Open Rights Group. The Court of Appeal on grace periods, the consequences of judicial review and remedies for breach of (supreme) retained EU law.

A posting that is long overdue but over at GAVC law  we have lots of things coming our way and the inevitable consequence is a bit of a queue on the blog. Open Rights Group & Anor, R (On the Application Of) v Secretary of State for the Home Department & Anor [2021] EWCA Civ 1573 was held end of October and discussed remedies for breach of retained EU law, that is in essence, EU law which has force in law in the UK by virtue of the Government’s copy /paste exercise following Brexit.

In April 2021 the CA had held that that the “Immigration Exemption” (which disapplies some data protection rights where their application would be likely to prejudice immigration control) of the UK Data Protection Act 2018 is contrary to Article 23 GDPR and Article 23 of the UK GDPR: [2021] EWCA Civ 800.  However in that judgment the CA had not specified at that stage what form of relief should be granted. It does now.

The claim form sought a declaratory order, the effect of which would be to “disapply” the Immigration Exemption. The Government argue it be granted a grace period to make regulations adding to or varying the provisions. The complicating factor is that even retained EU law enjoys supremacy (not by virtue of EU law but by virtue of the Government’s choice to do so). That means that any conflict between the GDPR and domestic legislation (including primary legislation) must be resolved in favour of the former: the domestic legislation must be overridden, treated as invalid or, in the conventional language, disapplied.

[15] A quashing order would not meet with the UK constitutional understanding and its limits to the rule of judges. However must supremacy, post Brexit, mean the courts must inevitably make an immediately binding order? Warby LJ sets out the principles of EU retained law as they follow from domestic legislation (the ‘EUWA’) at [23]:

(1) A UK court must now decide any question as to the validity, meaning or effect of any retained EU law for itself: it is no longer possible to refer any matter to the CJEU: EUWA s 6(1)(b).

(2) But the general rule is that the court must decide any such question in accordance with any retained case law and any retained general principles of EU law that are relevant: EUWA s 6(3). “Retained EU case law” and “retained general principles” mean principles laid down and decisions made by the CJEU before IP completion day.

(3) When it comes to principles laid down or decisions made by the CJEU after IP completion day, the court is not bound (EUWA s 6(1)) but “may have regard” to them (EUWA s 6(2)).

(4) The position is different in a “relevant court”, which includes the Court of Appeal. Subject to an exception that does not apply here, a relevant court is not absolutely bound by any retained EU case law: EUWA s 6(4)(ba) and Regulations 1 and 4. It can depart from that law; but the test to be applied in deciding whether to do so is “the same test as the Supreme Court would apply in deciding whether to depart from the case law of the Supreme Court”: EUWA 6(5A)(c) and Regulation 5.

(5) The test the Supreme Court applies is the one laid down by the House of Lords in its Practice Statement [1966] 1 WLR 1234, when Lord Gardiner LC said

“Their Lordships regard the use of precedent as an indispensable foundation upon which to decide what is the law and its application to individual cases. It provides at least some degree of certainty upon which individuals can rely in the conduct of their affairs, as well as a basis for orderly development of legal rules. Their Lordships nevertheless recognise that too rigid adherence to precedent may lead to injustice in a particular case and also unduly restrict the proper development of the law. They propose, therefore, to modify their present practice and, while treating former decisions of this House as normally binding, to depart from a previous decision when it appears right to do so. In this connection they will bear in mind the danger of disturbing retrospectively the basis on which contracts, settlements of property and fiscal arrangements have been entered into and also the especial need for certainty as to the criminal law. This announcement is not intended to affect the use of precedent elsewhere than in this House.”

Relevant CJEU authority is LibertyLa Quadrature, A v Gewestelijke Stedenbouwkundige Ambtenaar van het Department ruimte Vlaanderen (Case C-24/19) (“Gewestelijke”), and B v Latvijas Republikas Saeima Case C-439/19, EU-C-2021-504 (“B v Latvia”). [24] Gewestelijke was decided before IP completion day. We are not absolutely bound by them, but we should decide this case in accordance with the principles they set out, unless we think it right to depart from those cases for the reasons set out by Lord Gardiner. B v Latvia was decided after IP completion day, so we can “have regard” to it.

[26] Warby LJ suggests 3 options:

One is to hold that since the power to suspend relief in respect of substantive laws that is identified in Gewestelijke is one that can only be exercised by the CJEU, it cannot be exercised at all in E&W. This is rejected [27] as an unduly mechanistic and literal approach, tending to subvert rather than promote the legal policy that underlies this aspect of the CJEU jurisprudence: it would remove from the judicial armoury a power that is, by definition, essential. 

An alternative would be what Warby LJ called “the Regulation 5 approach”: to apply the principles laid down in the 1966 HoL Practice Statement and depart from the CJEU case-law, holding that the power which, in that jurisprudence, is reserved to the CJEU should now be treated as available to at least some UK Courts. This [28] enable a court to perform one of its essential tasks: averting legal disorder and is an option which Warby LJ suggests is open to the Court of Appeal.

A third option is to follow and apply the CJEU jurisprudence as to the existence and limits of the power to suspend, but not that aspect of the case-law that reserves the exercise of that power to the European Court. That [31] is Warby LJ’s preferred route however he decides (and the other LJs agree) that there is at this time no need to choose between both options for in essence they lead to the same result in the case at issue. The Court concludes that the Government were given time until 31 January 2022 for the Data Protection Act 2018 to be amended so as to remedy the incompatibility. Whether the Government have done so, I leave to data privacy lawyers to verify.

Underhill LJ emphasises one point [57] ‘that, as Warby LJ says at para. 13 of his judgment, our power to suspend our declaration – in practice, to suspend the disapplication of the Immigration Exemption – derives entirely from retained EU law. It was not argued that the Court had any equivalent power at common law.’

This is an important judgment viz the application of retained EU law but also wider, viz the consequences of judicial review which is a hot topic at the moment in more than just the UK.

Geert.

Lloyd v Google. More on the tort gateway and ‘damage’ under data protection law.

The UK Supreme Court in Lloyd v Google [2021] UKSC 50 held a few weeks back. It allowed the appeal, meaning the Court of Appeal‘s judgment is no longer good law and the High Court‘s approach is now the rule. The judgment essentially means that loss of control over private data is not considered ‘damage’ within the data protection Act 1998. The issue is one of statutory interpretation: on its proper interpretation, the SC understands the term “damage” in s. 13 to mean material damage (financial loss for instance) or mental distress, and not just unlawful processing. Loss of control therefore may still play a role in the common law tort of misuse of private information, and ‘damage’ was of course also considered flexibly in the context of consequential losses (Brownlie).

On class actions, the SC’s judgment is a set-back, too, with the judgment [80] holding

What limits the scope for claiming damages in representative proceedings is the compensatory principle on which damages for a civil wrong are awarded with the object of putting the claimant – as an individual – in the same position, as best money can do it, as if the wrong had not occurred. In the ordinary course, this necessitates an individualised assessment which raises no common issue and cannot fairly or effectively be carried out without the participation in the proceedings of the individuals concerned. A representative  action is therefore not a suitable vehicle for such an exercise.

Geert.

 

The CJEU in Reliantco on’consumers’ and complex financial markets. And again on contracts and tort.

C-500/18 AU v Reliantco was held by the CJEU on 2 April, in the early fog of the current pandemic. Reliantco is a company incorporated in Cyprus offering financial products and services through an online trading platform under the ‘UFX’ trade name – readers will recognise this from [2019] EWHC 879 (Comm) Ang v Reliantco. Claimant AU is an individual. The litigation concerns limit orders speculating on a fall in the price of petrol, placed by AU on an online platform owned by the defendants in the main proceedings, following which AU lost the entire sum being held in the frozen trading account, that is, 1 919 720 US dollars (USD) (around EUR 1 804 345).

Choice of court and law was made pro Cyprus.

The case brings to the fore the more or less dense relationship between secondary EU consumer law such as in particular the unfair terms Directive 93/13 and, here, Directive 2004/39 on markets in financial instruments (particularly viz the notion of ‘retail client’ and ‘consumer’).

First up is the consumer title under Brussels Ia: Must A17(1) BIa be interpreted as meaning that a natural person who under a contract concluded with a financial company, carries out financial transactions through that company may be classified as a ‘consumer’ in particular whether it is appropriate, for the purposes of that classification, to take into consideration factors such as the fact that that person carried out a high volume of transactions within a relatively short period or that he or she invested significant sums in those transactions, or that that person is a ‘retail client’ within the meaning of A4(1) point 12 Directive 2004/39?

The Court had the benefit of course of C-208/18 Petruchová – which Baker J did not have in Ang v ReliantcoIt is probably for that reason that the case went ahead without an Opinion of the AG. In Petruchová the Court had already held that factors such as

  • the value of transactions carried out under contracts such as CFDs,
  • the extent of the risks of financial loss associated with the conclusion of such contracts,
  • any knowledge or expertise that person has in the field of financial instruments or his or her active conduct in the context of such transactions
  • the fact that a person is classified as a ‘retail client’ within the meaning of Directive 2004/39 is, as such, in principle irrelevant for the purposes of classifying him or her as a ‘consumer’ within the meaning of BIa,

are, as such, in principle irrelevant to determine the qualification as a ‘consumer’. In Reliantco it now adds at 54 that ‘(t)he same is true of a situation in which the consumer carried out a high volume of transactions within a relatively short period or invested significant sums in those transactions.’

Next however comes the peculiarity that although AU claim jurisdiction for the Romanian courts against Reliantco Investments per the consumer title (which requires a ‘contract’ to be concluded), it bases its action on non-contractual liability, with applicable law to be determined by Rome II. (The action against the Cypriot subsidiary, with whom no contract has been concluded, must be one in tort. The Court does not go into analysis of the jurisdictional basis against that subsidiary, whose branch or independent basis or domicile is not entirely clear; anyone ready to clarify, please do).

At 68 the CJEU holds that the culpa in contrahendo action is indissociably linked to the contract concluded between the consumer and the seller or supplier, and at 71 that this conclusion is reinforced by A12(1) Rome II which makes the putative lex contractus, the lex causae for culpa in contrahendo. At 72 it emphasises the need for consistency between Rome II and Brussels IA in that both the law applicable to a non-contractual obligation arising out of dealings prior to the conclusion of a contract and the court having jurisdiction to hear an action concerning such an obligation, are determined by taking into consideration the proposed contract the conclusion of which is envisaged.

Interesting.

Geert.

(Handbook of) EU private International Law, 2nd ed. 2016, Chapter 2, Heading 2.2.8.2.

 

 

A reminder: Austrian courts apply CJEU Eva Glawischnig-Piesczek v Facebook ruling. Limits removal to national territory only but does not rule out worldwide removal on principle.

I had already reported in March on the first application of the CJEU C-18/18 Eva Glawischnig-Piesczek v Facebook ruling in an update to my post on the latter. I thought I’ld add a separate post on the ruling for it, well, deserves it: the court held that orders based on Austrian copyright are limited to Austria (given copyright’s territorial limitations), but if they are based on personal rights, the claimant has to specify the requested territorial reach (so potentially global).

IPKat have further analysis here. As one or two of us discussed at the time of the CJEU ruling: the infringement of personality rights angle is an important one.

Geert.

(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 2.2.8.2, Heading 2.2.8.2.5.

Lloyd v Google. Court of Appeal overturns High Court, establishes jurisdiction viz US defendant. Takes a wider approach to loss of control over personal (browser-generated information) data constituting ‘damage’.

Update 4 June 2021 see a reference by the Austrian Supreme Court here, on the issue of whether loss of date control constitutes damage.

Update 16 July 2020 the Supreme Court has granted leave to appeal.

I reported earlier on Lloyd v Google at the High Court. The case involves Google’s alleged unlawful and clandestine tracking of iPhone users in 2011 and 2012 without their consent through the use of third party cookies.

The Court of Appeal in [2019] EWCA Civ 1599 has now overturned the High Court’s approach, nota bene just a day before the CJEU’s Eva Glawischnig-Piesczek v Facebook judgment.

Warby J in  [2018] EWHC 2599 (QB) Lloyd v Google (a class action suit with third party financing) had rejected jurisdiction against Google Inc (domiciled in the US) following careful consideration (and distinction) of the Vidal Hall (‘Safari users) precedent. In essence, Warby J held that both EU law (reference is made to CJEU precedent under Directive 90/314) and national law tends to suggest that “damage” has been extended in various contexts to cover “non-material damage” but only on the proviso that “genuine quantifiable damage has occurred”. This did not mean that misuse of personal data could not be disciplined under data protection laws (typically: by the data protection authorities) or other relevant national courses of action. But where it entails a non-EU domiciled party, and the jurisdictional gateway of ‘tort’ is to be followed, ‘damage’ has to be shown.

The Court of Appeal has now overturned. A first question it considered was whether control over data is an asset that has value. Sir Geoffrey Vos C at 47 held ‘a person’s control over data or over their BGI (browser-generated information, GAVC) does have a value, so that the loss of that control must also have a value’. Sir Geoffrey did not even have to resort to metanalysis to support this:  at 46: ‘The underlying reality of this case is that Google was able to sell BGI collected from numerous individuals to advertisers who wished to target them with their advertising. That confirms that such data, and consent to its use, has an economic value.’ And at 57: ‘the EU law principles of equivalence and effectiveness (‘effet utile’, GAVC) point to the same approach being adopted to the legal definition of damage in the two torts which both derive from a common European right to privacy.’

(The remainder of the judgment concerns issues of reflection of damage on the class).

Conclusion: permission granted to serve the proceedings on Google outside the jurisdiction of the court.

All in all an important few days for digital media corporations.

Geert.

Steady now. Eva Glawischnig-Piesczek v Facebook. The CJEU on jurisdiction and removal of hate speech.

Update 12 November 2020 the court in the Glawischnig case has now reportedly ordered worldwide removal.

Update 5 May 2020 see the report of the first application of the criteria by the Austrian courts on 30 March 2020 here: the court held that orders based on Austrian copyright are limited to Austria, but if they are based on personal rights, the claimant has to specify the requested territorial reach (so potentially global).

My interest in C-18/18 Eva Glawischnig-Piesczek v Facebook as I noted in my short first review of the case, concerns mostly the territorial reach of any measures taken by data protection authorities against hosting providers. The Court held last week and o boy did it provoke a lot of comment.

The case to a large degree illustrates the relationship between secondary and primary law, and the art of reading EU secondary law. Here: Article 15 of the e-commerce Directive 2001/31 which limits what can be imposed upon a provider; and the recitals of the Directive which seem to leave more leeway to the Member States. Scant harmonisation of tort law in the EU does not assist the Institutions in their attempts to impose a co-ordinated approach.

The crucial issue in the case was whether Article 15 prohibits the imposition on a hosting provider (Facebook, in this case) of an obligation to remove not only notified illegal content, but also identical and similar content, at a national or worldwide level? The Court held the Directive does not as such preclude such order, and that as to the worldwide injunctive issue, EU law has not harmonised and that it is up to the Member States to direct in any such orders in compliance with public international law.

The judgment to a large degree concerns statutory interpretation on filtering content, which Daphne Keller has already reviewed pre the judgment succinctly here, Dan Svantesson post the judgment here, as did Lorna Woods, and a frenzied Twitter on the day of the judgment e.g. in this thread. A most balanced analysis is provided by Andrej Savin here. e-Commerce law is not the focus of this blog, neither my professed area of expertise (choices, choices). I do want to emphasise though

  • that as always it pays to bear in mind the CJEU’s judicial economy. Here: the need to interpret its judgment in line with the circumstances of the case. As Steve Peers noted, the Austrian court had ruled that the post was defamatory, which is a recognised basis for limiting freedom of expression; see also at 40: ‘In that regard, it should be made clear that the illegality of the content of information does not in itself stem from the use of certain terms combined in a certain way, but from the fact that the message conveyed by that content is held to be illegal, when, as in the present case, it concerns defamatory statements made against a specific person.‘ Nota bene, the same need to read the judgment in context goes for the earlier Google v CNIL case, applying Directive 95/46 and the GDPR, which I review here.
  • that speaking strictly as a member of the public who has seen the devastating effect of ‘social’ media on people close to me, the technical discussions on filtering (‘what filter does the CJEU think might possibly ever be available to FB to remove content in the way the Court wishes’) are emphatically beside the point. The public justifiably are not interested in the how. A service is offered which clearly has negative effects on EU citisens. Remedy those effects, or remove the service from those citisens. That is true for the negative impacts of goods (in 25 years of regulatory Bar practice I have seen plenty of that). There is no reason it should be any less true for services.

The jurisdictional issues are what interest me more from the blog’s point of view: the territorial scope of any removal or filtering obligation. In Google viz the GDPR and the data protection Directive, the Court confirmed my reading, against that of most others’, of Szpunar AG’s Opinion. EU law does not harmonise the worldwide removal issue. Reasons of personal indemnification may argue in specific circumstances for universal jurisdiction and ditto reach of injunctive relief on ‘right to be forgotten’ issues. Public international law and EU primary law are the ultimate benchmark (Google V CNIL). It is little surprise the Court held similarly in Eva Glawischnig-Piesczek, even if unlike in Google, it did not flag the arguments that might speak against such order. As I noted in my review of Google, for the GDPR and the data protection Directive, it is not entirely clear whether the Court suggests EU secondary law simply did not address extraterritoriality or decided against it. For the e-commerce Directive in Eva Glawischnig-Piesczek the Court notes at 50-52

Directive 2000/31 does not preclude those injunction measures from producing effects worldwide. However, it is apparent from recitals 58 and 60 of that directive that, in view of the global dimension of electronic commerce, the EU legislature considered it necessary to ensure that EU rules in that area are consistent with the rules applicable at international level.  It is up to Member States to ensure that the measures which they adopt and which produce effects worldwide take due account of those rules.

In conclusion, Member States may order a host provider to remove information covered by the injunction or to block access to that information worldwide within the framework of the relevant international law. To my knowledge, the Brussels Court of Appeal is the only national court so far to consider public international law extensively viz the issue of jurisdiction, and decided against it, nota bene in a case against Facebook Inc.

Any suggestion that the floodgates are open underestimates the sophisticated engagement of national courts with public international law.

In general, the CJEU’s approach is very much aligned with the US (SCOTUS in particular) judicial approach in similar extraterritoriality issues (sanctions law; export controls; ATS;…). There is no madness to the CJEU’s approach. Incomplete: sure (see deference to national courts and the clear lack of EU law-making up its legislative mind on the issues). Challenging and work in progress: undoubtedly. But far from mad.

Geert.

(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 2.2.8.2, Heading 2.2.8.2.5.

Court of Justice in Google v CNIL sees no objection in principle to EU ‘Right to be forgotten’ leading to worldwide delisting orders. Holds that as EU law stands, however, it is limited to EU-wide application, leaves the door open to national authorities holding otherwise.

Many commentators were wrong-footed on reading Advocate-General Szpunar’s Opinion in C-505/17 Google Inc v Commission nationale de l’informatique et des libertés (CNIL), concerning the territorial limits to right to have search results delisted, more popularly referred to as ‘the right to erasure’ or the ‘right to be forgotten’ (‘RTBF’ – a product of the CJEU in Google Spain). Far from ruling out ‘extraterritorial’ or worldwide force of the right, the AG saw no objection to it in principle, even if he suggested non-application to the case at issue (he did so again in his Opinion in C-18/18 Eva Glawischnig-Piesczek v Facebook, which I review here and on which judgment is forthcoming next week; central to that case is private law, in contrast to current case which at its core is a public law issue of enforcement).

The Court yesterday held (the Twitter storm it created was later somewhat drowned by the UK Supreme Court’s decision in the prorogation case) and overall confirmed the AG’s views. As with the AG’s Opinion, it is important to read the Judgment for what it actually says, not just how the headlines saw it. For immediate analysis, readers may also want to read Daphne Keller’s and Michèle Finck’s threads and Dan Svantesson’s impromptu assessment.

It is again important to point out that the French data protection authority’s (CNIL) decision at issue, 2016/054 is a general CNIL instruction to Google to carry out global delisting in instances where natural persons request removal; not a case-specific one. 

I have a case-note on the case and on C-137/17 (judgment also yesterday) forthcoming with Yuliya Miadzvetskaya, but here are my initial thoughts on what I think is of particular note.

1. The Court of Justice (in Grand Chamber) first of all, unusually, examines the questions in the light of both Directive 95/46, applicable to the facts at issue, and the GDPR Regulation ‘in order to ensure that its answers will be of use to the referring court in any event’ (at 41).

2. Next, at 52, the Court dismisses a fanciful distributive approach towards the computing reality of data processing:

Google’s establishment in French territory carries on, inter alia, commercial and advertising activities, which are inextricably linked to the processing of personal data carried out for the purposes of operating the search engine concerned, and, second, that that search engine must, in view of, inter alia, the existence of gateways between its various national versions, be regarded as carrying out a single act of personal data processing. The referring court considers that (and the CJEU clearly agrees, GAVC), in those circumstances, that act of processing is carried out within the framework of Google’s establishment in French territory.

3. At 55, the Court points out that de-referencing carried out on all the versions of a search engine would meet the objective of data protection in full, particularly (at 56) given the fact that ‘(t)he internet is a global network without borders and search engines render the information and links contained in a list of results displayed following a search conducted on the basis of an individual’s name ubiquitous (the Court restating here its finding in both Google Spain and Bolagsupplysningen). 

At 58 the Court employs that finding of ubiquitousness to ‘justify the existence of a competence on the part of the EU legislature to lay down the obligation, for a search engine operator, to carry out, when granting a request for de-referencing made by such a person, a de-referencing on all the versions of its search engine.’ No grand statements on public international law’s views on adjudicative extraterritoriality /universality. Just a simple observation.

The Court subsequently however (at 59-60) notes other States’ absence of a right to de-referencing and their different views on the balancing act between privacy and freedom of speech in particular. At 61-62 it then notes

While the EU legislature has, in Article 17(3)(a) of Regulation 2016/679, struck a balance between that right and that freedom so far as the Union is concerned (see, to that effect, today’s judgment, GC and Others (De-referencing of sensitive data), C‑136/17, paragraph 59), it must be found that, by contrast, it has not, to date, struck such a balance as regards the scope of a de-referencing outside the Union.

In particular, it is in no way apparent from the wording of Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 or Article 17 of Regulation 2016/679 that the EU legislature would, for the purposes of ensuring that the objective referred to in paragraph 54 above is met, have chosen to confer a scope on the rights enshrined in those provisions which would go beyond the territory of the Member States and that it would have intended to impose on an operator which, like Google, falls within the scope of that directive or that regulation a de-referencing obligation which also concerns the national versions of its search engine that do not correspond to the Member States.

In other words the Court has adopted the same approach as the United States Supreme Court has done in Morrison v. National Australia Bank; and Kiobel: there is a presumption against extraterritoriality, however it is not excluded. In the absence of indications of the legislator wish to extend the right to delisting extraterritorially it does not so exist in the current state of the law.

4. At 63 the Court hints at what might be required as part of such future potential extraterritorial extension: EU law does not currently provide for cooperation instruments and mechanisms as regards the scope of a de-referencing outside the Union – in contrast with the regime it has intra-EU. This also hints at the CJEU taking a more multilateral approach to the issue than its SCOTUS counterpart.

5. At 69 the Court then adds that intra-EU, a delisting order covering all of the search engine’s EU extensions is both possible and may be appropriate: co-operation between authorities may lead to ‘where appropriate, a de-referencing decision which covers all searches conducted from the territory of the Union on the basis of that data subject’s name.’

6. A final twist then follows at 72:

Lastly, it should be emphasised that, while, as noted in paragraph 64 above, EU law does not currently require that the de-referencing granted concern all versions of the search engine in question, it also does not prohibit such a practice. Accordingly, a supervisory or judicial authority of a Member State remains competent to weigh up, in the light of national standards of protection of fundamental rights (references to CJEU authority omitted, GAVC), a data subject’s right to privacy and the protection of personal data concerning him or her, on the one hand, and the right to freedom of information, on the other, and, after weighing those rights against each other, to order, where appropriate, the operator of that search engine to carry out a de-referencing concerning all versions of that search engine.

Here I do not follow the Court: one could argue that the harmonised EU’s approach is currently not to extend the right to delisting extraterritorially. The Court on the other hand seems to be suggesting that the extraterritoriality issue was not discussed in the Directive or Regulation, that EU law does not occupy (‘pre-empt’) that regulatory space and consequently leaves it up to the Member States to regulate that right. (Update 27 September 2019: Other interpretations are collated here).

I shall need more detailed reading of the GDPR’s preparatory works to form a view as to whether the extraterritorial element was considered, and rejected, or simply not discussed. However I also want to already point out that if the decision is left to the Member States, the case-law and theory of pre-emption clarifies that such national action has to be taken in full compatibility with EU law. including free movement of services, say, which Google may rightfully invoke should there be a disproportionate impact on the Internal Market.

Geert.

(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 2.2.8.2, Heading 2.2.8.2.5.

Brussels Court of Appeal rejects jurisdiction against Facebook Inc, Facebook Ireland in privacy, data protection case.

Update 17 June 2021 for analysis of the CJEU judgment in same see Lorna Woods here.

Update 10 September 2020 the case at the CJEU is listed as C-645/19.

The Brussels Court of Appeal held early May in a lengthy and scholarly judgment that it sees no ground in either public international law, or European law, for jurisdiction of the Belgian courts against Facebook Ireland and Facebook Inc (Palo Alto, California). I reported on the litigation inter alia here. I believe the Court is right, as readers of the blog know from my earlier postings.

Belgium’s Data Protection Authority (DPA) does not signal the rejection of jurisdiction against FB Ireland and FB Inc in its press release, however even its 3 page extract from the 121 page judgment clearly shows it (first bullet-point).

The questions which the Court of Appeal has sent up to Luxembourg concern Facebook Belgium only. The Court in the full judgment does not qualify FB Belgium’s activities as data processing. However it has very specific questions on the existence and extent of powers for DPAs other than the leading authority under the GDPR, including the question whether there is any relevance to the fact that action has started prior to the entry into force of the GDPR (25 May 2018). The Court is minded to interpret the one-stop shop principle extensively however it has doubt given the CJEU’s judgment in Fanpages

Crucial and so far, I believe, fairly unreported. (My delay explained by the possibility for use as an essay exam question – which eventually I have not).

Geert.

(Handbook of) EU private international law, 2nd ed.2016, chapter 2, Heading 2.2.8.2.5.

The internet’s not written in pencil, it’s written in ink. Szpunar AG in Eva Glawischnig-Piesczek v Facebook, re i.a. jurisdiction and removal of hate speech. (As well as confirming my reading of his Opinion in Google).

Case C-18/18 Eva Glawischnig-Piesczek v Facebook as I noted in my short first review of the case, revolves around Article 15 of the E-Commerce Directive. Does Article 15 prohibit the imposition on a hosting provider (Facebook, in this case) of an obligation to remove not only notified illegal content, but also identical and similar content, at a national or worldwide level?

Szpunar AG in his Opinion kicks off with a memorable Erica Albright quote from The Social Network:  The internet’s not written in pencil, [Mark], it’s written in ink’. 

His Opinion to a large degree concerns statutory interpretation on filtering content, which Daphne Keller has already reviewed succinctly here and which is not the focus of this blog. The jurisdictional issues are what interest me more: the territorial scope of any removal obligation.

Firstly, Szpunar AG matter of factly confirms my reading, against that of most others’, of his Opinion in C-505/17 Google: at 79:

‘in my Opinion in that case I did not exclude the possibility that there might be situations in which the interest of the Union requires the application of the provisions of that directive beyond the territory of the European Union.’

Injunctions (ordering removal) are necessarily based on substantive considerations of national law (in the absence of EU harmonisation of defamation law); which law applies is subject to national, residual conflicts rules (in the absence of EU harmonisation at the applicable law, level, too): at 78. Consequently, a Court’s finding of illegality (because of its defamatory nature) of information posted may well have been different had the case been heard by a court in another Member State. What is however harmonised at the EU level, is the jurisdiction for the civil and commercial damage following from defamation: see e-Date, in particular its centre of interests rule which leads to an all-encompassing, universal’ jurisdiction for the damages resulting from the defamation.

Separate from that is the consideration of the territorial extent of the removal obligation. Here, the AG kicks off his analysis at 88 ff by clearly laying out the limits of existing EU harmonisation: the GDPR and data protection Directive harmonise issues of personal data /privacy: not what claimant relies on. Directive 2000/31 does not regulate the territorial effects of injunctions addressed to information society service providers. Next, it is difficult, in the absence of regulation by the Union with respect to harm to private life and personality rights, to justify the territorial effects of an injunction by relying on the protection of fundamental rights guaranteed in Articles 1, 7 and 8 of the Charter: the scope of the Charter follows the scope of EU law and not vice versa. In the present case, as regards its substance, the applicant’s action is not based on EU law. Finally, Brussels Ia does not regulate the extra-EU effects of injunctions.

In conclusion therefore EU law does not regulate the question of extraterritorial reach in casu.

For the sake of completeness, the AG does offer at 94 ff ‘a few additional observations’ as regards the removal of information disseminated worldwide via a social network platform. At 96 he refers to the CJEU’s judgment in Bolagsupplysningen which might implicitly have acknowledged universal jurisdiction, to conclude at 100 (references omitted)

the court of a Member State may, in theory, adjudicate on the removal worldwide of information disseminated via the internet. However, owing to the differences between, on the one hand, national laws and, on the other, the protection of the private life and personality rights provided for in those laws, and in order to respect the widely recognised fundamental rights, such a court must, rather, adopt an approach of self-limitation. Therefore, in the interest of international comity…, that court should, as far as possible, limit the extraterritorial effects of its junctions concerning harm to private life and personality rights. The implementation of a removal obligation should not go beyond what is necessary to achieve the protection of the injured person. Thus, instead of removing the content, that court might, in an appropriate case, order that access to that information be disabled with the help of geo-blocking.

There are very sound and extensive references to scholarship in the footnotes to the Opinion, including papers on the public /private international law divide and the shifting nature of same (the Brussels Court of Appeal recently in the Facebook case justifiably found jurisdictional grounds in neither public nor private international law, to discipline Facebook Ireland and Facebook Inc for its datr-cookies placed on Belgian users of FB).

I find the AG’s Opinion convincing and complete even in its conciseness. One can analyse the jurisdictional issues until the cows come home. However, in reality reasons of personal indemnification may argue in specific circumstances for universal jurisdiction and ditto reach of injunctive relief. However these bump both into the substantial trade-off which needs to be made between different fundamental rights (interest in having freedom removed v freedom of information), and good old principles of comitas gentium aka comity. That is not unlike the US judicial approach in similar issues.

Geert.

(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 2.2.8.2, Heading 2.2.8.2.5.

Ramona Ang v Reliantco: On bitcoins, choice of court, complex financial markets and ‘consumers’. As well as a first vindication of my GDPR jurisdictional prediction.

Update the merits were held today in Ang v Reliantco Investments Ltd [2020] EWHC 3242 (Comm)

As noted, I have come up for some air after a few hectic weeks – next case to report on is [2019] EWHC 879 (Comm) Ramona v Reliantco, held 12 April. (A similar case is pending with the CJEU against Reliantco as Case C-500/18).

Defendant (‘Reliantco’) is a company incorporated in Cyprus offering financial products and services through an online trading platform under the ‘UFX’ trade name. Claimant, Ms Ang, is an individual of substantial means who invested in Bitcoin futures, on a leveraged basis, through the UFX platform. She claims, essentially and primarily, that Reliantco wrongfully blocked and terminated her UFX account and should compensate her for the loss of her open Bitcoin positions, or at a minimum should refund her cash value invested. She also makes claims for relief in respect of what she says have been breaches of data protection obligations owed by Reliantco in connection with her UFX account.

The judgment does not concern the merits of Ms Ang’s claims but rather an application by Reliantco challenging jurisdiction. Reliantco contends that Ms Ang is bound by its standard terms and conditions, clause 27.1 of which provides that the courts of Cyprus are to have exclusive jurisdiction over “all disputes and controversies arising out of or in connection with” her customer agreement. Reliantco therefore relies on Article 25 Brussels Ia.

Ms Ang says that clause 27.1 is ineffective to require her to bring her claim in Cyprus, either because she is a consumer within Section 4 of Brussels (Recast) or because clause 27.1 was not incorporated into her UFX customer agreement with Reliantco in such a way as to satisfy the requirements of Article 25. Ms Ang says, in the alternative, that her data protection claims may be brought here notwithstanding Article 25 Brussels Ia even if Article 25 applies to her primary substantive claims.

All in all a nice set of jurisdictional issues and no surprise to have prof Jonathan Harris QC involved as counsel.

At all times material to her claim, Ms Ang was not employed or earning a living in any self-employed trade or profession (unless, which is contentious between the parties and considered below, her activity as a customer of Reliantco via the UFX platform is itself to be so classified). Ms Ang worked in money markets for two months as a trainee, observing US$/DM currency swaps. Other than that, she has no professional currency trading or money market experience (again, that is, unless her use of the UFX platform to invest in Bitcoin futures itself counts as such).

At 9, a little bit of Bitcoin drame enters the scene: Ms Ang’s husband, Craig Wright, is a computer scientist with cybersecurity and blockchain expertise who works as Chief Scientist for nChain Ltd, a blockchain technology company with a corporate vision “to transform how the world conducts all transactions – using the blockchain’s distributed, decentralised ledger that chronologically records transactions in an immutable way“. As a researcher, he publishes prolifically and has developed innovations for which patent protection has been sought. He is the same Craig Wright who has identified himself publicly as being ‘Satoshi Nakamoto’, the online pseudonym associated with the inventor (or a co-inventor) of Bitcoin. Baker J holds that he need not consider whether that claim is true, and on the evidence for this application I would not be in any position to do so.

Was Ms Ang a ‘consumer’? At 52 ff the arguments of Reliantco are summarised; at 55 ff those of Ms Ang.

CJEU precedent discussed by Baker J is C-89/91 Shearson; C-269/95 Benincasa; C-464/01 Gruber; C-498/16 Schremsand the pending cases C‑208/18 Petruchová [I reviewed the AG’s Opinion (issued a day before the High Court’s judgment) yesterday] and C-500/18 Reliantco Investments and Reliantco Investments Limassol Sucursala Bucureşti.

Baker J concludes at 34 ‘the ECJ/CJEU has not decided whether contracts entered into by a wealthy private individual for the purpose of investing her wealth, or particular types of such contract, are not (or can never be) consumer contracts.’

Reference is then made to English precedent along the very lines of the precedent dismissed by Tanchev AG in Petruchová: including AMT Futures v Marzillier, and at 35 ff Standard Bank London Ltd v Apostolakis both through the English and the Greek courts – with differing results. At 44: ‘the disagreement between the English and Greek decisions in Apostolakis turns upon and is constituted by a difference of view as to whether investing private wealth for gain, if it takes the form of buying and selling foreign currency, is by nature a business activity so that an individual investing their wealth in that way cannot when doing so be a ‘consumer’ under Brussels (Recast). Longmore J thought there was no such proposition of law; the Greek court took the contrary view.’ German case-law is also discussed.

At 63 Baker J comes to the core of his reasoning: ‘In my judgment, the investment by a private individual of her personal surplus wealth (i.e. surplus to her immediate needs), in the hope of generating good returns (whether in the form of income on capital, capital growth, or a mix of the two), is not a business activity, generally speaking. It is a private consumption need, in the sense I believe intended by the ECJ in Benincasa, to invest such wealth with such an aim, i.e. that is an ‘end user’ purpose for a private individual and is not exclusively a business activity. That means, as was also Popplewell J’s conclusion in AMT v Marzillier, that it will be a fact-specific issue in any given case whether a particular individual was indeed contracting as a private individual to satisfy that need, i.e. as a consumer, or was doing so for the purpose of an investment business of hers (existing or planned).’

And at 65 in fine: the ‘question of purpose is the question to be asked, and it must be considered upon all of the evidence available to the court and not by reference to any one part of that evidence in isolation.’

At 68 he concludes ‘the purpose of her contract with Reliantco therefore was outside any business of hers’.

Baker J notes that he was not asked to defer any decision in C‑208/18 Petruchová. I believe it would have been of help to determine the issue before him. Tanchev AG (as noted, in an Opinion not available to Baker J at the time of his drafting his judgment) suggests that ‘to determine whether a person must be regarded as a consumer, reference must be made to the nature and objective of the contract, not to the subjective situation of the person concerned.’ 

Obiter, he then reviews Article 25, where CJEU authority discussed is ia Colzanni and Cars on the Web. Ms Ang contended that she was not able to access the standard terms web page at the time she opened her account, and therefore clause 27.1 did not comply with Article 25 B1a. At 78 extensive technical detail is discussed and at 80 Baker J finds that the Cars on the Web criterion of accessibility and durability were met; and at 81 that in any case, the current issue is not one of a click-wrap agreement for a signed hard copy of the GTCs with choice of court in it, had also been sent.

Equally obiter, at 83 ff Baker J summarily discussed the GDPR jurisdictional arguments which would have been more relevant had he not accepted jurisdiction under the consumer title. The brief discussion entirely fulfils my summer 2018 prediction here: Article 79 GDPR will create a lot of issues at the level of jurisdiction.

A very relevant case.

Geert.

(Handbook of) EU private International Law, 2nd ed. 2016, Chapter 2, Heading 2.2.8.2.

 

 

%d bloggers like this: