Can the mere offering of a mobile app subject the provider of such app to the privacy laws of countries in the European Union (EU)—even if the provider does not have any establishments or presence in the EU? The answer from the District Court of The Hague to that question is yes. The court confirmed on November 22, 2016, that app providers are subject to the Dutch Privacy Act by virtue of the mere offering of an app that is available on phones of users in the Netherland, even if they don’t have an establishment or employees there.
Context. EU privacy laws generally apply on the basis of two triggers: (i) if a company has a physical presence in the EU (in the form of an establishment or office or otherwise) and that physical presence is involved in the collection or other handling of personal information; or (ii) if a company doesn’t have a physical presence but makes use of equipment and means located in the EU to handle personal information.
Background. In 2013, the Dutch Data Protection Authority (DPA) completed an investigation into WhatsApp’s practice of asking users, including in the Netherlands, to give access to their electronic address book to WhatsApp and enable it to record phone numbers, including those of non-WhatsApp users on its U.S. servers. Further to the investigation, the DPA ordered that the company appoint a representative in the Netherlands accountable for compliance with the Dutch Privacy Act under Article 4 of the Act (i.e., where a company who processes personal information of users does not have an establishment in the Netherlands, but uses equipment there).
Key findings. The court decided that, simply by making an app available in the Netherlands, the company made “use of equipment” (i.e., smartphones on which the app is installed) in the Netherlands, even though the equipment is not the company’s own or specifically procured equipment. The court also found that such equipment was used for processing personal information (e.g., accessing users’ address books and transferring certain information to the United States). As a result, this triggered the application of EU privacy rules, as implemented in the Netherlands, through the Dutch Privacy Act.
The court also refuted the company’s argument that a representative must only be appointed in the EU in the context of information and reporting duties to the DPA and not substantive compliance with the Dutch Privacy Act. To the contrary, the court found that this representative had to comply with the full breadth of the Dutch Privacy Act.
To support its view, the court referred to works (on applicable law and apps on smart devices) of the Article 29 Working Party (WP29, a consortium of EU Member State DPAs) and to the European Court of Justice’s interpretation of the scope of EU privacy rules in the Google v. Spain case (i.e., Google’s search engine is subject to EU privacy rules even though the search engine is administered out of the U.S., C-131/12).
It is interesting to note that the court relies on the WP29 in reaching its decision. Although the court refers to the WP29’s work as “advice,” thereby acknowledging that it is not binding, the court nevertheless cites to such advice in support of its own findings and ruling.
Conclusion. App developers will want to take note of the District Court of The Hague’s WhatsApp decision, given that it appears to significantly broaden the reach of EU privacy rules.
Apps are almost always provided on a global basis. Under the WhatsApp decision, the mere fact that an app developer has customers in the EU, and has access (even at a distance) to such user’s personal information, may mean that it needs to comply with EU privacy rules, including appointing a representative in the EU. An app developer seeking to avoid this obligation may need to either geo-restrict the availability of its app (e.g., restrictions in app stores) or refrain from collecting users’ information (e.g., this could work for purely informative apps).
Finally, although this “use of equipment” criteria will disappear under the new EU privacy regime (the General Data Protection Regulation, effective as of May 25, 2018), it will be replaced by new criteria for applicability, including the offering of products or services to EU residents. It may well be likely (although this was not before the court in the WhatsApp case) that a court will reach a similar conclusion also under that new EU privacy regime.
The District Court of The Hague’s decision is available here.