Posts Tagged Data protection

On soggy grounds. The GDPR and jurisdiction for infringement of privacy.

Many thanks to Julien Juret for asking me contribute to l’Observateur de Bruxelles, the review of the French Bar representation in Brussels (la Délégation des barreaux de France). I wrote this piece on the rather problematic implications of the GDPR, the General Data Protection Regulation, on jurisdictional grounds for invasion of privacy.

I conclude that the Commission’s introduction of Article 79 GDPR without much debate or justification, will lead to a patchwork of fora for infringement of personality rights. Not only will it take a while to settle the many complex issues which arise in their precise application. Their very existence arguably will distract from harmonised compliance of the GDPR rules.

I owe Julien and his colleagues the French translation (as well as their patience in my late delivery) for I wrote the piece initially in English. Readers who would like to receive a copy of that EN original, please just send me an e-mail. (Or try here, which if it works should have both the FR and the EN version).

Geert.

(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 2.2.8.2.5.

, , , , , , , , , ,

1 Comment

One of those groundhog days. The Brussels Court of First instance on Facebook, privacy, Belgium and jurisdiction.

I have flagged once or twice that the blog is a touch behind on reporting – I hope to be on top soon.

I blogged a little while ago that the Brussels Court of Appeal had sided with Facebook in their appeal against the Court of first instance’s finding of Belgian jurisdiction. I had earlier argued that the latter was wrong. These earlier skirmishes were in interim proceedings. Then, in February, the Court of First instance, unsurprisingly, reinstated its earlier finding, this time with a bit more substantial flesh to the bone.

First, a bit of Belgian surrealism. In an interlocutory ruling the court had requested FB to produce full copy of the Court of Appeal’s judgment upon which it relied for some of its arguments. Perhaps given the appalling state of reporting of Belgian case-law, this finding should not surprise. Yet it remains an absurd notion that parties should produce copies at all of Belgian judgments, not in the least copies of a Court of Appeal which is literally one floor up from the Court of first instance.

Now to the judgment. The court first of all confirms that the case does not relate to private international law for the privacy commission acts iure imperii (I summarise). Then follows a very lengthy and exhaustive analysis of Belgium’s jurisdiction on the basis of public international law. Particularly given the excellent input of a number of my public international law colleagues, this part of the judgment is academically interesting nay exciting – but also entirely superfluous. For any Belgian jurisdiction grounded in public international law surely is now exhausted regulated by European law, Directive 95/46 in particular.

In finally reviewing the application of that Directive, and inevitably of course with reference to Weltimmo etc. the Court essentially assesses whether Facebook Belgium (the jurisdictional anchor) carries out activities beyond mere representation vis-a-vis the EU institutions, and finds that it does carry out commercial activities directed at Belgian users. That of course is a factual finding which requires au faitness which the employees’ activities.

Judgment is being appealed by Facebook – rightly so I believe. Of note is also that once the GDPR applies, exclusive Irish jurisdiction is clear.

Geert.

 

 

 

, , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

1 Comment

Planet49: pre-ticked agreement with clauses in terms and conditions.

A quick flag to those of you following consumer protection and the Directive (2002/58) on privacy and electronic communications. In Case C-673/17 Planet49 the Court of Justice is being asked to clarify to what extent a website which pre-ticks boxes in general terms and conditions (here: to share relevant personal data) is compatible with relevant EU laws.

File of the case here (in Dutch only).

Geert.

 

, , , , , , , , , , , ,

Leave a comment

Extraterritorial application of warrants: Our amicus curiae brief in the Microsoft Ireland case.

Update 3 April 2018 Recently, the so-called “CLOUD Act” was passed by Congress and signed into law.  This new law amends the Stored Communications Act to give it a potentially extraterritorial reach.  Following this development, the U.S. Government has moved to have the Microsoft case dismissed as moot, and to have the Second Circuit’s decision vacated. [Technically, Congress has enacted, and the President has signed,
the Consolidated Appropriations Act, 2018, H.R. 1625, 115th Cong., 2d Sess. (2018). Division V of that Act is called the Clarifying Lawful Overseas Use of Data Act, or the CLOUD Act. TheCLOUD Act amends the Stored Communications Act, 18 U.S.C. 2701-2712, by adding 18 U.S.C. 2713, which now states:
A provider of electronic communication service or remote computing service shall
comply with the obligations of this chapter to preserve, backup, or disclose the contents
of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.]

For background to the Microsoft  Ireland case under the Stored Communications Act (SCA), see here. The issue is essentially whether the US Justice Department may force Microsoft to grant access to e-mails stored on Irish servers.

With a group of EU data protection and conflicts lawyers, we have filed an amicus curiae brief in the case at the United States Supreme Court last week, arguing that the Court should interpret the SCA to apply only to data stored within the United States, leaving to Congress the decision whether and under what circumstances to authorize the collection of data stored in other countries.

There is not much point in me rehashing the arguments here: happy reading.

Geert.

 

 

, , , , , , , , , , , , , ,

Leave a comment

‘Right to be forgotten’ /data protection laws and the internet referred to CJEU.

Update 23 May 2017 the Case is C-136/17 and the relevant  dossier (partially in Dutch) is here, on the unparalleled website of the Dutch foreign ministry. Update 1 February 2018 for a recent English case see [2018] EWHC 137 (QB) ABC v Google. Order to block access was denied for no permisison to serve out of jurisdiction had been sought (Google been incorporated in Delaware.

Many thanks to KU Leuven law student Dzsenifer Orosz (she is writing a paper on the issues for one of my conflict of laws courses) for alerting me to the French Conseil D’Etat having referred ‘right to be forgotten’ issues to the European Court of Justice.  I have of course on occasion reported the application of data protection laws /privacy issues on this blog (try ‘Google’ as a search on the blog’s search function). I also have a paper out on the case against applying the right to be forgotten to the .com domain, and with co-authors, one where we catalogue the application of RTBF until December 2016. See also my post on the Koln courts refusing application to .com.

The Conseil d’Etat has referred one or two specific Qs but also, just to be sure, has also asked the Court of Justice for general insight into how data protection laws apply to the internet. The Court is unlikely to offer such tutorial (not that it would not be useful). However any Advocate General’s opinion of course will offer 360 insight.

One to look forward to.

Geert.

 

, , , , , , , , , , , , , ,

Leave a comment

VKI v Amazon. Readers who read this item should also read plenty of others.

C-191/15 Verein für Konsumenteninformation v Amazon SarL is one of those spaghetti bowl cases, with plenty of secondary law having a say on the outcome. In the EU purchasing from Amazon (on whichever of its extensions) generally implies contracting with the Luxembourg company (Amazon EU) and agreeing to Luxembourg law as applicable law. Amazon has no registered office or establishment in Austria. VKI is a consumer organisation which acted on behalf of Austrian consumers, seeking an injunction prohibiting terms in Amazon’s GTCs (general terms and conditions), specifically those which did not comply with Austrian data protection law and which identified Luxembourg law as applicable law.

Rather than untangle the bowl for you here myself, I am happy to refer to masterchef Lorna Woods who can take you through the Court’s decision (with plenty of reference to Saugmandsgaard Øe’s Opinion of early June). After readers have consulted Lorna’s piece, let me point out that digital economy and applicable EU law is fast becoming a quagmire. Those among you who read Dutch can read a piece of mine on it here. Depending on whether one deals with customs legislation, data protection, or intellectual property, different triggers apply. And even in a pure data protection context, as prof Woods points out, there now seems to be a different trigger depending on whether one looks intra-EU (Weltimmo; Amazon) or extra-EU (Google Spain).

The divide between the many issues addressed by the Advocate General and the more narrow analysis by the CJEU, undoubtedly indeed announces further referral.

Geert.

(Handbook of) European Private International Law, 2016, Chapter 2, Heading 2.2.8.2.5.

, , , , , , , , , , , , , , , , , , , , , , ,

Leave a comment

The Brussels Court of Appeal is spot on on Facebook, privacy, Belgium and jurisdiction.

The Brussels Court of Appeal has sided with Facebook  on 29 June. This post I am going to keep very, very simple: told you so. Geert.

 

 

, , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Leave a comment

%d bloggers like this: