Posts Tagged Google

Global Twinjunctions. X v Twitter.

Twitter injunctions – Twinjunctions if you like, rather like Facebook or Google Removal orders, provide classic scenarios for the consideration of the territorial scope of injunctive and enforcement proceedings. Michael Douglas has great review of [2017] NSWSC 1300 X v Twitter. On 28 September 2017, the Supreme Court of New South Wales awarded its final injunction with global reach, directed towards Twitter Inc (based at CAL) and its Irish counterpart, Twitter International Company.

Plaintiff requested removal of tweets and accounts, and also requested ia that Twitter disclose information relating to the identity of a troll, flagging a potential action against that person for breach of confidence. Twitter refused, appealing to its privacy policy. The eventual injunction went very far indeed, as Michael details. Of the issues under discussion, of interest to this post are the jurisdiction to grant injunctive relief against foreign defendants who do not appear; and the appropriateness of injunctions expressed to operate ‘everywhere in the world’.

Now, what is refreshing about Pembroke J’s review of the issues is his non-doctrinal analysis of the issue of jurisdiction. He emphasises that there is a long history of courts of equity making in personam orders that are intended to operate extra-territorially (the Court’s jurisdiction is one in equity); (at 40) that Twitter unlike other defendants may disagree with the ruling but will not seek to avoid its social responsibility; that there is a public interest in issuing the worldwide order (and in enforcing it: Pembroke J flags that there are Australia-based assets against which enforcement may be sought); and that given his experience with Twitter, it can be expected to use its best endeavours to give effect to the proposed orders, despite its objection that it is not feasible to pro-actively monitor user content.

Eventually of course the trouble with such an assessment, without consideration of wider issues of public and private international law, is that the issuing, or not, of orders of this kind by the courts, depends on the defendant’s attitude towards compliance. That is hardly a solution serving equal access to the law or indeed equity.

Geert.

 

 

, , , , , , , ,

Leave a comment

‘Right to be forgotten’ /data protection laws and the internet referred to CJEU.

Update 23 May 2017 the Case is C-136/17 and the relevant  dossier (partially in Dutch) is here, on the unparalleled website of the Dutch foreign ministry.

Many thanks to KU Leuven law student Dzsenifer Orosz (she is writing a paper on the issues for one of my conflict of laws courses) for alerting me to the French Conseil D’Etat having referred ‘right to be forgotten’ issues to the European Court of Justice.  I have of course on occasion reported the application of data protection laws /privacy issues on this blog (try ‘Google’ as a search on the blog’s search function). I also have a paper out on the case against applying the right to be forgotten to the .com domain, and with co-authors, one where we catalogue the application of RTBF until December 2016. See also my post on the Koln courts refusing application to .com.

The Conseil d’Etat has referred one or two specific Qs but also, just to be sure, has also asked the Court of Justice for general insight into how data protection laws apply to the internet. The Court is unlikely to offer such tutorial (not that it would not be useful). However any Advocate General’s opinion of course will offer 360 insight.

One to look forward to.

Geert.

 

, , , , , , , , , , , ,

Leave a comment

VKI v Amazon. Readers who read this item should also read plenty of others.

C-191/15 Verein für Konsumenteninformation v Amazon SarL is one of those spaghetti bowl cases, with plenty of secondary law having a say on the outcome. In the EU purchasing from Amazon (on whichever of its extensions) generally implies contracting with the Luxembourg company (Amazon EU) and agreeing to Luxembourg law as applicable law. Amazon has no registered office or establishment in Austria. VKI is a consumer organisation which acted on behalf of Austrian consumers, seeking an injunction prohibiting terms in Amazon’s GTCs (general terms and conditions), specifically those which did not comply with Austrian data protection law and which identified Luxembourg law as applicable law.

Rather than untangle the bowl for you here myself, I am happy to refer to masterchef Lorna Woods who can take you through the Court’s decision (with plenty of reference to Saugmandsgaard Øe’s Opinion of early June). After readers have consulted Lorna’s piece, let me point out that digital economy and applicable EU law is fast becoming a quagmire. Those among you who read Dutch can read a piece of mine on it here. Depending on whether one deals with customs legislation, data protection, or intellectual property, different triggers apply. And even in a pure data protection context, as prof Woods points out, there now seems to be a different trigger depending on whether one looks intra-EU (Weltimmo; Amazon) or extra-EU (Google Spain).

The divide between the many issues addressed by the Advocate General and the more narrow analysis by the CJEU, undoubtedly indeed announces further referral.

Geert.

(Handbook of) European Private International Law, 2016, Chapter 2, Heading 2.2.8.2.5.

, , , , , , , , , , , , , , , , , , , , , , ,

Leave a comment

The Brussels Court of Appeal is spot on on Facebook, privacy, Belgium and jurisdiction.

The Brussels Court of Appeal has sided with Facebook  on 29 June. This post I am going to keep very, very simple: told you so. Geert.

 

 

, , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Leave a comment

It’s true! Belgian Supreme Court confirms order for Yahoo! to hand over IP-addresses.

Jurisdiction and the internet is a topic which has featured once or twice on this blog recently (and in a  paper which I have already referred to in those earlier postings). Belgian’s Supreme Court in ordinary (the Hof van Cassatie /Cour de Cassation) employed the objective territoriality principle in a case with roots going back to 2007 (the fraudulent purchase of and subsequent failure to pay for electronic equipment from a shop in Dendermonde, Belgium), Yahoo! was requested to hand over the IP addresses associated with e-mail accounts registered to Yahoo!’s e-mail service. Yahoo! Inc, domiciled in California, refused to comply, triggering fines under criminal law.

Responding to Yahoo!s claims that Belgium was imposing its criminal laws extraterritorially, the Court of Appeal had held that Yahoo! is territorially present in Belgium, hereby voluntarily submitting itself to the jurisdiction of the Belgian authorities: it takes an active part in economic life in Belgium, among others by use of the domain name http://www.yahoo.be, the use of the local language(s) on that website, pop-up of advertisements based on the location of the users, and accessibility in Belgium of Belgium-focussed customer services (among others: a ‘Belgian’ Q&A, FAQ, and post box). [Notice the similarity with the Pammer /Alpenhof criteria]. The Court of Appeal had suggested that the accusations of extraterritoriality could only be accepted had there been a request for the handover of data or objects which are located in the USA, with which there is no Belgian territorial link whatsoever, and if the holder of these objects or data is not accessible in Belgium (either physically or virtually).

The Supreme Court on 1 December confirmed all of the Court of Appeal’s arguments, essentially linking them to the objective territoriality principle. Yahoo! actively directs its activities towards consumers present in Belgium.

Even though the case involves a criminal proceeding, the Court’s judgment inevitably (not necessarily justifiably) will be used as further support for the Belgian tussle with Facebook.

Geert.

, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Leave a comment

Not the way the datr cookie crumbles. Belgian courts on soggy jurisdictional grounds in Facebook privacy ruling.

Update 27 June 2017 Before the CJEU Case C-210/16 Wirtschaftsakademie Schleswig-Holstein GmbH v Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein relates to some issues with relevance for the case at hand: in particular the respective powers of various authorities in the Member States with the parent company outside of the EU and one one of the data protection authorities based in the Member State where the company’s establishment is responsible for data processing under the group’s internal division of tasks and responsibilities.

Update 11 July 2016 the Court of Appeal has sided with FB on 29 June. No surprises there! Update 27 June 2017 both initial ruling and the CA’s judgment relate to the provisionary measures. The case is now going through the same courts in ordinary (non-urgent) fashion.

Update 9 February 2016 the French privacy commission has now mirrored the Belgian action

Quite a lot of attention has been going to a Belgian court ordering Facebook to stop collecting data from non-users through the use of so-called datr cookies.  Applicant is Willem Debeuckelaere, the chairman of the Belgian privacy commission, in his capacity as chairman (not, therefore, as a private individual). Our interest here is of course in the court’s finding that it has jurisdiction to hear the case, and that it can apply Belgian law. The judgment is drafted in Dutch – an English (succinct) summary is available here.

Defendants are three parties: Facebook Inc, domiciled in California; Facebook Belgium BVBA, domiciled in Brussels; and Facebook Ireland Ltd., domiciled in Dublin. Facebook Belgium essentially is FB’s public affairs office in the EU. FB Ireland delivers FB services to the EU market.

Directive 95/46 and the Brussels I Recast Regulation operate in a parallel universe. The former dictates jurisdiction and applicable law at the level of the relationship between data protection authorities (DPAs), and data processors (the FBs, Googles etc. of this world). The latter concerns the relation between private individuals and both authorities and processors alike. That parallelism explains, for instance, why Mr Schrems is pursuing the Irish DPA in the Irish Courts, and additionally, FB in the Austrian courts.

Current litigation against FB lies squarely in the context of Directive 95/46. This need not have been the case: Mr Debeuckelaere, aforementioned, could have sued in his personal capacity. If he is not a FB customer, at the least vis-a-vis FB Ireland, this could have easily established jurisdiction on the basis of Article 7(2)’s jurisdiction for tort (here: invasion of privacy): with Belgium as the locus damni. Jurisdiction against FB Inc can not so be established in the basis of Article 7(2) (it does not apply to defendants based outside the EU). If the chairman qq natural person is a FB customer, jurisdiction for the Belgian courts may be based on the consumer contracts provisions of Regulation 1215/2012 – however that would have defeated the purpose of addressing FB’s policy vis-a-vis non-users, which I understand is what datr cookies are about.

Instead, the decision was taken (whether informed or not) to sue purely on the basis of the data protection Directive. This of course requires application of the jurisdictional trigger clarified in Google Spain. German precedent prior to the Google Spain judgment, did not look promising (Schleswig-Holstein v Facebook).

At the least, the Belgian court’s application of the Google Spain test, is debatable: as I note in the previous post,

Article 4(1)(a) of Directive 95/46 does not require the processing of personal data in question to be carried out ‘by’ the establishment concerned itself, but only that it be carried out ‘in the context of the activities’ of the establishment (at 52): that is the case if the latter is intended to promote and sell, in that Member State, advertising space offered by the search engine which serves to make the service offered by that engine profitable (at 55). The very display of personal data on a search results page constitutes processing of such data. Since that display of results is accompanied, on the same page, by the display of advertising linked to the search terms, it is clear that the processing of personal data in question is carried out in the context of the commercial and advertising activity of the controller’s establishment on the territory of a Member State, in this instance Spanish territory (at 57).

Google Spain’s task was providing support to the Google group’s advertising activity which is separate from its search engine service. Per the formula recalled above, this sufficed to trigger jurisdiction for the Spanish DPA. Google Spain is tasked to promote and sell, in that Member State, advertising space offered by the search engine which serves to make the service offered by that engine profitable. The Belgian court accepts jurisdiction on the basis of Facebook Belgium’s activities being ‘inseparably linked’ (at p.15) to Facebook’s activities. With respect, I do not think this was the intention of the CJEU in Google Spain. At the very least, the court’s finding undermines the one stop principle of the data protection Directive, for Belgium’s position viz the EU Institutions means that almost all data processors have some form of public interest representation in Belgium, often indeed taking the form of a BVBA or a VZW (the latter meaning a not for profit association).

The court further justifies (p.16) its jurisdiction on the basis of the measures being provisionary. Provisionary measures fall outside the jurisdictional matrix of the Brussels I (Recast), provided they are indeed provisionary, and provided there is a link between the territory concerned and the provisional measures imposed. How exactly such jurisdiction can be upheld vis-a-vis Facebook Ireland and Facebook Inc, is not clarified by the court.

The court does limit the provisionary measures territorially: FB is only ordered to stop using datr cookies tracking data of non-FB users ‘vis-a-vis internetusers on Belgian territory’, lest these be informed of same.

I mentioned above that the data protection Directive and the Brussels I recast can be quite clearly distinguished at the level of jurisdiction. However findings of courts or public authorities on the basis of either of them, do still face the hurdle of enforcement. That is no different in this case. Recognition and enforcement of the judgment vis-a-vis FB Inc will have to follow a rather complex route, and it is not inconceivable that the US (in particular, the State of California) will refuse recognition on the basis of perceived extraterritorial jurisdictional claims (see here for a pondering of the issues). Even vis-a-vis Facebook Ireland, however, one can imagine enforcement difficulties. Even if these provisionary measures are covered by the Brussels I Recast (which may not be the case given the public character of plaintiff), such measures issued by courts which lack jurisdiction as to the substance of the matter, are not covered by the enforcement Title of the Regulation.

All in all, plenty to be discussed in appeal.

Geert.

 

 

 

, , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Leave a comment

A bar to ‘extraterritorial’ EU law. Landgericht Koln refuses to extend ‘right to be forgotten’ to .com domain .

Postcript 11 March 2016 Google have announced a new policy which  goes some way to addressing the EU’s concerns. An unusually conciliatory move.

An inevitable consequence of the rulings in Google Spain, Weltimmo and Schrems /Facebook /Safe harbour, is whether courts in the EU can or perhaps even must insist on extending EU data protection rules to websites outside of EU domain. The case has led to suggestions of ‘exterritorial reach’ of Google Spain or the ‘global reach’ of the RTBF, coupled with accusations that the EU oversteps its ‘jurisdictional boundaries’. This follows especially the order or at least intention, by the French and other data protection agencies, that Google extend its compliance policy to the .com webdomain.

The Landgericht Köln mid September (the case has only now reached the relevant databases) in my view justifiably withheld enforcement jurisdiction in a libel case only against Google.de for that is the website aimed at the German market. It rejected extension of the removal order vis-à-vis Google.com, in spite of a possibility for German residents to reach Google.com, because that service is not intended for the German speaking area and anyone wanting to reach it, has to do so intentionally. (See the ruling under 1, para 3 and 4).

I have further context to this issue in a paper which is on SSRN and which is being peer reviewed as we speak (I count readers of this blog as peers hence do please forward any comments).

Geert.

, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Leave a comment

%d bloggers like this: