Tag: Facebook

Posted on

Google and the jurisdictional reach of the Belgian DPA in right to be forgotten cases. Another piece misplaced in the puzzle?

Thank you Nathalie Smuha for first signalling the €600,000.00 fine which the Belgian Data Protection Authority (DPA) issued on Tuesday against Google Belgium, together with a delisting order of uncertain reach (see below) and an order to amend the public’s complaint forms. The decision will eventually be back up here I am assume (at vanished yesterday) however I have copy here.

Nauta Dutilh’s Peter Craddock and Vincent Wellens have very good summary and analysis up already, and I am happy to refer. Let me add a few things of additional note:

  • The one-stop shop principle of the GDPR must now be under severe strain. CNIL v Google already put it to the test and this Belgian decision further questions its operationalisation – without even without for the CJEU to answer the questions of the Brussels Court of Appeal in the Facebook case. At 31, the DPA refers to a letter which Google LLC had sent on 23 June 2020 (a few days therefore after the French decision) to the Irish DPA saying that it would no longer object to national DPAs exercising jurisdiction in right to be forgotten cases. Of note is that in ordinary litigation, deep-pocket claimants seeking mozaik jurisdiction seldom do that because it serves the general interest.
  • Having said that, the Belgian DPA still had to establish jurisdiction against Google Belgium. Here, CJEU Google v Spain, Google v CNIL, and Wirtschaftsakademie led the DPA to take a ‘realistic’ /business plan approach (such as Jääskinen AG in Google Spain) rather than a legally pure approach: at 80 following extensive reference to CJEU authority, and to the effet utile of the GDPR, the DPA holds that it matters little whether the actual processing of the date takes places outside of the EU, by Google employees ex-EU, and that Google Belgium’s activities are supportive only. A Belgian resident’s right to be forgotten has been infringed; a Google entity is available there: that would seem to suffice.
  • That left the issue of the territorial reach of the delisting request. The DPA arguably cuts a few corners on the Google Belgium issue; here, it is simply most vague: at 81 ff it refers to the jurisdictional decision in e-Date Advertising, that for infringement of privacy within Brussels Ia, the courts of the person’s centre of interests are best placed to hear the case in its entirety, holding this should be applied mutatis mutandis in GDPR cases and removal orders. It then holds at 85 that neither Google v CNIL nor Belgian law give it specific power to impose a worldwide delisting order, yet at 91 that an EU-wide delisting order would seem an effective means of redress, to end up in its final order (p.48-49) not identifying a territorial scope for delisting.

I am confused. I suspect I am not the only one.

Geert.

(Handbook of) EU private international law, 2nd ed.2016, chapter 2, Heading 2.2.8.2.5.

 

Posted on

Yelp and Facebook. The German and Dutch courts on reputational damage, jurisdiction and applicable law.

Thank you Matthias Lehmann for flagging X v Yelp , held 14 January 2020 at the Bundesgerichthof (German federal court) and to Jef Ausloos for drawing our attention to X and Avrotros v Facebook BV and Facebook Ireland ltd held 15 May 2020. An English summary of that case is here. Note that the Dutch case is one in interlocutory proceedings. Both concern the application of Article 7(2) Brussels IA at the jurisdictional level, and Rome II at the applicable law level, with respect to reputational damage.

In the German Yelp case, a German gym had complained that Yelp’s review algorithm had created a distorted picture of its business. Jurisdiction was established under Article 7(2) Brussels Ia per CJEU Bolagsupplysningen: centre of interests in Germany.  As to applicable law, the pickle is A1(2)(g) Rome II which excludes from its scope of application, “non-contractual obligations arising out of violations of privacy and rights relating to personality, including defamation”.

Under residual German PIL, claimant has a choice between lex locus damni or lex locus delicti commissi. Matthias points to the difficulty: if companies have ‘personality rights’ within the meaning of Rome II (Bolagsupplysningen clearly suggests they do; but that is a jurisdictional case) then the issue ought to be held exempt from Rome II. Except, a big chunk of unfair trading practices consists of thrashing a competitor’s reputation – and A6 Rome II has a specific lex causae for unfair trading practices.

The German court does not address the issue directly for it held that claimant had made an implicit choice for lex locus damni – German law: the same result as Rome II would have had.

In the Dutch case, the Court likewise holds jurisdiction on the basis of centre of interests,  and then squarely applies A4 Rome II’s general lex locus damni rule (the action was based against Facebook, arguing that FB was not taking enough measures to block fake/fraudulent bitcoin ads on its platform).

On the choice of court suggestion of Facebook, the court holds that current dispute is not of a contractual nature and that FB’s contractual choice of court and law does not extend to same; it leaves undecided whether the celebrity at issue can be considered a ‘consumer’ for jurisdictional purposes (their FB use I imagine potentially having developed into, or even started as professional use: see the dynamic nature per CJEU C-498/16 Schrems). There must be more argument in there.

Interesting cases, with both courts cutting corners.

Geert.

Posted on

A reminder: Austrian courts apply CJEU Eva Glawischnig-Piesczek v Facebook ruling. Limits removal to national territory only but does not rule out worldwide removal on principle.

I had already reported in March on the first application of the CJEU C-18/18 Eva Glawischnig-Piesczek v Facebook ruling in an update to my post on the latter. I thought I’ld add a separate post on the ruling for it, well, deserves it: the court held that orders based on Austrian copyright are limited to Austria (given copyright’s territorial limitations), but if they are based on personal rights, the claimant has to specify the requested territorial reach (so potentially global).

IPKat have further analysis here. As one or two of us discussed at the time of the CJEU ruling: the infringement of personality rights angle is an important one.

Geert.

(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 2.2.8.2, Heading 2.2.8.2.5.

Posted on

Swamdi Ramdev v Facebook, Google, Youtube et al at the Delhi High Court: Worldwide removal ordered without much hesitation.

Update 14 November 2019 the judgment is, unsurprisingly, being appealed.

‘The race between technology and the law could be termed as a hare and tortoise race – As technology gallops, the law tries to keep pace.’ (see further below).

Thank you Daphne Keller for flagging CS (OS) 27/2019 Swami Ramdev et al v Facebook et al at the Delhi High Court on 23 October. Defendants are Facebook Inc, Google Inc, YouTube LLC, Twitter etc. The allegation of Plaintiffs is that various defamatory remarks and information including videos, found earlier to have been defamatory (a judgment currently before the Supreme Court without having been stayed), are being disseminated over the Defendants’ platforms.

At 6 Prathiba M Singh J summarises the parties’ position: None of the Defendants have any objection to blocking the URLs and disabling the same, insofar as access in India is concerned. However, all the Defendant platforms have raised objections to removal/blocking/disabling the impugned content on a global basis. On the other hand, the Plaintiffs argued that blocking merely for the Indian territory alone is not sufficient as the content would be accessible through international websites, which can be accessed in India. Thus, according to the Plaintiffs, for the remedy to be effective, a global blocking order ought to be passed.

Particularly in the review of plaintiff’s submission at 8 ff, the parallel is clear with the discussions on the role of intermediaries in Eva Glawischnig-Piesczek v Facebook. Reference of course is also made to Equustek and, at 64, to the CJEU in Google v CNIL. Facebook refers to the material difference between defamation laws across the globe: at 10: ‘Defamation laws differs from jurisdiction to jurisdiction, and therefore, passing of a global disabling order would be contrary to the principle of comity of Courts and would result in conflict of laws.’

At 44 ff Prathiba M Singh J extensively reviews global precedent, and, at 69, to Eva Glawischnig-Piesczek v Facebook. At 88 ff this leads justice Singh

Firstly, to uphold fairly straightforwardly the court’s power to order global delisting given the origin in India of the original act of uploading: ‘The act of uploading vests jurisdiction in the Courts where the uploading takes place. If any information or data has been uploaded from India on to a computer resource which has resulted in residing of the data on the network and global dissemination of the said information or data, then the platforms are liable to remove or disable access to the said information and data from that very computer resource. The removal or disabling cannot be restricted to a part of that resource, serving a geographical location.’

>>>Clearly the authority of the finding (likely to be appealed) may therefore be limited to situations of content uploading from inside the jurisdiction.

Further, at 99, to make an effectiveness argument: ‘it is clear that any order passed by the Court has to be effective. The parties before this Court i.e. the platforms are sufficiently capable to enforce an order of global blocking. Further, it is not disputed that the platforms are subject to in personam jurisdiction of this Court.’

>>>The latter element, again, may limit the authority of the judgment. I am not au fait with the ground for jurisdiction in the case at issue.

Finally, at 91: ‘The race between technology and the law could be termed as a hare and tortoise race – As technology gallops, the law tries to keep pace’. This does not imply the law simply laying down to have its belly rubbed. Exactly my sentiment in my post on the UK AI case.

Geert.

(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 2.2.8.2, Heading 2.2.8.2.5

 

 

 

Posted on

Steady now. Eva Glawischnig-Piesczek v Facebook. The CJEU on jurisdiction and removal of hate speech.

Update 12 November 2020 the court in the Glawischnig case has now reportedly ordered worldwide removal.

Update 5 May 2020 see the report of the first application of the criteria by the Austrian courts on 30 March 2020 here: the court held that orders based on Austrian copyright are limited to Austria, but if they are based on personal rights, the claimant has to specify the requested territorial reach (so potentially global).

My interest in C-18/18 Eva Glawischnig-Piesczek v Facebook as I noted in my short first review of the case, concerns mostly the territorial reach of any measures taken by data protection authorities against hosting providers. The Court held last week and o boy did it provoke a lot of comment.

The case to a large degree illustrates the relationship between secondary and primary law, and the art of reading EU secondary law. Here: Article 15 of the e-commerce Directive 2001/31 which limits what can be imposed upon a provider; and the recitals of the Directive which seem to leave more leeway to the Member States. Scant harmonisation of tort law in the EU does not assist the Institutions in their attempts to impose a co-ordinated approach.

The crucial issue in the case was whether Article 15 prohibits the imposition on a hosting provider (Facebook, in this case) of an obligation to remove not only notified illegal content, but also identical and similar content, at a national or worldwide level? The Court held the Directive does not as such preclude such order, and that as to the worldwide injunctive issue, EU law has not harmonised and that it is up to the Member States to direct in any such orders in compliance with public international law.

The judgment to a large degree concerns statutory interpretation on filtering content, which Daphne Keller has already reviewed pre the judgment succinctly here, Dan Svantesson post the judgment here, as did Lorna Woods, and a frenzied Twitter on the day of the judgment e.g. in this thread. A most balanced analysis is provided by Andrej Savin here. e-Commerce law is not the focus of this blog, neither my professed area of expertise (choices, choices). I do want to emphasise though

  • that as always it pays to bear in mind the CJEU’s judicial economy. Here: the need to interpret its judgment in line with the circumstances of the case. As Steve Peers noted, the Austrian court had ruled that the post was defamatory, which is a recognised basis for limiting freedom of expression; see also at 40: ‘In that regard, it should be made clear that the illegality of the content of information does not in itself stem from the use of certain terms combined in a certain way, but from the fact that the message conveyed by that content is held to be illegal, when, as in the present case, it concerns defamatory statements made against a specific person.‘ Nota bene, the same need to read the judgment in context goes for the earlier Google v CNIL case, applying Directive 95/46 and the GDPR, which I review here.
  • that speaking strictly as a member of the public who has seen the devastating effect of ‘social’ media on people close to me, the technical discussions on filtering (‘what filter does the CJEU think might possibly ever be available to FB to remove content in the way the Court wishes’) are emphatically beside the point. The public justifiably are not interested in the how. A service is offered which clearly has negative effects on EU citisens. Remedy those effects, or remove the service from those citisens. That is true for the negative impacts of goods (in 25 years of regulatory Bar practice I have seen plenty of that). There is no reason it should be any less true for services.

The jurisdictional issues are what interest me more from the blog’s point of view: the territorial scope of any removal or filtering obligation. In Google viz the GDPR and the data protection Directive, the Court confirmed my reading, against that of most others’, of Szpunar AG’s Opinion. EU law does not harmonise the worldwide removal issue. Reasons of personal indemnification may argue in specific circumstances for universal jurisdiction and ditto reach of injunctive relief on ‘right to be forgotten’ issues. Public international law and EU primary law are the ultimate benchmark (Google V CNIL). It is little surprise the Court held similarly in Eva Glawischnig-Piesczek, even if unlike in Google, it did not flag the arguments that might speak against such order. As I noted in my review of Google, for the GDPR and the data protection Directive, it is not entirely clear whether the Court suggests EU secondary law simply did not address extraterritoriality or decided against it. For the e-commerce Directive in Eva Glawischnig-Piesczek the Court notes at 50-52

Directive 2000/31 does not preclude those injunction measures from producing effects worldwide. However, it is apparent from recitals 58 and 60 of that directive that, in view of the global dimension of electronic commerce, the EU legislature considered it necessary to ensure that EU rules in that area are consistent with the rules applicable at international level.  It is up to Member States to ensure that the measures which they adopt and which produce effects worldwide take due account of those rules.

In conclusion, Member States may order a host provider to remove information covered by the injunction or to block access to that information worldwide within the framework of the relevant international law. To my knowledge, the Brussels Court of Appeal is the only national court so far to consider public international law extensively viz the issue of jurisdiction, and decided against it, nota bene in a case against Facebook Inc.

Any suggestion that the floodgates are open underestimates the sophisticated engagement of national courts with public international law.

In general, the CJEU’s approach is very much aligned with the US (SCOTUS in particular) judicial approach in similar extraterritoriality issues (sanctions law; export controls; ATS;…). There is no madness to the CJEU’s approach. Incomplete: sure (see deference to national courts and the clear lack of EU law-making up its legislative mind on the issues). Challenging and work in progress: undoubtedly. But far from mad.

Geert.

(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 2.2.8.2, Heading 2.2.8.2.5.

Posted on

Comparative US /EU jurisdiction material: Mitchell v. DePuy Orthopaedics (Missouri); and KGS v Facebook (Alabama).

Thank you Stephen McConnell for flagging Mitchell v. DePuy Orthopaedics, Inc., 2019 U.S. Dist. (Missouri) and Alani Golanski for doing the same for KGS v Facebook at the Alabama Supreme Court,

Both cases have plenty of scope for comparative analysis viz EU law and non-US common law. Which is why I had pondered them for use in exam essays but in the end did not – they might come in handy at a later stage. 

Readers best refer to the reports linked above for a full picture. In short, Mitchell involves the minimum contacts rule as well as ‘directing activities towards forum residents’: both have clear echos (and differences) in EU jurisdictional rules. On neither ground was specific (what the EU would call ‘special’) jurisdiction upheld.

In the Facebook case, Facebook argument is included on p.10-11. Claimant put forward a case for jurisdiction on p.13-14. She argues i.a. effects doctrine. Bryan J discussed both extensively p.15 ff and held that doing business in Alabama is not sufficient for personal jur., and (p.39) Facebook engagement with complaints not enough for specific jurisdiction.

In both cases the US Supreme Court’s decision in Bristol-Myers Squibb is cited as highly relevant authority.

Geert.

Posted on

Brussels Court of Appeal rejects jurisdiction against Facebook Inc, Facebook Ireland in privacy, data protection case.

Update 17 June 2021 for analysis of the CJEU judgment in same see Lorna Woods here.

Update 10 September 2020 the case at the CJEU is listed as C-645/19.

The Brussels Court of Appeal held early May in a lengthy and scholarly judgment that it sees no ground in either public international law, or European law, for jurisdiction of the Belgian courts against Facebook Ireland and Facebook Inc (Palo Alto, California). I reported on the litigation inter alia here. I believe the Court is right, as readers of the blog know from my earlier postings.

Belgium’s Data Protection Authority (DPA) does not signal the rejection of jurisdiction against FB Ireland and FB Inc in its press release, however even its 3 page extract from the 121 page judgment clearly shows it (first bullet-point).

The questions which the Court of Appeal has sent up to Luxembourg concern Facebook Belgium only. The Court in the full judgment does not qualify FB Belgium’s activities as data processing. However it has very specific questions on the existence and extent of powers for DPAs other than the leading authority under the GDPR, including the question whether there is any relevance to the fact that action has started prior to the entry into force of the GDPR (25 May 2018). The Court is minded to interpret the one-stop shop principle extensively however it has doubt given the CJEU’s judgment in Fanpages

Crucial and so far, I believe, fairly unreported. (My delay explained by the possibility for use as an essay exam question – which eventually I have not).

Geert.

(Handbook of) EU private international law, 2nd ed.2016, chapter 2, Heading 2.2.8.2.5.

Posted on

The internet’s not written in pencil, it’s written in ink. Szpunar AG in Eva Glawischnig-Piesczek v Facebook, re i.a. jurisdiction and removal of hate speech. (As well as confirming my reading of his Opinion in Google).

Case C-18/18 Eva Glawischnig-Piesczek v Facebook as I noted in my short first review of the case, revolves around Article 15 of the E-Commerce Directive. Does Article 15 prohibit the imposition on a hosting provider (Facebook, in this case) of an obligation to remove not only notified illegal content, but also identical and similar content, at a national or worldwide level?

Szpunar AG in his Opinion kicks off with a memorable Erica Albright quote from The Social Network:  The internet’s not written in pencil, [Mark], it’s written in ink’. 

His Opinion to a large degree concerns statutory interpretation on filtering content, which Daphne Keller has already reviewed succinctly here and which is not the focus of this blog. The jurisdictional issues are what interest me more: the territorial scope of any removal obligation.

Firstly, Szpunar AG matter of factly confirms my reading, against that of most others’, of his Opinion in C-505/17 Google: at 79:

‘in my Opinion in that case I did not exclude the possibility that there might be situations in which the interest of the Union requires the application of the provisions of that directive beyond the territory of the European Union.’

Injunctions (ordering removal) are necessarily based on substantive considerations of national law (in the absence of EU harmonisation of defamation law); which law applies is subject to national, residual conflicts rules (in the absence of EU harmonisation at the applicable law, level, too): at 78. Consequently, a Court’s finding of illegality (because of its defamatory nature) of information posted may well have been different had the case been heard by a court in another Member State. What is however harmonised at the EU level, is the jurisdiction for the civil and commercial damage following from defamation: see e-Date, in particular its centre of interests rule which leads to an all-encompassing, universal’ jurisdiction for the damages resulting from the defamation.

Separate from that is the consideration of the territorial extent of the removal obligation. Here, the AG kicks off his analysis at 88 ff by clearly laying out the limits of existing EU harmonisation: the GDPR and data protection Directive harmonise issues of personal data /privacy: not what claimant relies on. Directive 2000/31 does not regulate the territorial effects of injunctions addressed to information society service providers. Next, it is difficult, in the absence of regulation by the Union with respect to harm to private life and personality rights, to justify the territorial effects of an injunction by relying on the protection of fundamental rights guaranteed in Articles 1, 7 and 8 of the Charter: the scope of the Charter follows the scope of EU law and not vice versa. In the present case, as regards its substance, the applicant’s action is not based on EU law. Finally, Brussels Ia does not regulate the extra-EU effects of injunctions.

In conclusion therefore EU law does not regulate the question of extraterritorial reach in casu.

For the sake of completeness, the AG does offer at 94 ff ‘a few additional observations’ as regards the removal of information disseminated worldwide via a social network platform. At 96 he refers to the CJEU’s judgment in Bolagsupplysningen which might implicitly have acknowledged universal jurisdiction, to conclude at 100 (references omitted)

the court of a Member State may, in theory, adjudicate on the removal worldwide of information disseminated via the internet. However, owing to the differences between, on the one hand, national laws and, on the other, the protection of the private life and personality rights provided for in those laws, and in order to respect the widely recognised fundamental rights, such a court must, rather, adopt an approach of self-limitation. Therefore, in the interest of international comity…, that court should, as far as possible, limit the extraterritorial effects of its junctions concerning harm to private life and personality rights. The implementation of a removal obligation should not go beyond what is necessary to achieve the protection of the injured person. Thus, instead of removing the content, that court might, in an appropriate case, order that access to that information be disabled with the help of geo-blocking.

There are very sound and extensive references to scholarship in the footnotes to the Opinion, including papers on the public /private international law divide and the shifting nature of same (the Brussels Court of Appeal recently in the Facebook case justifiably found jurisdictional grounds in neither public nor private international law, to discipline Facebook Ireland and Facebook Inc for its datr-cookies placed on Belgian users of FB).

I find the AG’s Opinion convincing and complete even in its conciseness. One can analyse the jurisdictional issues until the cows come home. However, in reality reasons of personal indemnification may argue in specific circumstances for universal jurisdiction and ditto reach of injunctive relief. However these bump both into the substantial trade-off which needs to be made between different fundamental rights (interest in having freedom removed v freedom of information), and good old principles of comitas gentium aka comity. That is not unlike the US judicial approach in similar issues.

Geert.

(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 2.2.8.2, Heading 2.2.8.2.5.

Posted on

Eva Glawischnig-Piesczek v Facebook. Hate speech at the CJEU.

In Case C-18/18, Eva Glawischnig-Piesczek v Facebook, the Austrian Supreme Court has referred a ‘hate speech’ case to Luxembourg – hearing will be tomorrow, 12 February. The Case revolves around Article 15 of the E-Commerce Directive: one sentence Twitter summary comes courtesy of Tito Rendas: does Article 15 prohibit the imposition on a hosting provider (Facebook, in this case) of an obligation to remove not only notified illegal content, but also identical and similar content, at a national or worldwide level?

Mirko Brüß has more extensive analysis here. I used the case in my class with American University (my students will be at the hearing tomorrow), to illustrate the relationship between secondary and primary law, but also the art in reading EU secondary law (here: A15 which limits what can be imposed upon a provider; and the recitals of the Directive which seem to leave more leeway to the Member States; particularly in the light of the scant harmonisation of tort law in the EU). To readers of the blog the case is probably more relevant in light of the questions on territorial scope: if a duty to remove may be imposed, how wide may the order reach? It is in this respect that the case is reminiscent of the Google etc. cases.

Yet another one to look out for.

Geert.

(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 2.2.8.2, Heading 2.2.8.2.5.

Posted on

Protection of privacy and private international law. Interim ILA report.

A short post effectively to deposit relevant documentation on the issue of privacy and private international law – which I frequently report on on the blog (e.g. use tag ‘rtbf’, or ‘internet’, or ‘privacy’, ‘Facebook’, or ‘Google’; see i.a. my recent posts re Facebook, Google , Schrems, etc.

Max Planck Luxembourg have the interim report on the International Law Association’s draft guidelines on jurisdiction and applicable law re privacy on their website, featuring many of the cases I have reported on over the years.

Happy reading.

Geert.

 

%d bloggers like this: