The Google Spain case is most commonly recognised for introducing the ‘right to be forgotten’. However, the judgment has had a more subtle but no less significant side effect. The case also extended the territorial application of EU data protection law to entities located outside the EU but which have some presence – like a marketing subsidiary – in Europe. Following Google Spain, certain EU data protection authorities (“DPAs”) have taken an aggressive interpretation of this aspect to the case. DPAs have argued that Google Spain should be read as meaning that a pan-EU business should be simultaneously subject to the data protection laws of all EU Member States where it – or one of its affiliates – has a presence, even if that in-country affiliate has little to do with data processing. This has led to conflicting interpretations as to which national data protection law applies to a single set of processing activities under the Data Protection Directive. Helpfully, this past week has seen clarifying views provided at both national and EU level.
What does the Directive say?
Article 4 of the Directive sets down rules for determining if EU data protection law applies – and, if so, which Member State’s law should apply – to the processing of personal data. The CJEU tested the bounds of this first question in its Google Spain decision, where it addressed the territorial reach of EU data protection law under Article 4. The CJEU found that an “inextricable link” existed between the Spanish and US entities, despite the fact that Google Spain did not actually process personal data related to Google Search. This permitted the CJEU to bridge a perceived “gap” in protection and apply EU (in that case, Spanish) data protection law to the US-based Google, Inc.
However, another significant rule flows from Article 4 – that addressing a ‘conflict of laws’ scenario. This applies to a situation where more than one Member State’s national law has the potential to apply to a particular instance of data processing. Article 4(1)(a) states that:
“… when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable …”
What is the issue?
The precise intention behind this text has, over the past few years, served as an ever increasing point of contention in EU data protection law. One view is that the law of the Member State where the controller is principally established should apply, even where the controller is found to be established in other Member States. The competing view, however, is that each establishment of a controller must separately comply with the data protection rules of the Member State in which it is based.
A regulatory race
DPAs, in particular, have sought to leverage this language in order to re-regulate controllers that are already subject to another DPA’s and Member State’s oversight. Recently, the Article 29 Working Party (“WP29”) – the collective body of DPAs – published an updated Opinion 08/2010 on applicable law in light of Google Spain. In particular, WP29 changed its views on which Member State’s data protection laws are to apply in cases where companies have several establishments across the EU. In the Opinion, WP29 admits that the “baselines provided by the Directive … still provide a relatively high level of protection”. However, it argues that, because there is not full harmonisation of data protection law, companies must comply with local laws of each Member State in which it has a presence to the extent that the EU headquarters carries out processing in the context of the relevant local entity. This is an about face from the original Opinion of WP29 on this topic which stated that the location of the EU headquarters or centre of operations determines the applicable law, despite the presence of commercial offices in other Member States.
Last week, the Hamburg Administrative Court (the “HamburgCourt”) handed down a decision, suspending an order of the Hamburg DPA which had challenged Facebook’s ‘real name’ policy. The Hamburg DPA had argued that German national data protection law should apply to Facebook, and that users should be able to create profiles with pseudonymous (made-up) names. Despite Facebook’s headquarters being located in Ireland, the Hamburg DPA tried to lean on the existence of Facebook Germany’s offices as a means to apply German law. It is worth noting that the Hamburg DPA’s case was based on a provision of German data protection law – the right to a pseudonymous online profile – that has no equivalent under EU or Irish rules.
When the Court analysed the matter of applicable law under Article 4(1), it concluded that German law was not applicable, despite the office of Facebook in Germany. The Hamburg Court first found that Facebook did have an establishment in an EU Member State (Ireland) and therefore a broad interpretation of the ‘establishment test’ was not justified. Distinguishing the CJEU’s judgment in Google Spain, the Hamburg Court noted that there was no “gap” in protection to be bridged here but instead, there was a potential overlap of laws and regulation.
Where the controller has establishments in more than one Member State, the Hamburg Court indicated that the law of the state of the establishment with “the closest relationship” with the relevant data processing should be applicable. Given this, a case-by-case assessment must be undertaken. The Hamburg Court made it clear that if one of the establishments processes personal data as part of the activities of another primary establishment, then the data protection law of the Member State which hosts that primary establishment must apply. Because Facebook Ireland has the closest relationship with the relevant data processing, and not Facebook Germany, the Hamburg Court determined that German law was not applicable.
The Commission weighs in on inter-DPA cooperation
In parallel with the Hamburg Court’s decision, the European Parliament recently published the European Commission’s views on applicable data protection law. This arose in response to a German individual’s petition to the Parliament on the handling of personal data by PayPal. One of his complaints was that the German regulatory authorities cannot supervise PayPal, which is headquartered in Luxembourg.
In its reply, the Commission said it was the role of national DPAs to address these issues. The Commission pointed to the Luxembourgish DPA as the competent regulator, given that the processing of the individual’s data is carried out in the context of that establishment of the controller. This, again, supports the notion that the DPA of the Member State in which a controller’s EU headquarters is based is most likely the competent regulator. Citing the Weltimmocase, the Commission added that the individual can submit a complaint to their local DPA, who in turn is obliged to cooperate with the competent DPA.
How do these decisions affect the interpretation of Article 4(1)?
This interpretation provided by the Hamburg Court is to be favoured because it is capable of avoiding a scenario in which cross border services must observe a multitude of different national data protection laws. At this point, it is worth remembering that the Data Protection Directive has two distinct purposes. First, it is designed to ensure an adequate level of protection of personal data. Second, it was intended to contribute to the building of the EU’s Internal Market by removing a potential barrier to trade: overlapping and inconsistent national data protection rules that subject pan-EU businesses to re-regulation whenever they cross national borders.
The Hamburg Court found that there was no basis under EU law to justify the application of multiple data protection laws to the same processing activity – the Directive is intended to be uniform, Union-wide law, and it is both adequate and necessary that one instance of data processing is subject to the legal provisions of only one Member State. This significantly diverges from WP29’s views that despite “relatively high level of protection” of the Directive’s baseline, one must still comply with different national rules.
What does the future hold?
The most interesting facet of this debate is that the ‘one-stop-shop’ mechanism – which also addresses ‘conflicts of law’ scenarios – is a core component of the incoming data protection regime. The General Data Protection Regulation (“GDPR”), which is expected to formally replace the Directive in a little over 2 years’ time, more closely reflects the views of the Commission and the Hamburg Court.
In essence, one-stop-shop seeks to regulate a company in the Member State where its EU headquarters or centre of control is based. That Member State’s DPA is the “lead DPA”. Other DPAs can act as “concerned” DPAs to the extent that the controller’s activities affect individuals in their respective Member States.
Despite divergent views arising at DPA level, it appears that both national courts and EU institutions maintain a more pragmatic approach in relation to this conflict of laws issue. In any event, it is clear that the dual intentions of the Directive have sometimes been overlooked by DPAs when seeking to apply their own national law. It will be interesting to see whether DPAs modify their approach in light of these recent views.