<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: International transfers of personal data</title>
	<atom:link href="http://www.website-law.co.uk/blog/data-protection/international-transfers-of-personal-data/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.website-law.co.uk/blog/data-protection/international-transfers-of-personal-data/</link>
	<description>The web law blog</description>
	<lastBuildDate>Mon, 23 Jan 2012 09:56:43 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.4</generator>
	<item>
		<title>By: Rick</title>
		<link>http://www.website-law.co.uk/blog/data-protection/international-transfers-of-personal-data/#comment-12172</link>
		<dc:creator>Rick</dc:creator>
		<pubDate>Wed, 10 Sep 2008 16:35:21 +0000</pubDate>
		<guid isPermaLink="false">http://www.website-law.co.uk/blog/data-protection/international-transfers-of-personal-data/#comment-12172</guid>
		<description>This subject is a tricky one if only for the grey areas that it leaves unclarified. I&#039;m thinking about all those thousands, perhaps millions, of websites employing a commented blog system -- much like this one, in fact. Here I am, leaving a comment at the end of this blog entry. I&#039;ve just given my first name but I could just as easily have used my full name. I&#039;ve supplied an email address and a web site URL. 

Now, would that be considered to be Personal Data and thus fall under the scope of the DPA? Could I be identified from that information? Probably, if you cross-reference my first name with a visit to the URL, even without the email address (which is not published). So it could be argued that Personal Data is being published to a web page. And if I were to access that page from inside, say, the US, that would therefore constitute a breach of the DPA. As would the web sites of every single UK company that employs a blog and permits a similar commenting system. The situation is clearly ludicrous.

Since the database that drives the site would also store my email address, it would presumably be considered illegal for the site owner to consider using a web host based in the USA.

Or would it?
If a web-based database is storing medical records or credit card numbers linked to names and addresses then of course the legal situation is pretty clear-cut. But the far more common situation of a company blog with comments described above is far greyer and without clarification a lot of people will have no idea whether or not they are in breach of the DPA.</description>
		<content:encoded><![CDATA[<p>This subject is a tricky one if only for the grey areas that it leaves unclarified. I&#8217;m thinking about all those thousands, perhaps millions, of websites employing a commented blog system &#8212; much like this one, in fact. Here I am, leaving a comment at the end of this blog entry. I&#8217;ve just given my first name but I could just as easily have used my full name. I&#8217;ve supplied an email address and a web site URL. </p>
<p>Now, would that be considered to be Personal Data and thus fall under the scope of the DPA? Could I be identified from that information? Probably, if you cross-reference my first name with a visit to the URL, even without the email address (which is not published). So it could be argued that Personal Data is being published to a web page. And if I were to access that page from inside, say, the US, that would therefore constitute a breach of the DPA. As would the web sites of every single UK company that employs a blog and permits a similar commenting system. The situation is clearly ludicrous.</p>
<p>Since the database that drives the site would also store my email address, it would presumably be considered illegal for the site owner to consider using a web host based in the USA.</p>
<p>Or would it?<br />
If a web-based database is storing medical records or credit card numbers linked to names and addresses then of course the legal situation is pretty clear-cut. But the far more common situation of a company blog with comments described above is far greyer and without clarification a lot of people will have no idea whether or not they are in breach of the DPA.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

