Does the US have juristriction over the whole world?

Ben Liddicott ben at
Sat Nov 26 19:35:39 GMT 2011

The first principle is it must be "processed fairly and lawfully" and "shall 
not be processed unless(...)".
But if it is under an exemption, schedule 1 does not apply, and it is lawful 
to process it in any manner whether fair or not and whether the conditions 
are met or not.

The seventh principle requires the data controller to protect the data 
"unauthorised or unlawful processing of personal data and against accidental 
loss or destruction of, or damage to, personal data"

That does not include "lawful" processing allowed by the exemptions listed, 
if "authorised" by the data controller. So he has to protect against MI9 
black-cyber-ops hackers, but if MI9 ask nicely there is nothing stopping him 
giving it to them.

The data protection act does not provide any obligation on the data 
controller to resist any overreaching on the part of the state.


-----Original Message----- 
From: Peter Fairbrother
Sent: Saturday, November 26, 2011 7:06 PM
To: UK Cryptography Policy Discussion Group
Subject: Re: Does the US have juristriction over the whole world?

Ben Liddicott wrote:
>> -----Original Message----- From: Peter Fairbrother Sent: Saturday, 
>> November 26, 2011 2:29 PM
> (...)
>> (a UK data controller is required by law to protect personal data in his 
>> control against the US government as well as spammers and identity 
>> thieves. He's also required to protect it against the UK Government, who 
>> if they want it must get it through him).
> (...)
> He is not required to protect it against the UK government.
> There is a general exception to the Data Protection Act for the prevention 
> and detection of crime. Also one for "historical purposes", i.e. keeping 
> it all forever in case your descendants happen to be interested.
> A partial list of exemptions is:
> 28. National security..
> 29. Crime and taxation..
> 30. Health, education and social work..
> 31. Regulatory activity..
> 32. Journalism, literature and art..
> 33. Research, history and statistics.
> Together they are - a hole the size of a truck for the authorities.
> You didn't think it was there to protect you from the state, did you?
> The Data Controller CAN say no in these circumstances and ask for a court 
> order.
> But he *does not have to*.


However, for 29 Crime and taxation.., 32 Journalism, literature and art
and 33 Research, history and statistics the data controller does have to
ensure that they can't get the data without his authorisation. Those
exemptions specifically do not exempt the seventh principle.

While it is possible that the seventh principle may be voided by 30
Health, education and social work.. and 31, Regulatory activity.. afaik
there are no orders in existence which void the seventh principle for
Health, education and social work reasons, and if it ever happens at all
for Regulatory activity reasons, it doesn't happen often.

The situation in regard to National security matters is more complex,
debatable and not relevant enough to go into in detail here, but in
general the seventh principle is not voided.

So basically he still has a duty to protect the data against the UK
Government's unauthorised access (except maybe in some rare national
security cases, but even this is debatable.)

-- Peter Fairbrother

> Cheers,
> Ben

More information about the ukcrypto mailing list