Tag: Schrems

Posted on

Brussels Court of Appeal rejects jurisdiction against Facebook Inc, Facebook Ireland in privacy, data protection case.

Update 17 June 2021 for analysis of the CJEU judgment in same see Lorna Woods here.

Update 10 September 2020 the case at the CJEU is listed as C-645/19.

The Brussels Court of Appeal held early May in a lengthy and scholarly judgment that it sees no ground in either public international law, or European law, for jurisdiction of the Belgian courts against Facebook Ireland and Facebook Inc (Palo Alto, California). I reported on the litigation inter alia here. I believe the Court is right, as readers of the blog know from my earlier postings.

Belgium’s Data Protection Authority (DPA) does not signal the rejection of jurisdiction against FB Ireland and FB Inc in its press release, however even its 3 page extract from the 121 page judgment clearly shows it (first bullet-point).

The questions which the Court of Appeal has sent up to Luxembourg concern Facebook Belgium only. The Court in the full judgment does not qualify FB Belgium’s activities as data processing. However it has very specific questions on the existence and extent of powers for DPAs other than the leading authority under the GDPR, including the question whether there is any relevance to the fact that action has started prior to the entry into force of the GDPR (25 May 2018). The Court is minded to interpret the one-stop shop principle extensively however it has doubt given the CJEU’s judgment in Fanpages

Crucial and so far, I believe, fairly unreported. (My delay explained by the possibility for use as an essay exam question – which eventually I have not).

Geert.

(Handbook of) EU private international law, 2nd ed.2016, chapter 2, Heading 2.2.8.2.5.

Posted on

Protection of privacy and private international law. Interim ILA report.

A short post effectively to deposit relevant documentation on the issue of privacy and private international law – which I frequently report on on the blog (e.g. use tag ‘rtbf’, or ‘internet’, or ‘privacy’, ‘Facebook’, or ‘Google’; see i.a. my recent posts re Facebook, Google , Schrems, etc.

Max Planck Luxembourg have the interim report on the International Law Association’s draft guidelines on jurisdiction and applicable law re privacy on their website, featuring many of the cases I have reported on over the years.

Happy reading.

Geert.

 

Posted on

One of those groundhog days. The Brussels Court of First instance on Facebook, privacy, Belgium and jurisdiction.

Update May 2019 the Court of Appeal reportedly has referred to the CJEU. However update 19 June 2019 as I explain here, that referral is on limited issues only. The court has rejected jurisdiction against FB Ireland and FB Inc.

I have flagged once or twice that the blog is a touch behind on reporting – I hope to be on top soon.

I blogged a little while ago that the Brussels Court of Appeal had sided with Facebook in their appeal against the Court of first instance’s finding of Belgian jurisdiction. I had earlier argued that the latter was wrong. These earlier skirmishes were in interim proceedings. Then, in February, the Court of First instance, unsurprisingly, reinstated its earlier finding, this time with a bit more substantial flesh to the bone.

First, a bit of Belgian surrealism. In an interlocutory ruling the court had requested FB to produce full copy of the Court of Appeal’s judgment upon which it relied for some of its arguments. Perhaps given the appalling state of reporting of Belgian case-law, this finding should not surprise. Yet it remains an absurd notion that parties should produce copies at all of Belgian judgments, not in the least copies of a Court of Appeal which is literally one floor up from the Court of first instance.

Now to the judgment. The court first of all confirms that the case does not relate to private international law for the privacy commission acts iure imperii (I summarise). Then follows a very lengthy and exhaustive analysis of Belgium’s jurisdiction on the basis of public international law. Particularly given the excellent input of a number of my public international law colleagues, this part of the judgment is academically interesting nay exciting – but also entirely superfluous. For any Belgian jurisdiction grounded in public international law surely is now exhausted regulated by European law, Directive 95/46 in particular.

In finally reviewing the application of that Directive, and inevitably of course with reference to Weltimmo etc. the Court essentially assesses whether Facebook Belgium (the jurisdictional anchor) carries out activities beyond mere representation vis-a-vis the EU institutions, and finds that it does carry out commercial activities directed at Belgian users. That of course is a factual finding which requires au faitness which the employees’ activities.

Judgment is being appealed by Facebook – rightly so I believe. Of note is also that once the GDPR applies, exclusive Irish jurisdiction is clear.

Geert.

 

 

 

Posted on

Schrems v Facebook. Consumer class actions and social media.

I reported on Bobek AG’s Opinion in Schrems v Facebook when it came out last year. The CJEU held this morning (judgment so far in FR and DE only) and largely confirms the AG’s Opinion.

As I noted at the time, the long and the short of the case is whether the concept of ‘consumer’ under the protected categories of Brussels I (and Recast) is a dynamic or a static one; and what kind of impact assignment has on jurisdiction for protected categories.

On the first issue, Mr Schrems points to his history as a user, first having set up a personal account, subsequently, as he became the poster child for opposition to social media’s alleged infringement of privacy, a Facebook page. Each of those, he suggests, are the object of a separate contract with Facebook. FB suggests they are part of one and the same, initial contractual relationship. This one assumes, would assist FB with its line of argument that Herr Schrems’ initial use may have been covered by the forum consumentis, but that his subsequent professional use gazumps that initial qualification.

The Court suffices at 36 with the simple observation that the qualification as a single or dual contract is up to the national court (see inter alia the Gabriel, Engler and Ilsinger conundrum: Handbook, Chapter 2, Heading 2.2.11.1.a and generally the difficulties for the CJEU to force a harmonised notion of ‘contract’ upon the Member States), yet that nevertheless any such qualification needs to take into account the principles of interpretation of Brussels I’s protected categories: in particular, their restrictive interpretation. Whence it follows, the Court holds, that the interpretation needs to be dynamic, taking into account the subsequent (professional or not) use of the service: at 37-38: ‘il y a notamment lieu de tenir compte, s’agissant de services d’un réseau social numérique ayant vocation à être utilisés pendant une longue durée, de l’évolution ultérieure de l’usage qui est fait de ces services. Cette interprétation implique, notamment, qu’un requérant utilisateur de tels services pourrait invoquer la qualité de consommateur seulement si l’usage essentiellement non professionnel de ces services, pour lequel il a initialement conclu un contrat, n’a pas acquis, par la suite, un caractère essentiellement professionnel.’

The Court does add at 39-40 that acquired or existing knowledge of the sector or indeed the mere involvement in collective representation of the interests of the service’s users, has no impact on the qualification as a ‘consumer’: only professional use of the service does. (The Court in this respect refers to Article 169(1) TFEU’s objective to assist consumers with the representation of their collective interest).

On this point therefore the Court unlike the AG attaches more weight to restrictive interpretation than to predictability. (Bobek AG’s approach to the issue of dynamic /static was expressed more cautiously).

As for the assignment issue, the Court sides squarely with its AG: the assigned claims cannot be pursued in the jurisdiction which is the domicile of the assignee. That in my view de lega lata makes perfect sense.

Geert.

(Handbook of) EU private international law, 2nd ed. 2016, Chapter 2, Heading 2.2.8.2.

 

Posted on

Qualifying ‘consumers’ on social media and in the case of assignment. Bobek AG in Schrems v Facebook.

Bobek AG must have picked up his knack for colourful language at Teddy Hall. His Opinion last week in C-498/16 Schrems v Facebook is a delight and one does best service to it by simply inviting one reads it. Now, that must not absolve me of my duty to report succinctly on its contents – the Court itself I imagine will be equally short shrift with claimant’s arugments.

When I asked my students in the August exam to comment on the case, I simply gave them the preliminary questions and asked them how the CJEU should answer them:

1 Is Article 15 of Regulation 44/2001 to be interpreted as meaning that a ‘consumer’ within the meaning of that provision loses that status, if, after the comparatively long use of a private Facebook account, he publishes books in connection with the enforcement of his claims, on occasion also delivers lectures for remuneration, operates websites, collects donations for the enforcement of his claims and has assigned to him the claims of numerous consumers on the assurance that he will remit to them any proceeds awarded, after the deduction of legal costs?

2. Is Article 16 of Regulation (EC) No 44/2001 to be interpreted as meaning that a consumer in a Member State can also invoke at the same time as his own claims arising from a consumer supply at the claimant’s place of jurisdiction the claims of others consumers on the same subject who are domiciled

a. In the same Member State, b. In another Member State: or c. In a non-Member State,

if the claims assigned to him arise from consumer supplies involving the same defendant in the same legal context and if the assignment is not part of a professional or trade activity of the applicant, but rather serves to ensure the joint enforcement of claims?

 

The long and the short of the case is whether the concept of ‘consumer’ under the protected categories of Brussels I (and Recast) is a dynamic or a static one; and what kind of impact assignment has on jurisdiction for protected categories.

On the first issue, I expected my students to point to the CJEU’s precedent of applying the Regulation with a view to predictability and legal certainty; specifically for consumers, to Gruber and the burden of proof in cases of dual use; and to the Court’s judgment in Emrek. Other than the last issue, the AG points to all. Predictability points to a static approach: I would suggest the AG is right. Bobek AG does leave the door ajar for a dynamic interpretation: at 39: in exptional cases, a ‘dynamic’ approach to consumer status should not be entirely excluded. This could be potentially relevant in the event that a contract does not specify its aim, or it is open to different uses, and it lasts a long period of time, or is even indeterminate. It is conceivable that in such cases, the purpose for which a certain contractual service is used might change — not just partially, but even completely. Social media contracts may lead to such circumstances, one imagines, however there would be many ifs and buts to such analysis: including, I would suggest, the terms of the contract wich the service provider initially drew up.

On the issue of assignment the AG’s approach is entirely logical and not surprising: evidently Herr Schrems cannot have claims assigned to him and then exercise those claims using any other jurisdictional prerogatives then present in the original claim. While these may allow him to sue in the forum actoris of the original consumer, there is no valid argument whatsoever to suggest he could join them to his own domicile. The arguments made de lege ferenda (need for forum shopping in collective consumer redress) are justifiably rejected.

Geert.

(Handbook of) EU private international law, 2nd ed. 2016, Chapter 2, Heading 2.2.8.2.

 

Posted on

It’s true! Belgian Supreme Court confirms order for Yahoo! to hand over IP-addresses.

Jurisdiction and the internet is a topic which has featured once or twice on this blog recently (and in a  paper which I have already referred to in those earlier postings). Belgian’s Supreme Court in ordinary (the Hof van Cassatie /Cour de Cassation) employed the objective territoriality principle in a case with roots going back to 2007 (the fraudulent purchase of and subsequent failure to pay for electronic equipment from a shop in Dendermonde, Belgium), Yahoo! was requested to hand over the IP addresses associated with e-mail accounts registered to Yahoo!’s e-mail service. Yahoo! Inc, domiciled in California, refused to comply, triggering fines under criminal law. (It’s corporate slogan btw used to be ‘it’s true!’ Hence the title of the post).

Responding to Yahoo!s claims that Belgium was imposing its criminal laws extraterritorially, the Court of Appeal had held that Yahoo! is territorially present in Belgium, hereby voluntarily submitting itself to the jurisdiction of the Belgian authorities: it takes an active part in economic life in Belgium, among others by use of the domain name http://www.yahoo.be, the use of the local language(s) on that website, pop-up of advertisements based on the location of the users, and accessibility in Belgium of Belgium-focussed customer services (among others: a ‘Belgian’ Q&A, FAQ, and post box). [Notice the similarity with the Pammer /Alpenhof criteria]. The Court of Appeal had suggested that the accusations of extraterritoriality could only be accepted had there been a request for the handover of data or objects which are located in the USA, with which there is no Belgian territorial link whatsoever, and if the holder of these objects or data is not accessible in Belgium (either physically or virtually).

The Supreme Court on 1 December confirmed all of the Court of Appeal’s arguments, essentially linking them to the objective territoriality principle. Yahoo! actively directs its activities towards consumers present in Belgium.

Even though the case involves a criminal proceeding, the Court’s judgment inevitably (not necessarily justifiably) will be used as further support for the Belgian tussle with Facebook.

Geert.

Posted on

Not the way the datr cookie crumbles. Belgian courts on soggy jurisdictional grounds in Facebook privacy ruling.

Update 27 June 2017 Before the CJEU Case C-210/16 Wirtschaftsakademie Schleswig-Holstein GmbH v Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein relates to some issues with relevance for the case at hand: in particular the respective powers of various authorities in the Member States with the parent company outside of the EU and one one of the data protection authorities based in the Member State where the company’s establishment is responsible for data processing under the group’s internal division of tasks and responsibilities.

Update 11 July 2016 the Court of Appeal has sided with FB on 29 June. No surprises there! Update 27 June 2017 both initial ruling and the CA’s judgment relate to the provisionary measures. The case is now going through the same courts in ordinary (non-urgent) fashion.

