Does the US have jurisdiction over the whole world?
zenadsl6186 at zen.co.uk
Sun Nov 27 13:06:56 GMT 2011
Roland Perry wrote:
> In article <4ED130E3.6060802 at zen.co.uk>, Peter Fairbrother
>> You may be able to make that assumption IF you know who all the
>> parties are, and have some assurance that they are technically
>> competent, responsible and law-abiding parties - but in a cloud
>> situation you won't even know who the parties are, never mind whether
>> they are responsible or law-abiding people.
> You seem to be wanting a degree of micro-management of the supplier (and
> their subcontractors etc) far in excess of a normal contractual
Yes, indeed I do.
I have a legal duty to ensure the supplier of data processing services
is competent, honest and responsible - he is after all in possession of
something I am responsible for.
I have no such duty regarding the supplier of office copier paper. I am
not responsible for the copier paper in his possession.
An analogous situation exists regarding pressure vessels. If I sell new
pressure vessels by way of trade, I am legally required to be able to
produce documentation as to who made the steel they are made from. Not
just who made the pressure vessels, who made the steel.
>> The duty on a data controller must surely include a requirement to
>> check whether the parties are at least outwardly law-abiding and
>> responsible - otherwise a data controller could store data at
>> Crooks-and-Spammers Ltd without penalty.
> And you do that outwardly check by dealing with a reputable company
> offering a "local cloud" that you can reasonably expect to be law
> abiding in this respect (and imposing suitable controls on their chain
> of supply).
That might work - but I've never come across such a beast.
Hmmm, "imposing suitable controls on their chain of supply" sounds very
much like "a degree of micro-management of the supplier (and their
subcontractors etc) far in excess of a normal contractual relationship".
>> Btw, I can't conceive of many situations where staying in the UK/EU
>> was a requirement
>> and the other requirements for processing personal data weren't.
> Sorry, I can't parse that.
Perhaps "the other normal conditions for processing personal data
weren't a requirement", but that's clumsy too.
I meant that if the data has to stay in the EU, in most situations it
also has to be protected as personal data, i.e. follow the principles etc.
-- Peter Fairbrother