Does the US have juristriction over the whole world?

Peter Fairbrother zenadsl6186 at
Sun Nov 27 00:09:59 GMT 2011

Ben Liddicott wrote:
> The first principle is it must be "processed fairly and lawfully" and 
> "shall not be processed unless(...)".
> But if it is under an exemption, schedule 1 does not apply, 

Schedule 1, or part of it,  still applies under most exemptions.  For 
instance, under the Crime and Taxation exemptions, the only part of 
Schedule 1 which is exempted is the first principle, and even that is 
only partly voided.

However the exemptions are all different. It's verra complicated, Captain.

> and it is 
> lawful to process it in any manner whether fair or not and whether the 
> conditions are met or not.

No - for instance, under the Crime and Taxation exemption data must 
still be processed in accordance with Schedules 2 and 3. And again, it's 
different for the different exemptions. None of them are blanket 
exemptions however.

> The seventh principle requires the data controller to protect the data 
> against:
> "unauthorised or unlawful processing of personal data and against 
> accidental loss or destruction of, or damage to, personal data"
> That does not include "lawful" processing allowed by the exemptions 
> listed, if "authorised" by the data controller. So he has to protect 
> against MI9 black-cyber-ops hackers, 

and that was my point. If the data is in a cloud he can't do that, so he 
can't keep personal data in a cloud. QED.

As a sidenote, the DPA does not distinguish between encrypted data and 
unencrypted data. Perhaps encrypting data has no legal effect here - cf 
the rather unique stance taken about encrypted data in part 2 of RIPA, 
where the encrypted data apparently is the data, and if the police etc 
have it then demanding a key isn't self-incrimination, as they already 
have the evidence/data.

> but if MI9 ask nicely there is nothing stopping him giving it to them.

Actually. there is.

Here I am talking about the national security exemption in S.28, and not 
any of the other exemptions - so for instance if MI5 asked for data in a 
criminal investigation, as opposed to a national security investigation 
(MI5 do both types of investigation), the S.28 exemption would not apply 
(though a different exemption, under s.29, which has different 
conditions and different exemptions, would).

The exemption in s.28 is only valid if the processing is "required for 
the purpose of safeguarding national security". If it isn't, the data 
controller would be committing an offence.

Now the minimum standard of how the data controller is supposed to know 
whether the processing is required for the purpose of safeguarding 
national security isn't addressed in the Act, though a maximum, in the 
form of a certificate signed by a minister is.

Presumably if the controller reasonably believes the processing is 
required for the purpose of safeguarding national security then he can 
take a chance and give out the data - but he might get in trouble for it 
if he hasn't seen a certificate.

> The data protection act does not provide any obligation on the data 
> controller to resist any overreaching on the part of the state.

I rather think it does, as above: a data controller can't give out data 
if eg the state are overreaching and falsely claimimg a national 
security exemption.

-- Peter Fairbrother

More information about the ukcrypto mailing list