The Butterfly Effect: Outsourcing, the USA PATRIOT Act and OFAC

As a demonstration of the butterfly effect of chaos theory, changes made to U.S. law after the 9/11 terror attacks are now being raised as obstacles to the competitiveness of U.S.-based outsourcing and IT services companies when competing for business in Europe and Asia.

The USA PATRIOT Act contains provisions allowing the U.S. government access to business records for foreign intelligence and international terrorism investigations. The extraterritorial effect of the USA PATRIOT Act means that confidential data of non-U.S. outsourcing customers is potentially open to disclosure to the U.S. authorities via any U.S.-based service provider (or its non-U.S.-based affiliate) handling that data.

This Client Alert examines the effect of the USA PATRIOT Act – and the extraterritorial effect of the U.S. Office of Foreign Assets Control rules – on non-U.S. entities that enter into outsourcing or IT services arrangements with U.S. corporations or their overseas subsidiaries. In particular, it addresses whether a non-U.S. subsidiary or affiliate of a U.S. corporation may be required under the USA PATRIOT Act to disclose to the FBI data belonging to its customers, and what actions non-U.S.-based customers can take to retain control of their data.


Section 215 of the USA PATRIOT Act, enacted in the months following the 9/11 terror attacks, provides the U.S. government with the means to access business records for foreign intelligence and international terrorism investigations.

Specifically, section 215 of the USA PATRIOT Act permits the FBI to apply for an order "requiring the production of any tangible things (including books, records, papers, documents, and other items) for an investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities." If a U.S. judge finds that an FBI application meets the relevant requirements, the judge must enter an ex parte order approving the release of items sought.

The USA PATRIOT Act is extraterritorial in application: it permits the U.S. authorities to enforce its provisions against non-U.S. entities and non-U.S. data. The extraterritoriality applies via corporate ownership and the location of servers or data. It would not be a defense for a U.S. company which possesses or processes data to say that it does so outside the U.S. It would be harder, but by no means impossible, for the U.S. authorities to enforce disclosure provisions on a non-U.S. entity with operations overseas. The position of a non-U.S. affiliate of a U.S. parent which processes data outside the U.S. is less clear: much would depend on the degree of connection to the U.S.

If the recipient of a section 215 order is, for example, an EU-based entity and the entity chooses to disregard the court order, a judge may attempt to enforce such order against the U.S. parent of the EU-based entity. In addition, the U.S. parent itself may be the direct recipient of the section 215 order. These circumstances present a different scenario because the U.S. parent corporation would be within the jurisdiction of the judge that issued the section 215 order. The U.S. parent corporation would need to decide whether to challenge or comply with the order. As a result, whether or not the order would cause the production of the EU-derived...
