Slashdot Mirror
Supreme Court Wrestles With Microsoft Data Privacy Fight (reuters.com)
Supreme Court justices on Tuesday wrestled with Microsoft's dispute with the U.S. Justice Department over whether prosecutors can force technology companies to hand over data stored overseas, with some signaling support for the government and others urging Congress to pass a law to resolve the issue. From a report: Chief Justice John Roberts and Justice Samuel Alito, both conservatives, hinted during an hour-long argument in the case at support for the Justice Department's stance that because Microsoft is based in the United States it was obligated to turn over data sought by prosecutors in a U.S. warrant. As the nine justices grappled with the technological complexities of email data storage, liberals Ruth Bader Ginsburg and Sonia Sotomayor questioned whether the court needed to act in the data privacy case in light of Congress now considering bipartisan legislation that would resolve the legal issue. A ruling is due by the end of June.
You should assume the answer is "yes" no matter what the court says. If you have data, don't give it to a corporation in the cloud.
If the US basically tries to assert that their laws trump the national laws in which these US companies operate, then those US companies will pretty much lose business.
The only logical conclusion would be that MS is now effectively an agent of the US government, and the use of their cloud stuff would be illegal in other countries or for certain kinds of data.
AND, this would be reciprocal, as MS would have no choice but to hand over data on US citizens to those local governments.
Don't give me the bullshit answer that it's OK for the US but not for anybody else, because we don't give a fuck.
So good luck when Iran wants to subpoena US records from MS. This is basically setting up a scenario in which the US wants their laws to be extraterritorial, in which case everyone else gets to do it.
Sorry, America, but you can't have it both ways.
It says they are probably going to pass a law to resolve the issue. Maybe this is just a preemptive strike.
(Except for when there is a treaty of course.)
As that would put them legal jeopardy in the EU, and the EU "government" imposes actual fines, while the US government is staffed by employees aka lobbyists aka TV experts aka politicians from Microsoft. (Among others wo mostly agree.)
Don't worry though, Murica, as the corps are hard on guaranteeing this is the case in the EU too. So you will soon be number one again. All we need is a more catchy redneck name for the lands of just enough corporate oligarchy. How about 'Rope?
Consider the physical space, if a bank has headquarters in the USA would that mean the US government is entitled to access a safety deposit box in a foreign country?
If they are granted access then this is effectively the end of the use of US based tech companies for cloud services by a wide variety of industries (e.g. government, medical, legal). One also wonders whether the access would even be illegal in the foreign jurisdiction.
Could it not be argued that it is Microsoft Europe, Microsoft Europe is a European company, and it must adhere to European laws?
Assuming there is indeed a European entity.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
Most companies function in other countries as subsidies or foreign branches. Both for most legal cases act as an independent entity which is how Enron hid their losses from US audits and how many companies get out of paying tax. If this is yes, there is no reason the IRS could not ask/demand for a complete set of books in all countries and tax accordingly.
Likely they will have to reorganize at a further arms length with some sort of trust or functional representative owning the foreign entities. This is still possible, but it gets ridiculous quickly. The whole point is there is a legal understanding of 'entity' that limits the responsiveness of a corporation. Saying yes will blow it away with many consequences initially, but lawyers and even other countries will quickly construct a more separate entity. This is a stupid grasp by the government way outside established law and it becomes team america world police or the company with more effort still gets their separate entity protections.
Except, any Microsoft entity would likely be a wholly owned subsidiary. Unless they set up an independent company and license everything, but even then I'd be the courts wouldn't let them get away with that either since it's obviously just set up to get around the law.
Perhaps if they had a truly independent company they purchased services from and then had to way to actually get the data. Otherwise, if they have access to it and they are a steward of the data, they'll likely have to provide it. IANAL.
Apple's work in China may provide some intersection options down the road.
I don't know, but it works for me.
there is, and that is indeed the argument. The counterargument is that MS USA completely controls MS EU and therefore should be able and required to force MS EU to pony up despite European laws.
Microsoft owns that data, thus it is Microsoft property, and since Microsoft is an american citizen, it must adhere to American laws.
Yes, but any American citizen in Europe must obey European laws. If you happen to be a holocaust denier and get arrested in Germany explaining about the US constitution's protections on free speech will get you nowhere.US companies have the choice not to go to Europe but, if they do, they must follow the law there. European law says that Microsoft cannot hand the data over to foreign (US) authorities. There is no law that the US Congress can pass that can relieve them of this responsibility and, if the US forces MS to hand over the data, it will make it close to impossible for US companies to do business in Europe since they will be unable to follow the law and so be liable for financial and possibly criminal penalties.
If the system would require action from someone in target country to access the data, they could truthfully say they can't get the data. That person would have full authority to refuse obeying any command that is against the local law and in case of firing would win big in court.
Imagine company A being created in North Korea. Imagine company B being a company owned and controlled by A incorporated in the US.
If company A is ordered to do something that is legal in NK should then company B comply even though it is illegal in the US?
Of course not, that is ridiculous.
Shouldn't the so-called "conservative" judges be in favor of personal privacy, against governmental overreach, and pro-business? The definition of conservative seems to get twisted more and more every day.
I'd bet the courts would see though that and start assessing large fines.
I don't know, but it works for me.
Of course it is ridiculous as is international law. Why would NK care if it's legal in the US?
I don't know, but it works for me.
That's Justice Alito, off the top rope! Oh, that had to have hurt! And is that... OH MY GOD IT'S JUSTICE GINSBURG WITH THE STEEL CHAIR! She smacks Alito clear out of the ring! In all my years as an announcer I have never before seen wrestling quite like this, ladies and gentlemen. This is just... savage.
Captcha: prejudge
If the Supreme Court rules that data follows the laws of the nation that it is in, then the EU's data protection laws and right to forget automatically apply to all data in the EU even if held by a US company. I doubt the court will consider that, but that is simply a matter of fact.
If the Supreme Court rules that data follows the laws of the nation of the holding company, then European-based companies in the US automatically follow those aforementioned EU laws. The fact that they're in the US would be incidental. The Supreme Court decision would override all State and Federal rights as they are the supreme arbiters.
There can be only one law on the subject, one rule, one criterion for whose laws matter.
I don't believe for a second that the majority of fans of either side have considered the ramifications. It is human nature to look at things in isolation, even though nothing exists in such a state. So, here's a chance. I'l like people to reply to me with a consequence they hate yet know must be faced if the decision went the way they wanted it to. The inevitable consequence of the dichotomies of an us-v-them political situation. From a systems standpoint rather than in isolation, is it a useful dichotomy? Is it a useful consequence, even if you hate it? There will always be one, but it useful?
If the consequences serve no useful purpose or are even harmful, then maybe the problem is not in who holds jurisdiction but why we're asking that particular question and not something else.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Microsoft owns that data, thus it is Microsoft property, and since Microsoft is an american citizen, it must adhere to American laws.
It's not complicated.
No it is not complicated. American law does not apply outside American territory, period.
If an American company owned elephants in India, and Indian law said that exports of elephants was illegal, should an American judge be able to decide that they must ship their elephants to the US? Does not Indian law apply on Indian soil because it's an American company?
It depends on which country they fear the most. The company or rather it's owners have decided to enter into business in two different countries with different laws. It is up to the company to figure out which direction to go when their is a conflict between those laws, but that doesn't mean they are absolved of the consequences which either or both countries might then implement.
Until MS moves its headquarters to some tax haven that has strong laws about international interference in data. There are probably plenty of tax havens that would craft such a law in order to induce MS to move their HQ to that jurisdiction.
Whatever the outcome, the Justice Department are going to make doing business more difficult in the USA. This was and always will be an own goal by the Justice Department.
The real "Libtards" are the Libertarians!
If you impose that rule, then EU companies in America are embassies protected by the Vienna Convention because they have to be in Europe to be under EU laws and you're saying that they are.
Can you begin to imagine the unintended consequences of that?
For a start, forget immigration controls. They're embassies, they can house whoever they damn well like, under EU laws. The US has no jurisdiction because this is EU turf not US turf by your own rules.
You can't have it both ways.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Tell that to the IRS, or to Assange.
If a corporation is a person, this is spot on.
Cheap storage VM.
Wholly owned or not, such companies are set up to enjoy tax advantages but especially to avoid liabilities.
It is very common knowledge when such a company would go bankrupt the parent company never has to pay up.
When this segregation is legally possible, and it is, then it would be the same for access to these mails.
And that's aside from the European point of view the mails are owned by their respective account holders, not the company that stores them.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
Which courts and fines from who?
American courts have a fat Zero jurisdiction abroad and EU courts have no issue to act on.
Companies like MS have in anticipation of this problem already build EU based servers to store EU data and put them under EU (often Irish) jurisdiction.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
Microsoft owns that data, thus it is Microsoft property
NO, Under EU law Microsoft DOES NOT own the data, a user retains all rights to his data even when housed on a companies server and said company must abide by those laws in handling of the data. The Data is governed within the borders of the EU under EU laws.
It's not complicated.
It is extremely complicated as you proved by getting almost everything wrong in your 2 line comment and the fact that even after several years the US supreme court can't work out the right decision.
There are lawyers specialising in this game, it's called Conflict of Law and it pays very well.
Rest assured MS has consulted these specialists years ago.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
No, Microsoft sells a service to store data for third parties, they most certainly don't own the data.
If that were the case and something illegal was found in this data MS would be liable.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
No it is not complicated. American law does not apply outside American territory, period.
That's simply not true. There is a presumption of non-extraterritoriality in U.S. law which means that if a law doesn't state otherwise, it is presumed to apply only on U.S. soil (or U.S. military bases, etc.), but laws can explicitly state that they apply outside the U.S. and U.S. courts have found them enforceable (usually when a citizen returns to the U.S. after a foreign trip.) Notable examples are the Foreign Corrupt Practices Act which make it a crime to bribe a foreign government. Another example is the Child Protect Act which makes it illegal for American citizens to hire child prostitutes even in countries where the practice is legal (eg. in the Netherlands, 16 years olds can legally work as prostitutes, but if a U.S. citizen hires one while visiting Amsterdam, they can be charged when they return to the U.S.). Another example are violations of certain travel restrictions, such as travel to Cuba, etc. Now, whether or not the search warrant in question is presumed to be non-extraterritorial or not is up to the Supreme Court to decide, but your blanket statement is clearly untrue.
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
It is Microsoft Ireland, which has to live by Irish law, regardless of where the parent company is.
It puts Microsoft in a difficult position, because if the US passes a law forcing it to send the data back to the US, it might still be in breach of Irish law, or EU law, and open to prosecution there.
This looks like the US government trying to force it's law on the rest of the world, especially as there is a perfectly good mechanism for asking the Irish for the data, as detailed here.
Very true. I personally do not agree with the counterargument; I was just trying to explain it.
Microsoft Europe is owned by Microsoft US.
People seem to be under the misconception that a company, entity or person can only ever be subject to a single judicial jurisdiction at any single point in time. Thats wrong - they can be subject to multiple judicial jurisdictions, and those jurisdictions dont have to be compatible.
A US court can still require a US entity to do something - regardless of the fact that it requires a subsidiary in another country to act.
They can require all kinds of things but it's just not going to fly when it's against the law of the originating country and that's Ireland.
Because this is not a new issue MS will have put means in place to prevent any illegal access to their customers content in the EU.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
So set up a company in the correct legal way and get to push another nations laws deep into the US legal system?
Enforce blasphemy laws in the USA? No saying bad things about a cult, faith?
Enforce another nations liable laws that are totally different from US free speech protections?
Move in some powerful German laws on the way history is presented and can be talked about in the USA?
Domestic spying is now "Benign Information Gathering"
You seem to be suggesting that American law trumps Irish law because Microsoft is an American company. That may very well be the way that this particular scenario plays out in practice (though I doubt it), but it's not an accurate picture of the legal situation.
Microsoft has a legal obligation as an American company to abide by American law and has a legal obligation as a company operating in Ireland to abide by Irish/EU law. Having legal obligations in different countries usually isn't an issue for companies, since it's generally agreed that American law applies in America and foreign law applies elsewhere (i.e. each country has sovereignty within its own borders). Inasmuch as one set of laws extends beyond that country's borders (e.g. US corporate taxes), it does not—and legally cannot—contravene the law in other jurisdictions.
Which, to be clear, is how it should be, since attempts to force your law in another country may potentially be viewed as an act of war, given that you would be violating that other nation's sovereignty. And nations tend to take their sovereignty pretty seriously, as you might imagine.
Anyway, all of this just means that the US lacks the authority to demand that—while in Ireland—Microsoft engage in activities that are contrary to Irish/EU law. Any attempt on the part of the US to do so would mean that the US is asserting the supremacy of its laws over Irish and EU laws within Ireland's borders, and could be construed as an act of war.
If only there was an avenue through which the US Justice Department could request that data without having to make demands.
Oh wait, there is!
We have treaties for resolving exactly these sorts of situations where one country wants something that they don't have the authority to demand. All the Justice Department needs to do is contact the Irish government and ask for its help in extraditing the data. Simple as that. Doing it that way ensures that no Irish laws are broken, no American laws are broken, that each nation's sovereignty is respected, and that no company is asked to choose between a rock and a hard place. The Irish government may deny America's request, but that's their prerogative, given that it's their country.
Unfortunately for Microsoft, they have to deal with reality, rather than legal theory, and the reality of the situation is that if they lose this appeal they'll have to choose between the rock and the hard place. If I were them, I'd be running the numbers to figure out what they'd be losing each way. Refusing to abide by the US order will likely result in some fines, but I'd imagine little else. Refusing to abide by Irish/EU privacy laws, however, seems like it could carry some significantly more severe consequences, not least of which is that they'd immediately lose a huge number of their European customers.
The laws in the third party country don't matter to the courts in the first party country - people here seem to be under the misconception that its otherwise...
The *only* thing MS can do to break the chain of authority between MS US and MS Ireland is to spin off MS Ireland into its own entirely separate company, with MS US holding no more than a minority share, having no say in how it runs its business etc. Anything less than waving goodbye to MS Ireland isnt good enough.
MS US haven't done that. They still own MS Ireland. They still have owners authority over MS Ireland. They can be ordered by a US court to do *anything* with regard to MS Ireland.
The fact that a US court order directed toward a US entity violates a foreign countries laws does not absolve the US entity from being obligated to fulfil that court order, or suffer consequences.
The conversation keeps revolving around where the company is located and where the server is located. No decision based on those criteria will ever be consistent. Perhaps it makes more sense to assign jurisdiction not based on where the data is held, or where the company headquarters resides, but based on where the individual resides. In that interpretation, the US government could get a warrant to obtain files on American citizens, but not on Irish citizens. This resolves some of the scenarios where someone says "Well, suppose [evil regime X] wants information on an American citizen, then should Microsoft provide it?" It also avoids confusion with applying European data privacy laws to American citizens whose data happens to be on a server in Europe. The case gets even more absurd as data moves around. If a US server has a backup in Europe, whose data privacy law would apply? Oooh, even crazier, what if we stripe the data 3 ways with some bits in America, some in Europe, and the parity bit in Asia? These kinds of problems go away when viewed in terms of residency.
We need a treaty to make this happen.
It is not that simple, They would be compelling an individual to commit a crime on foreign soil, if that isn't a violation of your rights then the US is more fucked up then I thought. Whats worse those countries have extradition treaties which means you can then be arrested in the US and SENT to that country for prosecution.
there is, and that is indeed the argument. The counterargument is that MS USA completely controls MS EU and therefore should be able and required to force MS EU to pony up despite European laws.
So you're saying the USA can compel someone to break laws in another country? How about if that access required the action of someone in the EU - so they'd need to compel a non-US (EU) citizen to break their own local laws?
I see many twisted outcomes from this - mainly companies are going to just get more creative restricting access to data and compartmentalizing it. Also, this stupidity is going to force more and more companies to 'officially' be based somewhere besides the US. Not like they pay their taxes here anyhow... :)
You can get rich if you own a politician, but you have to be rich to buy one in the first place.
in your case, a US judge can certainly order a US entity to do something which would violate another countries laws, and its up to the entity themselves to resolve that conflict.
Which is exactly what they're doing here.
Go read the legal briefs submitted by various nations and international organizations. The European Commission, the government of the United Kingdom, the government of Ireland, the Council of Bars and Law Societies of Europe, the German Chamber of Industry and Commerce, the French Department of Business, and even the United Nations legal arm for data privacy. All of them said that if the US enforced the order they'd be violating all kinds of international, law, including violating treaties made by the US government. The Mutual Legal Assistance Treaty, MLAT, provides a method to get the data legally.
Urgent MLAT requests are handled immediately. Ireland has already said if the DoJ filed an MLAT request they would act immediately. But the DoJ is looking for powers that bypass judicial review and international legal review. It is a power grab, which they readily admit in the transcript linked to above. Scroll down to page 23 when asked why they can't use MLAT requests.
It is rather terrifying that they are so brazen about it in the SCOTUS arguments. They state that they could use MLAT, but they want the ability to bypass the courts; if they win the precedent: "We don't have to go to a court first. We just issue the instrument. The provider has to make disclosures."
//TODO: Think of witty sig statement
That's not true.
Microsoft Ireland can tell Microsoft US that they will not grant illegal access to data.
What are MS US going to do about that? Sack everyone in Ireland? They'd lose every single tribunal case.
The fact that a US court order directed toward a US entity violates a foreign countries laws does not absolve the US entity from being obligated to fulfil that court order, or suffer consequences.
Court orders MS to hand over data. MS says, "We don't have access to data, people in Ireland do. We've told them to hand it over" What consequences would you like?
Of course, we haven't even discussed whether the MS official demanding that MS Ireland break the law should be arrested on their next visit to the EU.
should be able and required to force MS EU
How?
I've worked for multinational companies, and I've never been afraid to tell my US based manager that I can't comply with his request because it would break UK law.
Just how would MS force someone to break the law?
That's fine but it has to spark and evolve there, not adapt from richer climes.
Also 1/100th the atmosphere may be livable but is another monkey wrench the cold desert doesn't come close to duplicating.
Also this claim has been made for extremophiles before, notably antarctic lichen.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Microsoft and Google could've prevented this by doing what Apple and a very small few other cloud providers does: We don't store data unencrypted and we don't have access to our customer's keys. They would've missed out on the advertising dollars but hey, you pick your battles.
Custom electronics and digital signage for your business: www.evcircuits.com
Err ... really? Apple doesn't have a backdoor to encrypted data on the users device, but most things stored in their cloud service are readable to them.
"Unless they set up an independent company and license everything, but even then I'd be the courts wouldn't let them get away with that either since it's obviously just set up to get around the law"
Isn't that exactly how most companies run things for tax reasons ?
As I said, I don't agree with the counterargument, I was just trying to explain it.
As I said elsewhere, I don't agree with the counterargument, I was just trying to explain it.
I wouldn't be surprised if a US court could order a US person in the US to commit something that would be a crime in another country. There are some pretty strange laws all over the globe. Therefore, Microsoft USA has no option but to try to collect the data. Similarly, Microsoft Ireland has no legal option but to not cooperate. If it were a matter of someone in Microsoft USA trying to get someone in Microsoft Ireland to break the law, it would be simple: Microsoft Ireland obeys the local laws.
However, if Microsoft USA has direct access to the Microsoft Ireland data, things get more interesting. The US court has jurisdiction in the US. The action of bringing that data to the US and turning it over would violate Irish law. So, nobody in Ireland broke Irish law in the specific action of getting that data.
Now, whether Microsoft Ireland broke the law by making confidential data automatically available to Microsoft USA is an interesting question.
My guess is that Microsoft is arguing this hard, because they know that, if they are forced to get the data, European countries will start passing laws forbidding private data to be automatically shared outside the EU, and that would complicate things for Microsoft.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes