Thoughts on Salesforce

A community dedicated to making Salesforce, its products, and partners better...


European Customers vs. US Subpoenas?

Between a Rock and a Hard Place?
Sculpture by Nancy Doran

In a previous post I posed the question: Is TRUSTWORTHY? Although I was a bit vague in that post, I had planned to follow up with numerous posts to make several points.

Even though I have yet to return to that theme, the other day "Rup" posed a question that should be of significant concern to current and prospective customers of in Europe and beyond:


Can we trust not to hand over confidential data to a US judge (since the data is hosted in the U.S.) upon request through a subpoena, without them warning the targeted client/user?

This is what has just happened with the SWIFT inter-bank messaging company which is Belgian, but handed over confidential customer data (banking transactions!) to the U.S. without warning these customers.

Handling of personal and confidential business data is viewed very differently in the U.S. and in Europe, and this problem is a concern for European customers of US-hosted on-demand services.

What do you think?


My first thoughts when I read this were simply:

"Wow! That thought takes us in a completely different direction than I had intended. But still, it’s a very valid concern nonetheless!"

Actually, I see it being a symptom of a problem much larger than trusting, and a very difficult problem indeed! The Internet has exacerbated a situation that globalization began less than a century ago. National sovereignty was established along geographic lines for centuries, and the Internet is disrupting that precedent. Today we have companies and even people caught in the crossfire between multiple nations where each nation believes it has jurisdiction, often resulting in conflicting edicts.

For example, consider that a French court ruled against Yahoo for allowing Nazi-related material on its auction site, yet the USA considers such actions protected under free speech. And what about Google’s decision to censor itself in China to keep the Chinese government off its back, ignoring the U.S.’ fundamental right of free speech? Or when Yahoo gave the Chinese government four bloggers’ names and addresses, leading to their arrests and jail time? Or when Microsoft deleted the writings of free-speech blogger Zhao Jing at the Chinese government’s request?

I think the reality is these multiple sovereign nations are putting companies between a rock and a hard place. If you are running a business in a foreign country and that country’s government says "Hand it over!" what do you do? Defy and risk going to jail on principle disrupting your life to protect someone you’ve never met, or worse? Unfortunately, I wish it were different but I think there are too few martyrs left in the world today, and especially not working in a compliance role for multinational corporations.

Though the USA is not a foreign country to, the logistics of your example behave essentially the same. If a U.S. court requires hand over customer information and requires those customers NOT be notified as per our USA Patriot Act (thank you very much, Mr. Bush and gentlemen of PNAC), do you think it is likely (or even realistic) to expect that would notify customers out of some sense of moral obligation? Or would just stay quiet and comply with U.S. law? I think we both know the answer to that one. And honestly, though I hate to say it publicly, I don’t think that I could blame them.

That said, I think I have a potential for to mitigate this situation if they act in advance. However, me not being a lawyer I have no idea whether my suggestions would be feasible. And who knows, maybe they’ve already done it?

So if you take a look at (rather an ironic domain name given the topic du jour, don’t you think?) you’ll see that The server EMEA operates in Europe, Middle East, and Africa according to Kingsley Joseph. In order to avoid U.S. law, could configure itself as multiple companies that do not incur jurisdiction in the other’s jurisdiction but that interoperate via agreements as if they were one. Further, these independent companies could be sewn together by a holding company in a business friendly jurisdiction such as Switzerland. Then when a U.S. court asks for a European customer’s information, USA could rightly say it has no access at all to that information.

Assuming this strategy worked, it would make sense for to create even more independent companies and spread their servers across the world on a more granular basis. Of course as I said, I have no idea if this would even be viable, especially given the fact is already a public company on a U.S. stock exchange. But this is the only scenario I can envision that could protect the customer information of European companies from the potential assault of a Patriot Act-backed U.S. subpoena.

If the above is not possible, it appears there is a really huge opportunity for a competitor to establish a foothold and gain market share in Europe, and beyond. And if and many other American companies lose significant customers because of this, they can thank those politicians and pundits who played to the prejudices and fears of the majority of the American people and deceived them regarding most of the ramifications of the Patriot Act.

Anyone else got any other thoughts or theories? Even better, does someone from’s legal department want to weigh in?

5 Responses to “European Customers vs. US Subpoenas?”

  • Heretic responded:

    Just a point of clarification so people don’t get confused. You mention, “The server EMEA operates in Europe, Middle East, and Africa according to Kingsley Joseph,” but I don’t think that’s quite what he said in his comment.

    It would be a fair statement to say the EMEA server is for customers located in those regions, but the physical servers and data for all the servers are located in California. (“Mirrorforce” notwithstanding).

  • Rup responded:

    Yes, the EMEA server is hosted with the others, in California.

    You suggest:
    “In order to avoid U.S. law, could configure itself as multiple companies that do not incur jurisdiction in the other’s jurisdiction but that interoperate via agreements as if they were one.”

    I think that it would be sufficient for a national subsidiary (eg. EMEA, based in the EU) to host the physical server in the EU for EU law to apply to the hosted data, even if it were a 100% subsidiary of US.

    Subsidiary ownership is a financial problem; basing a company in the EU is sufficient for the law to apply to that company’s activities … and hosted data.


  • Mike Schinkel responded:

    Heretic: Good point. I made an erroneous assumption.

    Rup: I wonder if the hosted server being in EU would be enough to protect the data if it were still ultimately owned by a US company. That only a lawyer can say for sure, and I’d really be curious to know the answer.

    As for the financial problem, I am also not qualified to be a CFO so I’m not well versed in those areas either. The rhetorical question, however, is: Is it not a bigger financial problem to lose customers?

  • Michel Bourgeois responded:

    Hello to you,

    As a member of the Marketing department of my company, I’m looking into the possible benefits could bring to our reps. Would anyone have experience, good or bad, on the implementation of the app to an organization of > 500 people, on > 250 different locations, attacking regularly 1.5Mio records?

    Many thanks for your comments

  • Mike Schinkel responded:

    Michael: Gosh, I wish I could say otherwise, but with > 500 people is outside my scope of expertise. But I’m pretty sure has numerous deployments that large and larger; at their most recent dog & pony show in Atlanta I attended I spoke with several users I think has groups that large. With that many potential users, I’ll bet you could get your sales rep at to walk through broken glass to provide you with reference customers at much larger organizations. I’ll also forward to a consultant I know and ask if he has some input.
