Friday, 13 June 2014

Reforming EU data protection law: the Council takes its first baby steps


Steve Peers

The EU’s controversial data protection rules, currently in the form of a Directive dating back to 1995, would be reformed profoundly if a Regulation proposed by the Commission is adopted. Talks on this proposal have been underway since January 2012, with no immediate end in sight. However, in June, for the first time the Council (consisting of Member States’ justice ministers) has agreed its position on part of the proposal. Of course, the Council still has to agree its position on the rest of the text, and then negotiate with the European Parliament, which adopted its position on the entire text this spring. But at least this recent partial Council deal offers the first opportunity to assess the direction of negotiations.

Furthermore, this is a good occasion to assess whether the new legislation might impact upon the application of the controversial Google Spain judgment.

The partial Council deal

The Council deal only concerns the question of how the new EU rules will apply to non-EU countries. However, this issue is of great importance in light of the ever-growing use of the Internet and social media, since the EU rules are potentially liable to apply worldwide.

To place the deal in context, it is necessary to look at four different things: (a) the current rules in the 1995 Directive, as interpreted by the CJEU; (b) the 2012 proposal; (c) the Council’s position; and (d) the EP’s position.

In each case, I will look at two different aspects which were addressed by the Council deal. First, when do the standard EU data protection rules apply, even where the company processing data is based outside the EU? Secondly, when do the special rules on external relations apply?

The current rules

Currently Article 4 of the 1995 Directive states firstly that the standard rules apply to a data controller established in a Member State. According to the CJEU in Google Spain, that concept applies at least where a non-EU company has established a subsidiary in a Member State, and that subsidiary carries out activities linked to the business model of the parent company. The current rules go on to say that if the controller is established on the territory of more than one Member State, it must comply with the national law of each of those States.

Furthermore, the standard rules in the 1995 Directive apply where a Member State’s national law applies by virtue of public international law, and where the controller is not established on EU territory, but uses equipment located on a Member State’s territory, unless that equipment is used only for the purposes of transit. This raises the question of whether the use of ‘cookies’, for instance, amounts to the use of equipment on a national territory, since those cookies are installed on a computer located in a Member State.

As for external transfers, the current rules provide (Article 25) that in principle data can only be transferred if there is an ‘adequate level of protection’ in the third country concerned. The Commission can adopt decisions either finding that there is, or is not, an adequate level of protection. By way of derogation (Article 26), Member States must nonetheless allow (unless their national law provides otherwise) external transfers to take place if: the data subject has given unambiguous consent; the transfer is necessary to perform a contract with the data controller or to implement pre-contractual measures which the data subject requested; the transfer is necessary to conclude or perform a contract in the interest of the data subject as a third party; the transfer is ‘necessary or legally required on important public interest grounds’ or related to legal claims; the transfer is in the data subject’s ‘vital interests’; or the transfer is from a register which provides information to the public or to persons with a legitimate interest.

A Member State may authorise an external transfer to a country with an inadequate level of protection if the data controller can offer ‘adequate safeguards’, in particular arising from contractual clauses. The Commission can decide that certain standard contractual clauses offer such protection.

The 2012 proposal

The 2012 proposal (Article 3) suggests that the new Regulation should apply first of all where a controller or processor is established in the EU. Secondly, it should apply where the data controller is not established in the EU, but the data subjects reside in the Union, and the data controller either offers them goods or services, or monitors their behaviour. Thirdly, as before, it would apply where a Member State’s national law applies by virtue of public international law. The provision concerning the ‘use of equipment’ would be dropped.

As regards external transfers, the 2012 proposal maintains the basic structure of the current rules, but elaborates upon it. So there are more details on what the Commission has to take into account when assessing the adequacy of a third State, including judicial redress and supervisory authorities. Adequacy decisions taken pursuant to the 1995 Directive would remain in force.

External transfers would be permitted on the basis of binding corporate rules, or standard contractual rules adopted by the Commission or a national supervisory authority, or individually negotiated contractual rules authorised by a national supervisory authority. Otherwise transfers would require approval by a supervisory authority. Pre-existing authorisations by a supervisory authority would remain valid.

A new clause would elaborate upon the content of binding corporate rules that would be adopted unilaterally. These would require the approval of a supervisory authority.

Finally, further derogations would be permitted. Compared to the current rules, these would be optional, not mandatory. The new proposal would clarify that consent could only be given after the data subject had been warned of the risks, and that transfers in the data subject’s interest could only be given if the data subject were unable to consent. There would be a new ground of external transfers in the data controller’s or processor’s legitimate interest, subject to safeguards being in place. The concept of the ‘public interest’ justifying such transfers would be further clarified in national or EU law.

The Council position

As regards the standard rules, the Council would amend the Commission proposal to clarify that the rules will apply whether or not the data controller offers goods or services for payment. However, as regards monitoring of behaviour, the rules will only apply if the data controller monitors behaviour within the EU.

For external transfers, the Council would add further detail to the rules regarding the assessment of the adequacy of third states, including a specific reference to participation in regional or multilateral data protection treaties. The Council also wants to give an advisory role to the planned new European Data Protection Board in this process. The Council would require the Commission to monitor the application of its adequacy decisions, and empower it to revoke them. However, the Commission would no longer have the power to adopt a decision specifying that a third State had inadequate protection.

The Council would also permit external transfers to take place on the basis of a code of conduct or a certification mechanism. Transfers in the private interest of the data processor or controller would be subject to a possible override in the data subject’s interests. The Commission would lose powers to define the public interest reasons for transfers, and Member States would gain more powers on this point.

The EP position

The EP would amend the Commission proposal so that, where the controller or processor is established within the EU, it would not matter where the data was processed. Also, the standard rules would apply to the offering of goods or services or monitoring by data controllers or data processors, and would apply to any sort of monitoring of data subjects, not only the monitoring of behaviour. Unlike the Council, the EP would not limit the monitoring clause to behaviour within the EU. However, like the Council, the EP would apply the rules even if goods or services are not offered for payment.

As for external transfers, the EP agrees with the Council that the Commission should monitor its adequacy decisions, and that there should be a role for the new Board. However, the EP wants to apply a ‘sunset clause’ to pre-existing adequacy decisions, and retain the power for the Commission to adopt ‘inadequacy’ decisions.

Similarly, pre-existing authorisations of contractual clauses would expire soon after the new rules were adopted, although the EP agrees with the Council that a form of certification process should justify external transfers. For binding corporate rules, the EP wants to ensure consultation of workers where their data is involved, and apply the rules to sub-contractors (the Council approaches the latter issue by referring to groups of companies). As regards the derogations, the EP would reject the idea of transfers in the legitimate interests of controllers.

Finally, the EP has proposed a new ‘Snowden clause’ which would mean that national courts could not recognise the decisions of non-EU courts which ordered the disclosure of personal data. However, this rule would be ‘without prejudice’ to mutual assistance treaties or any other international agreements between a non-EU state and the EU or any Member State.

Comments

One important point should be addressed at the outset: what is the result of the recent EP election on the EP’s position? In the EU system, proposed legislation does not fall simply because there is an election for the EP, or because there will be a new Commission as from November. Rather, the newly elected EP traditionally holds a vote at an early stage to decide whether to reaffirm the positions taken by the previous legislature. Usually it reaffirms almost all of the prior legislature’s positions. It should be recalled that the EP’s position on the data protection Regulation was adopted by a huge majority, and so despite the increase in the number of populist MEPs, a majority in favour of approving the EP’s prior position on this proposal should in principle not be hard to find.

For its part, the incoming Commission will decide whether to withdraw some of its pending proposals, but it is very rare for an incoming Commission to withdraw a proposal which is actively under discussion in the Council and EP, such as the data protection proposal.

Moving on to the substance of the issues, as regards the application of the standard rules, all three institutions agree to keep the rule on establishment, extending it to data processors also. The EP’s suggested amendment regarding the location of the data processing is merely a clarification, which is probably not necessary.

The three institutions all agree to drop the ‘use of equipment’ clause, to keep the clause on public international law, and to add a new clause regarding goods and services and monitoring. The EP and the Council also agree that the ‘goods and services’ clause will apply even where there is no payment made. The institutions differ as regards extending the new clause also to data controllers, and differ as regards the exact scope of the monitoring of behaviour.

As for the external transfers rules, all three institutions would keep the current basic structure. They differ as regards: the ‘Snowden clause’ (although this rule is very weak, in light of its exceptions for any international treaties); whether the Commission can adopt an ‘inadequacy decision’ (it has never done so); sunset clauses for prior authorisations; whether private interests can justify external transfers; and the process of determining when the public interest can justify them.

Taken as a whole, the impact of the new rules depends on how the current rules are interpreted. There is no reason to doubt that the ‘establishment’ clause would be interpreted the same way as it was in Google Spain, ie applying at least where a subsidiary’s activity is linked to a non-EU parent company’s business model. But there is no case law clarifying what the ‘use of equipment’ means, and so it is not easy to assess what removal of this clause will mean in practice.

Instead, the focus will be on what it means to offer goods or services (whether or not for payment), and what it means to monitor an individual. These concepts are clarified in the preamble, which indicates that the ‘offering goods or services’ rule will apply where a website seeks to sell its products or services, and its online activity is particularly directed towards EU citizens (in light of the currency or language used). So the intention is apparently not to cover a non-profit body like Wikipedia, or a social network or search engine which does not charge for its services (although some such entities would be covered by the ‘establishment’ rule).

What about ‘monitoring’? Here, the preamble suggests that the new clause applies when an individual’s Internet activities are tracked with a view to profiling him or her. There is no suggestion in the preamble that keeping records of a person’s use of social networks would count as monitoring. But if that is not the intention, it would be better for the EU legislature to rule it out more expressly. In any event, it is difficult to see how the Council’s limitation regarding the monitoring of behaviour within the EU would work in practice, in light of the nature of the Internet.

As regards the external transfer clauses, their importance depends on whether the standard clauses apply. The greater the number of businesses covered by the standard rules, the less important the external transfer rules are – and vice versa.

It is clear that the external transfer clauses will remain broadly similar to the current rules, so any corporate or NGO strategies regarding these clauses would only need to be amended modestly, rather than be overhauled. The biggest issues may be the EP’s insistence on its ‘Snowden clause’ and its rejection of the idea that external transfers can take place in the data controller’s interest, although the former clause is weak and data controllers can usually pursue their interests by means of obtaining consent or establishing a contractual relationship.

Much of the most difficult work as regards the negotiation of the new rules remains to be done. In fact, it is rather peculiar to negotiate a new law by defining its territorial scope before agreeing on its main substance.

While a vast number of issues will arise in the forthcoming negotiations, the following are particularly relevant to the fallout from the Google Spain decision, in particular as regards its possible impact on social networks and Wikipedia: the interpretation of a ‘data processor’ (which would be particularly significant if the EP gets its way and the entire clause on territorial scope applies to data processors); the possible application of the ‘household exception’ to user-generated content; the exception for journalism; and the definition of the grounds for processing personal data (notably consent and the controller’s legitimate interests).

Barnard & Peers: chapter 9

Wednesday, 14 May 2014

Towards a Web 3.0? The impact of the Google Spain judgment on social networks and Wikipedia



Steve Peers

If its age could be measured in ‘Internet years’, the EU’s data protection Directive would be prehistoric. This can easily be demonstrated by comparison with the age of Facebook. The Directive was adopted seven years before the virtual panty raid on Harvard students’ privacy that ultimately launched Facebook. Indeed, when the Directive was adopted in 1995, Mark Zuckerberg was eleven years old, and attending primary school. He turns 30 today.

That’s a significant birthday – but is there anything in the Google Spain judgment that would ruin the party? This blog post looks in detail at the possible application of the judgment to two well-known features of the Internet: social networks and Wikipedia.

Long ago (in Internet years), the Internet shifted to a ‘Web 2.0’ model, dominated increasingly by user-generated content such as social networks and Wikipedia (along with blogs and many other forms of such content). The question I want to pose here is whether the Google Spain judgment could launch a ‘Web 3.0’: an Internet dominated by data subjects’ control of their personal data?

Applying the Google Spain judgment to social networks and Wikipedia

Material scope of EU law

First of all, the information placed on social networks and Wikipedia certainly constitutes personal data, at least as far as it concerns living natural persons. It’s an interesting question as to whether the legislation also applies to dead persons: this conjures up the image of the supporters and critics of (say) Ronald Reagan or Margaret Thatcher using data protection law to litigate over the reputation of their heroes (or villains). But the exclusion of legal persons means that data protection law cannot be a vehicle for companies (or other legal persons such as NGOs, political parties, charities or governments) to attempt to remove all traces of criticism of their actions.

As the CJEU has made clear several times, it isn’t relevant that the data was initially (or subsequently) made available elsewhere. This point is relevant to Wikipedia in particular, given the sources it links to for most of its information.

Placing information on the Internet amounts to ‘data processing’, at least where it is available to the general public. This is particularly relevant to Wikipedia, but it’s also relevant to those social network profiles which are accessible to the outside world. In both cases, the personal data would also be accessible by means of search engines, which means that Google (or other search engines) would be separately liable for securing data protection rights under the conditions set out in the Google Spain judgment.

