The revelations of Edward Snowden and the US Department of Justice's (USDoJ) position in a recent lawsuit involving data in a Microsoft data center in Ireland make it clear that the US regards any information in the custody of an organization that has US operations, no matter where in the world it is stored, as subject to US jurisdiction. The USDoJ's position is set out here and summarized thus:
> In essence, President Barack Obama's administration claims that any company with operations in the United States must comply with valid warrants for data, even if the content is stored overseas. ... A magistrate judge has already sided with the government's position, ruling in April that "the basic principle that an entity lawfully obligated to produce information must do so regardless of the location of that information."

Although, in preparation for a July 31 hearing at which the magistrate judge's ruling was upheld but stayed pending appeal, Microsoft very publicly objected, as did other companies that have filed amicus briefs, such as AT&T, this is likely just PR from a company that has betrayed its users in the past, for example over the encryption of Skype communications. In upholding the ruling Judge Preska said (emphasis mine):
> the warrant lawfully required the company to hand over any data it controlled, regardless of where it was stored. “It is a question of control, not a question of the location of that information,”

Note that the Data Retention and Investigatory Powers (DRIP) Act, recently rushed through the UK Parliament, takes the same position. It is already law; it is being challenged in the courts but the process will take years. Thus, asking where the data is stored is no longer relevant; it doesn't tell you whose laws apply to that data. If the organization with custody "has operations" in the US or the UK, US or UK courts will exert jurisdiction.
Given this position, it would be prudent for a national hosting organization (NHO) to ensure not merely that the copies were on their country's soil in a system owned by their country's nationals, but also that the system was exclusively operated by their country's nationals. This would ensure that no-one subject to US jurisdiction would have administrative access to the system, and thus prevent such persons from impairing the operation of the system, for example by removing content from the system in response to an order of a US court. Such orders can be envisaged, for example, in cases where the US government classes information, even after publication, as "sensitive but unclassified", or attempts to secretly rewrite history such as court transcripts, or when copyright claims are made under the US Digital Millennium Copyright Act (DMCA).
The New America Foundation has a fascinating report, Surveillance Costs: The NSA’s Impact on the Economy, Internet Freedom & Cybersecurity (PDF), that provides many details and references for those interested in this area. The German government, more sensitive than others after Angela Merkel's phone was tapped, seems to have figured out that there is a problem:
> But since April, any company that cannot guarantee that foreign services or authorities will not obtain any of their data is being excluded from federal contracts in Germany.

EU countries are, ironically, in a poor position to oppose extraterritorial application of Internet law on principle:
> In March 2014, members of the European Parliament passed the EU’s much-debated Data Protection Regulation and Directive by an enormous margin. The rules impose strict limitations on what can be done with the data of EU citizens. ... The new rules apply to the processing of EU citizens’ data no matter where that data is located, ensuring that personal information from Europe is still protected by EU laws when it travels elsewhere, especially to the United States.

A further question that needs to be answered is how any disputes arising from the operation of the national hosting service would be resolved. Two kinds of dispute could be envisaged:
- Unsatisfactory service provision to participating libraries (PLs) using the national hosting facilities:
  - In the case of a service provided, for example, by a US-based organization, this would be a dispute about the terms of the contract between the NHO and the service provider. This contract would have been written by the service provider's lawyers and be governed by US law. The aftermath of the financial crisis has shown the USDoJ and the US courts to be less than even-handed as between domestic and foreign litigants. The PLs themselves would not be parties to the dispute. The prospects for a satisfactory resolution would be poor.
  - In the case of a service owned and operated by the NHO, the dispute would be between the PLs and the NHO over the terms of their contract. The PLs would be parties to the dispute. The contract would have been written by the NHO's lawyers and governed by national law.
- Failure of publishers to deliver content to the archive:
  - In the case of a service provided, for example, by a US-based organization, this would be a dispute over the terms of the contract between the service provider and the publisher, which would be governed by US law. Neither the PLs nor the NHO would be parties to the dispute. They could only hope that their interests would be represented by the service provider.
  - In the case of a service owned and operated by the NHO, this would be a dispute over the terms of the contract between the NHO and the publisher, which would be governed by national law. The NHO would be a party to the dispute and would represent the interests of the PLs.
> 10.7 This Agreement shall be governed by and interpreted and construed according to the laws of the State of New York or United States Federal law, as applicable, excluding any law that might direct the application of the laws of another jurisdiction. The parties expressly agree that the United Nations Convention on Contracts for the International Sale of Goods shall not be applicable to this Agreement. The English language version of this Agreement shall be controlling over any other version.

Caveat Emptor. "Agreements" such as these, and the End User License Agreements or click-through Terms Of Service that we accept every day, are carefully constructed to ensure that, regardless of the facts of the case, there is no possibility whatsoever of the customer prevailing in a dispute with the service.
> 10.8 Any controversy or claim arising out of or relating to this Agreement shall be settled by arbitration conducted in English in New York, New York, in accordance with the Commercial Arbitration Rules of the American Arbitration Association, and judgment on the award rendered by the arbitrator(s) may be entered in any court having jurisdiction thereof. The parties agree to exclude any right of application or appeal to non-U.S. courts in connection with any question of law arising in the course of the arbitration, or with respect to any award made.
These developments appear to have destroyed any case there might have been for outsourcing archiving across national borders.