Location, Location … Guidance on Applicable Law in International Data Processing Scenarios

January 31, 2011

What’s new?

The EU’s expert body on data protection, the Article 29 Working Party, recently published an Opinion on applicable law[1]. The WP is made up of representatives from each Member State’s data protection regulator. Its remit is to promote uniform application of the Directive and (among other things) highlight issues on which states are taking divergent approaches.

Although the WP’s opinions do not have the force of law, they provide valuable analysis and reflect the regulators’ collective interpretation of current rules.  The WP’s views tend to indicate the direction of future EU policy, so the issues highlighted in the Opinion will influence the Commission’s proposals for reform of the Directive this year.

What are the issues?

The purpose of the Opinion is to clarify the application of the existing rules relating to applicable law (Articles 4, 17 and 28 of the Directive). The issue of applicable law has two dimensions:

· for processing taking place outside the EU but having a relevant connection with it, determining the extent to which EU privacy law applies at all; and

· for processing taking place within the EU in circumstances where more than one Member State’s laws could potentially apply, determining which national law applies and avoiding conflicts.

The WP’s overriding objectives here are to provide certainty and ensure there are no loopholes in the protection which the Directive is designed to provide for data subjects.  Data subjects, it is argued in the Opinion, need to know which set of data protection laws protect their data, and organisations need to know which rules apply to their operations.

The difficulty with the applicable law (and many other) provisions of the Directive is the lack of uniformity in Member States’ transposition. Identified as far back as the Commission’s first report into implementation (2003) and highlighted in the 2010 RAND report[2] and the Commission’s recent ‘Communication’[3] on reform, the need for clarification has been given impetus by globalisation, the Internet and the emergence of virtual computing environments.

At the risk of teaching SCL readers to suck eggs, the concept of applicable law relates to which country’s rules apply in a given situation, and is distinct from jurisdiction, ie the rules which govern the ability of a national court to decide a case or enforce a judgment (or, in the case of data protection matters, the competence of one national regulator to enforce another country’s rules).  As the Opinion observes, applicable law and jurisdiction often tend to coincide, but the Directive explicitly provides for the enforcement of one Member State’s laws by another country’s regulator.  The WP promises a future opinion on jurisdiction.

Who is affected?

In broad terms, the guidance in the Opinion has implications (i) for any organisation processing personal data within the EU where there is any kind of cross border dimension and (ii) for organisations based outside the EU whose activities trigger obligations under the Directive. As with any aspect of data protection law, the principles apply regardless of business sector or the size of the data controller. The 12 worked illustrations in the Opinion include scenarios involving debt factoring, retail chains, HR databases, ISPs, geolocation services, cloud computing, social networking and e-health platforms.

The Opinion addresses the scenarios where:

· the data controller is established in one or more Member States (Article 4(1)(a)); and

· the data controller is not established on Community territory but is processing data through equipment located in a Member State (Article 4(1)(c)).

It also covers the scenario described in Article 4(1)(b), namely where EU data protection law extends across borders by virtue of public international law – the examples given involve foreign embassies, ships and other ‘special status’ bodies – which we assume are less likely to interest SCL readers.

But first: data controller or data processor?

Before considering applicable law, it is important to stress that, in practice, correctly identifying which national law applies often goes hand-in-hand with identifying who is a data controller and who is a data processor. This is often the case in outsourcing and cloud computing scenarios, where the simplistic controller/processor distinction in the Directive fails to reflect the complexity of 21st century data handling arrangements. The Opinion acknowledges this, and refers back to its (very helpful) 2010 Opinion[4] on the subject. There, the WP took a functional approach to the controller/processor distinction, highlighting factors such as the extent of prior instructions, supervision and monitoring by the original controller and the receiving entity’s ‘room for manoeuvre’, as factors which will determine on a case-by-case basis whether an entity is a joint controller or a mere processor.[5]

Analysis of Article 4(1)(a)

But now, back to applicable law.  Article 4(1) provides that:

‘Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:

(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable’

The WP analyses and illustrates the two key concepts within this test, namely ‘establishment’ and ‘context of activities’.

‘Establishment’ is not defined in the Directive; however, Recital 19 states that to determine whether an establishment exists within a Member State there must be an effective and real exercise of activity through stable arrangements. Whilst establishments do not have to have a legal personality, and the form of an establishment is not conclusive, a stable establishment must (according to ECJ case law on the freedom of establishment) utilise both human and technical resources to provide a service. The Opinion also indicates that a controller can have multiple establishments and therefore be subject to multiple laws; likewise a single establishment, through engaging in a number of different activities for different Member States, could be subject to different national laws. Some helpful illustrations are given of the kind of arrangements which may or may not constitute an ‘establishment’. For example, a server or computer, being simply the facility for processing, would not, but a one-person office or an agent could, assuming the elements of ‘effective and real exercise of activity’ and ‘stable arrangement’ are present.

Once the location of an establishment is determined, the ‘context of activities’ undertaken must also be examined.  The Opinion emphasises the need to look at the ‘macro’ or ‘global picture’ of the particular processing activities, since it may be the case that a set of operations carried out in a number of different Member States (but all serving a single purpose) might indicate the application of a single national law.

The WP suggests that there are three elements to the analysis of the ‘context of the activities’: first, the degree of each establishment’s involvement in the processing along with the nature of the processing activity; second, the nature of the activities (simply put – who is doing what and where?); and third, the fact that the aim of the Directive is to guarantee effective privacy protection to individuals ‘in a simple, workable and predictable way’.

Applying Article 4(1)(a) – some topical illustrations

Customer databases: The Opinion provides the example of a retail chain with shops throughout the EU and a head office in Spain. If each shop collected customer data and transferred this to the head office, where the data was then used to engage in customer profiling, targeted marketing, etc, multiple national laws would be applicable. Based on the ‘context of activities’ test, Spanish law would govern the head office, whereas each shop would need to comply with the relevant national legislation in the context of its activities, namely collecting and processing personal information. An individual could go directly to their national regulator in case of complaint; if the complaint related to marketing by the head office, the case would be referred to the Spanish enforcement authorities.

Internet service provider: There is an interesting worked example of an ISP, headquartered in Japan but with commercial offices in most EU Member States, an office in Ireland dealing with issues connected with processing including IT support, and a data centre in Hungary devoted to the storage and processing of data relating to its users. This hypothetical illustrates the potential for one Member State’s law (in this illustration that of Ireland) to be applied to activities going on in another (here, the Hungarian data centre) – but subject to a strong caveat that it is always necessary to look at the precise activities going on and the macro picture of the organisation on a case-by-case basis.

Analysis of Article 4(1)(c)

Article 4(1)(c) is an anti-avoidance provision, aimed at scenarios where the data controller has no EU establishment but where the processing of personal data has a clear connection with a Member State. It provides:

‘Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where … the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.’

This captures the growing number of technologies, such as search engines and cloud computing, where the data controller has no presence in the EU which would constitute an establishment. There are two elements to this test. First, whether the controller is ‘making use of’ equipment, which presupposes some kind of activity of the controller and the clear intention of the controller to process personal data. A controller does not need to own the equipment. The second element is whether the controller uses ‘equipment’ that is within the EEA. ‘Equipment’ is given a very broad meaning by the WP and (relying on the language used in drafts of the Directive and in other language versions) is interpreted to encompass the ‘means’ through which processing can occur. The Directive confirms that this may be ‘automated or otherwise’. One example given of ‘means’ is the use of questionnaires to gather personal data in pharmaceutical surveys. The Opinion acknowledges that its wide interpretation of the Directive could lead to the application of EU law in some circumstances where there is little real connection with the EU and recommends this be clarified in the revised directive.

Applicable law in cloud computing scenarios

The Opinion applies its analysis to cloud computing, where personal data are processed and stored on servers in several locations worldwide and the exact location of data may be hard to pinpoint at a given time. Here the first step is to determine which entity is the data controller and which is the data processor. Depending on the circumstances, different outcomes are possible. For example, if the user of the cloud services is an organisation based in the EU and accesses online services, such as a meeting organiser, and uploads personal data of its employees onto it, then the service is being used in the context of activities of its establishment in the EU, so Article 4(1)(a) would apply and the local law of the controller’s ‘establishment’ would govern.

In a different scenario, where the cloud service provider itself is a data controller and is based outside the EEA, Article 4(1)(c) might be applicable. The illustration given is of a cloud service provider of online agendas/diaries, which is itself a ‘controller’ of the data uploaded by its users by virtue of providing value added services such as synchronisation of appointments and contacts. Assuming the service provider uses equipment/means within the EU to process this data, it would be subject to the national law of the location of such ‘means’. Examples of relevant ‘means’ are the use of calculation facilities, JavaScript and cookies to store or retrieve personal information.

Applicable law and security issues

Security is the hot topic in privacy law in general, and outsourcing and cloud computing in particular. But those seeking more comprehensive guidance on this issue will not find it in this Opinion, and will have to wait for the new Directive (or even, as some advocate, the emergence of a self-regulatory standard). The Opinion simply reminds us that, under Article 17(3), in controller to processor contracts, the security obligations ‘as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor’. The WP takes the view that it will ‘not be a problem’ for a processor to accept under contract the more onerous security obligations of a data controller based in another jurisdiction. Disappointingly, the Opinion does not touch on the (far more likely) scenario – for example in an offshoring – where a processor outside the EEA may be reluctant to sign up to unfamiliar EU privacy standards. At least the Opinion acknowledges that the real solution to this kind of problem is to concentrate on harmonising security standards.

Supervision and enforcement

Article 28(6) of the Directive provides that:

‘Each supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own Member State, the powers conferred on it in accordance with paragraph 3. Each authority may be requested to exercise its powers by an authority of another Member State. The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.’

The Opinion gives three illustrations. First, an ostensibly simple illustration of a UK entity carrying out processing for a data controller based in Germany. Here, German DP law would in theory apply (although if the UK entity was a ‘processor’, UK standards would apply to the security related aspects). The UK regulator would have power to inspect the UK premises and pass on findings to the German authorities. The German authority would then be able to impose sanctions on the German entity.

The second example is of a non-EU social networking site, targeting EU individuals, but with an establishment in an EU Member State; the applicable law is that of the country of that ‘establishment’ and that country’s regulator would have a duty to act (and to cooperate with other regulators in the event of complaints from individuals in other Member States).  But, less helpfully, the Opinion does not analyse what would happen if the non-EU social networking site had no ‘establishment’ in the EU and was instead caught under the provisions of Article 4(1)(c).

The third illustration involves an EU-wide platform for exchanging health data, using the example of a tourist from Bulgaria having emergency treatment while on holiday in Portugal, and subsequently wanting to make a data protection related complaint against the authorities who had treated him.  The legal analysis is sound enough – but we hope that in practice the recuperating Bulgarian tourist would have other priorities than to sue the life-saving Portuguese medics!

Proposals for improving applicable law rules in the revised Directive

Following a succession of consultations, the Commission published its Communication outlining priorities for reform in November and has promised a draft Directive at some point during 2011. The applicable law rules are among the issues earmarked for updating in the light of globalisation and technological change. The WP Opinion, fleshing this out in more detail, proposes a number of changes including:

· clarifying the concept of ‘context of activities’ with an emphasis on the degree of involvement in relation to the processing;

· shifting to a ‘country of origin’ approach whereby all establishments of a multinational would comply with the laws of the country of its main EU establishment;

· comprehensive harmonisation of national data protection laws as a precondition of the country of origin approach (to avoid businesses ‘forum shopping’ for the least onerous regime); and

· applying additional criteria to data controllers based outside the EU, where services are targeted at EU data subjects – similar to the approach taken in consumer protection.

Comment

The WP’s functional approach to applicable law – with the emphasis on the ‘context of activities’ – and useful elucidation of ‘equipment’ and ‘means’ is welcome. It is a shame that the analysis does not go further or deeper in the context of outsourcing or cloud computing scenarios. Scenarios involving applicable law issues often also raise queries about whether a receiving overseas entity is a mere processor or a joint controller (or in some cases, a bit of each in relation to different aspects of its handling of the controller’s data). Integrating and illustrating the analysis of both issues would have made this Opinion more useful and accessible. Further illustration of the application of security obligations to processors would also have been welcome.

It is notable that the Opinion is lacking in examples of substantive data protection obligations which vary from one Member State to another and cause businesses practical problems – although such examples abound, and on the enforcement front we know that Member States’ sanctions vary significantly.  So far as we are aware, there have been no reported cases which raise issues of conflict of laws in data protection – so, is applicable law really such a problem?

The real problems with applying current privacy rules to the virtual world – as highlighted in the recent article ‘Navigating the cloud: solutions for a cloud computing age’ by Dervish Tayyip – are substantive issues like transparency, security and breach notification requirements. Legislation can never be fully future-proof but, with the prospect of a revised Directive, the European institutions at least have an opportunity to achieve far greater harmonisation on those obligations and rights which have a real impact on our privacy.

So, we return to the WP’s assertion that in a world where personal data constantly crosses borders, data subjects and data controllers need to know which national laws apply.  But isn’t it more accurate to say that – both as individuals and businesses – what matters to us is that appropriate and proportionate standards protect our data, regardless of where in the EU (or for that matter the world or the ether) it is processed?  Harmonisation of data protection law? Bring it on!

Claire Walker is Head of Commercial Know How at Olswang and a founder member of the Datonomy blog at http://www.datonomy.eu/

Shona Kerr is a Trainee Solicitor in Olswang’s MCT Group



[1] Opinion 8/2010 on applicable law, adopted 16 December 2010 http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp179_en.pdf

[2] The ‘Review of the Data Protection Directive’ by RAND, commissioned by the UK ICO and published in 2009, is available at http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/review_of_eu_dp_directive.pdf

[3] The Commission’s Communication ‘A comprehensive approach on personal data in the European Union’, November 2010, at http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdf

[4] Opinion 1/2010 on the concepts of ‘controller’ and ‘processor’ at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_en.pdf

[5] See also the article ‘Outsourcing: is your supplier a ‘data processor’ or a ‘joint controller’ – and why does it matter?’ on the Olswang website http://www.olswang.com/newsarticle.asp?sid=121&aid=2936