Multi-jurisdictional personal data processing? Advocate General thinks not.

While on the subject of data protection and jurisdictional questions (see my earlier post about the Microsoft case), I thought it worth pointing out the Advocate General’s opinion in Verein für Konsumenteninformation v Amazon EU Sàrl (Case C-191/15), issued in recent weeks.

The Microsoft case concerned the limits of US jurisdiction over data held on servers in the EU. What about data held within the EU, but which is being processed in a number of EU member states? Is the data controller subject to the jurisdiction of all of those states? If so, life is potentially very complicated: data protection law in the EU is supposed to be harmonised, but there will always be legitimate variations in how member states implement aspects of the overarching law.

The AG’s opinion in the Amazon case would – if it comes to be followed by the CJEU – make life a bit less complicated for data controllers. His stance appears to be that the data controller should only be subject to a single jurisdiction. This turns on an analysis of where it is “established” – as to which, see the important case of Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság (C-230/14).

When the CJEU tells us the answer, Panopticon will report on whether or not data controllers will find their EU lives a bit less complicated than they might otherwise be.

The Amazon opinion is not yet available in English. This post draws on what Cynthia O’Donaghue and Thomas Evans have written in Technology Law Dispatch here.

Robin Hopkins @hopkinsrobin