
Thursday, 19 January 2017

When is Facebook liable for illegal content under the E-commerce Directive? CG v. Facebook in the Northern Ireland courts



Lorna Woods, Professor of Internet Law, University of Essex

Introduction

The ubiquity of social media platforms and their significance in disseminating information (true or false) to potentially wide groups of people was highly unlikely to have been in the minds of the European legislators when they agreed, in 2000, the e-Commerce Directive (Directive 2000/31/EC) (ECD). Facebook itself was launched only in 2004. Despite the changing times and technological capabilities, the Commission has decided not to revise the ECD, specifically its safe harbour provisions for intermediaries, in its current single digital market programme.  Although the ECD seems set to remain unchanged, the application of the safe harbour provisions raises many difficult questions which have not yet been fully answered at EU level by the Court of Justice. CG v. Facebook ([2016] NICA 54), a decision of the Northern Irish Court of Appeal, illustrates some of these difficulties and certainly raises questions about the proper interpretation of the ECD and its relationship with the Data Protection Directive.

Intermediary Immunity - Legal Framework

The ECD provides immunity from liability for certain ‘information society service providers’ (ISS providers) on certain conditions.  To gain immunity, the ISS provider must

- be an ISS provider within the terms of the ECD; and
- one of the following applies:
  - the provider is a ‘mere conduit’ (Art. 12 ECD);
  - the provider provides caching services (Art. 13 ECD); or
  - the provider provides hosting services (Art. 14 ECD).

Each one of these three categories provides for a different level of immunity, which seems connected with the level of knowledge the ISS provider is assumed to have of the problematic content. Here Article 14, which deals with hosting, is the relevant provision. It provides:

1. Where an information society service is provided that consists of the storage of information provided by a recipient of the service, Member States shall ensure that the service provider is not liable for the information stored at the request of a recipient of the service, on condition that:
(a) the provider does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or
(b) the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information.
2. Paragraph 1 shall not apply when the recipient of the service is acting under the authority or the control of the provider.
3. This Article shall not affect the possibility for a court or administrative authority, in accordance with Member States' legal systems, of requiring the service provider to terminate or prevent an infringement, nor does it affect the possibility for Member States of establishing procedures governing the removal or disabling of access to information.

The recitals to the ECD give more detail as to the scope of services protected by Article 14 and there is a certain amount of case law on this point, notably Google Adwords (Case C-236/08) and the Grand Chamber decision in L’Oreal v. eBay (Case C-324/09). Recital 42 has been pointed to by the Court in these cases as relevant for understanding the sorts of activities protected by the immunity. Recital 42 refers to services of a

mere technical, automatic and passive nature, which implies that the information society service provider has neither knowledge of nor control over the information which is transmitted or stored.

The ECJ in Google Adwords referred to this as being ‘neutral’ (para 113-4). The Grand Chamber in its subsequent L’Oreal decision suggested that advice in optimising presentation would mean a provider was no longer neutral (para 114).

The provision protects relevant ISS providers from liability in relation to illegal content, provided they have no knowledge (actual or constructive) of the illegal activity or information, and that if they have such knowledge, they have acted expeditiously to remove it. In L'Oreal v eBay the Court of Justice provided a standard or test by which one can measure whether or not a website operator could be said to have acquired an 'awareness' of an illegal activity or illegal information in connection with its services, that is whether "a diligent economic operator would have identified the illegality and acted expeditiously". The CJEU also held that an awareness of illegal activities or information may become apparent as the result of an investigation by the operator itself or where the operator receives notification of such activity. Article 14 does not protect ISS providers from injunctions, or the costs associated with any such injunctions (see Recital 45).

Additionally, Article 15 specifies that, for those falling within Articles 12-14, Member States cannot impose a ‘general obligation’ to monitor content to determine whether content is illegal. There has been a considerable amount of dispute as to the relationship between this provision and the scope of immunity, especially given the requirements in L’Oreal.  Recital 40 notes that ‘service providers have a duty to act, under certain circumstances, with a view to preventing or stopping illegal activities’ and that the immunity provisions ‘should not preclude the development and effective operation, by the different interested parties, of technical systems of protection and identification and of technical surveillance instruments made possible by digital technology’. The Recitals also state:

(47) Member States are prevented from imposing a monitoring obligation on service providers only with respect to obligations of a general nature; this does not concern monitoring obligations in a specific case and, in particular, does not affect orders by national authorities in accordance with national legislation.

(48) This Directive does not affect the possibility for Member States of requiring service providers, who host information provided by recipients of their service, to apply duties of care, which can reasonably be expected from them and which are specified by national law, in order to detect and prevent certain types of illegal activities.

The distinction between general monitoring and specific monitoring has yet to be fully elaborated, and is an issue much discussed in the context of intellectual property enforcement, especially as regards keeping pirated copies of materials down after they have been taken down in the first place.

Facts of CG

McCloskey opened a Facebook page in August 2012 entitled ‘Keeping Our Kids Safe from Predators’ in which he published details of individuals who had criminal convictions relating to sexual offences involving children.  This page was not subject to any privacy settings.  One individual who was so named brought action against Facebook and an interim injunction was issued requiring Facebook to remove the page and related comments, on the basis that the comments responding to the posting were threatening, intimidatory, inflammatory, provocative, reckless and irresponsible. This was the XY litigation. Immediately after the page was removed, McCloskey set up a new page, Predators 2. CG was identified on this page on 22 April 2013; his photograph was published and there were discussions about where he lived. Comments included abusive language, violent language – including support for those who would commit violence against CG and for the exclusion of CG from the community in which he lived.  The disclosure of CG’s residence was contrary to the position taken by the Public Protection Arrangements in Northern Ireland (PPANI), which took the view that such disclosure interferes with the rehabilitation process.

On 26th April 2013, CG’s solicitors wrote to Facebook and its solicitors in Northern Ireland, claiming the material was defamatory and that CG’s life was at risk. A hard copy of the Predators 2 page was enclosed. Facebook’s response was that CG should use the online reporting tool, but CG expressed a desire not to have to engage with Facebook. By 22 May 2013 Facebook removed all postings on Predators 2, but on 28 May, CG issued proceedings. Subsequently, CG’s solicitors wrote to Facebook complaining that the photograph had been shared 1622 times and that other Facebook users had included comments threatening violence. They identified the main URL, but not all such instances, which Facebook then requested. This information was provided on 3rd and 4th December and removed on 4th or 5th December. A further reposting of the photograph by RS occurred on 23 December, stating that this was what a “pedo” looked like. A letter of claim was sent to Facebook on 8th January 2014, identifying the relevant URLs, and the page was taken down on 22 January 2014. While CG accepted that the defamation claim was without merit, it was accepted that he was extremely concerned about potential violence as well as the effect on his family.

Judgment at First Instance

The trial judge had to deal with claims against McCloskey, as well as claims against Facebook. The trial judge, having reviewed the evidence, concluded that McCloskey’s conduct constituted harassment of CG. The case against Facebook was based on the tort of misuse of private information. To find that there had been such misuse, there had to be a reasonable expectation of privacy in relation to the relevant information, which should take into account all the circumstances (relying on JR38 [2015] UKSC 42 and Murray v. Express Newspapers [2008] EWCA Civ 446). The judge also accepted the submission that the Data Protection Act, and specifically the category of ‘sensitive data’, provided a useful touchstone as to what information could be seen as private (see Green Corns Ltd v. Claverly Group Limited [2005] EWHC 958). The judge concluded that the use of a photograph or name in conjunction with information which could identify where CG lived and any information about his family members were private information. The judge considered that Facebook was put on notice of the problematic nature of the material by the XY litigation (which mentioned the Predators 2 page) and that simple searches would reveal the page, as it had an almost identical name with identical purposes. The trial judge concluded that it was apparent on the face of the posts that consideration of the lawfulness of the posts was needed. As regards the Electronic Commerce (EC Directive) Regulations 2002, which implement the ECD in the UK, the judge rejected the contention that there was an obligation to give Facebook notice in a particular form. So, neither the ECD nor the 2002 Regulations protected Facebook from the claim of misuse of private information.

A further claim under the Data Protection Act was added late in the day. The judge concluded that – in the absence of relevant discovery – CG had not established this proposition. Facebook appealed. CG also appealed as regards the data protection point, but did not pursue this point.

Court of Appeal Judgment

The Court noted that there was agreement that McCloskey’s behaviour was unreasonable conduct sufficient to give rise to criminal liability (R v Curtis [2010] EWCA 123), and that the 2002 Regulations do not cover injunctions. The Court agreed that this was an appropriate case in which to make an order taking down the material to protect CG from continued intimidation [para 40]. The Court noted that the tort of misuse of private information and harassment, while complementary, are not the same and that a finding of harassment did not automatically mean that there had been a misuse of private information.

As regards the tort, the Court noted that there was no dispute between the parties that this case was about an intrusion, but that the tort would come into play only if there was a reasonable expectation of privacy in the information, which is a fact sensitive determination.  The Court of Appeal noted the public interest in knowing about criminal convictions; it also disagreed with the trial court judge about the reading across of the categories of sensitive information in the DPA. It held:

‘The fact that the information is regulated for that purpose does not necessarily make it private’ [para 45].

Reviewing the material, the Court held that the context of harassment was determinative to the finding that CG had a reasonable expectation of privacy in the material [para 49]. By contrast, RS was protected by principles of open justice which allow citizens ‘to communicate the decisions of the criminal justice systems to others’ and therefore CG did not have a reasonable expectation of privacy in relation to that posting [para 51].

The Court then considered whether Facebook could rely on the safe harbour provisions of the ECD and the 2002 Regulations. It held that the 2002 Regulations need to be understood in the light of Art 15 ECD even though it is not formally implemented in the UK. According to the Court, Article 15 ‘clearly’ applied to Facebook [para 52]. While not expressly stated, the Court’s approach is based on the assumption that Article 14 (safe harbour provisions for those providing hosting services) and Regulation 19 of the 2002 Regulations, which implement it, also apply.

The Court then considered the issue of notice. Facebook argued that CG had not given proper notice, on the basis that CG had not used Facebook’s online submission process. The Court of Appeal agreed with the trial court’s dismissal of this argument, stating, ‘[a]ctual knowledge is sufficient however acquired’ [para 58]. Facebook challenged the approach taken at first instance, that Facebook had the resources to find the material and assess it [High Court, para 61].  It was also argued that the way the High Court approached the question of constructive knowledge also implied a monitoring obligation. The trial judge referred to the XY litigation; that litigation plus the letters of CG’s solicitors; and the litigation together with some elementary investigation of the profile. The Court of Appeal agreed with these concerns.  It stated the question as being:

Whether Facebook had actual knowledge of the misuse of private information … or knowledge of facts and circumstances which made it apparent that the publication of the information was private

before commenting that

[t]he task would, of course, have been different if there had been a viable claim in harassment made against Facebook [para 62].

It did not elaborate the basis or extent of the difference.

The Court concluded that the XY litigation did not fix Facebook with sufficient notice; that it only could do so if Facebook was subject to a monitoring obligation. In any event, knowledge of a propensity to harass did not fix Facebook with notice about the private information. As regards the correspondence, the Court held that this too was insufficient to fix Facebook with notice. While it referred to the problematic content, it did not refer to misuse of privacy. ‘The correspondence did not, therefore, provide actual notice of the basis of claim which is now advanced’ [para 64]. The Court also considered that there was nothing in the letters to indicate that the information was private. So, while ‘the omission of the correct form of legal characterisation of the claim ought not to be determinative of the knowledge and facts and circumstances which fix social networking sites such as Facebook with liability’, it is necessary to identify ‘a substantive complaint in respect of which the relevant unlawful activity is apparent’. 

Here, since there was no indication in the letter of claim that the address was the issue, the Court did not ‘consider that the correspondence raised any question of privacy in respect of the material published’. [para 69] By contrast, in the letter of 26th November, CG referred to the general identification of where CG was living and the threat from paramilitaries. This was sufficient to establish knowledge of facts and circumstances in relation to that particular post. Referring to the Court of Justice in L’Oreal, the Court noted that Facebook is obliged to act as a diligent economic operator. This point was not argued; Facebook was found to be liable in respect of that post for the period 26th November-4/5 December.

The burden of proof is in the first instance on the claimant to show knowledge; thereafter the ISS must prove it did not.

As regards the DPA, it was agreed that Predators contained personal data and sensitive personal data; the issue was whether Facebook Ireland could be seen as subject to the UK DPA. The ECJ rulings in Google Spain (Case C-131/12) and Weltimmo (Case C-230/14) were argued before the Court. The Court did not accept the submission that Google Spain was limited to its particular facts, and shared the concern that the protection offered by the Data Protection Directive would be undermined if it excluded data controllers established outside the EU. The Court here noted that Weltimmo in fact built on the approach in Google Spain. It concluded that Facebook is a data controller established in the UK for the purposes of the DPA. Although the Court accepted that the ECD does not cover data protection, and this is reflected in Regulation 3 of the 2002 Regulations, the Court held at para 95:

‘The starting point has to be the matter covered by the e-Commerce Directive which is the exemption for information society services from the liability to pay damages in certain circumstances … We do not consider that this is a question relating to information society services covered by the earlier Data Protection Directive and accordingly do not accept that the scope of the exemption from damages is affected by those Directives.’

Comment

This case is one of a number coming through the Northern Irish court system regarding different types of problematic content and the responsibility of social media platforms to take action against such content. Shortly before this case was handed down, the High Court handed down its decision in J20 v Facebook Ireland Ltd ([2016] NIQB 98). Other cases are working their way through the system: AY v Facebook (Ireland) Ltd ([2016] NIQB 76), concerning naked images of a school girl on a ‘shame page’; MM v BC, RS and Facebook ([2016] NIQB 60), concerning revenge porn; and Galloway v Frazer and Google t/a YouTube ([2016] NIQB 7) concerning defamatory and harassing videos. While this case is based in the particular cultural and legal context of Northern Ireland, and raises questions on the meaning of private information, it also leads to questions about the interpretation of EU laws, notably the ECD and DPD.

The first point to note is that the Court does not directly address the question of the applicability of Articles 14 and 15 ECD, beyond stating that Article 15 clearly applies. Article 15 is dependent on the ISS provider providing services that fall within one of Articles 12, 13 or 14 ECD, with Article 14 being relevant here. So the question is whether Article 14 ECD (and consequently Regulation 19 of the 2002 Regulations) applies here. While the text of Article 14 ECD refers to ‘the storage of information provided by a recipient of the service’, the case law makes it clear that not any storage will do. Rather, the service provider must be neutral as regards the content, technical and passive. In this regard, the services Facebook provides regarding information of interest to Facebook users (the News Feed algorithm and content recommendation algorithm, as well as Ad Match services) may mean that the question of neutrality and passivity here is at least worthy of investigation, in that Facebook may promote certain content (in the terms of L’Oreal, para 114). Of course in Netlog (Case C-360/10), the Court of Justice held that a social media platform could benefit from Article 14, but this does not mean that all will – much will depend on the facts (see eg Commission 2012 Working Paper on trust in the digital single market (SEC(2011) 1641 final, accompanying COM(2011) 942 final)).

Assuming Article 14 (and its UK equivalent, Regulation 19) applies, the next question is whether Facebook was on notice.  The ECD is silent on the nature of any formalities, leaving it to Member States and industry (via self-regulation per Recital 40) to fill in the detail.  In its 2012 Working Paper, the Commission acknowledged that there were diverging views as to what notice required, ranging from those who argued that nothing less than a court order should be accepted (seemingly thereby focussing on just actual knowledge) through to those who suggested that general awareness of the use of the site for illegal content was sufficient (which covers constructive knowledge) (p. 33-34). It seems there are three main issues here:

- Whether notice has to be given in any particular format;
- Whether notice has to identify the illegality or whether identifying the problematic content will do; and
- The relationship between constructive notice and Article 15, also bearing in mind the obligations of the diligent economic operator.

Facebook argued of course that a person complaining about content should use the tools provided by Facebook and provide rather precise information. The Court, rightly, held that to require a particular format to be used would run counter to the aim (particularly with reference to the 2002 Regulations) of facilitating the ability of users to make complaints. The position of the Court with regard to the need to provide URLs is less clear. The need to provide specific URLs makes it difficult for claimants, especially those who seek orders for content to be taken down and to stay down (seen particularly in the field of intellectual property enforcement, for example even in L’Oreal). In this case, where the Court found Facebook liable, CG had provided specific URLs, but the Court is silent on whether the lack of specific URLs was a determinative factor in the other instances. It is submitted that, provided sufficient identifying information about the content is provided, precise URLs should not be required, especially for a diligent economic operator (discussed below).

The Court focussed on the question of whether CG sufficiently identified the reason why the content is illegal. In this, the Court observes that the omission of the correct legal characterisation is not determinative; to have held to the contrary would undermine the ability of claimants without lawyers to have material taken down. The Court moves on to suggest that the relevant unlawful activity has to be apparent. It does not consider to whom such unlawfulness must be apparent, or indeed the prior question of whether the ECD requires just notification of content or activity perceived as illegal by the complainant, rather than a justification of why the complainant thinks that. While on the facts of this case there are concerns that CG referred to causes of action that were clearly wrong (e.g. defamation), it is arguable that the Court’s position needs further refinement. Certainly the Court’s approach on this aspect seems generous to Facebook in terms of what it needs to be told.

In this regard a number of comments can be made. While an operator would need to make an assessment about the legitimacy of a take down request, that is a separate issue from the fact of being notified that someone thinks some content is problematic. Further, there may be a world of difference between what a man on the street might so recognise and that which the diligent economic operator should recognise, and the detail required for that. Indeed, in L’Oreal, the ECJ held:

although such a notification admittedly cannot automatically preclude the exemption from liability provided for in Article 14 of Directive 2000/31, given that notifications of allegedly illegal activities or information may turn out to be insufficiently precise or inadequately substantiated, the fact remains that such notification represents, as a general rule, a factor of which the national court must take account when determining, in the light of the information so transmitted to the operator, whether the latter was actually aware of facts or circumstances on the basis of which a diligent economic operator should have identified the illegality (para 121-2).

This suggests that a diligent economic operator may not just rely on what a complainant said, but may have to take steps to fill in the blanks.  As the Commission reported in 2012, it has been suggested by some that the degree to which it is obvious that the activity or information is illegal should play a role in this assessment.  Some content is more obviously problematic than others. This position is not incompatible with the approach of the Court here: the problem for CG is that an address is not usually that problematic in privacy terms, it was the context (not apparent on the face of it) that made it so [para 69].  This distinction may have relevance for the AY litigation, if not the revenge porn case – depending on the nature of the images.

The final point of concern relates to general monitoring. The rejection by the Court of the possibility of becoming aware of a particular type of content (as from the XY litigation) and being on notice as a consequence deserves further examination. This depends on what is meant by ‘general monitoring’ as opposed to a ‘specific’ monitoring obligation, accepted by recital 47 ECD, and recognised by the Commission in its 2012 Working Paper (p. 26). It is unfortunate that the Court did not give this more attention. While case law has made clear that filtering of all content, for example, constitutes general monitoring (SABAM v Scarlet (Case C-70/10)), it has been argued – principally in the context of IP enforcement – that searching for a particular instance of content (re-occurring) is not. Such a broad view of general monitoring as the Court here adopted also seems to decrease the space in which the diligent economic operator acts, raising questions about the meaning of L’Oreal. Note also that the Commission in its recent review noted ‘there are important areas such as incitement to terrorism, child sexual abuse and hate speech on which all types of online platforms must be encouraged to take more effective voluntary action to curtail exposure to illegal or harmful content’ (COM/2016/0288 final). This suggests that the Commission may expect such platforms to be proactive and not merely reactive.

Perhaps the most significant point, and one on which a reference should perhaps have been made, is the relationship between the ECD and DPD, a point not yet dealt with in English law (see Mosley v Google [2015] EWHC 59 (QB)). The Court accepted fairly readily that Facebook (Ireland) falls under the UK DPA, but then insists that, despite the fact that data protection is excluded from the field of application of the ECD, Facebook pages and comments fell within the “matter covered by the e-Commerce Directive” which provide a “tailored solution for the liability of [ISS providers] in the particular circumstances” set out in the ECD. It did not explain why, beyond asserting that the ECD safe harbour provisions do ‘not interfere with any of the principles in relation to the processing of personal data, the protection individuals ... or the free movement of data’ [para 95]. In this assessment, the Court overlooked the fact that under the DPD a remedy must be provided to individuals, so as to make effective their rights, and that the protection awarded to data subjects should not vary depending on the mechanism used for that processing. Furthermore, Recital 14 to the ECD elaborates that

The protection of individuals with regard to the processing of personal data is solely governed by Directive 95/46/EC … the implementation and application of this Directive should be made in full compliance with the principles relating to the protection of personal data.

Whilst a Member State was free to provide more far-reaching protection to intermediaries, this freedom reaches its limit when it conflicts with another harmonised area of EU law, such as data protection. The Court’s position on this point, and especially its reasoning, in the light of the terms of both directives, is not convincing.

In sum, the outcome – liability for Facebook on one aspect of the content posted – sounds on the face of it a narrowing of immunity.  The reality points in a different direction. While there are a number of problematic issues with which the court had to deal, the impact of this judgment lies in the statements of general principle which the Court made. Significantly, these fell into areas ultimately governed by EU law, rather than purely domestic matters.  It is far from certain that those issues are clearly determined at EU level, nor that the Court’s assessment here is free from doubt.


Wednesday, 4 January 2017

IP addresses as personal data - the CJEU's judgment in C-582/14 Breyer



Marcin Kotula, Legal Officer at the European Commission

The views expressed are purely those of the author and may not in any circumstances be regarded as stating an official position of the European Commission

Background

In the Breyer case the CJEU was asked by the German Supreme Court (Bundesgerichtshof) if dynamic IP addresses are personal data within the meaning of the EU Data Protection Directive and to what extent they can be stored and processed to ensure the general operability of websites. Mr Breyer, the applicant in this case, is a German politician and privacy activist. He visited various websites of the German federal institutions. The information about the IP addresses of the visitors (or more precisely of the owners of the devices from which the websites were visited) as well as the information about the name of the accessed web page or file, the terms entered in the search fields, the time of access and the quantity of data transferred is stored in the log files after the visit.

One of the aims of the storage of those data is to prevent cyberattacks and enable prosecution of those who committed them. Mr Breyer did not agree with the storage of his IP address after the consultation of the websites and in the proceedings before the German court he requested the German government to cease this practice. The case eventually went up to the German Supreme Court which decided to seek interpretative guidance from the CJEU.

The questions of the German Supreme Court were specifically focussed on dynamic IP addresses. These are less privacy-invasive than static IP addresses. The difference between them is that the dynamic ones change with every new connection to the internet and the static ones do not. IP addresses are assigned by Internet Service Providers (ISPs) and take the form of a series of digits. In principle, in themselves they do not reveal the identity of a specific natural person but can be combined with other information to identify the owner of a device that connects to the internet. Typically such other information is at the disposal of the ISP. In its Scarlet Extended judgment of 2011 the CJEU clarified that, from the perspective of the ISP, IP addresses are personal data. However, in the Breyer case the scenario was different. The German federal institutions which run the websites only had the IP addresses, and the additional information that is needed to identify the visitors of those websites was held by the ISPs. The CJEU was asked to clarify if the German federal institutions (the data controllers) should treat the IP addresses as personal data even if they are not in possession of this additional information.

The CJEU's analysis

In its judgment of 19 October 2016 the CJEU referred to the definition of personal data in Article 2(a) of the Data Protection Directive 95/46/EC. This definition covers any information that relates to an individual who is identifiable, either directly or indirectly. In consequence, information can be regarded as personal data even if it does not itself identify a specific person.

Further indications on how to assess identifiability are given in Recital 26 of the Directive. This Recital clarifies that when determining if a given person is identifiable one should look at all the means that the data controller or any other person are reasonably likely to use to identify the person. On the basis of those indications the CJEU went on to examine if it is reasonably likely that the IP addresses held by the German federal institutions will be combined with the additional information held by the ISPs. The CJEU followed the line taken on this point in the Opinion of the Advocate General (AG) and stated that the combination would not be reasonably likely if it was prohibited by law or disproportionately difficult in terms of time, cost and manpower. In the German scenario, the ISPs are not allowed to directly transmit such information to website providers. On the other hand, in the event of cyber-attacks the website providers can contact the competent authorities, which can then obtain the additional information from the ISPs. The availability of this legal channel led the CJEU to conclude that, for the German federal institutions, the IP addresses of the visitors of their websites are personal data because these visitors can be identified with the help of the competent authorities and of the ISPs.

The CJEU then examined if the German federal institutions can store and process the IP addresses after the end of the visit of their website to ensure the general operability of the websites. Under the relevant provisions of the German Law on telemedia (Telemediengesetz - TMG) the collection and processing of users' data is allowed only in so far as this is necessary to facilitate and charge for the specific use of the online service. This does not seem to include the purpose of ensuring the general operability of the websites. The CJEU was therefore asked to clarify if the German provisions are compatible with Article 7(f) of the Data Protection Directive. The latter Article authorises the processing of personal data when it is necessary for the legitimate interests of the data controller or of third parties to whom the data are disclosed. This authorisation does not apply if the legitimate interests are overridden by the fundamental rights and freedoms of the person whose data is at stake (the data subject).

Since the maintenance of the operability of the websites and the prevention of cyberattacks might ultimately lead to criminal proceedings against the perpetrators the CJEU contemplated if the processing of IP addresses in such circumstances is not excluded from the Directive altogether. It looked into Article 3(2) first indent of the Directive which excludes the processing of personal data carried out in the context of criminal law activities of the State. It concluded that in the scenario at hand the German federal institutions are not acting as State authorities but rather as individuals.

As far as Article 7(f) is concerned the CJEU referred to its case-law (the ASNEF judgment of 2011). This judgment acknowledges that the legal bases for the processing of personal data that are set out in Article 7 of the Directive are exhaustive and that the Member States cannot add any new principles or impose additional requirements in that regard. Under Article 5 of the Directive the Member States can merely specify the conditions under which the processing is lawful but this needs to remain within the limits of Article 7 and of the objective of the Directive which seeks to strike a balance between the free movement of personal data and the protection of private life.

Against this background, the CJEU found that by excluding the possibility of processing to ensure the general operability of the websites the German provisions go further than just specifying the conditions of lawfulness. For the CJEU, these provisions should enable the balancing of the objective of ensuring the operability of the websites with the fundamental rights and freedoms of the users. Normally this balancing is to be carried out on a case-by-case basis. The German provisions exclude this possibility by categorically prescribing the result of this balancing from the outset. 

Comments

The judgment of the CJEU is generally in line with the previous case-law on the Data Protection Directive which tends to favour a wide interpretation of the main concepts of the Directive, such as the definitions of personal data and of processing. This interpretation is also compatible with the view of the Article 29 Data Protection Working Party which (in its Opinion of 2007) considers IP addresses as personal data with only one exception, i.e. of addresses allocated in cyber cafes or similar places where the users of computers are normally anonymous.

The reply of the CJEU to the second question, i.e. whether the IP addresses can be processed to ensure the general operability of the websites, might, to a certain extent, be open to interpretation. On the one hand, the CJEU acknowledges that the purpose of ensuring the operability of the website is a legitimate aim of the German federal institutions under Article 7(f) of the Data Protection Directive. On the other hand, it recalls that such legitimate aims must be weighed against the fundamental rights and freedoms of the data subjects. Thus, it would seem that the provider of the website might not always be allowed to retain IP addresses without any further considerations. Instead, it might need to weigh the opposing interests when assessing individual situations. The CJEU itself does not spell out the criteria which should be taken into account when carrying out this kind of assessment.

An interesting suggestion was made in the Opinion of the AG. Analysing the wording of Recital 26, which reads that the assessment of the identifiability of a person must look at all the means that might be used not only by the data controller but also by any other person, he comes to the conclusion that the formulation "any other person" should rather be understood as meaning only certain third parties which are accessible to the data controller and which the latter might reasonably approach to obtain the additional information. The CJEU did not address this issue in its judgment. However, by analysing only the option where the German federal institutions turn to the authorities that are competent to prosecute cyberattacks, which then approach the ISPs to obtain the additional information, the Court stayed within the limits of the suggestion put forward by the AG, because these two third parties were either directly or indirectly accessible to the federal institutions. On the other hand, the question of the German court specifically mentioned the ISPs as the source of the additional information and did not ask about other possible scenarios.

Another interesting point was made in the course of the CJEU's analysis of whether the processing of IP addresses can be excluded from the Data Protection Directive as an activity of the State in the area of criminal law. Neither the Court nor the AG saw any room for this exclusion to apply in the case at hand, because the German federal institutions were not acting in their capacity as public authorities when they processed the IP addresses. For the CJEU and the AG they acted as individuals. However, the term "individual" is normally used as a synonym for "natural person". For example, the full titles of EU and international data protection instruments refer to the "protection of individuals with regard to the processing of personal data" (Data Protection Directive 95/46, Regulation 45/2001, Convention No. 108 of the Council of Europe).

This might be important in the context of another exclusion under the Data Protection Directive, namely the exclusion of the processing of personal data by natural persons in the course of a purely personal or household activity. Although it seems counterintuitive for a public authority to invoke an exception that is intended for natural persons it does not seem to be impossible when looking at the case-law of the CJEU on the exclusions. Out of the three CJEU cases which dealt with the latter exclusion, two of them (Rynes, Lindqvist) related to situations where personal data was indeed processed by a natural person, but the Satamedia case involved the processing by a private company.
 
In Satamedia, the CJEU on the one hand concluded that Satamedia and Markkinapörssi were private companies and therefore could not rely on the exception for the State activities in criminal law. On the other hand, it then analysed if their processing could not be excluded as a purely personal or household activity and rejected this option because the companies in question were making the collected data accessible to an unrestricted number of people. Given the CJEU's and the AG's firm assertion in the Breyer case that the German federal institutions were processing IP addresses as individuals, and the fact that the CJEU did not rule out this option in the case of private companies, it seems possible to envisage a public authority invoking the private and household exclusion. In any event, the substantive conditions attached to the personal and household exception are rather strict. In all of the three previous CJEU cases mentioned above this exclusion was rejected because the data in question was published on the internet, made accessible to an unrestricted number of people or was outside the private setting of the person who collected it (video surveillance of public spaces).

Finally, the scenario in the Breyer case seems to be very similar to pseudonymisation of personal data, i.e. a concept introduced in the new General Data Protection Regulation (GDPR, which will apply from 25 May 2018) and defined therein as  "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person". Under the GDPR pseudonymous data are nevertheless treated as data relating to an identifiable person and hence personal data but pseudonymisation is taken into account in the application of some of its provisions.
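The following is an added example, not code from the post or from any of the parties or courts it discusses. It takes the kind of web-server log lines described at the start of the post (client IP address, time of access, requested resource, response status, bytes transferred) and applies the GDPR definition just quoted: the IP address is replaced by a keyed token, so that a record can no longer be attributed to a device without "additional information" (the key) that is held separately from the log store, while per-client statistics needed for operability and abuse detection still work. The log lines, the IP addresses (taken from the documentation ranges) and the key are all constructed; the choice of a keyed HMAC rather than a plain hash is the example's own design decision, not anything the judgment prescribes.

```python
"""Keyed pseudonymisation of client IP addresses in web-server log files.

Added example (not from the post or the judgment). After processing, a log
line can no longer be tied to a device without additional information (here,
a secret key) that is kept separately. Log lines, addresses and the key are
all constructed.
"""
import hashlib
import hmac
import re
from collections import Counter

# Combined-log-format lines as a website operator might retain them.
# Constructed sample; the addresses come from the documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Oct/2016:10:00:01 +0200] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [19/Oct/2016:10:00:02 +0200] "GET /search?q=breyer HTTP/1.1" 200 2048
203.0.113.5 - - [19/Oct/2016:10:00:03 +0200] "GET /admin HTTP/1.1" 403 512
203.0.113.5 - - [19/Oct/2016:10:00:04 +0200] "GET /wp-login.php HTTP/1.1" 404 256
198.51.100.7 - - [19/Oct/2016:10:00:05 +0200] "GET /logo.png HTTP/1.1" 200 8192
"""

# The "additional information": a secret held outside the log store.
# Constructed value; in practice it would be loaded from a separate key store.
SEPARATELY_HELD_KEY = b"constructed-example-key-do-not-reuse"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def pseudonymise_ip(ip, key, length=16):
    """Map an IP address to a keyed, truncated HMAC-SHA256 token.

    A keyed function is used rather than a plain hash: the IPv4 space is
    small enough that an unkeyed digest could be inverted by trying every
    address, so it would not count as pseudonymisation in any useful sense.
    """
    return hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()[:length]


def pseudonymise_log(text, key):
    """Parse the log and replace each client IP with its pseudonym."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of failing the whole batch
        rec["client"] = pseudonymise_ip(rec.pop("ip"), key)
        records.append(rec)
    return records


def requests_per_client(records):
    """Count requests per pseudonymous client. The token is stable, so
    per-client statistics (the operability purpose) survive pseudonymisation."""
    return Counter(r["client"] for r in records)


def error_hits_per_client(records):
    """Count 4xx responses per pseudonymous client; a high count is a
    typical trigger for a closer look at that client's activity."""
    return Counter(r["client"] for r in records if r["status"].startswith("4"))


def matches_candidate(token, candidate_ip, key):
    """Re-identification step: only someone holding the key AND a candidate
    address (in the judgment's scenario, obtained from the ISP via the
    competent authority) can confirm that a token belongs to that address."""
    return hmac.compare_digest(token, pseudonymise_ip(candidate_ip, key))


if __name__ == "__main__":
    recs = pseudonymise_log(SAMPLE_LOG, SEPARATELY_HELD_KEY)
    errors = error_hits_per_client(recs)
    for client, n in requests_per_client(recs).most_common():
        print(client, n, "requests,", errors[client], "4xx responses")
```

Two design points are worth noting. The token is deterministic under a given key, which is what keeps per-client counts and anomaly detection possible on the pseudonymised data; rotating the key periodically limits how long a client can be tracked. Confirming that a token belongs to a particular address requires both the key and a candidate address, which mirrors the two-step channel the Court relied on when it held that the addresses remain personal data for the site operator.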


Photo credit: Digiquip group 

Saturday, 20 August 2016

Which data protection and consumer law applies to Amazon? Comments on the VKI v Amazon judgment



Lorna Woods, Professor of Internet Law, University of Essex

The recent CJEU judgment in VKI v Amazon concerns jurisdiction both in the context of conflict of laws (applicable consumer laws) and the Data Protection Directive.  Essentially, the Court of Justice had to decide which Member State’s data protection law should apply where goods are sold across national borders but within the EU. In this, it forms part of a stream of case law (both decided and pending), dealing with the powers of states (and their institutions) to protect those within their boundaries notwithstanding the digital internal market.

Facts

The case concerned Amazon, a well-known large company engaged in on-line selling. It has a branch established in Luxembourg.  It has a domain name ending ‘.de’ and there is a German language page.  It concludes sales with customers in Austria. The company has no registered address in Austria.  Whenever a customer buys goods via Amazon the transaction is governed by Amazon’s unilaterally imposed standard terms and conditions. One term in the agreement is that the law applicable to the contract is that of Luxembourg. 

A consumer protection body in Austria (VKI) sought to challenge this: Austrian law provides higher protection for the consumer than the equivalent Luxembourgish law and it sought to injunct Amazon on the basis of Directive 2009/22/EC on injunctions for the protection of consumers’ interests through an action brought before the Austrian courts. Amazon countered that it has no legal connection with Austria – it is not established there.  While there were questions regarding the applicable law and the fairness of the jurisdiction clause in the contract in the light of the Unfair Contract Terms Directive, there was another issue concerning data protection. There were clauses in Amazon’s standard terms and conditions which indicated that data might be exchanged with credit-risk assessment and financial services companies in Germany and Switzerland.  Again VKI argued that Austrian data protection rules should apply.

Questions Referred

While on the face of it, the matter might seem to be one of contract law and therefore governed by the Rome I Regulation on the law applicable to contractual obligations, the form of relief sought – the injunction – might seem to bring the question within the Rome II Regulation, which regulates the law applicable to non-contractual obligations – a fact which might affect the outcome in the case.  The national court asked whether an action for an injunction fell within Rome II and, if so, where the damage might be said to have taken place so as to determine jurisdiction.  Irrespective of the outcome to that question, the referring court also asked about the impact of the Unfair Contract Terms Directive on the jurisdiction clause. It likewise also wanted to know whether the processing of data should be regulated by Luxembourg alone, or whether the processor must ‘also comply with the data protection rules of those Member States to which its commercial activities are directed?’

Judgment

The ECJ dealt with the questions on Rome I and II together.  It noted that they should be interpreted consistently with one another, as well as the Brussels I Regulation (which concerns the separate question of which country’s court has jurisdiction in cross-border cases).  The Court referred to its previous case law in relation to the previous Brussels Convention, and the Brussels I Regulation replacing the Convention, to conclude that an action for injunction within the terms of Directive 2009/22/EC (on the protection of consumers’ interests) falls within the meaning of a non-contractual obligation for the purposes of Rome II.  Article 6 of the Rome II Regulation deals with unfair competition.  In that circumstance, the law applicable is that ‘of the country where competitive relations or the collective interests of consumers are, or are likely to be, affected’.  The Court followed the Advocate General (Opinion, para 73) to hold that Article 6(1) covers the use of unfair terms inserted in standard terms and conditions, as ‘this is likely to affect the collective interests of consumers as a group and hence to influence the conditions of competition on the market’ (para 42). Here the relevant country is that where the consumers to whom the undertaking directs its activities reside and who are protected by the relevant consumer protection body (para 43).

Article 4(3) of the Rome II Regulation states that the law of another country applies if it is clear that the tort is manifestly more closely connected with it.  The ECJ approved the approach of the Advocate General (para 77) where he advised that Article 4(3) is not well suited to unfair competition. Article 6 is aimed at protecting collective interests and cannot be displaced by individual agreement (para 45).  Allowing the term of a contract to constitute ‘closer connection’ for the purposes of Article 4(3) would mean that such parties would be able to avoid the conditions for ‘freedom of choice’ set down in Article 14 Rome II.

The question of which law applies to the assessment of the unfairness of the contractual terms, however, falls under Rome I, whether or not it applies to a collective or individual action.

The Court then considered the Unfair Contract Terms Directive (Directive 93/13). That Directive contains the principle that a contractual term which has not been individually negotiated – that is, drafted in advance by the seller/supplier – must be regarded as unfair if it causes a significant imbalance to the detriment of the consumer. The Court agreed with the Advocate General (Opinion para 84) that the terms in issue here fell within that definition (para 63). The question of unfairness is to be determined on the facts by the national court within the scope of criteria determined by the Court of Justice. Since choice of law clauses are in principle permissible, such clauses are only unfair if their wording or context creates an imbalance – so if a clause is not drafted in intelligible language or if it seeks to deprive consumers of protections from which it would not be possible to derogate.  Here, this means that in relation to an Austrian consumer, the national court will ‘have to apply those Austrian statutory provisions which, under Austrian law, cannot be derogated from by agreement’ (para 70).

The Court then turned to Article 4 of the Data Protection Directive. Under Article 4, each Member State regulates processing carried out in the context of activities of an establishment in that Member State. Essentially the question is whether Amazon was established in Austria. The Court referred to its recent Weltimmo judgment, discussed here, which ruled that an undertaking does not need to have a branch or establishment.  Rather, it is a question of the stability of the arrangement and the effective exercise of activities (para 77) that is important.  Further, Article 4 does not require that the processing is carried out by the undertaking itself; the test is whether processing is carried out in the context of its activities (para 78).  This is a question of fact for the national court.

Comment

In terms of the importance of this judgment, we should note that the facts in issue are not uncommon – many on-line businesses have headquarters in one Member State but conclude contracts across multiple Member States. 

As regards the questions relating to applicable laws generally, we are now in a situation where national courts may have to assess questions pertaining to injunctions according to a different law from that relating to the contract itself.  This is not surprising, given case law in other fields, but it is the first confirmation of this point in the e-commerce context.  As an aside, it is also the first judgment on the Directive on injunctions for the protection of consumers’ interests.  It is worth noting that the Court seemed critical of attempts to bypass the protection in Article 6 of Rome II through the notion of ‘manifestly closer connection’ in Article 4(3).  It also specifically excluded the choice of law clause in the agreement as a determining factor in this regard too.

Perhaps the most interesting aspect is, however, the data protection aspect.  The Court did not go into much detail (perhaps signalling behind the scenes disagreement) and there are some curious silences as to some points touched upon by the Advocate General.  The Advocate General had in fact suggested that Article 4 had a ‘dual role’ (Opinion para 110).  So while Weltimmo might apply to determine applicable law, the broad approach to ‘establishment’ found in GoogleSpain to determine the outer territorial limit of the Data Protection Directive did not apply to the intra-EU setting.  The driver for the decision in GoogleSpain was a desire to ensure that the Data Protection Directive applied at all; it was therefore relevant to external processors (Opinion, para 124).  In this case, if the Austrian laws did not apply then the laws of one of the other Member States would, and so the extensive approach would not be necessary.  This distinction was an innovation on the part of the Advocate General; it was certainly not visible in Weltimmo, in which the Court relied on its reasoning in GoogleSpain, and nor was it apparent from GoogleSpain.  Further, the Advocate General seemed to be more stringent about finding ‘establishment’ than the Court in Weltimmo.  For example, the fact that Amazon may provide an aftersales service in Austria was on its own insufficient in his view (Opinion, paras 121 and 125); he also considered the mere accessibility of a website likewise insufficient for this purpose (Opinion, paras 117 and 120). 

Against this background, the silence of the ECJ on the internal/external point is striking, especially given the repeated references to the Opinion through the rest of its judgment.  So is its silence on the subject of GoogleSpain. The Court’s reasoning is grounded only on Weltimmo.  On the one hand, we could argue that the Court has not agreed with the distinction put forward by the Advocate General, but by not applying GoogleSpain directly here, it has not ruled it out either. Note that the Article 29 Working Party (the advisory body set up by the data protection Directive) had applied the extensive interpretation from GoogleSpain in its updated Opinion 8/2010. The Court here also gave no further guidance on the topic of establishment, taking convenient refuge no doubt in the point that its role is to interpret EU law and not to assess facts.


Photo credit: www.creativeintent.co.uk 

Monday, 30 May 2016

Money laundering, customer due diligence and data protection: the CJEU's judgment in Safe Interenvios




Marcin Kotula, Legal Officer at the European Commission

The views expressed are purely those of the author and may not in any circumstances be regarded as stating an official position of the European Commission

Background

The recent judgment of the CJEU in the case of Safe Interenvios was triggered by a preliminary reference from the Provincial Court in Barcelona (Audiencia Provincial). The Court in Barcelona submitted to the CJEU a number of questions related to the interpretation of the third Anti-Money Laundering Directive 2005/60/EC (AML Directive, since replaced by the fourth money laundering Directive, discussed here).

In the case in question, Safe, a company which falls under the definition of a "financial institution" within the meaning of the AML Directive and of a "payment institution" within the meaning of the Payment Services Directive 2007/64 (PSD), had been transferring the funds of its customers abroad through the accounts it held with 3 banks, BBVA, Sabadell and Liberbank. The transfers were to be carried out by agents who were accordingly authorised by Safe and verified by the Bank of Spain (Banco de España). After discovering irregularities regarding Safe's agents, the banks, acting under Spanish Law 10/2010 on the prevention of money laundering and terrorist financing[1], which transposes the AML Directive in Spain, requested various information from Safe. When Safe did not provide them with the requested information the banks closed its accounts. Before closing Safe's account BBVA informed SEPBLAC[2] that Safe might be involved in money laundering activities.

Safe challenged the closure of its accounts before the Commercial Court in Barcelona (Juzgado de lo Mercantil) arguing that the banks have also been transferring funds abroad and that insofar they have been competing with Safe on the same market. In consequence, according to Safe, the closure of accounts was an act of unfair competition. Safe argued further that the information requested by the banks which related to Safe's customers as well as to the origin and destination of the funds could not have been provided without breaching the data protection legislation.

Safe's challenge was largely unsuccessful, as the Commercial Court in Barcelona did not find a specific infringement of competition law by any of the banks. It concluded that BBVA closed Safe's account on the basis of checks which showed that nearly a quarter of transactions were not carried out by agents authorised by Safe and verified by the Bank of Spain. As for the closure of accounts by Sabadell and Liberbank, the court in Barcelona partly ruled in Safe's favour, concluding that these two banks failed to properly set out the reasons for their closures.

Subsequently Safe, Sabadell and Liberbank appealed against that judgment to the Provincial Court in Barcelona which submitted the preliminary questions to the CJEU. 

The CJEU was asked, first, whether customer due diligence measures, laid down in the AML Directive to respond to the risks of money laundering and terrorist financing, could be applied by a credit institution (in the case at hand, a bank) to a financial/payment institution such as Safe, given that financial/payment institutions are already subject to supervision by competent authorities under the PSD and the AML Directive. The CJEU was then additionally asked what type of customer due diligence measures (standard, simplified or enhanced) could be applied in such a scenario and which circumstances could trigger the application of those measures. Finally, the national court asked if the measures and the provision of certain information requested by the banks from Safe are in line with EU competition law (Safe claimed that the banks compete with it on the payment services market) and with EU data protection law (according to Safe, the banks requested the identification data of its customers and of the recipients of the funds which Safe transferred).

The AML Directive sets out the legal framework for measures aimed at preventing and combatting money laundering and terrorist financing. Its provisions are to a great extent inspired by the recommendations of the Financial Action Task Force (FATF), the main international body in the area of combatting money laundering and terrorist financing.  Article 3 of the AML Directive defines which institutions and professions are to apply the anti-money laundering measures. The list in Article 3 includes credit institutions such as banks and financial institutions such as Safe. Chapter II of the AML Directive, which deals with customer due diligence, distinguishes between 3 types of such diligence, i.e. simplified, standard and enhanced.

As far as standard due diligence is concerned, Articles 7 and 8 of the AML Directive describe in which circumstances due diligence should be applied and what measures this might involve. The latter provision underlines that the extent of the due diligence measures can be determined on a risk-sensitive basis depending on the type of customer, business relationship, product or transaction.

Article 9 of the AML Directive specifies the checks that need to be undertaken before the establishment of a business relationship or the carrying-out of a transaction. It also indicates when a business relationship must be terminated or a transaction cannot be carried out.

Article 11 sets out the simplified customer due diligence measures which inter alia apply in situations where the customers are credit institutions or financial institutions. Such customers are already covered by the scope of Article 2 of the AML Directive and need to apply due diligence measures towards their own customers. Enhanced customer due diligence is dealt with in Article 13.

Pursuant to Article 37 of the AML Directive the compliance with the requirements of the Directive by the institutions and persons that need to apply it is supervised by competent authorities. Credit institutions and payment institutions are also covered by the PSD.

Payment institutions get authorised to provide payment services by competent authorities designated by the Member States. These authorities are also empowered to supervise the compliance with the requirements that are applicable to payment service providers.

The CJEU's analysis

The CJEU first dealt with the question whether financial institutions such as Safe can be the addressees of standard or enhanced customer due diligence measures despite the derogation in Article 11 of the AML Directive, which foresees the application of simplified due diligence measures towards financial institutions.

The Court underlined that Article 11 of the AML Directive does not derogate from Article 7(c) under which standard customer diligence measures must be applied when there is a suspicion of money laundering or terrorist financing. Thus, a national provision which authorises the application of standard due diligence measures vis-à-vis financial institutions in such circumstances of suspicion is compatible with the Directive.

In a similar vein, Article 11 of the AML Directive does not derogate from Article 13 thereof. The latter requires enhanced customer due diligence measures to be applied in situations where the risk of money laundering or terrorist financing is higher. Paragraphs (2) to (4) of Article 13 contain a non-exhaustive list of such situations which by their nature present a higher risk. Whilst this list does not include the transfer of funds abroad the Member States have a margin of discretion in applying a risk-based approach and identifying other situations which are, by their nature, associated with a greater risk of money laundering or terrorist financing. In the case at hand, the transfer of funds abroad was included by the Spanish legislator in Law 10/2010 (Article 11) as one of the higher-risk situations which trigger enhanced customer due diligence.

The CJEU then dealt with Article 9 of Spanish Law 10/2010 which on the one hand allows the non-application of standard customer due diligence towards financial institutions but on the other hand empowers the Minister of Economic Affairs and Finance to exclude the application of simplified due diligence towards certain customers. On this point, the CJEU noted that the AML Directive only lays down the minimum level of EU harmonisation with Article 5 of the Directive envisaging the possibility of adopting or retaining in force stricter provisions in the EU Member States. This conclusion was supported by an earlier CJEU judgment in Jyske Bank Gibraltar. The stricter provisions which can apply in the Member States need to serve the purpose of strengthening the fight against money laundering and terrorist financing. They may thus also relate to additional situations which, according to the Member State, present a risk of money laundering or terrorist financing  even if the AML Directive does not prescribe any type of customer due diligence for those situations.

The second group of questions before the CJEU related to the extent of powers which credit institutions may exercise in the context of customer due diligence and to the relation between those powers and the powers of the supervisory authorities under Article 37 of the AML Directive and under Article 21 of the PSD. Here, the Court noted that an institution covered by the AML Directive cannot establish a business relationship or carry out a transaction through its account or must terminate an existing business relationship when it is unable to obtain the various items of information that are defined  in Article 8 of the Directive. These items include the verification of the customer's and the beneficial owner's identity (in the latter case pursuant to a risk-based approach) as well as the information on the purpose and intended nature of the business relationship. The inability of the institution to obtain these types of information might be due to the customers' refusal to cooperate (as in the case at hand) or to other factors.

The CJEU went on to identify the limitations that need to be applied when taking a measure such as the termination of a business relationship or the refusal to carry out a transaction through the bank account. The measure must be proportionate to the risk of money laundering or terrorist financing and thus cannot be taken in the absence of sufficient information pointing to that risk.

The Court then stated that the powers exercised in the context of customer due diligence and the supervisory powers of the competent authorities under the AML Directive and the PSD are to be seen as separate and complementary. In consequence, a credit institution may take account of the due diligence measures which its customer had to apply towards its own customers, but the extent of the credit institution's due diligence measures in such a scenario must be appropriate to the risk of money laundering and terrorist financing. In addition, a credit institution must in that case neither compromise the supervisory tasks of the competent authorities under the PSD nor replace those supervisory authorities.

Next, the CJEU spelled out the conditions under which national legislation can authorise or require standard or enhanced customer due diligence measures towards a financial institution. The CJEU's reply to the first group of questions had already indicated that such measures can be applied vis-à-vis financial institutions pursuant to Article 13 of the AML Directive (enhanced due diligence) and Article 5 (stricter provisions). In this part of the judgment, however, the Court examined how the Member States (when prescribing such measures) or the credit institutions (when authorised by the Member State to apply such measures) can exercise the powers under Articles 5 and 13.

The CJEU started by recalling its case-law on the freedom to provide services and on the permissible restrictions of that freedom (Art. 56 TFEU). It recalled that in Jyske Bank Gibraltar the prevention of and fight against money laundering and terrorist financing was recognised as a legitimate public interest objective which could justify a barrier to the freedom to provide services. It then turned to the question whether Article 11 of Spanish Law 10/2010, which identifies the transfer of money abroad as a situation that always presents a higher risk of money laundering and terrorist financing (and in consequence triggers enhanced customer due diligence), is appropriate for attaining this legitimate public interest objective. In that regard, the Court stressed that both the national legislator (when prescribing standard or enhanced due diligence measures towards a financial institution) and the credit institutions (when authorised by the Member State to apply such measures) must carry out a complete risk assessment prior to deciding on the measures to take. Such measures must furthermore be proportionate to the risk so identified. The final element of this part of the CJEU's judgment was thus dedicated to the proportionality of Article 11 of Spanish Law 10/2010. Here, the Court concluded that the restriction of the freedom to provide services laid down in Article 11 would be proportionate if no less restrictive means were available and if the restriction was compatible with the fundamental rights and freedoms under the Treaties and the Charter, for example with the right to protection of personal data (Article 8 of the Charter) and with the principle of free competition. Whilst, in principle, leaving the personal data protection aspects for the last part of the judgment, the Court found that a less restrictive measure was available in this case. The Spanish legislator generally presumed that all transfers of money abroad present a higher risk of money laundering and terrorist financing, whereas it could have provided a possibility of rebutting that presumption in individual cases which objectively do not present such a risk.

The last group of preliminary questions put before the CJEU focussed on the compatibility of the enhanced due diligence measures with EU data protection law, as set out in the Data Protection Directive (Directive 95/46). The Provincial Court in Barcelona asked whether Safe can be obliged to provide the banks with the identification data of its customers, in particular those from whom the transferred funds originated, as well as with the identification data of the recipients of the funds. In the reply to the previous group of questions the CJEU had already indicated that the due diligence measures taken pursuant to Articles 5 and 13 of the AML Directive need to be compatible with Article 8 of the Charter, i.e. with the right to the protection of personal data. The reply to the last group of questions could thus have elaborated on this statement and clarified which personal data of the customers and recipients can validly be requested by credit institutions. However, in the case at hand BBVA denied that it had requested the identification data of Safe's customers and of the recipients of the funds; it had merely requested the identification data of Safe's agents who used BBVA's accounts. Moreover, the CJEU found the last group of questions not to be sufficiently precise, because they referred only generally to the Data Protection Directive without specifying any of its provisions which could be relevant in this context. The part of the preliminary questions which related to the Data Protection Directive was therefore considered inadmissible.

Comments

The replies of the CJEU to the preliminary questions point in the direction of giving a certain degree of flexibility to the national legislators and to the institutions and persons which apply customer due diligence measures. On the other hand, the measures prescribed or authorised by the national authorities and the measures applied in individual cases by banks and other institutions and persons covered by the AML Directive need to be preceded by comprehensive risk assessments. Those risk assessments should lead to the definition of measures which are appropriate to the identified level of risk. The measures can vary depending on the type of customer, business relationship, product or transaction.

This well-balanced approach seems in line with the objectives of the AML Directive and with the CJEU's case-law, which recognised preventing and combating money laundering and terrorist financing as an overriding reason in the public interest.

The CJEU added a further safeguard at a later stage of the judgment: the proportionality of the customer due diligence measures depends not only on the results of the risk assessment but also on their compliance with fundamental rights and freedoms and general principles of law. The Court specifically mentions the principle of free competition and the right to the protection of personal data enshrined in Article 8 of the Charter.

In Safe the CJEU did not, however, provide any specific indications on which personal data can be requested from the customer in the context of due diligence measures, and in which circumstances. This was because the last group of preliminary questions was based on facts which were disputed in the proceedings, and that group was eventually declared inadmissible by the Court.

The AML Directive does not really address how the measures it designs relate to the protection of personal data. In fact, there is only one point in the text of the Directive which touches upon that issue: Recital 33, which refers to the applicability of national data protection laws and of the international transfer rules of the Data Protection Directive in the context of the transmission of information to the Financial Intelligence Units (FIUs) and the disclosure of information about such a transmission.

On the other hand, the new fourth Anti-Money Laundering Directive 2015/849 is much more explicit in this respect. Its Chapter V implicitly states that Article 7(e) of the Data Protection Directive constitutes the legal basis for processing personal data for the purpose of the prevention of money laundering and terrorist financing, by recognising in Article 43 that such processing is a matter of public interest. The same Chapter also deals with the information that needs to be provided to the customer before establishing a business relationship or carrying out an occasional transaction. Finally, it lays down more precise indications with regard to the transmission of information to FIUs and to the disclosure of that fact to the customers. According to Article 41(4) this issue should be regulated in national laws, which must strike a balance between the customer's access to their personal data and the interest in the proper functioning of anti-money laundering procedures and investigations.

The provisions on the different kinds of customer due diligence are also more precise in the new Directive. There is no longer a derogation from standard due diligence for financial institutions. The Directive is now accompanied by three annexes. The first annex contains a non-exhaustive list of risk variables that shall be taken into account when determining the extent of customer due diligence measures. The second annex includes a non-exhaustive list of factors pointing to a potentially lower risk of money laundering and terrorist financing, i.e. the degree of risk that might trigger the application of simplified customer due diligence. Finally, the third annex is a non-exhaustive list of factors suggesting a higher degree of risk, which requires the application of enhanced customer due diligence. Generally speaking, the factors included in the three annexes relate to types of customers, geographic areas, and particular products, services, transactions or delivery channels. In addition, Articles 17 and 18 of Directive 2015/849 envisage guidelines on the risk factors and the measures to be taken in situations of simplified customer due diligence and enhanced customer due diligence respectively. Such guidelines shall be issued by the ESAs, i.e. the European Supervisory Authorities (EBA, EIOPA and ESMA), by 26 June 2017.

Photo credit: gfintegrity.org
[1] Ley 10/2010 de prevención del blanqueo de capitales y de la financiación del terrorismo.
[2] The Executive Service of the Commission for the Prevention of Money Laundering and Financial Crime of the Bank of Spain - Servicio Ejecutivo de la Comisión de Prevención de Blanqueo de Capitales e Infracciones Monetarias del Banco de España.