Supreme Court punts on Microsoft email seizure decision after Cloud Act passes US Congress

The US Supreme Court has dodged a critical legal question about the reach of America's courts in the internet era, deciding to drop a test case between Microsoft and the Department of Justice. In a decision [PDF] on Monday, the Justices decided that the case, in which Microsoft refused to hand over to the Feds emails held on …

  1. sisk

    what happens when a company refuses to hand over content citing local laws?

    Isn't it a standing facet of international law that one nation cannot require an entity to violate the law of another? If not then it dang well should be.

    1. Jim Mitchell

      Good luck taking somebody to court for violations of "international law".

  2. Doctor Syntax Silver badge

    "The DoJ got their emails"

    Did they? I thought they were having to start again under the new law.

    1. 2Nick3

      Yep - new warrant issued, MS complied.

      1. Doctor Syntax Silver badge

        "MS complied"

        On what basis? If the objection previously was violation of another country's law and it's a basis for questioning a warrant under the new one why did they not play that card again?

        1. Anonymous Coward

          "If the objection previously was violation of another country's law"

          No, the objection was that they could and should get the data via a court order in Ireland. I am dubious that releasing the data was legal in Irish law, but they just made it before the GDPR took effect when it would definitely have been illegal.

    2. Jove Bronze badge

      The data has been handed over. The new legislation is what Microsoft was angling for all along - it can now claim to be acting within the law regarding data held overseas.

      Places such as Ireland might well want to assert the supremacy of both Irish and EU law, but is it man enough to risk the potential consequences to the profitable hosting services? Any nation that might try to hold out against the new USA law might find itself getting the same treatment as Tax Havens given the strength of opinion on the topic in the USA.

      1. Doctor Syntax Silver badge

        "Any nation that might try to hold out against the new USA law might find itself getting the same treatment as Tax Havens given the strength of opinion on the topic in the USA."

        Just think that statement out again. We're talking about hosting of EU residents' personal data. Why should any EU country give a damn about what the US thinks? Either they play by EU law or someone else takes their business. It's not the US treating the EU countries the same way as the US treats tax havens. It's the EU treating the US the same way as the US treats tax havens. If the US hasn't the wit to realise that it's their loss, not Europe's and on present evidence it doesn't. Either the US corporations set up their own arm's length operations or there'll be EU businesses eating their lunch in a few years' time. Possibly some of those EU businesses will be ex-US.

        Unfortunately, here in the UK, thanks to the numpties, we'll be stuck in the middle.

  3. Anonymous Coward

    How can Microsoft be happy?

    Sorry, I just don't get it. - Surely this news will hurt their Cloud business, or that was the perception hinted at before in past articles. A new law gets passed, it invalidates Microsoft's perceived right to protest. So MS recants and hands over the emails, and now Redmond are happy about it. WTF?

    1. Grikath

      Re: How can Microsoft be happy?

      They would be. The CLOUD act *will* be challenged sooner or later, but with the new DoJ seizure request under the act, they had a small window of opportunity to settle this without loss of face to either side. US politics being the minefield that it is at the moment, MS would *far* prefer the politically expedient solution than getting ready for another round on the barricades against the DoJ and everything else trying to wade in.

      This way they can claim "duress" even when CLOUD gets shot down eventually. And they can let other companies take up the Rock/Hard Place fight against the ....impossibilities.. within CLOUD without soaking up the initial costs. Until then they've dodged a particularly nasty bullet. Until the next shot is fired, of course.

      Not that I *agree* with the way they've solved this, but I can see where they can be happy about it, in a mercenary kind of way. It's 50/50 that the EU will get involved in this now, either directly, or by Asking Pointed Questions in the direction of Microsoft Ireland.

      1. Doctor Syntax Silver badge

        Re: How can Microsoft be happy?

        "US politics being the minefield that it is at the moment, MS would *far* prefer the politically expedient solution than getting ready for another round on the barricades against the DoJ and everything else trying to wade in."

        It could be a very short term solution. MS are selling Azure to European govts - certainly to the UK govt. Are they serious about wanting that business to continue? The US govt can come along demanding Top Secret information from the UK Azure cloud if a US citizen is involved somewhere along the line, however peripherally. Surely somebody's going to realise that isn't a good idea.

    2. Anonymous Coward

      Re: How can Microsoft be happy?

      If you read the CLOUD Act (only a couple of pages) it's actually not that bad. In this case I believe it was data belonging to a US citizen and therefore (according to the act) Ireland didn't get a say because it's "US internal business". If MS wasn't a US company it would have been different. GDPR will override that for personal data, but pretty much every other regulation overrides GDPR so it's likely that most jurisdictions will end up with provision for complying with CLOUD Act anyway and many already do. After all, Ireland all along were saying "just ask nicely and it's yours".

      Do bear in mind that Microsoft employ a LOT of legal folk in every jurisdiction. The Irish authorities will almost certainly have been consulted locally before Microsoft complied.

      My main disappointment here is that this process wasn't a bit more public as we're all now left making guesses and assumptions as to what happened and why MS complied.

  4. Tomato42

    MS wants to pay fines in the EU? They already forgot about the IE trials?

  5. OffBeatMammal

    So Uncle Sam's over-reach (and legal reach-around) continues to show what little respect they have for the rest of the world. Team America basically claim it's their way or the highway and every other Sovereign State isn't worthy. Legislation and Rulings like this are not just going to hurt Microsoft, but any other US based company doing business in overseas jurisdictions and makes a mockery of Data Sovereignty laws. You know sure as shit that the US would scream blue murder if they were on the receiving end of something like this from a Chinese or Russian Corporation (well, actually given the current incumbent in the White House who knows...)

    1. Nate Amsden

      MS already seems to have a model for operations overseas though. At least I recall in Germany the MS cloud is operated by a German telco and MS has no access to it at all.

      Another option is to use client side encryption. So you can give all of the data but the client has the key to unlock it (MS does not).

      I don't really care either way myself, I would not expect MS to be happy for the same reasons though.

      If anything it should hopefully boost the business going to smaller local service providers in Europe and slow the progress of Amazon/Google/MS clouds. (I say this as an American, though I do really not like any of those clouds anyway).

      1. Missing Semicolon Silver badge

        Local providers?

        Yet the UK government has just dumped a load of local providers in favour of AWS. Evidently the security of our data is not important....

        1. Yet Another Anonymous coward Silver badge

          Re: Local providers?

          You think GCHQ wouldn't hand over any data the NSA wanted anyway - in the name of cooperation?

      2. tom dial Silver badge

        Anyone who truly cares about secure communication should not trust Microsoft or any government to protect it. That necessarily entails the parties to the communication taking care of encryption and key security for themselves. Every method or procedure that relies on other people or organizations reduces security.

        1. Doctor Syntax Silver badge

          "Anyone who truly cares about secure communication should not trust Microsoft or any government to protect it."

          Make that "Microsoft or any other corporation".

  6. DoctorNine

    As has been noted...

    Imagining that cloud storage, or cloud computing in general, COULD ultimately be secure, indicates too much faith in encryption maths, and too little appreciation for just how hard the robin will work for a fat juicy worm...

    1. Yet Another Anonymous coward Silver badge

      Re: As has been noted...

      Imagining that unencrypted on-premises data is secure indicates too much faith in your OS, your router/firewall software, your operational security and the trustworthiness of your staff

      1. Peter Gathercole Silver badge

        Re: As has been noted...

        But ultimately, if the data is on your kit, in your buildings, you have the recourse of air gapping it, turning it off, putting it through a crusher et al. which will prevent any further data loss. Try getting any of the cloud providers to surrender or destroy the disks or tapes that have held your data when you move away from their service.

        You also have much more control about how the data is protected, rather than relying on the promises of one or more third parties, possibly in other countries.

        For example, you get to choose the number and type of security boundaries so that you are not so reliant on one single firewall, OS or network router/switch supplier, and you can vet your staff, and take appropriate disciplinary action if they go astray.

      2. Doctor Syntax Silver badge

        Re: As has been noted...

        "Imagining that unencrypted on-premises data is secure indicates too much faith in your OS, your router/firewall software, your operational security and the trustworthiness of your staff"

        That's a much shorter list than it would be for off-premises where you have to repeat that for your vendor's - or vendors' - premises and all the communications in between.

  7. Neoc
    Black Helicopters

    Hmmm...

    IT companies have let the USA Government open a can of worms.

    It has been common practice for a company (call it Amazapple) to create shell companies around the world in order to avoid paying taxes. The only reason this works is because, as a legal fiction, each company is supposedly a separate entity. So Amazapple USA can charge Amazapple UK for "using its services" which means Amazapple UK, come tax time, suddenly has little or no income to tax thanks to all those pesky fees.

    But if the USA DoJ now tries to maintain that it can force Microsoft USA into handing over data held by Microsoft IE, then the whole legal fiction comes crumbling down: the DoJ has, a priori, stated that MS USA and MS IE are the same entity as far as they are concerned.

    This means the Tax-evasion pass-the-buck cookie crumbles as Amazapple USA can now, de rigueur, be considered the same company as Amazapple UK and thus cannot charge itself in order to avoid paying taxes.