However, where a social network profile is genuinely closed to the outside world and made accessible only to persons selected by the data subject, the EU’s ‘Article 29’ working party on data protection (a body made up of national data protection supervisors, which gives non-binding advice on the application of EU data protection law) has suggested that the so-called ‘household exception’ in the Directive might apply. This would mean that, since the data could only be seen by a closed circle of (presumably) friends and family, the EU law wouldn’t apply at all. Obviously, though, that exception wouldn’t apply to any processing of the personal data in question by the company which established the social network itself, for direct marketing or other purposes.

Who is the ‘data controller’, ie the person with greater liability for application of EU data protection legislation, as regards social networks and Wikipedia? On this point, there is a clash between the nature of Web 2.0 and the putative Web 3.0, to the extent that the content of the personal data is generated by the users. In principle, each individual chooses how much personal data to place online and who has access to it, and similarly the editors of Wikipedia generate its content. The liability of the social network provider or Wikipedia might arise, however, to the extent that they alter the privacy settings, or could be regarded as controlling (as in Google Spain) the systematic presentation of the data to the outside world. We can’t forget that in that judgment, the CJEU ruled that there has to be a ‘broad definition of the concept’ of a data controller.

Territorial scope

Back when the Internet was (in Internet years) a teenager, the CJEU ruled in Lindqvist that the special rules on external relations in the data protection Directive should not, by means of the nature of the Internet, become a general regime applicable to the entire world. But in Google Spain, the Court conversely was anxious to ensure that the general rules of the Directive were applicable to companies based outside the EU.

However, this doesn’t mean that all social networks, or Wikipedia, are necessarily subject to the Directive. They are certainly subject to it if they are in the same situation as Google: with a subsidiary in a Member State, which is selling advertising connected to the Internet-related activities of the parent body. But this is surely not the only scenario when the Directive applies to companies based outside the EU. As the CJEU said in Google Spain, the Directive has ‘a particularly broad territorial scope’ and the relevant rules ‘cannot be interpreted restrictively’. So while it is an oversimplification to say that the Directive applies to any entity ‘doing business in the EU’, it probably applies at least where there is a significant local activity (certainly in the form of a branch, possibly in the form of an agent or licensee) by the parent entity, that has some link to its Internet activities.

It is also still open to argue (since the Court did not address the issue) whether a parent company can be regarded as ‘established’ or using equipment on the territory due to its use of domain names, storage of data, and use of crawlers or robots on the territory, or whether the EU Charter of Fundamental Rights imposes broader criteria as regards the territorial scope of the rules.

Of course, there will be practical difficulties enforcing the Directive where a non-EU entity does not have assets in the EU. However, in such cases there might be possibilities to enforce the Directive’s rules by seeking to enforce a court ruling in a non-Member State, or more directly by means of obtaining an injunction to block access to the information which infringes data protection rules. Undoubtedly, such an injunction could be sought against Google, where the data is accessible by means of its search engine, and arguably (by analogy with copyright law) against an Internet service provider.

Personal scope

One interesting question which the Court did not have to deal with in Google Spain was the personal scope of data subjects. For instance, could a celebrity based in America, who finally gets tired of stories about her enormous backside, try to use EU data protection law to prevent access to such stories?

There is no requirement in the Directive that the data subject must be a national of a Member State, and/or domiciled in the EU. Nor do the rules on the territorial scope of the Directive mention this factor. So it must follow that non-EU citizens who are not resident in the EU can rely upon the Directive to assert their data protection rights within Member States. So in principle, at least, the supporters and detractors of Barack Obama or Vladimir Putin could bring their disputes, in the context of editing Wikipedia entries, to the courts and data protection supervisors of EU countries.

While this might sound absurd, in fact there are other reasons which would stand in the way of the application of EU data protection law to such disputes – to which we now turn.

Responsibility of data controllers

Data controllers must ensure that the data quality rules in the Directive are satisfied, and that data was processed in accordance with one of the legal grounds for processing.

On the latter point, one of the crucial factors in the Google Spain case was that Google could only rely (as regards its search engine) on its ‘legitimate [commercial] interest’ in processing personal data, in accordance with Article 7(f) of the Directive. The same provision refers to the interests of third parties, namely freedom of expression. However, the Court held that such interests were overridden by the data subject’s rights in that case, due to the huge invasion of his privacy due to the use of search engines.

Two issues arise here: the balancing test, and the grounds for processing. The first issue is particularly relevant for Wikipedia, since (like Google, as regards its search engine) it must rely on this balancing test in order to justify its processing of personal data, in the absence of other possible grounds to justify it.

Applying the balancing test, the CJEU ruled on both Google’s interest and the public interest in freedom of expression. As regards Google, the Court stated that its ‘merely economic’ interests were outweighed by the data subject’s. This suggests that a non-profit body like Wikipedia would arguably have a greater claim to assert its interests than a profit-making entity.

As regards the public interest, the Court listed the factors to be considered as ‘the nature of the information’, its ‘sensitivity for the data subject’s private life’, and the public’s interest in the data, which could ‘vary, in particular’, on the data subject’s ‘role…in public life’. It should be recalled that the concept of ‘private life’ usually includes data concerning a person’s activity in public, but here the Court does suggest that there might be a distinction between public and private activities. So the balance tips in favour of freedom of expression the more that the person concerned is a public figure, and the more that the information concerns his or her public activities. So certainly Wikipedia could contain a record of public criticism of a politician; but the sordid details of his intern’s (postponed) dry-cleaning might possibly be another matter.

The crucial question here is whether the test can be regarded as severable: ie can it be argued that even if a person is a public figure, his or her public and private activities can be distinguished? In any event, his or her mistress or children are data subjects in their own right, so would have a data protection right to assert independently of the politician, and are unlikely to be public figures. But of course, some spurned mistresses are very keen indeed to waive their data protection rights.

But who is a public figure in the first place? Presumably the concept has an autonomous meaning in EU law, so it is not up to Wikipedia (or the persons concerned) to determine what it means by themselves. But surely the nature of Wikipedia is a significant factor to take into account when developing and applying such a definition.

As regards the nature of the personal data, what if the information in question reflects very badly upon the person concerned? The CJEU did not address this issue expressly in Google Spain. But it could be argued that it depends on the public interest in receiving that information. So while past financial difficulty does not raise a public interest issue, there is a better case for arguing (say) that a woman who has been groped by a particular car mechanic has every right to warn other women against him by means of social networks.

Another crucial element in the Google Spain judgment was the journalist exception in the Directive. It didn’t apply, because Google itself was not a journalist, and the Court disregarded the use that journalists make of search engines. But where content is user-generated, such as Wikipedia and on blogs, surely the exception must apply, given the Court’s broad approach to it in previous judgments such as Satamedia and Lindqvist. So in that case it could be argued that the exception should be applied in practice by the national courts. Indeed, perhaps the only reason why the CJEU undertook the task of applying the balancing test between privacy and freedom of expression itself in Google Spain was because the journalist exception did not apply.

As for the second issue, social networks will usually be able to point to other grounds justifying the processing of personal data: namely unambiguous consent, and necessity to perform a contract. This raises important questions of how to interpret these grounds for data processing, but these are clearly different issues not addressed at all by the Google Spain judgment.

That judgment would only be relevant as regards the processing of personal data about third parties in social networks, for instance a man ranting about his ex-girlfriend on his Facebook page. The way to resolve situations such as these is for social networks to adopt and apply robust privacy policies, but the Google Spain judgment can only be an indirect source of inspiration for such policies.

The right to be forgotten

Finally, what of the ‘right to be forgotten’? The Court derived such an implicit right from the rules in the Directive on the relevance of data (one of the data quality principles), given that it might cease to be relevant over a long period of time. While this can be seen as a positive right for data subjects, conversely it suggests that if information is accurate (and complies with all other rules in the Directive), there is not much of a right for a data subject to object to its dissemination as long as it is relatively fresh.

Conclusion

Is there good reason for Mark Zuckerberg's own knickers to be in a twist, following the Google Spain judgment? The CJEU does suggest that the territorial scope of the Directive is relatively broad, and as such is more likely to apply to social networks and other well-known Internet services than might otherwise have been thought. But it is not yet certain whether and when the Directive does apply to entities whose situation differs from Google’s. Equally the judgment confirms that the material scope of the Directive is broad, and it seems clear enough that its personal scope is broad too.

However, the judgment is unlikely to lead to a ‘Web 3.0’ as regards Internet services besides search engines, because there are basic differences in the substantive data protection law of the EU as it applies to the bodies offering such services. These differences concern in particular: the very nature of user-generated content (arguably changing who is the ‘data controller’); the existence of privacy or editing policies; the public figure exception; the possible application of different, additional grounds for processing personal data; and the Google Spain judgment itself – since it provides for an alternative, more effective means of blocking access to the personal data concerned.

Barnard & Peers: chapter 9