Victoria Hordern reviews the tests which apply for determining when EU data protection law applies and considers the numerous traps for the unwary
At the heart of EU data protection law is the passionate belief in the right to privacy. Indeed, the Treaty of Lisbon has now recognised both privacy and data protection as fundamental rights under EU law. As fundamental rights, there is a sense in which the scope of privacy and data protection must be expanded to the furthest extent possible. Yet, like any other law, it must be clear when and where EU data protection rules apply and the applicable law provision in the current Data Protection Directive has caused some headaches along the way. Whether the proposed new EU regime will prove to be a calming tonic remains to be seen.
Today's technology pays no attention to geographic borders. What do Cloud Computing networks care about the Atlantic Ocean so long as the network is resilient and customers can access their data? Businesses typically structure their systems in order to provide the best commercial proposition which often (but not always) involves cross-border data transfers. Therefore, cross-border data transfers are a part of everyday business.
But businesses need to understand which laws apply to their operations to ensure compliance and avoid being chased by regulators or disgruntled customers. Unfortunately, the Directive's provision concerning when it applies (found at Article 4) has not always provided much clarity.
Article 4 complexities
The interpretation of Article 4 has been beset with complexity from the beginning. It is designed to cover both controllers that have a clear physical established connection with an EU Member State and controllers that have no tangible connection with a Member State but make use of equipment located in a Member State to process personal data. These provisions immediately raise questions: What is considered to be 'established'? What amounts to 'equipment'? And what does 'makes use of' mean?
The EU approach embodies key differences from other data protection and privacy laws. First, EU law applies to the processing of personal data regardless of whether the individuals affected are EU citizens or not (a point at variance from the constitutional rights afforded only to US citizens in the US). Secondly, it is irrelevant if the individual affected is physically present in the EU or not. The trigger for application of the law attaches to the status of the controller and its actions and not to the individuals affected.
The aspects that have caused most debate and confusion are:
These provisions deal with different propositions. To fall under Article 4(1)(a) the controller's establishment must be located in the EU and the processing of personal data must be carried out in the context of the activities of that establishment. Whereas in Article 4(1)(c), the controller is specifically not established in the EU but makes use of equipment situated in the EU to process personal data.
Article 4(1) (a) – Establishment
Article 4(1)(a) reflects the country of origin concept derived from rules relating to the internal market. Simply put – where your business is established dictates which law applies. Establishment requires the effective and real exercise of activity through stable arrangements and is a concept interpreted by the CJEU. An establishment need not have a legal personality but there should be resources permanently available in that location to provide particular services. So a one-person office or agent may qualify as an establishment. Member States apply their own local rules to this provision which can result in differing interpretations of what constitutes the effective and real exercise of activity. Unsurprisingly Member States are more inclined to apply their own law where their own citizens are involved.
In the words of the Article 29 Working Party, the notion of 'establishment' in the context of the Internet-based economy has recently been interpreted in a very large manner by the CJEU. In the CJEU decision of May 2014 (known as the Google 'right to be forgotten' decision) the Court found that the advertising sales generated by Google Spain (the local subsidiary of the US company Google Inc.) were sufficiently linked to the Google search activities that the individual affected complained about. Even though Google Spain neither designed nor operated Google's search business in Spain, the data processing at issue related to the search business which Google Spain's sale of online advertising space helped to finance so this was processing of personal data carried out 'in the context of the activities' of the Spanish establishment. Therefore, EU data protection law applied.
The implications of this decision for the interpretation of Article 4(1)(a) are considerable since global businesses now need to demonstrate that there is no commercial connection between a local operation (whether branch or subsidiary) and a non-EU company in order to argue that EU data protection law does not apply to data processing by the non-EU company. In reality, for most global businesses this will be extremely difficult to prove. In any event, the ruling will ultimately be set alongside the final text of the EU Data Protection Regulation.
Article 4(1) (c) – Equipment
Articles 4(1)(c) and 4(1)(a) are designed to be mutually exclusive. Article 4(1)(c) has, on the whole, been the provision that has prompted most debate. The Article 29 Working Party has periodically examined the circumstances in which Article 4(1)(c) applies to non-EU businesses. In a 2002 working document (WP 56) the Working Party analysed Article 4(1)(c) in the context of non-EU based web sites. The Working Party emphasised that their position stems from the belief that the individual should not be without protection where his personal data is being processed in his country solely because the organisation performing the processing has not chosen to be established in an EU Member State. This type of language and approach (that we see reflected in a number of Working Party subsequent papers including WP 148 (search engines), WP 163 (social networking) and WP 185 (geolocation)) reveals the Working Party's concern to protect the rights of individuals living in the EU (note the reference to 'his country') and extending as far as possible the scope of EU rules.
In WP 56, the Working Party argued that, where equipment (which includes computers, terminals, and servers) situated in the EU is at the disposal (but not necessarily full control) of a non-EU controller, EU data protection law applies. Furthermore, the Working Party determined that the use by a non-EU controller of cookies placed on the hard drive of an EU user's personal computer can trigger the application of EU data protection law since the non-EU controller has some control over equipment used to process personal data.
It is also therefore unsurprising to read in more recent Working Party papers such as the September 2014 Opinion on the Internet of Things (WP 223) that in the face of developing technology the Working Party supports a wide interpretation of equipment. So, 'all objects that are used to collect and further process the individual's data in the context of the provision of services in the IoT qualify as equipment' including the devices themselves (eg step-counters, connected glasses, watches) and users' terminal devices (eg smartphones or tablets). Consequently, non-EU businesses seeking to launch an Internet of Things product in the EU should assume that EU data protection rules will apply in most circumstances.
Clearing up the ambiguity?
The fullest expression of the Article 29 Working Party's position on applicable law was set out in an Opinion published in 2010. The Opinion recognised the ambiguity concerning the applicable law rules and the need for improvement. It set out examples to help organisations work out whether EU data protection law applies and, if so, which Member State law applies.
In looking more closely at what constitutes 'making use of equipment', the Working Party encouraged a broad interpretation which would include the (automated or human) collection of personal data through surveys or questionnaires such as in some pharmaceutical trials. Yet, they recognised that such a broad application can result in unsatisfactory conclusions – such that a non-EU organisation that processes data on non-EU residents but uses equipment in the EU finds itself subject to the full weight of EU data protection rules.
A connecting factor that can aid interpretation according to the Working Party is the relevant 'targeting' of individuals which they suggest could be used as a complement to the 'equipment' criterion. But they hint at the legal gymnastics that a non-EU controller may be forced into when, due to Article 4(1)(c), EU law applies but there is no easy answer to how the non-EU controller can meet the adequacy requirements relating to data transfers under the Directive.
The Working Party goes on to recommend that the rules around applicable law be simplified so that they reflect the country of origin principle. Therefore, all establishments of a controller within the EU apply the same law regardless of the territory where they are located. But this is only acceptable to the Working Party if data protection law is harmonised across the EU, otherwise there is a danger of forum shopping. For those controllers established outside the EU, the Working Party considers that it is still helpful to retain the use of equipment connection but recommends that account is taken of whether individuals within the EU are targeted.
Proposed new regulation
So the big question is: does the proposed Regulation (which aims to harmonise data protection law across the EU) make the position on applicable law any clearer? We do not yet have a final text but there are indications from published documents of where we will end up.
First, the applicable law provision will retain the concept of processing personal data in the context of the activities of an establishment in the EU. The presence in the EU of a branch or subsidiary or only a single individual may all bring the data processing activity (whether the processing takes place within the EU or not) within the scope of EU data protection law. However, the big difference is that this rule applies both to controllers and processors. So a local presence in the EU acting as a processor even when the controller is located outside the EU could be caught under this rule.
Secondly, for non-EU organisations a new key emphasis is on whether they are processing personal information about individuals who reside in the EU (although the EU Parliament considers residence irrelevant), and are offering goods and services to these individuals or are monitoring their behaviour. The requirement that the individuals are residents appears to deal with one of the concerns the Article 29 Working Party previously raised. However, who determines whether someone is a resident or not? Does a two-month holiday in Paris by a Japanese citizen mean that they are a resident? Does the individual need to possess residency status as awarded under the local law of the Member State?
Furthermore, if a US company (with no EU presence) provides an ecommerce web site in English accessible to UK users but requiring payment in dollars, does that automatically exclude the US company from the scope of this provision since the currency selection suggests that the EU is not being targeted? If the same US ecommerce web site later offers UK users the opportunity to pay in pounds sterling but chooses not to comply with the Regulation, how easy will it be for EU data protection authorities to enforce the law? Or what about an Indian web site written in English that provides a forum for tourists (of whatever nationality) to exchange travel recommendations – is the provision of the forum considered to be a 'service' offered to residents in the UK?
But the most technically challenging aspect of the provision is that the law may apply where EU residents are monitored or tracked by non-EU organisations. This type of language looks primarily designed to catch online behavioural advertising networks (although there will be other services) that create profiles according to the behaviour of a device online (and behind the device, an individual) and then serve up relevant ads. This moves the focus away from identifying 'equipment' as under current law and onto the actual activity of targeting EU residents. But what does this mean in practice? Will a US online advertising network need to be able to differentiate between devices they monitor which have EU resident users behind them and those that do not? How will they do this? What if the network argues that it has no intention of monitoring EU residents but cannot prevent them visiting online sites that are part of its network?
So what does this mean for global businesses?
Following the Google Spain decision, all global businesses should take note of how they may be brought within the scope of EU data protection law even if it appears that a non-EU based part of their business is involved in different services from EU operations. Certainly a global business without a clearly identified EU-based controller should consider establishing an entity in one Member State in order to conduct all data processing subject to EU rules through that entity and the law of that Member State.
Going forward, the new Regulation's likely direction of travel will include applying EU data protection law to online services and behaviours that target EU individuals. Therefore, global businesses should think through how their online offerings are positioned and the likelihood that their customers are or will be EU individuals. In particular, global businesses operating online tracking or profiling technologies are far more likely to be caught by the scope of the new Regulation and would do well to prepare for it.
Victoria Hordern is a Senior Associate at Hogan Lovells in London.
This article first appeared as a blog post in Hogan Lovells' Chronicle of Data Protection blog at http://www.hldataprotection.com/