By Dennis Holmes
Westin Research Fellow
In two European cases making headlines this week, U.S. online powerhouses successfully claimed European data protection regulators lacked jurisdiction to regulate their activity. One case involved the ongoing dispute between Facebook and the data protection authority (DPA) for the German state of Schleswig-Holstein. A German court overturned an order by the Schleswig-Holstein DPA requiring German companies to deactivate their Facebook fan pages, holding that German companies had no effective control over the data hosted by Facebook, whose European base is in Ireland. The other case involved Netflix, which was exempted from enforcement by the Dutch DPA on account of its European establishment being in Luxembourg.
These cases join a long line of disputes pitting global online companies against national privacy regulators and bringing to the fore the thorny questions of personal jurisdiction and applicable law on the Internet. Google is involved in several such cases, disputing the jurisdiction of UK courts in a matter involving alleged circumvention of Safari privacy settings, and claiming the Spanish DPA lacks competence to regulate its global online search engine activities.
Where is the online “there”?
The Internet has disrupted traditional notions of applicable law and jurisdiction. Individuals and companies can now become subject to the law of a foreign country even without a physical presence. Under Article 4(1)(a) of the European Data Protection Directive (DPD), European law applies where “the processing [of personal data] is carried out in the context of the activities of an establishment of the controller on the territory of the Member State”. Alternatively, under Article 4(1)(c) of the DPD, European law applies even in the absence of a European establishment, if—for the processing of personal data—the controller “makes use of equipment … situated on the territory of that Member State”.
With respect to U.S.-based online companies, the questions consistently raised are whether (and where) such companies are “established” in the EU; whether their processing of personal data takes place “in the context of the activities of an establishment” in a Member State; and—if the answer to these questions is negative—whether they “make use of equipment” situated in the EU.
The “use of equipment” test is complicated by the fact that, on the one hand, European DPAs have interpreted it broadly, deeming the dropping of a cookie on an EU user’s web browser “use of equipment” in the EU; and on the other hand, they have warned against jurisdictional overextension resulting in “undesirable consequences, such as a possible universal application of EU law.” To address the legal complexity, U.S. companies are deploying different legal strategies. Google typically disputes EU jurisdiction, arguing that it is established in the U.S., while Facebook concedes European jurisdiction but argues that it is established in Ireland and should therefore litigate and be regulated there, as opposed to in other member states.
Two impending developments are likely to help clarify the legal situation. The first is the European Court of Justice (“ECJ”) case pitting Google against the Spanish DPA (AEPD). The second is the slow but steady advancement in Brussels of the General Data Protection Regulation (GDPR), which is set to replace the DPD.
The ECJ Case: Google v. AEPD
A case currently pending before the ECJ involves a request by a Spanish individual to have Google delete search results presenting him in a negative light, despite those results pointing to accurate, publicly available information. The AEPD ordered Google to remove the data. Google challenged the order arguing that AEPD lacks jurisdiction over its search operation, which is based in the U.S. The Spanish High Court referred the jurisdictional question (along with additional issues) to the ECJ.
While the ECJ has yet to issue a formal decision, the Advocate General (AG) has issued an advisory opinion addressing the jurisdiction issue. The AG noted that Google’s national offices in Europe act as commercial representatives for the company’s advertising functions and are “to a certain extent coordinated by its Irish subsidiary.” It stated that Google has data centers in Belgium and Finland, but does not disclose information concerning the exact geographical location of functions relating to its search engine activity. Google claimed that no processing of personal data relating to its search engine took place in Spain.
In his opinion, the AG rejected Google’s arguments, holding that where Google sets up a branch office or subsidiary in a Member State for the purpose of promoting and selling advertising space on its search engine, such an office or subsidiary orientates its activity towards the inhabitants of that State and therefore subjects Google to local jurisdiction. The final decision of the ECJ, expected to be released in December, will have broad implications for online companies with a European presence.
In its 2010 opinion on applicable law, the Article 29 Working Party proposed that in any future legislation, relevant targeting of individuals would be taken into account in relation to controllers not established in the EU. This approach is reflected in the European Commission Proposal for the GDPR. Under Article 3(2) of the GDPR, the application of European law would extend to the processing of personal data by a controller not established in the EU, where “the processing activities are related to: (a) the offering of goods or services to such data subjects in the Union; or (b) the monitoring of their behavior.” Critics argue that this extension of extraterritorial application constitutes a dramatic shift from a “country of origin” to a “country of destination” approach and portends general application of the GDPR to the entire Internet.
While expanding international application, the GDPR would simplify jurisdiction and applicable law for controllers established in the EU, by introducing a “one-stop-shop” lead regulator. The one-stop-shop concept remains hotly debated, however, with European Parliament members pushing a watered-down version of a lead regulator as a single point of contact as opposed to a sole competent authority. Moreover, under the existing text, the one-stop-shop concept would not apply to companies not established within the EU. This means that if such companies are caught by the expanding scope of EU regulation, they would have to deal with as many as 28 national (and additional state level) regulators. In various statements, the European Commission has clarified that this result does not reflect legislative oversight, but rather a conscious effort to provide an incentive for global businesses to establish an EU base as a locus for applicable data protection law and jurisdiction.