Does the US have juristriction over the whole world?

Peter Fairbrother zenadsl6186 at
Sat Nov 26 14:29:53 GMT 2011

Mary Hawking wrote:
> Does anyone know about this - and whether it is true?
> Apparently it is Microsoft's view that requiring data to be held within a
> national boundary is a breach of WTO regulations - and, worryingly, that any
> data held by any organisation which trades with the US is subject to US law.
> "Any company with a presence in the United States of America (not just those
> with headquarters or subsidiaries in that country) may be legally required
> to respond to a valid demand from the United States Government for
> information the company retains custody over or controls, regardless of
> where the data is stored or the existence of any conflicting obligations
> under the laws of the country where the data is located," the submission
> states

It is not unusual for US law and US Courts to claim jurisdiction 
anywhere in the world, eg they do this over the taxpaying requirements 
of US citizens.

Microsoft's statement is probably true in terms of US law, but it isn't 
quite as straightforward as it might seem.

I imagine it goes something like this: Suppose a US Government demand 
fopr data is made, and a Court order is made. The US branch office 
cannot obtain the data themselves, and they ask the UK office. The UK 
office says no.

What can a US Court do to enforce the order? A very long story, but in 
the end, in practice, nothing substantial. So while they may claim 
jurisdiction, it doesn't mean much.

To address the wider issue, what Microsoft are really upset about is 
clouds. First, some law:


Data Protection Act, Schedule 1 part 1, principle 7:

Appropriate technical and organisational measures shall be taken against 
unauthorised or unlawful processing of personal data and against 
accidental loss or destruction of, or damage to, personal data.

Data Protection Act, Schedule 1 part 2 section 11: Interpretation of the 
seventh principle,

Where processing of personal data is carried out by a data processor on 
behalf of a data controller, the data controller must in order to comply 
with the seventh principle—

(a) choose a data processor providing sufficient guarantees in respect 
of the technical and organisational security measures governing the 
processing to be carried out, and

(b) take reasonable steps to ensure compliance with those measures.


Another bit of law, about the WTO, but I don't have details to hand - if 
measures are taken by one country for the purpose of providing data 
security, they are not actionable under the WTO, even if they restrain 
trade etc.


And what it comes down to is this: Microsoft say that encryption and 
their "best practices" provide better security against unauthorised 
processing  than let's say only keeping the data in a local office.

(the data controller is the only person capable of granting 
authorisation, as the requirement to follow the principles is upon him 
and no-one else, that's DPA section 4(4) I think offhand).

Which, if Microsoft were correct about the US Government's ability to 
demand data, would be immediately obvious nonsense - rather than the 
slightly-less-obvious nonsense it is.

(a UK data controller is required by law to protect personal data in his 
control against the US government as well as spammers and identity 
thieves. He's also required to protect it against the UK Government, who 
if they want it must get it through him).

It's long past time that the UK and EU/EAA Information Commissioners 
gave clear guidance that personal data cannot be stored in clouds. Full 

-- Peter Fairbrother

> Could any other country pass similar legislation?
> What would happen if, say, Russia or China passed similar legislation: would
> Microsoft be obliged to release the information they held in the USA?
> Mary Hawking
> "thinking - independent thinking - is to humans as swimming is to cats: we
> can do it if we really have to."  Mark Earles on Radio 4.  

More information about the ukcrypto mailing list