Ask HN: Does US law apply to AWS data-centers located outside USA?

12 points by yeleti ↗ HN

9 comments

[ 2.7 ms ] story [ 29.0 ms ] thread
Yes, mozilla mentioned this in a blog post when someone here on HN pointed that they should move persona out of the U.S. Being a U.S. company they have to follow the U.S. law regardless of their servers' location.
I believe this is the relevant thread: https://news.ycombinator.com/item?id=5854813

Its a bit short on specifics though. I'd like to know which laws give the US access to data held on servers that are physically outside its jurisdiction. What happens when they are in conflict with local laws (e.g. EU privacy laws)? I though there were international agreements covering this.

If Apple can successfully use tens of shell companies to declare income outside of the US and thereby avoid taxes, I wonder if Mozilla and others could create shell companies outside the US to avoid surveillance.
I wonder if US laws would apply to foreign corporations entirely owned by US corporations? E.g., if Amazon set up an Irish corporation to own and manage a data center in Ireland, even though Amazon still exercised control, wouldn't that data center be outside the scope of US law?
According to US law, US law applies to any company with a presence in the US or that does business with US companies or serves US customers. Yes, that means pretty much every major corporation in the entire world.

How effective the US gov can enforce its laws depends on how much leverage the US gov can apply against the specific company. For example, it can bar other US companies from interacting with them. It can potentially seize assets. Or it can arrest company officers if they happen to enter US jurisdiction. All these have occurred in the past.

What if there is a conflict between US law and the law of the country in which the owned corporation operates?

To take @ratsbane's example, Amazon Data Services Ireland is the Irish company that manages the data centre that currently comprises the AWS EU West region. It does no business in the US, but its parent company (Amazon.com Inc) does. Amazon Data Services Ireland are subject to Irish and EU laws relating to privacy and data protection. They can't just ship personal/commercial data out of the UK to the US as this would breach local laws. If the US govt demands that Amazon Inc provide it with data that is located in Dublin, what do Amazon Inc actually do? Does US law really mandate that Amazon Inc must force its subsidiary to break local laws?

"It can potentially seize assets. Or it can arrest company officers if they happen to enter US jurisdiction."

I know this has happened with on-line gaming companies - but that is a situation where the foreign company is doing something that the UK considers to be illegal. We're talking about the scope of laws relating to non-US companies engaged in lawful activities.

I suspect that the reach of the US government in these situations actually depends on international agreements with other nations (or groups, like the EU) and not US domestic law.

Ireland is not in the UK. Just to point that out mr andyjohnson05.
Depends on how much money is at stake :)
TOS mention jurisdiction? Im sure its US soil somewhere