Does the US have juristriction over the whole world?

Peter Fairbrother zenadsl6186 at
Sun Nov 27 13:06:56 GMT 2011

Roland Perry wrote:
> In article <4ED130E3.6060802 at>, Peter Fairbrother 
>> You may be able to make that assumption IF you know who all the 
>> parties are, and have some assurance that they are technically 
>> competent, responsible and law-abiding parties - but in a cloud 
>> situation you won't even know who the parties are, nevermind whether 
>> they are responsible or law-abiding people.
> You seem to be wanting a degree of micro-management of the supplier (and 
> their subcontractors etc) far in excess of a normal contractual 
> relationship 

Yes, indeed I do.

I have a legal duty to ensure the supplier of data processing services 
is competent, honest and responsible - he is after all in possession of 
something I am responsible for.

I have no such duty regarding the supplier of office copier paper. I am 
not responsible for the copier paper in his possession.

An analogous situation exists regarding pressure vessels. If I sell new 
pressure vessels by way of trade, I am legally required to be able to 
produce documentation as to who made the steel they are made from. Not 
just who made the pressure vessels, who made the steel.


>> The duty on a data controller must surely include a requirement to 
>> check whether the parties are at least outwardly law-abiding and 
>> responsible - otherwise a data controller could store data at 
>> Crooks-and-Spammers Ltd without penalty.
> And you do that outwardly check by dealing with a reputable company 
> offering a "local cloud" that you can reasonably expect to be law 
> abiding in this respect (and imposing suitable controls on their chain 
> of supply).

That might work - but I've never come across such a beast.

Hmmm, "imposing suitable controls on their chain of supply" sounds very 
much like "a degree of micro-management of the supplier (and their 
subcontractors etc) far in excess of a normal contractual relationship".


>> Btw, I can't conceive of many situations where staying in the UK/EU 
>> was a requirement
>> and the other requirements for processing personal data weren't.
> Sorry, I can't parse that.

perhaps "the other normal conditions for processing personal data 
weren't a requirement", but that's clumsy too.

I meant that if the data has to stay in the EU, in most situations it 
also has to protected as personal data, ie follow the principles etc.

-- Peter Fairbrother

More information about the ukcrypto mailing list