Posts Tagged GDPR
Court of Justice in Google v CNIL sees no objection in principle to EU ‘Right to be forgotten’ leading to worldwide delisting orders. Holds that as EU law stands, however, it is limited to EU-wide application, leaves the door open to national authorities holding otherwise.
Many commentators were wrong-footed on reading Advocate-General Szpunar’s Opinion in C-505/17 Google Inc v Commission nationale de l’informatique et des libertés (CNIL), concerning the territorial limits to right to have search results delisted, more popularly referred to as ‘the right to erasure’ or the ‘right to be forgotten’ (‘RTBF’ – a product of the CJEU in Google Spain). Far from ruling out ‘extraterritorial’ or worldwide force of the right, the AG saw no objection to it in principle, even if he suggested non-application to the case at issue (he did so again in his Opinion in C-18/18 Eva Glawischnig-Piesczek v Facebook, which I review here and on which judgment is forthcoming next week).
The Court yesterday held (the Twitter storm it created was later somewhat drowned by the UK Supreme Court’s decision in the prorogation case) and overall confirmed the AG’s views. As with the AG’s Opinion, it is important to read the Judgment for what it actually says, not just how the headlines saw it. For immediate analysis, readers may also want to read Daphne Keller’s and Michèle Finck’s threads and Dan Svantesson’s impromptu assessment.
It is again important to point out that the French data protection authority’s (CNIL) decision at issue, 2016/054 is a general CNIL instruction to Google to carry out global delisting in instances where natural persons request removal; not a case-specific one.
I have a case-note on the case and on C-137/17 (judgment also yesterday) forthcoming with Yuliya Miadzvetskaya, but here are my initial thoughts on what I think is of particular note.
1. The Court of Justice (in Grand Chamber) first of all, unusually, examines the questions in the light of both Directive 95/46, applicable to the facts at issue, and the GDPR Regulation ‘in order to ensure that its answers will be of use to the referring court in any event’ (at 41).
2. Next, at 52, the Court dismisses a fanciful distributive approach towards the computing reality of data processing:
Google’s establishment in French territory carries on, inter alia, commercial and advertising activities, which are inextricably linked to the processing of personal data carried out for the purposes of operating the search engine concerned, and, second, that that search engine must, in view of, inter alia, the existence of gateways between its various national versions, be regarded as carrying out a single act of personal data processing. The referring court considers that (and the CJEU clearly agrees, GAVC), in those circumstances, that act of processing is carried out within the framework of Google’s establishment in French territory.
3. At 55, the Court points out that de-referencing carried out on all the versions of a search engine would meet the objective of data protection in full, particularly (at 56) given the fact that ‘(t)he internet is a global network without borders and search engines render the information and links contained in a list of results displayed following a search conducted on the basis of an individual’s name ubiquitous (the Court restating here its finding in both Google Spain and Bolagsupplysningen).
At 58 the Court employs that finding of ubiquitousness to ‘justify the existence of a competence on the part of the EU legislature to lay down the obligation, for a search engine operator, to carry out, when granting a request for de-referencing made by such a person, a de-referencing on all the versions of its search engine.’ No grand statements on public international law’s views on adjudicative extraterritoriality /universality. Just a simple observation.
The Court subsequently however (at 59-60) notes other States’ absence of a right to de-referencing and their different views on the balancing act between privacy and freedom of speech in particular. At 61-62 it then notes
While the EU legislature has, in Article 17(3)(a) of Regulation 2016/679, struck a balance between that right and that freedom so far as the Union is concerned (see, to that effect, today’s judgment, GC and Others (De-referencing of sensitive data), C‑136/17, paragraph 59), it must be found that, by contrast, it has not, to date, struck such a balance as regards the scope of a de-referencing outside the Union.
In particular, it is in no way apparent from the wording of Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 or Article 17 of Regulation 2016/679 that the EU legislature would, for the purposes of ensuring that the objective referred to in paragraph 54 above is met, have chosen to confer a scope on the rights enshrined in those provisions which would go beyond the territory of the Member States and that it would have intended to impose on an operator which, like Google, falls within the scope of that directive or that regulation a de-referencing obligation which also concerns the national versions of its search engine that do not correspond to the Member States.
In other words the Court has adopted the same approach as the United States Supreme Court has done in Morrison v. National Australia Bank; and Kiobel: there is a presumption against extraterritoriality, however it is not excluded. In the absence of indications of the legislator wish to extend the right to delisting extraterritorially it does not so exist in the current state of the law.
4. At 63 the Court hints at what might be required as part of such future potential extraterritorial extension: EU law does not currently provide for cooperation instruments and mechanisms as regards the scope of a de-referencing outside the Union – in contrast with the regime it has intra-EU. This also hints at the CJEU taking a more multilateral approach to the issue than its SCOTUS counterpart.
5. At 69 the Court then adds that intra-EU, a delisting order covering all of the search engine’s EU extensions is both possible and may be appropriate: co-operation between authorities may lead to ‘where appropriate, a de-referencing decision which covers all searches conducted from the territory of the Union on the basis of that data subject’s name.’
6. A final twist then follows at 72:
Lastly, it should be emphasised that, while, as noted in paragraph 64 above, EU law does not currently require that the de-referencing granted concern all versions of the search engine in question, it also does not prohibit such a practice. Accordingly, a supervisory or judicial authority of a Member State remains competent to weigh up, in the light of national standards of protection of fundamental rights (references to CJEU authority omitted, GAVC), a data subject’s right to privacy and the protection of personal data concerning him or her, on the one hand, and the right to freedom of information, on the other, and, after weighing those rights against each other, to order, where appropriate, the operator of that search engine to carry out a de-referencing concerning all versions of that search engine.
Here I do not follow the Court: one could argue that the harmonised EU’s approach is currently not to extend the right to delisting extraterritorially. The Court on the other hand seems to be suggesting that the extraterritoriality issue was not discussed in the Directive or Regulation, that EU law does not occupy (‘pre-empt’) that regulatory space and consequently leaves it up to the Member States to regulate that right. (Update 27 September 2019: Other interpretations are collated here).
I shall need more detailed reading of the GDPR’s preparatory works to form a view as to whether the extraterritorial element was considered, and rejected, or simply not discussed. However I also want to already point out that if the decision is left to the Member States, the case-law and theory of pre-emption clarifies that such national action has to be taken in full compatibility with EU law. including free movement of services, say, which Google may rightfully invoke should there be a disproportionate impact on the Internal Market.
(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 22.214.171.124, Heading 126.96.36.199.5.
Ramona Ang v Reliantco: On bitcoins, choice of court, complex financial markets and ‘consumers’. As well as a first vindication of my GDPR jurisdictional prediction.
As noted, I have come up for some air after a few hectic weeks – next case to report on is  EWHC 879 (Comm) Ramona v Reliantco, held 12 April. (A similar case is pending with the CJEU against Reliantco as Case C-500/18).
Defendant (‘Reliantco’) is a company incorporated in Cyprus offering financial products and services through an online trading platform under the ‘UFX’ trade name. Claimant, Ms Ang, is an individual of substantial means who invested in Bitcoin futures, on a leveraged basis, through the UFX platform. She claims, essentially and primarily, that Reliantco wrongfully blocked and terminated her UFX account and should compensate her for the loss of her open Bitcoin positions, or at a minimum should refund her cash value invested. She also makes claims for relief in respect of what she says have been breaches of data protection obligations owed by Reliantco in connection with her UFX account.
The judgment does not concern the merits of Ms Ang’s claims but rather an application by Reliantco challenging jurisdiction. Reliantco contends that Ms Ang is bound by its standard terms and conditions, clause 27.1 of which provides that the courts of Cyprus are to have exclusive jurisdiction over “all disputes and controversies arising out of or in connection with” her customer agreement. Reliantco therefore relies on Article 25 Brussels Ia.
Ms Ang says that clause 27.1 is ineffective to require her to bring her claim in Cyprus, either because she is a consumer within Section 4 of Brussels (Recast) or because clause 27.1 was not incorporated into her UFX customer agreement with Reliantco in such a way as to satisfy the requirements of Article 25. Ms Ang says, in the alternative, that her data protection claims may be brought here notwithstanding Article 25 Brussels Ia even if Article 25 applies to her primary substantive claims.
All in all a nice set of jurisdictional issues and no surprise to have prof Jonathan Harris QC involved as counsel.
At all times material to her claim, Ms Ang was not employed or earning a living in any self-employed trade or profession (unless, which is contentious between the parties and considered below, her activity as a customer of Reliantco via the UFX platform is itself to be so classified). Ms Ang worked in money markets for two months as a trainee, observing US$/DM currency swaps. Other than that, she has no professional currency trading or money market experience (again, that is, unless her use of the UFX platform to invest in Bitcoin futures itself counts as such).
At 9, s little bit of Bitcoin drame enters the scene: Ms Ang’s husband, Craig Wright, is a computer scientist with cybersecurity and blockchain expertise who works as Chief Scientist for nChain Ltd, a blockchain technology company with a corporate vision “to transform how the world conducts all transactions – using the blockchain’s distributed, decentralised ledger that chronologically records transactions in an immutable way“. As a researcher, he publishes prolifically and has developed innovations for which patent protection has been sought. He is the same Craig Wright who has identified himself publicly as being ‘Satoshi Nakamoto’, the online pseudonym associated with the inventor (or a co-inventor) of Bitcoin. Baker J holds that he need not consider whether that claim is true, and on the evidence for this application I would not be in any position to do so.
Was Ms Ang a ‘consumer’? At 52 ff the arguments of Reliantco are summarised; at 55 ff those of Ms Ang.
CJEU precedent discussed by Baker J is C-89/91 Shearson; C-269/95 Benincasa; C-464/01 Gruber; C-498/16 Schrems; and the pending cases C‑208/18 Petruchová [I reviewed the AG’s Opinion (issued a day before the High Court’s judgment) yesterday] and C-500/18 Reliantco Investments and Reliantco Investments Limassol Sucursala Bucureşti.
Baker J concludes at 34 ‘the ECJ/CJEU has not decided whether contracts entered into by a wealthy private individual for the purpose of investing her wealth, or particular types of such contract, are not (or can never be) consumer contracts.’
Reference is then made to English precedent along the very lines of the precedent dismissed by Tanchev AG in Petruchová: including AMT Futures v Marzillier, and at 35 ff Standard Bank London Ltd v Apostolakis both through the English and the Greek courts – with differing results. At 44: ‘the disagreement between the English and Greek decisions in Apostolakis turns upon and is constituted by a difference of view as to whether investing private wealth for gain, if it takes the form of buying and selling foreign currency, is by nature a business activity so that an individual investing their wealth in that way cannot when doing so be a ‘consumer’ under Brussels (Recast). Longmore J thought there was no such proposition of law; the Greek court took the contrary view.’ German case-law is also discussed.
At 63 Baker J comes to the core of his reasoning: ‘In my judgment, the investment by a private individual of her personal surplus wealth (i.e. surplus to her immediate needs), in the hope of generating good returns (whether in the form of income on capital, capital growth, or a mix of the two), is not a business activity, generally speaking. It is a private consumption need, in the sense I believe intended by the ECJ in Benincasa, to invest such wealth with such an aim, i.e. that is an ‘end user’ purpose for a private individual and is not exclusively a business activity. That means, as was also Popplewell J’s conclusion in AMT v Marzillier, that it will be a fact-specific issue in any given case whether a particular individual was indeed contracting as a private individual to satisfy that need, i.e. as a consumer, or was doing so for the purpose of an investment business of hers (existing or planned).’
And at 65 in fine: the ‘question of purpose is the question to be asked, and it must be considered upon all of the evidence available to the court and not by reference to any one part of that evidence in isolation.’
At 68 he concludes ‘the purpose of her contract with Reliantco therefore was outside any business of hers’.
Baker J notes that he was not asked to defer any decision in C‑208/18 Petruchová. I believe it would have been of help to determine the issue before him. Tanchev AG (as noted, in an Opinion not available to Baker J at the time of his drafting his judgment) suggests that ‘to determine whether a person must be regarded as a consumer, reference must be made to the nature and objective of the contract, not to the subjective situation of the person concerned.’
Obiter, he then reviews Article 25, where CJEU authority discussed is ia Colzanni and Cars on the Web. Ms Ang contended that she was not able to access the standard terms web page at the time she opened her account, and therefore clause 27.1 did not comply with Article 25 B1a. At 78 extensive technical detail is discussed and at 80 Baker J finds that the Cars on the Web criterion of accessibility and durability were met; and at 81 that in any case, the current issue is not one of a click-wrap agreement for a signed hard copy of the GTCs with choice of court in it, had also been sent.
Equally obiter, at 83 ff Baker J summarily discussed the GDPR jurisdictional arguments which would have been more relevant had he not accepted jurisdiction under the consumer title. The brief discussion entirely fulfills my summer 2018 prediciton here: Article 79 GDPR will create a lot of issues at the level of jurisdiction.
A very relevant case.
(Handbook of) EU private International Law, 2nd ed. 2016, Chapter 2, Heading 188.8.131.52.
Territoriality and delisting. Google score (cautious) French points ahead of Thursday’s AG Opinion in CJEU case.
X v Google LLC at the Tribunal de grande instance de Paris on 14 November 2018 is a good warm-up, forwarded to me (for which many thanks) by Jef Ausloos (I have copy for those interested). The case concerns an article in Le Monde linking a French resident, active in international hotel management, to a Moroccan enquiry into pedophilia. The court’s review of the facts suggests an unsubstantiated link between X and the case – yet the damage to claimant’s reputation evidently is done nevertheless. Claimant requests delinking not just for searches performed in France on all Google extensions, but rather for all searches performed globally.
The court first of all observes that for searches performed in France, delisting of many of the identified urls has already happened – and orders on the basis of French law (which it applies, it suggests, per the GDPR) Google LLC to carry out delisting for the others in as far as searches are carried out from French territory. X’s privacy is given priority over freedom of expression and Google LLC’s US domicile is not mentioned as being relevant (no verbatim discussion of same is recorded in the judgment. X’s French nationality and domicile however, are, hence presumably it is the infamous Article 14 Code Civil which is at play here). Google’s argument that the as listed urls link to articles in languages other than French and relating to facts taking place outside of France is dismissed as irrelevant.
Claimant however had requested global delisting, regardless of the user’s geographical location. That, the court holds, is a request it cannot grant. Its refusal is justified in one sentence only: a global delisting order would be disproportionate in the case of a French national and resident, simply because his employment record is international:
‘une telle mesure apparaît ici disproportionnée, s’agissant d’un résident français, le seul caractère international de ces démarches d’emploi ne pouvant justifier d’une telle restriction, qui conduirait in fine à soumettre le réseau internet à une injonction de portée globale.’
The judgment therefore does not tackle the conceptual issues surrounding jurisdiction (which the Belgian courts, for instance, have been tempted into in the Facebook case), neither does it rule out global injunctions in cases which have more than just a fleeting international element.
GDPR (General Data Protection Regulation) aficionados will have already seen the draft guidelines published by the EDPB – the European data protection board – on the territorial scope of the Regulation.
Of particular interest to conflicts lawyers is the Heading on the application of the ‘targeting’ criterion of GDPR’s Article 3(2). There are clear overlaps here between Brussels I, Rome I, and the GDPR and indeed the EDPB refers to relevant case-law in the ‘directed at’ criterion in Brussels and Rome.
(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 184.108.40.206.3, Heading 220.127.116.11.5.
I have an ever-updated post on Google’s efforts to pinpoint the exact territorial dimension of the EU’s data protection regime, GDPR etc. Now, Facebook are reportedly (see also here) appealing a fine imposed by the UK’s data protection authority in the wake of the Cambridge Analytica scandal. Facebook’s point at least as reported is that the breach did not impact UK users.
The issue I am sure exposes Facebook in the immediate term to PR challenges. However in the longer term it highlights the need to clarify the proper territorial reach of both data protection laws and their enforcement.
One to look out for.