    IAMAL, so YMMV.

    1. Pascal Monett Silver badge

      Re: Hmmm...

      What I fail to understand is how the Tax Office can accept that MS USA pay fees to "another entity", while MS lumps profits and cash flow from all entities when it makes its earnings declaration to Wall Street.

      Sorry, if it's "another entity" for tax purposes, then you don't have the right to rope in that entity's profits for your earnings statement.

      Either that, or it's the same entity and your "fees" are bunkus.

      Come on, Tax Man, wake up !

      1. Roland6 Silver badge

        Re: Hmmm...

        "What I fail to understand is how the Tax Office (IRS) can accept that MS USA pay fees to "another entity", while MS lumps profits and cash flow from all entities when it makes its earnings declaration to Wall Street."

        Interesting, as it would seem the IRS has accepted it doesn't have jurisdiction outside of the USA; perhaps the Feds have yet to learn this simple lesson...

    2. Doctor Syntax Silver badge

      Re: Hmmm...

      "This means the Tax-evasion pass-the-buck cookie crumbles as Amazapple USA can now, de rigueur, be considered the same company as Amazapple UK and thus cannot charge itself in order to avoid paying taxes."

      An alternative take on this is that Amazapple UK* is a ready-made structure for a reverse takeover so that Amazapple US is left as a local sales operation, maybe, for arm's length sake, an independent franchise, and the real business has left the US to do business with the rest of the world.

      * Other non-US countries are available

  8. Nimby
    FAIL

    Split Personality

    It was bad enough when it was only screwing US citizens, but now it would seem to really be affecting everyone around the world. At the state level, you expect it. (Though it would be nice to normalize a tad more.) At the federal level however, one would expect better than this. One really wonders for just how much longer the Un-united States of America can continue to operate in this manner in today's global economy.

  9. Michael H.F. Wilkinson Silver badge

    And the real winners are:

    the lawyers!!

    No surprises there then. They tend to come out of everything smelling of roses (or formaldehyde, in the case of Mr Slant)

    1. Richard Gray 1
      Pint

      Re: And the real winners are:

      Up vote and pint for mentioning Mr Slant.

      and please use the proper lawyer term.. lawyers, Demon Spawn of the Seven Pits of Hell, Seeders of Evil, Corrupter of Man and a complete Wunch of Bankers

  10. Pascal Monett Silver badge

    "legal disputes over access to data on servers held outside the US"

    There is no dispute because you don't have access to data on servers held overseas. It's outside of your jurisdiction.

    So you ask for access. Politely.

  11. Franco

    MS are in a no-win situation here. I'll be surprised if both the Irish government and the EU don't protest a bit though.

    Were this a foreign power taking data out of the US though, Trump would have declared war by now.

    1. Anonymous Coward
      Joke

      Maybe Germany could ask Deutsche Bank for data about the Trump/Kushner family the next time he menaces duties on German cars...

  12. MJI Silver badge

    So have MS broken Irish or EU law?

    Have they?

    If so, fine them, heavily.

    1. Franco

      Re: So have MS broken Irish or EU law?

      No one seems to know on that one. Certainly it WOULD be illegal under EU law once GDPR kicks in.

      The Irish Government seemed happy enough to cooperate but they wanted the warrant filed under the MLAT system as it would have been for physical evidence. MS obviously don't think it is illegal or they wouldn't have complied.

  13. John70

    If all other countries create a "CLOUD Act", would the US be happy that data is handed over that was stored in the USofA?

    1. Boothy

      I guess that depends on how many local (to other countries i.e. not USA based corps), have cloud hosting services in the USA.

      1. Doctor Syntax Silver badge

        "I guess that depends on how many local (to other countries i.e. not USA based corps), have cloud hosting services in the USA."

        Not really. Just frame the laws so that it's sufficient that a company does business in the country.

  14. steviebuk Silver badge

    Makes no sense...

    ...surely MS could have continued to deny them access to the e-mails by citing EU privacy law in Ireland?

    No? (I don't know enough about the subject so could be wrong).

  15. Anonymous Coward

    GDPR

    This reminds me to ask you clever lot; as a UK minuscule micro business owner trying to work out GDPR and reading lots of guides but not really understanding which bits apply to me or not, if I, and my colleague have our main business email accounts on a US hosted server provided by a US company, are we obliged to migrate it all to an EU based server / provider by the 25 May to comply with GDPR, or do we just need to inform clients via our privacy policy that client data is stored or processed in the USA?

    Much appreciated.

    1. SImon Hobson Bronze badge

      Re: GDPR

      AIUI, it effectively becomes illegal to use non-EU providers come 25th May.

