Posts Tagged Data protection authorities

Lloyd v Google. High Court rejects jurisdiction viz US defendant, interprets ‘damage’ in the context of data protection narrowly.

Update 11 December 2018 leave to appeal applied for.

Warby J in  [2018] EWHC 2599 (QB) Lloyd v Google (a class action suit with third party financing) considers, and rejects, jurisdiction against Google Inc (domiciled in the US) following careful consideration (and distinction) of the Vidal Hall (‘Safari users) precedent.

Of note is that the jurisdictional gateway used is the one in tort, which requires among others an indication of damage. In Vidal Hall, Warby J emphasises, that damage consisted of specific material loss or emotional harm which claimants had detailed in confidential court findings (all related to Google’s former Safari turnaround, which enabled Google to set the DoubleClick Ad cookie on a device, without the user’s knowledge or consent, immediately, whenever the user visited a website that contained DoubleClick Ad content.

In essence, Warby J suggests that both EU law (reference is made to CJEU precedent under Directive 90/314) and national law tends to suggest that “damage” has been extended in various contexts to cover “non-material damage” but only on the proviso that “genuine quantifiable damage has occurred”.

Wrapping up, at 74: “Not everything that happens to a person without their prior consent causes significant or any distress. Not all such events are even objectionable, or unwelcome. Some people enjoy a surprise party. Not everybody objects to every non-consensual disclosure or use of private information about them. Lasting relationships can be formed on the basis of contact first made via a phone number disclosed by a mutual friend, without asking first. Some are quite happy to have their personal information collected online, and to receive advertising or marketing or other information as a result. Others are indifferent. Neither category suffers from “loss of control” in the same way as someone who objects to such use of their information, and neither in my judgment suffers any, or any material, diminution in the value of their right to control the use of their information. Both classes would have consented if asked. In short, the question of whether or not damage has been sustained by an individual as a result of the non-consensual use of personal data about them must depend on the facts of the case. The bare facts pleaded in this case, which are in no way individualised, do not in my judgment assert any case of harm to the value of any claimant’s right of autonomy that amounts to “damage”…”

The judgment does not mean that misuse of personal data cannot be disciplined under data protection laws (typically: by the data protection authorities) or other relevant national courses of action. But where it entails a non-EU domiciled party, and the jurisdictional gateway of ‘tort’ is to be followed, ‘damage’ has to be shown.

Geert.

 

, , , , , , , , , , , , , , , , , , , , , , , , ,

Leave a comment

It’s true! Belgian Supreme Court confirms order for Yahoo! to hand over IP-addresses.

Jurisdiction and the internet is a topic which has featured once or twice on this blog recently (and in a  paper which I have already referred to in those earlier postings). Belgian’s Supreme Court in ordinary (the Hof van Cassatie /Cour de Cassation) employed the objective territoriality principle in a case with roots going back to 2007 (the fraudulent purchase of and subsequent failure to pay for electronic equipment from a shop in Dendermonde, Belgium), Yahoo! was requested to hand over the IP addresses associated with e-mail accounts registered to Yahoo!’s e-mail service. Yahoo! Inc, domiciled in California, refused to comply, triggering fines under criminal law.

Responding to Yahoo!s claims that Belgium was imposing its criminal laws extraterritorially, the Court of Appeal had held that Yahoo! is territorially present in Belgium, hereby voluntarily submitting itself to the jurisdiction of the Belgian authorities: it takes an active part in economic life in Belgium, among others by use of the domain name http://www.yahoo.be, the use of the local language(s) on that website, pop-up of advertisements based on the location of the users, and accessibility in Belgium of Belgium-focussed customer services (among others: a ‘Belgian’ Q&A, FAQ, and post box). [Notice the similarity with the Pammer /Alpenhof criteria]. The Court of Appeal had suggested that the accusations of extraterritoriality could only be accepted had there been a request for the handover of data or objects which are located in the USA, with which there is no Belgian territorial link whatsoever, and if the holder of these objects or data is not accessible in Belgium (either physically or virtually).

The Supreme Court on 1 December confirmed all of the Court of Appeal’s arguments, essentially linking them to the objective territoriality principle. Yahoo! actively directs its activities towards consumers present in Belgium.

Even though the case involves a criminal proceeding, the Court’s judgment inevitably (not necessarily justifiably) will be used as further support for the Belgian tussle with Facebook.

Geert.

, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Leave a comment

A bar to ‘extraterritorial’ EU law. Landgericht Koln refuses to extend ‘right to be forgotten’ to .com domain .

Postcript 11 March 2016 Google have announced a new policy which  goes some way to addressing the EU’s concerns. An unusually conciliatory move.

An inevitable consequence of the rulings in Google Spain, Weltimmo and Schrems /Facebook /Safe harbour, is whether courts in the EU can or perhaps even must insist on extending EU data protection rules to websites outside of EU domain. The case has led to suggestions of ‘exterritorial reach’ of Google Spain or the ‘global reach’ of the RTBF, coupled with accusations that the EU oversteps its ‘jurisdictional boundaries’. This follows especially the order or at least intention, by the French and other data protection agencies, that Google extend its compliance policy to the .com webdomain.

The Landgericht Köln mid September (the case has only now reached the relevant databases) in my view justifiably withheld enforcement jurisdiction in a libel case only against Google.de for that is the website aimed at the German market. It rejected extension of the removal order vis-à-vis Google.com, in spite of a possibility for German residents to reach Google.com, because that service is not intended for the German speaking area and anyone wanting to reach it, has to do so intentionally. (See the ruling under 1, para 3 and 4).

I have further context to this issue in a paper which is on SSRN and which is being peer reviewed as we speak (I count readers of this blog as peers hence do please forward any comments).

Geert.

, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Leave a comment

ECJ in Google Spain confirms reach of EU Data Protection Directive. Right to be forgotten not withheld verbatim but may be realised in practice.

I reported earlier on the AG’s Opinion in Google Spain. The Court held this morning. It broadly confirms the AG’s view on jurisdiction however it did effectively read a (conditional and incrimental) right to be forgotten in the current Directive, in contrast with the AG.

The ECJ confirmed earlier case-law in which it held that the operation of loading personal data on an internet page must be considered to be such ‘processing’ within the meaning of Article 2(b) of Directive 95/46. This finding is not affected  by the fact that those data have already been published on the internet and are not altered by the search engine.

Who is the ‘controller’ of these data?  The activity of a search engine is liable to affect significantly, and additionally compared with that of the publishers of websites, the fundamental rights to privacy and to the protection of personal data. The operator of the search engine as the person determining the purposes and means of that activity must ensure, within the framework of its responsibilities, powers and capabilities, that the activity meets the requirements of Directive 95/46 in order that the guarantees laid down by the directive may have full effect and that effective and complete protection of data subjects, in particular of their right to privacy, may actually be achieved.  It is this operator who is the ‘controller’ within the meaning of the Directive.

The territorial scope of the Directive is the most relevant to the conflicts community: It is noteworthy that in the current version of the data protection directive, targeting of consumers is not a jurisdictional criterion for providers established outside of the EU.

The referring court had stated that Google Search is operated and managed by Google Inc. and that it has not been established that Google Spain carries out in Spain an activity directly linked to the indexing or storage of information or data contained on third parties’ websites. Nevertheless, according to the referring court, the promotion and sale of advertising space, which Google Spain attends to in respect of Spain, constitutes the bulk of the Google group’s commercial activity and may be regarded as closely linked to Google Search.

The ECJ notes that Google Spain engages in the effective and real exercise of activity through stable arrangements in Spain. As it moreover has separate legal personality, it constitutes a subsidiary of Google Inc. on Spanish territory and, therefore, an ‘establishment’ within the meaning of Article 4(1)(a) of Directive 95/46. However, is the processing of personal data by the controller ‘carried out in the context of the activities’ of an establishment of the controller on the territory of a Member State (necessary to trigger application of the Directive)?

Google Spain and Google Inc. dispute that this is the case since the processing of personal data at issue in the main proceedings is carried out exclusively by Google Inc., which operates Google Search without any intervention on the part of Google Spain; the latter’s activity is limited to providing support to the Google group’s advertising activity which is separate from its search engine service.

The court disagreed: Article 4(1)(a) of Directive 95/46 does not require the processing of personal data in question to be carried out ‘by’ the establishment concerned itself, but only that it be carried out ‘in the context of the activities’ of the establishment (at 52): that is the case if the latter is intended to promote and sell, in that Member State, advertising space offered by the search engine which serves to make the service offered by that engine profitable (at 55). The very display of personal data on a search results page constitutes processing of such data. Since that display of results is accompanied, on the same page, by the display of advertising linked to the search terms, it is clear that the processing of personal data in question is carried out in the context of the commercial and advertising activity of the controller’s establishment on the territory of a Member State, in this instance Spanish territory (at 57).

This view confirms broadly the AG’s use of Google’s ‘business model’ as a jurisdictional trigger.

 

The AG had also opined on the supposed ‘right to be forgotten’ concluding that it does not exist in current EU law (neither directive nor Charter). The ECJ’s findings work towards such right (without mentioning it specifically)  following a thorough review of the requirements of the Directive and the proportionality test implied, and by holding that given the ease with which information published on a website can be replicated on other sites and the fact that the persons responsible for its publication are not always subject to European Union legislation, effective and complete protection of data users could not be achieved if the latter had to obtain first or in parallel the erasure of the information relating to them from the publishers of websites.

The operator of a search engine may therefore be obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful (at 88). The right to privacy however has to be assessed vis-a-vis the right of the public to information, in an ad hoc manner.

The judgment has plenty for the data protection community to chew over (sse e.g. Orla Linskey over at the EU law blog). For those of us who are conflicts lawyers, the jurisdictional trigger is most interesting (and will feed into the review of the Directive, one imagines).

Geert.

, , , , , , , , , , , , , , , , , , , ,

Leave a comment

The High Court accepts jurisdiction in ‘Safari users’ [Vidal-Hall et al v Google] case. European privacy rules bolstered?

Update October 2018 upon revisting the issues I can now add that the claim was settled before the Supreme Court heard the case.

[Postscript 26 august 2015: the UKSC granted Google leave to appeal on 28 July 2015]

[Postscript 27 March 2015: today the Court of Appeal confirmed the High Court ruling. Emma Cross has immediate analysis here.]

In Vidal-Hall et al v Google Inc, the High Court assessed its jurisdiction against Google Inc and found no reason to apply forum non conveniens. Google UK was not involved, the Jurisdiction Regulation (44/2001) does not apply.

Claimants allege that Google misused their private information, and acted in breach of confidence, and/or in breach of the statutory duties under the Data Protection Act 1998 s.4(4) (“the DPA”), by tracking and collating, without the claimants’ consent or knowledge, information relating to the claimants’ internet usage on the Apple Safari internet browser. Applying the Spiliada criteria, Tugendhat J first of all dismissed the relevance of the location of documents, serving Google a dose of its own medicine: ‘In any event, in the world in which Google Inc operates, the location of documents is likely to be insignificant, since they are likely to be in electronic form, accessible from anywhere in the world. ‘ ‘By contrast, the focus of attention is likely to be on the damage that each Claimant claims to have suffered. They are individuals resident here, for whom bringing proceedings in the USA would be likely to be very burdensome (Google Inc has not suggested which state would be the appropriate one). The issues of English law raised by Google Inc are complicated ones, and in a developing area. If an American court had to resolve these issues no doubt it could do so, aided by expert evidence on English law. But that would be costly for all parties, and it would be better for all parties that the issues of English law be resolved by an English court, with the usual right of appeal, which would not be available if the issues were resolved by an American court deciding English law as a question of fact.’ (at 132-233)

Forum non conveniens dismissed – the case can go ahead.

The judgment, in reviewing the prima facie case on the merits, also bolsters the existence of a tort of ‘misuse of private information’ and surely adds to the growing authority of European-based data protection rules.

(On an aside, note the rather delightful observation by Tugendhat J (at 56) that ‘civil law jurisdictions have managed to develop civil liability for breaches of an obligation of confidence in relation to personal information without the benefit of a historical equivalent of the law of equity.’).

Geert.

, , , , , , , , , , , , , , , , , , , ,

2 Comments

‘Where law and new technology meet’ – JÄÄSKINEN AG turns to business model in Google Spain to establish scope of application of the data protection Directive. No right to be forgotten under the Directive or Charter.

As announced on the blog earlier, JÄÄSKINEN AG has opined this morning in Case C-131/12 Google Spain. The Opinion covers a lot of issues in relatively condensed space – one of these Opinions where you should not trust the summary of a blogger, for invariably the blog posting does not do justice to all issues addressed. Below my highlights on the basis of diagonal reading: for I find this too important an Opinion not to flag it immediately.

As summarised by the AG, according to Article 4(1) of the Directive, the primary factor that gives rise to the territorial applicability of the national data protection legislation is the processing of personal data carried out in the context of the activities of an establishment of the controller on the territory of the Member State. Further, when a controller is not established on EU territory but uses means or equipment situated on the territory of the Member State for processing of personal data, the legislation of that Member State applies unless such equipment or means is used only for purposes of transit through the territory of the EU. The territorial scope of application of the Directive and the national implementing legislation is triggered therefore either by the location of the establishment of the controller, or the location of the means or equipment being used when the controller is established outside the EEA. Nationality or place of habitual residence of data subjects is not decisive, nor is the physical location of the personal data – at least not in the current versions of the Directive. The AG points out that in future legislation relevant targeting of individuals could be taken into account in relation to controllers not established in the EU. Such an approach, attaching the territorial applicability of EU legislation to the targeted public, is consistent with the Court’s case-law on the applicability of the e-commerce Directive 2000/31, the Brussels I (‘jurisdiction’) Regulation and Directive 2001/29, the on copyright and related rights in the information society to cross-border situations. Again, though, it is not a criterion in the current version of the data protection Directive, with respect to providers established outside of the EU.

The AG turns to the business model of a company to assist him in establishing applicability of the Directive for the case at issue, where Google (domiciled in California) does have establishments in the EU (the establishment of the controller therefore being the trigger), as well as at least two known data centres:

‘Google Inc. is a Californian firm with subsidiaries in various EU Member States. Its European operations are to a certain extent coordinated by its Irish subsidiary. It currently has data centres at least in Belgium and Finland. Information on the exact geographical location of the functions relating to its search engine is not made public. Google claims that no processing of personal data relating to its search engine takes place in Spain. Google Spain acts as commercial representative of Google for its advertising functions. In this capacity is has taken responsibility for the processing of personal data relating to its Spanish advertising customers. Google denies that its search engine performs any operations on the host servers of the source web pages, or that it collects information by means of cookies of non registered users of its search engine.’ (at 62).

‘In my opinion the Court should approach the question of territorial applicability from the perspective of the business model of internet search engine service providers. This, as I have mentioned, normally relies on keyword advertising which is the source of income and, as such, the economic raison d’être for the provision of a free information location tool in the form of a search engine. The entity in charge of keyword advertising (called ‘referencing service provider’ in the Court’s case-law) is linked to the internet search engine. This entity needs presence on national advertising markets. For this reason Google has established subsidiaries in many Member States which clearly constitute establishments within the meaning of Article 4(1)(a) of the Directive. It also provides national web domains such as google.es or google.fi. The activity of the search engine takes this national diversification into account in various ways relating to the display of the search results because the normal financing model of keyword advertising follows the pay-per-click principle.’ (…) ‘In conclusion, processing of personal data takes place within the context of a controller’s establishment if that establishment acts as the bridge for the referencing service to the advertising market of that Member State, even if the technical data processing operations are situated in other Member States or third countries.’ (…)

‘For this reason, I propose that the Court should answer the first group of preliminary questions in the sense that processing of personal data is carried out in the context of the activities of an ‘establishment’ of the controller within the meaning of Article 4(1)(a) of the Directive when the undertaking providing the search engine sets up in a Member State for the purpose of promoting and selling advertising space on the search engine, an office or subsidiary which orientates its activity towards the inhabitants of that State.’  [footnotes omitted]

The AG uses the terms ‘targeted at’ [cf in this respect ‘intended target of information’ in Football Dataco] and ‘oriented at’ – not, as had become custom, ‘directed at’: presumably to emphasise the contrast with the other Directives mentioned above.

The AG then turns his attention inter alia to the alleged ‘right to be forgotten’: not one, he suggests, which exists under the current Directive, not even when read in conjunction with the Charter on Fundamental Rights and Freedoms (the EU’s version of the Human Rights Act). That surely is an important observation.

Much to chew on – not quite all digested above, however I do hope these first impressions may act as an appetizer for discussion elsewhere.

Geert.

, , , , , , , , , , , , , , , , , , ,

1 Comment

Getting the hint, punk? European data protection authorities step up fight against Google

Postscript 30 September 2013: see here for the CNIL press release stating that Google has failed to comply and shall be served an official enforcement notice.

 

I reported earlier on the referral to the ECJ of questions surrounding jurisdiction under the data protection Directive: the AG’s Opinion in that case, C-131/17 is due tomorrow (25 June). Last week, the French data protection authority (‘CNIL’)  ordered Google to comply with the French Data Protection Act, within three months. That in itself of course is testimony to the French determination in their own national procedure. However the agency’s action is unusual in that it announces co-ordinated action between a wide variety of European data protection agencies. CNIL notes

The Data Protection Authorities from Germany, Italy, the Netherlands, Spain and the United Kingdom carry on their investigations under their respective national procedures and as part of an international administrative cooperation.

Therefore,

  • The Spanish DPA has issued to Google his decision today to open a sanction procedure for the infringement of key principles of the Spanish Data Protection Law.
  • The UK Information Commissioner’s Office is considering whether Google’s updated privacy policy is compliant with the UK Data Protection Act 1998. ICO will shortly be writing to Google to confirm their preliminary findings.
  • The Data Protection Commissioner of Hamburg has opened a formal procedure against the company. It starts with a formal hearing as required by public administrative law, which may lead to the release of an administrative order requiring Google to implement measures in order to comply with German national data protection legislation.
  • As part of the investigation, the Dutch DPA will first issue a confidential report of preliminary findings, and ask Google to provide its view on the report. The Dutch DPA will use this view in its definite report of findings, after which it may decide to impose a sanction.
  • The Italian Data Protection Authority is awaiting additional clarification from Google Inc. after opening a formal inquiry proceeding at the end of May and will shortly assess the relevant findings to establish possible enforcement measures, including possible sanctions, under the Italian data protection law.’

Other than perhaps in competition law, such co-ordinated action among national authorities is rare. That it should be in data protection, confirms the relevance which Europeans and their legislators attach to the protection of personal data.

Geert.

, , , , , , , , , , , , , ,

1 Comment

%d bloggers like this: