From my understanding it comes from a law passed that allows unlimited access by state intelligence services in China to any firms customer data.
"The most controversial sections of the law include Article 7 which potentially compels businesses registered or operating in the People's Republic of China to hand over information to Chinese intelligence agencies such as the MSS and to conceal the fact that they do so." [1]
The same laws apply to American companies for American data requested by American agencies, is that better? And likely Norwegian too, but I don't know the specifics there.
Actually, the Chinese government holding my data is probably better than my own government holding and using it to incriminate me. I'm pretty sure China doesn't share the data they're collecting with their adversaries or even allies.
Which like yeah, but the US doesn't exactly come out smelling like a rose here. The whole EU-US transatlantic data transfer spat surrounding Facebook was because of PRISM which EU courts ruled gave the US the same level of access.
If you're in the US you could make an argument that it's fine because it's your own government -- which I don't really buy because China can't arrest you over here -- but to everyone else US tech and business should be just as toxic as China if that's the real motivation.
The CLOUD act has provisions that allow a company to challenge a warrant if the target is not a US person and obtaining the data would violate local laws.
