Jurisdictional data control question

YellowFeather

Hi all

I haven't been able to come up with a conclusive answer on this one. Also, I'm going to be saying "jurisdiction" a lot, so bear with me.

If a jurisdiction has a tight data control law, whereby no data is allowed leave the, um, jurisdiction - what would be the view if somebody from outside the jurisdiction were to remotely connect to a database via (for example) a WebEx and view said data.

Would this be classed as removing data from the... wait for it... jurisdiction?

I would say that yes - it would. But, I would appreciate your views - reality vs. legality.

Thanks!

Manach

My 2c/offhand understanding is based on what the EU data protection direction seems to direct on this. If the data is in EU country A, then the transfer of data (ie viewing/FTP transfer/Database API etc) to country B is legislated for under the data transfer rules. So it is up to the data controller to ensure the rules are followed.
There could be a bi-lateral agreement, such as the Safe Harbour between the EU/US, or a non-EU country could be judged to have sufficient standards so the data transfer is allowed (offhand countries like Iceland). If not, then the transfer is a breach of the data protection rights.

YellowFeather

Thanks - and I agree.

This is related to the remote viewing of data - so it would not be transferred by FTP/SFT or any other method. It would simply be viewed by a remote connection. Is viewing specifically legislated against?

Manach

YellowFeather wrote: »

Thanks - and I agree.

This is related to the remote viewing of data - so it would not be transferred by FTP/SFT or any other method. It would simply be viewed by a remote connection. Is viewing specifically legislated against?

My understanding is that given when the directive was crafted on 1995 it was tech neutral. What it did was lay a responsibilty on the data controller to properly oversee personal data. So even it were not explicitly mentioned, transferring personal data by any such means would breach the protection. Where it might get interesting is when the legal authorities in the other country demand the data held in the EU. This is currently an issue as per a U.S. judge asking for email data held in Dublin servers.

Johnboy1951

YellowFeather wrote: »

Thanks - and I agree.

This is related to the remote viewing of data - so it would not be transferred by FTP/SFT or any other method. It would simply be viewed by a remote connection. Is viewing specifically legislated against?

If by viewing, you mean viewing remotely, then that data has first to travel to the location of the viewer before it can be viewed.

Whether that transfer is by FTP/SFTP or any other means is hardly likely to be pertinent .......... ?

amen

Johnboy1951 wrote: »

If by viewing, you mean viewing remotely, then that data has first to travel to the location of the viewer before it can be viewed.

Whether that transfer is by FTP/SFTP or any other means is hardly likely to be pertinent .......... ?

Say the data was on the desk of a user in country A. I was on a ship outside the boarder of country A and I had really long/powerful telescope such that I could stand on the ship and view the data.

Has the data left the country ?

Manach

Data transfer is fairly much dependant on the facts of a specific case and very broadly drawn definition within the EU directive. That AFAIR was the upshot from a book "Transborder Data Flows" by Kuner, drawing on the key case of Lindqvist. So offhand - that how likely was it that the Data Controller knew of potential data transfer could occur (either by their own carelessness or the actions of a cracker) to another country would be a main consideration.