FAQ on UK law

[Caspar Bowden (lists)]

On 07/05/13 11:29, Clive D.W. Feather wrote:
> Nicholas Cole said:
>> What is much less clear is the question of "export".  Does, for example,
>> hosting a piece of software like PuTTY or ssh or gnupg on a UK-based
>> website count as "export"? What about providing support for such software?
> The European Court, in case C-101/01 ("Lindqvist") decided that
>
>      there is no 'transfer [of data] to a third country' within the meaning
>      of Article 25 of Directive 95/46 where an individual in a Member State
>      loads personal data onto an internet page which is stored with his
>      hosting provider which is established in that State or in another
>      Member State, thereby making those data accessible to anyone who
>      connects to the internet, including people in a third country.
>
> In other words, putting material on a web site is not exporting it as far
> as the Data Protection Act is concerned. Whether this would be accepted as
> precedence by a UK court on an export control matter is another question.
>
> (Yes, I am an academic laywer. No, this is not legal advice.)

(Hi Clive)

(/pace/ original question wasn't about personal data & DP but crypto 
export control)

that's not the ICO's interpretation 
<http://www.ico.org.uk/upload/documents/library/data_protection/detailed_specialist_guides/international_transfers_legal_guidance_v2.0_300606.pdf>

1.3.4 In the case of Bodil Lindqvist v Kammaraklagaren (2003) (Case 
C-101/01), the European Court of Justice held that there was no transfer 
of personal data to a third country where an individual loaded personal 
data onto an internet page in a Member State using a internet hosting 
provider in that Member State, even though the page was accessible via 
the internet by people based in a third country. Instead, a transfer was 
only deemed to have taken place *where the internet page was actually 
accessed* by a person located in a third country. In practice, data are 
often loaded onto the internet with the intention that the data be 
accessed in a third country, and, as this will usually lead to a 
transfer, the principle in the Lindqvist case will not apply in such 
circumstances. However, in situations where there is no intention to 
transfer the data to a third country and no transfer is deemed to have 
taken place as the information has not been accessed in a third country 
(ie. the eighth principle does not apply), data controllers will still 
need to ensure that the processing complies with all of the other 
principles. In particular, data controllers must consider the 
requirement in the first data protection principle that the processing 
must be fair which may be contravened by making the data so widely 
accessible.

(IANAL and this is not legal advice)

In other words ICO is saying that even though ECJ was out-to-lunch on 
this aspect, they will get you on "fairness" principle if you try to 
take p!$$

CB
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.chiark.greenend.org.uk/pipermail/ukcrypto/attachments/20130507/8a7927b0/attachment.html>