
Related:

"IMPOSING SANCTIONS ON THE INTERNATIONAL CRIMINAL COURT" (white house, feb 2025) https://www.whitehouse.gov/presidential-actions/2025/02/impo...

Microsoft admits in French court it can't keep EU data safe from US authorities (jul 2025) https://news.ycombinator.com/item?id=45822902



>Microsoft admits in French court it can't keep EU data safe from US authorities

Snowden leaked that fact before Microsoft made the admission. But it's good that it's coming from them officially nonetheless.


It kind of felt like the ramifications of Snowden's leak were so vast that everyone just chose to forget about it.


IIUC Snowden sent complete trove to two publications only, and one of the computers containing the trove is destroyed through and through, disabling that publication for Snowden leaks.

Moreover, again as I understand, after a certain point the leaks are stopped, because the message was sent, and people now know the most important bits behind the curtain.


There's definitely a political game of pretending that the US clouds are somehow compatible with GDPR.


They were ruled incompatible every time this was brought to the courts.


They are most likely compatible until a national security letter arrives. An American company then has to choose which law to comply with, and it's an easy choice.


That's what makes them incompatible.

But companies can be a lot shadier than we give them credit for. Like, remember that "wink payment" contract between Google and Israel? If Google knew what they were doing, they accepted the contract to do the illegal thing, so they'd sell their product and get money, but they were planning to simply not do the illegal thing, breaking the contract (the customer would never know and if they somehow did, you can't stop using a cloud on a dime) but not breaking any laws.

If Microsoft knows what they're doing, they'll accept contracts from EU customers that say "we will never give your data to US authorities", they break it immediately, don't tell the customer and the customer never finds out.

Alternatively, they can give the US government a bunch of nothing, in order to comply with the EU customer contract, and pretend this is all the data the customer had on their account. I doubt this will happen though.


There's a difference between as an intelligence organisation having access to data, and "someone in power is angry because they watched a TV advert, I want to see what they know".

But your overall picture is still, sadly, correct.


For most of my life I also used to think there was a difference between the two. But now I realized they are actually just the same.


I understand the disillusionment. The gutting of the US machinery of state is disheartening to see.


It’s all just people at the end of the day.

Without oversight, abuse is inevitable.

You have two choices:

* Limit the damage that a person can do, i.e. don’t aggregate everything in the hands of one person.

* Tonnes of oversight into who accesses the data and why.

In theory the US chooses the latter, but only for nationals and the Snowden leaks were proving that this was basically just a rubber stamp and constantly was bypassed on technicalities..

.. outside of the US, there’s no legal framework to protect your data from US authorities, no matter who they are, at all.


They couldn’t be more different. One is doing it in secrecy and for a “reason”, to spy on someone. The other one will do it in public because he can and doesn’t like your name.


> One is doing it in secrecy and for a “reason”, to spy on someone.

When it's secret, how can you ever check? Even if it was just because the person on top or in the middle had a personal judge, they'll always say it was for legitimate spying purposes and no-one has any way to call them out.


Which of these is meant to represent the current regime in power in the U.S.?


Does it matter if you are the one on the receiving end?


I don’t understand why this is the case though.

Could MS create a new EU-based company in which it just owns shares?

Or is the US Cloud Act so wide that they can demand data from all the companies a US-based company has equity in?


MSFT already operates in Europe via subsidiaries for a whole host of reasons. But hiving certain assets off in a subsidiary is very rarely effective to avoid laws and regulations that apply to the parent. The parent controls the subsidiary so a court or regulator having jurisdiction over the parent could order it to get what it needs from the subsidiary. This is particularly so in the US, which is kind of known for enacting overreaching extraterritorial laws.


> The parent controls the subsidiary so a court or regulator having jurisdiction over the parent could order it to get what it needs from the subsidiary.

But what if the parent’s jurisdiction orders the parent to order the subsidiary to do something illegal in the subsidiary’s jurisdiction? If local management obey the order, they risk being prosecuted by their jurisdiction’s authorities-so they’ll likely refuse. What is the parent going to do then? Fire them? But will any replacement act any differently? “Is this job worth going to prison over?” Most people answer “no”, and people who answer “yes” won’t last, because you can’t run a subsidiary from a prison cell.

I think the real issue here is that the US gets away with it because the EU is still so dependent on the US (see NATO) they can’t push back fully, at some point a political calculation takes over. So it could be that the US parent orders the subsidiary to do something illegal under EU law, and then the EU authorities choose to ignore it.


Well, firing someone because he refuses to do something illegal is itself illegal.


So let’s say I am an EU citizen and I own a data center company in Brussels.

I sell 1 stock to MS USA. Can they at any point demand all my data?


They can try, but presumably as a tiny shareholder you would tell them to go f themselves. Subsidiaries don't have that luxury.


The laws I have read used the term “effective control”; if a shareholder is able to control the org (eg can replace the CEO or board), they are obliged to comply with government orders regarding that org.


There are attempts to loosen the control from the U.S. side, like a cooperation between Microsoft/Azure and SAP or Google and T-Systems (Deutsche Telekom) where the German side would run an "air gapped" region of those cloud stacks.

However I believe the rates in the end were too high to win notable contracts, but I haven't followed along in a while.

https://www.heise.de/news/Digitale-Souveraenitaet-Microsoft-...

https://t3n.de/news/t-systems-sovereign-cloud-google-verwalt...


I'd be surprised if this isn't already the case. The extent to which you can do business in the EU without legal presence is limited.

It is not a huge amount of protection though. I mean we've already established that selling to 'terrorists' can be sanctioned even when selling through an intermediary. So what's stopping the US from ordering Microsoft to stop selling licenses to the ICC?

And then we've not touched on who is in control of the closed source of the many proprietary applications.


It's not about having a subsidiary, it's about the technical structure of 365 meaning Microsoft US has access to Microsoft EU servers and thus US employees can be compelled to follow US court orders.

They simply don't separate the infrastructure this way AFAIK.


Oh I see the point. So MS US has credentials for the infra in EU.

So no reason to deal with any European citizen or court. You just threaten the US IT guy to give you the EU credentials.


Yes, and the Cloud Act pretty much forces upper management to ensure that there is always a US IT guy that can be compelled to implement the wishes of The US Federal Government, as the penalties apply to executives of US companies, too.

We can quibble about whether the term "threaten", which implies some moral wrongdoing, is correct though. It's a law with defined criminal penalties. That's how criminal law works.


> Could MS create a new EU-based company in which it just owns shares?

That would be a separate company, plus if it's licensing tech from MS then it's still vulnerable to supply chain attacks.


If you’re Microsoft do you really want to anger the federal government? Companies aren’t as cavalier about taking them on as they used to be. They’re likely Microsoft’s largest customer by far, and they have the power to end you (which they nearly did once).



