Does the US have juristriction over the whole world?
Peter Fairbrother
zenadsl6186 at zen.co.uk
Sat Nov 26 14:29:53 GMT 2011
Mary Hawking wrote:
> http://www.theregister.co.uk/2011/11/25/ms_threatens_au_gov_over_ehealth/
>
> Does anyone know about this - and whether it is true?
> Apparently it is Microsoft's view that requiring data to be held within a
> national boundary is a breach of WTO regulations - and, worryingly, that any
> data held by any organisation which trades with the US is subject to US law.
>
> "Any company with a presence in the United States of America (not just those
> with headquarters or subsidiaries in that country) may be legally required
> to respond to a valid demand from the United States Government for
> information the company retains custody over or controls, regardless of
> where the data is stored or the existence of any conflicting obligations
> under the laws of the country where the data is located," the submission
> states
It is not unusual for US law and US Courts to claim jurisdiction
anywhere in the world, eg they do this over the taxpaying requirements
of US citizens.
Microsoft's statement is probably true in terms of US law, but it isn't
quite as straightforward as it might seem.
I imagine it goes something like this: Suppose a US Government demand
fopr data is made, and a Court order is made. The US branch office
cannot obtain the data themselves, and they ask the UK office. The UK
office says no.
What can a US Court do to enforce the order? A very long story, but in
the end, in practice, nothing substantial. So while they may claim
jurisdiction, it doesn't mean much.
To address the wider issue, what Microsoft are really upset about is
clouds. First, some law:
-*-
Data Protection Act, Schedule 1 part 1, principle 7:
Appropriate technical and organisational measures shall be taken against
unauthorised or unlawful processing of personal data and against
accidental loss or destruction of, or damage to, personal data.
Data Protection Act, Schedule 1 part 2 section 11: Interpretation of the
seventh principle,
Where processing of personal data is carried out by a data processor on
behalf of a data controller, the data controller must in order to comply
with the seventh principle—
(a) choose a data processor providing sufficient guarantees in respect
of the technical and organisational security measures governing the
processing to be carried out, and
(b) take reasonable steps to ensure compliance with those measures.
-*-
Another bit of law, about the WTO, but I don't have details to hand - if
measures are taken by one country for the purpose of providing data
security, they are not actionable under the WTO, even if they restrain
trade etc.
-*-
And what it comes down to is this: Microsoft say that encryption and
their "best practices" provide better security against unauthorised
processing than let's say only keeping the data in a local office.
(the data controller is the only person capable of granting
authorisation, as the requirement to follow the principles is upon him
and no-one else, that's DPA section 4(4) I think offhand).
Which, if Microsoft were correct about the US Government's ability to
demand data, would be immediately obvious nonsense - rather than the
slightly-less-obvious nonsense it is.
(a UK data controller is required by law to protect personal data in his
control against the US government as well as spammers and identity
thieves. He's also required to protect it against the UK Government, who
if they want it must get it through him).
It's long past time that the UK and EU/EAA Information Commissioners
gave clear guidance that personal data cannot be stored in clouds. Full
stop.
-- Peter Fairbrother
>
> Could any other country pass similar legislation?
> What would happen if, say, Russia or China passed similar legislation: would
> Microsoft be obliged to release the information they held in the USA?
>
> Mary Hawking
> "thinking - independent thinking - is to humans as swimming is to cats: we
> can do it if we really have to." Mark Earles on Radio 4.
>
>
>
More information about the ukcrypto
mailing list