Posts Tagged Case C-131/12
Forget Facebook and Safe Harbour. CJEU in Weltimmo confirms wide prescriptive but finds limited executive jurisdiction in EU data protection.
A lot of attention last week went to the CJEU’s annulment of the EC’s ‘Safe Harbour’ decision in Schrems v Facebook (aka Austrian student takes on internet giant). I will not detail that finding for I assume, for once, that readers will be au fait with that judgment. For those who are not: please refer to Steve Peers for excellent analysis as per usual. It is noteworthy though that the CJEU’s finding in Schrems is based in the main on a finding of ultra vires: often easily remedied, as those with a background in public law will know.
Schrems (held 6 October) confirmed the Court’s approach to the EU’s prescriptive jurisdiction in data protection laws, as in Google Spain. However the Thursday before, on 1 October, the Court took a more restrictive view on ‘executive’ or ‘enforcement’ jurisdiction in Case C-230/14 Weltimmo. Lorna Woods has the general context and findings over at EU Law analysis. The essence in my view is that the Court insists on internal limitations to enforcement. It discussed the scope of national supervisory authority’s power in the context of Directive 95/4, the same directive which was at issue in Google Spain. The Court held
Where the supervisory authority of a Member State, to which complaints have been submitted in accordance with Article 28(4) of Directive 95/46, reaches the conclusion that the law applicable to the processing of the personal data concerned is not the law of that Member State, but the law of another Member State, Article 28(1), (3) and (6) of that directive must be interpreted as meaning that that supervisory authority will be able to exercise the effective powers of intervention conferred on it in accordance with Article 28(3) of that directive only within the territory of its own Member State. Accordingly, it cannot impose penalties on the basis of the law of that Member State on the controller with respect to the processing of those data who is not established in that territory, but should, in accordance with Article 28(6) of that directive, request the supervisory authority within the Member State whose law is applicable to act.
In other words, the supervisory authority in a Member State can examine the complaints it receives even if the law that applies to the data processing is the law of another Member State. However the scope of its sanctioning power is limited by its national borders.
This finding (I appreciate there are caveats) has important implications for the discussion on the territorial reach of the so-called ‘righ to be forgotten’. It supports in my view, the argument that the EU cannot extend its right to be forgotten rule to websites outside the EU’s domain. I have a paper forthcoming which discusses the various jurisdictional issues at stake here and the impact of Weltimmo on same.
In Google v Agencia Española de Protección de Datos, the Spanish High Court (Audiencia Nacional) has asked assistance with a number of essential questions under the EU’s flagship Directive on the protection of personal data, Directive 95/46. The case is relevant not just for the particular context of the data protection Directive: it generally addresses the million dollar question of ‘location’ in an internet context.
Mario Costeja González had requested Google to remove from its search results, an advertisement which had appeared in print, relating to the sale of property as a result of a former (and meanwhile resolved) debt. Google refused. Complaints to the Spanish data protection agency led i.a. to the question whether Spain at all has jurisdiction over the subsidiary, or whether California is the only acceptable forum, the Spanish subsidiary not trading in and of its own right, but rather providing collected data to its mother company.
Article 4 of the Directive is the crucial provision. It effectively links applicable law to jurisdiction (putting the horse before the cart, one could say):
National law applicable
1. Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:
(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;
(b) the controller is not established on the Member State’s territory, but in a place where its national law applies by virtue of international public law;
(c) the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.
2. In the circumstances referred to in paragraph 1 (c), the controller must designate a representative established in the territory of that Member State, without prejudice to legal actions which could be initiated against the controller himself.
Whence ‘carried out in the context of the activities of an establishment of the controller on the territory of the Member State‘
‘makes use of equipment (…) , situated on the territory of the said Member State‘
are the crucial connecting factors. It led the High Court to the following questions (I have only selected those with a specific conflicts relevance):