Datonomy readers may have had to grapple with the tricky issue of which national data protection law to apply in the context of an online service with a cross-border dimension. They are not alone – the German courts have recently considered the issue in relation to Facebook’s operations.
In April, the German Higher Administrative Court of Schleswig-Holstein ruled that German data protection law does not apply to Facebook’s collection and processing of personal data of users in Germany. Instead only Irish data protection law would be applicable.
The Internet giant faced an order by the Independent Data Protection Authority of Schleswig-Holstein, which wanted to force Facebook to allow German users to use pseudonyms instead of their real names for registration and for their profile names. German data protection law obliges website providers to enable this feature to the extent that this is technically possible and reasonable.
According to the Higher Administrative Court, however, German data protection law is not applicable here, as it is Facebook’s Irish affiliate, Facebook Ireland Ltd., that is to be regarded as the relevant establishment for the processing of personal data of users in Germany with regard to the registration and the management of their accounts.
According to article 4 (1) a) of the directive 95/46/EC, the only applicable data protection law is that of the Member State in which the establishment of the controller that carries out the relevant processing of personal data in the context of its activities is located.
The court furthermore stated that Facebook’s German subsidiary in Hamburg, Facebook Germany GmbH, would exclusively operate in the fields of marketing and advert acquisition without having any actual influence on the German user accounts.
Since the requirements of article 4 (1) a) of the directive 95/46/EC were fulfilled by Facebook Ireland Ltd. and its processing of personal data of German users, the court consequently did not examine the question of whether German data protection law could be applied pursuant to article 4 (1) c) of the directive 95/46/EC, as both provisions are mutually exclusive.
The Higher Administrative Court completed its ruling with an additional statement saying that German data protection law would only insufficiently implement article 4 (1) a) of the directive 95/46/EC. The Higher Administrative Court further emphasised that if personal data is processed by an establishment that is not located in an EU/EEA member state, article 4 (1) c) of the directive 95/46/EC applies and determines the applicable national law.
Finding the applicable law
It is important to highlight that finding the applicable law under article 4 (1) of the directive 95/46/EC is anything but easy. The directive provides two distinct situations in which the national data protection law of a member state will apply:
- Article 4 (1) a): If the processing is carried out in the context of the activities of an establishment of the controller on the territory of a member state, the national provisions of that member state apply, regardless of where the controller is established; this can even be outside of the EU/EEA.
- Article 4 (1) c): If the controller is not established on EU/EEA territory and no relevant establishment in the EU/EEA is involved in the processing of personal data and, for purposes of processing personal data, the controller makes use of equipment, automated or otherwise, situated on the territory of a member state, the data protection law of this member state applies.
National data protection authorities in the EU, however, take different approaches when determining the meaning of the term “equipment”. While cookies or other software placed on a user’s PC or smartphone are widely recognized as equipment, different views are taken when it comes to other scenarios. The Article 29 Working Party, for example, interprets the term equipment in a rather broad way, stating that the activities of a processor in a member state could also constitute a “making use of equipment”. Other data protection authorities believe that a non-relevant establishment of a controller can be seen as equipment.
Conclusion and comment
In each case, the determination of the applicable national data protection law regime depends on how personal data are processed and on the particularities of the relevant establishment that is responsible for the processing. Since different national rules impose different rights and obligations on the data controller regarding the processing of personal data, companies should structure their data processing activities thoroughly in order to avoid legal uncertainties.
The Working Party sought to bring some clarity and consistency of interpretation to this difficult area in its 2010 Opinion here. Datonomy and its colleagues at Olswang commented on the Opinion here and here. Could applicable law conundrums become a thing of the past for companies with multinational operations? That is certainly one of the drivers behind the draft General Data Protection Regulation, which seeks to harmonise substantive data protection rules across Europe, and introduce “one stop” regulation by the Member State where the organisation is headquartered. In practice, will differences over substantive rules and local enforcement approaches ever be eradicated? Datonomy readers will have to wait and see!