Posts Tagged Extraterritoriality
US Iran sanctions renew the spotlight on the EU’s blocking regulation: A rare EU harmonised approach to enforcement and recognition from third States.
Ross Denton at Baker & McKenzie has a gem of a briefing on the EU’s ‘blocking Regulation’ and what it would mean in light of the US’ mooted sanctions on Iran. Steptoe had earlier also pondered the impact of the US withdrawal from the ‘Joint Comprehensive Plan of Action’ or JCPOA, on the Regulation.
Regulation 2271/96 provides essentially for protection against, and counteracts the effects of the extra-territorial application of the laws of third States. WTO lawyers will remember it mostly from the days of Helms-Burton. As Ross points out, the European Commission now have delegated power to populate the Annex to the list (which details the sanctions the Regulation acts against).
Potentially extra-territorial are in particular US ‘secondary’ sanctions: i.e. those against non-US individuals (or companies) for actions undertaken outside the US.
Of particular interest to readers of the blog – including researchers I would imagine, are Articles 4, 5 and 6, which I have copy-pasted in full below. They deal with recognition and enforcement, co-operation with foreign courts, and recovery of expenses. These Articles are a rare instance where the EU adopt a harmonised approach to recognition and enforcement of judgments originating ex-EU (awaiting the potential Hague Judgments project). [Update 22 May 11:30 AM. As Enio Piovezani comments below, the GDPR, too, includes a relevant rule: See Article 48: ‘Transfers or disclosures not authorised by Union law. Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.’]
As Ross points out, however, the proverbial US rock is harder than the equally proverbial EU stone, hence in practice many companies choose to abide by the US sanctions, anyways.
My fingers are itching to launch yet another interesting PhD topic on this issue…Takers?
No judgment of a court or tribunal and no decision of an administrative authority located outside the Community giving effect, directly or indirectly, to the laws specified in the Annex or to actions based thereon or resulting therefrom, shall be recognized or be enforceable in any manner.
No person referred to in Article 11 shall comply, whether directly or through a subsidiary or other intermediary person, actively or by deliberate omission, with any requirement or prohibition, including requests of foreign courts, based on or resulting, directly or indirectly, from the laws specified in the Annex or from actions based thereon or resulting therefrom.
Persons may be authorized, in accordance with the procedures provided in Articles 7 and 8, to comply fully or partially to the extent that non-compliance would seriously damage their interests or those of the Community. The criteria for the application of this provision shall be established in accordance with the procedure set out in Article 8. When there is sufficient evidence that non-compliance would cause serious damage to a natural or legal person, the Commission shall expeditiously submit to the committee referred to in Article 8 a draft of the appropriate measures to be taken under the terms of the Regulation.
Any person referred to in Article 11, who is engaging in an activity referred to in Article 1 shall be entitled to recover any damages, including legal costs, caused to that person by the application of the laws specified in the Annex or by actions based thereon or resulting therefrom.
Such recovery may be obtained from the natural or legal person or any other entity causing the damages or from any person acting on its behalf or intermediary.
The Brussels Convention of 27 September 1968 on jurisdiction and the enforcement of judgments in civil and commercial matters shall apply to proceedings brought and judgments given under this Article. Recovery may be obtained on the basis of the provisions of Sections 2 to 6 of Title II of that Convention, as well as, in accordance with Article 57 (3) of that Convention, through judicial proceedings instituted in the Courts of any Member State where that person, entity, person acting on its behalf or intermediary holds assets.
Without prejudice to other means available and in accordance with applicable law, the recovery could take the form of seizure and sale of assets held by those persons, entities, persons acting on their behalf or intermediaries within the Community, including shares held in a legal person incorporated within the Community.
Of interest to data protection lawyers is Warby J’s excellent review of the test to be applied (particularly within the common law context of misuse of private information). Of interest to readers of this blog, is what is not yet part of the High Court’s ruling: the precise wording of the delisting order. Particularly: defendant is Google LLC, a US-based company. Will the eventual delisting order in the one case in which it was granted, include worldwide wording? For our discussion of relevant case-law worldwide, see here.
Update 3 April 2018 Recently, the so-called “CLOUD Act” was passed by Congress and signed into law. This new law amends the Stored Communications Act to give it a potentially extraterritorial reach. Following this development, the U.S. Government has moved to have the Microsoft case dismissed as moot, and to have the Second Circuit’s decision vacated. [Technically, Congress has enacted, and the President has signed, the Consolidated Appropriations Act, 2018, H.R. 1625, 115th Cong., 2d Sess. (2018). Division V of that Act is called the Clarifying Lawful Overseas Use of Data Act, or the CLOUD Act. The CLOUD Act amends the Stored Communications Act, 18 U.S.C. 2701-2712, by adding 18 U.S.C. 2713, which now states:
A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.]
For background to the Microsoft Ireland case under the Stored Communications Act (SCA), see here. The issue is essentially whether the US Justice Department may force Microsoft to grant access to e-mails stored on Irish servers.
With a group of EU data protection and conflicts lawyers, we have filed an amicus curiae brief in the case at the United States Supreme Court last week, arguing that the Court should interpret the SCA to apply only to data stored within the United States, leaving to Congress the decision whether and under what circumstances to authorize the collection of data stored in other countries.
There is not much point in me rehashing the arguments here: happy reading.
Apologies for late reporting. Bot AG opined end of October in C‑210/16 Fansites. [The official name of the case is Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, in the presence of Facebook Ireland Ltd, Vertreter des Bundesinteresses beim Bundesverwaltungsgericht. It’s obvious why one prefers calling it Fansites].
The Advocate-General summarises (para 2-3) the case as involving ‘proceedings between the Wirtschaftsakademie Schleswig-Holstein GmbH, a company governed by private law and specialising in the field of education (‘the Wirtschaftsakademie’), and the Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein, a regional data-protection authority in Schleswig-Holstein (‘ULD’) concerning the lawfulness of an order issued by the latter against the Wirtschaftsakademie requiring it to deactivate a ‘fan page’ hosted on the website of Facebook Ireland Ltd. The reason for that order was the alleged infringement of the provisions of German law transposing Directive 95/46. Specifically, visitors to the fan page were not warned that their personal data are collected by the social network Facebook (‘Facebook’) by means of cookies that are placed on the visitor’s hard disk, the purpose of that data collection being to compile viewing statistics for the administrator of the fan page and to enable Facebook to publish targeted advertisements.’
The case ought to clarify the extent of the powers of intervention of supervisory authorities such as ULD with regard to the processing of personal data which involves the participation of several parties (at 13). I had flagged earlier that this case is relevant to the jurisdictional and applicable law issues involving datr cookies.
Whatever the outcome of the case, its precedent value will be limited by the imminent entry into force of the new General Data Protection Regulation – GDPR. The GDPR clearly introduces a ‘one-stop principle’ with only one lead authority (in FB’s case, Ireland’s data protection agency) having the authority to act (see also the AG’s observation of same in para 103).
As prof Lorna Woods in excellent analysis observes, the issue comes down to the interpretation of the phrase from Art. 4(1)(a), ‘in the context of the activities of an establishment’. Dan Svantesson has most superb analysis of Article 4(1)(a) here, anyone interested in the issue will find his insight most helpful.
Now, the Advocate-General leans heavily on Weltimmo; however, I would suggest its precedent value for the Fanpages case is constrained. Weltimmo concerned a company set up in Slovakia but with no relevant activities at all in that Member State. Indeed as the Court itself observed (at 16-18), the company was effectively mala fide (my words, not the CJEU’s) moving its servers and creating fog as to its exact whereabouts. In other words a case of blatant abuse. There is no suggestion of abuse in Fanpages. Moreover according to the CJEU in C-230/14 Weltimmo the phrase ‘in the context of the activities of an establishment’ cannot be interpreted restrictively (AG’s reference in para 87), yet that CJEU holding in Weltimmo cross-refers to Google Spain in which the crucial issue was whether EU data protection laws apply at all. That is very different in Weltimmo and in Fanpages. That EU authorities have jurisdiction and that EU privacy law applies is not at issue.
There is sufficient argument to find in the Directive, even before its transformation into the GDPR, that in cases such as these the same processing operation ought to be governed by the laws of just one Member State. It would be good for the CJEU to recognise that even before the entry into force of the GDPR.
(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 184.108.40.206.5.
This posting is really addressed to those with more of a full-time interest in competition law than yours truly. Particularly in the extraterritorial effect of same. In  EWHC 2420 (Ch) Emerald Supplies et al v British Airways defendants contend that as a matter of law there can be no claim for damages arising from the cartel at issue insofar as it affected freight charges between the EU and third countries on flights before 1 May 2004. That was the date on which air transport between the EU and third countries was brought within the regime implementing the EU competition rules set out in Regulation 1/2003.
Rose J after careful analysis sides with the defendants and rejects reference to the CJEU, citing acte clair (enough analysis of the CJEU on the same and related issues – I believe she is right). Happy reading.
Twitter injunctions – Twinjunctions if you like, rather like Facebook or Google Removal orders, provide classic scenarios for the consideration of the territorial scope of injunctive and enforcement proceedings. Michael Douglas has great review of  NSWSC 1300 X v Twitter. [P.s. 27 November: Michael has more analysis here]. On 28 September 2017, the Supreme Court of New South Wales awarded its final injunction with global reach, directed towards Twitter Inc (based at CAL) and its Irish counterpart, Twitter International Company.
Now, what is refreshing about Pembroke J’s review of the issues is his non-doctrinal analysis of the issue of jurisdiction. He emphasises that there is a long history of courts of equity making in personam orders that are intended to operate extra-territorially (the Court’s jurisdiction is one in equity); (at 40) that Twitter unlike other defendants may disagree with the ruling but will not seek to avoid its social responsibility; that there is a public interest in issuing the worldwide order (and in enforcing it: Pembroke J flags that there are Australia-based assets against which enforcement may be sought); and that given his experience with Twitter, it can be expected to use its best endeavours to give effect to the proposed orders, despite its objection that it is not feasible to pro-actively monitor user content.
Eventually of course the trouble with such an assessment, without consideration of wider issues of public and private international law, is that the issuing, or not, of orders of this kind by the courts, depends on the defendant’s attitude towards compliance. That is hardly a solution serving equal access to the law or indeed equity.