Ian,
This area gets very complex, particularly when you start to consider issues
like the location of processing equipment and the manner in which the French
(in particular) have interpreted this requirement of 95/46/EC.
But, there is some clarity that emerges from principle 4 of 95/46/EC.
For a data controller 'established' in the EU, neither the location nor the
nationality of the data subject determines the jurisdiction; it is the
location of, or 'principal place of economic activity' of, the data
controller which determines the law that applies. In this way, an American
citizen, whose data is processed by a UK data controller, would be protected
by our DPA98.
Your question is the reverse of this, however, i.e. a data controller not
established in the EU, but in the US. In this instance, 95/46/EC and
subsequent legislation have no jurisdiction in the US and thus 'our fair
processing rules' would not apply.
That's not to say the EU citizen is without protection though; the US data
controller must abide by the (ever growing) body of privacy-related
legislation in the US and in particular the Federal Trade Commission Act.
There are more than 700 state and federal laws on privacy and surveillance!
One interesting piece of US legislation, the Children's Online Privacy
Protection Act (COPPA), does appear to have longer arms than even Mr Tickle
(not got kids? - take a look here
http://www.mrsneeze.com/mrmen/meetmrmen.html). Coverage under COPPA extends
to operators of commercial web sites and online services directed to U.S.
children under the age of 13; this may be interpreted as including non-US
sites directing their attention to the US market place.
Hope this helps
Regards,
Duncan Smith
Director
iCompli Limited
---------------------------------------------
COMPLIANCE IN YOUR LANGUAGE....
---------------------------------------------
Contact Details:
48 West End | Silverstone | Northants | NN12 8UY
Phone: +44 (0) 8707 70 48 66
Fax: +44 (0) 8707 70 48 69
Mobile: +44 (0) 7775 56 81 80
Email: [log in to unmask]
Web: www.icompli.co.uk
Blog: www.compliancespeak.blogspot.com
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Ian Welton
Sent: Sunday, August 14, 2005 9:04 PM
To: [log in to unmask]
Subject: [data-protection] Fairly Obtaining
Whilst away on a break and prior to returning to a real flood of e-mail the
following point arose which I wonder if the group could assist with.
Where data is collected from a data subject located within the EU by a
commercial data controller located outside the EU and the data is intended
specifically for commercial purposes; do the EU fair obtaining rules apply
or should the data controller apply only any local rules which may exist?
Ian W
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list owner
[log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^