Posts Tagged C-131/12
One of those groundhog days. The Brussels Court of First instance on Facebook, privacy, Belgium and jurisdiction.
I have flagged once or twice that the blog is a touch behind on reporting – I hope to be on top soon.
I blogged a little while ago that the Brussels Court of Appeal had sided with Facebook in their appeal against the Court of first instance’s finding of Belgian jurisdiction. I had earlier argued that the latter was wrong. These earlier skirmishes were in interim proceedings. Then, in February, the Court of First instance, unsurprisingly, reinstated its earlier finding, this time with a bit more substantial flesh to the bone.
First, a bit of Belgian surrealism. In an interlocutory ruling the court had requested FB to produce a full copy of the Court of Appeal’s judgment upon which it relied for some of its arguments. Perhaps given the appalling state of reporting of Belgian case-law, this finding should not surprise. Yet it remains an absurd notion that parties should produce copies at all of Belgian judgments, not in the least copies of a Court of Appeal which is literally one floor up from the Court of first instance.
Now to the judgment. The court first of all confirms that the case does not relate to private international law for the privacy commission acts iure imperii (I summarise). Then follows a very lengthy and exhaustive analysis of Belgium’s jurisdiction on the basis of public international law. Particularly given the excellent input of a number of my public international law colleagues, this part of the judgment is academically interesting nay exciting – but also entirely superfluous. For any Belgian jurisdiction grounded in public international law surely is now exhaustively regulated by European law, Directive 95/46 in particular.
In finally reviewing the application of that Directive, and inevitably of course with reference to Weltimmo etc. the Court essentially assesses whether Facebook Belgium (the jurisdictional anchor) carries out activities beyond mere representation vis-a-vis the EU institutions, and finds that it does carry out commercial activities directed at Belgian users. That of course is a factual finding which requires au faitness with the employees’ activities.
Judgment is being appealed by Facebook – rightly so I believe. Of note is also that once the GDPR applies, exclusive Irish jurisdiction is clear.
Jurisdiction and the internet is a topic which has featured once or twice on this blog recently (and in a paper which I have already referred to in those earlier postings). Belgium’s Supreme Court in ordinary (the Hof van Cassatie /Cour de Cassation) employed the objective territoriality principle in a case with roots going back to 2007 (the fraudulent purchase of and subsequent failure to pay for electronic equipment from a shop in Dendermonde, Belgium). Yahoo! was requested to hand over the IP addresses associated with e-mail accounts registered to Yahoo!’s e-mail service. Yahoo! Inc, domiciled in California, refused to comply, triggering fines under criminal law. (Its corporate slogan btw used to be ‘it’s true!’ Hence the title of the post).
Responding to Yahoo!’s claims that Belgium was imposing its criminal laws extraterritorially, the Court of Appeal had held that Yahoo! is territorially present in Belgium, hereby voluntarily submitting itself to the jurisdiction of the Belgian authorities: it takes an active part in economic life in Belgium, among others by use of the domain name http://www.yahoo.be, the use of the local language(s) on that website, pop-up of advertisements based on the location of the users, and accessibility in Belgium of Belgium-focussed customer services (among others: a ‘Belgian’ Q&A, FAQ, and post box). [Notice the similarity with the Pammer /Alpenhof criteria]. The Court of Appeal had suggested that the accusations of extraterritoriality could only be accepted had there been a request for the handover of data or objects which are located in the USA, with which there is no Belgian territorial link whatsoever, and if the holder of these objects or data is not accessible in Belgium (either physically or virtually).
The Supreme Court on 1 December confirmed all of the Court of Appeal’s arguments, essentially linking them to the objective territoriality principle. Yahoo! actively directs its activities towards consumers present in Belgium.
Even though the case involves a criminal proceeding, the Court’s judgment inevitably (not necessarily justifiably) will be used as further support for the Belgian tussle with Facebook.
Not the way the datr cookie crumbles. Belgian courts on soggy jurisdictional grounds in Facebook privacy ruling.
Update 27 June 2017 Before the CJEU Case C-210/16 Wirtschaftsakademie Schleswig-Holstein GmbH v Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein relates to some issues with relevance for the case at hand: in particular the respective powers of various authorities in the Member States with the parent company outside of the EU and one of the data protection authorities based in the Member State where the company’s establishment is responsible for data processing under the group’s internal division of tasks and responsibilities.
Update 11 July 2016 the Court of Appeal has sided with FB on 29 June. No surprises there!
Update 27 June 2017 both initial ruling and the CA’s judgment relate to the provisionary measures. The case is now going through the same courts in ordinary (non-urgent) fashion.
Update 9 February 2016 the French privacy commission has now mirrored the Belgian action
Quite a lot of attention has been going to a Belgian court ordering Facebook to stop collecting data from non-users through the use of so-called datr cookies. Applicant is Willem Debeuckelaere, the chairman of the Belgian privacy commission, in his capacity as chairman (not, therefore, as a private individual). Our interest here is of course in the court’s finding that it has jurisdiction to hear the case, and that it can apply Belgian law. The judgment is drafted in Dutch – an English (succinct) summary is available here.
Defendants are three parties: Facebook Inc, domiciled in California; Facebook Belgium BVBA, domiciled in Brussels; and Facebook Ireland Ltd., domiciled in Dublin. Facebook Belgium essentially is FB’s public affairs office in the EU. FB Ireland delivers FB services to the EU market.
Directive 95/46 and the Brussels I Recast Regulation operate in a parallel universe. The former dictates jurisdiction and applicable law at the level of the relationship between data protection authorities (DPAs), and data processors (the FBs, Googles etc. of this world). The latter concerns the relation between private individuals and both authorities and processors alike. That parallelism explains, for instance, why Mr Schrems is pursuing the Irish DPA in the Irish Courts, and additionally, FB in the Austrian courts.
Current litigation against FB lies squarely in the context of Directive 95/46. This need not have been the case: Mr Debeuckelaere, aforementioned, could have sued in his personal capacity. If he is not a FB customer, at the least vis-a-vis FB Ireland, this could have easily established jurisdiction on the basis of Article 7(2)’s jurisdiction for tort (here: invasion of privacy): with Belgium as the locus damni. Jurisdiction against FB Inc can not so be established on the basis of Article 7(2) (it does not apply to defendants based outside the EU). If the chairman qq natural person is a FB customer, jurisdiction for the Belgian courts may be based on the consumer contracts provisions of Regulation 1215/2012 – however that would have defeated the purpose of addressing FB’s policy vis-a-vis non-users, which I understand is what datr cookies are about.
Instead, the decision was taken (whether informed or not) to sue purely on the basis of the data protection Directive. This of course requires application of the jurisdictional trigger clarified in Google Spain. German precedent prior to the Google Spain judgment, did not look promising (Schleswig-Holstein v Facebook).
At the least, the Belgian court’s application of the Google Spain test, is debatable: as I note in the previous post,
Article 4(1)(a) of Directive 95/46 does not require the processing of personal data in question to be carried out ‘by’ the establishment concerned itself, but only that it be carried out ‘in the context of the activities’ of the establishment (at 52): that is the case if the latter is intended to promote and sell, in that Member State, advertising space offered by the search engine which serves to make the service offered by that engine profitable (at 55). The very display of personal data on a search results page constitutes processing of such data. Since that display of results is accompanied, on the same page, by the display of advertising linked to the search terms, it is clear that the processing of personal data in question is carried out in the context of the commercial and advertising activity of the controller’s establishment on the territory of a Member State, in this instance Spanish territory (at 57).
Google Spain’s task was providing support to the Google group’s advertising activity which is separate from its search engine service. Per the formula recalled above, this sufficed to trigger jurisdiction for the Spanish DPA. Google Spain is tasked to promote and sell, in that Member State, advertising space offered by the search engine which serves to make the service offered by that engine profitable. The Belgian court accepts jurisdiction on the basis of Facebook Belgium’s activities being ‘inseparably linked’ (at p.15) to Facebook’s activities. With respect, I do not think this was the intention of the CJEU in Google Spain. At the very least, the court’s finding undermines the one stop principle of the data protection Directive, for Belgium’s position viz the EU Institutions means that almost all data processors have some form of public interest representation in Belgium, often indeed taking the form of a BVBA or a VZW (the latter meaning a not for profit association).
The court further justifies (p.16) its jurisdiction on the basis of the measures being provisionary. Provisionary measures fall outside the jurisdictional matrix of the Brussels I (Recast), provided they are indeed provisionary, and provided there is a link between the territory concerned and the provisional measures imposed. How exactly such jurisdiction can be upheld vis-a-vis Facebook Ireland and Facebook Inc, is not clarified by the court.
The court does limit the provisionary measures territorially: FB is only ordered to stop using datr cookies tracking data of non-FB users ‘vis-a-vis internet users on Belgian territory’, lest these be informed of same.
I mentioned above that the data protection Directive and the Brussels I recast can be quite clearly distinguished at the level of jurisdiction. However findings of courts or public authorities on the basis of either of them, do still face the hurdle of enforcement. That is no different in this case. Recognition and enforcement of the judgment vis-a-vis FB Inc will have to follow a rather complex route, and it is not inconceivable that the US (in particular, the State of California) will refuse recognition on the basis of perceived extraterritorial jurisdictional claims (see here for a pondering of the issues). Even vis-a-vis Facebook Ireland, however, one can imagine enforcement difficulties. Even if these provisionary measures are covered by the Brussels I Recast (which may not be the case given the public character of plaintiff), such measures issued by courts which lack jurisdiction as to the substance of the matter, are not covered by the enforcement Title of the Regulation.
All in all, plenty to be discussed in appeal.
A bar to ‘extraterritorial’ EU law. Landgericht Koln refuses to extend ‘right to be forgotten’ to .com domain.
Postscript 11 March 2016 Google have announced a new policy which goes some way to addressing the EU’s concerns. An unusually conciliatory move.
An inevitable consequence of the rulings in Google Spain, Weltimmo and Schrems /Facebook /Safe harbour, is whether courts in the EU can or perhaps even must insist on extending EU data protection rules to websites outside of EU domain. The case has led to suggestions of ‘exterritorial reach’ of Google Spain or the ‘global reach’ of the RTBF, coupled with accusations that the EU oversteps its ‘jurisdictional boundaries’. This follows especially the order or at least intention, by the French and other data protection agencies, that Google extend its compliance policy to the .com webdomain.
The Landgericht Köln mid September (the case has only now reached the relevant databases) in my view justifiably withheld enforcement jurisdiction in a libel case only against Google.de for that is the website aimed at the German market. It rejected extension of the removal order vis-à-vis Google.com, in spite of a possibility for German residents to reach Google.com, because that service is not intended for the German speaking area and anyone wanting to reach it, has to do so intentionally. (See the ruling under 1, para 3 and 4).
I have further context to this issue in a paper which is on SSRN and which is being peer reviewed as we speak (I count readers of this blog as peers hence do please forward any comments).
ECJ in Google Spain confirms reach of EU Data Protection Directive. Right to be forgotten not withheld verbatim but may be realised in practice.
I reported earlier on the AG’s Opinion in Google Spain. The Court held this morning. It broadly confirms the AG’s view on jurisdiction however it did effectively read a (conditional and incremental) right to be forgotten in the current Directive, in contrast with the AG.
The ECJ confirmed earlier case-law in which it held that the operation of loading personal data on an internet page must be considered to be such ‘processing’ within the meaning of Article 2(b) of Directive 95/46. This finding is not affected by the fact that those data have already been published on the internet and are not altered by the search engine.
Who is the ‘controller’ of these data? The activity of a search engine is liable to affect significantly, and additionally compared with that of the publishers of websites, the fundamental rights to privacy and to the protection of personal data. The operator of the search engine as the person determining the purposes and means of that activity must ensure, within the framework of its responsibilities, powers and capabilities, that the activity meets the requirements of Directive 95/46 in order that the guarantees laid down by the directive may have full effect and that effective and complete protection of data subjects, in particular of their right to privacy, may actually be achieved. It is this operator who is the ‘controller’ within the meaning of the Directive.
The territorial scope of the Directive is the most relevant to the conflicts community: It is noteworthy that in the current version of the data protection directive, targeting of consumers is not a jurisdictional criterion for providers established outside of the EU.
The referring court had stated that Google Search is operated and managed by Google Inc. and that it has not been established that Google Spain carries out in Spain an activity directly linked to the indexing or storage of information or data contained on third parties’ websites. Nevertheless, according to the referring court, the promotion and sale of advertising space, which Google Spain attends to in respect of Spain, constitutes the bulk of the Google group’s commercial activity and may be regarded as closely linked to Google Search.
The ECJ notes that Google Spain engages in the effective and real exercise of activity through stable arrangements in Spain. As it moreover has separate legal personality, it constitutes a subsidiary of Google Inc. on Spanish territory and, therefore, an ‘establishment’ within the meaning of Article 4(1)(a) of Directive 95/46. However, is the processing of personal data by the controller ‘carried out in the context of the activities’ of an establishment of the controller on the territory of a Member State (necessary to trigger application of the Directive)?
Google Spain and Google Inc. dispute that this is the case since the processing of personal data at issue in the main proceedings is carried out exclusively by Google Inc., which operates Google Search without any intervention on the part of Google Spain; the latter’s activity is limited to providing support to the Google group’s advertising activity which is separate from its search engine service.
The court disagreed: Article 4(1)(a) of Directive 95/46 does not require the processing of personal data in question to be carried out ‘by’ the establishment concerned itself, but only that it be carried out ‘in the context of the activities’ of the establishment (at 52): that is the case if the latter is intended to promote and sell, in that Member State, advertising space offered by the search engine which serves to make the service offered by that engine profitable (at 55). The very display of personal data on a search results page constitutes processing of such data. Since that display of results is accompanied, on the same page, by the display of advertising linked to the search terms, it is clear that the processing of personal data in question is carried out in the context of the commercial and advertising activity of the controller’s establishment on the territory of a Member State, in this instance Spanish territory (at 57).
This view confirms broadly the AG’s use of Google’s ‘business model’ as a jurisdictional trigger.
The AG had also opined on the supposed ‘right to be forgotten’ concluding that it does not exist in current EU law (neither directive nor Charter). The ECJ’s findings work towards such right (without mentioning it specifically) following a thorough review of the requirements of the Directive and the proportionality test implied, and by holding that given the ease with which information published on a website can be replicated on other sites and the fact that the persons responsible for its publication are not always subject to European Union legislation, effective and complete protection of data users could not be achieved if the latter had to obtain first or in parallel the erasure of the information relating to them from the publishers of websites.
The operator of a search engine may therefore be obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful (at 88). The right to privacy however has to be assessed vis-a-vis the right of the public to information, in an ad hoc manner.
The judgment has plenty for the data protection community to chew over (see e.g. Orla Lynskey over at the EU law blog). For those of us who are conflicts lawyers, the jurisdictional trigger is most interesting (and will feed into the review of the Directive, one imagines).
‘Where law and new technology meet’ – JÄÄSKINEN AG turns to business model in Google Spain to establish scope of application of the data protection Directive. No right to be forgotten under the Directive or Charter.
As announced on the blog earlier, JÄÄSKINEN AG has opined this morning in Case C-131/12 Google Spain. The Opinion covers a lot of issues in relatively condensed space – one of these Opinions where you should not trust the summary of a blogger, for invariably the blog posting does not do justice to all issues addressed. Below my highlights on the basis of diagonal reading: for I find this too important an Opinion not to flag it immediately.
As summarised by the AG, according to Article 4(1) of the Directive, the primary factor that gives rise to the territorial applicability of the national data protection legislation is the processing of personal data carried out in the context of the activities of an establishment of the controller on the territory of the Member State. Further, when a controller is not established on EU territory but uses means or equipment situated on the territory of the Member State for processing of personal data, the legislation of that Member State applies unless such equipment or means is used only for purposes of transit through the territory of the EU. The territorial scope of application of the Directive and the national implementing legislation is triggered therefore either by the location of the establishment of the controller, or the location of the means or equipment being used when the controller is established outside the EEA. Nationality or place of habitual residence of data subjects is not decisive, nor is the physical location of the personal data – at least not in the current versions of the Directive. The AG points out that in future legislation relevant targeting of individuals could be taken into account in relation to controllers not established in the EU. Such an approach, attaching the territorial applicability of EU legislation to the targeted public, is consistent with the Court’s case-law on the applicability of the e-commerce Directive 2000/31, the Brussels I (‘jurisdiction’) Regulation and Directive 2001/29 on copyright and related rights in the information society to cross-border situations. Again, though, it is not a criterion in the current version of the data protection Directive, with respect to providers established outside of the EU.
The AG turns to the business model of a company to assist him in establishing applicability of the Directive for the case at issue, where Google (domiciled in California) does have establishments in the EU (the establishment of the controller therefore being the trigger), as well as at least two known data centres:
‘Google Inc. is a Californian firm with subsidiaries in various EU Member States. Its European operations are to a certain extent coordinated by its Irish subsidiary. It currently has data centres at least in Belgium and Finland. Information on the exact geographical location of the functions relating to its search engine is not made public. Google claims that no processing of personal data relating to its search engine takes place in Spain. Google Spain acts as commercial representative of Google for its advertising functions. In this capacity it has taken responsibility for the processing of personal data relating to its Spanish advertising customers. Google denies that its search engine performs any operations on the host servers of the source web pages, or that it collects information by means of cookies of non registered users of its search engine.’ (at 62).
‘In my opinion the Court should approach the question of territorial applicability from the perspective of the business model of internet search engine service providers. This, as I have mentioned, normally relies on keyword advertising which is the source of income and, as such, the economic raison d’être for the provision of a free information location tool in the form of a search engine. The entity in charge of keyword advertising (called ‘referencing service provider’ in the Court’s case-law) is linked to the internet search engine. This entity needs presence on national advertising markets. For this reason Google has established subsidiaries in many Member States which clearly constitute establishments within the meaning of Article 4(1)(a) of the Directive. It also provides national web domains such as google.es or google.fi. The activity of the search engine takes this national diversification into account in various ways relating to the display of the search results because the normal financing model of keyword advertising follows the pay-per-click principle.’ (…) ‘In conclusion, processing of personal data takes place within the context of a controller’s establishment if that establishment acts as the bridge for the referencing service to the advertising market of that Member State, even if the technical data processing operations are situated in other Member States or third countries.’ (…)
‘For this reason, I propose that the Court should answer the first group of preliminary questions in the sense that processing of personal data is carried out in the context of the activities of an ‘establishment’ of the controller within the meaning of Article 4(1)(a) of the Directive when the undertaking providing the search engine sets up in a Member State for the purpose of promoting and selling advertising space on the search engine, an office or subsidiary which orientates its activity towards the inhabitants of that State.’ [footnotes omitted]
The AG uses the terms ‘targeted at’ [cf in this respect ‘intended target of information’ in Football Dataco] and ‘oriented at’ – not, as had become custom, ‘directed at’: presumably to emphasise the contrast with the other Directives mentioned above.
The AG then turns his attention inter alia to the alleged ‘right to be forgotten’: not one, he suggests, which exists under the current Directive, not even when read in conjunction with the Charter on Fundamental Rights and Freedoms (the EU’s version of the Human Rights Act). That surely is an important observation.
Much to chew on – not quite all digested above, however I do hope these first impressions may act as an appetizer for discussion elsewhere.