Posts Tagged Data protection
GDPR (General Data Protection Regulation) aficionados will have already seen the draft guidelines published by the EDPB – the European data protection board – on the territorial scope of the Regulation.
Of particular interest to conflicts lawyers is the Heading on the application of the ‘targeting’ criterion of GDPR’s Article 3(2). There are clear overlaps here between Brussels I, Rome I, and the GDPR and indeed the EDPB refers to relevant case-law in the ‘directed at’ criterion in Brussels and Rome.
(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 188.8.131.52.3, Heading 184.108.40.206.5.
I have an ever-updated post on Google’s efforts to pinpoint the exact territorial dimension of the EU’s data protection regime, GDPR etc. Now, Facebook are reportedly (see also here) appealing a fine imposed by the UK’s data protection authority in the wake of the Cambridge Analytica scandal. Facebook’s point at least as reported is that the breach did not impact UK users.
The issue I am sure exposes Facebook in the immediate term to PR challenges. However in the longer term it highlights the need to clarify the proper territorial reach of both data protection laws and their enforcement.
One to look out for.
Many thanks to Julien Juret for asking me contribute to l’Observateur de Bruxelles, the review of the French Bar representation in Brussels (la Délégation des barreaux de France). I wrote this piece on the rather problematic implications of the GDPR, the General Data Protection Regulation, on jurisdictional grounds for invasion of privacy.
I conclude that the Commission’s introduction of Article 79 GDPR without much debate or justification, will lead to a patchwork of fora for infringement of personality rights. Not only will it take a while to settle the many complex issues which arise in their precise application. Their very existence arguably will distract from harmonised compliance of the GDPR rules.
I owe Julien and his colleagues the French translation (as well as their patience in my late delivery) for I wrote the piece initially in English. Readers who would like to receive a copy of that EN original, please just send me an e-mail. (Or try here, which if it works should have both the FR and the EN version).
(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 220.127.116.11.5.
Update 14 November 2018 Hearing took place yesterday – Opinion AG scheduled for 28 February 2019.
A quick flag to those of you following consumer protection and the Directive (2002/58) on privacy and electronic communications. In Case C-673/17 Planet49 the Court of Justice is being asked to clarify to what extent a website which pre-ticks boxes in general terms and conditions (here: to share relevant personal data) is compatible with relevant EU laws.
File of the case here (in Dutch only).
Update 3 April 2018 Recently, the so-called “CLOUD Act” was passed by Congress and signed into law. This new law amends the Stored Communications Act to give it a potentially extraterritorial reach. Following this development, the U.S. Government has moved to have the Microsoft case dismissed as moot, and to have the Second Circuit’s decision vacated. [Technically, Congress has enacted, and the President has signed,
the Consolidated Appropriations Act, 2018, H.R. 1625, 115th Cong., 2d Sess. (2018). Division V of that Act is called the Clarifying Lawful Overseas Use of Data Act, or the CLOUD Act. TheCLOUD Act amends the Stored Communications Act, 18 U.S.C. 2701-2712, by adding 18 U.S.C. 2713, which now states:
A provider of electronic communication service or remote computing service shall
comply with the obligations of this chapter to preserve, backup, or disclose the contents
of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.]
For background to the Microsoft Ireland case under the Stored Communications Act (SCA), see here. The issue is essentially whether the US Justice Department may force Microsoft to grant access to e-mails stored on Irish servers.
With a group of EU data protection and conflicts lawyers, we have filed an amicus curiae brief in the case at the United States Supreme Court last week, arguing that the Court should interpret the SCA to apply only to data stored within the United States, leaving to Congress the decision whether and under what circumstances to authorize the collection of data stored in other countries.
There is not much point in me rehashing the arguments here: happy reading.