Posts Tagged rtbf

‘Right to be forgotten’ /data protection laws and the internet referred to CJEU.

Update 23 May 2017 the Case is C-136/17 and the relevant  dossier (partially in Dutch) is here, on the unparalleled website of the Dutch foreign ministry.

Many thanks to KU Leuven law student Dzsenifer Orosz (she is writing a paper on the issues for one of my conflict of laws courses) for alerting me to the French Conseil D’Etat having referred ‘right to be forgotten’ issues to the European Court of Justice.  I have of course on occasion reported the application of data protection laws /privacy issues on this blog (try ‘Google’ as a search on the blog’s search function). I also have a paper out on the case against applying the right to be forgotten to the .com domain, and with co-authors, one where we catalogue the application of RTBF until December 2016. See also my post on the Koln courts refusing application to .com.

The Conseil d’Etat has referred one or two specific Qs but also, just to be sure, has also asked the Court of Justice for general insight into how data protection laws apply to the internet. The Court is unlikely to offer such tutorial (not that it would not be useful). However any Advocate General’s opinion of course will offer 360 insight.

One to look forward to.

Geert.

 

, , , , , , , , , , , ,

Leave a comment

The Brussels Court of Appeal is spot on on Facebook, privacy, Belgium and jurisdiction.

The Brussels Court of Appeal has sided with Facebook  on 29 June. This post I am going to keep very, very simple: told you so. Geert.

 

 

, , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Leave a comment

Not the way the datr cookie crumbles. Belgian courts on soggy jurisdictional grounds in Facebook privacy ruling.

Update 11 July 2016 the Court of Appeal has sided with FB on 29 June. No surprises there!

Update 9 February 2016 the French privacy commission has now mirrored the Belgian action

Quite a lot of attention has been going to a Belgian court ordering Facebook to stop collecting data from non-users through the use of so-called datr cookies.  Applicant is Willem Debeuckelaere, the chairman of the Belgian privacy commission, in his capacity as chairman (not, therefore, as a private individual). Our interest here is of course in the court’s finding that it has jurisdiction to hear the case, and that it can apply Belgian law. The judgment is drafted in Dutch – an English (succinct) summary is available here.

Defendants are three parties: Facebook Inc, domiciled in California; Facebook Belgium BVBA, domiciled in Brussels; and Facebook Ireland Ltd., domiciled in Dublin. Facebook Belgium essentially is FB’s public affairs office in the EU. FB Ireland delivers FB services to the EU market.

Directive 95/46 and the Brussels I Recast Regulation operate in a parallel universe. The former dictates jurisdiction and applicable law at the level of the relationship between data protection authorities (DPAs), and data processors (the FBs, Googles etc. of this world). The latter concerns the relation between private individuals and both authorities and processors alike. That parallelism explains, for instance, why Mr Schrems is pursuing the Irish DPA in the Irish Courts, and additionally, FB in the Austrian courts.

Current litigation against FB lies squarely in the context of Directive 95/46. This need not have been the case: Mr Debeuckelaere, aforementioned, could have sued in his personal capacity. If he is not a FB customer, at the least vis-a-vis FB Ireland, this could have easily established jurisdiction on the basis of Article 7(2)’s jurisdiction for tort (here: invasion of privacy): with Belgium as the locus damni. Jurisdiction against FB Inc can not so be established in the basis of Article 7(2) (it does not apply to defendants based outside the EU). If the chairman qq natural person is a FB customer, jurisdiction for the Belgian courts may be based on the consumer contracts provisions of Regulation 1215/2012 – however that would have defeated the purpose of addressing FB’s policy vis-a-vis non-users, which I understand is what datr cookies are about.

Instead, the decision was taken (whether informed or not) to sue purely on the basis of the data protection Directive. This of course requires application of the jurisdictional trigger clarified in Google Spain. German precedent prior to the Google Spain judgment, did not look promising (Schleswig-Holstein v Facebook).

At the least, the Belgian court’s application of the Google Spain test, is debatable: as I note in the previous post,

Article 4(1)(a) of Directive 95/46 does not require the processing of personal data in question to be carried out ‘by’ the establishment concerned itself, but only that it be carried out ‘in the context of the activities’ of the establishment (at 52): that is the case if the latter is intended to promote and sell, in that Member State, advertising space offered by the search engine which serves to make the service offered by that engine profitable (at 55). The very display of personal data on a search results page constitutes processing of such data. Since that display of results is accompanied, on the same page, by the display of advertising linked to the search terms, it is clear that the processing of personal data in question is carried out in the context of the commercial and advertising activity of the controller’s establishment on the territory of a Member State, in this instance Spanish territory (at 57).

Google Spain’s task was providing support to the Google group’s advertising activity which is separate from its search engine service. Per the formula recalled above, this sufficed to trigger jurisdiction for the Spanish DPA. Google Spain is tasked to promote and sell, in that Member State, advertising space offered by the search engine which serves to make the service offered by that engine profitable. The Belgian court accepts jurisdiction on the basis of Facebook Belgium’s activities being ‘inseparably linked’ (at p.15) to Facebook’s activities. With respect, I do not think this was the intention of the CJEU in Google Spain. At the very least, the court’s finding undermines the one stop principle of the data protection Directive, for Belgium’s position viz the EU Institutions means that almost all data processors have some form of public interest representation in Belgium, often indeed taking the form of a BVBA or a VZW (the latter meaning a not for profit association).

The court further justifies (p.16) its jurisdiction on the basis of the measures being provisionary. Provisionary measures fall outside the jurisdictional matrix of the Brussels I (Recast), provided they are indeed provisionary, and provided there is a link between the territory concerned and the provisional measures imposed. How exactly such jurisdiction can be upheld vis-a-vis Facebook Ireland and Facebook Inc, is not clarified by the court.

The court does limit the provisionary measures territorially: FB is only ordered to stop using datr cookies tracking data of non-FB users ‘vis-a-vis internetusers on Belgian territory’, lest these be informed of same.

I mentioned above that the data protection Directive and the Brussels I recast can be quite clearly distinguished at the level of jurisdiction. However findings of courts or public authorities on the basis of either of them, do still face the hurdle of enforcement. That is no different in this case. Recognition and enforcement of the judgment vis-a-vis FB Inc will have to follow a rather complex route, and it is not inconceivable that the US (in particular, the State of California) will refuse recognition on the basis of perceived extraterritorial jurisdictional claims (see here for a pondering of the issues). Even vis-a-vis Facebook Ireland, however, one can imagine enforcement difficulties. Even if these provisionary measures are covered by the Brussels I Recast (which may not be the case given the public character of plaintiff), such measures issued by courts which lack jurisdiction as to the substance of the matter, are not covered by the enforcement Title of the Regulation.

All in all, plenty to be discussed in appeal.

Geert.

 

 

 

, , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Leave a comment

Forget Facebook and Safe Harbour. CJEU in Weltimmo confirms wide prescriptive but finds limited executive jurisdiction in EU data protection.

A lot of attention last week went to the CJEU’s annulment of the EC’s ‘Safe Harbour’ decision in Schrems v Facebook  (aka Austrian student takes on internet giant). I will not detail that finding for I assume, for once, that readers will be au fait with that judgment. For those who are not: please refer to Steve Peers for excellent analysis as per usual. It is noteworthy though that the CJEU’s finding in Schrems is based in the main on a finding of ultra vires: often easily remedied, as those with a background in public law will know.

Schrems (held 6 October) confirmed the Court’s approach to the EU’s prescriptive jurisdiction in data protection laws, as in Google Spain. However the Thursday before, on 1 October, the Court took a more restrictive view on ‘executive’ or ‘enforcement’ jurisdiction in Case C-230/14 Weltimmo. Lorna Woods has the general context and findings over at EU Law analysis. The essence in my view is that the Court insists on internal limitations to enforcement. It discussed the scope of national supervisory authority’s power in the context of Directive 95/4, the same directive which was at issue in Google Spain. The Court held

Where the supervisory authority of a Member State, to which complaints have been submitted in accordance with Article 28(4) of Directive 95/46, reaches the conclusion that the law applicable to the processing of the personal data concerned is not the law of that Member State, but the law of another Member State, Article 28(1), (3) and (6) of that directive must be interpreted as meaning that that supervisory authority will be able to exercise the effective powers of intervention conferred on it in accordance with Article 28(3) of that directive only within the territory of its own Member State. Accordingly, it cannot impose penalties on the basis of the law of that Member State on the controller with respect to the processing of those data who is not established in that territory, but should, in accordance with Article 28(6) of that directive, request the supervisory authority within the Member State whose law is applicable to act.

In other words, the supervisory authority in a Member State can examine the complaints it receives even if the law that applies to the data processing is the law of another Member State. However the scope of its sanctioning power is limited by its national borders.

This finding (I appreciate there are caveats) has important implications for the discussion on the territorial reach of the so-called ‘righ to be forgotten’. It supports in my view, the argument that the EU cannot extend its right to be forgotten rule to websites outside the EU’s domain. I have a paper forthcoming which discusses the various jurisdictional issues at stake here and the impact of Weltimmo on same.

Geert.

, , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Leave a comment

Digital import suffices for jurisdiction of the US International Trade Commission in patent infringement

Update November 2015 the CA reversed the finding of jurisdiction on 10 November 2015, confining it to material items. However its judgment was not unanimous (one dissent) nor unequivocal in argument. The case is likely therefore to be continued.

Update 26 August 2015 the CA reportedly was skeptical of the jurisdictional line taken by the ITC, citing in particular enforcement challenges as well as seperation of powers: extension of jurisdiction such as in this case may have to be determined by Congress, not by a regulator.

Update 4 August 2015: the US Court of Appeals will hear arguments on the case mid August.

The US International Trade Commission has held (in re Align Technology Inc, 337-TA-833) that electronic /digital import of plans and manuals with a view to producing moulds for dental aligners (braces) suffices to give the ITC jurisdiction. As I understand the case, the companies violating Align Technology’s patents were based in Pakistan, without domestic residence of any kind in the United States. The data were then used by US-based dental practices to produce the braces.

The foreign residence of the patent infringers fed into arguments made by defendants that a cease and desist order by the ITC would be very difficult to enforce, an argument against upholding jurisdiction in the first place. The ITC was not swayed.

I understand Google, among others, argued that digital data do not qualify as ‘articles’ under relevant US law. Reminiscent to some degree of the dismissal of Google’s arguments by JÄÄSKINEN AG in  Google Spain, the ITC disagreed: digital data are very real articles as, I would argue, the massive market for digital download already amply illustrates.

Geert.

, , , , , , , , , , , , , , , , , , , , , , , , ,

Leave a comment

%d bloggers like this: