back to article Microsoft: Yes, we agree that Irish email dispute is moot... now what's this new warrant about?

The four-year court battle between the US government and Microsoft over the release of emails held in the software giant's data centre in Ireland has come to an end – of sorts. Microsoft HQ in Redmond issued a motion with the Supreme Court late yesterday backing the government's request that the case be dismissed as moot, …

  1. Clockworkseer

    Malicious Compliance

    "Yes, we agree our old objection no longer applies, but as this is a new request, you must now jump through all our usual hoops again."

    Like most things, the power can be used for good or evil (see also: filibustering.)

  2. }{amis}{
    Flame

    Shots Heard

    And the CLOUD was dragged out behind the barn shots heard......

    Seriously I cant see how its possible to resolve GPDR and the CLOUD act.

    If my boss asked me tomorrow about migrating to the cloud i would have to say i wont touch that legal mire with a 17' battle lance.

    Given the potential company slaying fines of GPDR VS the possible (and much smaller than amazon and co would say) cloud savings are just not worth it.

    1. JohnFen

      Re: Shots Heard

      Yes. Nothing screams "avoid the cloud at all costs" like the CLOUD act does.

    2. Adam 52 Silver badge

      Re: Shots Heard

      "Seriously I cant see how its possible to resolve GPDR and the CLOUD act."

      Then you really should read the GDPR, because your problem is explicitly resolved in it - see Article 48.

      But better would be the UK Data Protection Act which takes the national opt-out allowing the US (or any other country) to ask for data without breaching GDPR.

      1. Rob D.

        Re: Shots Heard

        But doesn't Article 48 confirm rather than resolve a conflict between GDPR (the third country can go take a running jump) and third country legislation like CLOUD (don't care which country it's in, as a company operating in the US you have to cough up the data).

        Get the popcorn out for that first defence (should that be defense): "Sorry, US Supreme Court, but I can't provide the information for this warrant because the Europeans wouldn't be happy."

  3. big_D Silver badge

    The new warrant was still issued in America and the data is held on Irish soil and beholden to Irish and EU laws, therefore it is irrelevant what the CLOUD Act says, the local laws have priority and if Microsoft hand over the data, they will be in breach of EU data protection laws and the Microsoft Ireland executive, who own the servers and the responsibility for the data on them, will face heavy fines (possibly multiple billion dollar) and possible imprisonment...

    1. EricM

      and the Microsoft Ireland executive, who own the servers and the responsibility for the data on them, will face heavy fines

      Probably not only the executive, but maybe also employees involved in what is - from en EU legal perspective, where the employees are living - violation of EU law.

    2. Ben Tasker

      Plus, if MS take a while to evaluate the warrant, and then object to some or all of it, it drags the timeline out.

      Meaning, GDPR would likely be in force when they complied with the warrant. The only way they could avoid that, would be to comply swiftly and fully, but they've then set a precedent for themselves with any future warrants.

      Rock and a hard place I'd say

    3. ACZ

      I seem to recall that part of the reason why MS were able to resist the original warrant (and why e.g. Google weren't in other cases) was that they had compartmentalized things and that MS (USA) wasn't actually in control of the data.

      Irrespective, the Data Controller at MS (Republic of Ireland) is responsible for safeguarding the data located in the RoI under local (EU) laws, and so they should be able to block any request for the data from the US Gov via MS (USA).

      It'll be interesting to see how this one pans out...

  4. Roj Blake Silver badge

    What Does This Mean in Practice?

    Are MS going to hand over the data, or aren't they?

    1. Anonymous Coward
      Anonymous Coward

      Re: What Does This Mean in Practice?

      Perhaps they already have. Quietly of course, as they can't be seen to have openly violated any EU laws.

      If the data was regarding someone who is not an EU citizen, then they presumably repatriated the data back to the USA, then obeyed the warrant.

    2. Mike Ozanne

      Re: What Does This Mean in Practice?

      "Are MS going to hand over the data, or aren't they?"

      They'll state that the legal entity holding the data is not the legal entity on which the CLOUD warrant is served and that Irish/EU law prevents any data being released unless and until the DoJ goes to an Irish court and obtains an Irish warrant by Irish standards of reasonable suspicion/probable cause against the correct legal entity. Just like they should have done 4 shagging years ago.

      1. Keith Langmead

        Re: What Does This Mean in Practice?

        "Just like they should have done 4 shagging years ago."

        I wonder if the legal separation is the same now as it was four years ago, or has been made more legally water tight in the mean time. If it's changed then presumably with the previous warrant they'd still have needed to argue in court based on the state of things when it was issued. Now it's a new warrant then that resets, and any legal arguments can be made on how things are done now rather than years ago.

      2. Dr. Mouse

        Re: What Does This Mean in Practice?

        "goes to an Irish court and obtains an Irish warrant by Irish standards of reasonable suspicion/probable cause against the correct legal entity. Just like they should have done 4 shagging years ago."

        This is the galling thing about it all*. If they want the data and have a good reason for it, all they had to do is follow due process and asked the Irish government to get it for them. By now, they would probably have had it (assuming they did have a good enough reason, of course).

        Instead, what they're doing is saying "We want it, so we'll change our own laws and assume that makes it OK by every other country". Cockwombles, the lot of 'em!

        * Although not at all surprising, seeing as Murkha always seems to think it's above everyone else's laws.

        1. onefang

          Re: What Does This Mean in Practice?

          'Instead, what they're doing is saying "We wants it, we needs it. Must have the precious. They stole it from us. Sneaky little Microsoftses. We will be wicked, tricksy, false!". '

          FTFY

      3. scrubber

        Re: What Does This Mean in Practice?

        "Just like they should have done 4 shagging years ago."

        Indeed, however they don't give a damn about this data, what they want is the ability to tell American (owned) companies to pony up any data they have without having to go through unfriendly foreign courts.

        This could cause a few ripples in the banking world. It may even mean companies leaving America as their nominal country in order to avoid this law.

  5. Anonymous Coward
    Anonymous Coward

    Don't expect the EU to save us:

    "But the EU is pressing for similar powers in its forthcoming proposal despite wider reforms launched by the Council of Europe, a human rights watchdog, to streamline MLATs."

    Source:

    https://euobserver.com/justice/141446

    1. EricM

      But the EU is pressing for similar powers

      *shrug*

      Every country can assume its laws to apply globally. Or even make a new law to that effect.

      The question is how much inclined other countries are to share that viewpoint and act accordingly.

      The cloud act basically puts foreign employees of US companies in a conflict between following company direction or local laws.

      I would recommend everyone involved to see a lawyer before following one of the two in case of a conflict.

      Similar dumb legislation on EU side will just have similar effects.

      1. Velv

        The cloud act basically puts foreign employees of US companies in a conflict between following company direction or local laws.

        Most countries have laws that protect employees from the company ordering them to undertake illegal activity.

        1. Anonymous Coward
          Anonymous Coward

          "The cloud act basically puts foreign employees of US companies in a conflict between following company direction or local laws"

          Perhaps more interesting is the dilemma facing US citizens employed at data centres in foreign countries - break local law by giving up the data or break US law by refusing to do so. Nothing in between (apart from resigning, I suppose).

      2. Voland's right hand Silver badge

        Every country can assume its laws to apply globally. Or even make a new law to that effect

        Not every country has nuclear aircraft carriers. Ever heard of gunboat diplomacy?

  6. mark l 2 Silver badge

    I wonder what is actually happening with the person who the data is actually referring to during all this? Are they currently locked up waiting for the police to get the data to see if there is any evidence to convict them in court or are they out on bail?

  7. wallaby

    whilst companies are run by .......

    accountants \ idiots \ both (delete as applicable), they will still continue to farm out data storage into the "Cloud".

    Its bout time companies realise that saving a few quid today could cost them heavily in the future.

    Bring it all back in house, then you only have yourself to blame - data is often the life blood of a company, its too valuable to let someone else have control over it.

  8. IamStillIan

    US legal position

    So complying with a US law will mean violating EU law. That comes with a set of follow up quetsions:

    1. Is there anything in US law which permits "we can't do that, it'd be against someone else's law" as a defence?

    2. If Microsoft refuses to comply, gets fined, and still refuses to comply, can it continue to be punished or is that the end of the matter?

    3. Is there a limit to what they could be fined? Basically, on a pure buiness costs basis, what makes more sense, breaking GDPR or braking CLOUD?

    1. Ben Tasker

      Re: US legal position

      > 3. Is there a limit to what they could be fined? Basically, on a pure buiness costs basis, what makes more sense, breaking GDPR or braking CLOUD?

      I would guess, breaking CLOUD makes more sense. If they breach GDPR then there's obviously the whopping fine, but there's another element to it. If they show that they simply cannot abide by GDPR (due to US domestic laws) there's also the loss of business to factor in.

      No European business could use theire services for anything which might fall under GDPR without putting themselves at risk. Taken to the extreme, it'd essentially push them out of the European market completely.

      1. elgarak1

        Re: US legal position

        This is a good place to reminding everyone that Microsoft already offers special business plans of Office 365 for Germany, with all the cloud stuff located on servers located in Germany, with components removed where data transferral outside of Germany cannot be guaranteed, ostensibly all under German law.

        Would I trust them that this data is safe from US snooping? Hell, no.

        But if were the legal or compliance officer of a German company, or as a German would be forced to get an Office 365 plan, I would as hell get this over the 'normal' Office 365 plans.

    2. Ryan 7

      Re: US legal position

      MS (USA): Hand over the data.

      MS (Ireland): No.

      MS (USA): You're fired.

      EU employment law: No.

      MS (USA), to Mr. FBI: Suggestions?

      1. Anonymous Coward
        Anonymous Coward

        I have complete confidence in Microsoft

        being able to keep data out of the hands of just about anyone, I can only find my own documents on my laptop half the time and I've never found the right publicly available data using Bing.

        1. Alan Brown Silver badge

          Re: I have complete confidence in Microsoft

          " I've never found the right publicly available data using Bing."

          Except when looking up Mr NT1 and Mr NT2, of course.

  9. I am the liquor

    Moot

    You keep using that word. I do not think it means what you think it means.

    1. John H Woods Silver badge

      Re: Moot

      "You keep using that word. I do not think it means what you think it means." -- I am the liquor

      I think it means what I think they think it means, what do you think they think it means, and what do you think it means?

    2. DavCrav

      Re: Moot

      I think it means no longer legally relevant as the law has changed. Do you think it means unable to speak?

      1. I am the liquor

        Re: Moot

        It means debateable or subject to discussion. A moot being a sort of Anglo-Saxon town council meeting.

        Americans like to use it when they mean "irrelevant". It seems unfair to blame Americans for using the English language wrongly; they can't really help it after all. But I don't think Rebecca Hill has that excuse.

        1. John H Woods Silver badge

          Re: Moot

          "It means debateable or subject to discussion. A moot being a sort of Anglo-Saxon town council meeting."

          Not in American Law it doesn't. Pretty sure the Supremes use it in the other sense of having little bearing on the debate, the second sense to which you refer

          "I don't think Rebecca Hill has that excuse."

          On the contrary, it would be perverse for her to insist on the British meaning when she is writing about an American legal case: the actual submission uses the word moot.

          1. sean.fr

            Re: Moot

            The legal sense it is a question suitable for a moot court. Normally an issue not already get determined definitively by a court or a issue without consequence and suitable for debate. A moot court being in effect is a mock court or public debate. Commonly a training lawyer and others. This is sense used in "Friends" making it more popular in the non lawyer world. Sadly the dispute over the word moot occurs as some listener hear mute - silent rather than moot mean public/crowd or some think others confound moot and mute.

            Any online legal dictionary will clarify this easily enough. The original point is moot as it notably for not being settle in court. It is without consequence, because the new law will apply to future cases.

    3. Mephistro
      Coat

      Re: Moot

      "Moot: The noise made by a cow that has swallowed a vuvuzela."

      You're welcome!

  10. Tony J Smith

    Microsoft made $90 bn in revenue last year. Ignoring potential issues with large parts of that being made by subsidiary companies, the maximum fine under the GDPR is 4% of global revenue, which would equate to a potential $3.6 bn (or €2.92 bn) fine, if using the figure for overall revenue. Ouch. I'd imagine there'd be sections of the EU bureaucracy quite happy to levy such a fine as a warning to all others about what happens when you fail to comply with the GDPR. It would make for a very effective message.

    1. P. Lee
      Big Brother

      >Ignoring potential issues with large parts of that being made by subsidiary companies, the maximum fine under the GDPR is 4% of global revenue, which would equate to a potential $3.6 bn (or €2.92 bn) fine, if using the figure for overall revenue.

      My guess would be that they would spin up a completely new company - not a subsidiary - and then use licensing (per end-user fees) or an intermediate sales-only company which just orders services from a "local cloud provider" to extract the revenue.

      I don't think this is difficult. The local cloud company would have a support contract with MS-US but would be managerially and share-wise independent from the US.

  11. scrubber

    CLOUD???

    I wish they'd called this the SUDO Act. Secure Unseen Documents Overseas Act.

    FBI: Give me the data.

    MS: No.

    FBI: SUDO give me the data.

    MS: Here you go.

  12. Franco

    It seems lawmakers (all over the world, not just in the US) are determined to hamstring any form of electronic communication or data storage in the name of preventing crime and/or terrorism (IIRC this case started over drug dealing)

    I'd like to think that EU law would "save" us from this as RIPA has already been found to be illegal at least until we leave the EU, but I am absolutely 100% certain that if the DoJ get their way here GCHQ and every equivalent agency across Europe will have lightbulbs switching on over their heads.

    Meanwhile, as an IT Contractor, I see a bright future undoing all the cloud migrations I've been working on for the past 3 years.

  13. Neoc

    --The DoJ noted this in its motion, complaining that Microsoft had "refused to acknowledge" that the CLOUD Act applied to the existing warrant--

    Well, DUH! The warrant was issued *before* the CLOUD act and thus operates under the provisions of the old set of Laws. It just makes the DoJ look like a bunch of little kids before they (eventually) did the proper thing and issued a *new* warrant under the *new* Laws.

  14. Dodgy Geezer Silver badge

    The way things work with US Extra-Territoriality......

    ... is the same way they apply their tax laws in other jurisdictions.

    " We have passed a law in Congress that says:

    1 - every country in the world has to obey this law

    2 - if they don't then their assets in the US get confiscated, and

    3 - they never get to export or work in the US or on US projects again."

    So... if your business has ANY international connections that include the US, you must obey them. If push comes to shove, the US are quite capable of going after your suppliers, and their suppliers, to ensure that the only work you can do is growing your own food with no agri-chemicals or power tools...

  15. Anonymous Coward
    Anonymous Coward

    I should'a guessed

    Ahhh the old piss around for too long trick

    I should'a guessed

  16. Chairman of the Bored

    I do not understand something

    US Constitution forbids ex post facto laws: see Article 1, Section 9, Clause 3 (federal laws) and Article 1, Section 10 (state laws). Indeed one of the major gripes the colonists had about England was the crown's propensity to retroactively make sundry things illegal and then subject people to judgement... Hence the explicit constitutional language.

    So in this case it sounds like the fed wants Microsoft to bend over and submit to the CLOUD act even though the CLOUD act post dates creation of the data in question? Wouldn't that make any information so obtained a poisoned well for any subsequent criminal charges?

    If anyone wants a perfectly good constitution, go ahead and take ours. We haven't used it in years.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like