Update 9 February 2016 the French privacy commission has now mirrored the Belgian action

Quite a lot of attention has been going to a Belgian court ordering Facebook to stop collecting data from non-users through the use of so-called datr cookies.  Applicant is Willem Debeuckelaere, the chairman of the Belgian privacy commission, in his capacity as chairman (not, therefore, as a private individual). Our interest here is of course in the court’s finding that it has jurisdiction to hear the case, and that it can apply Belgian law. The judgment is drafted in Dutch – an English (succinct) summary is available here.

Defendants are three parties: Facebook Inc, domiciled in California; Facebook Belgium BVBA, domiciled in Brussels; and Facebook Ireland Ltd., domiciled in Dublin. Facebook Belgium essentially is FB’s public affairs office in the EU. FB Ireland delivers FB services to the EU market.

Directive 95/46 and the Brussels I Recast Regulation operate in a parallel universe. The former dictates jurisdiction and applicable law at the level of the relationship between data protection authorities (DPAs), and data processors (the FBs, Googles etc. of this world). The latter concerns the relation between private individuals and both authorities and processors alike. That parallelism explains, for instance, why Mr Schrems is pursuing the Irish DPA in the Irish Courts, and additionally, FB in the Austrian courts.

Current litigation against FB lies squarely in the context of Directive 95/46. This need not have been the case: Mr Debeuckelaere, aforementioned, could have sued in his personal capacity. If he is not a FB customer, at the least vis-a-vis FB Ireland, this could have easily established jurisdiction on the basis of Article 7(2)’s jurisdiction for tort (here: invasion of privacy): with Belgium as the locus damni. Jurisdiction against FB Inc can not so be established in the basis of Article 7(2) (it does not apply to defendants based outside the EU). If the chairman qq natural person is a FB customer, jurisdiction for the Belgian courts may be based on the consumer contracts provisions of Regulation 1215/2012 – however that would have defeated the purpose of addressing FB’s policy vis-a-vis non-users, which I understand is what datr cookies are about.

Instead, the decision was taken (whether informed or not) to sue purely on the basis of the data protection Directive. This of course requires application of the jurisdictional trigger clarified in Google Spain. German precedent prior to the Google Spain judgment, did not look promising (Schleswig-Holstein v Facebook).

At the least, the Belgian court’s application of the Google Spain test, is debatable: as I note in the previous post,

Article 4(1)(a) of Directive 95/46 does not require the processing of personal data in question to be carried out ‘by’ the establishment concerned itself, but only that it be carried out ‘in the context of the activities’ of the establishment (at 52): that is the case if the latter is intended to promote and sell, in that Member State, advertising space offered by the search engine which serves to make the service offered by that engine profitable (at 55). The very display of personal data on a search results page constitutes processing of such data. Since that display of results is accompanied, on the same page, by the display of advertising linked to the search terms, it is clear that the processing of personal data in question is carried out in the context of the commercial and advertising activity of the controller’s establishment on the territory of a Member State, in this instance Spanish territory (at 57).

Google Spain’s task was providing support to the Google group’s advertising activity which is separate from its search engine service. Per the formula recalled above, this sufficed to trigger jurisdiction for the Spanish DPA. Google Spain is tasked to promote and sell, in that Member State, advertising space offered by the search engine which serves to make the service offered by that engine profitable. The Belgian court accepts jurisdiction on the basis of Facebook Belgium’s activities being ‘inseparably linked’ (at p.15) to Facebook’s activities. With respect, I do not think this was the intention of the CJEU in Google Spain. At the very least, the court’s finding undermines the one stop principle of the data protection Directive, for Belgium’s position viz the EU Institutions means that almost all data processors have some form of public interest representation in Belgium, often indeed taking the form of a BVBA or a VZW (the latter meaning a not for profit association).

The court further justifies (p.16) its jurisdiction on the basis of the measures being provisionary. Provisionary measures fall outside the jurisdictional matrix of the Brussels I (Recast), provided they are indeed provisionary, and provided there is a link between the territory concerned and the provisional measures imposed. How exactly such jurisdiction can be upheld vis-a-vis Facebook Ireland and Facebook Inc, is not clarified by the court.

The court does limit the provisionary measures territorially: FB is only ordered to stop using datr cookies tracking data of non-FB users ‘vis-a-vis internetusers on Belgian territory’, lest these be informed of same.

I mentioned above that the data protection Directive and the Brussels I recast can be quite clearly distinguished at the level of jurisdiction. However findings of courts or public authorities on the basis of either of them, do still face the hurdle of enforcement. That is no different in this case. Recognition and enforcement of the judgment vis-a-vis FB Inc will have to follow a rather complex route, and it is not inconceivable that the US (in particular, the State of California) will refuse recognition on the basis of perceived extraterritorial jurisdictional claims (see here for a pondering of the issues). Even vis-a-vis Facebook Ireland, however, one can imagine enforcement difficulties. Even if these provisionary measures are covered by the Brussels I Recast (which may not be the case given the public character of plaintiff), such measures issued by courts which lack jurisdiction as to the substance of the matter, are not covered by the enforcement Title of the Regulation.

All in all, plenty to be discussed in appeal.

Geert.

 

 

 

Posted on

A bar to ‘extraterritorial’ EU law. Landgericht Koln refuses to extend ‘right to be forgotten’ to .com domain .

Postcript 11 March 2016 Google have announced a new policy which  goes some way to addressing the EU’s concerns. An unusually conciliatory move.

An inevitable consequence of the rulings in Google Spain, Weltimmo and Schrems /Facebook /Safe harbour, is whether courts in the EU can or perhaps even must insist on extending EU data protection rules to websites outside of EU domain. The case has led to suggestions of ‘exterritorial reach’ of Google Spain or the ‘global reach’ of the RTBF, coupled with accusations that the EU oversteps its ‘jurisdictional boundaries’. This follows especially the order or at least intention, by the French and other data protection agencies, that Google extend its compliance policy to the .com webdomain.

The Landgericht Köln mid September (the case has only now reached the relevant databases) in my view justifiably upheld enforcement jurisdiction in a libel case only against Google.de for that is the website aimed at the German market. It rejected extension of the removal order vis-à-vis Google.com, in spite of a possibility for German residents to reach Google.com, because that service is not intended for the German speaking area and anyone wanting to reach it, has to do so intentionally. (See the ruling under 1, para 3 and 4).

I have further context to this issue in a paper which is on SSRN and which is being peer reviewed as we speak (I count readers of this blog as peers hence do please forward any comments).

Geert.

Posted on

Forget Facebook and Safe Harbour. CJEU in Weltimmo confirms wide prescriptive but finds limited executive jurisdiction in EU data protection.

A lot of attention last week went to the CJEU’s annulment of the EC’s ‘Safe Harbour’ decision in Schrems v Facebook  (aka Austrian student takes on internet giant). I will not detail that finding for I assume, for once, that readers will be au fait with that judgment. For those who are not: please refer to Steve Peers for excellent analysis as per usual. It is noteworthy though that the CJEU’s finding in Schrems is based in the main on a finding of ultra vires: often easily remedied, as those with a background in public law will know.

Schrems (held 6 October) confirmed the Court’s approach to the EU’s prescriptive jurisdiction in data protection laws, as in Google Spain. However the Thursday before, on 1 October, the Court took a more restrictive view on ‘executive’ or ‘enforcement’ jurisdiction in Case C-230/14 Weltimmo. Lorna Woods has the general context and findings over at EU Law analysis. The essence in my view is that the Court insists on internal limitations to enforcement. It discussed the scope of national supervisory authority’s power in the context of Directive 95/4, the same directive which was at issue in Google Spain. The Court held

Where the supervisory authority of a Member State, to which complaints have been submitted in accordance with Article 28(4) of Directive 95/46, reaches the conclusion that the law applicable to the processing of the personal data concerned is not the law of that Member State, but the law of another Member State, Article 28(1), (3) and (6) of that directive must be interpreted as meaning that that supervisory authority will be able to exercise the effective powers of intervention conferred on it in accordance with Article 28(3) of that directive only within the territory of its own Member State. Accordingly, it cannot impose penalties on the basis of the law of that Member State on the controller with respect to the processing of those data who is not established in that territory, but should, in accordance with Article 28(6) of that directive, request the supervisory authority within the Member State whose law is applicable to act.

In other words, the supervisory authority in a Member State can examine the complaints it receives even if the law that applies to the data processing is the law of another Member State. However the scope of its sanctioning power is limited by its national borders.

This finding (I appreciate there are caveats) has important implications for the discussion on the territorial reach of the so-called ‘righ to be forgotten’. It supports in my view, the argument that the EU cannot extend its right to be forgotten rule to websites outside the EU’s domain. I have a paper forthcoming which discusses the various jurisdictional issues at stake here and the impact of Weltimmo on same.

Geert.

%d bloggers like this: