
Fed dicks nicks pics ...
machts nichts?
Call it “safe harbour” in action: Microsoft has announced it's going to go along with Germany's data privacy concerns and start hosting Azure, Office 365, and Dynamics CRM Online in that country. The decision comes hard on the heels of the company's decision to spin up some rust in the UK, with the Ministry of Defence as an …
As the article says:
"The German operator's T-Systems subsidiary will handle the data trustee functions, managing all access to customer data in the Microsoft data centres. “Microsoft will not be able to access this data without the permission of customers or the data trustee, and if permission is granted by the data trustee, will only do so under its supervision”, the announcement states.
Since Microsoft won't be in charge of the data, even an unfavourable decision in its US court case (in which the Feds want access to e-mails stored in Ireland) won't expose German customer data to American courts or law enforcement."
............"“Microsoft will not be able to access this data without the permission of customers or the data trustee, and if permission is granted by the data trustee, will only do so under its supervision."................
Don't make me laugh. This is utterly unenforceable.... "Can we come in? Ok, yes!"....In all of this, where are local EU competitors? .... Why are M$, Google and Amazon still so dominant in the EU's strongest economic zone?
After everything that's happened post Snowden, with Germans directly affected by NSA spying... I have to ask where is everyone now? Germans are world renowned for building tech and their political elite called out for home-grown protected infrastructure. So what happened? Is everyone too busy with cheating on pollution tests???..
The devil will be in the detail, but if the setup is done in such a way that T-Systems's permission is required under German law, then it should be safe as Microsoft Germany will not be able to break German law to satisfy Microsoft US's requests.
The devil is in the detail though. I'd be interested to know how they intend to prove compliance.
The US courts do not seem to recognize any limits to their jurisdiction, hence requesting MS to hand over data in Ireland.
However I think the key difference here is that even though MS can technically access the data they can claim (if they so wish) that the data is not held by them so any court order requesting access to the data becomes a court order telling them to hack a third party. Not even the US legal system should be able to force a company to perform an illegal act so MS can appeal the order saying the court should make the request of DT instead getting MS off the hook without showing contempt for the court. Under US law (which seems to have no problem claiming jurisdiction over the entire universe) DT might also be required to hand over the data as well but it is in a much better position to fight such a request.
I suspect the premium change might be necessary to strengthen this claim and avoid DT being ruled a MS subcontractor.
MS could do something similar by spinning off their Irish datacenters as local businesses except that might unravel a lot of their current tax avoidance schemes.
"MS could do something similar by spinning off their Irish datacenters as local businesses except that might unravel a lot of their current tax avoidance schemes."
I doubt it would unravel it by much. The obvious approach would be to have an Irish company, not owned by MS - repeat for the hard of reading NOT OWNED BY MS - as the intermediary operating as a franchise. Franchise operations seem to have worked pretty well for Starbucks as a mechanism for handling tax avoidance. I'm sure MS can find a few lawyers not too far from home who can advise them on such details.
Yes, but Microsoft Ireland is owned by Microsoft US - and they are being ordered to make Microsoft Ireland break Irish law. With a 3rd party custodian Microsoft US can be ordered by the US courts to tell them to hand over the data but the 3rd party wouldn't be forced to comply.
The scheme only works if the custodian has no business interests in the US so can't be coerced into volunteering to break EU law.
ACHTUNG! Alles touristen und non-technischen peepers!
Das machine control is nicht fur gerfinger-poken und mittengrabben. Oderwise is easy schnappen der springenwerk, blowen fuse, und poppencorken mit spitzensparken.
Der machine is diggen by experten only. Is nicht fur geverken by das dummkopfen. Das rubbernecken sightseenen keepen das cotten picken hands in das pockets, so relaxen und watchen das blinkenlights.
(Gotta love the classics!)
When the details of the UK data centre are revealed I wouldn't be surprised to see something similar, at least in principle. As I've written here a number of times since the MS/Ireland case started, it's the obvious solution - set up a legal firebreak. A franchise operation is the one that comes to mind but presumably the trustee arrangement is one appropriate to Germany.
As MoD are being talked about as an initial customer for the UK site it seems likely that they've looked at what's proposed. Unfortunately they might be comfortable with an arrangement that gave GCHQ access so it might not be ideal for everyone else. If I were in a business looking for a secure hosting company I'd still be looking at Switzerland as a preferred location.
"But even if it did do you really think that the Home Secretary and minions will not be making a MITM attack as soon as it goes live?"
That's the problem with any country whose govt doesn't grok privacy. It'll probably need someone to take them to the ECJ. I think we'll probably see a few iterations of that before govts. start to get the idea.
Gotta love smoke & mirrors - all this will do is make access to data even more secretive than it already is. Instead of the transparency of court orders, data will instead be requested via non-public international data sharing agreements.
The BND must be ecstatic as they now have all the excuses necessary to go trolling through anyone's data...
"Financial Times says customers will have to pay a premium to have their data guarded by the trustee."
I foresee two things happening. The US Govt will continue to lean on M$ until they offer up a workaround... Or even worse, customers will find that their premium policy lapsed for a day and was downgraded without their consent (honest mistake mister)... And during that phase all juicy data was hoovered up and sent westward!
Ya know, where are all the European competitors to these American giants, with their own EU based data centers?
This is just as useful as that bit of paper that a certain Brit PM waved in the air upon his return from Germany.
What, the bit of paper that bought us a further year to rearm? Whilst the rationale for appeasement was questionable, the simple reality is that Allied forces got defeated in France in 1940, and the inadequacy of older aircraft types was shown. At the time of the Munich crisis, the RAF had only five squadrons of Hurricanes, and no completely operational Spitfire squadrons. The bulk of RAF fighter power in 1938 was biplanes. And not only did the Luftwaffe have better aircraft, its crews had seen active duty in Spain since 1937, whereas the RAF crews had no worthwhile combat training.
Without the bit of paper, the outcome of a war started in 1938 would almost certainly have been the military defeat of Britain through the destruction of its air force (an objective almost achieved in 1940). And having been militarily defeated, the best the country could hope for would be having to sign a non-aggression, non-rearmament pact in return for not being occupied.
Indeed, it is a positive start. The idea of a trustee protecting the data is genius in its simplicity.
The trustee does, however, need to be totally independent from any US influence to be efficient. And it needs to remain untouched by any insider corruption - such as NSA agents infiltrating themselves in the trustee's organization.
So great idea, but expanding the issue to ensure data protection from everyone for everyone is going to be one hell of a headache.
The use of non-US intermediaries has been on the cards for a good while now. Customers are starting to be concerned about security from spying, hence the appearance of end-to-end encryption, Google pushing for HTTPS everywhere and so on.
The Irish access case has been a wake-up call for MS who must have been thinking about it since before the ECJ decision on Safe Harbour. The only surprise is that they now seem to be looking at establishing data centres to serve individual EU countries rather than just setting up a fire break for the Irish operation. Given the amount of time they've had, however, they've probably taken a lot of legal advice as to the best way to achieve their objective under German law. They may take different approaches in other countries.
I think we'll see other US corporations looking at similar solutions. There's been a window of opportunity for EU companies to get a slice of the action as well. I hope some of them take it.