Canadian data order risks blowing a hole in EU sovereignty
- Reference: 1764246606
- News link: https://www.theregister.co.uk/2025/11/27/canada_court_ovh/
According to documents seen by The Register, the Royal Canadian Mounted Police (RCMP) issued a Production Order in April 2024 demanding subscriber and account data linked to four IP addresses on OVH servers in France, the UK, and Australia as part of a criminal investigation.
OVH has a Canadian arm, which was the jumping-off point for the courts, but OVH Group is a French company, so the data in France should be protected from prying eyes. Or perhaps not.
Rather than using established Mutual Legal Assistance Treaties (MLAT) between Canada and France, the RCMP sought direct disclosure through OVH's Canadian subsidiary.
This puts OVH in an impossible position. French law prohibits such data sharing outside official treaties, with penalties up to €90,000 and six months' imprisonment. But refusing the Canadian order risks contempt of court charges.
On September 25, a decision on the production order by Justice Heather Perkins-McVey was released, rejecting an application to have it revoked. Justice Perkins-McVey said: "The Court must balance the interests of the state and the respondent." In this instance, the national security nature of the investigation trumped other concerns.
Unsurprisingly, not least because Justice Perkins-McVey set a deadline of October 27 for data disclosure, an application for judicial review was filed. It states that OVH "will be forced to choose between the risks of criminal liability in Canada and/or France, including imprisonment and fines" and the "urgency flows directly from the compliance deadline imposed by the Review Decision."
Under Trump 2.0, economic and geopolitical relations between Europe and the US have become increasingly volatile, something [8]Microsoft acknowledged in April.
Against this backdrop, concerns about the US CLOUD Act are growing. Through the legislation, US authorities can request - via warrant or subpoena - access to data hosted by US corporations regardless of where in the world that data is stored. Hyperscalers claim they have received no such requests with respect to European customers, but the risk remains and European cloud providers have used this as a sales tactic by insisting digital information they hold is protected.
In the OVH case, if Canadian authorities are able to force access to data held on European servers rather than navigate official channels (for example, international treaties), the implications could be severe.
Mark Boost, CEO of Civo, told The Register: "We are watching this case very closely because it has the potential to set a major precedent.
"If courts decide that a foreign government can reach into data stored inside another country simply because a provider has a commercial presence there, it changes the entire meaning of sovereignty. It would raise real doubts about whether local storage is enough, or whether customers need stronger guarantees around who actually owns and controls the infrastructure behind the scenes."
He added: "If the Canadian position is upheld, it will force the industry to rethink how sovereignty is protected in practice. Customers may need to look beyond data location and start asking hard questions about corporate structure, legal separation, and how providers shield users from overseas claims."
Earlier this week, GrapheneOS [11]announced it no longer had active servers in France and was in the process of leaving OVH.
The privacy-focused mobile outfit said, "France isn't a safe country for open source privacy projects. They expect backdoors in encryption and for device access too. Secure devices and services are not going to be allowed. We don't feel safe using OVH for even a static website with servers in Canada/US via their Canada/US subsidiaries."
In August, an OVH legal representative [12]crowed over the [13]admission by Microsoft that it could not guarantee data sovereignty.
It would be deeply ironic if OVH were unable to guarantee the same thing because the company has a subsidiary in Canada.
The Register asked OVH to comment and a spokesperson told us a response was incoming, though it had not arrived at the time of publication. ®
[4] https://www.theregister.com/2025/11/24/nato_google_cloud/
[5] https://www.theregister.com/2025/11/19/microsoft_sap_cloud_crisis/
[6] https://www.theregister.com/2025/11/14/it_spending_europe/
[7] https://www.theregister.com/2025/11/13/gartner_cio_cloud_sovereignty/
[8] https://www.theregister.com/2025/04/30/microsoft_getting_nervous_about_europes/
[11] https://x.com/grapheneos/status/1993035936800584103
[12] https://www.theregister.com/2025/08/27/ovhcloud_interview/
[13] https://www.theregister.com/2025/07/25/microsoft_admits_it_cannot_guarantee/
Re: Hang on
Even if the legal tools did not presently exist, it would be possible to create them. I guess you could put protections into the MLATs to discourage this kind of end-around, but, if a jurisdiction is sufficiently motivated it will find the means to coerce one way or another.
Re: Hang on
I'd guess that the end-run was attempted because the case didn't meet the protections in the MLAT.
I'm looking forward to hearing about the Canadian ambassador being called in to the French foreign ministry to explain why a Canadian court is trying to override French law or maybe a French court issuing an arrest warrant and request for extradition of the judge. If "sovereign" is to mean anything then it's got to be defended in this way if need be.
Re: Hang on
"If "sovereign" is to mean anything then it's got to be defended in this way if need be."
And France are typically the ones to do it. They are very proud of being French and will defend their sovereignty.
Re: Hang on
It won't do much good, though. Canadian governments have no ability to compel the courts to do anything. As it should be in any functional democracy.
Re: Hang on
Is it not the case that
The Canadian court goes to OVHC and demands the data.
OVHC say, sorry mate that data is the property of someone else (OVHF) and we have no physical access to it - go and talk to them.
Canadian court goes to OVHF and demands the data, and OVHF point out that the data is in France under French law and that they can only release it if ordered by a French court.
The court can get stroppy with OVHC but ultimately a subsidiary has no leverage over the parent that resides in a completely separate jurisdiction. You cannot hold someone in contempt of court when they have no responsibility and no way of implementing the request even if they wanted to. The only circumstance a sovereign country's court can impose its will in this context is if the country (Canada) is going to back the court up and bully OVHF and France.
That sort of approach is more the prerogative of the good ol' USA under the Donald (Duck) Dictatorship..... (Sound of angry duck noise on the right.)
Re: Hang on
It sounds to me that the problem is that OVHC does have physical access to the data held in France, they're just being told by OVHF not to touch it because of internal sovereignty rules. The Canadian courts are ordering OVHC to reach in and grab it anyway.
One option might be for OVHF to firewall off the Canadian subsidiary's access, if that can be done quickly and in a way that doesn't break their customers' applications. A big if.
Re: Hang on
Somehow Canada has the legal tools to force OVH's Canadian subsidiary to give up data in the EU but the US doesn't?
...
I think what we were told back then was not strictly the vérité.
The US subsidiary is more technically and legally separated, presumably because of the PATRIOT/CLOUD acts.
IIRC an account on OVH US can only spin up services in their US regions. A regular OVH account anywhere else can spin up services in any region except the US. It's an entirely separate entity running parallel infrastructure.
I'm still surprised that an order against OVH Canada is met with anything other than "We do not have the technical ability to access data held by our parent company on another continent.", but it sounds like there's insufficient separation (either an internal policy matter, which the Canadian court is ordering them to ignore, or none at all). Any contempt of court prosecution would be contentious - every executive in every Canadian subsidiary of a foreign firm would suddenly be very nervous about potentially being ordered to leak information from their parent, or being prosecuted for "refusing" to hand over information they literally don't have access to. The business associations would riot.
As Charlie Clark mentions though, it doesn't need to go to full CoC charges. It's a matter of whether they can pressure OVHC/F with threats of sanctioning OVH in Canada.
"But refusing the Canadian order risks contempt of court charges."
I'd have thought that that would be the easier alternative to defend. The Canadian arm can ask the French HQ for the information and can report refusal. It would surely be up to the prosecution to demonstrate that the local office has authority over HQ to do more, especially as a MLAT route exists.
It's more complicated than that with multinational companies and their subsidiaries. The courts in Canada know very well that they can apply pressure on the subsidiary to get the parent to comply. The threat of contempt is initially not that serious, but it could escalate to sanctioning the whole business.
However, OVH as a French company must comply with French and EU law and France could easily turn this into a matter of "national sovereignty" in which case, the contempt case would be dropped. But nobody wants it to go that far. I suspect, some kind of fudge where a French judge is asked to decide on whether the data can be released, and under what conditions it is made available.
This sort of thing makes the law irrelevant
If I have a house in Canada, can the courts in Canada issue a search warrant for my house in France? I would say a big FU to the Canadian judge.
Next up, don't buy Canadian in Europe.
Treaties
What's the point in having treaties if local law enforcement think they can ignore them?
Seems like time Politicians got off their arse and spoke to each other to ensure these requests go via the agreed route?
Re: Treaties
Exactly. We have these treaties, and the bureaucrats can and do talk to each other, and the paperwork can totally be filed for this.
Use. The. Bloody. Procedures.
Re: Treaties
It's not about treaties; it is about bad business behaviour.
If OVH capitulates, the story is over.
