Forum shopping (i.e. where businesses pick and choose the most privacy-friendly EU state to set up shop) has always been a somewhat unique side effect of EU data privacy law. Then last year saw the Google Spain case where the European Court of Justice said that if a global organisation has a sales and marketing office in an EU country, it must follow the laws of that particular country. Now we have a regulator in Germany applying the Google Spain principle to another tech giant: Facebook.
You may have seen in the press recently that Facebook has a “real name policy”. In fact, it changes users’ fake user names to real ones or blocks them. The Hamburg Data Protection Authority (DPA) has taken issue with this. It says that Facebook is violating an individual’s rights to “informational self-determination” under the German Telemedia Act. Facebook maintains that since its EU headquarters are in Ireland, it is subject to Irish, not German (or any other EU), data protection law. The Hamburg DPA has decided to fight this. It cited Google Spain and argued that because Facebook is economically active in Hamburg (i.e. has an office there), it has to abide by German law. In the DPA’s words: “Facebook cannot again argue that only Irish data protection law would be applicable. Anyone who stands on our pitch also has to play our game”.
However, the territorial test for application of data protection law under the current Directive is based on local establishment and use of equipment. Specifically, if a company is established in a jurisdiction it has to comply with local DP law. If it isn’t (but is established in Ireland) then Irish DP law applies. So in 2013 the Administrative Court of Schleswig-Holstein in Germany held that Facebook was subject to Irish and not German DP law, since the processing of personal data occurred in Ireland rather than Germany. (The Court did not come to a decision as to whether Facebook had infringed any German DP laws.) The Google Spain decision is re-interpreting the rules here.
It will be interesting to see how this all plays out, especially with the EU Data Protection Regulation now in its final stages of negotiation and the debate around whether the “one-stop shop” mechanism will finally put an end to forum shopping. To be continued…