Data Protection: Facebook and the Right Kind of Establishment

March 22, 2013

A German administrative Court has limited the jurisdiction of the German data protection authorities in two interesting cases involving Facebook, Facebook Ireland, Facebook Inc v Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein.[1] Similar issues have arisen elsewhere and the case has a clear impact across the EU.

The German Court Case

The Data Protection Authority in Schleswig-Holstein had ordered that the blocking of accounts of users who had registered on Facebook using false personal data or pseudonyms is against German data protection law. Facebook appealed against this order before the Administrative Court of Schleswig-Holstein, which decided that German data protection legislation (the ‘Bundesdatenschutzgesetz’ or Federal Data Protection Act (FDPA)) has no application to this matter.

First, the Court held that a choice of law clause in the contract between Facebook Ireland and the German user does not apply to data protection law. The application or non-application of German data protection law is not dependent on the parties’ choice of law.

Applying the relevant provisions of the FDPA and Article 4 of Directive 95/46/EC the Court concluded that Irish data protection law is exclusively applicable.

The Court examined the provisions of German FDPA and found this to be an incomplete transposition of Article 4 of the Directive. According to Para 1 (5) Sentence 1 FDPA, German data protection law is not applicable if a data controller established in another EU Member State or EEA State processes personal data in Germany, unless this processing is carried out by an establishment in Germany.

According to Para 1 (5) Sentence 2 FDPA, German data protection law is applicable if a data controller who is not established in an EU Member State or an EEA State processes personal data in Germany. There is no express requirement for the use of equipment or facilities.

The Court then referred to the Directive. Article 4(1)(a) provides that if the data processing is carried out in the context (or in the German version ‘framework’) of the activities of an establishment of the controller on the territory of the Member State, that Member State’s implementation of the Directive will apply. Thus it is not sufficient that the data controller has an establishment in the Member State; the processing must occur within the framework of the activities of that establishment.

If the same controller is established in several Member States and processes data in the context of the activities of each establishment there, it will have to comply with the data protection laws of each Member State, according to Article 4(1)(a), 2nd sentence. Article 4(1)(c) provides that if the data controller is not established in a Member State but, for the purposes of processing personal data, makes use of equipment (or ‘means’ in some of the other language versions of the Directive) situated on the territory of that Member State, that Member State’s data protection law will apply.[2]

The Court also referred to Article 2(d), which defines as data controller the person who decides about the means and purposes of the processing of personal data. The Court disagreed with the Data Protection Authority’s interpretation that the applicability of German law results from Para 1(5) Sentence 1 of the FDPA and Article 4(1)(a) of the Directive based on the fact that Facebook has a subsidiary in Hamburg, Germany. The Court found in favour of Facebook’s evidence that the German subsidiary’s activities are limited to selling advertising and marketing. According to the Court, the processing of personal data of the German users (as referred to in the Administrative Court Order) does not take place in Germany. Hence the Court concluded that there is no processing in the context of the activities of the establishment in Germany.

The Court pointed out that Para 1(5) Sentence 1 of the FDPA has to be interpreted in conformity with the Directive, which means that the reference to establishment in Germany must be limited to the case where the processing is in the context of the activities of the establishment. Referring to the evidence presented by the Irish Data Protection Commissioner, the Court found that Facebook Ireland is the only establishment in Europe which is a data controller with responsibility for personal data collected from non-US users. The Court found on the facts that Facebook Ireland is not a joint controller over the personal data of EU users.[3]

The Court said it was not necessary to decide whether, if it had found that Facebook Inc in the USA was the only data controller and hence the German and other EU/EEA establishments were irrelevant (as they do not provide data processing in the framework of the activities of the data controller), this would have meant that Article 4(1)(c) (and Para 1(5) 2nd Sentence of the FDPA) would have been applicable.

This relates to an unintended gap in the Directive. Article 4(1) leaves open the question of whether an establishment in an EU Member State which does not process data in the framework of the activities of the data controller counts for the purpose of applying Article 4(1)(c). If it counts, there is a gap in the jurisdictional protection of the Directive, as neither Article 4(1)(c) nor Article 4(1)(a) would apply. The German Court seems to say implicitly that for the purposes of Article 4(1)(c) irrelevant establishments do not count (ie those that do not process personal data in the framework of the activities of the data controller). But, since this was not relevant to the case at issue, the Court did not make a clear pronouncement to this effect. The main point was that since Article 4(1)(a) applies there was no room for applying Article 4(1)(c).

The Court held that the physical location of the data and the location of the servers on which the processing is carried out are irrelevant to the question of applicable law under Article 4. Hence the Irish establishment which is responsible for making the decisions as a data controller for non-US personal data determines the applicable law, even if the data was stored on servers in the US (which is what the evidence seemed to suggest).

The Court held that the use of content delivery networks in Germany is irrelevant under Article 4(1)(a) as they do not amount to an establishment with the necessary degree of permanence.

The Court held that Irish data protection law applies exclusively in this case and that the German data protection authorities were not competent to issue the administrative order.

Issues Elsewhere in the EU

The German case is one of three similar cases currently proceeding through European courts.

