> Incorporating a subsidiary in a foreign country doesn't make the parent company immune to the legal obligations it has in it's home country.
We're not talking about legal obligations in its home country though. I can buy Jack Daniels at age 19 in my country from their local subsidiary, and no-one thinks that this should be a crime for their US parent company because the US drinking age is higher. (Of course it would be a crime for either the parent or the subsidiary to sell to 19 year olds in the US)
(No-one is blaming Dell or Let's Encrypt here, to be clear, it's the US' excessive extraterritorial laws that are the problem)
If you are in the US you must ensure that your local company, and any sub-entity you control abroad complies with sanctions law. That is US law, and the US can apply that law to Dell the parent company, because it is in the US and controls the subsidary.
> I can buy Jack Daniels at age 19 in my country from their local subsidiary, and no-one thinks that this should be a crime for their US parent company because the US drinking age is higher.
Because there is no US law that says you cannot sell alcohol to people abroad under 19. Heck, there's no US federal law that says Jack Daniels can't sell to people in the US under 19, either. And in fact, there are some places in the US where you can legally drink at 18, e.g. Puerto Rico. But if the US congress wanted to pass one of these laws and enforce it, it could.
US sanctions law saying that you must not transfer X from the US to Iran, directly or indirectly, is reasonable. US sanctions law saying that you must not transfer X from Brazil to Iran is gross overreach. Yes, of course the US can apply its absurdly extraterritorial laws to any parent company in the US, just as Iran could penalise any Iranian company whose US subsidiary distributed a depiction of the prophet or whatever, but that doesn't make it good law or good practice.
That's a fair opinion to have.
But the US isn't really unique in applying their laws extraterritorially. See GDPR, Universal jurisdiction laws, China's National Security Law, etc... Every jurisdiction with sizable power does it. Some of these are even more extraterritorial in scope than US sanctions are.
> GDPR
Only applies to EU citizens' personal data, so while technically extraterritorial it doesn't feel like overreach in the same way.
> Universal jurisdiction laws
Rightly controversial when applied beyond things that are internationally agreed to be crimes against humanity, like torture or genocide.
> China's National Security Law
A perfect example of the kind of thing that the US used to define itself in opposition to.
Nations are sovereign and those with the might to push their requirements on others can do so. But I liked it better when we had a sense of the value of an open international order, where things like internet protocols were shared standards that everyone would collaborate on other than a handful of pariah states.
The difference between any of these is just a matter of opinion on what sovereignty means, what or who or where it applies to, what is a “human rights violation”, and who has the bigger britches to back it up. /shrug
Meh. You can fall back on might makes right and a Hobbesian war of all against all, or you can recognise that the Westphalian system has brought immense value to humanity and is worth trying to preserve and build on. There will always be disputes about how to extend our principles into new domains, but that doesn't mean those disputes are insoluble or that a few disagreements mean we should tear down the whole project.