Does the US have jurisdiction over the whole world?
Peter Fairbrother
zenadsl6186 at zen.co.uk
Sat Nov 26 18:33:07 GMT 2011
Roland Perry wrote:
> In article <4ED123C2.1070700 at zen.co.uk>, Peter Fairbrother
> <zenadsl6186 at zen.co.uk> writes
>>>> It's long past time that the UK and EU/EAA Information Commissioners
>>>> gave clear guidance that personal data cannot be stored in clouds.
>>>> Full stop.
>>> Cloud vendors are aware of these issues and have different products
>>> for different markets. If you need a cloud-based solution that
>>> "stays in the EU" or even "stays in the UK" you can probably find
>>> one, but don't expect it to be one of the mass market consumer ones.
>>
>> The problem isn't just staying in the UK/EU, though that is a part of it.
>>
>> It's also that the operators of the cloud - and by that I mean
>> everyone who controls any of the machinery (or even the networking
>> services) in the cloud, not just the people who sell the cloud service
>> - are data processors, and the data controller has a responsibility to
>> ensure that they "provid[e] sufficient guarantees in respect of the
>> technical and organisational security measures governing the
>> processing to be carried out".
>>
>> Also the data controller must "take reasonable steps to ensure
>> compliance with those measures"
>>
>> If the data controller doesn't even know who is hosting the data he is
>> responsible for, how can he be performing either of these duties?
>
> If the data "stays in the EU/UK" then the assumption is that the various
> parties are acting lawfully, and thus complying with the relevant data
> protection requirements.

You may be able to make that assumption IF you know who all the parties
are, and have some assurance that they are technically competent,
responsible and law-abiding parties - but in a cloud situation you won't
even know who the parties are, never mind whether they are responsible or
law-abiding people.

The duty on a data controller must surely include a requirement to check
whether the parties are at least outwardly law-abiding and responsible -
otherwise a data controller could store data at Crooks-and-Spammers Ltd
without penalty.

>>> At a Council of Europe conference last year the MS rep said that
>>> their standard cloud might not be what you needed in these
>>> circumstances (but they might have changed their stance/product in
>>> the meantime).
>>
>> Not sure what MS meant by "these circumstances",
>
> That you want the data to be guaranteed to stay within an EU/UK
> jurisdiction.

I doubt whether a cloud can do this. A dedicated data processing
outsourcing company, yes perhaps, but a cloud? I doubt it.

Btw, I can't conceive of many situations where staying in the UK/EU was
a requirement and the other requirements for processing personal data
weren't.

-- Peter Fairbrother