Does the US have jurisdiction over the whole world?

Roland Perry lists at internetpolicyagency.com
Sun Nov 27 14:37:22 GMT 2011


In article <4ED235F0.2040403 at zen.co.uk>, Peter Fairbrother 
<zenadsl6186 at zen.co.uk> writes

>>You seem to be wanting a degree of micro-management of the supplier 
>>(and their subcontractors etc) far in excess of a normal contractual 
>>relationship
>
>Yes, indeed I do.
>
>I have a legal duty to ensure the supplier of data processing services 
>is competent, honest and responsible - he is after all in possession of 
>something I am responsible for.

Do you do the same for your accountants and bankers? Lots of your money 
and personal data (self and employees) in their possession. Or do you 
trust them to act lawfully, given that they clearly understand their 
responsibilities (as would the people offering one of these specialist 
clouds).

>>> The duty on a data controller must surely include a requirement to 
>>>check whether the parties are at least outwardly law-abiding and 
>>>responsible - otherwise a data controller could store data at 
>>>Crooks-and-Spammers Ltd without penalty.
>>And you do that outwardly check by dealing with a reputable company 
>>offering a "local cloud" that you can reasonably expect to be law 
>>abiding in this respect (and imposing suitable controls on their chain 
>>of supply).
>
>That might work - but I've never come across such a beast.

I'm assured there are a range of cloud services available, including the 
type I described.

>Hmmm, "imposing suitable controls on their chain of supply" sounds very 
>much like "a degree of micro-management of the supplier (and their 
>subcontractors etc) far in excess of a normal contractual relationship".

Their suppliers are one stage removed compared to yourself. So while 
they should be expected to check out the people they rent rackspace 
from, you shouldn't need to. Similarly, while the people they rent 
rackspace from should vet their cleaners, they (or you) shouldn't need 
to, and so on.

>I meant that if the data has to stay in the EU, in most situations it 
>also has to be protected as personal data, i.e. follow the principles etc.

Yes, that's why I'm saying a cloud that stays in the EU should be 
automatically protected because of the harmonisation of DP law.
-- 
Roland Perry



More information about the ukcrypto mailing list