<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 07/05/13 11:29, Clive D.W. Feather
wrote:<br>
</div>
<blockquote cite="mid:20130507102955.GA81557@davros.org" type="cite">
<pre wrap="">Nicholas Cole said:
</pre>
<blockquote type="cite">
<pre wrap="">What is much less clear is the question of "export". Does, for example,
hosting a piece of software like PuTTY or ssh or gnupg on a UK-based
website count as "export"? What about providing support for such software?
</pre>
</blockquote>
<pre wrap="">
The European Court, in case C-101/01 ("Lindqvist") decided that
there is no 'transfer [of data] to a third country' within the meaning
of Article 25 of Directive 95/46 where an individual in a Member State
loads personal data onto an internet page which is stored with his
hosting provider which is established in that State or in another
Member State, thereby making those data accessible to anyone who
connects to the internet, including people in a third country.
In other words, putting material on a web site is not exporting it as far
as the Data Protection Act is concerned. Whether this would be accepted as
precedence by a UK court on an export control matter is another question.
(Yes, I am an academic laywer. No, this is not legal advice.)
</pre>
</blockquote>
<br>
(Hi Clive)<br>
<br>
(<i>pace</i> original question wasn't about personal data & DP
but crypto export control)<br>
<br>
that's not <a
href="http://www.ico.org.uk/upload/documents/library/data_protection/detailed_specialist_guides/international_transfers_legal_guidance_v2.0_300606.pdf">the
ICO's interpretation</a><br>
<br>
1.3.4 In the case of Bodil Lindqvist v Kammaraklagaren (2003) (Case
C-101/01), the European Court of Justice held that there was no
transfer of personal data to a third country where an individual
loaded personal data onto an internet page in a Member State using a
internet hosting provider in that Member State, even though the page
was accessible via the internet by people based in a third country.
Instead, a transfer was only deemed to have taken place <b>where
the internet page was actually accessed</b> by a person located in
a third country. In practice, data are often loaded onto the
internet with the intention that the data be accessed in a third
country, and, as this will usually lead to a transfer, the principle
in the Lindqvist case will not apply in such circumstances. However,
in situations where there is no intention to transfer the data to a
third country and no transfer is deemed to have taken place as the
information has not been accessed in a third country (ie. the eighth
principle does not apply), data controllers will still need to
ensure that the processing complies with all of the other
principles. In particular, data controllers must consider the
requirement in the first data protection principle that the
processing must be fair which may be contravened by making the data
so widely accessible. <br>
<br>
(IANAL and this is not legal advice)<br>
<br>
In other words ICO is saying that even though ECJ was out-to-lunch
on this aspect, they will get you on "fairness" principle if you try
to take p!$$<br>
<br>
CB<br>
</body>
</html>