Tag: Case C-131/12

Posted on

It’s true! Belgian Supreme Court confirms order for Yahoo! to hand over IP-addresses.

Jurisdiction and the internet is a topic which has featured once or twice on this blog recently (and in a  paper which I have already referred to in those earlier postings). Belgian’s Supreme Court in ordinary (the Hof van Cassatie /Cour de Cassation) employed the objective territoriality principle in a case with roots going back to 2007 (the fraudulent purchase of and subsequent failure to pay for electronic equipment from a shop in Dendermonde, Belgium), Yahoo! was requested to hand over the IP addresses associated with e-mail accounts registered to Yahoo!’s e-mail service. Yahoo! Inc, domiciled in California, refused to comply, triggering fines under criminal law. (It’s corporate slogan btw used to be ‘it’s true!’ Hence the title of the post).

Responding to Yahoo!s claims that Belgium was imposing its criminal laws extraterritorially, the Court of Appeal had held that Yahoo! is territorially present in Belgium, hereby voluntarily submitting itself to the jurisdiction of the Belgian authorities: it takes an active part in economic life in Belgium, among others by use of the domain name http://www.yahoo.be, the use of the local language(s) on that website, pop-up of advertisements based on the location of the users, and accessibility in Belgium of Belgium-focussed customer services (among others: a ‘Belgian’ Q&A, FAQ, and post box). [Notice the similarity with the Pammer /Alpenhof criteria]. The Court of Appeal had suggested that the accusations of extraterritoriality could only be accepted had there been a request for the handover of data or objects which are located in the USA, with which there is no Belgian territorial link whatsoever, and if the holder of these objects or data is not accessible in Belgium (either physically or virtually).

The Supreme Court on 1 December confirmed all of the Court of Appeal’s arguments, essentially linking them to the objective territoriality principle. Yahoo! actively directs its activities towards consumers present in Belgium.

Even though the case involves a criminal proceeding, the Court’s judgment inevitably (not necessarily justifiably) will be used as further support for the Belgian tussle with Facebook.

Geert.

Posted on

A bar to ‘extraterritorial’ EU law. Landgericht Koln refuses to extend ‘right to be forgotten’ to .com domain .

Postcript 11 March 2016 Google have announced a new policy which  goes some way to addressing the EU’s concerns. An unusually conciliatory move.

An inevitable consequence of the rulings in Google Spain, Weltimmo and Schrems /Facebook /Safe harbour, is whether courts in the EU can or perhaps even must insist on extending EU data protection rules to websites outside of EU domain. The case has led to suggestions of ‘exterritorial reach’ of Google Spain or the ‘global reach’ of the RTBF, coupled with accusations that the EU oversteps its ‘jurisdictional boundaries’. This follows especially the order or at least intention, by the French and other data protection agencies, that Google extend its compliance policy to the .com webdomain.

The Landgericht Köln mid September (the case has only now reached the relevant databases) in my view justifiably upheld enforcement jurisdiction in a libel case only against Google.de for that is the website aimed at the German market. It rejected extension of the removal order vis-à-vis Google.com, in spite of a possibility for German residents to reach Google.com, because that service is not intended for the German speaking area and anyone wanting to reach it, has to do so intentionally. (See the ruling under 1, para 3 and 4).

I have further context to this issue in a paper which is on SSRN and which is being peer reviewed as we speak (I count readers of this blog as peers hence do please forward any comments).

Geert.

Posted on

Forget Facebook and Safe Harbour. CJEU in Weltimmo confirms wide prescriptive but finds limited executive jurisdiction in EU data protection.

A lot of attention last week went to the CJEU’s annulment of the EC’s ‘Safe Harbour’ decision in Schrems v Facebook  (aka Austrian student takes on internet giant). I will not detail that finding for I assume, for once, that readers will be au fait with that judgment. For those who are not: please refer to Steve Peers for excellent analysis as per usual. It is noteworthy though that the CJEU’s finding in Schrems is based in the main on a finding of ultra vires: often easily remedied, as those with a background in public law will know.

Schrems (held 6 October) confirmed the Court’s approach to the EU’s prescriptive jurisdiction in data protection laws, as in Google Spain. However the Thursday before, on 1 October, the Court took a more restrictive view on ‘executive’ or ‘enforcement’ jurisdiction in Case C-230/14 Weltimmo. Lorna Woods has the general context and findings over at EU Law analysis. The essence in my view is that the Court insists on internal limitations to enforcement. It discussed the scope of national supervisory authority’s power in the context of Directive 95/4, the same directive which was at issue in Google Spain. The Court held

Where the supervisory authority of a Member State, to which complaints have been submitted in accordance with Article 28(4) of Directive 95/46, reaches the conclusion that the law applicable to the processing of the personal data concerned is not the law of that Member State, but the law of another Member State, Article 28(1), (3) and (6) of that directive must be interpreted as meaning that that supervisory authority will be able to exercise the effective powers of intervention conferred on it in accordance with Article 28(3) of that directive only within the territory of its own Member State. Accordingly, it cannot impose penalties on the basis of the law of that Member State on the controller with respect to the processing of those data who is not established in that territory, but should, in accordance with Article 28(6) of that directive, request the supervisory authority within the Member State whose law is applicable to act.

In other words, the supervisory authority in a Member State can examine the complaints it receives even if the law that applies to the data processing is the law of another Member State. However the scope of its sanctioning power is limited by its national borders.

This finding (I appreciate there are caveats) has important implications for the discussion on the territorial reach of the so-called ‘righ to be forgotten’. It supports in my view, the argument that the EU cannot extend its right to be forgotten rule to websites outside the EU’s domain. I have a paper forthcoming which discusses the various jurisdictional issues at stake here and the impact of Weltimmo on same.

Geert.

Posted on

ECJ in Google Spain confirms reach of EU Data Protection Directive. Right to be forgotten not upheld verbatim but may be realised in practice.

I reported earlier on the AG’s Opinion in Google Spain. The Court held this morning. It broadly confirms the AG’s view on jurisdiction however it did effectively read a (conditional and incrimental) right to be forgotten in the current Directive, in contrast with the AG.

The ECJ confirmed earlier case-law in which it held that the operation of loading personal data on an internet page must be considered to be such ‘processing’ within the meaning of Article 2(b) of Directive 95/46. This finding is not affected  by the fact that those data have already been published on the internet and are not altered by the search engine.

Who is the ‘controller’ of these data?  The activity of a search engine is liable to affect significantly, and additionally compared with that of the publishers of websites, the fundamental rights to privacy and to the protection of personal data. The operator of the search engine as the person determining the purposes and means of that activity must ensure, within the framework of its responsibilities, powers and capabilities, that the activity meets the requirements of Directive 95/46 in order that the guarantees laid down by the directive may have full effect and that effective and complete protection of data subjects, in particular of their right to privacy, may actually be achieved.  It is this operator who is the ‘controller’ within the meaning of the Directive.

The territorial scope of the Directive is the most relevant to the conflicts community: It is noteworthy that in the current version of the data protection directive, targeting of consumers is not a jurisdictional criterion for providers established outside of the EU.

The referring court had stated that Google Search is operated and managed by Google Inc. and that it has not been established that Google Spain carries out in Spain an activity directly linked to the indexing or storage of information or data contained on third parties’ websites. Nevertheless, according to the referring court, the promotion and sale of advertising space, which Google Spain attends to in respect of Spain, constitutes the bulk of the Google group’s commercial activity and may be regarded as closely linked to Google Search.

The ECJ notes that Google Spain engages in the effective and real exercise of activity through stable arrangements in Spain. As it moreover has separate legal personality, it constitutes a subsidiary of Google Inc. on Spanish territory and, therefore, an ‘establishment’ within the meaning of Article 4(1)(a) of Directive 95/46. However, is the processing of personal data by the controller ‘carried out in the context of the activities’ of an establishment of the controller on the territory of a Member State (necessary to trigger application of the Directive)?

Google Spain and Google Inc. dispute that this is the case since the processing of personal data at issue in the main proceedings is carried out exclusively by Google Inc., which operates Google Search without any intervention on the part of Google Spain; the latter’s activity is limited to providing support to the Google group’s advertising activity which is separate from its search engine service.

The court disagreed: Article 4(1)(a) of Directive 95/46 does not require the processing of personal data in question to be carried out ‘by’ the establishment concerned itself, but only that it be carried out ‘in the context of the activities’ of the establishment (at 52): that is the case if the latter is intended to promote and sell, in that Member State, advertising space offered by the search engine which serves to make the service offered by that engine profitable (at 55). The very display of personal data on a search results page constitutes processing of such data. Since that display of results is accompanied, on the same page, by the display of advertising linked to the search terms, it is clear that the processing of personal data in question is carried out in the context of the commercial and advertising activity of the controller’s establishment on the territory of a Member State, in this instance Spanish territory (at 57).

This view confirms broadly the AG’s use of Google’s ‘business model’ as a jurisdictional trigger.

 

The AG had also opined on the supposed ‘right to be forgotten’ concluding that it does not exist in current EU law (neither directive nor Charter). The ECJ’s findings work towards such right (without mentioning it specifically)  following a thorough review of the requirements of the Directive and the proportionality test implied, and by holding that given the ease with which information published on a website can be replicated on other sites and the fact that the persons responsible for its publication are not always subject to European Union legislation, effective and complete protection of data users could not be achieved if the latter had to obtain first or in parallel the erasure of the information relating to them from the publishers of websites.

The operator of a search engine may therefore be obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful (at 88). The right to privacy however has to be assessed vis-a-vis the right of the public to information, in an ad hoc manner.

The judgment has plenty for the data protection community to chew over (sse e.g. Orla Linskey over at the EU law blog). For those of us who are conflicts lawyers, the jurisdictional trigger is most interesting (and will feed into the review of the Directive, one imagines).

Geert.

Posted on

‘Where law and new technology meet’ – JÄÄSKINEN AG turns to business model in Google Spain to establish scope of application of the data protection Directive. No right to be forgotten under the Directive or Charter.

As announced on the blog earlier, JÄÄSKINEN AG has opined this morning in Case C-131/12 Google Spain. The Opinion covers a lot of issues in relatively condensed space – one of these Opinions where you should not trust the summary of a blogger, for invariably the blog posting does not do justice to all issues addressed. Below my highlights on the basis of diagonal reading: for I find this too important an Opinion not to flag it immediately.

As summarised by the AG, according to Article 4(1) of the Directive, the primary factor that gives rise to the territorial applicability of the national data protection legislation is the processing of personal data carried out in the context of the activities of an establishment of the controller on the territory of the Member State. Further, when a controller is not established on EU territory but uses means or equipment situated on the territory of the Member State for processing of personal data, the legislation of that Member State applies unless such equipment or means is used only for purposes of transit through the territory of the EU. The territorial scope of application of the Directive and the national implementing legislation is triggered therefore either by the location of the establishment of the controller, or the location of the means or equipment being used when the controller is established outside the EEA. Nationality or place of habitual residence of data subjects is not decisive, nor is the physical location of the personal data – at least not in the current versions of the Directive. The AG points out that in future legislation relevant targeting of individuals could be taken into account in relation to controllers not established in the EU. Such an approach, attaching the territorial applicability of EU legislation to the targeted public, is consistent with the Court’s case-law on the applicability of the e-commerce Directive 2000/31, the Brussels I (‘jurisdiction’) Regulation and Directive 2001/29, the on copyright and related rights in the information society to cross-border situations. Again, though, it is not a criterion in the current version of the data protection Directive, with respect to providers established outside of the EU.

The AG turns to the business model of a company to assist him in establishing applicability of the Directive for the case at issue, where Google (domiciled in California) does have establishments in the EU (the establishment of the controller therefore being the trigger), as well as at least two known data centres:

‘Google Inc. is a Californian firm with subsidiaries in various EU Member States. Its European operations are to a certain extent coordinated by its Irish subsidiary. It currently has data centres at least in Belgium and Finland. Information on the exact geographical location of the functions relating to its search engine is not made public. Google claims that no processing of personal data relating to its search engine takes place in Spain. Google Spain acts as commercial representative of Google for its advertising functions. In this capacity is has taken responsibility for the processing of personal data relating to its Spanish advertising customers. Google denies that its search engine performs any operations on the host servers of the source web pages, or that it collects information by means of cookies of non registered users of its search engine.’ (at 62).

‘In my opinion the Court should approach the question of territorial applicability from the perspective of the business model of internet search engine service providers. This, as I have mentioned, normally relies on keyword advertising which is the source of income and, as such, the economic raison d’être for the provision of a free information location tool in the form of a search engine. The entity in charge of keyword advertising (called ‘referencing service provider’ in the Court’s case-law) is linked to the internet search engine. This entity needs presence on national advertising markets. For this reason Google has established subsidiaries in many Member States which clearly constitute establishments within the meaning of Article 4(1)(a) of the Directive. It also provides national web domains such as google.es or google.fi. The activity of the search engine takes this national diversification into account in various ways relating to the display of the search results because the normal financing model of keyword advertising follows the pay-per-click principle.’ (…) ‘In conclusion, processing of personal data takes place within the context of a controller’s establishment if that establishment acts as the bridge for the referencing service to the advertising market of that Member State, even if the technical data processing operations are situated in other Member States or third countries.’ (…)

‘For this reason, I propose that the Court should answer the first group of preliminary questions in the sense that processing of personal data is carried out in the context of the activities of an ‘establishment’ of the controller within the meaning of Article 4(1)(a) of the Directive when the undertaking providing the search engine sets up in a Member State for the purpose of promoting and selling advertising space on the search engine, an office or subsidiary which orientates its activity towards the inhabitants of that State.’  [footnotes omitted]

The AG uses the terms ‘targeted at’ [cf in this respect ‘intended target of information’ in Football Dataco] and ‘oriented at’ – not, as had become custom, ‘directed at’: presumably to emphasise the contrast with the other Directives mentioned above.

The AG then turns his attention inter alia to the alleged ‘right to be forgotten’: not one, he suggests, which exists under the current Directive, not even when read in conjunction with the Charter on Fundamental Rights and Freedoms (the EU’s version of the Human Rights Act). That surely is an important observation.

Much to chew on – not quite all digested above, however I do hope these first impressions may act as an appetizer for discussion elsewhere.

Geert.

Posted on

Getting the hint, punk? European data protection authorities step up fight against Google

Postscript 30 September 2013: see here for the CNIL press release stating that Google has failed to comply and shall be served an official enforcement notice.

 

I reported earlier on the referral to the ECJ of questions surrounding jurisdiction under the data protection Directive: the AG’s Opinion in that case, C-131/17 is due tomorrow (25 June). Last week, the French data protection authority (‘CNIL’)  ordered Google to comply with the French Data Protection Act, within three months. That in itself of course is testimony to the French determination in their own national procedure. However the agency’s action is unusual in that it announces co-ordinated action between a wide variety of European data protection agencies. CNIL notes

The Data Protection Authorities from Germany, Italy, the Netherlands, Spain and the United Kingdom carry on their investigations under their respective national procedures and as part of an international administrative cooperation.

Therefore,

  • The Spanish DPA has issued to Google his decision today to open a sanction procedure for the infringement of key principles of the Spanish Data Protection Law.
  • The UK Information Commissioner’s Office is considering whether Google’s updated privacy policy is compliant with the UK Data Protection Act 1998. ICO will shortly be writing to Google to confirm their preliminary findings.
  • The Data Protection Commissioner of Hamburg has opened a formal procedure against the company. It starts with a formal hearing as required by public administrative law, which may lead to the release of an administrative order requiring Google to implement measures in order to comply with German national data protection legislation.
  • As part of the investigation, the Dutch DPA will first issue a confidential report of preliminary findings, and ask Google to provide its view on the report. The Dutch DPA will use this view in its definite report of findings, after which it may decide to impose a sanction.
  • The Italian Data Protection Authority is awaiting additional clarification from Google Inc. after opening a formal inquiry proceeding at the end of May and will shortly assess the relevant findings to establish possible enforcement measures, including possible sanctions, under the Italian data protection law.’

Other than perhaps in competition law, such co-ordinated action among national authorities is rare. That it should be in data protection, confirms the relevance which Europeans and their legislators attach to the protection of personal data.

Geert.

Posted on

The ‘location’ of data in the EU: Google’s Spanish tussle referred to the ECJ

In  Google v  Agencia Española de Protección de Datos, the Spanish High Court (Audiencia Nacional) has asked assistance with a number of essential questions under the EU’s flagship Directive on the protection of personal data, Directive 95/46. The case is relevant not just for the particular context of the data protection Directive: it generally addresses the million dollar question of ‘location’ in an internet context.

Mario Costeja González had requested Google to remove from its search results, an advertisement which had appeared in print, relating to the sale of property as a result of a former (and meanwhile resolved) debt. Google refused. Complaints to the Spanish data protection agency led i.a. to the question whether Spain at all has jurisdiction over the subsidiary, or whether California is the only acceptable forum, the Spanish subsidiary not trading in and of its own right, but rather providing collected data to its mother company.

Article 4 of the Directive is the crucial provision. It effectively links applicable law to jurisdiction (putting the horse before the cart, one could say):

Article 4

National law applicable

1. Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:

(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;

(b) the controller is not established on the Member State’s territory, but in a place where its national law applies by virtue of international public law;

(c) the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.

2. In the circumstances referred to in paragraph 1 (c), the controller must designate a representative established in the territory of that Member State, without prejudice to legal actions which could be initiated against the controller himself.

Whence ‘carried out in the context of the activities of an establishment of the controller on the territory of the Member State

and

makes use of equipment (…) , situated on the territory of the said Member State‘ 

are the crucial connecting factors. It led the High Court to the following questions (I have only selected those with a specific conflicts relevance):

*****
With regard to the territorial application of Directive 95/46/EC and, consequently, of the Spanish data-protection legislation:
1.1. must it be considered that an ‘establishment’, within the meaning of Article 4(1)(a) of Directive 95/46/EC, exists when any one or more of the following circumstances arise:
– when the undertaking providing the search engine sets up in a Member State an office or subsidiary for the purpose of promoting and selling advertising space on the search engine, which orientates its activity towards the inhabitants of that State,
or
– when the parent company designates a subsidiary located in that Member State as its representative and controller for two specific filing systems which relate to the data of customers who have contracted for advertising with that undertaking,
or
– when the office or subsidiary established in a Member State forwards to the parent company, located outside the European Union, requests and requirements addressed to it both by data subjects and by the authorities with responsibility for ensuring observation of the right to data protection, even where such collaboration is engaged in voluntarily?
1.2. Must Article 4(1)(c) of Directive 95/46/EC be interpreted as meaning that there is ‘use of equipment … situated on the territory of that Member State’
when a search engine uses crawlers or robots to locate and index information contained in web pages located on servers in that Member State
or
when it uses a domain name pertaining to a Member State and arranges for searches and the results thereof to be based on the language of that Member State?
1.3. Is it possible to regard as a use of equipment, in the terms of Article 4(1)(c) of Directive 95/46/EC, the temporary storage of the information indexed by internet search engines? If the answer to that question is affirmative, can it be considered that that connecting factor is present when the undertaking refuses to disclose the place where it stores those indexes, invoking reasons of competition?
1.4. Regardless of the answers to the foregoing questions and particularly in the event that the Court of Justice of the European Union considers that the connecting factors referred to in Article 4 of the Directive are not present:
must Directive 95/46/EC on data protection be applied, in the light of Article 8 of the European Charter of Fundamental Rights, in the Member State where the centre of gravity of the conflict is located and more effective protection of the rights of European Union citizens is possible?
*****
The references to the Charter and to ‘centre of gravity’ (in the questions) and to public international law (in the Directive) make this review particularly tantalising. Let’s see which questions the Court will be happy to pick off and chew over.
Geert.
%d bloggers like this: