It is not unusual for US law and US Courts to claim jurisdiction anywhere in the world; e.g. they do this over the taxpaying requirements of US citizens.
Microsoft's statement is probably true in terms of US law, but it isn't quite as straightforward as it might seem.
I imagine it goes something like this: Suppose a US Government demand for data is made, and a Court order is made. The US branch office cannot obtain the data themselves, and they ask the UK office. The UK office says no.
What can a US Court do to enforce the order? A very long story, but in the end, nothing substantial. So while they may claim jurisdiction, it doesn't mean much.
To address the wider issue, what Microsoft are _really_ upset about is clouds. First, some law:
Data Protection Act, Schedule 1 part 1, principle 7:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Data Protection Act, Schedule 1 part 2 section 11: Interpretation of the seventh principle:
Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle—
(a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and
(b) take reasonable steps to ensure compliance with those measures.
Another bit of law, about the WTO, but I don't have details to hand - if measures are taken by one country for the purpose of providing data security, they are not actionable under the WTO, even if they restrain trade etc.
And what it comes down to is this: Microsoft say that encryption and their "best practices" provide better security against unauthorised processing than let's say only keeping the data in a local office.
(The data controller is the only person capable of granting authorisation, as the requirement to follow the principles is upon him and no-one else; that's DPA section 4(4) I think offhand.)
Which, if Microsoft were correct about the US Government's ability to demand data, would be immediately obvious nonsense - rather than the slightly-less-obvious nonsense it is.
(A UK data controller is required by law to protect personal data in his control against the US government as well as spammers and identity thieves. He's also required to protect it against the UK Government, who if they want it must get it through him.)
It's long past time that the UK (and EU/EEA) Information Commissioners gave clear guidance that personal data cannot be stored in clouds. Full stop.