What does this cover?
The Article 29 Working Party (WP29), the body made up of the ICO and its European equivalents, issued an Opinion in December 2010 (the 2010 Opinion) which sought to clarify the scope of application of EU data protection law under the Data Protection Directive (95/46/EC) (the Directive). Developments in the law, which have seemingly expanded the application of the Directive in both the Weltimmo case and Google Spain (see below), have created the necessity for a 2016 update to the 2010 Opinion, which WP29 published in January.
Article 4 of the Directive provides that Member States can apply their own national data protection laws (which implement the Directive) to the processing of personal data if the processing is carried out "in the context of the activities of an establishment of the controller" operating within that Member State.
The coverage intended by the wording "in the context of the activities" gave rise to uncertainty, and in Google Spain (Case C-131/12) the CJEU considered whether the scope of Article 4 extended to data processed outside the EU. In 2014 the CJEU determined that Google Inc. was a data controller and that, despite Google's data processing activity occurring in the U.S., Spanish data protection laws applied because Google Inc.'s Spanish-based subsidiary carried out commercial and advertising activities which were "inextricably linked" to the processing activity of Google Inc. Google Spain's activities provided Google Inc. with the mechanism to support the search engine's economic profitability.
In its update to the 2010 Opinion, WP29 confirms that:
- "the notion of establishment has to be interpreted broadly";
- Google Spain's 'inextricable link' criterion is incorporated into the updated guidance. The extent to which a link is an 'inextricable link' to processing activity remains uncertain, but it is likely to include the types of revenue-producing activity occurring in Google Spain and will apply to companies beyond search engine providers;
- "there may be several national laws applicable to the activities of a controller having multiple establishments in various Member States"; and
- The "broad reach" of EU data protection law "is expected to be further extended" by the GDPR.
What action could be taken to manage risks that may arise from this development?
To the extent that organisations offer services from one Member State into another (e.g. through passporting), they should be aware of the potential for different data protection laws to apply. This position will be improved once the GDPR comes into force, due to the new "One-Stop-Shop" regime.