As a result of the significant Court of Justice of the EU (CJEU) ruling in the Google Spain case many large US based technology, cloud and social media companies will be deemed to have an EU establishment if they have local sales and marketing subsidiaries operating in the EU. The case involved a Spanish citizen’s request to be removed from Google’s search index.
The CJEU considered the ‘establishment’ test under the 1995 Directive, which states that processing of personal data does not necessarily have to be carried out where the controller is established in order for the Directive to apply – it is sufficient for the processing to be carried out “in the context of the activities of an establishment of the controller on the territory of the [relevant] Member State’.
The CJEU held there was “sufficient connection” between the activities of Google Spain and the data processing activities of its parent company’s search engine for the parent company to be established in Spain, because the activities in Spain were inextricably linked to the activities of the parent company’s search engine.
Crucially, this case means that a member state’s data protection laws may apply when a non EU based company sets up sales offices selling advertising space in an EU member state and otherwise focuses activities towards inhabitants of that member state. However, the case may have much broader application as well and it may be necessary for many large US technology, cloud and social media companies to examine their group structures and to consider whether local subsidiaries could result in the parent also being subject to the Directive particularly if the two are seen as inextricably linked which appears to be primarily an economic connection test.
The Irish Independent newspaper has quoted the Irish Data Protection Commissioner Helen Dixon (in the context of Twitter’s relocation of its global legal centre to Ireland) as stating that in the Google Spain case the CJEU “underlined” the fact that it doesn’t matter if a social media company says that they are a US data controller (rather than an EU data controller), by virtue of having a substantial business with an EU subsidiary it is likely that the local data protection authority would have jurisdiction in any event under the establishment test laid down in the Google Spain case.
Ms Dixon stated that although she had received queries in relation to Twitter, such social media information-rich organisations would always have been covered by the 1995 Directive and that the Office of the Data Protection Commissioner would have always have seen themselves as “responsible” for them.
A spokesman for the Office of the Data Protection Commissioner also stated that Twitter’s relocation of its’ non-US privacy accountability “won’t really change” existing law on the issue, nor the office’s official responsibility for dealing with Twitter, “EU law in each country was always, and remains, applicable to EU users.” This would appear to be a wider declaration of jurisdiction than the Google Spain case ever intended.
Interestingly, in the context of the lead authority mechanism employed in the audits of social media organisations with European HQs, the office also stated that it is not just the Irish authority that could be undertaking an investigation in the event of a complaint against a social media company; “if someone in Spain has a complaint about Twitter, it’s investigated there. We’re not the exclusive regulatory authority in this regard.