Does the US have jurisdiction over the whole world?
Roland Perry
lists at internetpolicyagency.com
Sun Nov 27 10:46:50 GMT 2011
In article <4ED130E3.6060802 at zen.co.uk>, Peter Fairbrother
<zenadsl6186 at zen.co.uk> writes
>>> If the data controller doesn't even know who is hosting the data he
>>> is responsible for, how can he be performing either of these duties?
>> If the data "stays in the EU/UK" then the assumption is that the
>> various parties are acting lawfully, and thus complying with the
>> relevant data protection requirements.
>
>You may be able to make that assumption IF you know who all the parties
>are, and have some assurance that they are technically competent,
>responsible and law-abiding parties - but in a cloud situation you
>won't even know who the parties are, never mind whether they are
>responsible or law-abiding people.
You seem to be wanting a degree of micro-management of the supplier (and
their subcontractors etc) far in excess of a normal contractual
relationship with that supplier. For example, when you buy something
online do you require to know the identity of the co-location facility
housing his ecommerce platform, let alone disclosure of the platform's
vendor and the name of the operating system it's running on?
>The duty on a data controller must surely include a requirement to
>check whether the parties are at least outwardly law-abiding and
>responsible - otherwise a data controller could store data at
>Crooks-and-Spammers Ltd without penalty.
And you do that outward check by dealing with a reputable company
offering a "local cloud" that you can reasonably expect to be
law-abiding in this respect (and imposing suitable controls on their
chain of supply).
While the contract will doubtless say "the data will stay within $foo
geographical jurisdiction", and it doesn't do any harm for the contract
to say "and we will abide by the DPA", you might raise some eyebrows if
you insist it also says "we won't employ child labour or use stolen PCs
to build our cloud".
>>>> At a Council of Europe conference last year the MS rep said
>>>> that their standard cloud might not be what you needed in these
>>>> circumstances (but they might have changed their stance/product in
>>>> the mean time).
>>>
>>> Not sure what MS meant by "these circumstances",
>> That you want the data to be guaranteed to stay within an EU/UK
>> jurisdiction.
>
>I doubt whether a cloud can do this. A dedicated data processing
>outsourcing company, yes perhaps, but a cloud? I doubt it.
A dedicated data processing outsourcing company can implement its
offering by using cloud technology (and be quite capable of defining its
geographical limits). Such a cloud will have many of the good features
customers are looking for - flexibility and resilience for example.
Obviously, if they implement the offering by re-selling a slice of a
consumer-grade international cloud, then that won't be the case. But
that's why there are different offerings, and even the suppliers of
those consumer-grade international clouds are happy to admit that their
technology may not be suitable for all applications.
>Btw, I can't conceive of many situations where staying in the UK/EU was
>a requirement
It's a reaction from risk-averse customers, who believe that if the
cloud offering they buy into has such a restriction, then the supply
chain is answerable to DP law and will therefore be sufficiently robust.
And that they won't have to start drilling down into complex issues like
"safe harbour".
I've seen similar reactions from some public authorities who have bans
on using clearly US-based email systems for what are largely internal
communications, and have to find a UK (or perhaps EU) based email
supplier instead.
>and the other requirements for processing personal data weren't.
Sorry, I can't parse that.
--
Roland Perry