Posts Tagged GDPR
Update 3 April 2018 Recently, the so-called “CLOUD Act” was passed by Congress and signed into law. This new law amends the Stored Communications Act to give it a potentially extraterritorial reach. Following this development, the U.S. Government has moved to have the Microsoft case dismissed as moot, and to have the Second Circuit’s decision vacated. [Technically, Congress has enacted, and the President has signed,
the Consolidated Appropriations Act, 2018, H.R. 1625, 115th Cong., 2d Sess. (2018). Division V of that Act is called the Clarifying Lawful Overseas Use of Data Act, or the CLOUD Act. TheCLOUD Act amends the Stored Communications Act, 18 U.S.C. 2701-2712, by adding 18 U.S.C. 2713, which now states:
A provider of electronic communication service or remote computing service shall
comply with the obligations of this chapter to preserve, backup, or disclose the contents
of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.]
For background to the Microsoft Ireland case under the Stored Communications Act (SCA), see here. The issue is essentially whether the US Justice Department may force Microsoft to grant access to e-mails stored on Irish servers.
With a group of EU data protection and conflicts lawyers, we have filed an amicus curiae brief in the case at the United States Supreme Court last week, arguing that the Court should interpret the SCA to apply only to data stored within the United States, leaving to Congress the decision whether and under what circumstances to authorize the collection of data stored in other countries.
There is not much point in me rehashing the arguments here: happy reading.
Apologies for late reporting. Bot AG opined end of October in C‑210/16 Fansites. [The official name of the case is Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, in the presence of Facebook Ireland Ltd, Vertreter des Bundesinteresses beim Bundesverwaltungsgericht. It’s obvious why one prefers calling it Fansites].
The Advocate-General summarises (para 2-3) the case as involving ‘proceedings between the Wirtschaftsakademie Schleswig-Holstein GmbH, a company governed by private law and specialising in the field of education (‘the Wirtschaftsakademie’), and the Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein, a regional data-protection authority in Schleswig-Holstein (‘ULD’) concerning the lawfulness of an order issued by the latter against the Wirtschaftsakademie requiring it to deactivate a ‘fan page’ hosted on the website of Facebook Ireland Ltd. The reason for that order was the alleged infringement of the provisions of German law transposing Directive 95/46. Specifically, visitors to the fan page were not warned that their personal data are collected by the social network Facebook (‘Facebook’) by means of cookies that are placed on the visitor’s hard disk, the purpose of that data collection being to compile viewing statistics for the administrator of the fan page and to enable Facebook to publish targeted advertisements.’
The case ought to clarify the extent of the powers of intervention of supervisory authorities such as ULD with regard to the processing of personal data which involves the participation of several parties (at 13). I had flagged earlier that this case is relevant to the jurisdictional and applicable law issues involving datr cookies.
Whatever the outcome of the case, its precedent value will be limited by the imminent entry into force of the new General Data Protection Regulation – GDPR. The GDPR clearly introduces a ‘one-stop principle’ with only one lead authority (in FB’s case, Ireland’s data protection agency) having the authority to act (see also the AG’s observation of same in para 103).
As prof Lorna Woods in excellent analysis observes, the issue comes down to the interpretation of the phrase from Art. 4(1)(a), ‘in the context of the activities of an establishment’. Dan Svantesson has most superb analysis of Article 4(1)(a) here, anyone interested in the issue will find his insight most helpful.
Now, the Advocate-General leans heavily on Weltimmo however I would suggest its precedent value for the Fanpages case is constrained. Weltimmo concerned a company set up in Slovakia but with no relevant activities at all in that Member State. Indeed as the Court itself observed (at 16-18) , the company was effectively male fide (my words, not the CJEU’s) moving its servers and creating fog as to its exact whereabouts. In other words a case of blatant abuse. There is no suggestion of abuse in Fanpages. Moreover according to the CJEU in C-230/14 Weltimmo the phrase ‘in the context of the activities of an establishment’ cannot be interpreted restrictively (AG’s reference in para 87), yet that CJEU holding in Weltimmo cross-refers to Google Spain in which the crucial issue was whether EU data protection laws apply at all. That is very different in Weltimmo and in Fanpages. That EU authorities have jurisdiction and that EU privacy law applies is not at issue.
There is sufficient argument to find in the Directive, even before its transformation into the GDPR, that in cases such as these the same processing operation ought to be governed by the laws of just one Member State. It would be good for the CJEU to recognise that even before the entry into force of the GDPR.
(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 126.96.36.199.5.
Right to be forgotten v Right to know. In Townsend v Google Inc and Google UK the Northern Irish High Court emphasises public interest in open justice.
In  NIQB 81 Townsend v Google Inc. & Anor the Northern Ireland High Court refused service our of jurisdiction in relation to a request for Google (UK and Inc.) to de-list a number of urls relating to reports on sexual and other criminal offences committed by plaintiff.
Plaintiff seeks an injunction inter alia requiring the defendants and each of them to withdraw and remove personal data relating to the plaintiff, making reference to or tending to reveal sexual offences committed by the plaintiff while a child, from their data processing and indexing systems and to prevent access to such personal data in the future. The Court references ia Vidal-Hall and Google Spain. I will leave readers to digest the ruling largely for themselves for there is a lot in there: consideration of Article 8 ECHR; Directive 95/46; aforementioned precedent; tort law etc.
Of particular note is Stephens J’s finding at 61 that ‘(t)here is a clear public interest in open justice. There is a clear right to freedom of expression. In such circumstances the processing was not unwarranted and that there is no triable issue in relation to any allegation that Google Inc. has not satisfied this condition.’
A judgment to add to the growing pile of internet, jurisdiction and balancing of interests in privacy considerations.