If OVH asserts that it has a spine ( which is why you are reading this ), the RCMP will have to do some actual investigation, rather than merely fishing.
It's a bit of an epidemic here; Canada has relatively tight rules about information, but that doesn't stop banks from handing over financial records without a shred of process.
Re: Treaties
Or freezing people's bank accounts because the government is feeling aggrieved
https://www.forbes.com/sites/siladityaray/2022/02/23/canada-begins-to-release-frozen-bank-accounts-of-freedom-convoy-protestors/
"Isabelle Jacques, Canada’s assistant deputy minister of finance, told lawmakers on Tuesday that a vast majority of the locked accounts are now in the process of being released.
Jacques told a parliamentary committee that up to 210 bank accounts linked to the protestors—with cumulative holdings of C$7.8 million ($6.12 million)—had been frozen under the country’s emergencies act."
https://www.jurist.org/news/2024/01/canada-dispatch-federal-court-judge-rules-government-lacked-authority-to-invoke-emergencies-act-over-freedom-convoy-breached-charter-rights/
"Further, the court concluded government violated the Charter rights of convoy participants who had their bank accounts frozen. Mosley ruled that the federal government’s order empowering banks to freeze the accounts of those violating the emergency regulations and directing banks to provide violators’ information to the RCMP constituted an unreasonable search and seizure. The justice reasoned that the freezing of accounts constituted a “seizure” and that the order to provide the RCMP with blockade participants’ banking information was a “search.” Mosley held that the searches and seizures were unreasonable as they were not carried out according to an “objective standard.”".
A clear case of not doing your homework
Surely OVH's legal department should be aware of the risks of having subsidiaries in countries outside the EU?
This is a rather embarrassing case of not having thought things through and examined all the ramifications of opening a foreign subsidiary. There's also a distinct taste of a Canadian judge who likes to throw their weight around and who seems to think her commands should carry weight outside of Canada, just because.
The correct answer from OVH France is "Non", "Use the defined MLAT treaty" and possibly followed by shutting down their Canadian subsidiary.
Re: A clear case of not doing your homework
>> shutting down their Canadian subsidiary.
It may come to that. We need to do the same for every American and Canadian company in Europe too.
Sovereignty??
.....but multiple state-based bad actors REGULARLY hack anything connected to the internet!
.....or anything connected to the mobile phone network! (Remember Jamal Khashoggi??)
This "sovereignty" chatter is simple misdirection! The operatives at Hubble Road (or Fort Meade) have
the tools to ignore all this "sovereignty" business!!
Who can the Canadian courts make do things ?
A Canadian court can order someone in Canada to do things. This can include accessing data that their French bosses have told them to not look at.
So when a Canada resident techie tries to access data but finds that s/he cannot access it (computer security systems say "no") then that techie has tried to fulfil the order to the best of his ability. That s/he could not get the data is not their fault.
Ball back to the Canadian court, what can it do ?
• Imprison the Canadian techie. But s/he tried his best to obey the order. I suspect that an appeal would get them out (Canada is not Trump's USA).
• Send an order to OVHcloud in France. That will simply say that French laws prevent it from obeying the order; anyway we are not subject to foreign court orders. Take us to court in France, this would go nowhere.
• Close down OVHcloud in Canada until OVHcloud in France obeys the order. This is likely to spark an international incident.
Me: I will stock up on popcorn until this is resolved.
Any legal issues are secondary
to financial ones.
This should be judicial overreach.
This judge is ordering a Canadian entity to break French law. Judicial systems generally don't do that.
Ah now Canada, don't be acting like the Yanks.
If you have a subsidiary in a nation it is subject to that nation's legal system first and foremost. Being a foreign owned business does not escape liability. There's no need to go through treaties for the request because the request is being made of a legally-Canadian business.
Hang on
OVH said [1]here in July:
"OVH Group abides by local laws in the countries it operates in. As such, OVH US may be subject to requests from American authorities within the framework of the Cloud Act as long as these demands are connected to customers of OVH US and are strictly compliant with applicable American law. The French OVH entity (or its European subsidiaries) is not subject to the Cloud Act, the Patriot Act or the FISA."
Somehow Canada has the legal tools to force OVH's Canadian subsidiary to give up data in the EU but the US doesn't?
I think what we were told back then was not strictly the vérité.
[1] https://www.theregister.com/2025/07/25/microsoft_admits_it_cannot_guarantee/