Posts Tagged GDPR

Territoriality and delisting. Google score (cautious) French points ahead of Thursday’s AG Opinion in CJEU case.

On Thursday the Advocate-General will opine in C-136/17 G.C. e.a. and  C-507/17 Google (FR) – on which I reported ia here. The issue is, in the main, the territorial scope of EU data protection laws.

X v Google LLC at the Tribunal de grande instance de Paris on 14 November 2018 is a good warm-up, forwarded to me (for which many thanks) by Jef Ausloos (I have copy for those interested). The case concerns an article in Le Monde linking a French resident, active in international hotel management, to a Moroccan enquiry into pedophilia. The court’s review of the facts suggests an unsubstantiated link between X and the case – yet the damage to claimant’s reputation evidently is done nevertheless. Claimant requests delinking not just for searches performed in France on all Google extensions, but rather for all searches performed globally.

The court first of all observes that for searches performed in France, delisting of many of the identified urls has already happened – and orders on the basis of French law (which it applies, it suggests, per the GDPR) Google LLC to carry out delisting for the others in as far as searches are carried out from French territory. X’s privacy is given priority over freedom of expression and Google LLC’s US domicile is not mentioned as being relevant (no verbatim discussion of same is recorded in the judgment. X’s French nationality and domicile however, are, hence presumably it is the infamous Article 14  Code Civil which is at play here). Google’s argument that the as listed urls link to articles in languages other than French and relating to facts taking place outside of France is dismissed as irrelevant.

Claimant however had requested global delisting, regardless of the user’s geographical location. That, the court holds, is a request it cannot grant. Its refusal is justified in one sentence only: a global delisting order would be disproportionate in the case of a French national and resident, simply because his employment record is international:

‘une telle mesure apparaît ici disproportionnée, s’agissant d’un résident français, le seul caractère international de ces démarches d’emploi ne pouvant justifier d’une telle restriction, qui conduirait in fine à soumettre le réseau internet à une injonction de portée globale.’ 

The judgment therefore does not tackle the conceptual issues surrounding jurisdiction (which the Belgian courts, for instance, have been tempted into in the Facebook case), neither does it rule out global injunctions in cases which have more than just a fleeting international element.

Happy 2019.

Geert.

 

 

, , , , , , , , , , , , , , , , , , , , , ,

Leave a comment

EDPB guidelines on the territorial reach of the GDPR: Some clear conflicts overlap.

GDPR (General Data Protection Regulation) aficionados will have already seen the draft guidelines published by the EDPB – the European data protection board – on the territorial scope of the Regulation.

Of particular interest to conflicts lawyers is the Heading on the application of the ‘targeting’ criterion of GDPR’s Article 3(2). There are clear overlaps here between Brussels I, Rome I, and the GDPR and indeed the EDPB refers to relevant case-law in the ‘directed at’ criterion in Brussels and Rome.

Geert.

(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 2.2.8.2.3, Heading 2.2.8.2.5.

 

, , , , , , , , , , , , , , , , , , , , , , , ,

Leave a comment

Facebook appeal against UK fine puts territoriality of data protection in the spotlight.

I have an ever-updated post on Google’s efforts to pinpoint the exact territorial dimension of the EU’s data protection regime, GDPR etc. Now, Facebook are reportedly (see also here) appealing a fine imposed by the UK’s data protection authority in the wake of the Cambridge Analytica scandal. Facebook’s point at least as reported is that the breach did not impact UK users.

The issue I am sure exposes Facebook in the immediate term to PR challenges. However in the longer term it highlights the need to clarify the proper territorial reach of both data protection laws and their enforcement.

One to look out for.

Geert.

 

, , , , , , , , , , , , , , , , , , , , , ,

Leave a comment

Lloyd v Google. High Court rejects jurisdiction viz US defendant, interprets ‘damage’ in the context of data protection narrowly.

Update 11 December 2018 leave to appeal applied for.

Warby J in  [2018] EWHC 2599 (QB) Lloyd v Google (a class action suit with third party financing) considers, and rejects, jurisdiction against Google Inc (domiciled in the US) following careful consideration (and distinction) of the Vidal Hall (‘Safari users) precedent.

Of note is that the jurisdictional gateway used is the one in tort, which requires among others an indication of damage. In Vidal Hall, Warby J emphasises, that damage consisted of specific material loss or emotional harm which claimants had detailed in confidential court findings (all related to Google’s former Safari turnaround, which enabled Google to set the DoubleClick Ad cookie on a device, without the user’s knowledge or consent, immediately, whenever the user visited a website that contained DoubleClick Ad content.

In essence, Warby J suggests that both EU law (reference is made to CJEU precedent under Directive 90/314) and national law tends to suggest that “damage” has been extended in various contexts to cover “non-material damage” but only on the proviso that “genuine quantifiable damage has occurred”.

Wrapping up, at 74: “Not everything that happens to a person without their prior consent causes significant or any distress. Not all such events are even objectionable, or unwelcome. Some people enjoy a surprise party. Not everybody objects to every non-consensual disclosure or use of private information about them. Lasting relationships can be formed on the basis of contact first made via a phone number disclosed by a mutual friend, without asking first. Some are quite happy to have their personal information collected online, and to receive advertising or marketing or other information as a result. Others are indifferent. Neither category suffers from “loss of control” in the same way as someone who objects to such use of their information, and neither in my judgment suffers any, or any material, diminution in the value of their right to control the use of their information. Both classes would have consented if asked. In short, the question of whether or not damage has been sustained by an individual as a result of the non-consensual use of personal data about them must depend on the facts of the case. The bare facts pleaded in this case, which are in no way individualised, do not in my judgment assert any case of harm to the value of any claimant’s right of autonomy that amounts to “damage”…”

The judgment does not mean that misuse of personal data cannot be disciplined under data protection laws (typically: by the data protection authorities) or other relevant national courses of action. But where it entails a non-EU domiciled party, and the jurisdictional gateway of ‘tort’ is to be followed, ‘damage’ has to be shown.

Geert.

 

, , , , , , , , , , , , , , , , , , , , , , , , ,

Leave a comment

On soggy grounds. The GDPR and jurisdiction for infringement of privacy.

Update 25 March 2019 See also Lydia Lundstedt’s paper on the same issues here. See also Max Schrems’ report on the courts at Vienna applying A79 here, and the excellent chapter by prof Hess on the troublesome matrix of jurisdictional rules in his gem of a book ‘The private-Public divide in international dispute resolution‘.

Many thanks to Julien Juret for asking me contribute to l’Observateur de Bruxelles, the review of the French Bar representation in Brussels (la Délégation des barreaux de France). I wrote this piece on the rather problematic implications of the GDPR, the General Data Protection Regulation, on jurisdictional grounds for invasion of privacy.

I conclude that the Commission’s introduction of Article 79 GDPR without much debate or justification, will lead to a patchwork of fora for infringement of personality rights. Not only will it take a while to settle the many complex issues which arise in their precise application. Their very existence arguably will distract from harmonised compliance of the GDPR rules.

I owe Julien and his colleagues the French translation (as well as their patience in my late delivery) for I wrote the piece initially in English. Readers who would like to receive a copy of that EN original, please just send me an e-mail. (Or try here, which if it works should have both the FR and the EN version).

Geert.

(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 2.2.8.2.5.

, , , , , , , , , , ,

1 Comment

Handing over. ‘Joint control’ in Fansites /Wirtschaftsakademie.

Choices, choices. I will continue to follow the GDPR for jurisdictional purposes, including territorial scope. (And I have a paper coming up on conflict of laws issues in the private enforcement of same). But for much of the GDPR enforcement debate, I am handing over to others. Johannes Marosi, for instance, who reviews the CJEU judgment this week in Fansites /Wirtschaftsakademie, over at Verfassungsblog. I reviewed the AG’s Opinion here.

Judgment in Grand Chamber but with small room for cheering.

As Johannes’ post explains, there are many loose ends in the judgment, and little reference to the GDPR (technically correct but from a compliance point of view wanting). (As an aside: have a look at Merlin Gömann’s paper, in CMLREv, on the territorial scope of the GDPR).

Geert.

(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 2.2.8.2.5.

 

 

, , , , , , , , , , , , , , ,

3 Comments

US Iran sanctions renew the spotlight on the EU’s blocking regulation: A rare EU harmonised approach to enforcement and recognition from third States.

Ross Denton at Baker & McKenzie has a gem of a briefing on the EU’s ‘blocking Regulation’ and what it would mean in light of the US’ mooted sanctions on Iran. Steptoe had earlier also pondered the impact of the US withdrawal from the ‘Joint Comprehensive Plan of Action’ or JCPOA, on the Regulation.

Regulation 2271/96 provides essentially for protection against, and counteracts the effects of the extra-territorial application of the laws of third States. WTO lawyers will remember it mostly from the days of Helms-Burton. As Ross points out, the European Commission now have delegated power to populate the Annex to the list (which details the sanctions the Regulation acts against).

Potentially extra-territorial are in particular US ‘secondary’ sanctions: i.e. those against non-US individuals (or companies) for actions undertaken outside the US.

Of particular interest to readers of the blog – including researchers I would imagine, are Articles 4, 5 and 6, which I have copy-pasted in full below. They deal with recognition and enforcement, co-operation with foreign courts, and recovery of expenses. These Articles are a rare instance where the EU adopt a harmonised approach to recognition and enforcement of judgments originating ex-EU (awaiting the potential Hague Judgments project). [Update 22 May 11:30 AM. As Enio Piovezani comments below, the GDPR, too, includes a relevant rule: See Article 48: ‘Transfers or disclosures not authorised by Union law. Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.’]

 

As Ross points out, however, the proverbial US rock is harder than the equally proverbial EU stone, hence in practice many companies choose to abide by the US sanctions, anyways.

My fingers are itching to launch yet another interesting PhD topic on this issue…Takers?

Geert.

 

Article 4

No judgment of a court or tribunal and no decision of an administrative authority located outside the Community giving effect, directly or indirectly, to the laws specified in the Annex or to actions based thereon or resulting there from, shall be recognized or be enforceable in any manner.

Article 5

No person referred to in Article 11 shall comply, whether directly or through a subsidiary or other intermediary person, actively or by deliberate omission, with any requirement or prohibition, including requests of foreign courts, based on or resulting, directly or indirectly, from the laws specified in the Annex or from actions based thereon or resulting therefrom.

Persons may be authorized, in accordance with the procedures provided in Articles 7 and 8, to comply fully or partially to the extent that non-compliance would seriously damage their interests or those of the Community. The criteria for the application of this provision shall be established in accordance with the procedure set out in Article 8. When there is sufficient evidence that non-compliance would cause serious damage to a natural or legal person, the Commission shall expeditiously submit to the committee referred to in Article 8 a draft of the appropriate measures to be taken under the terms of the Regulation.

Article 6

Any person referred to in Article 11, who is engaging in an activity referred to in Article 1 shall be entitled to recover any damages, including legal costs, caused to that person by the application of the laws specified in the Annex or by actions based thereon or resulting therefrom.

Such recovery may be obtained from the natural or legal person or any other entity causing the damages or from any person acting on its behalf or intermediary.

The Brussels Convention of 27 September 1968 on jurisdiction and the enforcement of judgments in civil and commercial matters shall apply to proceedings brought and judgments given under this Article. Recovery may be obtained on the basis of the provisions of Sections 2 to 6 of Title II of that Convention, as well as, in accordance with Article 57 (3) of that Convention, through judicial proceedings instituted in the Courts of any Member State where that person, entity, person acting on its behalf or intermediary holds assets.

Without prejudice to other means available and in accordance with applicable law, the recovery could take the form of seizure and sale of assets held by those persons, entities, persons acting on their behalf or intermediaries within the Community, including shares held in a legal person incorporated within the Community.

, , , , , , , , , , , , ,

1 Comment

%d bloggers like this: