Canadian data order risks blowing a hole in EU sovereignty

Re: Hang on

Even if the legal tools did not presently exist, it would be possible to create them. I guess you could put protections into the MLATs to discourage this kind of end-around, but, if a jurisdiction is sufficiently motivated it will find the means to coerce one way or another.

Re: Hang on

Is it not the case that

The Canadian court goes to OVHC and demands the data.

OVHC say, sorry mate that data is the property of someone else (OVHF) and we have no physical access to it - go and talk to them.

Canadian court goes to OVHF and demands the data, and OVHF point out that the data is in France under French law and that thay can only release it if ordered by a French court.

The court can get stroppy with OVHC but ultimatly a subsidiary has no leverage over the parent that resides in a completly seperate juristiction. You cannot hold someone in contempt of court when they have no responsibility and no way of implementing the request even if they wanted to. The only circumstance a sovereign countries court can impose its will in this context is if the country (Canadal) is going to back the court up and bully OVHF and France.

That sort of approach is more the perogative of the good ol' USA under the Donald (Duck) Dictatorship..... (Sound of angry duck noise on the right.)

Re: Hang on

Somehow Canada has the legal tools to force OVH's Canadian subsidiary to give up data in the EU but the US doesn't?

I think what we were told back then was not strictly the vérité.

The US subsidiary is more technically and legally separated, presumably because of the PATRIOT/CLOUD acts.

IIRC an account on OVH US can only spin up services in their US regions. A regular OVH account anywhere else can spin up services in any region except the US. It's an entirely separate entity running parallel infrastructure.

I'm still surprised that an order against OVH Canada is met with anything other than "We do not have the technical ability to access data held by our parent company on another continent.", but it sounds like there's insufficient separation (either an internal policy matter, which the Canadian court is ordering them to ignore, or none at all). Any contempt of court prosecution would be contentious - every executive in every Canadian subsidiary of a foreign firm would suddenly be very nervous about potentially being ordered to leak information from their parent, or being prosecuted for "refusing" to hand over information they literally don't have access to. The business associations would riot.

As Charlie Clark mentions though, it doesn't need to go to full CoC charges. It's a matter of whether they can pressure OVHC/F with threats of sanctioning OVH in Canada.

It's more complicated than that with multinational companies and their subsidiaries. The courts in Canada know very well that they can apply pressure on the subsidiary to get the parent to comply. The threat of contempt is initially not that serious, but it could escalate to sanctioning the whole business.

However, the OVH as a French company must comply with French and EU law and France could easily turn this into a matter of "national sovereignty" in which case, the contempt case would be dropped. But nobody wants it to go that far. I suspect, some kind of fudge where a French judge is asked to decide on whether the data can be released, and under what conditions it is made available.

Re: This sort of thing makes the law irrelevant

They absolutely could - if they went through the correct international law enforcement cooperation channels. But not directly.

However, they could revoke your visa/residents permit or whatever so that you could be marched out of Canada, never to return.

Re: Treaties

Exactly. We have these treaties, and the bureaucrats can and do talk to each other, and the paperwork can totally be filed for this.

Use. The. Bloody. Procedures.

Re: Treaties

Its not about treaties; it is about bad business behaviour.

If OVH capitulates, the story is over.

If OVH asserts that it has a spine ( which is why you are reading this ), the RCMP will have to do some actual investigation, rather than merely fishing.

Its a bit of an epidemic here; Canada has relatively tight rules about information, but that doesn't stop banks from handing over financial records without a shred of process.

Re: Treaties

"Seems like time Politicians got off their arse and spoke to each other to ensure these requests go via the agreed route?"

My guess is that it's probably rather like the case that brought about the US CLOUD Act, a fishing expedition which wouldn't be allowed under the treaties.

Re: A clear case of not doing your homework

>> shutting down their Canadian subsidiary.

It may come to that. We need to do the same for every American and Canadian company in Europe too.

Re: A clear case of not doing your homework

"Surely OVH's legal department should be aware of the risks of having subsidiaries in countries outside the EU?"

You could say the same about all the big US companies and the EU or anywhere else that has reasonable privacy laws.

Re: Who can the Canadian courts make do things ?

"This is likely to spark an international incident."

Whether this particular case is the one that does it this needs to happen. Governments have allowed the whole issue to fester for far too long with privacy fig-leaves and the like. It needs to be sorted out by international agreements which bind national courts as to what they can and can't do.

Re: This should be judicial overreach.

Why on Earth not? If you are a Chinese entity, you are PRIMARILY subject to Chinese law. Why should a Latvian judge care about what a Maltese law says when ordering a Latvian entity?

You've got the concept of sovereignty backwards.

If the legally-Canadian business doesn't legally have access to data where it's held in a legally-French business it's not so simple.

You got a bunch of downvotes but you’re one of the few people here that get it.

Canada can get what they want by putting pressure on OVHC, which they will do on whichever way is most effective. The impact this has on OVH or France or anyone else is not their problem.

I don’t know what the short term answer is but the long term answer is use a different corporate structure.

Re: obvious solution

Just get the DGSE involved.

What sink a couple of Canadian ships in harbours?

Re: Be careful what you wish for indeed...

Maybe but that doesn't change the main point that Canadian subsidiary has no legal access to the data. Even if they technically could access it which is questionable at best it would probably be illegal even under Canadian law and certainly under French law. To me this sound like state sponsored mob tactics, commit a crime for us or else... The subsidiaries are there to limit liabilities for situations like this where one overreaching government thinks they rule the planet. Sadly most companies fold under pressure of financial loss in that country and governments get what they want, here at least the EU legislative wont let them just bend over openly because GDPR fines are also insanely large if the person of interest is EU citizen.

If I project the same situation on Canadian mother and Russian subsidiary you wont like the situation one bit. How would you like if for example Russian court ordered Canadian bank that also operates in Russia via a subsidiary to release all your personal data to them with dubious explanation of why they need them? Not very much I would imagine. Most people would be probably angry at the company and demand how could they give uncontrolled access to the subsidiary they as a client have no contractual relationship with, followed by screams about how that cant be legal.

For me at least this is the preferred outcome and the democratically elected government can go sulk in corner. I am by no means defending corporate interest only advocating for personal freedoms of citizens from overreaching foreign government apparatus.

Re: Be careful what you wish for indeed...

"So why are people instinctively siding with a multinational money grubber over and against a limited popular government?"

Because it's about due process of law. There is a process whereby the RCMP can try and get the information. They haven't done. They've tried to take a short cut.* They're trying coercion.

I do not believe short cuts and coercion in law enforcement are a good thing.

It's also about data and trust in suppliers to safeguard customers' data that they're paid to look after.

Put those two things together and they're trying to crate a precedent that could, in the end, be harmful to any one of us if the protection of due process of law is weakened. They're trying to put what remains of Magna Carta in the shredder.

* I suspect this is because they don't have a case that meets the criteria for access. There will be safeguards built in.

"This whole attempt seems to be as much against the long term interests of Canadian sovereignty as it is for French sovereignty."

Nailed it. We don't even know what the Canadian govt. thinks of the actions of it.

Re: The RCMP got it wrong to start with.

Definitely.

There seems to be a presumption that "subscriber and account data linked to four IP addresses on OVH servers " are static and have been static over time. Given the way we know hosting companiies work, there is a reasonable chance the requested IP addresses are or have been shared between multiple subscribers.

It would thus make sense for the Canadian police to not only directly request information from the French police but more probably involve Interpol, given their investigation also (at the time of reporting) involves systems and data located in the UK and Australia.