Does the US have jurisdiction over the whole world?

Peter Fairbrother zenadsl6186 at zen.co.uk
Sat Nov 26 18:33:07 GMT 2011


Roland Perry wrote:
> In article <4ED123C2.1070700 at zen.co.uk>, Peter Fairbrother 
> <zenadsl6186 at zen.co.uk> writes
>>>> It's long past time that the UK and EU/EEA Information Commissioners 
>>>> gave clear guidance that personal data cannot be stored in clouds. 
>>>> Full stop.
>>> Cloud vendors are aware of these issues and have different products 
>>> for different markets. If you need a cloud-based solution that 
>>> "stays in the EU" or even "stays in the UK" you can probably find 
>>> one, but don't expect it to be one of the mass market consumer ones.
>>
>> The problem isn't just staying in the UK/EU, though that is a part of it.
>>
>> It's also that the operators of the cloud - and by that I mean 
>> everyone who controls any of the machinery (or even the networking 
>> services) in the cloud, not just the people who sell the cloud service 
>> - are data processors, and the data controller has a responsibility to 
>> ensure that they "provid[e] sufficient guarantees in respect of the 
>> technical and organisational security measures governing the 
>> processing to be carried out".
>>
>> Also the data controller must "take reasonable steps to ensure 
>> compliance with those measures"
>>
>> If the data controller doesn't even know who is hosting the data he is 
>> responsible for, how can he be performing either of these duties?
> 
> If the data "stays in the EU/UK" then the assumption is that the various 
> parties are acting lawfully, and thus complying with the relevant data 
> protection requirements.


You may be able to make that assumption IF you know who all the parties 
are, and have some assurance that they are technically competent, 
responsible and law-abiding parties - but in a cloud situation you won't 
even know who the parties are, never mind whether they are responsible or 
law-abiding people.


The duty on a data controller must surely include a requirement to check 
whether the parties are at least outwardly law-abiding and responsible - 
otherwise a data controller could store data at Crooks-and-Spammers Ltd 
without penalty.


>>> At a Council of Europe conference last year ago the MS rep said that 
>>> their standard cloud might not be what you needed in these 
>>> circumstances (but they might have changed their stance/product in 
>>> the meantime).
>>
>> Not sure what MS meant by "these circumstances",
> 
> That you want the data to be guaranteed to stay within an EU/UK 
> jurisdiction. 


I doubt whether a cloud can do this. A dedicated data processing 
outsourcing company, yes perhaps, but a cloud? I doubt it.

Btw, I can't conceive of many situations where staying in the UK/EU was 
a requirement and the other requirements for processing personal data 
weren't.

-- Peter Fairbrother