      At a previous place, I asked several times of the MD whether he discussed this issue with customers he was pushing over to Office 365. He just shrugged it off with "no problem, you can choose where the data is located". Given that MS has just handed over personal data held on a server in Ireland - thus proving that they DO have access to it - this becomes something of an issue.

      But even if MS did have the legal separation that they have claimed to have, with the US company physically unable to access data on Irish servers, access to them by customers involves elements under the control of the US parent.

      But until Privacy ShieldFigleaf gets struck down (which it will eventually), then companies will cite the protections in that to get away with it.

      It's going to get very interesting - as in the Chinese curse.

      1. Doctor Syntax Silver badge

        Re: GDPR

        "AIUI, it effectively becomes illegal to use non-EU providers come 25th May."

        Where does it say that?

        It says what your responsibilities are. If you think you can meet those with non-EU providers then fine. If you think you can't then find an EU provider. If your EU provider is breached and spills your customers' PII then you're in violation. If you take a contact email purely to arrange delivery and then, without explicit permission, use it to spam customers then you're in violation no matter where your provider is; in fact your marketing pestering department might be a bigger threat to your business than a non-EU provider.

        1. Anonymous Coward

          Re: GDPR

          Thanks for both your answers, appreciated.

        2. SImon Hobson Bronze badge

          Re: GDPR

          Where does it say that?

          It doesn't explicitly say that - but the inconvenient fact is that under US law it is IMPOSSIBLE for a US based business to (truthfully) provide the assurances required. Given what we now know about how the US authorities can, and do, tell businesses to "hand over this data, and BTW you cannot tell anyone" with what appears to be no effective oversight/control - it's just not possible for those businesses to provide realistic assurances about where the data may end up or what it may be used for.

          The fact that MS suddenly (as it seems) said "OK then, here's this data you wanted off our servers in Ireland" to the DoJ should be a big hint. They previously claimed that they could not physically access it - so were they lying about that ?

    2. Doctor Syntax Silver badge

      Re: GDPR

      "I, and my colleague have our main business email accounts on a US hosted server provided by a US company, are we obliged to migrate it all to an EU based server / provider by the 25 May to comply with GDPR, or do we just need to inform clients via our privacy policy that client data is stored or processed in the USA ?"

      You are required to process data in such a way as to keep it safe, not collect data you don't need,* don't keep it for longer than you need** and don't subsequently process it in some other way (e.g. being daft enough to spam your customers) for which you don't have the data subject's explicit informed consent.

      It's up to you to work out how best to achieve that. Presumably you're primarily concerned with the safe-keeping aspect. You need to assure yourself that your email provider has adequate safeguards in that respect. Can you do that, to your own satisfaction with your existing provider? Does your contract with your existing provider indemnify you for any fines you might experience under GDPR for any shortcomings on their side? (It's not the only way to reassure you but if they're prepared to sign up to that it indicates that they believe their systems are good enough or at least they have good insurance). Note that you'd have to assure yourself in the same way in respect of an EU provider but you might feel that the different legal frameworks make that assurance easier.

      But the bottom line is that GDPR determines your responsibilities in processing personal data of EU residents. How you fulfil those responsibilities is up to you and your skill and judgement. In that respect it's no different to any other aspect of your business, say taking customers' money in advance of providing goods and services, if that's what you do, or taking delivery from your suppliers before paying them. In each of those cases you, like any other business, have a responsibility not to defraud your customers but how you manage your financial affairs is up to you. Processing customer data within GDPR is going to be just another aspect of being in business.

      * The need is in terms of providing the goods or service for which the data was collected, not what your customer pestering department thinks they need.

      ** Ditto.

  16. steviebuk Silver badge

    Just start up....

    ...another company in the country you're in and call it your "data arm". So if MS really gave a shit they could start up "Storage Stuff (tm)-Steviebuk)". It would be a company registered only in Ireland and ONLY subject to their laws. Then MS can use it as their data centre (obviously it would just be their current data centre that they sold to Storage Stuff). Then the American government surely can't ask for shit. As MS could say "Yes, it may be a sister company but it is its own thing and was never registered as a company in America".

    Big companies do stuff like this all the time. Wasn't a certain company called Alphabet started up just to avoid tax? Or am I wrong about that? Hmm.

  17. Jay Lenovo

    Straw Man Data Company

    As long as the data in question travels without a passport, keeping it under the control of any one country is a futile exercise.

    Just make sure you can keep your criminals local.

  18. wessel21

    quite easy

    Just don't put your data into any US based company.

    Obviously they (US government) don't care about their country's future.
