
Tuesday, 3 July 2018

Facebook fan pages and EU data protection law: the implications of Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v. Wirtschaftsakademie Schleswig-Holstein GmbH

Professor Lorna Woods, University of Essex



Facts of the Case



Many businesses rely on Facebook to support their business using a Facebook fanpage (which requires a specific registration with Facebook) and the Wirtschaftsakademie is one such. In this case, it received a notice from the Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein, a regional data-protection authority in Schleswig-Holstein (‘ULD’), to deactivate the fanpage. The ULD argued that the people coming to the page were not warned that their personal data would be collected by Facebook by means of cookies placed on the visitors’ hard disks. 



For the person running the fanpage, the advantage of using it is the receipt of (anonymous) statistics on site use from Facebook via a tool called ‘Facebook Insights’, a tool which is available free of charge under the standard, non-negotiable terms of use. For Facebook, it allows the acquisition of data to facilitate profiling for the purposes of delivering targeted adverts. The Wirtschaftsakademie challenged the ULD’s order, arguing that it was not responsible for the processing of data by Facebook. A number of questions were referred to the Court of Justice on the interpretation of the Data Protection Directive (Directive 95/46, the DPD), focussing on the questions of:



- who was responsible for the data (ie who is a controller);
- which regulatory authority might take action; and if so,
- whether it would be constrained by the opinions as to the legality of the processing of other competent supervisory authorities.



The Advocate-General took the view that both the Wirtschaftsakademie and Facebook were controllers and, although Facebook was established in Ireland, following the approach of the Court to jurisdiction in Google Spain and Google (Case C-131/12, discussed here), Facebook’s activities had to be assessed in the light of its activities in Germany.  ULD could thus bring the enforcement action.  In a judgment of the 5th June 2018, the Court of Justice came to the same conclusion.



The Judgment



The Court construed the first two questions referred (on Articles 2(d) and 17 DPD) as asking whether the choice of Facebook as a means of reaching its audience means that a user so doing is responsible for the data processing. The Court, drawing on the approach in Google Spain and emphasising the aim of the DPD being to protect privacy, reiterated that the concept of “controller” should be interpreted broadly, especially as the definition of “controller” foresees the possibility of joint controllers. Certainly Facebook determines the purposes and means of processing, thus bringing it within the meaning of “controller”. As regards the Wirtschaftsakademie, the Court stated that mere use of the network would not make a user a controller, but that the use of fanpages involves more engagement with Facebook, and that engagement influences whose data is collected by Facebook (on the fanpage). Although the statistics are transmitted to the fanpage administrator in anonymous form,



“Directive 95/46 does not, where several operators are jointly responsible for the same processing, require each of them to have access to the personal data concerned” (para 38).



Whilst Facebook might bear the most responsibility for processing, the Court also noted that where the fanpage is visited by those who do not have a Facebook account (and have therefore not signed up to Facebook’s terms),



“the fan page administrator’s responsibility for the processing of the personal data of those persons appears to be even greater, as the mere consultation of the home page by visitors automatically starts the processing of their personal data” (para 41).



Concurring with the opinion of the Advocate General, the Court accepted that joint responsibility was not the same as equal responsibility – responsibility should be assessed on the basis of the case in hand (para 43).  The consequences of this for the supervisory authority - or the co-controllers - are not, however, drawn out.



The Court grouped questions 3 and 4 together to ask, where a non-EU company had multiple EU establishments, which regulator(s) would have the power to act (under Article 28(3) DPD).  As had been noted in Weltimmo (Case C-230/14, discussed here), the supervisory authority’s powers are, in general, limited to its own territory.  Reading Article 28 DPD in the light of Article 4(1) DPD, the Court stated that:



“where the national law of the Member State of the supervisory authority is applicable under Article 4(1)(a) of the directive because the processing in question is carried out in the context of the activities of an establishment of the controller in the territory of that Member State, that supervisory authority can exercise all the powers conferred on it by that law in respect of that establishment, regardless of whether the controller also has establishments in other Member States” (para 52). 



The question then becomes whether the controller satisfies the double test in Article 4(1) – that is, (1) whether the controller has an establishment in the Member State in which the supervisory authority is based; and (2) whether the processing is carried out ‘in the context of the activities’ of the establishment. Reiterating Weltimmo, the Court stated that:



“establishment in the territory of a Member State implies the effective and real exercise of activity through stable arrangements, and the legal form of such an establishment, whether simply a branch or a subsidiary with a legal personality, is not the determining factor” (para 54).



Facebook maintains an office in Germany through Facebook Germany; the processing need not be by the controller itself but in the context of its activities – a phrase not to be interpreted narrowly (as already established in Weltimmo and Google Spain). The Court noted that the placing of the cookies and the following analysis of the resulting data was intended to enable Facebook to improve its system of advertising by better targeting its commercial communications; in developing this argument the Court expressly adopted the reasoning of the Advocate General. It concluded that ULD was thus competent to intervene.



The Court further held, in dealing with questions 5 and 6, that the determination of lawfulness is for each supervisory authority to undertake as an independent body. The obligation on supervisory authorities to cooperate with one another does not attribute priority to the views of one supervisory authority over another, nor require a supervisory authority to comply with views expressed by another (paras 69-70).



Comments



This case was significant: it determined the power of the supervisory authorities and their respective rights to disagree.  It also cast the net widely as regards the meaning of controller, and as a consequence the personal scope of the DPD, with implications for the practice of tracking and behavioural profiling.  It may be less easy to get content providers to use these platforms if they come with a potentially hefty liability price-tag – though as noted the extent of differential responsibility in this context is not yet known. The ruling made clear that the mere possibility of taking measures against Facebook in Ireland, or a decision by the Irish supervisory authority not to institute measures, would not prevent measures being taken against a jointly responsible local controller who administers a Facebook Page.  Following the ECJ’s ruling, the German data protection authorities have issued guidance as to what users of Facebook fanpages must do to comply with the law (see here and here).



Nonetheless, some are questioning the case’s long-term significance.  The case referred to the DPD; the General Data Protection Regulation (GDPR) is now in force. To what extent is this decision then just a history lesson?  The GDPR did not entirely do away with concepts used in the DPD, so insofar as the GDPR refers to “controller” it would seem that that term should be interpreted in the light of this case; likewise the GDPR expressly envisages the possibility of joint controllers. 



Perhaps the big change is the introduction of the one-stop shop mechanism with the GDPR. Although the GDPR’s general approach to national supervisory jurisdiction in Article 55 GDPR is based on Article 28(6) DPD, Article 56 GDPR aims to ensure that a multi-jurisdictional controller deals principally with one regulator. The one-stop shop mechanism is not, however, quite as simple as that. There are exclusions from and exceptions to this principle (see Article 55(2) and Article 56(2)), as well as mechanisms to ensure that the various national supervisory authorities keep broadly in line with one another. Thus multiple regulators (from the perspective of service providers such as Facebook) remain a possibility. Article 56(2) provides for a supervisory authority other than the lead supervisory authority to seek jurisdiction. The circumstances in which this could arise are in relation to complaints made by individuals to it; or in relation to possible infringements if they either concern only the local establishment, or substantially affect data subjects only in the local Member State. In this context, a supervisory authority might take the view that a fanpage targets data subjects in its particular territory.



Whether or not these would affect Facebook’s ability to deal with just one regulator is one question but what has not yet been considered is the impact going forward on any co-controller.  The GDPR is silent on how jurisdiction is to be assigned in cases where there are joint controllers.  The Article 29 Working Party Guidelines, which have been adopted by the European Data Protection Board (EDPB), suggest that the joint controllers should designate the main establishment.



Whether this would be appropriate in the context of unequal bargaining power between the joint controllers – as in the case of Facebook and its users – is uncertain. If Facebook designated as part of its terms of use that the relevant supervisory authority were to be the Irish Information Commissioner, this would mean that the weaker party could be subject to regulation from a ‘foreign’ regulator – perhaps in another language. This may be more difficult for an individual or small business to deal with than for a multinational company. This issue has yet to be directly addressed. In sum, it could be argued that the move to the GDPR does nothing to remove the exposure to liability, which might become a disincentive for businesses which see a fanpage as a low-cost option to continue using fanpages (and similar platforms).



We might ask, moreover, whether it is just Facebook fanpages that would be affected by the Court’s reasoning. There is a pending case on the installation of like buttons, which again allow tracking (see Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW eV (Case C-40/17)), but we might ask the question more broadly. What, for example, would be the position of Google Analytics being run on a site? There are many examples where deals between supplier and customer include personal data of those engaging with the customer, without those persons necessarily being aware of it, or having a choice in the matter. A business which signs up to Office 365 may agree to default consents to monitoring of email, diary and contact details of its employees. Would this make the employer a joint controller with Microsoft? It seems likely that there will be more cases on this – or similar questions – as we move into GDPR territory.



Photo credit: 77reviews.com


Friday, 3 November 2017

Who’s responsible for what happens on Facebook? Analysis of a new ECJ opinion



Lorna Woods, Professor of Internet Law, University of Essex

Who is responsible for data protection law compliance on Facebook fan sites? That issue is analysed in a recent opinion of an ECJ Advocate-General, in the case of Wirtschaftsakademie (full title: Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, in the presence of Facebook Ireland Ltd, Vertreter des Bundesinteresses beim Bundesverwaltungsgericht).

This case is one more in a line of cases dealing specifically with the jurisdiction of national data protection supervisory authorities, a line of reasoning which seems to operate separately from the Brussels I Recast Regulation, which concerns jurisdiction of courts over civil and commercial disputes. While this is an Advocate-General’s opinion, and therefore not binding on the Court, if followed by the Court it would consolidate the Court’s prior broad interpretation of the Data Protection Directive. While this might be the headline, it is worth considering a perhaps overlooked element of the data economy: the role of the content provider in providing individuals whose data is harvested.

Facts

Wirtschaftsakademie set up a ‘fan page’ on Facebook. The data protection authority in Schleswig-Holstein sought the deactivation of the fan page on the basis that visitors to the fan page were not warned that their personal data would be collected by Facebook by means of cookies placed on the visitor’s hard disk. The purpose of that data collection was twofold: to compile viewing statistics for the administrator of the fan page; and to enable Facebook to target advertisements at each visitor by tracking the visitors’ web browsing habits, otherwise known as behavioural advertising. Such activity must comply with the Data Protection Directive (DPD) (as implemented in the various Member States). While the content attracting visitors was that of Wirtschaftsakademie, it relied on Facebook for data collection and analysis. It is here that a number of preliminary questions arise:

- Who is the controller for the purposes of the data protection regime;
- Which is the applicable national law; and
- The scope of the national supervisory authority’s regulatory competence?

Opinion

Controller

The referring court had assumed that Wirtschaftsakademie was not a controller as it had no influence, in law or in fact, over the manner in which the personal data was processed by Facebook, and the fact that Wirtschaftsakademie had recourse to analytical tools for its own purposes does not change this [para 28]. Advocate General Bot, however, disagreed with this assessment, arguing that Wirtschaftsakademie was a joint controller for the purposes of the DPD – a possibility for which Article 2(d) DPD makes explicit provision [paras 42, 51, 52]. The Advocate General accepted that the system was designed by Facebook so as to facilitate a data-driven business model and that Wirtschaftsakademie was principally a user of the social network [para 53]. He highlighted, however, that without the participation of Wirtschaftsakademie the data processing in respect of the visitors to Wirtschaftsakademie could not occur, and that Wirtschaftsakademie could end that processing by closing the relevant fan page down. In sum:

Inasmuch as he agrees to the means and purposes of the processing of personal data, as predefined by Facebook, a fan page administrator must be regarded as having participated in the determination of those means and purposes. [para 56]

Advocate General Bot further suggested that the use of the various filters included in the analytical tools provided meant that the user had a direct impact on how data was processed by Facebook. To similar effect, a user can also seek to reach specific audiences, as defined by the user. As a result, the user has a controlling role in the acquisition phase of data processing by Facebook. The Advocate General rejected a formal analysis based on the terms of the contract concluded by the user and Facebook [para 60], and the fact that the user may be presented with ‘take it or leave it’ terms does not affect the fact that the user may be a controller.

As a final point, the Advocate General referred to the risk of data protection rules being circumvented, arguing that:

had the Wirtschaftsakademie created a website elsewhere than on Facebook and implemented a tool similar to ‘Facebook Insights’ in order to compile viewing statistics, it would be regarded as the controller of the processing needed to compile those statistics [para 65].

A similar approach should be taken in relation to social media plug ins (such as Facebook’s like button), which allow Facebook to gather data on third party websites without the end-user’s consent (see Case C-40/17 Fashion ID, pending).

Having recognised that joint responsibility was an important factor in ensuring the protection of rights, the Advocate General – referring to the approach of the Article 29 Working Party on data protection – clarified that this did not mean that both parties would have equal responsibility, but rather their respective responsibility would vary depending on their involvement at the various stages of processing activities.

Applicable Law

Facebook is established outside the EU, but it has a number of EU established subsidiaries: the subsidiary which has responsibility for data protection is established in Ireland, while the other subsidiaries have responsibility for the sale of advertising.  This raises a number of questions: can the German supervisory authority exercise its powers and if so, against which subsidiary?

Applicable law is dealt with in Article 4 DPD, which refers to the competence of the Member State where the controller is established but which also envisages the possibility, in the case of a non-EU parent company, of multiple establishments.  The issue comes down to the interpretation of the phrase from Art. 4(1)(a), ‘in the context of the activities of an establishment’, which according to Weltimmo cannot be interpreted restrictively [para 87].  The Advocate General determined that there were two criteria [para 88]:

- An establishment within the relevant Member State; and
- Processing in connection with that establishment.

Relying on Weltimmo and Verein für Konsumenteninformation, the Advocate General identified factors based on the general freedom-of-establishment approach to the question of establishment, which looks for real activity through stable arrangements; the approach is not formalistic. Facebook Germany clearly satisfies these tests.

Referring to Article 29 Working Party Opinion 8/2010, the Advocate General reiterated that in relation to the second criterion, it is context, not location, that is important. In Google Spain, the Court of Justice linked the selling of advertising (in Spain) to the processing of data (in the US) to hold that the processing was carried out in the context of the Spanish subsidiary given the economic nexus between the processing and the advertising revenue. The business set-up for Facebook here is the same, and the fact that there is an Irish office does not change the fact that the data processing takes place in the context of the German subsidiary. The DPD does not introduce a one-stop shop; to the contrary, a deliberate choice was made to allow the application of multiple national legal systems (see Rec 19 DPD), and this approach is supported by the judgment in Verein für Konsumenteninformation in relation to Amazon. The system will change with the entry into force of the General Data Protection Regulation (GDPR), but the Advocate General proposed that the Court should not pre-empt the entry into force of that legislation (due May 2018) in its interpretation, as the cooperation mechanism on which it depends is not yet in place [para 103].

Regulatory Competence

By contrast to Weltimmo, where the supervisory authority was seeking to impose a fine on a company established in another Member State, here the supervisory authority would be imposing German law on a German company.  There is a question, however, as to the addressee of any enforcement measure. On one interpretation, the German regulator should have the power only to direct compliance on the company established on its territory, even though that might not be effective. Alternatively, the DPD could be interpreted so as to allow the German regulator to direct compliance from Facebook Ireland. Looking at the fundamental role of controllers, Advocate General Bot suggested that this was the preferred solution. Article 28(1), (3) and (6) DPD entitle the supervisory authority of the Member State in which the establishment of the controller is located, by contrast to the position in Weltimmo, to exercise its powers of intervention without being required first to call on the supervisory authority of the Member State in which the controller is located to exercise its powers.

Comment

The novelty in this Opinion relates to the first question, and is significant because the business model espoused by social media companies depends on the participation of those providing content, who seem at the moment to take little responsibility for their actions. The price paid by third parties (in terms of data) is facilitated by them, allowing them to avoid or minimise their business costs. Should there be consistent enforcement action against such users, this may gradually have an effect on the underlying platform’s business model. While it is harder to regulate mice than elephants, at least these mice appear to be clearly within the geographic jurisdiction of the German regulator – and will remain so even when the GDPR is in force.

The Advocate General went out of his way to explain that there was no difference between the situation in issue here and that in the other relevant pending case, Case C-40/17 Fashion ID.  This case concerns the choice by a website provider to embed third party code allowing the collection of data in respect of visitors in the programming for the website for its own ends (increased visibility of and thus traffic to the website): the code in question is that underpinning the Facebook ‘like’ button, but would also presumably include similar codes from Twitter or Instagram.

If there was any doubt from cases – for example Weltimmo – about whether there is a one-stop shop (ie only one possible supervisory authority with jurisdiction across the EU) in the Data Protection Directive, the Advocate General expressly rejects this point. In this context, it seems that this case adds little new, rather elaborating points of detail based on the precise factual set-up of Facebook operations in the EU. It seems well-established now that – at least under the DPD – clever multinational corporate structures cannot funnel data protection compliance through a chosen national regime.

It may be worth noting also the broad approach of the Advocate General to Google Spain when determining whether processing is in the context of activities. There the Court observed that:

‘in such circumstances, the activities of the operator of the search engine and those of its establishment situated in the Member State concerned are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable and that engine is, at the same time, the means enabling those activities to be performed’ [Google Spain, para 56]

Here, the Advocate General focussed on the fact that social networks such as Facebook generate much of their revenue from advertisements posted on the web pages set up and accessed by users and that there is therefore an indissoluble link between the two activities.  Thus it seems that the Google Spain reasoning applies broadly to many free services paid for by user data, even if third parties – for example those providing the content on the page visited – are involved too. 

Of course, the GDPR does introduce a one-stop shop. Arguably, therefore, these cases will soon be of historic interest only. The GDPR proposes that the regulator in respect of the controller’s main EU establishment should have lead responsibility for regulation, with regulators in respect of other Member States being ‘concerned authorities’. There are two points to note: first, there is a system in place to facilitate the cooperation of the relevant supervisory authorities (Art 60), including possible recourse to a ‘consistency mechanism’ (Art 63 et seq); secondly, the competence of the lead authority to act in relation to cross-border processing in Article 66 operates without prejudice to the competence of each national supervisory authority in its own territory set out in Article 55. The first of these two points concerns the attempt to limit regulatory arbitrage and a downward spiral of standards in the GDPR as applied, and the broad approach to establishment. The interest of the recipient state in regulating means that there may be many cases involving ‘concerned authorities’. The precise implications of the second point are not clear; note, however, that it seems that the one-stop shop as regards Facebook would not stop data protection authorities taking enforcement action against users such as Wirtschaftsakademie.


Photo credit: Deccan Chronicle

Wednesday, 4 January 2017

IP addresses as personal data - the CJEU's judgment in C-582/14 Breyer



Marcin Kotula, Legal Officer at the European Commission

The views expressed are purely those of the author and may not in any circumstances be regarded as stating an official position of the European Commission

Background

In the Breyer case the CJEU was asked by the German Supreme Court (Bundesgerichtshof) if dynamic IP addresses are personal data within the meaning of the EU Data Protection Directive and to what extent they can be stored and processed to ensure the general operability of websites. Mr Breyer, the applicant in this case, is a German politician and privacy activist. He visited various websites of the German federal institutions. The information about the IP addresses of the visitors (or more precisely of the owners of the devices from which the websites were visited) as well as the information about the name of the accessed web page or file, the terms entered in the search fields, the time of access and the quantity of data transferred is stored in the log files after the visit.

One of the aims of the storage of those data is to prevent cyberattacks and enable prosecution of those who committed them. Mr Breyer did not agree with the storage of his IP address after the consultation of the websites and in the proceedings before the German court he requested the German government to cease this practice. The case eventually went up to the German Supreme Court which decided to seek interpretative guidance from the CJEU.

The questions of the German Supreme Court were specifically focussed on dynamic IP addresses. These are less privacy-invasive than static IP addresses. The difference between them is that the dynamic ones change with every new connection to the internet and the static ones do not. IP addresses are assigned by Internet Service Providers (ISPs) and take the form of a series of digits. In principle, in themselves they do not reveal the identity of a specific natural person but can be combined with other information to identify the owner of a device that connects to the internet. Typically such other information is at the disposal of the ISP. In its Scarlet Extended judgment of 2011 the CJEU clarified that, from the perspective of the ISP, IP addresses are personal data. However, in the Breyer case the scenario was different. The German federal institutions which run the websites only had the IP addresses, and the additional information that is needed to identify the visitors of those websites was held by the ISPs. The CJEU was asked to clarify if the German federal institutions (the data controllers) should treat the IP addresses as personal data even if they are not in possession of this additional information.

The CJEU's analysis

In its judgment of 19 October 2016 the CJEU referred to the definition of personal data in Article 2(a) of the Data Protection Directive 95/46/EC. This definition covers any information that relates to an individual who is identifiable, either directly or indirectly. In consequence, information can be regarded as personal data even if it does not itself identify a specific person.

Further indications on how to assess identifiability are given in Recital 26 of the Directive. This Recital clarifies that when determining if a given person is identifiable one should look at all the means that the data controller or any other person are likely to reasonably use to identify the person. On the basis of those indications the CJEU went on to examine if it is reasonably likely that the IP addresses held by the German federal institutions will be combined with the additional information held by the ISPs. The CJEU followed the line taken on this point in the Opinion of the Advocate General (AG) and stated that the combination would not be reasonably likely if it was prohibited by law or disproportionately difficult in terms of time, cost and manpower. In the German scenario, the ISPs are not allowed to directly transmit such information to website providers. On the other hand, in the event of cyber-attacks the website providers can contact the competent authorities, which then can obtain the additional information from the ISPs. The availability of this legal channel led the CJEU to conclude that, for the German federal institutions, the IP addresses of the visitors of their websites are personal data because these visitors can be identified with the help of the competent authorities and of the ISPs.

The CJEU then examined if the German federal institutions can store and process the IP addresses after the end of the visit of their website to ensure the general operability of the websites. Under the relevant provisions of the German Law on telemedia (Telemediengesetz - TMG) the collection and processing of users' data is allowed only in so far as this is necessary to facilitate and charge for the specific use of the online service. This does not seem to include the purpose of ensuring the general operability of the websites. The CJEU was therefore asked to clarify if the German provisions are compatible with Article 7(f) of the Data Protection Directive. The latter Article authorises the processing of personal data when it is necessary for the legitimate interests of the data controller or of third parties to whom the data are disclosed. This authorisation does not apply if the legitimate interests are overridden by the fundamental rights and freedoms of the person whose data is at stake (the data subject).

Since the maintenance of the operability of the websites and the prevention of cyberattacks might ultimately lead to criminal proceedings against the perpetrators, the CJEU considered whether the processing of IP addresses in such circumstances is excluded from the Directive altogether. It looked into Article 3(2), first indent, of the Directive, which excludes the processing of personal data carried out in the context of criminal law activities of the State. It concluded that in the scenario at hand the German federal institutions are not acting as State authorities but rather as individuals.

As far as Article 7(f) is concerned the CJEU referred to its case-law (the ASNEF judgment of 2011). This judgment acknowledges that the legal bases for the processing of personal data that are set out in Article 7 of the Directive are exhaustive and that the Member States cannot add any new principles or impose additional requirements in that regard. Under Article 5 of the Directive the Member States can merely specify the conditions under which the processing is lawful but this needs to remain within the limits of Article 7 and of the objective of the Directive which seeks to strike a balance between the free movement of personal data and the protection of private life.

Against this background, the CJEU found that by excluding the possibility of processing to ensure the general operability of the websites the German provisions go further than just specifying the conditions of lawfulness. For the CJEU, these provisions should enable the balancing of the objective of ensuring the operability of the websites with the fundamental rights and freedoms of the users. Normally this balancing is to be carried out on a case-by-case basis. The German provisions exclude this possibility by categorically prescribing the result of this balancing from the outset. 

Comments

The judgment of the CJEU is generally in line with the previous case-law on the Data Protection Directive which tends to favour a wide interpretation of the main concepts of the Directive, such as the definitions of personal data and of processing. This interpretation is also compatible with the view of the Article 29 Data Protection Working Party which (in its Opinion of 2007) considers IP addresses as personal data with only one exception, i.e. of addresses allocated in cyber cafes or similar places where the users of computers are normally anonymous.

The reply of the CJEU to the second question, i.e. whether the IP addresses can be processed to ensure the general operability of the websites, might, to a certain extent, be open to interpretation. On the one hand, the CJEU acknowledges that ensuring the operability of the website is a legitimate aim of the German federal institutions under Article 7(f) of the Data Protection Directive. On the other hand, it recalls that such legitimate aims must be weighed against the fundamental rights and freedoms of the data subjects. It would therefore seem that the provider of the website may not always be allowed to retain IP addresses without any further considerations; instead, it may need to weigh the opposing interests when assessing individual situations. The CJEU itself does not spell out the criteria to be taken into account in such an assessment.

An interesting suggestion was made in the Opinion of the AG. Analysing the wording of Recital 26, which states that the assessment of the identifiability of a person must look at all the means that might be used not only by the data controller but also by any other person, he concludes that the formulation "any other person" should rather be understood as meaning only certain third parties which are accessible to the data controller and which the latter might reasonably approach to obtain the additional information. The CJEU did not address this issue in its judgment. However, by analysing only the scenario in which the German federal institutions turn to the authorities competent to prosecute cyberattacks, which in turn approach the ISPs to obtain the additional information, the Court stayed within the limits of the AG's suggestion, because these two third parties were either directly or indirectly accessible to the federal institutions. On the other hand, the question of the German court specifically mentioned the ISPs as the source of the additional information and did not ask about other possible scenarios.

Another interesting point arose in the course of the CJEU's analysis of whether the processing of IP addresses can be excluded from the Data Protection Directive as an activity of the State in the area of criminal law. Neither the Court nor the AG saw any room for this exclusion to apply in the case at hand, because the German federal institutions were not acting in their capacity as public authorities when they processed the IP addresses; for the CJEU and the AG they acted as individuals. However, the term "individual" is normally used as a synonym for "natural person". For example, the full titles of EU and international data protection instruments refer to the "protection of individuals with regard to the processing of personal data" (Data Protection Directive 95/46, Regulation 45/2001, Convention No. 108 of the Council of Europe).

This might be important in the context of another exclusion under the Data Protection Directive, namely the exclusion of the processing of personal data by natural persons in the course of a purely personal or household activity. Although it seems counterintuitive for a public authority to invoke an exception that is intended for natural persons, it does not seem impossible when looking at the case-law of the CJEU on the exclusions. Of the three CJEU cases which dealt with the latter exclusion, two (Rynes, Lindqvist) related to situations where personal data was indeed processed by a natural person, but the Satamedia case involved processing by a private company.

In Satamedia, the CJEU on the one hand concluded that Satamedia and Markkinapörssi were private companies and therefore could not rely on the exception for State activities in criminal law. On the other hand, it then analysed whether their processing could be excluded as a purely personal or household activity, and rejected this option because the companies in question were making the collected data accessible to an unrestricted number of people. Given the CJEU's and the AG's firm assertion in Breyer that the German federal institutions were processing IP addresses as individuals, and the fact that the CJEU did not rule out this option in the case of private companies, it seems possible to envisage a public authority invoking the personal and household exclusion. In any event, the substantive conditions attached to the personal and household exception are rather strict: in all three previous CJEU cases mentioned above this exclusion was rejected because the data in question was published on the internet, made accessible to an unrestricted number of people, or was outside the private setting of the person who collected it (video surveillance of public spaces).

Finally, the scenario in Breyer seems very similar to pseudonymisation of personal data, a concept introduced in the new General Data Protection Regulation (GDPR, which will apply from 25 May 2018) and defined there as "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person". Under the GDPR, pseudonymous data are nevertheless treated as data relating to an identifiable person, and hence as personal data, but pseudonymisation is taken into account in the application of some of its provisions.
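As an added illustration (not from the post or the judgments it discusses), the Python below shows what pseudonymising the client IP addresses in a web-server log looks like along the lines of the GDPR definition just quoted: the key is the "additional information" kept separately, the stored log carries only keyed tokens, and yet repeat requests from one client can still be correlated for the operability and attack-spotting purposes the Breyer judgment weighs. The key, the log lines and the addresses are constructed sample data.

```python
"""Pseudonymising client IP addresses in a web-server log.

Added example, not from the blog post or the judgments it discusses. The key
is the GDPR definition's "additional information": kept apart from the log, so
the log alone cannot be attributed to a visitor, while requests from one client
can still be correlated for operability and abuse detection. Key and log lines
are constructed sample data.
"""
import hashlib
import hmac
import ipaddress
import re
from collections import Counter

# Constructed secret. In practice generate it with secrets.token_bytes(32)
# and store it where the people who read the logs cannot reach it.
PSEUDONYM_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

# First whitespace-delimited field of a common-log-format line (the client).
_FIRST_FIELD = re.compile(r"^(\S+) ")

# Constructed sample log using documentation address ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jul/2018:10:00:01 +0000] "POST /login HTTP/1.1" 401 512',
    '203.0.113.7 - - [01/Jul/2018:10:00:02 +0000] "POST /login HTTP/1.1" 401 512',
    '203.0.113.7 - - [01/Jul/2018:10:00:03 +0000] "POST /login HTTP/1.1" 401 512',
    '2001:db8::1 - - [01/Jul/2018:10:00:04 +0000] "GET / HTTP/1.1" 200 1024',
    '2001:0db8:0000:0000:0000:0000:0000:0001 - - [01/Jul/2018:10:00:05 +0000] "GET /a HTTP/1.1" 200 2048',
    'not-an-address - - [01/Jul/2018:10:00:06 +0000] "GET / HTTP/1.1" 400 0',
]


def pseudonymise_ip(ip_text, key):
    """Stable keyed token for an address; ValueError if not an address.

    The address is normalised first, so "2001:db8::1" and its expanded
    spelling give the same token. HMAC-SHA256 (not a bare hash, which could
    be brute-forced over the IPv4 space) makes the token irreversible
    without the key.
    """
    packed = ipaddress.ip_address(ip_text).packed
    return "ip-" + hmac.new(key, packed, hashlib.sha256).hexdigest()[:16]


def pseudonymise_line(line, key):
    """Replace the client field of one log line with its token.

    Returns None when the field is not a valid address: the line is dropped
    rather than archived verbatim, so a malformed or injected field never
    carries raw data into the pseudonymised log.
    """
    m = _FIRST_FIELD.match(line)
    if m is None:
        return None
    try:
        return pseudonymise_ip(m.group(1), key) + line[m.end(1):]
    except ValueError:
        return None


def pseudonymise_log(lines, key):
    """Pseudonymise a whole log; returns (kept lines, number dropped)."""
    kept, dropped = [], 0
    for line in lines:
        out = pseudonymise_line(line, key)
        if out is None:
            dropped += 1
        else:
            kept.append(out)
    return kept, dropped


def repeat_clients(pseudonymised, threshold):
    """Tokens seen at least `threshold` times: the operability and
    attack-spotting use the judgment weighs, done without any address."""
    counts = Counter(_FIRST_FIELD.match(line).group(1) for line in pseudonymised)
    return {tok: n for tok, n in counts.items() if n >= threshold}


def reidentify(token, candidates, key):
    """Attribute a token to an address.

    Works only with the separately held key *and* a candidate address (e.g.
    one an ISP has already linked to a subscriber); the log alone does not
    suffice. Returns the matching candidate or None.
    """
    for ip_text in candidates:
        try:
            if hmac.compare_digest(pseudonymise_ip(ip_text, key), token):
                return ip_text
        except ValueError:
            continue
    return None
```

Without the key, a holder of the pseudonymised log cannot recover the addresses, which is the "kept separately" condition of the definition; with the key alone, re-attribution still requires a candidate address from elsewhere, much as the federal institutions in Breyer needed the ISP.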


Photo credit: Digiquip group 

Saturday, 20 August 2016

Which data protection and consumer law applies to Amazon? Comments on the VKI v Amazon judgment



Lorna Woods, Professor of Internet Law, University of Essex

The recent CJEU judgment in VKI v Amazon concerns jurisdiction both in the context of conflict of laws (applicable consumer laws) and the Data Protection Directive.  Essentially, the Court of Justice had to decide which Member State’s data protection law should apply where goods are sold across national borders but within the EU. In this, it forms part of a stream of case law (both decided and pending), dealing with the powers of states (and their institutions) to protect those within their boundaries notwithstanding the digital internal market.

Facts

The case concerned Amazon, a well-known large company engaged in on-line selling. It has a branch established in Luxembourg.  It has a domain name ending ‘.de’ and there is a German language page.  It concludes sales with customers in Austria. The company has no registered address in Austria.  Whenever a customer buys goods via Amazon the transaction is governed by Amazon’s unilaterally imposed standard terms and conditions. One term in the agreement is that the law applicable to the contract is that of Luxembourg. 

A consumer protection body in Austria (VKI) sought to challenge this: Austrian law provides higher protection for the consumer than the equivalent Luxembourgish law and it sought to injunct Amazon on the basis of Directive 2009/22/EC on injunctions for the protection of consumers’ interests through an action brought before the Austrian courts. Amazon countered that it has no legal connection with Austria – it is not established there.  While there were questions regarding the applicable law and the fairness of the jurisdiction clause in the contract in the light of the Unfair Contract Terms Directive, there was another issue concerning data protection. There were clauses in Amazon’s standard terms and conditions which indicated that data might be exchanged with credit-risk assessment and financial services companies in Germany and Switzerland.  Again VKI argued that Austrian data protection rules should apply.

Questions Referred

While on the face of it the matter might seem to be one of contract law, and therefore governed by the Rome I Regulation on the law applicable to contractual obligations, the form of relief sought – the injunction – might seem to bring the question within the Rome II Regulation, which governs the law applicable to non-contractual obligations, a fact which might affect the outcome of the case.  The national court asked whether an action for an injunction fell within Rome II and, if so, where the damage might be said to have taken place so as to determine jurisdiction.  Irrespective of the outcome of that question, the referring court also asked about the impact of the Unfair Contract Terms Directive on the jurisdiction clause. It likewise wanted to know whether the processing of data should be regulated by Luxembourg alone, or whether the processor must ‘also comply with the data protection rules of those Member States to which its commercial activities are directed?’

Judgment

The ECJ dealt with the questions on Rome I and II together.  It noted that they should be interpreted consistently with one another, as well as the Brussels I Regulation (which concerns the separate question of which country’s court has jurisdiction in cross-border cases).  The Court referred to its previous case law in relation to the previous Brussels Convention, and the Brussels I Regulation replacing the Convention, to conclude that an action for injunction within the terms of Directive 2009/22/EC (on the protection of consumers’ interests) falls within the meaning of a non-contractual obligation for the purposes of Rome II.  Article 6 of the Rome II Regulation deals with unfair competition.  In that circumstance, the law applicable is that ‘of the country where competitive relations or the collective interests of consumers are, or are likely to be, affected’.  The Court followed the Advocate General (Opinion, para 73) to hold that Article 6(1) covers the use of unfair terms inserted in standard terms and conditions, as ‘this is likely to affect the collective interests of consumers as a group and hence to influence the conditions of competition on the market’ (para 42). Here the relevant country is that where the consumers to whom the undertaking directs its activities reside and who are protected by the relevant consumer protection body (para 43).

Article 4(3) of the Rome II Regulation states that the law of another country applies if it is clear that the tort is manifestly more closely connected with it.  The ECJ approved the approach of the Advocate General (para 77) where he advised that Article 4(3) is not well suited to unfair competition. Article 6 is aimed at protecting collective interests and cannot be displaced by individual agreement (para 45).  Allowing the term of a contract to constitute ‘closer connection’ for the purposes of Article 4(3) would mean that such parties would be able to avoid the conditions for ‘freedom of choice’ set down in Article 14 Rome II.

The question of which law applies to the assessment of the unfairness of the contractual terms, however, falls under Rome I, whether or not it applies to a collective or individual action.

The Court then considered the Unfair Contract Terms Directive (Directive 93/13). That Directive contains the principle that a contractual term which has not been individually negotiated – that is, drafted in advance by the seller/supplier – must be regarded as unfair if it causes a significant imbalance to the detriment of the consumer. The Court agreed with the Advocate General (Opinion para 84) that the terms in issue here fell within that definition (para 63). The question of unfairness is to be determined on the facts by the national court within the scope of criteria determined by the Court of Justice. Since choice of law clauses are in principle permissible, such clauses are only unfair if their wording or context creates an imbalance – so if the clause is not drafted in intelligible language or if it seeks to deprive consumers of protections from which it would not be possible to derogate.  Here, this means that in relation to an Austrian consumer, the national court will ‘have to apply those Austrian statutory provisions which, under Austrian law, cannot be derogated from by agreement’ (para 70).

The Court then turned to Article 4 of the Data Protection Directive. Under Article 4, each Member State regulates processing carried out in the context of activities of an establishment in that Member State. Essentially the question is whether Amazon was established in Austria. The Court referred to its recent Weltimmo judgment, discussed here, which ruled that an undertaking does not need to have a branch or establishment.  Rather, it is a question of the stability of the arrangement and the effective exercise of activities (para 77) that is important.  Further, Article 4 does not require that the processing is carried out by the undertaking itself; the test is whether processing is carried out in the context of its activities (para 78).  This is a question of fact for the national court.

Comment

In terms of the importance of this judgment, we should note that the facts in issue are not uncommon – many on-line businesses have headquarters in one Member State but conclude contracts across multiple Member States. 

As regards the questions relating to applicable laws generally, we are now in a situation where national courts may have to assess questions pertaining to injunctions according to a different law from that relating to the contract itself.  This is not surprising, given case law in other fields, but it is the first confirmation of this point in the e-commerce context.  As an aside, it is also the first judgment on the Directive on injunctions for the protection of consumers’ interests.  It is worth noting that the Court seemed critical of attempts to bypass the protection in Article 6 of Rome II through the notion of ‘manifestly closer connection’ in Article 4(3).  It also specifically excluded the choice of law clause in the agreement as a determining factor in this regard too.

Perhaps the most interesting aspect is, however, the data protection aspect.  The Court did not go into much detail (perhaps signalling behind the scenes disagreement) and there are some curious silences as to some points touched upon by the Advocate General.  The Advocate General had in fact suggested that Article 4 had a ‘dual role’ (Opinion para 110).  So while Weltimmo might apply to determine applicable law, the broad approach to ‘establishment’ found in Google Spain to determine the outer territorial limit of the Data Protection Directive did not apply to the intra-EU setting.  The driver for the decision in Google Spain was a desire to ensure that the Data Protection Directive applied at all; it was therefore relevant to external processors (Opinion, para 124).  In this case, if the Austrian laws did not apply then the laws of one of the other Member States would, and so the extensive approach would not be necessary.  This distinction was an innovation on the part of the Advocate General; it was certainly not visible in Weltimmo, in which the Court relied on its reasoning in Google Spain, nor was it apparent from Google Spain itself.  Further, the Advocate General seemed to be more stringent about finding ‘establishment’ than the Court in Weltimmo.  For example, the fact that Amazon may provide an after-sales service in Austria was on its own insufficient in his view (Opinion, paras 121 and 125); he likewise regarded the mere accessibility of a website as insufficient for this purpose (Opinion, paras 117 and 120). 

Against this background, the silence of the ECJ on the internal/external point is striking, especially given the repeated references to the Opinion through the rest of its judgment.  So is its silence on the subject of Google Spain. The Court’s reasoning is grounded only on Weltimmo.  On the one hand, we could argue that the Court has not agreed with the distinction put forward by the Advocate General, but by not applying Google Spain directly here, it has not ruled it out either. Note that the Article 29 Working Party (the advisory body set up by the Data Protection Directive) had applied the extensive interpretation from Google Spain in its updated Opinion 8/2010. The Court here also gave no further guidance on the topic of establishment, taking convenient refuge no doubt in the point that its role is to interpret EU law and not to assess facts.


Photo credit: www.creativeintent.co.uk 

Wednesday, 16 March 2016

Data retention and national law: whatever the CJEU rules, data retention may still survive!




Matthew White, Ph.D candidate, Sheffield Hallam University


Should governments be able to retain data on everyone’s use of the Internet and their phones – because it might arguably aid the fight against terrorism and serious crime? This ‘data retention’ issue raises fundamental questions about the balance between privacy and security, at both national and EU level. Initially, in the electronic privacy (e-Privacy) Directive, EU legislation set out an option for Member States to adopt data retention rules, as a derogation from the normal rule of confidentiality of communications in that Directive. Subsequently, in 2006, at the urging of the UK government in particular, the EU went a step further. It adopted the Data Retention Directive (DRD), which required telecom and Internet access providers to keep data on all use of the Internet and phones in case law enforcement authorities requested it.

However, on 8 April 2014, the Court of Justice of the European Union (CJEU) ruled that the latter Directive went too far. In its Digital Rights Ireland judgment (discussed here), that Court said that the EU’s Data Retention Directive (DRD) was invalid in light of a lack of compliance with the rights to privacy and data protection set out in Articles 7 and 8 of the EU Charter of Fundamental Rights (CFR) (paras 69 and 73). This left open an important question: what happens to national data retention laws? Can they also be challenged for breach of the EU Charter rights, on the grounds that they are linked to EU law (the derogation in the e-Privacy Directive)? If so, do the standards in the Digital Rights Ireland judgment apply by analogy?

Instead of addressing this matter urgently, the United Kingdom government sat on its hands for a while and then unprecedentedly rushed through the Data Retention and Investigatory Powers Act 2014 (DRIPA 2014). DRIPA 2014 was intended to be a reaction to the Digital Rights Ireland ruling, giving the UK as a matter of national law the power to retain data that had been struck down by the CJEU as a matter of EU law.

In 2015, Tom Watson (now the deputy leader of the UK Labour Party), David Davis (a Conservative party backbencher) and others challenged s.1 of DRIPA 2014, arguing that the powers to obligate data retention on public telecommunication operators set out in that section of DRIPA did not sufficiently reflect what the CJEU ruled in Digital Rights Ireland. Although that CJEU ruling only applied to EU legislation, they argued that it also applied by analogy to national legislation on data retention, since such legislation fell within the scope of the option to retain communications data set out in the derogation in the e-Privacy Directive, and so was linked to EU law (and therefore covered by the Charter). Even though the e-Privacy Directive only relates to publicly available electronic communications services (Article 3(1)), it is submitted that any extension of the definition of public telecommunications operator would fall within the Data Protection Directive, and thus the CFR would still apply. The High Court (HC) ruled in the claimants’ favour in Davis, where an order was made for s.1 of DRIPA to be disapplied by 31 March 2016, insofar as it is incompatible with Digital Rights Ireland (para 122). This was in the hope that it would give Parliament sufficient time to come up with a CFR-compliant data retention law (para 121).


The government appealed to the Court of Appeal (CoA) which took a radically different approach maintaining that ‘the CJEU in Digital Rights Ireland was not laying down definitive mandatory requirements in relation to retained communications data’ (para 106). But for the sake of caution, the CoA made a preliminary reference to the CJEU asking:

(1) Did the CJEU in Digital Rights Ireland intend to lay down mandatory requirements of EU law with which the national legislation of Member States must comply?

(2) Did the CJEU in Digital Rights Ireland intend to expand the effect of Articles 7 and/or 8, EU Charter beyond the effect of Article 8 ECHR as established in the jurisprudence of the ECtHR?  

The CoA was not the only national court to make a preliminary reference to the CJEU on matters regarding data retention and the reach of Digital Rights Ireland. On the 4th May 2015, the Force was with Kammarrätten i Stockholm when it asked the CJEU:

Is a general obligation to retain traffic data covering all persons, all means of electronic communication and all traffic data without any distinctions, limitations or exceptions for the purpose of combating crime (as described [below under points 1-6]) compatible with Article 15(1) of Directive 2002/58/EC [the electronic privacy Directive], taking account of Articles 7, 8 and 15(1) of the Charter?

If the answer to question 1 is in the negative, may the retention nevertheless be permitted where:

access by the national authorities to the retained data is determined as [described below under paragraphs 7-24], and

security requirements are regulated as [described below under paragraphs 26-31],

and all relevant data are to be retained for six months, calculated as from the day the communication is ended, and subsequently deleted as [described below under paragraphs 25]?

The way in which the first question in Davis and Watson is asked doesn’t specify whether the general obligation applies to every service provider under the state’s jurisdiction, or to specific service providers retaining what they individually process. The assumption is the former, as ‘all means of electronic communication and all traffic data without any distinctions’ implies a catch-all covering the relevant services. The Home Secretary (and indeed the government) may argue that, if the CJEU rules in the negative (note that Article 15(1) of the e-Privacy Directive only applies to publicly available electronic communications services, so the justification for retaining data from other services would have to be found in the Data Protection Directive (DPD)), this would mostly have affected cl.78 of the Investigatory Powers Bill (IPB) (currently before Parliament) had the power in cl.1 of the draft Communications Data Bill (dCDB) been replicated there, i.e. a power for the Secretary of State to issue retention notices on any number of telecommunications operators requiring them to retain any or all data for 12 months. The dCDB was a legislative measure introduced in 2012 to allow public authorities to keep up to date with the sophistication of e-Crime. Clause 1 maintained that:

1 Power to ensure or facilitate availability of data
(1) The Secretary of State may by order—
(a) ensure that communications data is available to be obtained from telecommunications operators by relevant public authorities in accordance with Part 2, or
(b) otherwise facilitate the availability of communications data to be so obtained from telecommunications operators.
(2) An order under this section may, in particular—
(a) provide for—
(i) the obtaining (whether by collection, generation or otherwise) by telecommunications operators of communications data,
(ii) the processing, retention or destruction by such operators of data so obtained or other data held by such operators.

This measure was, however, abandoned because the Liberal Democrats (in the then Coalition Government) did not approve of the far-reaching nature of the proposal. As regards cl.1, it clearly was a general power, as no distinction was made as to whom the obligation to retain might fall upon, and thus it is submitted that this power is analogous to the power which is the subject of the question being asked of the CJEU. Clause 78(1) of the IPB, on the other hand, makes the distinction that a data retention notice may require a telecommunications operator to retain relevant communications data. There are, though, two possible conflicts. The first, on the assumption that the CJEU rules in the negative (to the first question), is cl.78(2)(a) and (b), which give the Secretary of State the discretion to issue retention notices on any description of operators to retain all or any description of data. Because this could affect all telecommunications operators, it could be classed as a general obligation. 

Secondly, retention ‘without distinction’ or ‘exceptions’ may be important when it comes to traffic data pertaining to journalists, politicians, and the medical and legal professions. But because the reference doesn’t mention specific service providers, it cannot be said with certainty how much this would affect cl.78(1), which doesn’t make distinctions or exceptions.

When it comes to limitations on data retention, there is at least one, which was first noted in s.1(5) of DRIPA 2014 which allowed for a 12 month maximum period of retention. This is replicated in cl.78(3) and takes on board the recommendation of the Advocate General’s opinion (AG) in Digital Rights Ireland (para 149).

The President of the CJEU felt it was desirable to combine both preliminary references. The questions of access raised by both the Swedish and UK courts do not directly affect the cl.78 issuing of retention notices (insofar as it at least doesn’t involve every telecommunications operator), nor does answering whether Articles 7 and 8 were intended to extend beyond Article 8 ECHR jurisprudence. The security arrangements are dealt with by cl.81 (whether they are adequate is a different matter) and thus are not relevant to the issuing of retention notices.

This, however, proceeds on the assumption that the CJEU will rule in the negative to the Swedish preliminary reference regarding retention being lawful for the purposes of access, because if it does not, cl.78(2)(a) and (b) would not be affected at all. Moreover, the HC in Davis felt that the CJEU believed that data retention genuinely satisfied an objective of general interest (para 44) and that it must be understood to have held that a general retention regime is unlawful unless it is accompanied by an access regime which has sufficiently stringent safeguards to protect citizens' rights set out in Articles 7 and 8 of the CFR (para 70). The CoA was silent on this matter, and therefore, for the time being, it is understood that if the CJEU rules in the positive, cl.78 would not be affected as a matter of EU law.

On the matter of whether the HC or the CoA interpreted Digital Rights Ireland correctly, it is important to highlight one of the justifications for the CoA's conclusions. In relation to mandatory requirements, it maintained that the AG, at least, was not looking for the Directive to provide detailed regulation (para 77). Yet the CoA failed to mention his conclusions, where it was stated that the DRD was invalid as a result of the absence of sufficient regulation of the guarantees governing access to the data collected/retained (access should have been limited, if not solely to judicial authorities, then at least to independent authorities, or, failing that, any request for access should have been made subject to review by judicial or independent authorities, and a case-by-case examination of requests for access should have been required in order to limit the data provided to what is strictly necessary (para 127)), and that the DRD should be suspended until the EU legislature adopts the measures necessary to remedy the invalidity, such measures to be adopted within a reasonable period (paras 157-158). So at least in this regard the AG actually supports the stance of the HC (even though no reference was made to this point), and this may therefore have implications for the IPB (which does not require judicial or independent authorisation/review) in relation to access to communications data, without a word from the CJEU.


Many thanks to Steve Peers for helpful comments on an earlier draft.

Photo credit: gizmondo.com.au