Full Disclosure
Charles Lindsey
ukcrypto at chiark.greenend.org.uk
Tue, 29 Apr 2008 16:30:19 +0100
On Tue, 29 Apr 2008 11:36:47 +0100, Joel Harrison
<joeldharrison@googlemail.com> wrote:
> On 4/29/08, Charles Lindsey <chl@clerew.man.ac.uk> wrote:
>> > If I (as data controller) make a permitted controller-to-processor
>> > transfer outside the EEA then, again, I'm responsible for whatever the
>> > processor does. But that's no different from a transfer to a
>> > processor in another EEA member state, or indeed if the data remains
>> > within the same EEA member state....
>> >
>>
>> But here we are talking about a cookie that resides on Joe User's
>> machine
>> and which he transfers to a website (possibly in Peru). So Joe User is
>> the
>> data conmtroller here (though he might be able to claim in court that
>> Phorm
>> had incited him to make that unlawful transfer).
>>
>
> Joe User is the data subject, because the data relates to him. He's
> not ending up in court, except possibly as a claimant.
In which case he may lawfully transfer it to a website in Peru if he sees
fit.
The problem is that he has not the opportunity to "see fit" because he is
not aware it is being sent (it doesn't get sent when he is plugged into
his BT ADSL at home, so why would be expect it to get sent just because he
has pluffed his laptop in at home). In any case, Phorm has publicly
assured everyone that this "won't happen".
So yes, even though he is still (technically) the data controller as well
as the data subject (since he owns the machine on which the cookie is
held), he is still entitled to be greatly miffed because Phorm had mislead
him.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl@clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5