'Jurisdiction, Applicable Law and Beyond after Google Spain': Johannes Caspar
Duration: 22 mins 2 secs
About this item
Description: Professor Dr Johannes Caspar, Hamburg Commissioner for Data Protection and Freedom of Information, delivers the first lecture from the "Jurisdiction, Applicable Law and Beyond after Google Spain" section of the "EU Internet Regulation After Google Spain" conference.
This conference was held at the Faculty of Law, University of Cambridge on 27 March 2015, and brought together leading experts on Data Protection and Privacy from around the World. The conference was held with the support of the Centre for European Legal Studies (CELS).
Created: 2015-04-15 15:07
Collection: Google Spain Video backup MOVED
Publisher: University of Cambridge
Copyright: Johannes Caspar, Mr D.J. Bates
Language: eng (English)
Transcript:
Well thank you for your nice invitation, David, to Cambridge. It's a great pleasure to be here and to speak to you. For a data commissioner in Germany, it's always a great thing just to go elsewhere and try to push the idea of data protection throughout Europe. Well, I want to give you a legal assessment about the problem of the applicability of national data protection law. As you see this is the structure of my essay and perhaps it will help you to get a notion about that in this short lecture. It’s a question which goes on at another level I think. We heard just now about the implications of the Google Spain decision for search engines but now we're on the point where we go on another level where we can see what great impact this decision has for all kinds of platforms on the internet, for all kinds of services. But, as the time is precious, let us begin.
Introduction on the historic adjustment on the right to forget:
Without exaggeration one can call the decision of the European Court of Justice in the case of Google Spain historical. This applies at least to the central part of the verdict, the judicial derivation of the so-called right to be forgotten, better called the right to be delisted, a right not to be found so easily. The ruling brought the shocking evidence to Google and other companies that from this point on they were seen as responsible data controllers by operating internet search engines. They also had to realize that they can't escape European data protection provisions even if they are set up outside the EU but have an establishment in at least one of the Member States. The ruling of the Court of Justice therefore not only bolsters the privacy rights of people affected by the use of their data on the Internet. It also clarifies the scope of applicable national data protection law and helps to safeguard the data protection rights vis-à-vis parties which play on grounds where data protection normally is an alien concept.
The content and range of the decision:
The European Court concludes that national data protection law is applicable if the activity of an establishment in the specific Member State is economically linked to the controller. This applies even in cases where the regional establishment in the Member State itself has no active part in processing personal data of the users of an internet service. It is sufficient if the activity of that establishment fosters, economically, the data processing of the holding company. Now there is a short way from the Google case to another global service provider which has its German establishment in the State of Hamburg. You know of which kind of service I'm speaking. It's the biggest social network - Facebook - that in the past has given several reasons for taking the data use policy under close scrutiny to the Data Protection Authority of Hamburg. Some examples. The first such reason was the Friend Finder, an aggressive advertising strategy of Facebook to increase the number of their users. The second one, another similar case, is the face recognition technology Facebook used to suggest whom to tag on photos uploaded by users to the network. This was introduced without asking the data subjects affected for their informed consent. After we opened an administrative proceeding against Facebook, they decided to discontinue the features throughout Europe. Currently, a change of the data use policy of Facebook effective at the end of January 2015 led to new investigations not only by the Hamburg DPA but as well in the Netherlands and Belgium and we know that since last week also in France and Spain. The announcement that Facebook may share information about their users within the Facebook family for more or less undefined purposes is at least disturbing. The legal ground for transferring data between these different companies cannot be seen.
Facebook therefore must clearly commit that there will be no unauthorized exchange of data, especially keeping in mind the weak privacy standards of the US companies in the hands of Facebook such as WhatsApp or Instagram. One can also count here the network advertiser Atlas. Facebook has argued for quite a long time that for European users the responsible controller is not Facebook Inc., located in California, but rather Facebook Limited in Ireland. From that they come to the conclusion that the Irish Data Protection Commissioner would be the only competent DPA. Despite this position, Facebook in the past was willing to answer our questions more or less to our satisfaction. Not so now. Facebook refused to give answers to our questions concerning the new data use policy. They returned to the argumentation of missing competence and the non-applicability of German data protection law.
Our legal position:
Until now, the competence issue in Germany has not been solved. There are two dissenting court decisions in Germany. The Administrative Court in 2013 denied the applicability of German data protection law. On the other hand, the decision in January 2014 [by] the Berlin Court of Appeal for private law argued that the national data protection provisions are applicable for Facebook. Considering the current decision of the European Court, the key question of applicable law under the framework of the Data Protection Directive must be addressed anew. The central provision applied in the Google Spain decision concerning the applicability of national laws is Article 4(1)(a). The Article provides that each Member State shall apply the national provisions where "the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable". The clear notion of Article 4(1)(a).
To estimate the extent of the application of the national data protection law one has to analyze the key term "establishment" and the scope of the relevant activity. The Court refers to recital 19 of the Directive, which states that "establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements" and that "the legal form of such an establishment, whether simply branch or a subsidiary with a legal personality, is not the determining factor". The Court of Justice makes it clear that this does not require the processing of personal data in question to be carried out by the establishment concerned but only that it be carried out in the context of the activities of this establishment. In the case of the Google search engine it is sufficient that the establishment promotes and sells advertising space, making the service more profitable. The Court of Justice explicitly develops its wide interpretation on the background of processing of data which is operated by an undertaking that has its seat in a third state but has an establishment in a Member State. Now what does this mean for those cases in which the controller claims to operate not in a third state but in a Member State of the EU? The multiplication of different national regulations is anticipated by the Data Protection Directive. It states that each controller has to ensure that the national regulations have in each case been followed. Recital 19 of the Data Protection Directive addresses this issue. A quotation: "when a single controller is established on the territory of several Member States, particularly by means of subsidiaries, he must ensure, in order to avoid any circumvention of national rules, that each of the establishments fulfils the obligations imposed by the national law applicable to its activities". The decision of the Court of Justice therefore, this is my opinion, is also then valid for controllers who operate within the EU.
By contrast, Facebook, which shares its main European establishment in Ireland, argues that the Directive would aim to ensure a common level of privacy protection standards within the EU and harmonise data protection laws to establish a consistent internal market for internet services. The Data Protection Directive, in order to ease the flow of personal data, aims indeed for the equivalent level of protection of rights and freedom of individuals with regard to the processing of such data in all Member States. This is recital 8. It is clear that the interpretation of the term establishment by the Court of Justice intends to counter controllers trying to escape the obligations and guarantees of the Data Protection Directive and safeguards the effective and complete protection of fundamental rights and freedoms of natural persons. An interpretation of the scope of applicable law must therefore consider that with Directive 95/46 the European legislator sought to prevent individuals being deprived of the protections guaranteed by the Directive and that protection from being circumvented. A quotation from the European Court. Even if one follows the argument of Facebook on the harmonizing intent of the Directive, the right interpretation of the term establishment by the Court must therefore be also relevant for the data controller in Member States where the implementation of the Directive itself is deficient and/or the enforcement of national data protection is at least much less effective than in other Member States. As a result, the controller whose strategy is to seek for lower levels of data protection in third States as well as in the EU must at least face this situation: that he is obliged to the relevant data protection standards of Member States where its own branches or establishments are running an office.
