The UK Data Protection law was drafted at the basic minimum required by the
Directive, 95/46/EC, apart from the sections on special purposes [Art 9].
It would therefore seem reasonable to approach the thing from the Directive
[Art 14(b)] and the general expectations across the EU. Why not do the
thing properly and minimise the irritation from direct marketing by going
opt-in? Alternatively, you could find out what the ICX consortium are doing
in this regard as they are trying to address the problems of multi-national
processing and cross-border transfers.
Barry Barber
Health Data Protection Ltd
Great Malvern
tel +44-1684-566-220
fax +44-1684-566-770
NOTICE
This email is addressed to the individuals listed in the header and it is
normally confidential to them. If this email arrives in any other mailbox
please advise me so that I can investigate this potential breach of
confidentiality and the requirements of the UK Data Protection Act 1998 in
compliance with the European Data Protection Directive, 95/46/EC, of the
European Parliament and the Council [24 October 1995] "On the protection of
Individuals with regard to the processing of personal data and on the free
movement of such data".
On 30/3/2001 11:34, "Duncan Smith" <[log in to unmask]> wrote:
> I am currently working with a number of pan European and global clients, who
> have all posed the same (similar) questions, to which I am struggling to
> provide a succinct and consistent answer.
>
> "Whose law applies!" they all cry.
>
> This issue is of particular importance to those organisations that direct
> market to European countries where opt-in national legislation applies, as
> opposed to opt-out legislation as current in the UK.
>
> My first thoughts were:
>
> The law that applies is the law of the land of residence of the data
> controller. So, if I am a UK data controller carrying out DM to Germany, I
> manage my personal data in accordance with the DPA 1998, affording the
> German resident all the protection that UK law provides. The discrepancy
> between the two sets of National legislation (opt-in versus opt-out) is
> resolved by the fact that I am a UK data controller and not a German data
> controller.
>
> This may not be good for CRM (the German expecting opt-in rules to apply)
> but at least I am not acting illegally; or am I?
>
> I posed a similar question to the Group earlier in the year about an
> American suing a UK data controller over misuse of their personal data, and
> those who responded, agreed that S.5 of DPA 1998 suggested that any
> individual, regardless of their nationality, would be protected by DPA 1998
> if their data were processed by a UK data controller.
>
> So, does this mean that the aggrieved German, who wants to take me (a UK
> data controller) to court over an alleged breach of German data protection
> legislation, is barking up the wrong tree?
>
> And if you are wondering what advice we have from OIC, their 8thprin.doc
> gives the following confusing example:
>
> "A UK based bank has a branch in India which collects personal data on local
> customers. The data are transferred to the UK where they are processed and
> then transferred from the UK back to India. The customers’ expectations will
> be that their data are treated in accordance with Indian law. Given the
> source of the data and that the Bank has no reason to suppose the data will
> be misused after transfer, a conclusion of adequacy is reasonable"
>
> Interpreting this paragraph raises all kinds of questions, for example;
>
> Suppose I sent one of my UK employees with a clipboard to Hamburg, and got
> them to stop hapless passers-by, ask some questions and collect e-mail
> addresses. They return to the UK, where we carry out a direct marketing
> campaign using the personal data collected in Hamburg.
>
> The OIC example above seems to suggest that German law would apply, not UK
> law.
>
> Or how about this variation:
>
> "A UK based bank has a branch in India which collects personal data on local
> customers via a web terminal set up in the lobby of the bank
> (www.seconddirect.co.uk). The data are transferred to the UK where they are
> processed and then transferred from the UK back to India. The customers’
> expectations will be that their data are treated in accordance with Indian
> law. Given the source of the data and that the Bank has no reason to suppose
> the data will be misused after transfer, a conclusion of adequacy is
> reasonable"
>
> So, as long as I identify customers are outside of the UK, ya boo sucks to
> DPA 1998.
>
> HELP!!
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
> all commands go to [log in to unmask] not the list please!
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^