Posts Tagged Data protection

One of those groundhog days. The Brussels Court of First instance on Facebook, privacy, Belgium and jurisdiction.

I have flagged once or twice that the blog is a touch behind on reporting – I hope to be on top soon.

I blogged a little while ago that the Brussels Court of Appeal had sided with Facebook in their appeal against the Court of first instance’s finding of Belgian jurisdiction. I had earlier argued that the latter was wrong. These earlier skirmishes were in interim proceedings. Then, in February, the Court of First instance, unsurprisingly, reinstated its earlier finding, this time with a bit more substantial flesh to the bone.

First, a bit of Belgian surrealism. In an interlocutory ruling the court had requested FB to produce full copy of the Court of Appeal’s judgment upon which it relied for some of its arguments. Perhaps given the appalling state of reporting of Belgian case-law, this finding should not surprise. Yet it remains an absurd notion that parties should produce copies at all of Belgian judgments, not in the least copies of a Court of Appeal which is literally one floor up from the Court of first instance.

Now to the judgment. The court first of all confirms that the case does not relate to private international law for the privacy commission acts iure imperii (I summarise). Then follows a very lengthy and exhaustive analysis of Belgium’s jurisdiction on the basis of public international law. Particularly given the excellent input of a number of my public international law colleagues, this part of the judgment is academically interesting nay exciting – but also entirely superfluous. For any Belgian jurisdiction grounded in public international law surely is now exhausted regulated by European law, Directive 95/46 in particular.

In finally reviewing the application of that Directive, and inevitably of course with reference to Weltimmo etc. the Court essentially assesses whether Facebook Belgium (the jurisdictional anchor) carries out activities beyond mere representation vis-a-vis the EU institutions, and finds that it does carry out commercial activities directed at Belgian users. That of course is a factual finding which requires au faitness which the employees’ activities.

Judgment is being appealed by Facebook – rightly so I believe. Of note is also that once the GDPR applies, exclusive Irish jurisdiction is clear.

Geert.

 

 

 

, , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

1 Comment

Planet49: pre-ticked agreement with clauses in terms and conditions.

A quick flag to those of you following consumer protection and the Directive (2002/58) on privacy and electronic communications. In Case C-673/17 Planet49 the Court of Justice is being asked to clarify to what extent a website which pre-ticks boxes in general terms and conditions (here: to share relevant personal data) is compatible with relevant EU laws.

File of the case here (in Dutch only).

Geert.

 

, , , , , , , , , , , ,

Leave a comment

Extraterritorial application of warrants: Our amicus curiae brief in the Microsoft Ireland case.

Update 3 April 2018 Recently, the so-called “CLOUD Act” was passed by Congress and signed into law.  This new law amends the Stored Communications Act to give it a potentially extraterritorial reach.  Following this development, the U.S. Government has moved to have the Microsoft case dismissed as moot, and to have the Second Circuit’s decision vacated. [Technically, Congress has enacted, and the President has signed,
the Consolidated Appropriations Act, 2018, H.R. 1625, 115th Cong., 2d Sess. (2018). Division V of that Act is called the Clarifying Lawful Overseas Use of Data Act, or the CLOUD Act. TheCLOUD Act amends the Stored Communications Act, 18 U.S.C. 2701-2712, by adding 18 U.S.C. 2713, which now states:
A provider of electronic communication service or remote computing service shall
comply with the obligations of this chapter to preserve, backup, or disclose the contents
of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.]

For background to the Microsoft  Ireland case under the Stored Communications Act (SCA), see here. The issue is essentially whether the US Justice Department may force Microsoft to grant access to e-mails stored on Irish servers.

With a group of EU data protection and conflicts lawyers, we have filed an amicus curiae brief in the case at the United States Supreme Court last week, arguing that the Court should interpret the SCA to apply only to data stored within the United States, leaving to Congress the decision whether and under what circumstances to authorize the collection of data stored in other countries.

There is not much point in me rehashing the arguments here: happy reading.

Geert.

 

 

, , , , , , , , , , , , , ,

Leave a comment

‘Right to be forgotten’ /data protection laws and the internet referred to CJEU.

Update 23 May 2017 the Case is C-136/17 and the relevant  dossier (partially in Dutch) is here, on the unparalleled website of the Dutch foreign ministry. Update 1 February 2018 for a recent English case see [2018] EWHC 137 (QB) ABC v Google. Order to block access was denied for no permisison to serve out of jurisdiction had been sought (Google been incorporated in Delaware.

Many thanks to KU Leuven law student Dzsenifer Orosz (she is writing a paper on the issues for one of my conflict of laws courses) for alerting me to the French Conseil D’Etat having referred ‘right to be forgotten’ issues to the European Court of Justice.  I have of course on occasion reported the application of data protection laws /privacy issues on this blog (try ‘Google’ as a search on the blog’s search function). I also have a paper out on the case against applying the right to be forgotten to the .com domain, and with co-authors, one where we catalogue the application of RTBF until December 2016. See also my post on the Koln courts refusing application to .com.

The Conseil d’Etat has referred one or two specific Qs but also, just to be sure, has also asked the Court of Justice for general insight into how data protection laws apply to the internet. The Court is unlikely to offer such tutorial (not that it would not be useful). However any Advocate General’s opinion of course will offer 360 insight.

One to look forward to.

Geert.

 

, , , , , , , , , , , , , ,

Leave a comment

VKI v Amazon. Readers who read this item should also read plenty of others.

C-191/15 Verein für Konsumenteninformation v Amazon SarL is one of those spaghetti bowl cases, with plenty of secondary law having a say on the outcome. In the EU purchasing from Amazon (on whichever of its extensions) generally implies contracting with the Luxembourg company (Amazon EU) and agreeing to Luxembourg law as applicable law. Amazon has no registered office or establishment in Austria. VKI is a consumer organisation which acted on behalf of Austrian consumers, seeking an injunction prohibiting terms in Amazon’s GTCs (general terms and conditions), specifically those which did not comply with Austrian data protection law and which identified Luxembourg law as applicable law.

Rather than untangle the bowl for you here myself, I am happy to refer to masterchef Lorna Woods who can take you through the Court’s decision (with plenty of reference to Saugmandsgaard Øe’s Opinion of early June). After readers have consulted Lorna’s piece, let me point out that digital economy and applicable EU law is fast becoming a quagmire. Those among you who read Dutch can read a piece of mine on it here. Depending on whether one deals with customs legislation, data protection, or intellectual property, different triggers apply. And even in a pure data protection context, as prof Woods points out, there now seems to be a different trigger depending on whether one looks intra-EU (Weltimmo; Amazon) or extra-EU (Google Spain).

The divide between the many issues addressed by the Advocate General and the more narrow analysis by the CJEU, undoubtedly indeed announces further referral.

Geert.

(Handbook of) European Private International Law, 2016, Chapter 2, Heading 2.2.8.2.5.

, , , , , , , , , , , , , , , , , , , , , , ,

Leave a comment

The Brussels Court of Appeal is spot on on Facebook, privacy, Belgium and jurisdiction.

The Brussels Court of Appeal has sided with Facebook  on 29 June. This post I am going to keep very, very simple: told you so. Geert.

 

 

, , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Leave a comment

It’s true! Belgian Supreme Court confirms order for Yahoo! to hand over IP-addresses.

Jurisdiction and the internet is a topic which has featured once or twice on this blog recently (and in a  paper which I have already referred to in those earlier postings). Belgian’s Supreme Court in ordinary (the Hof van Cassatie /Cour de Cassation) employed the objective territoriality principle in a case with roots going back to 2007 (the fraudulent purchase of and subsequent failure to pay for electronic equipment from a shop in Dendermonde, Belgium), Yahoo! was requested to hand over the IP addresses associated with e-mail accounts registered to Yahoo!’s e-mail service. Yahoo! Inc, domiciled in California, refused to comply, triggering fines under criminal law.

Responding to Yahoo!s claims that Belgium was imposing its criminal laws extraterritorially, the Court of Appeal had held that Yahoo! is territorially present in Belgium, hereby voluntarily submitting itself to the jurisdiction of the Belgian authorities: it takes an active part in economic life in Belgium, among others by use of the domain name http://www.yahoo.be, the use of the local language(s) on that website, pop-up of advertisements based on the location of the users, and accessibility in Belgium of Belgium-focussed customer services (among others: a ‘Belgian’ Q&A, FAQ, and post box). [Notice the similarity with the Pammer /Alpenhof criteria]. The Court of Appeal had suggested that the accusations of extraterritoriality could only be accepted had there been a request for the handover of data or objects which are located in the USA, with which there is no Belgian territorial link whatsoever, and if the holder of these objects or data is not accessible in Belgium (either physically or virtually).

The Supreme Court on 1 December confirmed all of the Court of Appeal’s arguments, essentially linking them to the objective territoriality principle. Yahoo! actively directs its activities towards consumers present in Belgium.

Even though the case involves a criminal proceeding, the Court’s judgment inevitably (not necessarily justifiably) will be used as further support for the Belgian tussle with Facebook.

Geert.

, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Leave a comment

%d bloggers like this: