaboration. If there was anything to it, MS would have already been served in Ireland with a local warrant and the whole show would have ended there and then as it should, respecting sovereign borders and law.

      Instead, they chose an altogether more precarious route which could have fairly major consequences either way. If the DoJ wins this, it's game over for US service providers trying to sell services in Europe because it destroys the basis for renewing the Privacy Shield concept. I am not saying that I considered that basis valid to start with, but it makes it more clear that it's pure BS.

      1. Suricou Raven

        Re: What data did DOJ seek?

        It's obviously a precedent thing, because after three years I doubt the data is of any value to an investigation.

        I'm surprised they only used a run-of-the-mill drugs case, rather than try to find some juicy child abuse imagery. MS wouldn't want to fight that one too hard in court, it's just terrible press.

        1. Anonymous Coward

          Re: What data did DOJ seek?

          > I'm surprised they only used a run-of-the-mill drugs case, rather than try to find some juicy child abuse imagery. MS wouldn't want to fight that one too hard in court, it's just terrible press.

          The problem with CP cases is that it tends to push towards an exception status because of all the emotion and politics involved. The fact that the DoJ have indeed avoided that easy route suggests they're seeking to establish a fairly low bar for the international overreach they're trying to engineer.

          In my opinion, if we consider the current makeup of the Supreme Court and the dire state of the US Presidency I reckon the DoJ is going to win this one. If you haven't already (to remove any risk of non-GDPR compliance), I would recommend considering other facilities than, for instance, Microsoft or Google mail - going local instead also leaves some of your money in your own economy.

          In the case of Gmail, the good news is that if you know what you're doing, it's actually cheaper if you have more than 4 members of staff enrolled. Don't know about Microsoft, as we detected alleged "EU only" traffic spooling via US resources we didn't even bother trying any further.

          1. Alan Brown Silver badge

            Re: What data did DOJ seek?

            "I reckon the DoJ is going to win this one."

            If they do, it may trigger electronic trade wars which will have lots of unforeseen results.

            Like the USA no longer being the hub of our communications electronic universe(*)

            (*) That's already happening, but the difference will be traffic actively routing _around_ the USA and US-based multinationals being shunned everywhere.

            1. Anonymous Coward

              Re: What data did DOJ seek?

              > If they do, it may trigger electronic trade wars which will have lots of unforeseen results.

              I know, that's exactly what is bothering me about this case. I have the impression that either side has set themselves up for an adversarial stance that will result in harm either way, which is why I had assumed this would have already somehow been settled out of sight.

              I would have held a DoJ win for unlikely until the Trump administration started messing with every legal process going and planted their nominee in a Supreme Court position that was left unfulfilled by the previous administration by frankly shocking tactics. Add to that that the Trump administration is not that friendly with Silicon Valley other than for offering service and party contributions and wants to desperately establish a grip on the legal system before the results of the Russia investigation emerge, and I reckon this could end badly - with the exact consequences you predicted because the EU is not going to accept that change in law for its citizens.

              That said, there's also a Trump argument for Microsoft winning this, because if MS wins it opens the door for any organisation to put data beyond the reach of US investigators other than by normal international process. Set up a subsidiary abroad and move data there and presto, an end to all those pesky law enforcement investigations. In that case I am betting Trump Inc would be the first to move, followed by all of Wall Street. You would basically end up legally validating the approach exposed by the Panama Papers.

              Thus, either victory is at its heart rather pyrrhic for the US.

          2. Alan Brown Silver badge

            Re: What data did DOJ seek?

            "Don't know about Microsoft, as we detected alleged "EU only" traffic spooling via US resources we didn't even bother trying any further."

            Google won't offer any guarantees whatsoever that EU data stays in the EU. (in fact they pretty much guaranteed it won't)

            If you have some documented evidence of MS pulling this, then a number of places I know would like to see it.

            1. Anonymous Coward

              Re: What data did DOJ seek?

              > If you have some documented evidence of MS pulling this, then a number of places I know would like to see it.

              I have. Worse, the specific entity involved makes what we found even more egregious - especially since they have so far refused to take any action on these findings on account of senior level Microsoft fandom. We do privacy consulting at quite a deep level, so digging out these sort of issues is pretty much the first thing we teach anyone seeking to franchise what we're doing.

              It is not just Microsoft, by the way. We found fun stuff when examining the service of another alleged "EU based" service of US origin too, but at least that was just an inactive potential.

              Happy to organise a day session for your audience. If I tell you that we scare lawyers with this stuff there will be at least 3 people here who will instantly know who I am :).

    6. veti Silver badge

      Re: What data did DOJ seek?

      What if "citizenship" is part of the data that you're looking for?

      Besides, legal discrimination on grounds of citizenship is unconstitutional in itself. Check the 14th amendment.

      1. Alan Brown Silver badge

        Re: What data did DOJ seek?

        "legal discrimination on grounds of citizenship is unconstitutional in itself. Check the 14th amendment."

        And yet it's not only routine in the USA, it's condoned by most levels of government.

        A bit like the 15th amendment is widely ignored.

  3. Mark 85 Silver badge

    So, if the DoJ wins, then corporations like MS will probably lose customers in Europe and elsewhere? If MS wins, then they don't lose customers but also don't dare ever to move any data to the US.

    Whatever happened to law enforcement following law, treaty agreements, and practice to get evidence from another country?

    1. A Non e-mouse Silver badge

      It's issues such as this (and the EU ruling that Safe Harbour wasn't very safe) that's prompted companies such as Microsoft to start operating services in Europe via arms length companies. E.g. In Germany, the data centres are run by T-Systems. See Ars.

      1. Anonymous Coward

        > that's prompted companies such as Microsoft to start operating services in Europe via arms length companies. E.g. In Germany, the data centres are run by T-Systems.

        Ah, a couple of caveats here.

        (1) It depends on how the contracts have been structured if that isolation has any actual value (especially since Microsoft vs DoJ may end up rewriting the legal landscape involved)

        (2) As T-Systems is running Microsoft code it probably is exposed via yet-another-zero-day already, either accidentally or deliberately.

        (3) this "isolation" has as yet not been tested in court. At present it's still only theory.

        As stated before, it is in my opinion clear that the DoJ is seeking to set precedent. Once they have that precedent (which is likely unless, of course, the IT industry quickly book lots of the Trump venues that are presently losing business hand over fist*)...

        * You say cynic, I say realist..

    2. Anonymous Coward

      > Whatever happened to law enforcement following law, treaty agreements, and practice to get evidence from another country?

      As soon as the authorities in the US granted themselves free and open access without a warrant to their own citizens data, and they noticed that the UK were doing the same, it seemed only logical to help themselves to anybody's data anywhere in the world.

  4. Christoph Silver badge

    "We have the legal right to take it because we are the biggest bully in the playground."

    1. bombastic bob Silver badge

      "We have the legal right to take it because we are the biggest bully in the playground."

      That's why we have courts, elected legislators, and written constitutions, to put the reins on an otherwise power-hungry out-of-control oppressive gummint. Mostly it works, but sometimes you end up with cases like THIS one where it's not so clear, and is likely to go too far if you don't stop it NOW.

      HOPEFULLY the Supreme Court "gets it right". This will be a nice test. There are details about this case that I do not know, and no doubt all of that will be included in the decision (which is generally made public).

      From what it sounds like, the D.O.J. is going on a fishing expedition. Otherwise, wouldn't an Irish court tell Microsoft to "cough it up" ? Then this would have been over with and done.

      anyway, the actual decision should be an interesting read.

      1. Charles 9 Silver badge

        Unless the Irish court is not cooperating, in which case it's this way or bust.

        1. Doctor Syntax Silver badge

          "Unless the Irish court is not cooperating"

          I've never read anything which suggested that the Irish courts have ever been approached. There are mechanisms for doing that. If they haven't been used this ought to be a fact to be taken into consideration - was it an oversight on the original prosecutor's part or a lack of a case to be put before such a court?

          If push comes to shove it's unlikely that the Irish courts are going to be receptive to attempts to go above their heads and trample on Irish sovereignty.

      2. big_D Silver badge

        This case is very clear. The data is held in Ireland and subject to Irish law and there have been treaties in place for decades to allow the DOJ to apply for access to the data.

        The DOJ said screw that, we don't have enough to get a warrant, so we'll force Microsoft to break the law.

  5. oiseau

    If it's in Ireland ...

    I'm not a lawyer, much less a person knowledgeable in constitutional matters and could be simplifying things a bit, but ...

    Isn't this an issue where just plain common sense applies?

    You see, unless I missed something really important recently, Ireland is still a sovereign state.

    I really cannot see what in f*cks' name the US Supreme Court has to do with respect to whatever goes on in Ireland.

    Isn't it enough with the crap they deal/have dealt to their own citizens at home?

    I think that if the servers are located in Ireland and belong to a company working in Ireland, under Irish law and Irish regulations, I'd say that the servers (and whatever is held inside them) fall exclusively under Irish jurisdiction.

    More so if the 'whatever' held in the servers belongs to Irish citizens.

    All this unless some Irish court decides otherwise (which I think is a bit of a stretch) or there's already a provision in place for events such as this.

    It's not impossible, strange things happen these days.

    It could also be that MS backs up their overseas servers in US facilities and if this is so, then it would seem to be another matter altogether.

    Cheers.

    1. Anonymous Coward

      Re: If it's in Ireland ...

      In this case yes.

      The other Google case is less clear. The data was uploaded by a US customer to Google in the USA who happened to ship it around the world to different data centers for load balancing / cost saving / redundancy reasons that the user had no idea about. When a warrant was served the data happened to be outside the USA so they refused the warrant.

      Does this mean that the US have to get a warrant for where the data is at exactly that time?

      If Google move the data between the warrant being issued and executed is that contempt?

      Does Google have to inform the US DOJ every time data is moved?

      Does Google have to get an export license every time it moves US customer data?

      Can users store different bytes of the data stream in different countries to stop any investigation?

      Do you feel the same about any of the above if the "customer" is Enron or GoldmanSachs rather than Wikileaks?

      1. Anonymous Coward

        Re: If it's in Ireland ...

        > The other Google case is less clear. The data was uploaded by a US customer to Google in the USA who happened to ship it around the world to different data centers for load balancing / cost saving / redundancy reasons that the user had no idea about. When a warrant was served the data happened to be outside the USA so they refused the warrant.

        Ah, but this is one of the gotchas of most Data Protection laws. If you are an entity in country X and you elect to store your data in country Y, your data is actually considered still to be under the jurisdiction of country X. You can only affect that "connection" if you create a separate legal entity/subsidiary in country Y which hosts that data, that's the first layer of isolation. This is also why Microsoft GERMANY (or any other non-US subsidiary) should host data with T-Systems, not MS US.

        But that's not where legal leverage ends, so I'm watching this case with interest. Its outcome will tell us a lot about the current state of US law. At present, it's not looking good.

    2. Cynic_999 Silver badge

      Re: If it's in Ireland ...

      > You see, unless I missed something really important recently, Ireland is still a sovereign state.
      >
      > I really cannot see what in f*cks' name the US Supreme Court has to do with respect to whatever goes on in Ireland.

      It is Microsoft, a U.S. company that has been ordered to provide the data. The question is a valid one - does US law apply to data that is being held by a U.S. company, even if that data is physically located elsewhere?

      The fact is that Microsoft U.S. could tell its Irish office to send over the data, and the Irish office could hardly refuse to obey an instruction from head office. That's assuming that nobody in Microsoft U.S. has admin access to the Irish servers and so could just help themselves if they were so inclined.

      1. Orv Silver badge

        Re: If it's in Ireland ...

        Yes, exactly. It's tricky because there's potential for mischief on both sides. If it's ruled that the US can't get access to the data, every major corporation that's engaging in shady practices will move their email servers offshore, making their email correspondence unavailable as evidence in US investigations and trials. It'll be a lot like hiding money in foreign bank accounts.

        1. Doctor Syntax Silver badge

          Re: If it's in Ireland ...

          " If it's ruled that the US can't get access to the data"

          There are existing procedures, internationally agreed, for getting this by applying for a warrant in Ireland. For reasons best known to themselves the US have decided to to use this.

          Was it ignorance of the availability of this route by whoever started this, or arrogance or indolence, then coupled by an unwillingness to retreat? Or did they not have sufficient cause to apply for a warrant and have decided to trample Ireland's sovereignty to make up for it?

          Ideally the Supremes will simply tell the DoJ to go and use the existing procedures. If they don't then it will become more and more difficult for data-hungry US corporations to do business with the rest of the world.

          1. Anonymous Coward

            Re: If it's in Ireland ...

            > For reasons best known to themselves the US have decided to to use this.

            I presume you mean declined :)

            > Was it ignorance of the availability of this route by whoever started this, or arrogance or indolence, then coupled by an unwillingness to retreat?

            I think the reasons are far more nefarious, and this started to surface with DoJ vs Apple. It appears that people high up at the DoJ appear to have decided that they are better placed to write law than Congress, so they are attempting to rewrite law via precedent.

            In "normal" circumstances I would expect the Supremes to slap this down with a handbag (They're the Supremes, after all), but their makeup (sorry) as well as the Presidency have made some unprecedented shifts which may result in decisions that break the traditional separation of justice and politics. I am a lot less certain of the outcome as I would have been under the previous presidency.

        2. oiseau

          Re: If it's in Ireland ...

          "It'll be a lot like hiding money in foreign bank accounts."

          Hmmm ...

          Yes.

          Like it is not something that has been happening (at least) since the mid 1940's.

          And as of late, has anyone heard of the 'Panama Papers' thing?

          *Every* major transnational corporation does it (hiding money) and has been doing it for ages.

          Of course, the hidden data associated to this practise is *also* hidden and/or moved around.

          But, you surely understand that it's not *them* they are after.

          Cheers.

      2. DavCrav Silver badge

        Re: If it's in Ireland ...

        "The fact is that Microsoft U.S. could tell its Irish office to send over the data, and the Irish office could hardly refuse to obey an instruction from head office."

        I'm sorry? So if head office says "go out and kill a bunch of people", you could hardly refuse it? If it is a crime in Irish law, I would imagine that excuse won't go down well in their court.

        "That's assuming that nobody in Microsoft U.S. has admin access to the Irish servers and so could just help themselves if they were so inclined."

        If they want to commit a crime in Ireland then that's their business. Accessing a computer to perform illegal acts is still a crime. Whether the US would extradite is one thing, but local Microsoft employees would be in the dock for abetting a crime.

      3. Anonymous Coward

        Re: If it's in Ireland ...

        "The fact is that Microsoft U.S. could tell its Irish office to send over the data, and the Irish office could hardly refuse to obey an instruction from head office"

        On the contrary, local employees would be expected to refuse a request if it in any way risked contravention of local laws. It's illegal to ask an employee to break the law. And there would be little Microsoft US could do about it unless they want to break EU employment laws and pay out compensation. And still not get the data.

        1. d3vy Silver badge

          Re: If it's in Ireland ...

          "On the contrary, local employees would be expected to refuse a request if it in any way risked contravention of local laws. It's illegal to ask an employee to break the law. And there would be little Microsoft US could do about it unless they want to break EU employment laws and pay out compensation. And still not get the data."

          This actually follows on nicely from a comment I just posted about MS ie being a separate legal entity.. it has its own directors who are legally responsible for ensuring that MS IE does not contravene any laws... If they just handed the data over without a valid warrant the Management of MS IE could be looking (at best) at a hefty fine or (at worst) prison time.

      4. Alan Brown Silver badge

        Re: If it's in Ireland ...

        "The fact is that Microsoft U.S. could tell its Irish office to send over the data, and the Irish office could hardly refuse to obey an instruction from head office. "

        They can if it's illegal under Irish law.

        Head office might rail about it, but if they sack the refuseniks they'll not only be in trouble for attempted illegal activities, they'll also be in deeper trouble for unjustified dismissal.

      5. Red Bren

        Re: If it's in Ireland ...

        "The fact is that Microsoft U.S. could tell its Irish office to send over the data, and the Irish office could hardly refuse to obey an instruction from head office."

        If the US parent company instructs its offshore subsidiary to break local law, wouldn't the local management threaten to resign, sue for constructive dismissal and inform the local authorities? It would then be difficult for the parent company to find new management, when their first task would be to break the law while the local authorities were watching.

      6. Anonymous Coward

        Re: If it's in Ireland ...

        "could tell its Irish office"

        It's not just an Irish office, for tax reasons Microsoft Ireland is a completely separate company registered in Ireland and governed by Irish Law. Its sole shareholder is MS US.

        It's a small distinction, but an important one.

    3. Captain DaFt

      Re: If it's in Ireland ...

      > Isn't this an issue where just plain common sense applies?

      We're talking US Federal Government here.

      It and common sense parted ways about a century ago.

    4. Lars Silver badge

      Re: If it's in Ireland ...

      "I really cannot see what in f*cks' name the US Supreme Court has to do with respect to whatever goes on in Ireland.".

      It's about data held by an American company (wherever). As far as I remember it was originally data about an American too, or was it, not sure anymore. This thing has gone on for several years now.

      1. d3vy Silver badge

        Re: If it's in Ireland ...

        "It's about data held by an American company (wherever)."

        Let's simplify this. I (a UK/EU citizen) dump some dodgy data on a portable hard disk and drive from Manchester to somewhere in France and put that disk in a safe.

        So that's data which the UK police want held by me (a UK/EU citizen) in France...

        Can the UK police retrieve that drive without a French warrant?

        No, they can't, not legally anyway.

    5. Alan Brown Silver badge

      Re: If it's in Ireland ...

      "unless I missed something really important recently, Ireland is still a sovereign state."

      Historically that's never bothered the US much when it's wanted something.

  6. alain williams Silver badge

    Interesting tussle coming up ...

    between the supreme court of the USA and the Irish courts.

    IMHO it is all in Ireland, so it is up to their courts.

    1. Charlie Clark Silver badge

      Re: Interesting tussle coming up ...

      The US has a long (and proud?) tradition of extra-territoriality, which is what this is really about. As noted above, if the Supreme Court rules in favour of the government then sanctions can be applied to any company that trades in the US.

      Trying to enforce this could, however, really foul up lots of trade agreements. The US could offer reciprocity but has a tradition of not doing this because legally foreign governments are, well, foreign powers. Expect companies to look at implementing additional technical mechanisms that will give them plausible deniability when served with orders. If things get difficult enough the DoJ might even get round to requesting a warrant in the other country. It's not as if this would be technically difficult as the procedures are already in place for this.

      1. Doctor Syntax Silver badge

        Re: Interesting tussle coming up ...

        "If things get difficult enough the DoJ might even get round to requesting a warrant in the other country. It's not as if this would be technically difficult as the procedures are already in place for this."

        And they should be asked to explain why they didn't do so in the first place.

        1. Anonymous Coward
          Anonymous Coward

          Re: Interesting tussle coming up ...

          "Because they would say no."?

      2. Steve Knox Silver badge
        Childcatcher

        Re: Interesting tussle coming up ...

        The US has a long (and proud?) tradition of extra-territoriality...

        As opposed to the British, who have absolutely no history* of such behaviour.

        * Because they opted to go the other route, viz. simply declaring any plot of earth which caught their fancy as part of their empire**.

        ** In spite of*** any objection from the poor people who happened to be living there.

        ***And often, to pour salt in the wound, ostensibly for the benefit**** of said people.

        **** The benefit being, of course, to teach them Proper English Manners*****.

        ***** Up to, but not including, of course, the manners found in *.

        1. Neil Barnes Silver badge

          Re: Interesting tussle coming up ...

          Which is, rather interestingly, exactly why the national language in the general area of the USA isn't Choctaw, or Navajo, or...

  7. Anonymous Coward
    Anonymous Coward

    Of course, the DoJ will win

    The trumpster will throw a hissy fit if they don't.

    After all,

    - Americans rule the world (Doh!)

    - Make America Great and them means that everyone else has to roll over and give them what they want

    - And there is already a law that proclaims that US Law applies everywhere on the planet.

    1. sisk Silver badge

      Re: Of course, the DoJ will win

      The trumpster will throw a hissy fit if they don't.

      Irrelevant. The DOJ is under Trump's control, but the SCUSA is actually supposed to serve as a check and balance on his power. In other words, it's their job to tell him when he's overstepping his boundaries, and no amount of hissy fit he throws can affect them (in theory, of course).

      - Americans rule the world (Doh!)

      No we don't, despite how much the extreme right might wish it so.

      Make America Great and them means that everyone else has to roll over and give them what they want

      Judging by his actions in office so far I think "Make America Great" in Trumpese translates to "Make Donald Trump richer and more powerful" in English.

      And there is already a law that proclaims that US Law applies everywhere on the planet.

      So far as I know that law's never been challenged in SCUSA, and given that I'm pretty sure it violates international law I wouldn't expect it to hold up to scrutiny.

      1. Anonymous Coward
        Anonymous Coward

        Re: Of course, the DoJ will win

        It's SCOTUS not SCUSA

        1. Doctor Syntax Silver badge

          Re: Of course, the DoJ will win

          "It's SCOTUS not SCUSA"

          The DoJ are looking for a good exSCUSA to trample all over Irish sovereignty.

      2. Alan Brown Silver badge

        Re: Of course, the DoJ will win

        > Judging by his actions in office so far I think "Make America Great" in Trumpese translates to "Make Donald Trump richer and more powerful" in English.

        and "Making America Grate" for the rest of the world.

    2. a_yank_lurker Silver badge

      Re: Of course, the DoJ will win

      This case preexists Trump becoming President. I think it started in the Obama administration. As I understand the Slurp case, Slurp has overseas operating companies set up for issues like EU privacy requirements. The Irish data center is run by an Irish company that is ultimately owned by Slurp. The key is that the Irish company is legally an independent company governed by Irish/EU laws. Thus serving a warrant on Slurp US is idiotic as the warrant has to come from an Irish/EU court with territorial jurisdiction over the operating company. Proper procedure is to ask the local courts to issue a warrant, as there are treaties in place for just this purpose. But given feral privacy law and EU/Irish privacy laws are very different, the amount of information an EU/Irish court will allow to be turned over is less than what a feral court will allow.

      If a case reaches the Nine Seniles, it has been kicking around the feral courts for a number of years. This is one Trump inherited.

      1. Eguro

        Re: Of course, the DoJ will win

        If the case originated with Obama's administration, can't we be almost 100% sure that Trump will be against it?

      2. Anonymous Coward
        Anonymous Coward

        Re: Of course, the DoJ will win

        This is one Trump inherited.

        True, but the changes to the legal system wrought by the Trump administration have changed the playing field considerably. As I said before, when it started I would have thought MS would win this, or it would get settled out of sight because neither side winning does the US overall any favour.

        In the light of the games that Trump is getting away with I am no longer certain. There is no sign that Congress or House are even *thinking* about holding Trump to a normal rule of law standard. With those checks failing, all bets are off. You might as well roll the dice instead.

      3. d3vy Silver badge

        Re: Of course, the DoJ will win

        @a_yank_lurker

        I stopped reading when you said "Slurp", I don't care if the rest of your comment was pure gold, calling them "slurp" is immature and about as funny as having genital warts.

        1. Anonymous Coward
          Anonymous Coward

          Re: Of course, the DoJ will win

          What, you stop reading because of an accurate one-word summary of what Windows 10 is, a term heard in quite a few places that have to deal with this foul mix of uncontrolled backdoor intelligence gathering and zero day exposures?

          Tsk tsk tsk, what is the world coming to?

          And yes, I'm pulling your leg. Have a beer. Relax. If it wasn't sh*t you'd be out of a job.

  8. Phil Endecott Silver badge

    Wouldn’t it be great if there were some significant European email provider for people to switch to instead of US gmail, hotmail, outlook, yahoo, icloud etc. I think the closest we get is gmx.de.

    (Hilariously, my iPad autocorrected gmx.de to gmail.com!)

    1. LeoP

      GMX, really?

      FYI, they give fulltime, direct read access to everything you give them to the BND. It's even in their TOS, somewhere between pages 4000 and 5000 (in 3pt comic sans)

    2. MrDamage

      Try ProtonMail

      Based in Switzerland.

      Don't get much mail storage for a free account compared to the "You are the Product"..ahem..free email systems, but for a few bob per day you can get some serious storage, with ProtonVPN thrown in for the top level account.

      1. Anonymous Coward
        Anonymous Coward

        Re: Try ProtonMail

        Everyone in Europe should really just own a domain and have their own email.

        There are plenty of European domain providers who'll give you plenty of storage and easy email setup for hardly any money at all.

        Use the domain for emails for the whole family and a shared hosting for images.

      2. Anonymous Coward
        Anonymous Coward

        Re: Try ProtonMail

        Tried it, terminated that fairly quickly. It's too complicated for normal use, nor can you have data picked up automatically. It's definitely geek compatible, but not very useable for your average end user.

        There is nothing wrong with good old IMAP/SMTP/carddav/caldav (well, other than for Microsoft Outlook, which only supports IMAP/SMTP because they really would like you to blow money on Exchange), and you can get that from quite a few providers.

        I guess what you're asking for is FREE services, and that does indeed get more difficult. What you were offered as "free" was just a big lie, you just didn't pay with money but with personal details of yourself as well as of your friends. That's harder to do in Europe, exactly because of prevailing privacy laws.

    3. Roj Blake Silver badge

      Tutanota

      Tutanota is another European email provider.

  9. TechnicalBen Silver badge
    Facepalm

    Technical Ben to rule...

    if he owns the sweets in other people's pockets...

    Fat lot of good that will do?

  10. sisk Silver badge

    Personally, I would think this is an open and shut case. I would think it rather obvious that the government of one nation cannot require a company to violate laws in another nation regarding servers in that nation.

  11. Anonymous Coward
    Anonymous Coward

    I think it's pretty clear which way this is going to go.

    The endpoint is in America, i.e. Microsoft or the User whose data they are trying to get are in America. Sure, the data is in Ireland but it originated in America and was moved by an American company off-shore so they can order that company to bring it back through a warrant.

    Do I agree with this? No, but I don't see it going any other way.

  12. adnim Silver badge

    How far should an American warrant go?

    As far as US borders. Land marked borders.

    Pretty simple really. However being a simple minded, KISS kind of person, I am probably not over analysing the situation and extending said borders into places where the US has a financial or military interest. Regardless of their judiciary (zero imho) in those areas outside of said borders

  13. Anonymous Coward
    Anonymous Coward

    The DoJ has every right to rule on how American companies behave - and punish them if they don't comply. This has nothing to do with the Irish state.

    1. Anonymous Coward
      Anonymous Coward

      "This has nothing to do with the Irish state"

      On the contrary the data is in the EU, and therefore EU data protection laws apply. The sanctions coming under the GDPR regulations make any potential US fine look like peanuts...

    2. veti Silver badge

      The DOJ has every right to rule on how American companies behave, subject to the courts. This case is about which courts are applicable.

      Forget about "data" for a moment, let's talk about something physical. Consider, e.g., ExxonMobil's operations in, say, Australia. Those are governed firmly by Australian law: no US court can order the company to drill here or move something there, in violation of Australian law.

      This remains true even if all the actual humans involved are American, and all the equipment was manufactured in America and transported on American ships (none of which conditions are likely to be true, but it makes no difference).

    3. Doctor Syntax Silver badge

      "The DoJ has every right to rule on how American companies behave - and punish them if they don't comply."

      This is wrong on so many levels, starting with the fact that the DoJ has no right to rule on how American companies behave. It's the courts that have that right. They have no right to punish anyone. It's the courts that have that right.

      Then we continue with the situation that the data is actually held by an Irish company. A Microsoft subsidiary it's true but still an Irish company operating on Irish soil under Irish law. A US court could order the Irish parent to order the Irish subsidiary to take certain actions. The Irish subsidiary has the right to take legal advice to determine whether it can legally obey that order.

      Perhaps you were missing school on the day your civics class explained due process of law.

      I do feel somewhat sorry for Microsoft being in this situation (not a very frequent feeling towards them on my part) but they do seem to be trying to do the right thing in this case.

      1. Charles 9 Silver badge

        "Perhaps you were missing school on the day your civics class explained due process of law."

        But what happens when two sovereign due processes clash? If Microsoft USA is ordered by the courts (under the law) to divulge the data on penalty of contempt, but the only copy is stored on foreign sovereign soil whose law prohibits divulging the data on a different penalty, then Microsoft can possibly claim entrapment: they break a law either way AND claim it's through no fault of their own.

        1. Doctor Syntax Silver badge

          "If Microsoft USA is ordered by the courts (under the law) to divulge the data on penalty of contempt, but the only copy is stored on foreign sovereign soil whose law prohibits divulging the data on a different penalty,"

          What I said. The US court can order Microsoft to order the Irish subsidiary to turn over the data. The Irish company takes legal advice on Irish law. If that advice is that they can't turn over the data they tell Microsoft US that they can't. Microsoft US goes back to court, gives evidence of why it wasn't possible to obtain that data.

          If a US court ordered you, Charles 9, to divulge that data under penalty of contempt, could you oblige?

          1. Charles 9 Silver badge

            "If a US court ordered you, Charles 9, to divulge that data under penalty of contempt, could you oblige?"

            Other side of the coin, if an Ireland court rules that divulging that data counts as a privacy violation under penalty of a huge fine, could I NOT oblige?

            This is what I mean by a no-win situation. If I follow the US, Ireland and the EU fine me, if I don't, the US fines me, and there's no in-between. If I were Microsoft, I'd be bitching to BOTH of them, "COME ON! It's impossible for me to stay legal with BOTH of you! One of you's gotta give!"

            "Consider that employee's liability under Irish law. I expect Ireland has legislation broadly similar to the UK Computer Misuse Act."

            But then the US can counter that attempting to extradite would violate existing US policy. And in extraditions, the housing country takes precedence and they reserve the right to refuse. Again, no-win situation because of diametrically-opposed standing laws separated by sovereignty.

      2. Yet Another Anonymous coward Silver badge

        A US court could order the parent to order the Irish subsidiary to take certain actions.

        What if the US parent has direct technical access?

        Can the US court order a US sysadmin in the USA to access the servers in Ireland in contravention of EU law? The US employee wouldn't be breaking any US law if they complied but might be breaking US law if they refused.

        1. Doctor Syntax Silver badge

          "The US employee wouldn't be breaking any US law if they complied but might be breaking US law if they refused."

          Consider that employee's liability under Irish law. I expect Ireland has legislation broadly similar to the UK Computer Misuse Act. A US-based employee accessing a server on Irish soil to commit an act illegal in Ireland might well be guilty of breaking such a law even if the server is ultimately owned by his employer under whose instructions he does this. If so then Ireland ought to be able to expect that employee to be extradited in exactly the same way that the US expects European citizens to be extradited for hacking US computers.

          There are all sorts of other fun possibilities coming down the line. If this case runs out until GDPR becomes operative anyone who suspects that they might be the data subject, or anyone else whose email is held by Microsoft in the EU can invoke their "right to be forgotten". As the US have neglected to put in an official request to Ireland (and assuming they continue to do so) then I can't see how the various exclusions in the GDPR can come into play and Microsoft would be obliged to comply. Although the terms of the regulations don't oblige them to delete the data from backups I also can't see how they'd be able to legally restore them. There would also be the situation that Microsoft could be penalised under GDPR at up to 4% of global turnover if they complied with the US courts.

          1. Yet Another Anonymous coward Silver badge

            If the US won't extradite terrorists over-enthusiastic users of N. Irish cultural weapons, I can't see them handing over a sysadmin obeying a US warrant

          2. SImon Hobson Silver badge

            The US employee wouldn't be breaking any US law if they complied but might be breaking US law if they refused.

            And here is the nub.

            In the Google case, Google employees in the USA did have access as they controlled the servers and the data was moved purely for Google's convenience.

            This case is very different. Microsoft have thought this through in advance, and set up a system which (it is claimed*) means that employees of Microsoft USA do not have access to the servers run by a legally separate company in Ireland. So the situation wasn't so much MS saying "we won't provide the data", it's more a case of "we cannot provide this data".

            At best, MS USA can instruct MS in Ireland to send the data over - but that will get a fat raspberry in response because MS in Ireland will obey the local law.

            Where it would get interesting is that if the DoJ win this case, a court could issue warrants for all the MS Ireland employees who have refused to hand over the data - effectively preventing them from ever travelling to the USA, or to any country "friendly" to the USA, on penalty of arrest and imprisonment.

            * I have certain doubts that this is the case given that AIUI some of the authentication stuff can or is routed via US based servers (and certainly could be as it uses a domain name controlled from the US). Given that authentication can be routed via the US, it's hard to ignore the possibility of that being subverted to allow access.

        2. Tim Seventh

          "What if the US parent has direct technical access?"

          No one in the "US" has "direct access" to things not in "US". Cloud is just someone else's computer. 'Someone else over there' gave you 'permission' to access it. If the Irish employee took the server down, you will no longer have access. No matter how hard you yell or do in the "US", the server will still be down because the "US" don't have "direct access" to that computer. The internet line, the power, the resource and the jurisdiction are all under Ireland.

          The only time it is "direct access" is when you have physical access or within country land reach (one state to another), which in this case, they don't.

        3. d3vy Silver badge

          "Can the US court order a US sysadmin in the USA to access the servers in Ireland in contravention of EU law?"

          Probably... but then Ireland could ask for that sysadmin to be extradited... I know it sounds ridiculous but the US did it with Gary McKinnon so we should be able to do it the other way round!

    4. Anonymous Coward
      Anonymous Coward

      DoJ is insane.

      "The DoJ has every right to rule on how American companies behave"

      Yes, but this company isn't an American company, at all.

      It's an Irish company owned by an American company and yes, that is a different thing. An Irish company can't break the law because some owner tells it to do so; it's irrelevant what DoJ wants.

      That's basically same thing as putting car owner in jail because someone who leased it, broke the law. Even when the person who leased, is known.

      It's obvious that DoJ isn't after the data itself, they are after _everything_ in those servers and that's totally illegal by any European law. And of course DoJ knows this, they aren't stupid. But they are insane, basically starting a trade war just to extend their own power to global.

      That's literal power-hungry insanity.

      1. Charles 9 Silver badge

        Re: DoJ is insane.

        "That's basically same thing as putting car owner in jail because someone who leased it, broke the law. Even when the person who leased, is known."

        UNLESS the owner leased the car knowing that doing so would result in a crime. It's called Complicity.

  14. Tom 7 Silver badge

    This could require a bowl of freshly made popcorn

    The US says MS has to cough up, and the EU fines them out of existence in Europe if they do.

    Might be worth shorting a few shares here.

    1. steward

      Re: This could require a bowl of freshly made popcorn

      MS and every other major computer company from the US West Coast relocates to Ireland. Simple, really.

      1. Doctor Syntax Silver badge

        Re: This could require a bowl of freshly made popcorn

        "MS and every other major computer company from the US West Coast relocates to Ireland."

        Not necessarily Ireland. I'm sure there are some really hi-tech centres on Caribbean islands or other places with a warmer climate than Ireland's. It would be a terrible imposition on senior management to have to live in such places but I'm sure a hefty pay rise would take care of that.

        Seriously, the shutters could well start to come down on data transfers to US companies, especially where the EU is involved. When Schrems 2.0 deals with the Privacy Figleaf it could become very difficult to cobble together a replacement. Companies based in the US would have to start looking at the longest possible arm's length arrangements. Leaving the US could well be an option. Cue nostalgia for the days when the US had a tech industry before Trump made America great again.

        1. Anonymous Coward
          Anonymous Coward

          Re: This could require a bowl of freshly made popcorn

          What happens if they decide to leave the EU instead because they might run afoul of Asian companies or whatnot? Leave 1 billion or leave 3 billion?

  15. Marketing Hack Silver badge

    Good luck, MS!

    Jeez, am I really wishing MS well? Politics and strange bedfellows I guess.

    I'd really rather not have a world where every government can fire off warrants and letters to get access to data on overseas servers. That would get chaotic and tyrannical pretty quickly. So I hope The Supremes say no to this request from the DoJ.

  16. Anonymous Coward
    Anonymous Coward

    All your base...

    ... are belong to US(of A)

  17. razorfishsl

    Yep the Americans, using American law to gain access to the data,

    then saying since it is NOT America they don't need to follow the law and get an American warrant to read the data.

  18. asdfasdfasdf2015

    mega?

    didn't they already do this when they shut down mega? some of their stuff was in Canada
