Earlier this week I shared my thoughts on why Zenimax/Bethesda decided to physically move their European mega-server to Frankfurt, Germany. To summarize they did it to avoid the brewing data privacy war between the United States and the rest of the world. It was pointed out to me in the comments that the U.S. considers any data held anywhere by U.S. companies to be subject to U.S. law, but that is incorrect. I will tell you why in a moment.
First, I want to acknowledge there was a ruling in the U.S. Federal Appeals court this week that seems to support what those readers were telling me. You can read a great write-up about it, by British ZDNet journalist Zack Whittaker, titled How one judge single-handedly killed trust in the US technology industry. Please go read that article. I guarantee it won't waste your time unless you don't really give a rat's ass about this whole privacy issue.
Now that you've read the article, it still does not confirm the supposition that foreign data is subject to U.S. laws. The reason is this isn't about the data. It's about U.S. law and how that law applies to U.S. companies. The data in question is not the point - though it is the objective. Laws apply to persons. You don't give a ticket to the car for speeding. You give it to the driver. That understood, understand Microsoft is a U.S. company. It has the rights of a person under U.S. law - yeah, I didn't like that ruling any more than you do. However, there is a bright side to that ruling. Since Microsoft has the privileges afforded to persons under U.S. law, it also has the obligations. That means it must comply with lawfully obtained U.S. subpoenas. This is true of any U.S. citizen. And just because we don't agree with how or why those subpoenas were granted, until Congress changes the law of the U.S., we have no recourse but to comply or pay the penalty. And believe me, the penalties will be severe in the current environment - like it or not.
But at no time does this law apply to the data in question (it is not a person,) the data center it is currently housed in (it is not a U.S. company and thus not a person under U.S. law,) or the country where that data center is located (that's a derp.) It does not apply to the originator of that data so long as that person is not a U.S. citizen. And please, please, please stop assuming laws apply to inanimate objects. That's just silly.
Now, in that previous paragraph notice I did not say owner, but originator. That's a fine point that needs elaboration. In the U.S., the originator is not necessarily (and probably isn't) legally the owner. As gamers you all know about that End User License Agreement (EULA) stuff we all agree to when we play a game. Did you think that only applied to games? Seriously? It applies to any service you have ever signed up to use. It's this legally binding contract that says you agree to certain things in return for certain considerations. That's a fancy legal term for services and or payment. In this case it means services. Microsoft gives you a service called email, and in return you give up some (many?) of your legal rights over whatever you submit to that service - to wit, your email.
And to make matters more complicated, U.S. companies aren't the only ones to use an EULA. I know I agreed to one when I started playing Assassin's Creed IV: Black Flag and Ubisoft is a French company. In fact, all companies world-wide use them as standard procedure. It's a devilishly sticky widget. How can you really hold yourself apart from all this Europe when you use the same legal agreements U.S> companies do? Isn't that a little like wanting your cake and eating it too? You can't have it both ways.
But seriously my European friends, this is not about you. This ruling has no jurisdiction outside the United States. It only applies to Microsoft, a U.S. company. It has no compulsory jurisdiction over non-U.S. citizens or companies doing business not in the United States. Do you grok what I'm saying?
Let me spell it out. If this worries you, stop using U.S. companies for your private stuff. Use a company that is headquartered in a country whose laws you approve, where that company is not considered a person. But for gods sake, stop bashing the U.S. because you don't like our laws. We are not forcing you to use our companies. And for the record, there are lots of U.S. citizens who don't like these laws either. You at least get a choice in all this. Feel lucky. I don't get a choice even if I use a European company that provides unbreakable encryption. If subpoenaed my choices are divulge my encryption keys or go to jail. Be thankful you are not so unfortunate.
And as for those who are afraid Microsoft, or any other U.S. company, won't fall on their sword for the sake of your privacy, don't forget the data center in question is not within the U.S. The sovereign nation of Ireland could cut power to that data center at any time, and no one would get the data that resides on those servers. And there are less drastic measures Ireland and/or its citizens could take to keep your private stuff private. Start pestering them to do something about it rather than try to change a situation in the U.S. that even its voters haven't been able to change. Capish piezano? Squawking your heads off about how F@#$ up this is... well, frankly it's dumb. You have so many options for dealing with this I am honestly envious of you. What have you to complain about? Can't you see it from my perspective even a little? If you did, you'd know how lucky you have it.