EU screams foul over Microsoft data privacy case... three years too late

EU screams foul over Microsoft data privacy case... three years too late

Summary: European officials are only now are expressing concern over a US court ruling that can allow the FBI and NSA to grab oversees data. But Europe knew the risks at least three years prior.

SHARE:
datacenter-hero
(Image: stock photo)

If anyone's ever late to the party, you can count on Europe to drag its feet.

The European Commission, the executive body of the 28 European member states, has reportedly expressed extreme concern about a court decision, forcing Microsoft to hand over data it stores overseas.

The US Justice Department wants the Redmond, Wash.-based software and services giant to hand over data it stores overseas in a Dublin-based datacenter. That data, however, falls under Irish and European data protection and privacy laws.

But the US doesn't see it that way. Because Microsoft owns the overseas datacenter, the Justice Department believes it has carte blanche over that data — which it needs for a law enforcement investigation.

The greater concern for Microsoft (and the wider US technology industry) isn't just the civil liberties for its customers, but also the affect it will have on US businesses. If the US government can grab data these companies store overseas, nobody outside the fifty states will want to do business with Silicon Valley.

Which is fair enough, really.

Now, according to eWeek, European officials are calling out the US government. While both parties, the US and EU, are not publicly commenting on the case due to the legal restrictions on the case, one European official told the publication:

"The Commission has raised this issue with the U.S. government on a number of occasions. The Commission remains of the view that where governments need to request personal data held by private companies and located in the EU, requests should not be directly addressed to the companies but should proceed via agreed formal channels of cooperation between public authorities, such as the mutual legal assistance agreements."

Which is a nice way of saying, "use the existing international channels." That squares up with sources speaking to ZDNet over the last few months as part of a wider story (which can wait for another day). 

Those channels, known as mutual legal assistance treaties (MLAT), allow one government to go to another and share information across borders. 

But the trouble is that MLAT can be slow — and in some cases, requests can be outright refused.

US Magistrate Judge James Francis called the MLAT process "burdensome and uncertain," while the second justice in the case, US District Judge Loretta Preska, said access to the data "is a question of control, not a question of the location of that information."

"As burdensome and uncertain as the MLAT process is, it is entirely unavailable where no treaty is in place." —
US Judge James Francis

The Justice Department can take what it wants, when it wants — so long as the data is loosely associated with a US company. The Commission told eWeek in response to the ruling that in order to "avoid these potential conflicts of laws," such treaties should be honored.

The US government has been bypassing MLAT for years — the Edward Snowden disclosures showed this. But long before June 2013 when the first leaks began to trickle out, the Commission was fully aware of the risks to its laws, jurisdictional rights, and its citizens' data — not to mention the risks from extraterritorial effects of US law.

It's exhausting having to go over this again, and again, and again. But here it goes.

Back in 2011, Microsoft's then UK managing director said it "could not provide guarantees" that EU-based cloud data would not leave Europe under any circumstances.

Members of the European Parliament (MEPs) were not pleased. They had suspected it for a while but not until then had any US technology giant said it.

And the Commission? It did nothing. It actively stonewalled MEPs by shutting them out of discussions and not answering key questions posed in relation to the scope of US law in Europe.

For months and years, the European Commission was, however, working the back channels to prevent the snooping, by pushing the Justice Department to use the existing MLAT process. Meanwhile, the Justice Department always had its array of cards at its disposal, seen in the recent case that embroiled Microsoft into the row even deeper.

Eventually, European Justice Commissioner Viviane Reding admitted that though US law should not overrule EU law, there could be further clarification on the issue.

That will ultimately come from the International Court of Justice in The Hague, Netherlands, where governments take other nation states to court.

After the Snowden leaks came to light, the Commission finally broke its silence and warned of the risks to the US-EU relationship amid claims European data was being vacuumed up by the clandestine and classified PRISM program.

By this point, Europe had already dished out the latest proposals to its data protection and privacy laws, but the Snowden leaks showed that almost two-decades worth of existing laws were essentially ineffective against the US surveillance state.

One European source said a few weeks ago that while Reding was "not naive" to think that friends don't spy on each other, the scope in which the US was conducting massive surveillance on her fellow citizens was far beyond her, or anybody's expectations.

Reding was furious, but remained state-like through the PRISM scandal — even when she met US Attorney General Eric Holder in Dublin just days after the story broke.

"The meetings we've had — and there have been plenty — the sticking point is judicial redress," according to a senior European official who spoke on the phone a few weeks ago on the condition of anonymity, regarding the conflict between US and EU law.

The official explained that the US would say any significant changes to the transatlantic law enforcement co-operation would require a change in US law, but also cited the "complicated" Congressional scene. To which, the official said Reding told senior Obama administration officials that they must "seek a new mandate" if they can't many any headway during the current Congress.

"In the negotiations, we really thought things would advance," the official said. "But we are still stuck in the same gear, despite nice speeches by the President and the Podesta report."

"So at the end of the day, we keep playing poker but they haven't yet shown their cards," the official said.

After two years of transatlantic negotiations, and the diplomatic double-crossing, she told MEPs, which the Commission is accountable to, to reinstate stronger legal provisions that were taken out. The Commission came under fire after the draft data law was watered down following an extensive US lobbying effort.

European officials were not only aware of the problem, but they systematically avoided the issue and shuttered out parliamentarians to which the Commission is ultimately accountable to. And the Commission's efforts to work the back-channels with their American counterparts in efforts to be treated fairly and equally were mostly unsuccessful, with the exception of finally scoring judicial redress at an agreement-only level for Europeans.

More than three years after it was first made aware of the major flaws in EU data protection and privacy law, the Commission failed to make any significant headway in resolving the differences.

Europe, you can kick and scream all you want now but your long silence made you just as complicit as the US. 

Topics: Privacy, Government US, Security, EU

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

9 comments
Log in or register to join the discussion
  • Um....

    Didn't all of this come into play with the US Patriot Act years ago?

    The Act states that a US-based companies must divulge records of any user, regardless of the user's locale because the US-based company falls under US jurisdiction, also regardless of the data location of that US company.

    This is why they say US government and business are one and the same. The US gov't just give themselves international rights over the rights of external sovereign nations.
    Joe_Raby
    • the USA = new-age f*scists

      the EU should ban Microsoft, Google, Apple here in EU and these three companies would sue the US to grab billions because of these illegal, anti-freedom, f*scistic, anti-business laws in the US
      Jiří Pavelec
      • Maybe you should lobby EU member states...

        ...to expel the US from NATO and declare war against us (according to you, we're clearly a serious threat to world peace). I do have to warn you, though, that we *will* resist any effort to "liberate" us by force.
        John L. Ries
  • longterm

    I think in the long term, the US is shooting themselves in the foot. Other countries will react by tightning their privacy laws and the rules for european subsidaries of US corporations.

    What scares me is what little outrage there is from the public. Are we that apathetic to these intrusions of our liberties. The US government would make the Stasi proud.
    Panthera son
    • In essence

      if MS USA is forced to follow the court ruling and hand over the data, Microsoft Ireland executives will be in breach of EU data protection laws, for handing the data over to a non-European entity without a valid EU warrant or the written permission of those identifiable in the data.

      The account owner is also liable to prosecution.
      wright_is
  • Oh well...

    The hypocrisy is morally indefensible...
    Owl:Net
    • The US Government

      should go MLAT themselves!
      wright_is
  • You know.. if you're going to pillory someone - at least be consistent.

    "If anyone's ever late to the party, you can count on Europe to drag its feet."

    Then...

    "Back in 2011, Microsoft's then UK managing director said it "could not provide guarantees" that EU-based cloud data would not leave Europe under any circumstances.

    Members of the European Parliament (MEPs) were not pleased. They had suspected it for a while but not until then had any US technology giant said it.

    And the Commission? It did nothing. It actively stonewalled MEPs by shutting them out of discussions and not answering key questions posed in relation to the scope of US law in Europe.

    For months and years, the European Commission was, however, working the back channels to prevent the snooping, by pushing the Justice Department to use the existing MLAT process. Meanwhile, the Justice Department always had its array of cards at its disposal, seen in the recent case that embroiled Microsoft into the row even deeper."

    Well, it seems to me that the EuroParliament reacted quickly and demanded action. It was the EuroCommission that stalled. Except even THEY were acting - just using a less visible channel.

    In other words, Europe wasn't 'late to the party' - they were trying to find a way to deal with this situation - just not as fast as you seem to want them to. Guess what - dealing with the US is a brutally tricky and difficult thing. I know you yanks don't see it - you're on the inside, but being on the outside we see it everyday.

    The US is a country that believes it runs the world. It takes actions unilaterally and can cause immense damage while believing it does good. It's like a drunk man with a big gun - you tend to be careful when confronting him.

    In the end though, you're blaming the victim - it's not Europe's fault for assuming the US would respect international treaties and play by the rules.

    Is it?
    TheWerewolf
  • Microsoft has to repect the law.

    No excuse Microsoft should have known before they violated the laws of the country's they built in that they were working under the laws of the US. As a result they play by US law or else pay the penalty. Who knew Microsoft was ignorant looks like their lawyers should know better. Looks like tax avoidance comes before prudence.
    Altotus