Tag: Territorial scope

Posted on

The Antwerp court of first instance in CMB (Bocimar NV), ‘The Mineral Water’: In dubio pro reo or a perfect excuse for forum shopping?

The Antwerp court of first instance (criminal section) has held last Friday, 25 June (I have copy of the judgment (in Dutch) on file) in the prosecution against CMB (an Antwerp based shipowner; specifically: Bocimar NV) and a number of individuals for the alleged illegal transport of waste, in the shape of the discarded ship the Mineral Water, destined for beaching at Chittagong, Bangladesh (the same location of relevance in Begum v Maran).

The Mineral Water was built in 1999, bought by CMB in 2007. A decision was made ‘end 2015’ (the judgment does not clarify specific date and /or circumstance of that decision) to sell  her, with a view to recycling. That sale was approved on 19 January 2016 by Bocimar Board Decision, to a cash buyer based on the British Virgin Islands, when the ship was anchored at Fangcheng, China. Actual transfer of the ship happened at Malaysia a few weeks later. The ship’s registry was changed from Antwerp to Niue after the transfer and she was beached at Chittagong in February.

The case is a criminal prosecution which of course carries with it a high burden of proof. Seeing as the ship sailed under Belgian flag, the principled application of Belgian and EU law was not as such disputed. Neither do the original owners dispute that at the time of the January 2016 decision, the ship met with the definition of waste ia per CJEU Shell. However defendants argue the EU Waste Shipments Regulation – WSR does not apply for, they argue, the Mineral Water never sailed in European waters and was not physically exported from the EU with a view to recycling (p.5 in fine).

[The court later (p.8) notes this is not quite correct: occasionally EU ports were used for (un)loading and in 2015 there was rare bunkering at Malta].

The court held for the defence. Core to the decision is Article 2, 30 31 and 32: the definitions of ‘import’, ‘export’, ‘transfer’. The prosecutor seeks support in Article 2.22: ”country of dispatch’ means any country from which a shipment of waste is planned to be initiated or is initiated’. The court however held that neither the place of decision nor the flag State is of relevance to the territorial scope of application of the WSR. (Note the contrast on that point with the Ships Recycling Regulation – SRG 1257/2013, not applicable to the facts at issue).

One imagines more on that issue can and should be said upon appeal.

The countries of dispatch, transfer and destination of the ship are all ex-EU. Importantly, at p.8 the court notes there is no indication that the owners would have gamed the system to ensure the ship lay outside EU territorial waters at the time of the decision to discard.

The case shows the importance of the flag State in the SRG (itself not free of difficulties; the IMO Hong Kong Convention should avoid gaming). Of note is also that the place of decision-making (relevant for conflict of laws: locus delicti commissi, eg under A7 Rome II as discussed in Begum v Maran) did not play a  role. The crucial element was the almost complete lack of physical contact between the ship and the EU.

One assumes the prosecution will appeal.

Geert.

Handbook of EU Waste law, 2015, Chapter 3.

Posted on

A quick note on mutual trust and judicial co-operation: Rantos AG on Brussels IIa in SS v MCP.

Last week’s Opinion of Advocate General Rantos (successor to Sharpston AG) in C-603/20 PPU SS v MCP is of note for its emphasis on the principle of mutual trust that lies at the foundation of European Private International Law. Brussels IIa is not staple diet for the blog and I shall leave more intense analysis to others. In short, the AG opined that a Member State retains jurisdiction under the Regulation, without limit of time, if a child habitually resident in that Member State was wrongfully removed to, or retained in, a non-Member State where it in due course became habitually resident.

The third country at issue is India, a non-Hague Convention State, as opposed to the UK, now also a third country but a Hague State. Note that in future A97(2) Brussels IIa Recast give clear priority to A13 Hague Convention’s lis alibi pendens rule, in cases where the conditions for that article are fulfilled: see Cusworth DJ today in AA & BB [2021] EWFC 17 at 27).

Of note to the blog is the AG’s emphasis on mutual trust, at 62 ff:

all Member States comply, in principle, with EU law justifies recognising, subject to certain conditions, the jurisdiction of the courts of the Member State to which a child was abducted and where he or she has acquired a habitual residence. By contrast, if a child has been abducted to a non-Member State, the cooperation and mutual trust provided for in EU law cannot apply. Therefore, having regard to the context of Article 10 of Regulation No 2201/2003, there is no justification for accepting the jurisdiction of the courts of that non-Member State, including in the case where the abducted child has acquired his or her habitual residence in the latter State.

and at 84

Regulation No 2201/2003 is based on cooperation and mutual trust between the courts of the Member States, which allows, subject to certain conditions, jurisdiction to be transferred between those courts. Since provision is not made for cooperation and mutual trust in the case of courts of a non-Member State, it appears to me entirely justified and consistent with that regulation for the courts of the Member State in which a child was habitually resident before his or her abduction to a non-Member State to continue to have jurisdiction for an unlimited period of time, with a view to ensuring that the best interests of that child are protected.

With this he dismissed the view of the referring court,  that A10 BIIA should be interpreted as having a territorial scope confined to the Member States because otherwise the jurisdiction retained by the Member State of origin would continue to exist indefinitely. In that court’s view, that Member State would thus be in a stronger position jurisdictionally vis-à-vis a non-Member State than a Member State.

Geert.

EU Private International Law, 3rd ed. 2021, various places (see Index: ‘Mutual Trust’).

Posted on

Soriano v Forensic News LLC & Ors. (Inter alia) the GDPR jurisdictional gateways being tested.

Soriano v Forensic News LLC & Ors [2021] EWHC 56 (QB) engages ia the jurisdictional implications of the GDPR (this post focuses solely on the data protection claim). Claimant  (habitually resident in the UK) sues in relation to ten internet publications and various social media postings including on Facebook and on Twitter. He relies on various causes of action including data protection, malicious falsehood, libel, harassment and misuse of private information. Defendants are all domiciled in various US States.

The Brussels Ia Regulation is not engaged; the GDPR is. (On the partial overlap and conflict between BIa and the GDPR see my paper here). A79 GDPR reads

“Right to an effective judicial remedy against a controller or processor

    1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
    2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.”

At 45-47 the ‘establishment’ issue is not much discussed for the claimant at any rate meets with the habitual residence gateway. Focus of the discussion is on A3’s territorial scope provisions (I am not sure I agree with the suggestion at 46 that A79 logically comes before consideration of A3). Reference is made to Google Spain, Weltimmo and  Verein fur Konsumerentenininformation- see also my review with Yuliya Miadzvetskaya here. The European Data Protection Board’s Guidelines 3/2018 on the Territorial Scope of the GDPR are then turned to to consider targeting, processing and ‘related to’ per A3(2) GDPR.

At 60, Claimant’s case on A3 (2)(a) is set out as arguing that the Defendants, to the extent that they are data controllers, offer services to readers in the UK irrespective of payment. As for A3.2(b), it is contended that the website places cookies on readers’ devices and processes their personal data using Facebook and Google analytics for the purpose of targeting advertisements, with Facebook Ireland Ltd and Google Ireland Ltd operating as the registered joint data controller. Further, it is submitted (By Greg Callus – the same counsel as in the Court of Appeal judgment in Wright v Grannath which I reported yesterday) that the Defendants were collecting and obtaining data about the Claimant and were monitoring his behaviour within the UK and the EU with a view to making publishing decisions.

Justice Jay held claimant has no real prospect of success on either (a) or (b). At 64 ff: the ‘journalistic endeavour’ complained of is not oriented towards the UK in any relevant respect; as for article 3.2(a), there is nothing to suggest that the First Defendant is targeting the UK as regards the goods and services it offers; as for article 3.2(b), at 68

First Defendant’s use of cookies etc. is for the purpose of behavioural profiling or monitoring, but that is purely in the context of directing advertisement content. There is no evidence that the use of cookies has anything to do with the “monitoring” which forms the basis of the Claimant’s real complaint: the Defendant’s journalistic activities have been advanced not through any deployment of these cookies but by using the internet as an investigative tool. In my judgment, that is not the sort of “monitoring” that article 3.2(b) has in mind; or, put another way, the monitoring that does properly fall within this provision – the behavioural profiling that informs advertising choices – is not related to the processing that the Claimant complains about (assuming that carrying out research online about the Claimant amounts to monitoring at all).

(Obiter, at 69, it is held that had the good arguable case succeeded, the claim would have withstood a forum non conveniens argument).

At 112 ff the jurisdictional case for libel is upheld.

An interesting illustration of the unsettled nature of jurisdictional claims under the GDPR.

Geert.

EU Private International Law, 3rd ed. 2021, Heading 2.2.9.2.5, para 2.258 ff.

 

 

Posted on

It’s true! Belgian Supreme Court confirms order for Yahoo! to hand over IP-addresses.

Jurisdiction and the internet is a topic which has featured once or twice on this blog recently (and in a  paper which I have already referred to in those earlier postings). Belgian’s Supreme Court in ordinary (the Hof van Cassatie /Cour de Cassation) employed the objective territoriality principle in a case with roots going back to 2007 (the fraudulent purchase of and subsequent failure to pay for electronic equipment from a shop in Dendermonde, Belgium), Yahoo! was requested to hand over the IP addresses associated with e-mail accounts registered to Yahoo!’s e-mail service. Yahoo! Inc, domiciled in California, refused to comply, triggering fines under criminal law. (It’s corporate slogan btw used to be ‘it’s true!’ Hence the title of the post).

Responding to Yahoo!s claims that Belgium was imposing its criminal laws extraterritorially, the Court of Appeal had held that Yahoo! is territorially present in Belgium, hereby voluntarily submitting itself to the jurisdiction of the Belgian authorities: it takes an active part in economic life in Belgium, among others by use of the domain name http://www.yahoo.be, the use of the local language(s) on that website, pop-up of advertisements based on the location of the users, and accessibility in Belgium of Belgium-focussed customer services (among others: a ‘Belgian’ Q&A, FAQ, and post box). [Notice the similarity with the Pammer /Alpenhof criteria]. The Court of Appeal had suggested that the accusations of extraterritoriality could only be accepted had there been a request for the handover of data or objects which are located in the USA, with which there is no Belgian territorial link whatsoever, and if the holder of these objects or data is not accessible in Belgium (either physically or virtually).

The Supreme Court on 1 December confirmed all of the Court of Appeal’s arguments, essentially linking them to the objective territoriality principle. Yahoo! actively directs its activities towards consumers present in Belgium.

Even though the case involves a criminal proceeding, the Court’s judgment inevitably (not necessarily justifiably) will be used as further support for the Belgian tussle with Facebook.

Geert.

Posted on

A bar to ‘extraterritorial’ EU law. Landgericht Koln refuses to extend ‘right to be forgotten’ to .com domain .

Postcript 11 March 2016 Google have announced a new policy which  goes some way to addressing the EU’s concerns. An unusually conciliatory move.

An inevitable consequence of the rulings in Google Spain, Weltimmo and Schrems /Facebook /Safe harbour, is whether courts in the EU can or perhaps even must insist on extending EU data protection rules to websites outside of EU domain. The case has led to suggestions of ‘exterritorial reach’ of Google Spain or the ‘global reach’ of the RTBF, coupled with accusations that the EU oversteps its ‘jurisdictional boundaries’. This follows especially the order or at least intention, by the French and other data protection agencies, that Google extend its compliance policy to the .com webdomain.

The Landgericht Köln mid September (the case has only now reached the relevant databases) in my view justifiably upheld enforcement jurisdiction in a libel case only against Google.de for that is the website aimed at the German market. It rejected extension of the removal order vis-à-vis Google.com, in spite of a possibility for German residents to reach Google.com, because that service is not intended for the German speaking area and anyone wanting to reach it, has to do so intentionally. (See the ruling under 1, para 3 and 4).

I have further context to this issue in a paper which is on SSRN and which is being peer reviewed as we speak (I count readers of this blog as peers hence do please forward any comments).

Geert.

Posted on

ECJ in Google Spain confirms reach of EU Data Protection Directive. Right to be forgotten not upheld verbatim but may be realised in practice.

I reported earlier on the AG’s Opinion in Google Spain. The Court held this morning. It broadly confirms the AG’s view on jurisdiction however it did effectively read a (conditional and incrimental) right to be forgotten in the current Directive, in contrast with the AG.

The ECJ confirmed earlier case-law in which it held that the operation of loading personal data on an internet page must be considered to be such ‘processing’ within the meaning of Article 2(b) of Directive 95/46. This finding is not affected  by the fact that those data have already been published on the internet and are not altered by the search engine.

Who is the ‘controller’ of these data?  The activity of a search engine is liable to affect significantly, and additionally compared with that of the publishers of websites, the fundamental rights to privacy and to the protection of personal data. The operator of the search engine as the person determining the purposes and means of that activity must ensure, within the framework of its responsibilities, powers and capabilities, that the activity meets the requirements of Directive 95/46 in order that the guarantees laid down by the directive may have full effect and that effective and complete protection of data subjects, in particular of their right to privacy, may actually be achieved.  It is this operator who is the ‘controller’ within the meaning of the Directive.

The territorial scope of the Directive is the most relevant to the conflicts community: It is noteworthy that in the current version of the data protection directive, targeting of consumers is not a jurisdictional criterion for providers established outside of the EU.

The referring court had stated that Google Search is operated and managed by Google Inc. and that it has not been established that Google Spain carries out in Spain an activity directly linked to the indexing or storage of information or data contained on third parties’ websites. Nevertheless, according to the referring court, the promotion and sale of advertising space, which Google Spain attends to in respect of Spain, constitutes the bulk of the Google group’s commercial activity and may be regarded as closely linked to Google Search.

The ECJ notes that Google Spain engages in the effective and real exercise of activity through stable arrangements in Spain. As it moreover has separate legal personality, it constitutes a subsidiary of Google Inc. on Spanish territory and, therefore, an ‘establishment’ within the meaning of Article 4(1)(a) of Directive 95/46. However, is the processing of personal data by the controller ‘carried out in the context of the activities’ of an establishment of the controller on the territory of a Member State (necessary to trigger application of the Directive)?

Google Spain and Google Inc. dispute that this is the case since the processing of personal data at issue in the main proceedings is carried out exclusively by Google Inc., which operates Google Search without any intervention on the part of Google Spain; the latter’s activity is limited to providing support to the Google group’s advertising activity which is separate from its search engine service.

The court disagreed: Article 4(1)(a) of Directive 95/46 does not require the processing of personal data in question to be carried out ‘by’ the establishment concerned itself, but only that it be carried out ‘in the context of the activities’ of the establishment (at 52): that is the case if the latter is intended to promote and sell, in that Member State, advertising space offered by the search engine which serves to make the service offered by that engine profitable (at 55). The very display of personal data on a search results page constitutes processing of such data. Since that display of results is accompanied, on the same page, by the display of advertising linked to the search terms, it is clear that the processing of personal data in question is carried out in the context of the commercial and advertising activity of the controller’s establishment on the territory of a Member State, in this instance Spanish territory (at 57).

This view confirms broadly the AG’s use of Google’s ‘business model’ as a jurisdictional trigger.

 

The AG had also opined on the supposed ‘right to be forgotten’ concluding that it does not exist in current EU law (neither directive nor Charter). The ECJ’s findings work towards such right (without mentioning it specifically)  following a thorough review of the requirements of the Directive and the proportionality test implied, and by holding that given the ease with which information published on a website can be replicated on other sites and the fact that the persons responsible for its publication are not always subject to European Union legislation, effective and complete protection of data users could not be achieved if the latter had to obtain first or in parallel the erasure of the information relating to them from the publishers of websites.

The operator of a search engine may therefore be obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful (at 88). The right to privacy however has to be assessed vis-a-vis the right of the public to information, in an ad hoc manner.

The judgment has plenty for the data protection community to chew over (sse e.g. Orla Linskey over at the EU law blog). For those of us who are conflicts lawyers, the jurisdictional trigger is most interesting (and will feed into the review of the Directive, one imagines).

Geert.

Posted on

‘Where law and new technology meet’ – JÄÄSKINEN AG turns to business model in Google Spain to establish scope of application of the data protection Directive. No right to be forgotten under the Directive or Charter.

As announced on the blog earlier, JÄÄSKINEN AG has opined this morning in Case C-131/12 Google Spain. The Opinion covers a lot of issues in relatively condensed space – one of these Opinions where you should not trust the summary of a blogger, for invariably the blog posting does not do justice to all issues addressed. Below my highlights on the basis of diagonal reading: for I find this too important an Opinion not to flag it immediately.

