Posts Tagged GDPR

Lloyd v Google. High Court rejects jurisdiction viz US defendant, interprets ‘damage’ in the context of data protection narrowly.

Warby J in [2018] EWHC 2599 (QB) Lloyd v Google (a class action suit with third party financing) considers, and rejects, jurisdiction against Google Inc (domiciled in the US) following careful consideration (and distinction) of the Vidal Hall (‘Safari users’) precedent.

Of note is that the jurisdictional gateway used is the one in tort, which requires among others an indication of damage. In Vidal Hall, Warby J emphasises, damage consisted of specific material loss or emotional harm which claimants had detailed in confidential court findings (all related to Google’s former Safari turnaround, which enabled Google to set the DoubleClick Ad cookie on a device, without the user’s knowledge or consent, immediately, whenever the user visited a website that contained DoubleClick Ad content).

In essence, Warby J suggests that both EU law (reference is made to CJEU precedent under Directive 90/314) and national law tend to suggest that “damage” has been extended in various contexts to cover “non-material damage” but only on the proviso that “genuine quantifiable damage has occurred”.

Wrapping up, at 74: “Not everything that happens to a person without their prior consent causes significant or any distress. Not all such events are even objectionable, or unwelcome. Some people enjoy a surprise party. Not everybody objects to every non-consensual disclosure or use of private information about them. Lasting relationships can be formed on the basis of contact first made via a phone number disclosed by a mutual friend, without asking first. Some are quite happy to have their personal information collected online, and to receive advertising or marketing or other information as a result. Others are indifferent. Neither category suffers from “loss of control” in the same way as someone who objects to such use of their information, and neither in my judgment suffers any, or any material, diminution in the value of their right to control the use of their information. Both classes would have consented if asked. In short, the question of whether or not damage has been sustained by an individual as a result of the non-consensual use of personal data about them must depend on the facts of the case. The bare facts pleaded in this case, which are in no way individualised, do not in my judgment assert any case of harm to the value of any claimant’s right of autonomy that amounts to “damage”…”

The judgment does not mean that misuse of personal data cannot be disciplined under data protection laws (typically: by the data protection authorities) or other relevant national courses of action. But where it entails a non-EU domiciled party, and the jurisdictional gateway of ‘tort’ is to be followed, ‘damage’ has to be shown.

Geert.

 


On soggy grounds. The GDPR and jurisdiction for infringement of privacy.

Many thanks to Julien Juret for asking me to contribute to l’Observateur de Bruxelles, the review of the French Bar representation in Brussels (la Délégation des barreaux de France). I wrote this piece on the rather problematic implications of the GDPR, the General Data Protection Regulation, on jurisdictional grounds for invasion of privacy.

I conclude that the Commission’s introduction of Article 79 GDPR without much debate or justification will lead to a patchwork of fora for infringement of personality rights. Not only will it take a while to settle the many complex issues which arise in their precise application. Their very existence arguably will distract from harmonised compliance with the GDPR rules.

I owe Julien and his colleagues the French translation (as well as their patience in my late delivery) for I wrote the piece initially in English. Readers who would like to receive a copy of that EN original, please just send me an e-mail. (Or try here, which if it works should have both the FR and the EN version).

Geert.

(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 2.2.8.2.5.


Handing over. ‘Joint control’ in Fansites.

Choices, choices. I will continue to follow the GDPR for jurisdictional purposes, including territorial scope. (And I have a paper coming up on conflict of laws issues in the private enforcement of same). But for much of the GDPR enforcement debate, I am handing over to others. Johannes Marosi, for instance, who reviews the CJEU judgment this week in Fansites, over at Verfassungsblog. I reviewed the AG’s Opinion here.

Judgment in Grand Chamber but with small room for cheering.

As Johannes’ post explains, there are many loose ends in the judgment, and little reference to the GDPR (technically correct but from a compliance point of view wanting). (As an aside: have a look at Merlin Gömann’s paper, in CMLRev, on the territorial scope of the GDPR).

Geert.

(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 2.2.8.2.5.

 

 


US Iran sanctions renew the spotlight on the EU’s blocking regulation: A rare EU harmonised approach to enforcement and recognition from third States.

Ross Denton at Baker & McKenzie has a gem of a briefing on the EU’s ‘blocking Regulation’ and what it would mean in light of the US’ mooted sanctions on Iran. Steptoe had earlier also pondered the impact of the US withdrawal from the ‘Joint Comprehensive Plan of Action’ or JCPOA, on the Regulation.

Regulation 2271/96 provides essentially for protection against, and counteracts the effects of the extra-territorial application of the laws of third States. WTO lawyers will remember it mostly from the days of Helms-Burton. As Ross points out, the European Commission now have delegated power to populate the Annex to the list (which details the sanctions the Regulation acts against).

Potentially extra-territorial are in particular US ‘secondary’ sanctions: i.e. those against non-US individuals (or companies) for actions undertaken outside the US.

Of particular interest to readers of the blog – including researchers, I would imagine – are Articles 4, 5 and 6, which I have copy-pasted in full below. They deal with recognition and enforcement, co-operation with foreign courts, and recovery of expenses. These Articles are a rare instance where the EU adopt a harmonised approach to recognition and enforcement of judgments originating ex-EU (awaiting the potential Hague Judgments project). [Update 22 May 11:30 AM. As Enio Piovezani comments below, the GDPR, too, includes a relevant rule: See Article 48: ‘Transfers or disclosures not authorised by Union law. Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.’]

 

As Ross points out, however, the proverbial US rock is harder than the equally proverbial EU stone, hence in practice many companies choose to abide by the US sanctions, anyways.

My fingers are itching to launch yet another interesting PhD topic on this issue…Takers?

Geert.

 

Article 4

No judgment of a court or tribunal and no decision of an administrative authority located outside the Community giving effect, directly or indirectly, to the laws specified in the Annex or to actions based thereon or resulting therefrom, shall be recognized or be enforceable in any manner.

Article 5

No person referred to in Article 11 shall comply, whether directly or through a subsidiary or other intermediary person, actively or by deliberate omission, with any requirement or prohibition, including requests of foreign courts, based on or resulting, directly or indirectly, from the laws specified in the Annex or from actions based thereon or resulting therefrom.

Persons may be authorized, in accordance with the procedures provided in Articles 7 and 8, to comply fully or partially to the extent that non-compliance would seriously damage their interests or those of the Community. The criteria for the application of this provision shall be established in accordance with the procedure set out in Article 8. When there is sufficient evidence that non-compliance would cause serious damage to a natural or legal person, the Commission shall expeditiously submit to the committee referred to in Article 8 a draft of the appropriate measures to be taken under the terms of the Regulation.

Article 6

Any person referred to in Article 11, who is engaging in an activity referred to in Article 1 shall be entitled to recover any damages, including legal costs, caused to that person by the application of the laws specified in the Annex or by actions based thereon or resulting therefrom.

Such recovery may be obtained from the natural or legal person or any other entity causing the damages or from any person acting on its behalf or intermediary.

The Brussels Convention of 27 September 1968 on jurisdiction and the enforcement of judgments in civil and commercial matters shall apply to proceedings brought and judgments given under this Article. Recovery may be obtained on the basis of the provisions of Sections 2 to 6 of Title II of that Convention, as well as, in accordance with Article 57 (3) of that Convention, through judicial proceedings instituted in the Courts of any Member State where that person, entity, person acting on its behalf or intermediary holds assets.

Without prejudice to other means available and in accordance with applicable law, the recovery could take the form of seizure and sale of assets held by those persons, entities, persons acting on their behalf or intermediaries within the Community, including shares held in a legal person incorporated within the Community.


One of those groundhog days. The Brussels Court of First instance on Facebook, privacy, Belgium and jurisdiction.

I have flagged once or twice that the blog is a touch behind on reporting – I hope to be on top soon.

I blogged a little while ago that the Brussels Court of Appeal had sided with Facebook in their appeal against the Court of first instance’s finding of Belgian jurisdiction. I had earlier argued that the latter was wrong. These earlier skirmishes were in interim proceedings. Then, in February, the Court of First instance, unsurprisingly, reinstated its earlier finding, this time with a bit more substantial flesh to the bone.

First, a bit of Belgian surrealism. In an interlocutory ruling the court had requested FB to produce a full copy of the Court of Appeal’s judgment upon which it relied for some of its arguments. Perhaps given the appalling state of reporting of Belgian case-law, this finding should not surprise. Yet it remains an absurd notion that parties should produce copies at all of Belgian judgments, not least copies of a judgment of a Court of Appeal which is literally one floor up from the Court of first instance.

Now to the judgment. The court first of all confirms that the case does not relate to private international law, for the privacy commission acts iure imperii (I summarise). Then follows a very lengthy and exhaustive analysis of Belgium’s jurisdiction on the basis of public international law. Particularly given the excellent input of a number of my public international law colleagues, this part of the judgment is academically interesting, nay exciting – but also entirely superfluous. For any Belgian jurisdiction grounded in public international law surely is now exhaustively regulated by European law, Directive 95/46 in particular.

In finally reviewing the application of that Directive, and inevitably of course with reference to Weltimmo etc., the Court essentially assesses whether Facebook Belgium (the jurisdictional anchor) carries out activities beyond mere representation vis-a-vis the EU institutions, and finds that it does carry out commercial activities directed at Belgian users. That of course is a factual finding which requires au faitness with the employees’ activities.

Judgment is being appealed by Facebook – rightly so I believe. Of note is also that once the GDPR applies, exclusive Irish jurisdiction is clear.

Geert.

 

 

 


The High Court on the right to be forgotten. Precise terms of delisting order to be finalised.

In [2018] EWHC 799 (QB) the High Court granted one and refused another delisting request, otherwise known as the ‘right to be forgotten’ (rtbf or RTBF) following the CJEU’s judgment in Google Spain.

Of interest to data protection lawyers is Warby J’s excellent review of the test to be applied (particularly within the common law context of misuse of private information). Of interest to readers of this blog, is what is not yet part of the High Court’s ruling: the precise wording of the delisting order. Particularly: defendant is Google LLC, a US-based company. Will the eventual delisting order in the one case in which it was granted, include worldwide wording? For our discussion of relevant case-law worldwide, see here.

Geert.


Extraterritorial application of warrants: Our amicus curiae brief in the Microsoft Ireland case.

Update 3 April 2018. Recently, the so-called “CLOUD Act” was passed by Congress and signed into law. This new law amends the Stored Communications Act to give it a potentially extraterritorial reach. Following this development, the U.S. Government has moved to have the Microsoft case dismissed as moot, and to have the Second Circuit’s decision vacated. [Technically, Congress has enacted, and the President has signed, the Consolidated Appropriations Act, 2018, H.R. 1625, 115th Cong., 2d Sess. (2018). Division V of that Act is called the Clarifying Lawful Overseas Use of Data Act, or the CLOUD Act. The CLOUD Act amends the Stored Communications Act, 18 U.S.C. 2701-2712, by adding 18 U.S.C. 2713, which now states: ‘A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.’]

For background to the Microsoft Ireland case under the Stored Communications Act (SCA), see here. The issue is essentially whether the US Justice Department may force Microsoft to grant access to e-mails stored on Irish servers.

With a group of EU data protection and conflicts lawyers, we have filed an amicus curiae brief in the case at the United States Supreme Court last week, arguing that the Court should interpret the SCA to apply only to data stored within the United States, leaving to Congress the decision whether and under what circumstances to authorize the collection of data stored in other countries.

There is not much point in me rehashing the arguments here: happy reading.

Geert.

 

 
