'Jurisdiction, Applicable Law and Beyond after Google Spain': Christian Wiese Svanberg
Duration: 16 mins 15 secs
Share this media item:
Embed this media item:
Embed this media item:
About this item
| Description: |
Christian Wiese Svanberg, Attorney-at-law, Plesner delivers the third lecture from the "Jurisdiction, Applicable Law and Beyond after Google Spain" section of the "EU Internet Regulation After Google Spain" conference. (The second lecture was not recorded).
This conference was held at the Faculty of Law, University of Cambridge on 27 March 2015, and brought together leading experts on Data Protection and Privacy from around the World. The conference was held with the support of the Centre for European Legal Studies (CELS). |
|---|
| Created: | 2015-04-15 17:16 |
|---|---|
| Collection: | Google Spain Video backup MOVED |
| Publisher: | University of Cambridge |
| Copyright: | Christian Wiese Svanberg, Mr D.J. Bates |
| Language: | eng (English) |
Transcript
Transcript:
First of all I’d like to thank the organisers as well. It’s a great honour and privilege to be here. It’s been very interesting interventions so far anda great day. I hope to add to it.
Maybe I should add a little bit to my background in regards to what Nora has already mentioned. I initially started my career about ten years ago as a civil servant at the Danish DPA where I also served as an alternate for two years to the Article 29 Working Party. Then, I was the Chair, back in 2012, of the DAPIX Working Party which is negotiating the new draft Data Protection Regulation,which is the context that I'll be speaking from now. I have also co-authored an article that was published here by Cambridge in the Yearbook of European Legal Studies which touches upon the proposed Regulation and it has the title "The Illusion of Harmonization" - just so you know where I'm coming from in regards to the Regulation. As the privilege of being the last speaker in a long day of course I'll try to keep it short and to the point so let’s get into it.
Just quickly I thought it might make sense to just update a little bit on the General Data Protection Regulation and what has been going on and why it is taking so long. I think one of the things that is often missed in the debate on the Regulation is that there are many reasons why this is taking some time. Initially, is it even delayed because there's no set time limit of course? What's been said is that in some waysthe Council is delaying, it’s postponing, it’s not living up to some deadline. But there is no deadline. What is important to remember is that it took a long time to pass the current Directive. That took five years to negotiate. That was in 1995 and you only had twelve Member States. Now we have twenty eight Member States and a European Parliament that also wants to pay a big role. But even more important there are a lot of interests at stake. To give an example, back in October 2013 the European Council was supposed to discuss the Data Protection Regulation. For those of you who don’t know how the Council works, at the bottom you have the DAPIX expert working party and on the top of that you have the COREPER, which is the ambassadors to the EU of all the Member States, and then you have the Council of Ministers for whatever sector you are in, so in this case it is the Justice and Home Affairs Ministers, and on top of that you have the Heads of State or Heads of Government, in what's called the European Council, and they've only discussed the Data Protection Regulation once. That was in October 2013 and what's interesting is that on the very same day as Angela Merkel was going to go to Brussels to discuss this Regulation, this exact proposal, the revelation from Snowden came out about her phone being tapped. Now you could believe that that was a coincidence, but that could have happened two months later or two months earlier. Who knows? But it happened on the very same day. Now I don't believe in coincidences of that kind. So I take that as a very illustrative example of how many and how big the interests are that are at stake in this proposal and they are commercial, they are political and they are technological and societal and a lot of other things. I think the discussions today have demonstrated that but I think it’s important to keep that in mind when you're discussing whether or not this is moving too slowly and why this is taking so long and what are they actually discussing.
Well what's happening right now? I think it's fair to say that there has been a process in Council which is taking some time. I think they are also running out of time because I think there is a political incentive to get this done, at least in Council, within the year.
So I think that the latest development was that a few weeks ago they agreed what's called "a partial general approach" on the one-stop-shop. It was somewhat strained in the sense that it is not completely closed and there's a revision clause being put in so you can open this whole discussion up in maybe ten years time and have fun again. It was also agreed on the caveat that nothing is agreed until everything is agreed. So they're not completely agreed on this but still it's moving forward and I think that there are strong signs that they will close-up the Council part of this in June, which means that straight after that the so-called trilogue will begin. This means that the process shifts fundamentally. You go from having a large room with a lot of experts, a lot of leaks and a lot different agendas into a small room with only three stakeholders in the room being the Council presidency, the European Parliament rapporteur and the Commission’s civil servant negotiating this proposal. So I think that's going to energize the process in many ways and I think it will solve some of the issues that have been created, especially in Council I have to say. The Council’s process has in some ways broken down. I don't think what's happening right now is constructive on the one-stop-shop and that is going to need some fixing at some point. But then Mr Smith already touched upon that earlier.
The final timeframe - I put a question mark there because no one knows, no one can actually predict when this will happen. Some are saying that if they start in June they could do the trialogue by the end of the year. I find that fairly optimistic. That would be one of the fastest trialogue I have ever experienced and, given how big the proposal is and the stakes are high, I think that might be a bit positive. But then it may be early in 2016. That would not be completely out of the question I think. So that's probably the most likely scenario in my opinion but no one really knows.
Moving forward to the more specific point on jurisdiction. I thought that the best way to do this basically is to show what has been on the table so far regarding jurisdiction or applicable law. It's all in the same article. And actually it’s one of the few articles that all the three actors, including the Council, have actually agreed some kind of common position on. So with regard to territorial scope. What the text shows is what is basically similar to the existing wording. So that's not new wording in regards to territorial application. The underlined is the Commission proposal from 2012 and now new suggested added wording. So an interesting point here is that the processor is now mentioned specifically as someone who is obligated directly by the Regulation when processing data within the Union.
Now in the second instance of the original proposal of the Commission you can see they add on some new wording and what's actually the interesting bit here is that they focus on either the offering of goods or services to data subjects in the European Union or the monitoring of their behaviour. The interesting thing here is in regards, as can be seen in the first sentence, data subjects residing in the Union and the processing is being carried out by a controller not established in the Union. Now during the negotiations in Council one of the first questions we had as we did the first round of comments on this proposal was "okay so let's say that a European citizen who resides in the Union goes to New York and is caught by a video surveillance system by a controller who's not established in the Union - that would trigger this entire Regulation then."
The second question you can ask is what is monitoring? I think the original idea from the Commission, although they were not very willing to divulge precisely what they meant by monitoring, is with regards to online tracking, information technology, cookies. Obviously that's an important issue you want to address but of course you need to make sure what this means and this goes to the heart of why it’s taking a long time in Council because there are many issues like this throughout the Regulation and it's going to be difficult to define this and it's going to be one of the many issues that we have to leave to DPAs to figure out I think.
Moving forward the final part is also actually a pretty basic, already well-known text from the 1995 Directive. Doesn’t really add that much. Moving to what the Parliament then suggested, they added an extra sentence to the first section of the article saying that "whether or not processing takes place in the Union". So this would mean apparently that for instance a processor who decides to, or a controller who decides to, put data somewhere else will also in regards to that data be specifically caught by the Regulation. That makes sense in a certain way.
The bold here, is additional wording from the Parliament - what they thought was important to add. They've added "or processor" so again, a processor is now specifically targeted as a subject to regulate by the law. Obviously that also adds new questions and layers of complexity to work with. What will this actually mean for someone like Google? I'll come to that at the end. Also an important issue is whether or not a commercial transaction takes place. But again they’re keeping the idea of monitoring data subjects in the text. Actually, the Council is doing something very similar. Here is their proposal. In order to address the issue that I mentioned earlier about video surveillance going on in New York they narrow the provision to only take into account the monitoring that is covering behaviour that takes place within the European Union. So this would still presumably catch a tracking cookie being placed or following someone within the European Union but not if you are exposed to some sort of surveillance while on holiday on the Maldives. So that makes sense. Again maintaining the traditional public international law jurisdictional approach.
So what will this all lead to? Well, at the end of the day, I think it's fairly certain that there will be probably a large degree of extraterritoriality. That’s plain to see. All three co-legislators, all the three institutions, agree that the rules should apply in third countries. This raises a number of questions of course. The first of all is what is "monitoring" as I already mentioned, which is a separate issue. You can argue that for a long time and again the DPAs will have a lot of work cut out for them trying to figure out whether or not this rule has been triggered or not and if it has, how they enforce those rules. Coming from the Ministry of Justice, being a lawyer who cares about how you draft rules, I have to say that making rules is one thing, but you always want to make rules you can actually enforce in reality, for many reasons. Just as I am not a big fan of the title of the "right to be forgotten", because I think it creates false expectations. I think the same is the case if you're setting up rules that you claim apply to what is going on in a third country and not providing tools or realistic options for the authorities to enforce those rules. So I think that's going to be a central issue, that is probably not going to be solved by the legislator but more by the facts on the ground. I think it will create unrealistic expectations and you can also ask what will a third country think about the EU extending its competence in this way. Some will argue well the US for one is already doing this but, well, the world is bigger than just the US and I think the EU needs to consider carefully whether it is a suitable way to go to impose their rules on what's going on in third countries. But I'm afraid that then no one is going to be listening to me in this regard. I think it is definitely going to happen no matter what I say here today. What does this mean for the Google Spain precedent? Given the fact that that the court has said pretty clearly that they consider Google to be a data controller I don't think that there can be much doubt that these rules will obviously be triggered in regards to almost anything that someone, Google or any other search engine, will be doing because they will either be a data controller or a data processor, most likely a data controller given the precedent. Obviously, as long as you are using the same terms as have been laid out by the Court in the verdict there's no reason to assume that the law would be different. So going forward I think this is still going to be an issue and the place to solve that would be in the definition and the elaboration of the right to be forgotten in the actual Regulation and that is yet to be closed.
So that's all I want to say.
Let me just leave with one observation I made listening to some of the earlier interventions during the day. I often think when I hear discussions about this verdict that there is, what you might call a degree of cognitive dissonance. On the one hand, the argument is that it is absolutely crucial that data be removed from search engines, from Google. I think that the wording was in the Costeja case that the problem was Google. It was not the initial publication that was the issue. It was crucial that he went to Google and had the data removed because that's where people found the data. But then, on the other hand, sometimes even the same people in the next sentence can pivot and say "well when it comes to the discussion of freedom of speech and possibly censorship, well, Google is not really that important." "It’s not where we find our information necessarily". "It’s only part of our information resource." Google surely has to be important in both respects? I think it's important to recognize that fact and also recognize that the basic tension is that on the one hand you have a societal value which is freedom of speech and then you have a more perhaps personal value. So in each specific instance, there will always be a tendency to lean towards recognizing the individual's right to have something deleted and no one's really advocating the sort of societal side of that issue. I think that's a big tension right now in the debate and that's anissue. Where this can end up is going to be very interesting to see going forward. I don’t have the answer.
Maybe I should add a little bit to my background in regards to what Nora has already mentioned. I initially started my career about ten years ago as a civil servant at the Danish DPA where I also served as an alternate for two years to the Article 29 Working Party. Then, I was the Chair, back in 2012, of the DAPIX Working Party which is negotiating the new draft Data Protection Regulation,which is the context that I'll be speaking from now. I have also co-authored an article that was published here by Cambridge in the Yearbook of European Legal Studies which touches upon the proposed Regulation and it has the title "The Illusion of Harmonization" - just so you know where I'm coming from in regards to the Regulation. As the privilege of being the last speaker in a long day of course I'll try to keep it short and to the point so let’s get into it.
Just quickly I thought it might make sense to just update a little bit on the General Data Protection Regulation and what has been going on and why it is taking so long. I think one of the things that is often missed in the debate on the Regulation is that there are many reasons why this is taking some time. Initially, is it even delayed because there's no set time limit of course? What's been said is that in some waysthe Council is delaying, it’s postponing, it’s not living up to some deadline. But there is no deadline. What is important to remember is that it took a long time to pass the current Directive. That took five years to negotiate. That was in 1995 and you only had twelve Member States. Now we have twenty eight Member States and a European Parliament that also wants to pay a big role. But even more important there are a lot of interests at stake. To give an example, back in October 2013 the European Council was supposed to discuss the Data Protection Regulation. For those of you who don’t know how the Council works, at the bottom you have the DAPIX expert working party and on the top of that you have the COREPER, which is the ambassadors to the EU of all the Member States, and then you have the Council of Ministers for whatever sector you are in, so in this case it is the Justice and Home Affairs Ministers, and on top of that you have the Heads of State or Heads of Government, in what's called the European Council, and they've only discussed the Data Protection Regulation once. That was in October 2013 and what's interesting is that on the very same day as Angela Merkel was going to go to Brussels to discuss this Regulation, this exact proposal, the revelation from Snowden came out about her phone being tapped. Now you could believe that that was a coincidence, but that could have happened two months later or two months earlier. Who knows? But it happened on the very same day. Now I don't believe in coincidences of that kind. So I take that as a very illustrative example of how many and how big the interests are that are at stake in this proposal and they are commercial, they are political and they are technological and societal and a lot of other things. I think the discussions today have demonstrated that but I think it’s important to keep that in mind when you're discussing whether or not this is moving too slowly and why this is taking so long and what are they actually discussing.
Well what's happening right now? I think it's fair to say that there has been a process in Council which is taking some time. I think they are also running out of time because I think there is a political incentive to get this done, at least in Council, within the year.
So I think that the latest development was that a few weeks ago they agreed what's called "a partial general approach" on the one-stop-shop. It was somewhat strained in the sense that it is not completely closed and there's a revision clause being put in so you can open this whole discussion up in maybe ten years time and have fun again. It was also agreed on the caveat that nothing is agreed until everything is agreed. So they're not completely agreed on this but still it's moving forward and I think that there are strong signs that they will close-up the Council part of this in June, which means that straight after that the so-called trilogue will begin. This means that the process shifts fundamentally. You go from having a large room with a lot of experts, a lot of leaks and a lot different agendas into a small room with only three stakeholders in the room being the Council presidency, the European Parliament rapporteur and the Commission’s civil servant negotiating this proposal. So I think that's going to energize the process in many ways and I think it will solve some of the issues that have been created, especially in Council I have to say. The Council’s process has in some ways broken down. I don't think what's happening right now is constructive on the one-stop-shop and that is going to need some fixing at some point. But then Mr Smith already touched upon that earlier.
The final timeframe - I put a question mark there because no one knows, no one can actually predict when this will happen. Some are saying that if they start in June they could do the trialogue by the end of the year. I find that fairly optimistic. That would be one of the fastest trialogue I have ever experienced and, given how big the proposal is and the stakes are high, I think that might be a bit positive. But then it may be early in 2016. That would not be completely out of the question I think. So that's probably the most likely scenario in my opinion but no one really knows.
Moving forward to the more specific point on jurisdiction. I thought that the best way to do this basically is to show what has been on the table so far regarding jurisdiction or applicable law. It's all in the same article. And actually it’s one of the few articles that all the three actors, including the Council, have actually agreed some kind of common position on. So with regard to territorial scope. What the text shows is what is basically similar to the existing wording. So that's not new wording in regards to territorial application. The underlined is the Commission proposal from 2012 and now new suggested added wording. So an interesting point here is that the processor is now mentioned specifically as someone who is obligated directly by the Regulation when processing data within the Union.
Now in the second instance of the original proposal of the Commission you can see they add on some new wording and what's actually the interesting bit here is that they focus on either the offering of goods or services to data subjects in the European Union or the monitoring of their behaviour. The interesting thing here is in regards, as can be seen in the first sentence, data subjects residing in the Union and the processing is being carried out by a controller not established in the Union. Now during the negotiations in Council one of the first questions we had as we did the first round of comments on this proposal was "okay so let's say that a European citizen who resides in the Union goes to New York and is caught by a video surveillance system by a controller who's not established in the Union - that would trigger this entire Regulation then."
The second question you can ask is what is monitoring? I think the original idea from the Commission, although they were not very willing to divulge precisely what they meant by monitoring, is with regards to online tracking, information technology, cookies. Obviously that's an important issue you want to address but of course you need to make sure what this means and this goes to the heart of why it’s taking a long time in Council because there are many issues like this throughout the Regulation and it's going to be difficult to define this and it's going to be one of the many issues that we have to leave to DPAs to figure out I think.
Moving forward the final part is also actually a pretty basic, already well-known text from the 1995 Directive. Doesn’t really add that much. Moving to what the Parliament then suggested, they added an extra sentence to the first section of the article saying that "whether or not processing takes place in the Union". So this would mean apparently that for instance a processor who decides to, or a controller who decides to, put data somewhere else will also in regards to that data be specifically caught by the Regulation. That makes sense in a certain way.
The bold here, is additional wording from the Parliament - what they thought was important to add. They've added "or processor" so again, a processor is now specifically targeted as a subject to regulate by the law. Obviously that also adds new questions and layers of complexity to work with. What will this actually mean for someone like Google? I'll come to that at the end. Also an important issue is whether or not a commercial transaction takes place. But again they’re keeping the idea of monitoring data subjects in the text. Actually, the Council is doing something very similar. Here is their proposal. In order to address the issue that I mentioned earlier about video surveillance going on in New York they narrow the provision to only take into account the monitoring that is covering behaviour that takes place within the European Union. So this would still presumably catch a tracking cookie being placed or following someone within the European Union but not if you are exposed to some sort of surveillance while on holiday on the Maldives. So that makes sense. Again maintaining the traditional public international law jurisdictional approach.
So what will this all lead to? Well, at the end of the day, I think it's fairly certain that there will be probably a large degree of extraterritoriality. That’s plain to see. All three co-legislators, all the three institutions, agree that the rules should apply in third countries. This raises a number of questions of course. The first of all is what is "monitoring" as I already mentioned, which is a separate issue. You can argue that for a long time and again the DPAs will have a lot of work cut out for them trying to figure out whether or not this rule has been triggered or not and if it has, how they enforce those rules. Coming from the Ministry of Justice, being a lawyer who cares about how you draft rules, I have to say that making rules is one thing, but you always want to make rules you can actually enforce in reality, for many reasons. Just as I am not a big fan of the title of the "right to be forgotten", because I think it creates false expectations. I think the same is the case if you're setting up rules that you claim apply to what is going on in a third country and not providing tools or realistic options for the authorities to enforce those rules. So I think that's going to be a central issue, that is probably not going to be solved by the legislator but more by the facts on the ground. I think it will create unrealistic expectations and you can also ask what will a third country think about the EU extending its competence in this way. Some will argue well the US for one is already doing this but, well, the world is bigger than just the US and I think the EU needs to consider carefully whether it is a suitable way to go to impose their rules on what's going on in third countries. But I'm afraid that then no one is going to be listening to me in this regard. I think it is definitely going to happen no matter what I say here today. What does this mean for the Google Spain precedent? Given the fact that that the court has said pretty clearly that they consider Google to be a data controller I don't think that there can be much doubt that these rules will obviously be triggered in regards to almost anything that someone, Google or any other search engine, will be doing because they will either be a data controller or a data processor, most likely a data controller given the precedent. Obviously, as long as you are using the same terms as have been laid out by the Court in the verdict there's no reason to assume that the law would be different. So going forward I think this is still going to be an issue and the place to solve that would be in the definition and the elaboration of the right to be forgotten in the actual Regulation and that is yet to be closed.
So that's all I want to say.
Let me just leave with one observation I made listening to some of the earlier interventions during the day. I often think when I hear discussions about this verdict that there is, what you might call a degree of cognitive dissonance. On the one hand, the argument is that it is absolutely crucial that data be removed from search engines, from Google. I think that the wording was in the Costeja case that the problem was Google. It was not the initial publication that was the issue. It was crucial that he went to Google and had the data removed because that's where people found the data. But then, on the other hand, sometimes even the same people in the next sentence can pivot and say "well when it comes to the discussion of freedom of speech and possibly censorship, well, Google is not really that important." "It’s not where we find our information necessarily". "It’s only part of our information resource." Google surely has to be important in both respects? I think it's important to recognize that fact and also recognize that the basic tension is that on the one hand you have a societal value which is freedom of speech and then you have a more perhaps personal value. So in each specific instance, there will always be a tendency to lean towards recognizing the individual's right to have something deleted and no one's really advocating the sort of societal side of that issue. I think that's a big tension right now in the debate and that's anissue. Where this can end up is going to be very interesting to see going forward. I don’t have the answer.
Available Formats
| Format | Quality | Bitrate | Size | |||
|---|---|---|---|---|---|---|
| MPEG-4 Video | 1280x720 | 2.98 Mbits/sec | 364.23 MB | View | Download | |
| MPEG-4 Video | 640x360 | 1.94 Mbits/sec | 236.60 MB | View | Download | |
| WebM | 1280x720 | 2.17 Mbits/sec | 265.62 MB | View | Download | |
| WebM | 640x360 | 561.49 kbits/sec | 66.90 MB | View | Download | |
| iPod Video | 480x270 | 520.26 kbits/sec | 61.92 MB | View | Download | |
| MP3 | 44100 Hz | 249.95 kbits/sec | 29.78 MB | Listen | Download | |
| MP3 | 44100 Hz | 62.23 kbits/sec | 7.45 MB | Listen | Download | |
| Auto * | (Allows browser to choose a format it supports) | |||||