In Italy, Google executives were convicted of offences of infringing Italian data protection law in connection with a video uploaded to Google Video showing abuse committed against a disabled student.[4] The Google Italy case is a good illustration of the wide interpretation of the phrase ‘in the context of the activities of an establishment’ by a national court in the EU. Unlike the German Administrative Court, the first instance judge in Italy decided that Italian data protection law was applicable to the case, since Google had an establishment in Italy. The judge came to this conclusion despite (i) the fact that the data in connection with Google Video services was not processed in Italy but on servers in the US/Ireland, (ii) the defence’s assertion that decisions about content were not made in Italy and content was not hosted in Italy, and (iii) the fact that AdWords links were created based on users’ choices (not by Google Italy) and AdWords links went not to the videos but to advertisers’ web sites.[5] The judge found that:

‘(a) Google Italy was the “operative and commercial hand” of Google Inc; (b) like other Google subsidiaries, it was substantially a part of the group operating as a single unit, under the direction of Google Inc; (c) Google Italy had the possibility of linking advertising to the videos using the service Google AdWords.’[6]

It seems that the judge assumed that since Google Italy participated in the activities of Google Inc (in the widest sense of the word), the processing was done in the surrounding circumstances (or context) of Google Italy’s activities.[7] This argument somewhat puts the cart before the horse, as in reality the relationship is the inverse: the activities of Google Italy (which apparently do not involve data processing in relation to the videos, but other ancillary activities such as marketing) are carried out in the framework of Google Inc’s activities, or perhaps those of Google’s European headquarters in Ireland.

The Google Italy decision has been appealed, but the appeal decision was not available in English at the time of writing.

Thirdly, a Spanish Court (Audiencia Nacional) has referred several questions to the Court of Justice of the European Union on the interpretation of Article 4 of Directive 95/46/EC in relation to a dispute between the Spanish Data Protection Authority and Google.[8] In this reference the Spanish Court asks whether a relevant establishment under Article 4(1)(a) exists when a search engine establishes a subsidiary/office in a Member State with the purpose of promoting and selling advertising space on the search engine, which orientates its activity towards the inhabitants of that State and which collaborates with the parent company (in the US) in respect of data protection questions. Furthermore, the Spanish Court asked the Court of Justice to interpret Article 4(1)(c) and decide whether there is use of equipment if the search engine uses crawlers and robots to locate and index information contained on servers in the relevant Member State and if the search engine uses the relevant country code top level domain of that Member State and ensures that search results are presented in the language of the Member State (ie in this case Spanish). Furthermore, the Spanish Court asked whether it was sufficient for the equipment test in Article 4(1)(c) to be fulfilled if the search engine stores some of the indices on servers in Spain (Google refused to disclose where it maintained this data). Finally, the Spanish Court also asked the CJEU to rule on whether the Charter of Fundamental Rights (in particular Articles 7 and 8) mandated the application of EU data protection law to Google (regardless of the jurisdictional provisions in the Directive itself). While it may take a few years for the Court of Justice to answer these questions, the decision will finally provide clarity on the scope of the jurisdictional provisions in the Directive from the highest court in Europe.

Data Protection Reform Package

This clarification will come late in the life of the Directive, as the Proposal for a new Regulation on data protection has, in its current form, different provisions on jurisdiction and applicable law.[9] First of all, the draft Regulation maintains the ground of jurisdiction based on the processing of personal data in the context of the activities of an establishment of the data controller in the EU in Article 3(1). However, the equipment ground has been abandoned in favour of a targeting test: draft Article 3(2) provides that ‘this Regulation applies to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to (a) the offering of goods or services to such data subjects in the Union or (b) the monitoring of their behaviour’. The connecting factor to the territory of the EU is that an undertaking outside the EU processes the personal data of persons resident in the EU and offers goods or services to such persons or monitors their behaviour. The equipment ground was largely fictional if it (as the Article 29 Working Party Opinion stated) applied to equipment on users’ computers such as cookies and other tracking devices. Hence, it is laudable that the Commission proposes to abandon this test in favour of a much clearer test: it is clear beyond doubt that the draft Article 3(2) would apply to Facebook or Google in the cases described above and impose the application of European data protection law on them. However, this would probably be seen as a form of extraterritorial application of the law and it is not clear whether the Regulation (if it stays in the current form) will be enforceable against such US-based companies.

Presumably the German Court would not have decided the case any differently (ie that Irish data protection law applies) had the Regulation been in force in the form of the Commission Proposal, as the German Court presumably would have found that Article 3(1) would have the effect of giving competence to the Irish data protection authority, applying the (fully harmonised) Regulation.

 

Dr Julia Hörnle is Professor in Internet Law at the Centre for Commercial Law Studies, Queen Mary University of London and Programme Director for the LLM/Diploma in Computer & Communications Law by Distance Learning



[1] Az 8B 60/12, Judgment of 14 February 2013 (Case against Facebook Ireland) and Az B8 61/12, Judgment of 14 February 2013 (Case against Facebook Inc).

[2] Unless the equipment is used only for the purposes of transit through the EU/EEA.

 

[3] The Court points out later that the legal assessment of Facebook Inc as a joint controller is not necessary, as it is clear that Facebook has a relevant establishment, so that Article 4(1)(c) is not in point.

[4] Tribunal of Milan, Sentenza n.1972/2010.

[5] G Sartor, MV de Azevedo Cunha ‘The Italian Google case: Privacy, Freedom of Speech and Responsibilities of Providers for User-Generated Contents’ (2010) 18(4) International Journal of Law and Information Technology 356-378, 363.

[6] Ibid.

[7] The Italian version of the DPD also refers to ‘context’, contesto.

[8] Case C-131/12 Google Spain v Agencia Española de Protección de Datos, Preliminary Reference of 9 March 2013.

[9] See Proposal for a General Data Protection Regulation, European Commission COM(2012) 11 final of 25 January 2012.