I come to point four: implementation and law enforcement in Ireland:
Whether these requirements for the application of the principles of the Google decision are fulfilled in the case of Facebook Limited in Ireland must be examined. Here is not the place and the time for a final even but let me in short provide an initial assessment. As an example I will pick the enforcement of proper consent as a legal ground for processing data. As mentioned before, Facebook in 2011 implemented automatic face recognition to identify people in uploaded photos and attribute these to the users in question. Facebook itself, when introducing this function, did not inform the users that their faces would be biometrically evaluated. Under the pressure of growing resistance, especially among consumers and Data Protection Authorities, Facebook prominently pointed the user to the facial recognition function and the possibility of deactivating it. Facebook was of the opinion that it had done all that was necessary to obtain the consent of those affected. True to the motto: if you don't deactivate, then you consent. The user's reaction not to deactivate the facial recognition function was regarded as consent. We clearly pointed out that the failure to perform an action - deactivating - may not be interpreted as consent on the part of users. Consent from those affected is required by European as well as data protection law: unambiguous consent. This view was, by the way, repeatedly communicated by the Article 29 data protection group in its opinions on the processing of biometric data entry requirements for valid consent. That opinion was not shared by our colleagues in Ireland. In the first Irish audit report, they accepted Facebook's argumentation that users give their consent to all of the network's conditions of use, including the guideline on data usage, and that this provides substantive legitimation to the collection of users' biometric data.
A quotation from the Facebook Ireland audit report 2011: "Our consideration of this issue must also have regard to case law in Ireland regarding the use of biometrics. This case law has not considered that the processing of biometric data requires explicit consent." Further quotation: "For the reasons outlined above further notification in relation to the current deployment in the future is not strictly legally necessary under Irish law". This opinion ignores that with the opt-out feature Facebook does not fulfil the requirements of the EU Data Protection Directive. Article 2(e) provides that the data subject's consent shall be "any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed". The EU Article 29 group opinion in 2012 on facial recognition in online and mobile services approves that, quotation: "In this context, consent for enrolment cannot be derived from the general users' acceptance of the whole terms and conditions of the underlying service unless the primary aim of the terms of the service is expected to involve facial recognition". It took quite some time for Facebook to accept this legal opinion. Only after the opening of administrative proceedings did Facebook take the possibility and close down the facial recognition function in Europe. The function of facial recognition was discontinued and the biometric data was deleted. This example shows and demonstrates one of the differences between the Irish Data Protection Act and the EU Directive. Deviating from the EU Directive, the Irish Data Protection Act has no binding legal definition of the term consent. This proved deficient implementation of the Directive and documents the gap between the provision of the EU Directive and the Irish Data Protection Act.
This gap should have been closed by interpretation of the legal term "consent" by the Irish Data Protection Authority in the light of the European Directive. Referring to Irish case law certainly, in my opinion, is inappropriate. The question of free and explicit consent is crucial for the other evaluation of the data use policy of Facebook which became effective just in January 2015. Has Facebook, by issuing the new privacy policy, acquired consent of their users that legitimates the processing of personal data from a European perspective? This is more doubtful.
I come to the conclusion:
The EU General Data Protection Regulation has been discussed on the EU and on the Member State level since 2012. It aims for structures and future data protection law not only for privacy rights but also towards a homogenous procedure of cooperation and law enforcement between different national supervisory authorities. The principle of the one-stop-shop should accomplish that only one Data Protection Authority is competent for a data controller throughout the EU. Against the background of the above, it is of great importance that the exclusive supervisory responsibility of the authority at the location of the headquarters of the data controller must not lead to forum shopping of a major Internet company. Otherwise you might face a race to the bottom in the protection of privacy in the EU. The General Regulation therefore has defined clearer and transparent procedures which provide effective provisions for the law enforcement. Consideration should therefore be given to the question of arming those supervisory authorities with particular rights for the case that the leading authority should remain inactive. That last view on consent: the actual proposal of the Council of the European Union raises doubts whether the procedure of the one-stop-shop will be effective enough for law enforcement; regarding also the consent proposals of the Council in chapter two of the General Data Protection [Regulation], it falls back not only beyond the proposal of the Commission but also beyond the EU Directive itself. Instead of an explicit consent required by the proposal of the Commission, mere unambiguity shall be sufficient. That would open the way to opt-out solutions which are incompatible with the right to personal self-determination of the user. The essential requirement for the ongoing debate on the data protection regulations is to implement the definition which states that consent of the user must always be given explicitly.
The Data Protection Regulation must learn from the process of the European DPAs to enforce the fundamental rights to privacy especially against data use policy of global players like Google and Facebook.