As summarised by the AG, according to Article 4(1) of the Directive, the primary factor that gives rise to the territorial applicability of the national data protection legislation is the processing of personal data carried out in the context of the activities of an establishment of the controller on the territory of the Member State. Further, when a controller is not established on EU territory but uses means or equipment situated on the territory of the Member State for processing of personal data, the legislation of that Member State applies unless such equipment or means is used only for purposes of transit through the territory of the EU. The territorial scope of application of the Directive and the national implementing legislation is triggered therefore either by the location of the establishment of the controller, or the location of the means or equipment being used when the controller is established outside the EEA. Nationality or place of habitual residence of data subjects is not decisive, nor is the physical location of the personal data – at least not in the current versions of the Directive. The AG points out that in future legislation relevant targeting of individuals could be taken into account in relation to controllers not established in the EU. Such an approach, attaching the territorial applicability of EU legislation to the targeted public, is consistent with the Court’s case-law on the applicability of the e-commerce Directive 2000/31, the Brussels I (‘jurisdiction’) Regulation and Directive 2001/29, the on copyright and related rights in the information society to cross-border situations. Again, though, it is not a criterion in the current version of the data protection Directive, with respect to providers established outside of the EU.

The AG turns to the business model of a company to assist him in establishing applicability of the Directive for the case at issue, where Google (domiciled in California) does have establishments in the EU (the establishment of the controller therefore being the trigger), as well as at least two known data centres:

‘Google Inc. is a Californian firm with subsidiaries in various EU Member States. Its European operations are to a certain extent coordinated by its Irish subsidiary. It currently has data centres at least in Belgium and Finland. Information on the exact geographical location of the functions relating to its search engine is not made public. Google claims that no processing of personal data relating to its search engine takes place in Spain. Google Spain acts as commercial representative of Google for its advertising functions. In this capacity is has taken responsibility for the processing of personal data relating to its Spanish advertising customers. Google denies that its search engine performs any operations on the host servers of the source web pages, or that it collects information by means of cookies of non registered users of its search engine.’ (at 62).

‘In my opinion the Court should approach the question of territorial applicability from the perspective of the business model of internet search engine service providers. This, as I have mentioned, normally relies on keyword advertising which is the source of income and, as such, the economic raison d’être for the provision of a free information location tool in the form of a search engine. The entity in charge of keyword advertising (called ‘referencing service provider’ in the Court’s case-law) is linked to the internet search engine. This entity needs presence on national advertising markets. For this reason Google has established subsidiaries in many Member States which clearly constitute establishments within the meaning of Article 4(1)(a) of the Directive. It also provides national web domains such as google.es or google.fi. The activity of the search engine takes this national diversification into account in various ways relating to the display of the search results because the normal financing model of keyword advertising follows the pay-per-click principle.’ (…) ‘In conclusion, processing of personal data takes place within the context of a controller’s establishment if that establishment acts as the bridge for the referencing service to the advertising market of that Member State, even if the technical data processing operations are situated in other Member States or third countries.’ (…)

‘For this reason, I propose that the Court should answer the first group of preliminary questions in the sense that processing of personal data is carried out in the context of the activities of an ‘establishment’ of the controller within the meaning of Article 4(1)(a) of the Directive when the undertaking providing the search engine sets up in a Member State for the purpose of promoting and selling advertising space on the search engine, an office or subsidiary which orientates its activity towards the inhabitants of that State.’  [footnotes omitted]

The AG uses the terms ‘targeted at’ [cf in this respect ‘intended target of information’ in Football Dataco] and ‘oriented at’ – not, as had become custom, ‘directed at’: presumably to emphasise the contrast with the other Directives mentioned above.

The AG then turns his attention inter alia to the alleged ‘right to be forgotten’: not one, he suggests, which exists under the current Directive, not even when read in conjunction with the Charter on Fundamental Rights and Freedoms (the EU’s version of the Human Rights Act). That surely is an important observation.

Much to chew on – not quite all digested above, however I do hope these first impressions may act as an appetizer for discussion elsewhere.

Geert.

%d bloggers like this: