back to article Microsoft Germany emerging from behind Deutsche Telekom cloud

Microsoft's Frankfurt and Berlin data centres will start shipping bits from the fourth quarter of 2019. Azure will be the first service to go live in the new regions, with Office 365 following in Q1 of 2020 and Dynamics later that year. The launch will bring Redmond and its customers into line with Germany's Cloud Computing …

  1. big_D Silver badge

    Not just GDPR

    The data centers in Germany were brought in because of the FISA requests, the Cloud Act and the farce that is Privacy Shield.

    The T-Systems run data center allowed MS personnel no access to the hardware, network or data, which meant that they could comply with US and EU laws - they could tell the US that they had no access to the German data and therefore couldn't hand it over, which in turn stopped them breaking EU law.

    Now, they will have to hand over the data on request, again...

    1. Lee D Silver badge

      Re: Not just GDPR

      Not quite

      Microsoft EU and US are two different companies.

      No formal request was ever filed in an EU court for access.

      The US just "expected" Microsoft US to be able to instruct Microsoft EU (an entirely different company) to comply with their demands even though such demands are illegal in the EU (without a court order saying otherwise).

      The US Supreme Court dropped their action because the Cloud Act came in which basically says "You will go through the proper EU channels if you want EU etc. data":

      https://www.theverge.com/2018/4/5/17203630/us-v-microsoft-scotus-doj-ireland-ruling

      That's something that could have ALWAYS happened.

      Cloud Act: "Principally, it asserts that U.S. data and communication companies must provide stored data for U.S. citizens on any server they own and operate when requested by warrant, but provides mechanisms for the companies or the courts to reject or challenge these if they believe the request violates the privacy rights of the foreign country the data is stored in"

      Microsoft (US) do not own or operate any servers in the EU. Microsoft (EU) do, and aren't subject to US jurisdiction unless an EU court rules as such.

      P.S. The Cloud Act applies only in the US. No other jurisdiction has ever signed up to it, or could, it's just not relevant. Still, Microsoft EU could refuse to produce data stored under EU laws.

      Nothing's changed. Business as usual. But now Microsoft (US) don't have a court case because their position is now clarified in (US) law.

      Ironically, since day one, if the US had just issued a request to the European Court stating their need and purpose for that information (the FBI was involved, so presumably serious), they could have easily obtained access to that data 100% legitimately at any time.

      Nobody has to hand data stored on an EU server to the US without an EU court order. And vice-versa.

      1. big_D Silver badge

        Re: Not just GDPR

        That is what always got me, there were always existing (legal) methods of getting the information, but the FBI seemed too lazy to pick up the phone and talk to their Irish counterparts to get an Irish warrant issued for the data, which would then be handed back.

        As to the Cloud Act, that is what I thought as well, but I keep reading that the clause about foreign laws was going to be dropped at the last minute. If it made it through, that is good news.

        1. Lee D Silver badge

          Re: Not just GDPR

          It doesn't matter.

          US courts can order people to break EU law to their heart's content.

          It still means that ANYONE complicit with that action is chargeable under EU law. Hence nobody stupid enough in the EU with access to such data would ever risk prison just to please their boss.

          Additionally, it's LITERALLY no different to saying "Microsoft US must produce Google South Africa's data". It's a nonsense, it's impossible, it can't be done, and nobody at Google South Africa, or Microsoft EU, could ever or would ever comply.

          It's like drafting a US law saying "It's fine, you can fly over to France and mug Europeans". Maybe the law could make that fine for US people in the US. But the second you go and do that in another jurisdiction, the French are going to have something to say about that, and your US court isn't going to be able to help you with the consequences.

          1. big_D Silver badge

            Re: Not just GDPR

            Theoretically yes. The FBI's position, which the court varyingly upheld and rejected, depending on the instance, in the original action was that Microsoft Eire is a subsidiary of Microsoft US and therefore Microsoft US could obtain the data with a US warrant.

            1. Lee D Silver badge

              Re: Not just GDPR

              And Microsoft Eire disagreed and it would take an EU court ordering them to do anything to make it legal.

              Microsoft US might even *go to jail* for not complying with the US order. But it's an order that's impossible to fulfill for them. Literally, any employee of Microsoft Eire who allowed, facilitated, permitted, assisted or even provided an avenue for Microsoft US to get such data is breaking the law in the country they live in. Whether before, during or after that court case. And as they are separate legal entities, they would not be able to actually co-operate to do anything anyway. No more than Microsoft could ask Google to "just give us your data".

              The US court could rule that Microsoft Eire is now a badger and the property of the US. Nothing would or could happen about that. The legal jurisdiction for such actions always did, still does, and probably always will end at the border of the US. If they want data from an EU company, they can write to the EU court. Or make ridiculous, unenforceable orders to their heart's content.

              And if Microsoft US could obtain the data with a warrant, for damn sure the FBI could apply for the same warrant and get it themselves (which is an argument you could use in court... why am I being required to act as your policeman over a third-party that you could serve yourself?).

              It always was a nonsense case. The Cloud Act doesn't change that in any way - in fact it recognises that position, gives such companies the right of appeal on that basis, and was the reason that the original case was shut down... because the Cloud Act existed to basically say "No, that's not how it works".

              1. Doctor Syntax Silver badge

                Re: Not just GDPR

                "Microsoft US might even *go to jail* for not complying with the US order. But it's an order that's impossible to fulfill for them. Literally, any employee of Microsoft Eire who allowed, facilitated, permitted, assisted or even provided an avenue for Microsoft US to get such data is breaking the law in the country they live in."

                The US court's position seemed to be that a US employee sitting in Redmond could directly access the Irish data centre without involving any Irish staff at all. They seemed to think that it could be mounted as an I: drive or something. The likelihood is that under the CLOUD Act they will assume that to be the case for the German data centre as well. I very much doubt that it will have done anything that makes customers of Microsoft or any other US-owned business safer; more likely just the opposite.

      2. anothercynic Silver badge

        Re: Not just GDPR

        Despite Microsoft EU being a different legal entity to Microsoft USA, the fact remains that even though the CLOUD Act was brought in, the US government will continue to assert that Microsoft EU is a subsidiary and under the ultimate control of Microsoft USA and that Microsoft USA can force Microsoft EU to comply. And the politicians in the zoo that is Congress will happily continue to conflate the issues and play off on this subtle difference despite being wrong just to score cheap points, just like our politicians continue to play off the worn-out idea of taxing turnover, not profit to do the same.

        This is the same overreach the US government likes to employ with its currency: "The fact alone that you quote prices in USD means you use our currency, which means you fall under our sanctions regulations". This is what cost Standard Chartered a LOT of money in US fines (because they facilitated payments in USD between Iran and non-US entities that were not subject to Iran sanction regulations) and why Iran changed all its oil contracts to EUR and CNY. Europe does not have that sanctimonious attitude, neither does China. And it is also this that has effectively forced everyone to stop doing business with Iran in the latest palaver despite the EU claiming it would protect legal entities within its borders.

  2. Mk4

    The US security services and law enforcement have never shown much respect for due process

    I can imagine that US authorities will try to stretch the boundaries of the CLOUD act. They have the foot in the door - now they will try to lever it open. I can imagine that they will try to put pressure on MS US to get data held by MS EU in any way they can.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like