Does the US have jurisdiction over the whole world?

Roland Perry lists at internetpolicyagency.com
Sun Nov 27 10:46:50 GMT 2011


In article <4ED130E3.6060802 at zen.co.uk>, Peter Fairbrother 
<zenadsl6186 at zen.co.uk> writes

>>> If the data controller doesn't even know who is hosting the data he 
>>>is responsible for, how can he be performing either of these duties?
>>  If the data "stays in the EU/UK" then the assumption is that the 
>>various parties are acting lawfully, and thus complying with the 
>>relevant data protection requirements.
>
>You may be able to make that assumption IF you know who all the parties 
>are, and have some assurance that they are technically competent, 
>responsible and law-abiding parties - but in a cloud situation you 
>won't even know who the parties are, never mind whether they are 
>responsible or law-abiding people.

You seem to be wanting a degree of micro-management of the supplier (and 
their subcontractors etc) far in excess of a normal contractual 
relationship with that supplier. For example, when you buy something 
online do you require to know the identity of the co-location facility 
housing his ecommerce platform, let alone disclosure of the platform's 
vendor and the name of the operating system it's running on?

>The duty on a data controller must surely include a requirement to 
>check whether the parties are at least outwardly law-abiding and 
>responsible - otherwise a data controller could store data at 
>Crooks-and-Spammers Ltd without penalty.

And you do that outward check by dealing with a reputable company 
offering a "local cloud" that you can reasonably expect to be law 
abiding in this respect (and imposing suitable controls on their chain 
of supply).

While the contract will doubtless say "the data will stay within $foo 
geographical jurisdiction", and it doesn't do any harm for the contract 
to say "and we will abide by the DPA", you might raise some eyebrows if 
you insist it also says "we won't employ child labour or use stolen PCs 
to build our cloud".

>>>> At a Council of Europe conference last year the MS rep said 
>>>>that their standard cloud might not be what you needed in these 
>>>>circumstances (but they might have changed their stance/product in 
>>>>the meantime).
>>>
>>> Not sure what MS meant by "these circumstances",
>>  That you want the data to be guaranteed to stay within an EU/UK 
>>jurisdiction.
>
>I doubt whether a cloud can do this. A dedicated data processing 
>outsourcing company, yes perhaps, but a cloud? I doubt it.

A dedicated data processing outsourcing company can implement its 
offering by using cloud technology (and be quite capable of defining its 
geographical limits). Such a cloud will have many of the good features 
customers are looking for - flexibility and resilience for example.

Obviously, if they implement the offering by re-selling a slice of a 
consumer-grade international cloud, then that won't be the case. But 
that's why there are different offerings, and even the suppliers of 
those consumer-grade international clouds are happy to admit that their 
technology may not be suitable for all applications.

>Btw, I can't conceive of many situations where staying in the UK/EU was 
>a requirement

It's a reaction from risk-averse customers, who believe that if the 
cloud offering they buy into has such a restriction, then the supply 
chain is answerable to DP law and will therefore be sufficiently robust. 
And that they won't have to start drilling down into complex issues like 
"safe harbour".

I've seen similar reactions from some public authorities who have bans 
on using clearly US-based email systems for what are largely internal 
communications, and have to find a UK (or perhaps EU) based email 
supplier instead.

>and the other requirements for processing personal data weren't.

Sorry, I can't parse that.
-- 
Roland Perry
