Malicious Compliance
"Yes, we agree our old objection no longer applies, but as this is a new request, you must now jump through all our usual hoops again."
Like most things, the power can be used for good or evil (see also: filibustering.)
The four-year court battle between the US government and Microsoft over the release of emails held in the software giant's data centre in Ireland has come to an end – of sorts. Microsoft HQ in Redmond issued a motion with the Supreme Court late yesterday backing the government's request that the case be dismissed as moot, …
And the CLOUD was dragged out behind the barn shots heard......
Seriously I can't see how it's possible to resolve GDPR and the CLOUD act.
If my boss asked me tomorrow about migrating to the cloud I would have to say I won't touch that legal mire with a 17' battle lance.
Given the potential company-slaying fines of GDPR vs. the possible (and much smaller than Amazon and co would say) cloud savings, it's just not worth it.
"Seriously I can't see how it's possible to resolve GDPR and the CLOUD act."
Then you really should read the GDPR, because your problem is explicitly resolved in it - see Article 48.
But better would be the UK Data Protection Act which takes the national opt-out allowing the US (or any other country) to ask for data without breaching GDPR.
But doesn't Article 48 confirm rather than resolve a conflict between GDPR (the third country can go take a running jump) and third country legislation like CLOUD (don't care which country it's in, as a company operating in the US you have to cough up the data)?
Get the popcorn out for that first defence (should that be defense): "Sorry, US Supreme Court, but I can't provide the information for this warrant because the Europeans wouldn't be happy."
The new warrant was still issued in America and the data is held on Irish soil and beholden to Irish and EU laws, therefore it is irrelevant what the CLOUD Act says; the local laws have priority, and if Microsoft hand over the data they will be in breach of EU data protection laws, and the Microsoft Ireland executives, who own the servers and the responsibility for the data on them, will face heavy fines (possibly multi-billion dollar) and possible imprisonment...
Plus, if MS take a while to evaluate the warrant, and then object to some or all of it, it drags the timeline out.
Meaning, GDPR would likely be in force when they complied with the warrant. The only way they could avoid that, would be to comply swiftly and fully, but they've then set a precedent for themselves with any future warrants.
Rock and a hard place I'd say
I seem to recall that part of the reason why MS were able to resist the original warrant (and why e.g. Google weren't in other cases) was that they had compartmentalized things and that MS (USA) wasn't actually in control of the data.
Irrespective, the Data Controller at MS (Republic of Ireland) is responsible for safeguarding the data located in the RoI under local (EU) laws, and so they should be able to block any request for the data from the US Gov via MS (USA).
It'll be interesting to see how this one pans out...
"Are MS going to hand over the data, or aren't they?"
They'll state that the legal entity holding the data is not the legal entity on which the CLOUD warrant is served and that Irish/EU law prevents any data being released unless and until the DoJ goes to an Irish court and obtains an Irish warrant by Irish standards of reasonable suspicion/probable cause against the correct legal entity. Just like they should have done 4 shagging years ago.
"Just like they should have done 4 shagging years ago."
I wonder if the legal separation is the same now as it was four years ago, or has been made more legally watertight in the meantime. If it's changed then presumably with the previous warrant they'd still have needed to argue in court based on the state of things when it was issued. Now it's a new warrant then that resets, and any legal arguments can be made on how things are done now rather than years ago.
"goes to an Irish court and obtains an Irish warrant by Irish standards of reasonable suspicion/probable cause against the correct legal entity. Just like they should have done 4 shagging years ago."
This is the galling thing about it all*. If they want the data and have a good reason for it, all they had to do was follow due process and ask the Irish government to get it for them. By now, they would probably have had it (assuming they did have a good enough reason, of course).
Instead, what they're doing is saying "We want it, so we'll change our own laws and assume that makes it OK by every other country". Cockwombles, the lot of 'em!
* Although not at all surprising, seeing as Murkha always seems to think it's above everyone else's laws.
"Just like they should have done 4 shagging years ago."
Indeed, however they don't give a damn about this data, what they want is the ability to tell American (owned) companies to pony up any data they have without having to go through unfriendly foreign courts.
This could cause a few ripples in the banking world. It may even mean companies leaving America as their nominal country in order to avoid this law.
But the EU is pressing for similar powers.
*shrug*
Every country can assume its laws to apply globally. Or even make a new law to that effect.
The question is how much inclined other countries are to share that viewpoint and act accordingly.
The cloud act basically puts foreign employees of US companies in a conflict between following company direction or local laws.
I would recommend everyone involved to see a lawyer before following one of the two in case of a conflict.
Similar dumb legislation on EU side will just have similar effects.
"The cloud act basically puts foreign employees of US companies in a conflict between following company direction or local laws"
Perhaps more interesting is the dilemma facing US citizens employed at data centres in foreign countries - break local law by giving up the data or break US law by refusing to do so. Nothing in between (apart from resigning, I suppose).
accountants \ idiots \ both (delete as applicable), they will still continue to farm out data storage into the "Cloud".
It's about time companies realise that saving a few quid today could cost them heavily in the future.
Bring it all back in house, then you only have yourself to blame - data is often the lifeblood of a company, it's too valuable to let someone else have control over it.
So complying with a US law will mean violating EU law. That comes with a set of follow-up questions:
1. Is there anything in US law which permits "we can't do that, it'd be against someone else's law" as a defence?
2. If Microsoft refuses to comply, gets fined, and still refuses to comply, can it continue to be punished or is that the end of the matter?
3. Is there a limit to what they could be fined? Basically, on a pure business costs basis, what makes more sense, breaking GDPR or breaking CLOUD?
> 3. Is there a limit to what they could be fined? Basically, on a pure business costs basis, what makes more sense, breaking GDPR or breaking CLOUD?
I would guess, breaking CLOUD makes more sense. If they breach GDPR then there's obviously the whopping fine, but there's another element to it. If they show that they simply cannot abide by GDPR (due to US domestic laws) there's also the loss of business to factor in.
No European business could use their services for anything which might fall under GDPR without putting themselves at risk. Taken to the extreme, it'd essentially push them out of the European market completely.
This is a good place to remind everyone that Microsoft already offers special business plans of Office 365 for Germany, with all the cloud stuff located on servers located in Germany, with components removed where data transferral outside of Germany cannot be guaranteed, ostensibly all under German law.
Would I trust them that this data is safe from US snooping? Hell, no.
But if I were the legal or compliance officer of a German company, or as a German would be forced to get an Office 365 plan, I would sure as hell get this over the 'normal' Office 365 plans.
It means debatable or subject to discussion. A moot being a sort of Anglo-Saxon town council meeting.
Americans like to use it when they mean "irrelevant". It seems unfair to blame Americans for using the English language wrongly; they can't really help it after all. But I don't think Rebecca Hill has that excuse.
"It means debatable or subject to discussion. A moot being a sort of Anglo-Saxon town council meeting."
Not in American Law it doesn't. Pretty sure the Supremes use it in the other sense of having little bearing on the debate, the second sense to which you refer.
"I don't think Rebecca Hill has that excuse."
On the contrary, it would be perverse for her to insist on the British meaning when she is writing about an American legal case: the actual submission uses the word moot.
The legal sense is a question suitable for a moot court. Normally an issue not already determined definitively by a court, or an issue without consequence and suitable for debate. A moot court being in effect a mock court or public debate, commonly for training lawyers and others. This is the sense used in "Friends", making it more popular in the non-lawyer world. Sadly the dispute over the word moot occurs as some listeners hear mute - silent - rather than moot, meaning public/crowd, or some think others confound moot and mute.
Any online legal dictionary will clarify this easily enough. The original point is moot as it is notable for not being settled in court. It is without consequence, because the new law will apply to future cases.
Microsoft made $90 bn in revenue last year. Ignoring potential issues with large parts of that being made by subsidiary companies, the maximum fine under the GDPR is 4% of global revenue, which would equate to a potential $3.6 bn (or €2.92 bn) fine, if using the figure for overall revenue. Ouch. I'd imagine there'd be sections of the EU bureaucracy quite happy to levy such a fine as a warning to all others about what happens when you fail to comply with the GDPR. It would make for a very effective message.
>Ignoring potential issues with large parts of that being made by subsidiary companies, the maximum fine under the GDPR is 4% of global revenue, which would equate to a potential $3.6 bn (or €2.92 bn) fine, if using the figure for overall revenue.
My guess would be that they would spin up a completely new company - not a subsidiary - and then use licensing (per end-user fees) or an intermediate sales-only company which just orders services from a "local cloud provider" to extract the revenue.
I don't think this is difficult. The local cloud company would have a support contract with MS-US but would be managerially and share-wise independent from the US.
It seems lawmakers (all over the world, not just in the US) are determined to hamstring any form of electronic communication or data storage in the name of preventing crime and/or terrorism (IIRC this case started over drug dealing).
I'd like to think that EU law would "save" us from this as RIPA has already been found to be illegal at least until we leave the EU, but I am absolutely 100% certain that if the DoJ get their way here GCHQ and every equivalent agency across Europe will have lightbulbs switching on over their heads.
Meanwhile, as an IT Contractor, I see a bright future undoing all the cloud migrations I've been working on for the past 3 years.
--The DoJ noted this in its motion, complaining that Microsoft had "refused to acknowledge" that the CLOUD Act applied to the existing warrant--
Well, DUH! The warrant was issued *before* the CLOUD act and thus operates under the provisions of the old set of Laws. It just makes the DoJ look like a bunch of little kids before they (eventually) did the proper thing and issued a *new* warrant under the *new* Laws.
... is the same way they apply their tax laws in other jurisdictions.
" We have passed a law in Congress that says:
1 - every country in the world has to obey this law
2 - if they don't then their assets in the US get confiscated, and
3 - they never get to export or work in the US or on US projects again."
So... if your business has ANY international connections that include the US, you must obey them. If push comes to shove, the US are quite capable of going after your suppliers, and their suppliers, to ensure that the only work you can do is growing your own food with no agri-chemicals or power tools...
US Constitution forbids ex post facto laws: see Article 1, Section 9, Clause 3 (federal laws) and Article 1, Section 10 (state laws). Indeed one of the major gripes the colonists had about England was the crown's propensity to retroactively make sundry things illegal and then subject people to judgement... Hence the explicit constitutional language.
So in this case it sounds like the fed wants Microsoft to bend over and submit to the CLOUD act even though the CLOUD act postdates creation of the data in question? Wouldn't that make any information so obtained a poisoned well for any subsequent criminal charges?
If anyone wants a perfectly good constitution, go ahead and take ours. We haven't used it in years.