Does the US have jurisdiction over the whole world?

Peter Fairbrother zenadsl6186 at zen.co.uk
Sun Nov 27 13:06:56 GMT 2011


Roland Perry wrote:
> In article <4ED130E3.6060802 at zen.co.uk>, Peter Fairbrother 
[...]
>> You may be able to make that assumption IF you know who all the 
>> parties are, and have some assurance that they are technically 
>> competent, responsible and law-abiding parties - but in a cloud 
>> situation you won't even know who the parties are, never mind whether 
>> they are responsible or law-abiding people.
> 
> You seem to be wanting a degree of micro-management of the supplier (and 
> their subcontractors etc) far in excess of a normal contractual 
> relationship 


Yes, indeed I do.

I have a legal duty to ensure the supplier of data processing services 
is competent, honest and responsible - he is after all in possession of 
something I am responsible for.

I have no such duty regarding the supplier of office copier paper. I am 
not responsible for the copier paper in his possession.

An analogous situation exists regarding pressure vessels. If I sell new 
pressure vessels by way of trade, I am legally required to be able to 
produce documentation as to who made the steel they are made from. Not 
just who made the pressure vessels, who made the steel.

[...]

>> The duty on a data controller must surely include a requirement to 
>> check whether the parties are at least outwardly law-abiding and 
>> responsible - otherwise a data controller could store data at 
>> Crooks-and-Spammers Ltd without penalty.
> 
> And you do that outwardly check by dealing with a reputable company 
> offering a "local cloud" that you can reasonably expect to be law 
> abiding in this respect (and imposing suitable controls on their chain 
> of supply).

That might work - but I've never come across such a beast.

Hmmm, "imposing suitable controls on their chain of supply" sounds very 
much like "a degree of micro-management of the supplier (and their 
subcontractors etc) far in excess of a normal contractual relationship".

[...]

>> Btw, I can't conceive of many situations where staying in the UK/EU 
>> was a requirement
[..]
>> and the other requirements for processing personal data weren't.
> 
> Sorry, I can't parse that.


Perhaps "the other normal conditions for processing personal data 
weren't a requirement", but that's clumsy too.


I meant that if the data has to stay in the EU, in most situations it 
also has to be protected as personal data, i.e. follow the principles etc.

-- Peter Fairbrother




More information about the ukcrypto mailing list