Now the immediate dust has settled on last weeks’ judgments of the CJEU in Bara and in Weltimmo it is perhaps briefly revisiting both to note some of the real issues and questions which arise. Answers are harder to come by, but the theme is of a rigid approach by the Court to Directive 95/46/EC which squeezes data controllers until the regulatory pips squeak. The impact of both judgments, not to mention the forthcoming Schrems, could be really significant and, frankly, counter-productive in terms of encouraging the free movement of goods and services. Free movement of data is not a Treaty right, and there are obvious needs to place limits and protections on personal data, but whether the CJEU is adopting an approach which gives businesses sufficient room for practical manoeuvre is another matter.

Some thoughts then on a re-reading of both judgments:

Bara

• Although the context was transfers between public authorities, the principle is not so limited. Any transfer of data to a third party which does not already have express consent will be at risk of unfair processing.
• Just because the two parties to the transfer agree it, and may be obliged to do it (contractually, say), that does not mean the data subject has approved it. Because both making and taking the transfer are acts of processing both data controllers need to have notified the data subject. That is onerous and easy to overlook.
• Not only does the data subject need to have agreed the transfer, they need to know why the transfer is happening (i.e. the purpose). This is much more information being provided to the data subject than one usually sees.
• None of this is any different from the principle adopted in Optical Express; if someone fills in a travel survey with Thomas Cook and aren’t told that their data will be sold to another company who will send them laser eye surgery texts, how can they make an informed choice about what they want to object to? This is essentially the point Bara makes.
• But does anyone actually send DP notices to data subjects? Not, one suspects, very many. Certainly not as many as should do so.
• That also plays into compliance with the third and fourth data protection principles. If your data isn’t up to date, you cannot properly notify the data subjects (DPP4). If you have harvested and kept excessive amounts of data, you have to spend an unnecessary amount of time and money on notifications (DPP3).

Weltimmo

• Weltimmo has a more obvious immediate impact. You don’t get to situate yourself in one (doubtless the most regulatorily convenient) jurisdiction and ignore the regulators in all other Member States if you are targeting your online business to those other States. They can all come after you, and even if they can’t, they can get your home regulator to do so.
• This is a major move away from a one-stop shop system of DP regulation, whilst implying a pan-European consistency that isn’t really there on the ground. The variations in the application of Google Spain is a good example of just how far apart the national regulators can be.
• On any interpretation of the judgment, the outcome is not one which multi-national companies will have expected or wanted. Major online businesses face the prospect of being subject in every detail to regulators of every Member State. Nor can they ignore judgments in cases against them in more tangential parts of the business empire because under the Brussels I regime a civil judgment in one Member State is enforceable in any other.
• How one gets around Weltimmo is going to be tricky to work out. Will it be enough to have a website in English targeting English customers, but not to have any physical presence in England? What about no employees but an English bank account? Essentially, are the factors listed by the CJEU cumulative or distinct (given the need for only a “minimal” activity)?
• Private international lawyers will struggle to classify Article 4 slightly. Is it a jurisdiction issue or a choice of law issue? The CJEU states a conclusion in terms of an applicable law, whilst considering factors which are classically jurisdictional. In reality, it is probably both. The question of where an establishment is to be located is a jurisdictional one, although which law applies to that issue is probably an odd combination of the lex fori and sui generis European concepts as set out in Weltimmo. But once establishment has been, well, established, then that determines the choice of law: it is the law of the place of the establishment. It is just that there may be more than one establishment (i.e. at least Slovakia and Hungary) and therefore more than one applicable law. This is not very doctrinally coherent, particularly when one moves to trying to work out the jurisdictional competence of a court, and then the applicable law, of a private claim for breach of the implementing legislation. How are they meant to match up? Indeed, are they? Is Article 4 entirely divorced from Brussels I? (It might be for the actions of regulators, which would be engaging in administrative activities and outside the scope of Brussels I, but Article 4 applies to actions taken by the data subject too. Is it meant to be a self-contained code? Unclear.)

The fact that answers do not readily appear to all of these issues may itself be a troubling indicator of a lack of wider and/or deeper thought by the CJEU as to how its judgments will actually work in practice. Doubtless some will be worked through in time. But much of this is far too important to real people doing real things to be left to iron itself out over the next five years. Still waters may run deep, but it is the murky ones you drown in.

Christopher Knight

Back in July I posted on the Opinion of the AG in Case C-201/14 Bara v Presedintele Casei Nationala de Asigurari de Sanatate and the CJEU has now handed down its judgment, happily for me in English. The context is that people deriving their income from independent activities were called to pay their contributions to the Romanian National Fund for health insurance, following a tax notice issued by the Romanian health insurance fund. However, that tax notice was calculated on the basis of data on income provided National Tax Administration Agency under an internal administrative protocol. The complaint was that the transfer by the Tax Agency to the Health Insurance Fund of personal data, particularly related to income, was in breach of Directive 95/46/EC because no consent had been provided to the transfer, the data subjects had not been informed of the transfer and the transfer was not for the same purpose as the data was originally supplied.

The CJEU has dealt with the matter in pretty unambiguous terms. Such data sharing was a breach of Article 6 of the Directive, which requires processing to be fair and lawful, because data subjects were not informed of the transfer to another public body or the purpose for the transfer: at [34]. It was a breach of Article 10, which requires the data subject to be provided with information concerning the identity of the controller and the purposes of processing, because no such information had been provided, and the derogations in Article 13 had to be done through legislative measures, whilst the Romanian public bodies simply did it by way of a protocol: at [38] and [41]. Moreover, it was a breach of Article 11, which requires a controller who has not obtained the data from the subject itself to inform the data subject of its identity and the purposes of processing, because neither of the public authorities had told data subjects anything at all: at [43].

All in all, your mother was wrong. Do not share things. Or at least, do not share personal data without providing very clear information to the data subject about what is happening and why. It doesn’t matter if you are a public authority. Go to bed without any supper.

Christopher Knight

One of the great difficulties facing data protection lawyers is how Directive 95/46/EC copes with the internet age. How do you work out where processing has happened? How do you work out who is responsible? Where can you sue them or otherwise take action against them? What law applies (important given that the Directive has been implemented in different ways in different Member States)?

Article 4 provides some of the answer:

“1. Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:

(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;

(b) the controller is not established on the Member State’s territory, but in a place where its national law applies by virtue of international public law;

(c) the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.

2. In the circumstances referred to in paragraph 1 (c), the controller must designate a representative established in the territory of that Member State, without prejudice to legal actions which could be initiated against the controller himself.”

The decision of the CJEU Google Spain gave some consideration to these matters, but while it certainly established that one could pursue Google through it having a presence in a Member State, it did not really deal with the smaller fry.

However, the CJEU’s decision today in Case C-230/14 Weltimmo v Nemzeti (judgment of 1 October 2015) provides a bit more clarification. Weltimmo (as Anya’s post on the AG’s Opinion has previously discussed) is a company registered in Slovakia, but which the Hungarian data protection authority wished to fine for breaches of the Directive. Those breaches related to the activities of property dealing websites Weltimmo ran which advertised properties in Hungary and revealed various items of personal data of the property owners. What factors were relevant in working out whether Weltimmo was established in Hungary under Article 4?

Article 4, stressed the Court, was the key to determining the national law applicable: at [23]. The Directive had prescribed a broad territorial scope (see Google Spain): at [27]. In the particular context of the internet, said the Court without particularly expressing why there should be different tests for different types of business, when working out whether Weltimmo was also established in a State where it was not registered, one had consider “both the degree of stability of the arrangements and the effective exercise of the activities” in the light of “the specific nature of the economic activities” concerned: at [29]. (No mention of where there was not a clear economic activity.) An establishment can be shown by “any real and effective activity – even a minimal one – exercised through stable arrangements“: at [31].

What is relevant then? The presence of just one representative can be sufficient if acting with a sufficient degree of stability through the presence of the necessary equipment for the provision of the services (i.e. not necessarily where the servers are): at [30]. Running a website about properties in Hungary, written in Hungarian, which charges advertising fees constituted a real and effective activity in Hungary: at [32]. The presence of a representative in Hungary, who acts as a point of contact with the Slovak company and the data subjects, and a Hungarian bank account, and a Hungarian letter box for the business, were all capable of showing an establishment: at [33]. What is not relevant is the nationality of the data subjects: at [40] (which is consistent with the classic approach to jurisdiction under the Brussels I regime). The processing itself must take place in the context of the activities in Hungary, but the Court had no difficulty with that: at [38]. As a result, Hungarian law applied to Weltimmo: at [39].

This was all fact-specific of course, but it does give some fairly extensive guidance, and certainly indicates that any website aimed at a particular jurisdiction, plus some sort of physical presence of some sort, will be sufficient to amount to an establishment. Company registration elsewhere will not be an escape route.

There was also a second issue, which was technically obiter, about when a national regulator can take action against a data controller who may be subject to foreign laws. The CJEU strongly emphasised that it was the obligation of the regulator under Article 28 to take action within its own territory and to investigate every complaint made to it, irrespective of the applicable law: at [54]. What it cannot do, of course, is try to fine a controller not established in its own State: at [56]. So, if having investigated, the regulator reaches the conclusion that the controller is established elsewhere and subject to a foreign legal regime, it must ask the relevant national regulator to take over the case and impose any penalty based, in part, on the information provided between regulators: at [57]. Cross-border regulation might not yet be at a one-stop shop level, but it is meant to have teeth.

Weltimmo is a genuinely important decision and provides some very helpful guidance. By no means does it answer all of the questions, particularly outside of the internet, and it does not come close to the beginning of the end. But perhaps, following Google Spain, it is the end of the beginning.

Christopher Knight

Breaking news: AG Bot has just delivered his Opinion in Case C-362/14 Schrems v Data Protection Commissioner (the Facebook case) holding that the Commission decision establishing the ‘Safe Harbour’ scheme in the USA does not eliminate or reduce the national authorities’ duties to assess compliance with the Directive 95/46/EC, and in any event, the Safe Harbour decision is invalid in the light of the Snowdon revelations about mass data surveillance in the USA. The full text of the Opinion will be published, and doubtless discussed here, later on but if the CJEU agrees, it is a very significant decision.

I will be on BBC World later this morning discussing the implications of the Opinion.

Christopher Knight

By way of a (limited) update, the current expected listing for the Supreme Court hearing in Google Inc v Vidal-Hall is May-July 2016. Plenty of time to get your damages claims resolved between now and then…

CK

It is not very often that this blog reports developments north of the Wall, but we like to make occasional forays, to check up on events of cross-border impact (and of course Common Services Agency and South Lanarkshire are just two examples of gifts from our Scottish brethren which just keep on giving). Assuming you’ll have had your tea, readers may wish to briefly glance at the recent judgment of the Inner House (the Court of Appeal for Scottish civil matters) in The Christian Institute v Scottish Ministers [2015] CSIH 64.

The case was a challenge to the Children and Young People (Scotland) Act 2014, an Act of the Scottish Parliament. Constitutionally minded readers will be aware that challenges can be brought against Acts of the devolved legislatures on grounds which would not be countenanced against an Act of the Westminster Parliament. Parts 1 to 5 of the 2014 Act form a comprehensive scheme intended to promote and safeguard the rights and wellbeing of children and young people. Part 3 provides for the preparation of three year “children’s services plans” for local authority areas designed to secure, inter alia, that children’s services are provided in a way which: best safeguards, supports and promotes the wellbeing of children; ensures that any action to meet their needs is taken at the earliest appropriate time; is most integrated from the point of view of recipients; and constitutes the best use of available resources.  Part 4 requires service providers to make available, in relation to each child or young person, an identified individual (“named person”), whose general function is to promote, support or safeguard the wellbeing of the child or young person, on behalf of the service provider concerned.

The challenge was to the creation of the named person, based upon various Convention articles – particularly 8 and 9 – which need not concern us here. That challenge failed. However, there was also a DP challenge: to “the sections of the 2014 Act which deal with the sharing of information are incompatible with the requirement of the European Parliament and Council Directive on Data Protection (95/46/EC), as read and applied in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.  For this reason also the provisions are ultra vires of the Scottish Parliament.  They run contrary to the Data Protection Act 1998.  The fact that data could be shared, when not strictly necessary, rendered the information sharing provisions (2014 Act, ss 26 and 27) incompatible with Article 7 of the Directive (criteria for legitimacy).  There were insufficient safeguards against the unlawful sharing of data.  There was no inbuilt “right to be forgotten”“: at [6].

It may be useful to set out the Inner House’s summary of the relevant provisions, at [12]-[14]:

“A set of provisions, contained in sections 23 to 27 of the 2014 Act, regulates requests to, and giving assistance by, service providers and the associated sharing and disclosure of information.  Distinct provisions apply according to whether: the named person functions are transferring from one service provider to another (s 23); a service provider is requesting help from another service provider (s 25); a service provider is required to provide information to the service provider (s 26(1)), and vice versa (s 26(3)).  A distinction is drawn between information sharing (s 26) and disclosure (s 27), according to the incidence of confidentiality.

A service provider must generally provide the service provider with information which is likely to be relevant to the exercise of named person functions (s 26(1) and (2)).  An equivalent duty is placed upon the service provider in the reverse situation (s 26(3) and (4)).  The views of the child require to be sought (s 26(5)).  The information holder may decide that the information ought only to be provided if the likely benefit to wellbeing outweighs any adverse effect (s 26(7)).  The holder may provide information if it is necessary or expedient for the purposes of named person functions. The sharing of information is not permitted or required where disclosure is otherwise prohibited or restricted, other than in relation to a duty of confidentiality (s 26(11)).  Thus, disclosure may be permitted, notwithstanding a breach of confidentiality, if the criteria in section 26 are otherwise satisfied and there is no other legal bar to it taking place. It is between service providers, and not individual named persons, that the specified information may be shared.  Where information is to be provided in breach of confidentiality, the recipient must be informed of the breach, and must not provide the information to any other person, unless otherwise permitted or required to do so by law (s 27).

In combination, the provisions are calculated to integrate services in order to secure the wellbeing of children and young people.“

The Inner House dealt with the challenge fairly swiftly. It set out the Charter provisions and those of the Directive, before noting that the Directive had been implemented by the “labyrinthine” DPA (not unfair), which was not said to have failed to properly or fully implement the Directive. There was, as a result, no need to go beyond the DPA itself: at [96]. The Court’s reasoning at [97]-[100] is admirably clear.

The 2014 Act was not a mechanism which trumped the DPA. “Section 26(11) of the 2014 Act expressly provides that, with the exception of rules on confidentiality, the information sharing provisions are not to be held as permitting, far less requiring, the provision of information when it is prohibited or restricted by virtue of an enactment or rule of law.  This makes it clear that the operation of section 26 involves compliance with existing law.  That includes the Data Protection Act 1998 and hence the rights of the Charter and the principles in the Directive.” There might well be breaches in individual cases but they could be resolved on their own facts rather than through an abstract challenge. There “is no need for the 2014 Act to incorporate data protection principles, such as the need for consent or other specific protections, including the destruction of out of date data, within its four walls.  The 2014 Act creates a regime involving child welfare which directs what should happen regarding the sharing of relevant information, but it assumes that the actions of those operating the system will comply with data protection principles.”

The 2014 Act did not, held the Inner House, involve the creation or collection of any new data; personal, sensitive or otherwise. The Court was obviously significantly influenced by the social policy of the legislation, seeking to introduce a system for the co-ordination and sharing of existing data in relation to children and young persons whereby situations involving a potential risk to a child’s or young person’s well-being, as defined, can more readily be identified and the relevant agency alerted. There was not a proportionality exercise taking place expressly, but the reasoning suggests pretty clearly what the answer would have been had there been one. See too at [102]-[103].

The challenge on DP grounds consequently failed, and the judgment is one which is easy to understand and follow. The need for a single, coherent, statutory scheme for child welfare information sharing which nonetheless complied with existing DP requirements was an unsurprisingly powerful pull for the Court of Session. It is a reminder that data protection is an important safeguard, but it is neither something which prevents agencies doing their jobs nor a trump card to be played in any and all situations. Carefully calibrated and structured schemes need not fear the DPA.

Christopher Knight