John O’Connor provides a timely update on recent Court of Justice of the EU rulings and the requirements for certain businesses regarding Data Protection
(i) New Test for Establishment for Data Protection Compliance Purposes
As a result of the recent Court of Justice of the EU (CJEU) ruling, many large US based technology, cloud and social media companies will be deemed to have an EU establishment if they have local sales and marketing subsidiaries operating in the EU.
The European Union’s draft data protection regulation (Regulation), which continues to be vigorously debated by the European institutions, is likely to contain extra-territorial provisions extending the reach of EU data protection law outside the EU to non-EU companies offering goods or services to residents of the EU or monitoring the behaviour of those residents.
Until recently, it had been thought that the Regulation would be the decisive measure that ultimately brings many non-EU technology and social media companies within the scope of European data protection laws. Many of those companies have, to date, kept their core data processing activities outside the EU to avoid becoming subject to the current EU Data Protection Directive. This was based on the traditional view that a non-EU parent company could generally shield itself from EU data protection law by ensuring that it did not have a physical establishment in the EU and did not use equipment in the EU to process personal data.
However, in May of 2014, the CJEU delivered a very significant judgment based on the EU’s existing data protection directive which dates from 1995 (Directive). The case involved a Spanish citizen’s request to be removed from Google’s search index.
Google Inc. has a subsidiary in Spain, and that subsidiary was clearly established in Spain for the purposes of Spanish data protection legislation, which is substantially derived from the Directive. Google Spain’s activities mainly related to selling advertising space to local customers on its parent company’s search engine; notably, Google Spain was not involved in operating the functionality of the search engine, which was conducted by its parent company.
The CJEU considered the ‘establishment’ test under the Directive in order to make its ruling. Under the Directive, processing of personal data does not necessarily have to be carried out where the controller is established in order for the Directive to apply; it is sufficient for the processing to be carried out “in the context of the activities of an establishment of the controller on the territory of the [relevant] Member State”.
The CJEU held that there was a sufficient connection between the activities of Google Spain and the data processing activities of its parent company’s search engine for the parent company to be established in Spain, because the activities in Spain were inextricably linked to the activities of the parent company’s search engine. The CJEU’s rationale was that Google Spain’s advertising sales ensured that the operation of the search engine (at least in so far as Spain is concerned) made economic sense, and that in turn the search engine enabled those advertising activities to be performed.
Crucially, this case means that a Member State’s data protection laws may apply when a non-EU-based company sets up sales offices selling advertising space in an EU Member State and otherwise focuses its activities on the inhabitants of that Member State. However, the case may have much broader application as well. It may be necessary for many large US technology, cloud and social media companies to examine their group structures and to consider whether local subsidiaries could result in the parent also being subject to the Directive, particularly if the two are seen as inextricably linked; that test appears to be primarily one of economic connection. This extension of EU data privacy law means that some of the extra-territorial effect of the new Regulation is already in force.
(ii) Progress on proposed Data Protection Regulation
In January 2012 the European Commission revealed a draft of the proposed Data Protection Regulation (Draft Regulation) to replace the existing Data Protection Directive (Directive 95/46/EC). The principal aim of the Draft Regulation is to harmonise current data protection laws across the European Union and to take account of European Union case law and best practice in the data protection field. At a surface level, this harmonisation could make it considerably more straightforward for organisations with operations across the EU to comply with one uniform set of data protection laws applicable in each Member State. However, it seems likely that this increased uniformity will come at the cost of a much stricter data protection regime, increased supervision by Data Protection Regulators and severe penalties of up to 5% of worldwide turnover for the most grievous of offences.
The legislative process is slowly progressing, with the Council of the European Union (the Council) releasing the latest version of the draft Regulation on 19 December 2014. Divergence continues to exist between the Council and the European Commission, and between Member States, on a number of issues. One important example is in the area of data minimisation. Article 5(c) in the Commission’s text would require personal data to be “adequate, relevant and limited to the minimum necessary in relation to the purposes for which they are processed”. The Council has proposed an amendment that deletes “limited to the minimum necessary” and replaces it with “not excessive”, which would appear to offer organisations a considerably more pragmatic approach to their obligations should it survive.
Further, in the Commission’s proposals, all public bodies, businesses with more than 250 permanent staff, and organisations with “core activities” that “consist of processing operations which … require regular and systematic monitoring of data subjects” would be required to appoint a Data Protection Officer (DPO). Under the Council’s plans, no organisation would be under an obligation to appoint a DPO unless required to do so under other EU legislation or the national laws of individual EU member states.
While the current Draft Regulation shows over 30 reservations entered by the European Commission, and several more by Member States, there is a broad expectation that agreement will be found and the legislation finalised in the next 12 months or so. This will be followed by a two-year period for Member States and organisations to prepare before the new law becomes effective.
Meanwhile, the new Irish Data Protection Commissioner, Helen Dixon, recently confirmed that there will be a significant recruitment drive by her office in 2015, with a plan to more than double her staff numbers. We are on the cusp of major change in the area of data protection, and it is now strongly recommended that all organisations take a more holistic approach to data protection compliance or risk the increased reputational and financial consequences that the short and medium term will undoubtedly bring.
This article was first published in Accountancy Plus on 30 March 2015.