Posts Tagged Internet
A quick flag to those of you following consumer protection and the Directive (2002/58) on privacy and electronic communications. In Case C-673/17 Planet49 the Court of Justice is being asked to clarify to what extent a website which pre-ticks boxes in general terms and conditions (here: to share relevant personal data) is compatible with relevant EU laws.
File of the case here (in Dutch only).
Thank you Stephen Pittel for flagging 2017 SCC 33 Douez v Facebook Inc. Stephen also discusses the forum non conveniens issue and I shall leave that side of the debate over to him. What is interesting for comparative purposes is the Supreme Court’s analysis of the choice of court clause in consumer contracts, which it refuses to enforce under public policy reasons, tied to two particular angles:
- ‘The burdens of forum selection clauses on consumers and their ability to access the court system range from added costs, logistical impediments and delays, to deterrent psychological effects. When online consumer contracts of adhesion contain terms that unduly impede the ability of consumers to vindicate their rights in domestic courts, particularly their quasi-constitutional or constitutional rights, public policy concerns outweigh those favouring enforceability of a forum selection clause.’ (emphasis added)
Infringement of privacy is considered such quasi-constitutional right.
- ‘Tied to the public policy concerns is the “grossly uneven bargaining power” of the parties. Facebook is a multi-national corporation which operates in dozens of countries. D is a private citizen who had no input into the terms of the contract and, in reality, no meaningful choice as to whether to accept them given Facebook’s undisputed indispensability to online conversations.’
With both angles having to apply cumulatively, consumers are effectively invited to dress up their suits as involving a quasi-constitutional issue, even if all they really want is their PSP to be exchanged, so to speak. I suspect however Canadian courts will have means of sorting the pretended privacy suits from the real ones.
A great judgment for the comparative binder (see also Jutta Gangsted and mine paper on forum laboris in the EU and the US here).
As I noted at the time, the long and the short of the case is whether the concept of ‘consumer’ under the protected categories of Brussels I (and Recast) is a dynamic or a static one; and what kind of impact assignment has on jurisdiction for protected categories.
On the first issue, Mr Schrems points to his history as a user, first having set up a personal account, subsequently, as he became the poster child for opposition to social media’s alleged infringement of privacy, a Facebook page. Each of those, he suggests, are the object of a separate contract with Facebook. FB suggests they are part of one and the same, initial contractual relationship. This one assumes, would assist FB with its line of argument that Herr Schrems’ initial use may have been covered by the forum consumentis, but that his subsequent professional use gazumps that initial qualification.
The Court suffices at 36 with the simple observation that the qualification as a single or dual contract is up to the national court (see inter alia the Gabriel, Engler and Ilsinger conundrum: Handbook, Chapter 2, Heading 184.108.40.206.a and generally the difficulties for the CJEU to force a harmonised notion of ‘contract’ upon the Member States), yet that nevertheless any such qualification needs to take into account the principles of interpretation of Brussels I’s protected categories: in particular, their restrictive interpretation. Whence it follows, the Court holds, that the interpretation needs to be dynamic, taking into account the subsequent (professional or not) use of the service: at 37-38: ‘il y a notamment lieu de tenir compte, s’agissant de services d’un réseau social numérique ayant vocation à être utilisés pendant une longue durée, de l’évolution ultérieure de l’usage qui est fait de ces services. Cette interprétation implique, notamment, qu’un requérant utilisateur de tels services pourrait invoquer la qualité de consommateur seulement si l’usage essentiellement non professionnel de ces services, pour lequel il a initialement conclu un contrat, n’a pas acquis, par la suite, un caractère essentiellement professionnel.’
The Court does add at 39-40 that acquired or existing knowledge of the sector or indeed the mere involvement in collective representation of the interests of the service’s users, has no impact on the qualification as a ‘consumer’: only professional use of the service does. (The Court in this respect refers to Article 169(1) TFEU’s objective to assist consumers with the representation of their collective interest).
On this point therefore the Court unlike the AG attaches more weight to restrictive interpretation than to predictability. (Bobek AG’s approach to the issue of dynamic /static was expressed more cautiously).
As for the assignment issue, the Court sides squarely with its AG: the assigned claims cannot be pursued in the jurisdiction which is the domicile of the assignee. That in my view de lega lata makes perfect sense.
(Handbook of) EU private international law, 2nd ed. 2016, Chapter 2, Heading 220.127.116.11.
For background to the Microsoft Ireland case under the Stored Communications Act (SCA), see here. The issue is essentially whether the US Justice Department may force Microsoft to grant access to e-mails stored on Irish servers.
With a group of EU data protection and conflicts lawyers, we have filed an amicus curiae brief in the case at the United States Supreme Court last week, arguing that the Court should interpret the SCA to apply only to data stored within the United States, leaving to Congress the decision whether and under what circumstances to authorize the collection of data stored in other countries.
There is not much point in me rehashing the arguments here: happy reading.
Apologies for late reporting. Bot AG opined end of October in C‑210/16 Fansites. [The official name of the case is Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, in the presence of Facebook Ireland Ltd, Vertreter des Bundesinteresses beim Bundesverwaltungsgericht. It’s obvious why one prefers calling it Fansites].
The Advocate-General summarises (para 2-3) the case as involving ‘proceedings between the Wirtschaftsakademie Schleswig-Holstein GmbH, a company governed by private law and specialising in the field of education (‘the Wirtschaftsakademie’), and the Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein, a regional data-protection authority in Schleswig-Holstein (‘ULD’) concerning the lawfulness of an order issued by the latter against the Wirtschaftsakademie requiring it to deactivate a ‘fan page’ hosted on the website of Facebook Ireland Ltd. The reason for that order was the alleged infringement of the provisions of German law transposing Directive 95/46. Specifically, visitors to the fan page were not warned that their personal data are collected by the social network Facebook (‘Facebook’) by means of cookies that are placed on the visitor’s hard disk, the purpose of that data collection being to compile viewing statistics for the administrator of the fan page and to enable Facebook to publish targeted advertisements.’
The case ought to clarify the extent of the powers of intervention of supervisory authorities such as ULD with regard to the processing of personal data which involves the participation of several parties (at 13). I had flagged earlier that this case is relevant to the jurisdictional and applicable law issues involving datr cookies.
Whatever the outcome of the case, its precedent value will be limited by the imminent entry into force of the new General Data Protection Regulation – GDPR. The GDPR clearly introduces a ‘one-stop principle’ with only one lead authority (in FB’s case, Ireland’s data protection agency) having the authority to act (see also the AG’s observation of same in para 103).
As prof Lorna Woods in excellent analysis observes, the issue comes down to the interpretation of the phrase from Art. 4(1)(a), ‘in the context of the activities of an establishment’. Dan Svantesson has most superb analysis of Article 4(1)(a) here, anyone interested in the issue will find his insight most helpful.
Now, the Advocate-General leans heavily on Weltimmo however I would suggest its precedent value for the Fanpages case is constrained. Weltimmo concerned a company set up in Slovakia but with no relevant activities at all in that Member State. Indeed as the Court itself observed (at 16-18) , the company was effectively male fide (my words, not the CJEU’s) moving its servers and creating fog as to its exact whereabouts. In other words a case of blatant abuse. There is no suggestion of abuse in Fanpages. Moreover according to the CJEU in C-230/14 Weltimmo the phrase ‘in the context of the activities of an establishment’ cannot be interpreted restrictively (AG’s reference in para 87), yet that CJEU holding in Weltimmo cross-refers to Google Spain in which the crucial issue was whether EU data protection laws apply at all. That is very different in Weltimmo and in Fanpages. That EU authorities have jurisdiction and that EU privacy law applies is not at issue.
There is sufficient argument to find in the Directive, even before its transformation into the GDPR, that in cases such as these the same processing operation ought to be governed by the laws of just one Member State. It would be good for the CJEU to recognise that even before the entry into force of the GDPR.
(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 18.104.22.168.5.
Thank you Dan Svantesson for sharing preparatory work for a February 2018 conference on access to digital evidence in the cloud. The document, written by a group which comprises academia, relevant companies (including Apple, Google, Facebook and Microsoft) as well as regulators (including the EC and the USDJ), at this stage does not offer solutions. Rather, it sets out principles along which a future framework could be set out, including the concept of data control (not to be confused with data controller) and actual provision of service.
One of the issues to look out for is how a future international approach to access and jurisdiction in criminal matters may differ from courts’ and regulators’ approach in civil jurisdiction (including data protection and privacy).
Qualifying ‘consumers’ on social media and in the case of assignment. Bobek AG in Schrems v Facebook.
Bobek AG must have picked up his knack for colourful language at Teddy Hall. His Opinion last week in C-498/16 Schrems v Facebook is a delight and one does best service to it by simply inviting one reads it. Now, that must not absolve me of my duty to report succinctly on its contents – the Court itself I imagine will be equally short shrift with claimant’s arugments.
When I asked my students in the August exam to comment on the case, I simply gave them the preliminary questions and asked them how the CJEU should answer them:
1 Is Article 15 of Regulation 44/2001 to be interpreted as meaning that a ‘consumer’ within the meaning of that provision loses that status, if, after the comparatively long use of a private Facebook account, he publishes books in connection with the enforcement of his claims, on occasion also delivers lectures for remuneration, operates websites, collects donations for the enforcement of his claims and has assigned to him the claims of numerous consumers on the assurance that he will remit to them any proceeds awarded, after the deduction of legal costs?
2. Is Article 16 of Regulation (EC) No 44/2001 to be interpreted as meaning that a consumer in a Member State can also invoke at the same time as his own claims arising from a consumer supply at the claimant’s place of jurisdiction the claims of others consumers on the same subject who are domiciled
a. In the same Member State, b. In another Member State: or c. In a non-Member State,
if the claims assigned to him arise from consumer supplies involving the same defendant in the same legal context and if the assignment is not part of a professional or trade activity of the applicant, but rather serves to ensure the joint enforcement of claims?
The long and the short of the case is whether the concept of ‘consumer’ under the protected categories of Brussels I (and Recast) is a dynamic or a static one; and what kind of impact assignment has on jurisdiction for protected categories.
On the first issue, I expected my students to point to the CJEU’s precedent of applying the Regulation with a view to predictability and legal certainty; specifically for consumers, to Gruber and the burden of proof in cases of dual use; and to the Court’s judgment in Emrek. Other than the last issue, the AG points to all. Predictability points to a static approach: I would suggest the AG is right. Bobek AG does leave the door ajar for a dynamic interpretation: at 39: in exptional cases, a ‘dynamic’ approach to consumer status should not be entirely excluded. This could be potentially relevant in the event that a contract does not specify its aim, or it is open to different uses, and it lasts a long period of time, or is even indeterminate. It is conceivable that in such cases, the purpose for which a certain contractual service is used might change — not just partially, but even completely. Social media contracts may lead to such circumstances, one imagines, however there would be many ifs and buts to such analysis: including, I would suggest, the terms of the contract wich the service provider initially drew up.
On the issue of assignment the AG’s approach is entirely logical and not surprising: evidently Herr Schrems cannot have claims assigned to him and then exercise those claims using any other jurisdictional prerogatives then present in the original claim. While these may allow him to sue in the forum actoris of the original consumer, there is no valid argument whatsoever to suggest he could join them to his own domicile. The arguments made de lege ferenda (need for forum shopping in collective consumer redress) are justifiably rejected.
(Handbook of) EU private international law, 2nd ed. 2016, Chapter 2, Heading 22.214.171.124.