Data Protection and the Applicable Law

Posted on | by Christopher Knight

One of the most interesting difficulties for data protection lawyers over the last few years (wake up at the back) has been the application of a DPA and a Directive drafted in an analogue age to a new digital world. The internet has posed many difficulties, and working out how to apply data protection law to it has been just one of them. It is an area which has begun to repeatedly trouble the CJEU. In Case C-191/15, Verein für Konsumenteninformation v Amazon EU Sàrl (judgment of 28 July 2016) the CJEU returned to the tricky and sui generis way the Directive deals with questions of the applicable law to data protection disputes.

The context is Amazon’s sales to Austrian customers. Amazon is a Luxembourg established company with no office in Austria, and whose terms and conditions say that Luxembourg law applies, but also that data may be shared with other Amazon group companies as well as, for purchases made using Amazon.de, a particular German firm. An Austrian consumer protection watchdog raised numerous issues over these terms and conditions on behalf of Austrian consumers, including what the applicable law was for those terms and conditions, what the applicable law was when seeking an injunction in respect of those conditions, and whether the choice of law clause in the conditions was fair under consumer protection laws. The final issue raised was what law was applicable to data protection issues arising out of a transaction covered by those terms and conditions.

Robin has already noted the lengthy Opinion of the Advocate General, which will doubtless be even more useful when it appears in English. The CJEU dealt with the data protection query rather more summarily. Having concluded that Rome II applied to the injunction (as a non-contractual matter), and Rome I to the terms themselves, it recognised that the Data Protection Directive effectively applies its own applicable law rules through Article 4.

That rule is relevantly in Article 4(1)(a): “Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where: (a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable“. Clear? Good.

The CJEU held that it followed that the processing of data was governed by the law of the Member State in whose territory the establishment in the context of the activities of which it was processed the establishment was situated (at [74]). It referred back to its consideration of this issue, and how to work out where the establishment was, in Case C-230/14 Weltimmo (on which see here and here), without purporting to resolve any of the unanswered issues that judgment gave rise to. Doing so was, as ever, a matter for the national court. It did note that just because Amazon did not have a subsidiary or branch in Austria, that did not mean it might not be established there, but that merely having a website accessible to Austrians was not enough: at [76]. The CJEU also reiterated that the processing need not be “by” the establishment itself, so long as it is in the context of the activities of the establishment: a self-evidently wider proposition: at [78].

Does Amazon do so in the context of an establishment other than its registered office in Luxembourg? Happily for a court made up of five judges paid to give answers to difficult questions, the CJEU felt able not to give any answer at all, but to bat the matter back to the domestic court to decide for itself. The only cryptic clue it gave was to endorse the AG’s Opinion at [128] that if the establishment were in Germany (no doubt having had regard to the terms and conditions making express reference to data sharing with a German company), German law would govern the processing: at [80].

Not, one might think, a uniquely helpful set of answers from the CJEU. Twas ever thus. But it is another confirmation of the tricky nature of working out which law applies to data protection issues, using a mechanism distinctly less well established than those familiar to private international lawyers.

Christopher Knight