Tag: Privacy

Posted on

Quite the song and dance. Dutch TikTok class action passes jurisdictional hurdle at first instance, cutting many a((n) appealable) corner in the process.

I reported earlier on the ongoing collective claim against TikTok here. Thank you Xandra Kramer and Eduardo Silva de Freitas for signalling and discussing the first instance jurisdictional finding. I note already that the Court [5.28] has refused interim permission to appeal on the jurisdictional finding (as in i.a. the applicable law issue in Airbus). [5.22] it also refused a preliminary reference o the CJEU even though my concise discussion below already shows that more is at play here than the court has made out. TikTok will now first have to argue the case on the merits to then (presumably) appealing both substance and jurisdictional finding.

As I flagged earlier and as Xandra and Eduardo discuss, the issue here is firstly the relationship between GDPR and Brussels Ia at the jurisdictional level: I discuss that in this paper. Against TikTok Ireland, jurisdiction is established on the basis of A80 GDPR, with no further discussion of A79 (even if A80 partially refers to A79 for the action it establishes).

In my view the court quite carelessly muddles the various concepts used in A79-80, all too easily dismisses ia CJEU Schrems, does not clearly distinguish between assignment, subrogation, mandate etc., and certainly does not correctly delineates the authority which the collective organisations might have under the GDPR: for it is not at all clear that this authority, beyond injunctive relief,  includes a (collective) claim for damages.

[5.13] the court already announces that it may not in fact have jurisdiction for all individuals who are no longer habitually resident in The Netherlands, a concession which in my view in fact goes towards undermining its own reasoning.

[5.14] ff the court then reviews A4 and 7(2) BIa, as a supplementary jurisdictional ground for the GDPR related claims and as a stand-alone ground for the non-GDPR related claims. The court’s decision to apply CJEU Wikingerhof as leading to forum delicti and not forum contractus is in my view optimistic, and surely if A7(2) is at play then the CJEU’s authority ia in Schrems is, too. Yet the court [5.17] quite happily assimilates the harmed individuals’ COMI etc. with the collective organisation.

[5.19-20] the court summarily accepts jurisdiction against the other (non-EU) TikTok entities on the basis of Dutch residual rules for related cases.

Jurisdictional issues will most definitely return upon eventual appeal.

Geert.

(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 2.2.8.2.5.

 

 

Posted on

The Belgian DPA yet again on processing of activities and Article 3(1) v 3(2) GDPR. Google appeals a prime example of circular reasoning.

The Belgian Data Protection Controller (DPA)’s decision of March 2022 (thank you Peter Craddock for alerting me to it at the time) has been travelling with me since it was issued mid March 2022: a late posting, I realise. There is however follow-up because Google have appealed.

The case concerns a classic ‘right to be forgotten’ aka delisting request, which Google refused, made by a practising solicitor with a criminal conviction and disciplinary measures taken against him. Google was rebuked, but not fined, for not dealing with the request promptly. However in substance the DPA agreed with Google’s refusal to delist, citing the link of the convictions to the applicant’s current profession, the recent nature of the conviction, and the severity of the facts.

This post however wants to signal the issue for which Google have appealed: the territorial reach of the GDPR under Article 3(1) v 3(2) GDPR,  as also explained in the European Data Protection Board (EDPA) December 2019 guidelines on the territorial scope of the GDPR (and something which the Belgian Court of Appeal has grappled with before, albeit not in the 3(1) v 3(2) setting).

Article 3(1) of the GDPR applies to “the processing of personal data in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether processing takes place in the Union or not“. Article 3(2) applies the GDPR to “the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union“.

Google Ireland was fast out off the picture by consent among the parties and the DPA [39-40]: it had no role at all in any of the processing. Google LL.C. admitted [44] that Article 3(1) applies to it, while Google Belgium [53] posits that as a mere internal consultancy /lobbying outfit for the Google group, it, too, has no role in the processing of the data.

Citing earlier decisions and CJEU Google Spain, the DPA nevertheless takes a broad view of ‘data processing’, arguing [64] that Google Spain identifies an ‘inextricable link’ between the various units of a group as sufficient to trigger DPA jurisdiction, even if one of these units has no role in the data processing.  While this reasoning ([68] and [71] in particular) suggests the wide notion of inextricable link triggers Article 3(1), in subsequent paras ([69] in particular) suggest the opposite causality: suggesting that because Article 3(1) applies, the activities are inextricably linked. Clearly, as Peter Craddock had pointed out before (I read it at the time but cannot find the source anymore I fear) that is a case of circular reasoning.

For Google, application of the GDPR to the US based entity as opposed to the EU based ones clearly is of significant difference. Its appeal with the Court of Appeal will be heard in the autumn.

Geert.

EU private international law, 3rd. ed. 2021, 2.256 ff.

 

Posted on

Lloyd v Google. More on the tort gateway and ‘damage’ under data protection law.

Update 7 October 2022 See Christopher Knight analysis here.

Update 6 October 2022 Sánchez-Bordona AG today opined in C-300/21, in a direction which largely would seem to follow the UKSC.

The UK Supreme Court in Lloyd v Google [2021] UKSC 50 held a few weeks back. It allowed the appeal, meaning the Court of Appeal‘s judgment is no longer good law and the High Court‘s approach is now the rule. The judgment essentially means that loss of control over private data is not considered ‘damage’ within the data protection Act 1998. The issue is one of statutory interpretation: on its proper interpretation, the SC understands the term “damage” in s. 13 to mean material damage (financial loss for instance) or mental distress, and not just unlawful processing. Loss of control therefore may still play a role in the common law tort of misuse of private information, and ‘damage’ was of course also considered flexibly in the context of consequential losses (Brownlie).

On class actions, the SC’s judgment is a set-back, too, with the judgment [80] holding

What limits the scope for claiming damages in representative proceedings is the compensatory principle on which damages for a civil wrong are awarded with the object of putting the claimant – as an individual – in the same position, as best money can do it, as if the wrong had not occurred. In the ordinary course, this necessitates an individualised assessment which raises no common issue and cannot fairly or effectively be carried out without the participation in the proceedings of the individuals concerned. A representative  action is therefore not a suitable vehicle for such an exercise.

Geert.

Posted on

Suing TikTok: on GDPR and ordinary jurisdiction, as well as applicable law in the Dutch collective claim.

A short note on the claim form for the collective claim by a group of parents based in The Netherlands against TikTok Technology Limited, domiciled at Dublin, Ireland.  It engages Article 79 GDPR, as well as the consumer section of Brussels Ia. At the applicable law level, it suggests application of Article 6 Rome I (consumer contracts; a logical counterpart of the jurisdictional analysis) and, in subsidiary fashion, Article 4 Rome II, each to suggest application of Dutch law.

I wrote on Article 79 here, and the problems which I signalled have in the meantime surfaced in case-law, as I signalled ia here.  Current case prima facie may not be entirely straightforward under GDPR, BIa and Rome I – one imagines a possible TikTok’s defence to go ia towards the meaning of ‘establishment’.

Geert.

Posted on

Google and the jurisdictional reach of the Belgian DPA in right to be forgotten cases. Another piece misplaced in the puzzle?

Thank you Nathalie Smuha for first signalling the €600,000.00 fine which the Belgian Data Protection Authority (DPA) issued on Tuesday against Google Belgium, together with a delisting order of uncertain reach (see below) and an order to amend the public’s complaint forms. The decision will eventually be back up here I am assume (at vanished yesterday) however I have copy here.

Nauta Dutilh’s Peter Craddock and Vincent Wellens have very good summary and analysis up already, and I am happy to refer. Let me add a few things of additional note:

  • The one-stop shop principle of the GDPR must now be under severe strain. CNIL v Google already put it to the test and this Belgian decision further questions its operationalisation – without even without for the CJEU to answer the questions of the Brussels Court of Appeal in the Facebook case. At 31, the DPA refers to a letter which Google LLC had sent on 23 June 2020 (a few days therefore after the French decision) to the Irish DPA saying that it would no longer object to national DPAs exercising jurisdiction in right to be forgotten cases. Of note is that in ordinary litigation, deep-pocket claimants seeking mozaik jurisdiction seldom do that because it serves the general interest.
  • Having said that, the Belgian DPA still had to establish jurisdiction against Google Belgium. Here, CJEU Google v Spain, Google v CNIL, and Wirtschaftsakademie led the DPA to take a ‘realistic’ /business plan approach (such as Jääskinen AG in Google Spain) rather than a legally pure approach: at 80 following extensive reference to CJEU authority, and to the effet utile of the GDPR, the DPA holds that it matters little whether the actual processing of the date takes places outside of the EU, by Google employees ex-EU, and that Google Belgium’s activities are supportive only. A Belgian resident’s right to be forgotten has been infringed; a Google entity is available there: that would seem to suffice.
  • That left the issue of the territorial reach of the delisting request. The DPA arguably cuts a few corners on the Google Belgium issue; here, it is simply most vague: at 81 ff it refers to the jurisdictional decision in e-Date Advertising, that for infringement of privacy within Brussels Ia, the courts of the person’s centre of interests are best placed to hear the case in its entirety, holding this should be applied mutatis mutandis in GDPR cases and removal orders. It then holds at 85 that neither Google v CNIL nor Belgian law give it specific power to impose a worldwide delisting order, yet at 91 that an EU-wide delisting order would seem an effective means of redress, to end up in its final order (p.48-49) not identifying a territorial scope for delisting.

I am confused. I suspect I am not the only one.

Geert.

(Handbook of) EU private international law, 2nd ed.2016, chapter 2, Heading 2.2.8.2.5.

 

Posted on

The GDPR’s one stop shop principle put to the test in French Supreme Court confirmation of CNIL jurisdiction over Google Android case. The Court also rebukes the spaghetti bowl of consent ticking and unticking.

Thank you Gaetan Goldberg for flagging that the French Supreme Court has confirmed on 19 June last, jurisdiction of the French Data Protection Agency (‘DpA’), CNIL for issuing its fine (as well as confirming the fine itself) imposed on Google for the abuse of data obtained from Android users. The Court was invited to submit preliminary references to the CJEU on the one-stop shop principle of  the GPDR, but declined to do so.

Readers of the blog know that my interest in the GDPR lies in the jurisdictional issues – I trust date protection lawyers will have more to say on the judgment.

With respect to the one stop shop principle (see in particular A56 GDPR) the Court held at 5 ff that Google do not have a ‘main establishment’ in the EU at least not at the time of the fine complained of, given that the Irish Google office (the only candidate for being the ‘main establishment) at least at that time did not have effective control over the use and destination of the data that were being transferred – US Google offices pulling the strings on that decision. A call by the CNIL under the relevant EU procedure did not make any of the other DPAs come forward as wanting to co-ordinate the action.

On the issue of consent the SC referred to CJEU Cc-673/17 Planet49 and effectively held that the spaghetti bowl of consent, ticking and unticking of boxes which an Android user has to perform to link a Google account to Android and hence unlock crucial features of Android, do not amount to consent or proper compliance with GDPR requirements.

Geert.

Posted on

A reminder: Austrian courts apply CJEU Eva Glawischnig-Piesczek v Facebook ruling. Limits removal to national territory only but does not rule out worldwide removal on principle.

I had already reported in March on the first application of the CJEU C-18/18 Eva Glawischnig-Piesczek v Facebook ruling in an update to my post on the latter. I thought I’ld add a separate post on the ruling for it, well, deserves it: the court held that orders based on Austrian copyright are limited to Austria (given copyright’s territorial limitations), but if they are based on personal rights, the claimant has to specify the requested territorial reach (so potentially global).

IPKat have further analysis here. As one or two of us discussed at the time of the CJEU ruling: the infringement of personality rights angle is an important one.

Geert.

(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 2.2.8.2, Heading 2.2.8.2.5.

Posted on

Lloyd v Google. Court of Appeal overturns High Court, establishes jurisdiction viz US defendant. Takes a wider approach to loss of control over personal (browser-generated information) data constituting ‘damage’.

Update 4 June 2021 see a reference by the Austrian Supreme Court here, on the issue of whether loss of date control constitutes damage.

Update 16 July 2020 the Supreme Court has granted leave to appeal.

I reported earlier on Lloyd v Google at the High Court. The case involves Google’s alleged unlawful and clandestine tracking of iPhone users in 2011 and 2012 without their consent through the use of third party cookies.

The Court of Appeal in [2019] EWCA Civ 1599 has now overturned the High Court’s approach, nota bene just a day before the CJEU’s Eva Glawischnig-Piesczek v Facebook judgment.

Warby J in  [2018] EWHC 2599 (QB) Lloyd v Google (a class action suit with third party financing) had rejected jurisdiction against Google Inc (domiciled in the US) following careful consideration (and distinction) of the Vidal Hall (‘Safari users) precedent. In essence, Warby J held that both EU law (reference is made to CJEU precedent under Directive 90/314) and national law tends to suggest that “damage” has been extended in various contexts to cover “non-material damage” but only on the proviso that “genuine quantifiable damage has occurred”. This did not mean that misuse of personal data could not be disciplined under data protection laws (typically: by the data protection authorities) or other relevant national courses of action. But where it entails a non-EU domiciled party, and the jurisdictional gateway of ‘tort’ is to be followed, ‘damage’ has to be shown.

The Court of Appeal has now overturned. A first question it considered was whether control over data is an asset that has value. Sir Geoffrey Vos C at 47 held ‘a person’s control over data or over their BGI (browser-generated information, GAVC) does have a value, so that the loss of that control must also have a value’. Sir Geoffrey did not even have to resort to metanalysis to support this:  at 46: ‘The underlying reality of this case is that Google was able to sell BGI collected from numerous individuals to advertisers who wished to target them with their advertising. That confirms that such data, and consent to its use, has an economic value.’ And at 57: ‘the EU law principles of equivalence and effectiveness (‘effet utile’, GAVC) point to the same approach being adopted to the legal definition of damage in the two torts which both derive from a common European right to privacy.’

(The remainder of the judgment concerns issues of reflection of damage on the class).

Conclusion: permission granted to serve the proceedings on Google outside the jurisdiction of the court.

All in all an important few days for digital media corporations.

Geert.

Posted on

Steady now. Eva Glawischnig-Piesczek v Facebook. The CJEU on jurisdiction and removal of hate speech.

Update 12 November 2020 the court in the Glawischnig case has now reportedly ordered worldwide removal.

Update 5 May 2020 see the report of the first application of the criteria by the Austrian courts on 30 March 2020 here: the court held that orders based on Austrian copyright are limited to Austria, but if they are based on personal rights, the claimant has to specify the requested territorial reach (so potentially global).

My interest in C-18/18 Eva Glawischnig-Piesczek v Facebook as I noted in my short first review of the case, concerns mostly the territorial reach of any measures taken by data protection authorities against hosting providers. The Court held last week and o boy did it provoke a lot of comment.

The case to a large degree illustrates the relationship between secondary and primary law, and the art of reading EU secondary law. Here: Article 15 of the e-commerce Directive 2001/31 which limits what can be imposed upon a provider; and the recitals of the Directive which seem to leave more leeway to the Member States. Scant harmonisation of tort law in the EU does not assist the Institutions in their attempts to impose a co-ordinated approach.

The crucial issue in the case was whether Article 15 prohibits the imposition on a hosting provider (Facebook, in this case) of an obligation to remove not only notified illegal content, but also identical and similar content, at a national or worldwide level? The Court held the Directive does not as such preclude such order, and that as to the worldwide injunctive issue, EU law has not harmonised and that it is up to the Member States to direct in any such orders in compliance with public international law.

The judgment to a large degree concerns statutory interpretation on filtering content, which Daphne Keller has already reviewed pre the judgment succinctly here, Dan Svantesson post the judgment here, as did Lorna Woods, and a frenzied Twitter on the day of the judgment e.g. in this thread. A most balanced analysis is provided by Andrej Savin here. e-Commerce law is not the focus of this blog, neither my professed area of expertise (choices, choices). I do want to emphasise though

  • that as always it pays to bear in mind the CJEU’s judicial economy. Here: the need to interpret its judgment in line with the circumstances of the case. As Steve Peers noted, the Austrian court had ruled that the post was defamatory, which is a recognised basis for limiting freedom of expression; see also at 40: ‘In that regard, it should be made clear that the illegality of the content of information does not in itself stem from the use of certain terms combined in a certain way, but from the fact that the message conveyed by that content is held to be illegal, when, as in the present case, it concerns defamatory statements made against a specific person.‘ Nota bene, the same need to read the judgment in context goes for the earlier Google v CNIL case, applying Directive 95/46 and the GDPR, which I review here.
  • that speaking strictly as a member of the public who has seen the devastating effect of ‘social’ media on people close to me, the technical discussions on filtering (‘what filter does the CJEU think might possibly ever be available to FB to remove content in the way the Court wishes’) are emphatically beside the point. The public justifiably are not interested in the how. A service is offered which clearly has negative effects on EU citisens. Remedy those effects, or remove the service from those citisens. That is true for the negative impacts of goods (in 25 years of regulatory Bar practice I have seen plenty of that). There is no reason it should be any less true for services.

The jurisdictional issues are what interest me more from the blog’s point of view: the territorial scope of any removal or filtering obligation. In Google viz the GDPR and the data protection Directive, the Court confirmed my reading, against that of most others’, of Szpunar AG’s Opinion. EU law does not harmonise the worldwide removal issue. Reasons of personal indemnification may argue in specific circumstances for universal jurisdiction and ditto reach of injunctive relief on ‘right to be forgotten’ issues. Public international law and EU primary law are the ultimate benchmark (Google V CNIL). It is little surprise the Court held similarly in Eva Glawischnig-Piesczek, even if unlike in Google, it did not flag the arguments that might speak against such order. As I noted in my review of Google, for the GDPR and the data protection Directive, it is not entirely clear whether the Court suggests EU secondary law simply did not address extraterritoriality or decided against it. For the e-commerce Directive in Eva Glawischnig-Piesczek the Court notes at 50-52

Directive 2000/31 does not preclude those injunction measures from producing effects worldwide. However, it is apparent from recitals 58 and 60 of that directive that, in view of the global dimension of electronic commerce, the EU legislature considered it necessary to ensure that EU rules in that area are consistent with the rules applicable at international level.  It is up to Member States to ensure that the measures which they adopt and which produce effects worldwide take due account of those rules.

In conclusion, Member States may order a host provider to remove information covered by the injunction or to block access to that information worldwide within the framework of the relevant international law. To my knowledge, the Brussels Court of Appeal is the only national court so far to consider public international law extensively viz the issue of jurisdiction, and decided against it, nota bene in a case against Facebook Inc.

Any suggestion that the floodgates are open underestimates the sophisticated engagement of national courts with public international law.

In general, the CJEU’s approach is very much aligned with the US (SCOTUS in particular) judicial approach in similar extraterritoriality issues (sanctions law; export controls; ATS;…). There is no madness to the CJEU’s approach. Incomplete: sure (see deference to national courts and the clear lack of EU law-making up its legislative mind on the issues). Challenging and work in progress: undoubtedly. But far from mad.

Geert.

(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 2.2.8.2, Heading 2.2.8.2.5.

Posted on

Proposition Walhalla. ‘The algorithms of the law must keep pace with new and emerging technologies.’

Update 18 August 2020 the judgment was overturned upon appeal and a breach of Article 8 ECHR found: [2020] EWCA Civ 1058 Bridges, R (On the Application Of) v South Wales Police. reviewed here.

Update 17 January 2020 the European Commission reportedly has a different view and is preparing a proposal to ban this use temporarily.

‘The algorithms of the law must keep pace with new and emerging technologies’ is the opening sentence of Hadon-Cave LJ and Swift J in R v The Chief Constable of South Wales Police and others [2019] EWHC 2341.

The central issue is whether the current legal regime in the United Kingdom is adequate to ensure the appropriate and non-arbitrary use of AFR (automated face recognition) in a free and civilized society. The High Court finds it is. No doubt appeal will follow. I leave the assessment of the findings (discussing in particular Article 8 ECHR: right to respect for one’s private and family life, one’s home and one’s correspondence) of the Court to others. It is the opening sentence which drew my attention as, inevitably, it did others’. It is a sentence upon which one can hinge en entire regulatory /new technologies course. Must the algorithms of the law (whatever these may be) keep pace with technology?  Or rather, guard against the challenges of same?

Discuss.

Geert.

%d bloggers like this: