Duncan Smith on Thursday, August 18, 2005 at 4:54 PM said:-
> This area get very complex, particularly when you start to consider issues
> like the location of processing equipment and the manner in which
> the French
> (in particular) have interpreted this requirement of 95/46/EC.
>
> But, there is some clarity that emerges from principle 4 of 95/46/EC.
>
> For a data controller 'established' in the EU, neither the
> location nor the
> nationality of the data subject determines the jurisdiction; it is the
> location of, or 'principle place of economic activity' of, the data
> controller which determines the law that applies. In this way,
> an American
> citizen, whose data is processed by a UK data controller, would
> be protected
> by our DPA98.
It is clear that the jurisdiction so defined relates to the data controller
within the common EU boundaries.
>
> Your question is the reverse of this however i.e. a data controller not
> established in the EU, but in the US. In this instance, 95/46/EC and
> subsequent legislation has no jurisdiction in the US and thus 'our fair
> processing rules' would not apply.
However the directive and the DPA both require 'fair obtaining'.
>
> That's not to say the EU citizen is without protection though; the US data
> controller must abide by the (ever growing) body of privacy related
> legislation in the US and in particular the Federal Trade Commission Act.
> There are more than 700 state and federal laws on privacy and
> surveillance!
Should a US data controller ignore fair obtaining issues relating to
personal data collected from elsewhere, or within the EU though?
i.e. obtain data completely in accordance with the data controllers
legislation but equally completely ignoring any of the data subjects
expectations about the data.
Consider. 1(3) DPA1998 "it is immaterial that it is intended to be so
processed or to form part of such a system only after being transferred to a
country or territory outside the EEA"
>
> One interesting piece of US legislation, the Children's Online Privacy
> Protection Act (COPPA), does appear to have longer arms than even
> Mr Tickle
> (not got kids? - take a look here
> http://www.mrsneeze.com/mrmen/meetmrmen.html). Coverage under
> COPPA extends
> to operators of commercial web sites and online services directed to U.S.
> children under the age of 13; this may be interpreted as including non-US
> sites directing their attention to the US market place.
Aware of COPPA which has some areas of similarity to the fair obtaining
issue of interest.
> Hope this helps
Certainly does.
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]]On Behalf Of Duncan Smith
> Sent: Thursday, August 18, 2005 4:54 PM
> To: [log in to unmask]
> Subject: Re: Fairly Obtaining
>
>
> Ian,
>
> This area get very complex, particularly when you start to consider issues
> like the location of processing equipment and the manner in which
> the French
> (in particular) have interpreted this requirement of 95/46/EC.
>
> But, there is some clarity that emerges from principle 4 of 95/46/EC.
>
> For a data controller 'established' in the EU, neither the
> location nor the
> nationality of the data subject determines the jurisdiction; it is the
> location of, or 'principle place of economic activity' of, the data
> controller which determines the law that applies. In this way,
> an American
> citizen, whose data is processed by a UK data controller, would
> be protected
> by our DPA98.
>
> Your question is the reverse of this however i.e. a data controller not
> established in the EU, but in the US. In this instance, 95/46/EC and
> subsequent legislation has no jurisdiction in the US and thus 'our fair
> processing rules' would not apply.
>
> That's not to say the EU citizen is without protection though; the US data
> controller must abide by the (ever growing) body of privacy related
> legislation in the US and in particular the Federal Trade Commission Act.
> There are more than 700 state and federal laws on privacy and
> surveillance!
>
> One interesting piece of US legislation, the Children's Online Privacy
> Protection Act (COPPA), does appear to have longer arms than even
> Mr Tickle
> (not got kids? - take a look here
> http://www.mrsneeze.com/mrmen/meetmrmen.html). Coverage under
> COPPA extends
> to operators of commercial web sites and online services directed to U.S.
> children under the age of 13; this may be interpreted as including non-US
> sites directing their attention to the US market place.
>
> Hope this helps
>
>
> Regards,
>
> Duncan Smith
> Director
> iCompli Limited
>
> ---------------------------------------------
> COMPLIANCE IN YOUR LANGUAGE....
> ---------------------------------------------
>
> Contact Details:
>
> 48 West End | Silverstone | Northants | NN12 8UY
>
> Phone: +44 (0) 8707 70 48 66
> Fax: +44 (0) 8707 70 48 69
> Mobile: +44 (0) 7775 56 81 80
> Email: [log in to unmask]
> Web: www.icompli.co.uk
> Blog: www.compliancespeak.blogspot.com
>
>
>
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of Ian Welton
> Sent: Sunday, August 14, 2005 9:04 PM
> To: [log in to unmask]
> Subject: [data-protection] Fairly Obtaining
>
>
> Whilst away on a break and prior to returning to a real flood of
> e-mail the
> following point arose which I wonder if the group could assist with.
>
> Where data is collected from a data subject located within the EU by a
> commercial data controller located outside the EU and the data is intended
> specifically for commercial purposes; do the EU fair obtaining rules apply
> or should the data controller apply only any local rules which may exist?
>
> Ian W
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list owner
[log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|