Jurisdiction Over or Law Applicable to Personal Information

Is anybody – any international body – studying the legal basis for jurisdiction over personal information as it crosses national borders, or considering the law that should be applicable to such PI?

This could be thought of as ‘law applicable to the cloud’ in these days of cloud computing, though I don’t think it’s limited to that.

The Hague Conference on Private International Law in April 2010 noted [PDF p.18] as an ‘additional subject’ for work, more I think in the lines of a watching brief:

The Council invited the Permanent Bureau to continue to follow developments in the following areas –
a) questions of private international law raised by the information society, including electronic commerce, e-justice and data protection;

Is the phenomenon of cloud computing sufficiently fixed that it makes sense to talk about international agreements on applicable law? I know that one of the first legal issues that comes up in discussing cloud computing is where the data are (business and personal data) and whose law applies to the operator of the cloud – meaning often what governmental authorities might have a right to get access to the data.

It is also a commonplace that entities that hold personal data are always responsible for complying with their own local laws about its treatment. Cloud computing raises the question is whether having the data in the cloud could prevent them from complying with those laws, or exposes the data to contrary laws.

From there to having a topic that an international body can usefully talk about may be quite a step … or not. What do you think? Is it time some body started a project on this, or should people be content to watch, for the time being?

Comments are closed.