This article was first published on Lexis®PSL IP & IT on 11 February 2016.
What does the adoption of an ‘inextricable link’ test mean for the possible worldwide application of the Data Protection Directive?
The adoption of an ‘inextricable link’ test for the jurisdiction of the Data Protection Directive potentially significantly widens its application to data controllers based outside the European Union. The Court of Justice of the European Union (“CJEU”) first introduced the concept of the ‘inextricable link’ in its judgement in Costeja, but the updated Opinion by the WP29 shows the Data Protection Authorities (“DPAs”) now consider it to be a key aspect of the existing ‘establishment’ test in Article 4(1)(a) of the Directive.
Article 4(1)(a) provides that the Directive will apply to any data controller who has an establishment in an EU member state, where the data processing takes place ‘in the context of’ the activities of that establishment. An ‘establishment’ does not have to be a subsidiary, but merely the ‘effective and real exercise of activity through stable arrangements’ (see Recital 19 of the Directive). The CJEU’s 2015 decision in Weltimmo made it clear that the concept of an ‘establishment’ would be interpreted broadly.
In Costeja, the CJEU held that processing will be ‘in the context of’ the activities of an EU establishment where the activities are inextricably linked to the data processing. In respect of Google’s search engine, the CJEU held that the activities of Google’s Spanish affiliate in generating advertising revenue were ‘inextricably linked’ to the data processing conducted by Google Inc. in running its search engine, and therefore Google Inc. was subject to the Directive.
That the Directive can apply to a data controller who is not itself based in the EU is not new. As the Working Party explains in the Opinion, this is the whole purpose of the test in Article 4(1)(c) of the Directive, which states that a controller not established in the EU will nonetheless be subject to the Directive if it uses equipment in the EU. The concept of ‘equipment’ (or ‘means of processing’ in some translations) has been increasingly widely interpreted in recent years to include cookies and user devices – and it would be wrong to think the ‘long arm’ of EU data protection law begins and ends with Costeja.
However, Costeja did, for the first time, focus attention on an economic link between the EU establishment and the non-EU controller, without there having to be any involvement in the actual data processing. Google Spain had no involvement in the data processing by Google’s search engine. Since Costeja, and as confirmed by the Working Party’s update, revenue-raising by the EU establishment will, in some circumstances, be sufficient on its own to meet the test in Article 4(1)(a). However, the Working Party is clear that this will not always be the case, and that each scenario must be assessed on its own merits.
What did the updated Opinion add to the CJEU’s decision in Google Spain?
The updated Opinion is very interesting because, legally speaking, the Costeja judgement only applies to the specific facts which the CJEU had before it. Accordingly, it is only strictly binding in respect of the advertising revenues of search engines. Critically, the CJEU referred to the fact that the adverts were displayed alongside the search results on a page as an argument in favour of applying an ‘inextricable link’. In businesses where this is not the case, but where there is still an economic link, the CJEU might not have reached the same conclusion.
The Working Party, however, relegates the display of the adverts alongside the search results to merely a footnote in its update, and in its examples refers to membership fees, subscriptions and donations, as well as advertising, as being potentially sufficient to constitute an ‘inextricable link’. Although the Working Party’s Opinion is not binding, it is clear that – in their view – an economic link, including an indirect economic link, may be all that is needed, without a need for any other contributing factors.
Admittedly, the Working Party cautioned against reading the CJEU ruling too broadly, such that ‘any and all establishments with the remotest links to the data processing activities will trigger application of EU law’. However, it seems fairly clear that the DPAs will take the view that any revenue generated by an EU establishment, which is then passed on to a non-EU establishment to fund its data processing, will potentially lead to an application of the Directive. The Opinion deals almost solely with the flow of revenue as the source of a link, and does not give examples of any other ‘links’ which might be sufficient.
Interestingly, the Working Party focused its examples on websites, and did not address the question of the sale of connected devices. Would the analysis it applied to a newspaper subscription also apply to a connected device such as a fitness band, which was sold in the UK, but where all the data was processed by the non-EU establishment? Such controllers have for a while been at risk of the broad interpretation of the ‘equipment’ test, but now face the application of the Directive solely on the basis of the economic link from the sale of the device.
Does the updated Opinion provide any insight into the application of the Google Spain decision for companies with multiple establishments?
The Opinion does not, unfortunately, provide a great deal of comfort for data controllers with multiple establishments in the EU which, as a result of Costeja, may now find themselves subject to the laws of multiple member states in respect of the same processing.
Under the ‘inextricable link’ test, a non-EU controller who has revenue-raising offices across the EU would be established in all of these member states for the same processing activity and, critically, the same data. This is a problem which has long existed for those caught by the ‘equipment’ test – a controller in the US, which uses data centres in Belgium and the UK, would be potentially subject to the laws of both these member states. Disappointingly, the Working Party does not provide a solution to this problem - merely commenting that the EU does not operate a ‘one stop shop’ system (although, of course, it will under the GDPR).
The Working Party’s somewhat frustrating response to a controller with multiple establishments is to give an example of a bank with a number of branch offices across the EU, and to say ‘What applies in the off-line, bricks-and-mortar world, must also apply in the digital world’. This is patently not true, and frequently is simply not possible. One of the things which technology companies struggle with most is the difficulty of applying data protection rules designed for an offline world to an online environment.
One point the Working Party considers, but does not form any conclusion on, is whether the concept of an ‘inextricable link’ would apply to an EU controller with multiple other establishments – on the basis that the test was formed by the CJEU as a way to ensure individuals in the EU were not deprived of their privacy rights in respect of non-EU controllers. In cases where the controller itself is in the EU, this issue would not arise – it is simply a question of which law applies, not whether it applies at all.
How can any conflict of law issues be resolved?
In particular for non-EEA controllers, the question of conflict of laws remains a live one irrespective of whether they are subject to the Directive on the basis of the ‘equipment’ test or the now expanded ‘establishment’ test. Critically the Working Party avoided the really difficult question as regards conflict of laws by, in its examples, focusing on different data subjects to those at issue in Google Spain.
The Working Party referred to subscriptions, donations and membership fees, and created a specific case study of a newspaper in Washington DC. In each of these examples, the Working Party appears to only consider the data subjects as those who provide revenue directly to the EU establishment, for example by taking out a subscription for the newspaper. Their data is then processed by the non-EU controller, for example to analyse readership trends. In these cases there is a direct link between the data subjects and the activities of the EU establishment. Accordingly, whichever establishment has the relationship with the data subject is the relevant establishment for applicable law.
However this is quite different to the situation in the Costeja case. In Costeja, the question was not about the data of those individuals purchasing advertising, but anyone in the search engine. These individuals had absolutely no connection to any EU establishment. In the Working Party’s example, the equivalent question would be whether the individuals written about in the DC newspaper were protected by the Directive. In this scenario, the issue of conflict of laws becomes impossible to resolve – as there does not have to be any link between the data subject and the EU establishment.
It is this question which has led to much legal wrangling as to whether a US citizen, based in the US, can rely on the ‘right to be forgotten’ established by Costeja. If one takes the view that the processing is subject to EU law – because it is funded, at least partly, by revenue from the EU – there still does not appear to be any logical way to decide which member state’s law applies.
Nor does the CJEU’s decision in Weltimmo assist. In this case a Slovakian company operated essentially its entire business in Hungary, marketing exclusively Hungarian properties to individuals in Hungary. The CJEU held that the data processing was carried out ‘in the context of’ the fairly minimal arrangements which the business had in Hungary (a bank account, a post box and a single representative); accordingly, Hungarian law applied. In the face of quite extreme facts, it is difficult to see how the CJEU could have reached any other decision. Notably, however, the CJEU did not address the question of whether Slovakian law also applied – and if so what to do about any conflict.
The difficulty of conflicting laws is one reason to welcome the GDPR, which will apply across all member states, with limited scope for deviations under local law. It also introduces the ‘one stop shop’, so that a controller with multiple establishments can designate one ‘lead’ data protection authority to deal with in respect of its regulatory compliance.
What does the Opinion mean for the jurisdiction of EU data protection law going forward?
It is clear from the Opinion that the Working Party considers the ‘inextricable link’ test to be a fixed element of the ‘establishment’ test. However, they are also clear that each situation must be considered on its own merits, and so there can be no fixed criteria or ‘one size fits all’ approach.
The Costeja analysis must be viewed in the context of the now agreed GDPR. The GDPR retains the ‘establishment’ test for those controllers with an EU establishment. For those without an EU establishment, however, the current ‘equipment’ test is replaced with a new test of whether the controller offers goods and services to data subjects in the EU, or monitors the behaviour of data subjects in the EU.
The Working Party’s adoption of the ‘inextricable link’, therefore, can be seen as an attempt by the DPAs to gain jurisdiction over non-EU controllers who will almost certainly be subject to the GDPR, whilst they wait for the GDPR to come into force.
Although the Costeja analysis will presumably continue to apply to the interpretation of the ‘establishment’ test, the new test of offering goods and services is likely to render it somewhat redundant. In most cases it will be far more straightforward to decide someone is offering goods and services to individuals in the EU than it is to find this somewhat nebulous ‘inextricable link’.
One final point – there is one significant difference under the GDPR between those controllers caught by the ‘establishment’ test and those caught by the ‘offering goods and services’ test. Only those controllers processing data in the context of multiple establishments will be able to benefit from the one stop shop. For those offering goods and services into the EU, even if the data subjects are based in multiple member states, the one stop shop is not an option. This does give rise to the possibility that non-EU controllers would prefer to be ‘established’ by virtue of an ‘inextricable link’ than caught by the ‘offering goods and services’ test.