European Commission intervenes in Microsoft Irish data centre spat The European Commission has stepped into the ongoing battle between Microsoft and the US government to make sure European laws are “correctly understood”. The case, which kicked off in 2014, saw the US Department of Justice take Microsoft to court over the firm’s refusal to hand over emails held on servers in Ireland. The …
Should your cloudy data be accessible by:
- only you,
- your government, based on your residence,
- your government, based on your nationality,
- a government based on the residence of your service provider,
- all the governments that ask nicely, or forcefully,
- everybody?
We used to have some idealistic notions in the 'Western World' that everybody should have a right to privacy and some protection against arbitrary persecution. Our governments now make it quite clear, that their ideal societies don't require such niceties. Fair play, after all, is only important if you want to denounce the other players. Maybe it'll come back when/if China is identified as serious competitor in the international PR wars.
When you see that a random world government is buying and badly deploying cyber-weapons, before what they do next to the journo’s or interested motivated citizens or - let’s just call them ‘targets’
Should targets get privacy? An interesting debate.
https://www.bleepingcomputer.com/news/security/ethiopian-cyber-spies-left-spyware-operational-logs-on-public-web-folder/
(According to the IMF.org, Ethiopia is #169 down the list of world’s richest countries - yet they are able to afford fake digital certificates etc, presumably we could therefore name another 168 nations that are at full cyberwar status with their populace?)
"The DoJ added that, “if an actual conflict of laws were to arise, our judicial system is equipped to handle that scenario."
US courts have a dismal history when it comes to upholding even basic international law.
As well as the many trade disputes they have incorrectly ruled on, think of even fundamental things like the subset of Geneva Conventions the US signed, that the USA pledged its national honor to uphold.
What happened at Mi Lai? To heck with anyone's laws but their own.
I wish the European Commission luck in getting any US court to listen to it.
"I wish the European Commission luck in getting any US court to listen to it."
In this case that's covered by the GDPR. If Microsoft gives up data protected under EU law the fines are massive and executives could be imprisoned. Contempt of court fines in the US would be a tiny blip on the radar in comparison.
And anyway, Microsoft have subsequently adjusted their data access processes so that EU data cant be viewed by US employees without an approval by an EU based employee.
Clearly the US can make any laws it likes, US courts will enforce them, and US entities must follow them.
However, the result of the current laws are that US companies will be unable to do business in Europe (and maybe other parts of the world) due to conflicts of laws. This isn't the first time such laws have been made (for example, in 1977 the US passed a law preventing US companies complying with the Arab boycott of Israel, which impacted US companies' business in Arab countries). Usually these are then fudged. It is pleasing that in this case the DoJ has overplayed its hand and ended up likely to see a Supreme Court judgement supporting it but destroying the current fudge enabling US business in Europe.
I am guessing that as soon as the judgement is delivered, the real US powers (corporations) will call in the government and tell them to fix it.
"However, the result of the current laws are that US companies will be unable to do business in Europe"
I guess they will move to the EU then. It is after all a larger market both in terms of population and GDP.
So so. First, relocating the data to a US server does not violate privacy, because they're not showing the data to anybody yet. Then, revealing data on a US server to the US government happens outside of Europe, so Europe law does not apply? Hmm. I wonder if there should be some kind of contempt of court for claiming such bullshit.
Maybe Europe should simply forbid private data to be stored outside of the EU?
I think they'll find the EU disagrees pretty strongly with that first 'creative' assumption on the part of the Department of Jerks.
It's beyond me why they haven't fired the idiot who keeps pushing this. It's clear international data transfers and privacy are matters to be decided at the diplomatic and treaty level. Indeed in this case I believe the mechanism already exists but instead of using it someone at the DoJ has made a decision to waste millions of US tax payers money persuing it.
Time to go and watch Team America: World Police again!
First, relocating the data to a US server does not violate privacy, because they're not showing the data to anybody yet. Then, revealing data on a US server to the US government happens outside of Europe, so Europe law does not apply?
Extraordinary rendition of data, basically. Given that the USA has admitted using precisely the same logic to facilitate torturing people without the courts finding fault[1], I don't hold out much hope that they'll suddenly have a Damascene conversion faced with a data privacy issue.
[1] That breaking even the most basic laws via jurisdiction shopping is perfectly fine with the US Judiciary is clearly illustrated by the fact that Federal prisons are not currently playing host to half the Bush era CIA.
"First, relocating the data to a US server does not violate privacy, because they're not showing the data to anybody yet."
It breaks EU law already though unless there is specific informed consent from the user to move the data so AND appropriate protection of the data is in place. That's what matters here. Things get very expensive very quickly for US companies that don't obey EU data protection rules under the GDPR.
"It breaks EU law already though unless there is specific informed consent from the user to move the data so AND appropriate protection of the data is in place. "
But isn't this about the US wanting data from a US citizen who is resident in the US but the account and data is held on a server in an MS data centre in Ireland? That get's even more complicated, but the US seems to be indicating that not only is that not a problem, but the implication is that *any* data that get's legally transferred to the US is then fair game.
Privacy Shield (or whatever it's called this week) anyone? I know most of us here know it's a fig leaf and that's it's currently being challenged, but this US court case has the potential to render it null and void anyway.
"But isn't this about the US wanting data from a US citizen who is resident in the US but the account and data is held on a server in an MS data centre in Ireland? "
Quite possibly, but if the data is in the EU then it's protected by EU privacy law.
Moving data outside of the EU without explicit permission is considered under law to be effectively disclosing it. Hence why this European Commission intervention was required as the DOJ obviously haven't even bothered to research the basics.
"The government could exercise discretion to pursue alternate channels, where available.”
What an utterly pathetic excuse. The mechanism was open to them from the start.
The amicus brief should be simple and to the point: if the DoJ wins the Privacy Figleaf is torn down and never replaced.
"Does this include a limited physical presence and facilitation of regime change?"
It involves existing treaties which exist for this purpose and which require TPTB to get a warrant from an Irish court. In order to do that they have to put together a convincing case as to why they think they should get the data.
You may wonder why they haven't done this. They don't have a case? They don't want to disclose their case? Warrants are for little people? Due process of law is for little people?
It involves existing treaties which exist for this purpose and which require TPTB to get a warrant from an Irish court. In order to do that they have to put together a convincing case as to why they think they should get the data.
You may wonder why they haven't done this.
I'd guess that if they (the DOJ) win, for future investigations they will know that they won't need to go through the international hassles and can just force a cloud provider to provide the data under US law. If they win they have set a precedent for the future.
Yes, the USA thinks their laws apply to the World. But only when it suits them (like no level playing field for non-USA companies and ignore rights of non-US people and almost Diplomatic status for US soldiers abroad).
It seems reasonable to me that search warrants should be limited to the jurisdiction of the court making the order. How about an order to perform an action? Could the court order Microsoft, which is in the court's jurisdiction to move something that they control into the court's jurisdiction in order tp make the search warrant valid?
IIRC, MS Ireland (or whatever the company is called) is a separate entity from MS USA and provides services to MS USA but pays licensing fees to call itself MS and use MS IP, but probably to a separate MS company that manages licensing and IP from a tax haven low tax jurisdiction (such as Ireland)
"Could the court order Microsoft, which is in the court's jurisdiction to move something that they control into the court's jurisdiction in order tp make the search warrant valid?"
Well they could order it, but it would break EU law to do it. And they could be fined up to 10% of global turnover per incident! And those actioning it could be imprisoned.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
