[revscat]

I am curious to see if the business case against the NSA's power will have an effect. Right now I think things favor the bureaucracy. But if Apple, Google, Facebook, etc. make a broad push against it, we could see legislative changes which protect them.

A likely scenario is something which indemnifies them against any losses incurred as a result of foreign suits related to privacy breaches, so long as they're in accordance with US law.

[pash]

There is some precedent for how things might unfold in the kerfuffles that have resulted from the U.S. government's attempts to enforce its trade sanctions against countries like Cuba, Iran, and North Korea.

Under the Helms-Burton Act [0], the United States expanded its embargo on trade with Cuba to authorize sanctions against foreign firms that trade with Cuba. Mexico and the European Union responded [1] by forbidding their companies from complying with the U.S. law. This left those firms in the impossible situation of violating either U.S. or domestic law no matter what they did. After abortive attempts to negotiate a solution, nothing was done to resolve the situation, so Mexican and E.U. firms that trade with Cuba are still in a tricky situation.

As another example, the Office of Foreign Assets Control, a bureau of the Treasury Department tasked with enforcing U.S. embargoes, for decades operated under the interpretation that foreign subsidiaries of U.S. corporations were not subject to limits on trade under U.S. sanctions laws so long as no U.S. persons were involved in conducting the banned trade.† But this past February, to strengthen U.S. sanctions against Iran, President Obama issued an executive order [2] that for the first time extended the U.S. government's claimed legal jurisdiction to encompass the actions of foreign subsidiaries of U.S. corporations:

  All property and interests in property that are in the
  United States, that hereafter come within the United States,
  or that are or hereafter come within the possession or
  control of any United States person, INCLUDING ANY FOREIGN
  BRANCH, of the following persons are blocked and may not be
  transferred, paid, exported, withdrawn, or otherwise dealt
  in ... [my emphasis]

Prior to that executive order, there was no indication that the U.S. government, even in matters of national security, claimed that foreign subsidiaries of U.S. corporations must comply with U.S. law. Under that longstanding interpretation, I would not have been surprised to see companies like Google make an effort to store foreign users' data in foreign data-centers owned and operated by foreign subsidiaries. That way, the data would not be subject to seizure under FISA (or whatever other authorization the NSA claims), and Google could comply with foreign privacy laws and U.S. law at the same time.

But now, it seems, that may be out the window. It may well be that the U.S. government claims jurisdiction over data held by foreign subsidiaries of U.S. tech companies, in which case those companies will truly be between a rock and a hard place. Unlike the situation with Helms-Burton, however, things will surely come to a head; these major corporations have extensive operations both in the United States and in the E.U., where domestic privacy laws would outlaw compliance with U.S. laws requiring that they turn over data to the NSA.

So this should be fun. ...

† — In this matter and others, the U.S. government claims jurisdiction over U.S. persons—citizens, greencard-holders, and companies incorporated in the United States—no matter where they are in the world.

0. http://en.wikipedia.org/wiki/Helms%E2%80%93Burton_Act

1. http://europa.eu/rapid/press-release_IP-96-732_en.htm

2. http://www.treasury.gov/resource-center/sanctions/Programs/D... [PDF]

[yajoe]

companies like Google make an effort to store foreign users' data in foreign data-centers owned and operated by foreign subsidiaries.

Can confirm that while working on the EU rollout for Office 365 a few years ago, this was certainly the case. EU customer data had to stay in Ireland, and there were even rules/debates about how much of the 'metadata' (i.e. to answer "does this user exist?") that could come back to the US.

At the time the reasoning was for EU Privacy Directive and not explicitly based on US law or precedents, but I bet a few realized the alignment and ensured the engineers stayed on this path.

[rmc]

A likely scenario is something which indemnifies them against any losses incurred as a result of foreign suits related to privacy breaches, so long as they're in accordance with US law.

But that would only work in USA. What if a court in Germany fines Google Germany Ltd €1,000,000, and €100,000 per day until they stop sharing data with the US Gov? Will the US government give Google €1,000,000 to pay off the fine? What if the court in Germany confiscates the Google Germany Ltd's property? Will the US Gov reimbuse Google? What if a court in Germany forces all German ISPs to block Google? Will the US Gov reimburse Google?

Remember this companies (Google/Apple/Microsoft/Facebook/etc.) have local companies, local offices, local property and local employees. They can ignore local law only if they leave the country.

[pash]

Barring unusual claims of extraterritorial jurisdiction by either the United States or the European Union (or any of its member states), Google and other American tech companies may be able to comply with both US and EU law by handling data on EU users only within the EU, through EU subsidiaries.

Under that arrangement, the EU subsidiaries of US tech companies would not ordinarily be subject to US laws requiring them to hand over data to the NSA, so those subsidiaries could comply with EU privacy laws with no problem; at the same time, EU law would not reach the US parent companies, so they could give all the data to the NSA that they must in compliance with US law.

But because the Obama administration recently expanded the United States' already broad (by international standards) claims of extraterritorial jurisdiction in another matter,† it now looks like the United States might indeed claim the legal power to compel foreign subsidiaries of U.S. tech companies to hand over data they control to the NSA. In that case, those foreign subsidiaries would find themselves in an impossible situation, one in which they would be operating illegally under either EU or US law no matter what they do.

† — See my comment above, at the same level as this one's parent.

[jacalata]

This doesn't seem easy for facebook, at least. I live in the USA and regularly read my European friends facebook pages, and they comment on mine. European facebook users can travel to the USA and access their facebook page while here. How could you implement this kind of separation?

[makomk]

I'm not sure claims of extraterritorial jurisdiction by the US really count as unusual in this day and age.

[furyg3]

It will become a problem when European countries / organisations start requiring that data cannot be stored or managed at a US datacenter or by a US organisation.

You already see this happening with with datacenter locations...

[DanBC]

> It will become a problem when European countries / organisations start requiring that data cannot be stored or managed at a US datacenter

There are already restrictions on exporting personal data outside the EU. This is under the various data protection laws.

(https://en.wikipedia.org/wiki/Data_Protection_Directive)

(https://en.wikipedia.org/wiki/Data_Protection_Directive#Tran...)

I guess the exceptions will be tightened up now, especially if EU consumers press for it.

[narcissus]

If they were paying taxes in the US then maybe they could feel a little annoyed that the US might cause them business troubles elsewhere.

Instead, they're in that awful predicament where the senators they pay are screwing them, but the government as a representation of the people doesn't care.