Aggravating Ignorance

The Witchfinder points out some potential flaws in the Block Bot team’s reasoning, in light of their claims that hosting data abroad makes them immune from UK Data Protection legislation.


The Block Bot thinks being abroad makes them immune.

Your author will be brief. Some members of the Block Bot team advance the idea that holding the data abroad makes them immune from UK Data Protection law. Funnily enough, UK legislators thought of that.

The Data Protection Act 1998, Schedule 1, provides as follows –

“[…] 8 Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Now, Block Bot creator James Billingham and for that matter the blocker who added me are based in the UK (although the latter has now resigned). So if they decide to block someone, where is the data? Well they have to write it down on a computer or similar device such as a mobile phone, based wherever they are.

Q. If someone types data into the Twitter client on a mobile phone in the UK, before they click ‘send’ where is the data?

A. In the mobile phone’s memory, in the UK.

Q. If someone types data into the Twitter website on a PC in the UK, before they click ‘send’ where is the data?

A. In the PC’s memory, in the UK.

Q. When they click send what happens?

A. The data is transmitted to the Twitter servers in the United States, thereby transferring it outside the EEA.

 What does the ICO Guidance, here say?

“You will be processing personal data in the UK and transferring it even if:

you collect information relating to individuals on paper, which is not ordered or structured in any way; and”


“Putting personal data on a website will often result in transfers to countries outside the EEA.”

The Claimant rests. (If someone junior from the Information Commissioner’s Officer went along with the ‘abroad’ argument we would only escalate it and ask them to clarify).

Share Button

5 thoughts on “Aggravating Ignorance

  1. Twitter and AWS are part of the Safe Harbor program so there’s nothing wrong with storing data with them.

    But this doesn’t excuse organisations from needing to be registered with the ICO and I think you can take that tweet as proof that they are not registered.

    Additionally when keeping data about someone you need their consent (which is often implicit e.g. they’re your customer) and you are meant to delete their data if they request you to do so (unless you need to keep the data for accounts/taxes/etc). So I don’t know how consent would apply when they’re basically “stealing” your tweets and the UK has no fair use laws.

    But I don’t really know how you can push this to a satisfying conclusion. Even large organisations and the government itself often flagrantly abuse the DPA and I’ve never heard of any fines or anything.

  2. The difference is that the blockbot is containing PII data. If a user uses twitter they are granting permission for twitter to use their PII data. In the case of the block bot, it is storing PII data without the user’s permission.

    This is one of the reasons companies will setup datacenters in the EU so as to avoid violating the law. The blockbot people clearly do not understand the law if they think that it doesnt apply to them because the data is not in the EU nor is twitter.

  3. Since I’m bad with web APIs and would have to read up on a ton of stuff to do this myself:

    It would likely be a good idea to scrape so they can’t take down the evidence from there too like they did with the block bot checker. If you do this it would be great if you could archive the individual pages using too.

Leave a Reply

Your email address will not be published. Required fields are marked *