by pash 4737 days ago
There is some precedent for how things might unfold in the kerfuffles that have resulted from the U.S. government's attempts to enforce its trade sanctions against countries like Cuba, Iran, and North Korea.

Under the Helms-Burton Act [0], the United States expanded its embargo on trade with Cuba to authorize sanctions against foreign firms that trade with Cuba. Mexico and the European Union responded [1] by forbidding their companies from complying with the U.S. law. This left those firms in the impossible situation of violating either U.S. or domestic law no matter what they did. After abortive attempts to negotiate a solution, nothing was done to resolve the situation, so Mexican and E.U. firms that trade with Cuba are still in a tricky situation.

As another example, the Office of Foreign Assets Control, a bureau of the Treasury Department tasked with enforcing U.S. embargoes, for decades operated under the interpretation that foreign subsidiaries of U.S. corporations were not subject to limits on trade under U.S. sanctions laws so long as no U.S. persons were involved in conducting the banned trade.† But this past February, to strengthen U.S. sanctions against Iran, President Obama issued an executive order [2] that for the first time extended the U.S. government's claimed legal jurisdiction to encompass the actions of foreign subsidiaries of U.S. corporations:

  All property and interests in property that are in the
  United States, that hereafter come within the United States,
  or that are or hereafter come within the possession or
  control of any United States person, INCLUDING ANY FOREIGN
  BRANCH, of the following persons are blocked and may not be
  transferred, paid, exported, withdrawn, or otherwise dealt
  in ... [my emphasis]

Prior to that executive order, there was no indication that the U.S. government, even in matters of national security, claimed that foreign subsidiaries of U.S. corporations must comply with U.S. law. Under that longstanding interpretation, I would not have been surprised to see companies like Google make an effort to store foreign users' data in foreign data-centers owned and operated by foreign subsidiaries. That way, the data would not be subject to seizure under FISA (or whatever other authorization the NSA claims), and Google could comply with foreign privacy laws and U.S. law at the same time.

But now, it seems, that may be out the window. It may well be that the U.S. government claims jurisdiction over data held by foreign subsidiaries of U.S. tech companies, in which case those companies will truly be between a rock and a hard place. Unlike the situation with Helms-Burton, however, things will surely come to a head; these major corporations have extensive operations both in the United States and in the E.U., where domestic privacy laws would outlaw compliance with U.S. laws requiring that they turn over data to the NSA.

So this should be fun. ...

† — In this matter and others, the U.S. government claims jurisdiction over U.S. persons—citizens, greencard-holders, and companies incorporated in the United States—no matter where they are in the world.

0. http://en.wikipedia.org/wiki/Helms%E2%80%93Burton_Act

1. http://europa.eu/rapid/press-release_IP-96-732_en.htm

2. http://www.treasury.gov/resource-center/sanctions/Programs/D... [PDF]

1 comments

> companies like Google make an effort to store foreign users' data in foreign data-centers owned and operated by foreign subsidiaries.

Can confirm that while working on the EU rollout for Office 365 a few years ago, this was certainly the case. EU customer data had to stay in Ireland, and there were even rules/debates about how much of the 'metadata' (i.e. to answer "does this user exist?") that could come back to the US.

At the time the reasoning was for EU Privacy Directive and not explicitly based on US law or precedents, but I bet a few realized the alignment and ensured the engineers stayed on this path.